jchd Posted June 24, 2019
45 minutes ago, eagle4life69 said: I think too many bad guys are using Autoit
The issue is elsewhere: since it's sooo easy to detect AutoIt exes, cheap AV companies believe it's a valuable move to flag them all. That increases their "success rate" at zero cost since they can't care less about false positives... Call that "security through genocide".
iamtheky Posted June 25, 2019
Look at this from the distant past of....2 days ago
https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Autoit-COE/detailed-analysis.aspx
An 828kb compiled exe? The only way you get it under 850 is upx, and the only way you stay that way is if you don't do much of shit in that script. That is the surefire 2 step way to get flagged by every AV, and pretty much the only way aside from the occasional bad rule that gets pushed.
Nine Posted July 9, 2019
Started a week or two ago, one of my scripts (that I have been using for years) is being detected as a Trojan:Win32/Bearfoos.A!ml. I am on Win7 with MSSE. It is obviously another case of false positive. Just wanted to let you know...
Earthshine Posted July 9, 2019
You can get them to white-list it, I had MS do it online, it's free and fast.
fastlane65 Posted July 19, 2019
First - I love AutoIt. Very entrenched in it. But the virus issue has me hamstrung. I work in the corporate world. I take a lot of in-house and third party software installs and wrap them in an AutoIt exe to ensure a standard process for internal and external clients. Every script I compile is getting flagged. I need an alternative since I can't get install scripts approved by all the AV vendors immediately at 2 AM. I use AutoIt because I inherited the process from a retiree. Is there another comparable software that won't get flagged by AV? InstallShield seems like overkill. What else is out there?
Developers Jos Posted July 19, 2019
1 hour ago, fastlane65 said: I need an alternative since I can't get install scripts approved by all the AV vendors immediately at 2 AM.
Wrong forum to ask.
Jos
fastlane65 Posted July 19, 2019
16 minutes ago, Jos said: Wrong forum to ask. Jos
What forum do you suggest?
Developers Jos Posted July 19, 2019
PowerShell probably is the way to go when you feel you really need to change, but I have no recommendations other than "Google is your friend". Autoit3 can work as well when the original Autoit3.exe is used and you run a3x versions of a script..... your choice.
Jos
fastlane65 Posted July 19, 2019
I do a lot of PowerShell but many scripts need to be compiled for portability and security (passwords and such.) Thanks.
BrewManNH Posted July 19, 2019
17 minutes ago, fastlane65 said: security (passwords and such.)
AutoIt isn't the language for you then, compiled scripts aren't secure unless dealing with just the usual user types.
Moderators JLogan3o13 Posted July 19, 2019
38 minutes ago, fastlane65 said: I do a lot of Powershell but many scripts need to be compiled for portability and security (passwords and such.) Thanks.
PowerShell is portable on anything built in the last 10 years. If you are embedding passwords you're doing it wrong, regardless of the language you choose.
Edited July 19, 2019 by JLogan3o13
iamtheky Posted July 19, 2019
First, why can't you whitelist hashes locally on your corporate AV?
Next, try upx=n prior, but if it still fails then show us the script. If you are just fileinstalling and running commands, then that should fix it. You probably can't compress or obfuscate it if it is only those simple behaviors because it is literally, except for your path/filename, every AutoIt dropper ever.
*Also, everyone who has the script can read those passwords in plain text with minimal effort and many different ways.
Edited July 19, 2019 by iamtheky
Neutro Posted August 23, 2019
On 7/19/2019 at 9:27 PM, fastlane65 said: First - I love AutoIt. Very entrenched in it. But the virus issue has me hamstrung. I work in the corporate world. I take a lot of in-house and third party software installs and wrap them in an AutoIt exe to ensure a standard process for internal and external clients. Every script I compile is getting flagged. I need an alternative since I can't get install scripts approved by all the AV vendors immediately at 2 AM. I use AutoIt because I inherited the process from a retiree. Is there another comparable software that won't get flagged by AV? InstallShield seems like overkill. What else is out there?
You need to understand that AV software works in 2 ways:
- they detect files that have the same signature as already-detected virus files. This is what the first post of this topic is about. It's basically a "is this file identical to this one?" process.
- they use "heuristics detection systems" that inspect what the software is doing. It's basically a "does this software act like what most viruses are doing?" process.
The problem you're having here is that since you're developing exes that install software and change system settings, they do similar things to what real viruses are doing, so it triggers the heuristic detection system of AV. Which means even if you switch to another programming language you'll probably still encounter the same problems with AV.
In other words, there is no solution to your problem that would allow you to bypass AV checks. So you need to deal with them.
Easiest and fastest way is to add your exe to the whitelist system, at an AV server level preferably or client level if not possible.
Longer but more durable way is what we're all doing in this topic: after the fast way is ok, report the false positive to the different AV companies so that they update their signature base and heuristic detection system to work more precisely.
Welcome to our world
Edited August 23, 2019 by Neutro
bowain Posted August 23, 2019
On 7/19/2019 at 2:27 PM, fastlane65 said: First - I love AutoIt. Very entrenched in it. But the virus issue has me hamstrung. I work in the corporate world. I take a lot of in-house and third party software installs and wrap them in an AutoIt exe to ensure a standard process for internal and external clients. Every script I compile is getting flagged. I need an alternative since I can't get install scripts approved by all the AV vendors immediately at 2 AM. I use AutoIt because I inherited the process from a retiree. Is there another comparable software that won't get flagged by AV? InstallShield seems like overkill. What else is out there?
I had my work create a signing cert which I sign all my code with. I have a batch set up that is run after the compilation to do the signing. The cert is recognized by the AV and that way I don't have to whitelist each exe. I do a lot of revisions and compiles to test things so whitelisting hashes is a hassle. Also some remote devices don't update as they should so this eliminates that issue as well.
mLipok Posted September 20, 2019
Does any AV software have a feature to add an exclusion which will allow an exe to run, but only when all of the following conditions fit:
1. specific selected single exe file
2. only for this single exe file version
3. single known virus threat
What I want to achieve: I want to add an exclusion for a single file, but only for a single known virus threat, and only for the EXE version which I know, because if the file was changed then this is not the same file to which I gave a green light, and because the rule in security is to give as few permissions as possible, so why should I exclude a file from checking completely?
Nine Posted September 20, 2019
You could set up Windows authorizations to limit any user from replacing that specific .exe file. Or simply put the file on readonly. I never saw an AV that supported your 2. + 3. features. But I might be wrong
Danp2 Posted September 20, 2019
@mLipok With Webroot, you can add an exclusion based on MD5 hash.
Jokerman Posted September 21, 2019
On 8/23/2019 at 9:47 AM, bowain said: I had my work create a signing cert which I sign all my code with. I have a batch set up that is run after the compilation to do the signing. The cert is recognized by the AV and that way I don't have to whitelist each exe. I do a lot of revisions and compiles to test things so whitelisting hashes is a hassle. Also some remote devices don't update as they should so this eliminates that issue as well.
I'd like to start by saying that I've experienced pretty much everything that has been mentioned in this thread - quarantined exes for completely innocuous code, compiled exes flagged as infected months or years after they've been sitting idle in an archive folder, the same script being flagged intermittently each time I compile it, you name it. I knew that would be unacceptable if we released our product in that condition so I researched for many days (probably weeks) before our initial release.
This is the route we ended up choosing and I honestly couldn't be happier with the results. After we started signing all of our executables using a reputable code signing cert we no longer get flagged by Windows Defender - even using UPX with maximum compression. We've had rare issues with other AV providers but they've been so rare (easily less than 10 total over the past 18 months) it's really been a non-issue.
If you already have a corporation set up I highly recommend doing this sooner rather than later. To be upfront, it does have a cost - both in time (generally 1-4 weeks from application to receiving your cert) and money (<$100/year) - but user trust and peace of mind are (very nearly) priceless.
Once you have the code signing cert downloaded and installed you can simply add a line to the top of your script to have SciTE automatically sign your newly compiled exe as the final step in the compile process. Something like this:
#AutoIt3Wrapper_Run_After=""%ProgramFiles(x86)%\Windows Kits\....\signtool.exe" sign /tr http://timestamp.comodoca.com/?td=sha384 /td SHA384 /a "%out%""
Also, if you have concerns about Windows Defender being reliable and accurate AV software you can let those concerns go. While it's true Windows Defender has had issues in the past, they were in the beginning of Microsoft's attempts at AV and things have improved significantly since then. If you want to check it out for yourself you can Google it or go here: https://www.techspot.com/news/81396-windows-defender-ranked-joint-best-antivirus-program.html
(Fyi, up until about 5 years ago I'd been in IT for >20 years doing anywhere from tech support to Windows/Network Admin. In other words, basically dealing with viruses/rootkits/malware/ransomware on a daily basis because of users or customers lacking the wherewithal to not click the link in the email from an unknown source claiming their inheritance is waiting. 🤦♂️)
Edit: Btw, in case anyone does want to go this route I can recommend https://www.thesslstore.com/. I'm not affiliated with them in any way except for that's where I purchased our cert from and I can attest that we received it and it works exactly as I've described. We went with the standard Comodo Code Signing cert. The EV certs are more expensive because they require more background evaluation to be done to verify the entity applying for the cert. It may be advantageous in particular circumstances but isn't necessary to simply avoid AV quarantine.
Also, the other unmentioned advantage is your exes are now digitally signed. While for most customers this won't make a difference, if you're using your scripts in a corporate environment this may be a major peace-of-mind bonus since it's easy to verify the authenticity of your exes and they have certain assurances the exes haven't been tampered with. 👍
Edited September 21, 2019 by Jokerman: Additional info
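The post-compile signing step that bowain and Jokerman describe, with the verification a build should do before the exe ships, as an added example (not code from either poster or from the AutoIt project). It assumes signtool.exe is on PATH and a code signing certificate is installed in the certificate store; the script name, parameter names and the timestamp URL default are placeholders.

```powershell
# Sign-AndVerify.ps1 (hypothetical name) - run after compiling the script to an exe.
# Assumptions: signtool.exe is on PATH and a code signing certificate is installed.
param(
    [Parameter(Mandatory)] [string] $ExePath,
    # Placeholder: replace with the RFC 3161 timestamp server of your CA.
    [string] $TimestampUrl = 'http://timestamp.example.invalid',
    # Optional: pin the signer so a build signed with the wrong cert fails.
    [string] $ExpectedThumbprint = ''
)

$ErrorActionPreference = 'Stop'
$ExePath = (Resolve-Path -LiteralPath $ExePath).Path

# 1. Sign. /a selects the best installed certificate, /fd sets the file digest,
#    /tr and /td request an RFC 3161 timestamp so the signature stays valid
#    after the certificate itself expires.
& signtool.exe sign /a /fd SHA256 /tr $TimestampUrl /td SHA256 $ExePath
if ($LASTEXITCODE -ne 0) {
    throw "signtool sign failed (exit code $LASTEXITCODE)"
}

# 2. Verify with the same check Windows applies, not just signtool's exit code.
$sig = Get-AuthenticodeSignature -FilePath $ExePath
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}
if (-not $sig.TimeStamperCertificate) {
    throw 'Signature has no timestamp; it will stop validating when the cert expires.'
}
if ($ExpectedThumbprint -and
    $sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# 3. Emit a record for the release log: the SHA-256 is what a hash-based
#    AV exclusion pins, the thumbprint is what a publisher-based rule pins.
[pscustomobject]@{
    File       = $ExePath
    SHA256     = (Get-FileHash -LiteralPath $ExePath -Algorithm SHA256).Hash
    Signer     = $sig.SignerCertificate.Subject
    Thumbprint = $sig.SignerCertificate.Thumbprint
    CertExpiry = $sig.SignerCertificate.NotAfter
}
```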
Mobius Posted September 26, 2019
Is it me, or are AV companies and digital signature companies fading out hobbyist coders, and not just those that use interpreted languages either? Okay, if you are in a corporate environment or are looking to sell your work, fine, pay your dues to this self-sustaining industry; those that do this for fun and knowledge shouldn't really be held to ransom on the off chance we craft something worthy of distribution.
Moderators JLogan3o13 Posted September 26, 2019
@Mobius Just curious, if you were one of the big AV companies - how would you police and decide who is a hobbyist and who is not, so that you could apply different levels of response logic?