Are my AutoIt exes really infected?

[Jos]

52 minutes ago, bdr529 said:

why are there different results?

No idea but you really need to read and try to understand the first post in this thread! 

 

Jos

[AutoBert]

Ask the developer of the av-scanner, and tell them also it's a false positive.

[bdr529]

I'm sorry but I do not write in English I need to google translator
it is strange that you get different results from different versions of the same software (Aut2exe.exe and Aut2exe_x64.exe)

[Jos]

No it is not as it all depends how the AV company made it's signature., so contact them for support as this is the wrong place!

Jos

[timmy2]

Two apparent false positives. Probably unrelated. No action requested here, but I figured I should document them in case others encounter these issues.

Please know that I'm posting this after submitting a false positive report to MalwareBytes and Microsoft for Defender.

First, I installed AutoIt (v3.3.14.5 according to the associated Help file title page) on a W10 virtual machine (Windows ver 1803 (17134.407). I could not compile or even syntax check my AutoIt script because Defender kept blocking it. Defender cited this file: C:\Users\(my username)\AppData\Local\AutoIt v3\Aut2exe\autAB90.tmp.exe. Said it's infected with Trojan:Win32/Zpevdo.A (Alert level: Severe). Defender popped up a window I've never seen before about some new feature they've added. I was too interested in testing my script idea to explore this anomaly so I just told Defender to exclude C:\FGCDIR. (come to think of it, where did that folder come from!?! Now that I have a moment I'll investigate)

Second, on my production machine, using AutoIt 3.3.14.2, I've hit a snag with Malwarebytes Premium quarantining anything I compile if I include GuiEdit.au3, citing a threat named "MachineLearning/Anomalous.100%".

[Jos]

10 minutes ago, timmy2 said:

(come to think of it, where did that folder come from!?!

Which folder?

10 minutes ago, timmy2 said:

C:\Users\(my username)\AppData\Local\AutoIt v3\Aut2exe

As already explained ample times, this directory should be excluded from AV scanning as the compiler activity often gives issues with AV activated.

Jos

[timmy2]

C:\FGCDIR

22 minutes ago, timmy2 said:

... so I just told Defender to exclude C:\FGCDIR.

The only reason I know this is because when I looked in Defender's Allowed Threats that folder was excluded on the same date that the threat was detected. Interesting that excluding the threat did not exclude C:\Users\(my username)\AppData\Local\AutoIt v3\Aut2exe\ but excluded this oddball folder. I apologize for lack of detail. To me it was just another "what fresh hell is this?" moment.

Thank you for the heads-up about the AutoIt folder that should be excluded. Despite having used AutoIt for a fairly long time, albeit sporadically, I missed that memo. 

[Jos]

20 minutes ago, timmy2 said:

The only reason I know this is because when I looked in Defender's Allowed Threats that folder was excluded on the same date that the threat was detected. Interesting that excluding the threat did not exclude C:\Users\(my username)\AppData\Local\AutoIt v3\Aut2exe\ but excluded this oddball folder. I apologize for lack of detail. To me it was just another "what fresh hell is this?" moment.

No clue what directory FGCDIR  has to do with the compile of your script unless you have files in there the script has an FileInstall() for.  A quick search gave this info, but obviously don't know  if that is also in your case:
 

Quote

What is the FGCDIR folder?

 

Does anyone know what the FGCDIR folder is for and whether it or any of its contents can be safely deleted?

----- Answer -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Remants of Virtual Sandbox and Fortes Grand antispyware / antimalware. Don't remove it if you are using that sofware.

Jos

[timmy2]

I did indeed test Fortres Grand's Clean Slate several days ago so that explains the presence of the folder. They probably added their folder to Defender's exclude list, and it just so happened that that was the same day I installed AutoIt and discovered that Defender blocked compiling, syntax checking, etc. I definitely could not make any progress with AutoIt until I told Defender to do something (exclude, ignore, whatever), but I no longer recall what I did, and for that I apologize.

Maybe if I find the time I'll revert the VM, install AutoIt, and try again. This was more of an observation in case others experience it, prompted mostly by Malwarebytes blocking me today --  a few days after the Defender issue. Coincidence I guess. Thank you!

[timmy2]

Excluding C:\Users\(my username)\AppData\Local\AutoIt v3\Aut2exe in Windows Defender solved the problem of Defender halting a Build. 

[nbarrosuriburu]

Hello, I'm new in autoit, but have some experience scripting on python, lisp, batch, also programming macros on office and stuff alike.  I become interested on Autoit because of a recent virus in my pc: i found an exe presumably compiled by autoit v3.1 that seemed to try to access to the keyboard (some kind of keylogger) and the package had some measures so it would be hard to delete: the application was in startup also was autoit v3 script. in the folder there were four files with .txt or .etc: were compiled scripts, surely, named wrong for hide purpose. I don't know exactly how I was infected but have some ideas since my pc is used by 2 other people more and they are very basic pc users, maybe they were navigating and some shit they downloaded and opened it. I found the source, change in regedit so wouldn't continue protecting itself and eliminate them finally.

I'm convinced that the main reason of the false positives you call is because of malwares that use autoit. 

The virus found this time has

• 3 folders, in "c:\desktop" and some numbers just to camouflage, in "c:\ProgramData\Autoit" and in "c:\Program Files\" and a folder in hex , the name of the malware was in hex too.
• in each folder 4 files, on with some hexnumber .exe, shell.txt (but was some compiled program, by trying read it), autoit.exe and dump.doc (another compiled program)

it was on those places most of it so the c:\ProgramData\Autoit would not be eliminated. a program running copied the files if there weren't there, controlling minute by minute, by copying from one of the safe places. Also in registry there were some calls to the program and the autoit.exe in the common places so it run at start. I couldn't find the original package downloaded from internet probably some zip file or some vbe script.

the autoit.exe file it seems it is the same as Autoit3.exe interpreter to run compiled .a3x (shell.txt and dump.doc probably were .a3x renamed for camouflage) since  autoit.exe has digital signature, i feel intrigued about this and started look around about autoit, and here I am.

Well, just for all of you to know.

Nicolas

 

 

[JLogan3o13]

@nbarrosuriburu everything you state above is well known to the community. You are finding that, like other languages such as python, no one can control what a few bad apples choose to do with it. All we can do is keep the forum as free of that kind of stupidity as possible, to protect the reputation of the language. That is why you will see the forum rules specifically forbid things such as keyloggers, game bots, security measure bypasses, etc.

[Somerset]

Some of those "false positives" will even be reported to you as .au3 extensions, not just binary files alone.

[Guest]

Breaking News: You may not have problems only with AVs! Google itself & google chrome may block your website and any autoit you download even if the file is 98% clean according to VirusTotal. There is nothing you can do if you get f** by google because it turns out that the f***s are not going to support you.

Edited April 2, 2019 by Guest

[Jos]

7 hours ago, gil900 said:

Breaking News: You may not have problems only with AVs! Google itself & google chrome may block your website and any autoit you download even if the file is 98% clean according to VirusTotal. There is nothing you can do if you get f** by google because it turns out that the f***s are not going to support you.

Nothing breaking about that and don't tell me I didn't warn you! 
You should NOT include compiled scripts in your distribution and for sure not use UPX compression  as that can get you flagged. We had the same here when the SciTE4AutoIt3 installer got flagged.

Jos

[Guest]

By saying, "not  distribute" you mean to be open source?

I am considering to make it open source and make the website to block google products.

I dont think that I am the one that did something wrong.. 

Google did something wrong probably because if you scan it on VT you will get 2/80 detections.

I may be stupid but not wrong.

So as I see it, it is very right thing to block google products.

 

They did a lot of things wrong. For example I got no notification that website was blacklisted for a whole month

 

Google are not god, they also wrong sometimes. 

I accept mistakes, but the way I got support, the way their "safe browsing" works... it is too much bad.

So I will for sure block any google chrome browser with notification why it was blocked.

 

Sorry for that the talk is being out of scope of the thread 

 

[Jos]

Venting is fine but not going to solve your problems.
I have solved our problems against this issue by simply not providing any compiled script but rather ony the source which is run by the official and signed AutoIt3.exe.

As simple as that!

Jos

[Guest]

50 minutes ago, Jos said:

Venting is fine but not going to solve your problems.
I have solved our problems against this issue by simply not providing any compiled script but rather ony the source which is run by the official and signed AutoIt3.exe.

As simple as that!

Jos

I finished to do my logic calculations and I will

1) use github to host it with the source code and compiled exe under license 

https://creativecommons.org/licenses/by-nd/3.0/

2) Work on the Microsoft Store version of the app

3) Keep selling it as it is

4) Consider to blacklist google chrome browser on the offical website

[Skysnake]

I have recently experienced Windows Defender identifying Inet includes (downloaders) as a variety of trojans.  Just saying.

[eagle4life69]

On 5/19/2019 at 3:41 AM, Skysnake said:

I have recently experienced Windows Defender identifying Inet includes (downloaders) as a variety of trojans.  Just saying.

I have been fighting Windows Defender on the enterprise level trying to get it to stop blocking my programs. Doesn't matter if I have Upx on or off... Its getting old quick, I think to many bad guys are using Autoit... I need to figure out how to digital sign my programs to see if that allows them...