Are my AutoIt exes really infected?

[quickbeam]

On 8/23/2019 at 8:47 AM, bowain said:

I had my work create a signing cert which I sign all my code with. I have a batch set up that is run after the compilation to do the signing.

The cert is recognized by the AV and that way I don't have to whitelist each exe. I do a lot of revisions and complies to test things so whitlisting hashes is a hassle. Also some remote devices don't update as they should so this eliminates that issue as well.

 

Does a certificate really guarantee your app won't get flagged?  We have a client that says our app was getting quarantined, so we signed it with Entrust CA.  Apparently Windows Defender is still flagging it, but now at least he gets an option to run it anyway.  There's a little bit of an English issue, but we're going to set up a laptop here with the same version of MS Windows Defender and see if we can duplicate it in-house.

[iamtheky]

29 minutes ago, quickbeam said:

Does a certificate really guarantee your app won't get flagged?

No, it has zero effect, not even what certs are for.

certificates verify the author (not that the file is certified clean), its the code equivalent of a pretty cursive signature.

 

**That being said, you can whitelist things in your Enterprise AV based off any value.  Cert is as valid a value in that sense as any other.

Edited December 3, 2019 by iamtheky

[sebrauf]

Kaspersky  flagged as virus one program I did. I emailed them and they fixed it for the following updates

[stkggo]

I create a website builder with Autoit. Method is to merge text files and photos to build the website. Very simple. I scan the au3 file with virustotal. No virus. But when I scan the exe file, it is regarded as maleware by some virus scanners. I submit the software to Cnet. They reply approval is not given unless the problem is solved. 

[Musashi]

https://www.autoitscript.com/forum/topic/34658-are-my-autoit-exes-really-infected/

[JLogan3o13]

@Musashi why would you link to the exact same thread?

[Musashi]

1 hour ago, JLogan3o13 said:

@Musashi why would you link to the exact same thread? 

I have given the link to this thread as an answer in another thread. There the OP described his problems with "false positives". Later the thread was merged/moved in here by a moderator, including my contribution. Now my answer is outside the original context, and appears therefore pointless .

Perhaps it would be a good idea to simply remove the link.

Edited December 16, 2019 by Musashi

[Eishockeyfan]

Productive work with AutoIt Newest Version is no longer possible under Windows 10. Windows Defender permanently reports a virus when the script has been compiled and the ".EXE" file is saved in an automatically saved onedrive folder (e.g. Downloads or Desktop etc.). This means that online transfers to other users are no longer possible and no longer execute there.

best regards Chris

[Eishockeyfan]

Gotta correct me! Before you compile the script you should work with #Pragmas, then Windows Defender is silent.
Problem solved ... thanks

[JLogan3o13]

15 hours ago, Eishockeyfan said:

Productive work with AutoIt Newest Version is no longer possible under Windows 10.

Did you really think, for as long as AutoIt has supported Windows 10 (on systems with Defender), that if this was the case it wouldn't have been advertised far and wide??

In the future, rather than making a definitive statement such as this and then having to come back and retract it, perhaps start by asking a question in the forum about the problems you're encountering.

Edited December 27, 2019 by JLogan3o13

[Tripredacus]

Some recent update to Defender in Windows 10 (noticed today) that some AutoIT .exe are being detected as Trojan:Win32/Fuerboos.D!cl and being quarantined automatically. Unfortunately, due to the sensitivity of the programs I've made, I cannot submit them for review to anyone.

[JLogan3o13]

Well, if you can't submit to anyone, you're out of luck. Without source, no AV company can do anything.

[Musashi]

10 hours ago, Tripredacus said:

Some recent update to Defender in Windows 10 (noticed today) that some AutoIT .exe are being detected as Trojan:Win32/Fuerboos.D!cl and being quarantined automatically.

Considering your post count, you'll probably know the following info already . Furthermore, this has been mentioned numerous times in this and other threads. Just in case it has escaped your attention until now, here is a brief summary (simplified) :

Compile your scripts in a3x format instead of exe.

To execute a3x scripts on the target machine, there are several ways, e.g. :

• Install AutoIt, then you can execute a3x scripts similar to .exe by double-clicking. However, this option is often not desired by the recipient. If the scripts should only run on your own computer this is irrelevant, because an AutoIt installation already exists.
• Copy the appropriate file(s) AutoIt3.exe or AutoIt3_x64.exe to the target computer. Associate the extension a3x with the interpreter (AutoIt3.exe). Execution of a3x scripts by double-clicking possible. Since this requires a change in the registry of the target computer, it may also be undesirable.
• Copy the appropriate file(s) AutoIt3.exe or AutoIt3_x64.exe to the target computer. a3x files can be executed e.g. via a .cmd or a shortcut. This is the least invasive variant.

I have switched all my scripts to the a3x format and since then virtually no problems with virus software anymore .

Regarding security : au3 scripts will be embedded as a3x when compiling an .exe, so there are no differences.

 

==> Definitely worth a look is the solution from @Exit , see : au3tocmd-avoid-false-positives

Edited January 15, 2021 by Musashi
typo

[Shark007]

If at all possible, compile your exe's as 64-bit. This trick no longer works in AutoIt v3.3.16.0
When compiled as 32-Bit, I get as many as 12-18 virus detections from VirusTotal.
The exact same script, compiled as 64-Bit, only has 2-3 detections.

Almost all Windows computer systems these days are 64-Bit operating systems.

Take NOTICE: special considerations are required for the Windows Registry, Windows\System* files and ProgramFiles* directories.

Edited March 27, 2022 by Shark007

[IlanMS]

When using VirusTotal, several anti-viruses that are not listed here false positive, most important of which is Miscrosoft av.

[JLogan3o13]

On 7/18/2021 at 5:53 AM, IlanMS said:

When using VirusTotal, several anti-viruses that are not listed here false positive

Not surprising when the original list was compiled 15 years ago

The workaround is the same, as mentioned numerous times throughout this thread, there are things you can do to mitigate false positives. Failing these suggestions, you need to contact the AV vendor.

 

 

[mLipok]

2 weeks ago I starts having issue in time when I compile one of my projects.
Funny thing is that solution to all my problems was to add at the top of my scirpts, this following line:

If Not @Compiled Then ConsoleWrite('ESET')

Today it starts hapening for my other projects.

 

I also remember such case:

Several years ago, I was working on corrections to one of my projects. I have been correcting it for several hours of work.

At the end, when I achieved the desired effect, I noticed that I had a linguistic error (a typo) in one of the messages. So I literally corrected one letter and sent the amendment to the update server.

Then, in a remote connection (TeamViewer) at the client's workstation, I wanted to finally update the product.

It turned out that changing one letter in the program code regarding the displayed message may cause the heuristic methods of antivirus programs to recognize the program as a virus.

Edited March 14, 2022 by mLipok

[jchd]

15 minutes ago, mLipok said:

It turned out that changing one letter in the program code regarding the displayed message may cause the heuristic methods of antivirus programs to recognize the program as a virus.

That's the drawback of heuristics: they can misinterpret a tree as a school bus when a bird leaves its nest in the tree.

[obiwanceleri]

Not sure where to post this but this week I've been programming again and discovered that my new compiled scripts are being flagged as infected with "Trojan:Win32/Sabsik.FL.A!ml"

It's an obvious false positive. And Defender doesn't even let me create an exception (the only way around this is to tell Defender to skip the folder(s) where I am compiling the scripts).

IMPORTANT: this only affect the 32 bit version and not the 64 bit one. So at least there's a workaround. 

IMPORTANT: this also affect the beta version in the same way

I did send the 'offending' .EXE to Microsoft but there's no way of telling them this is a actual false positive.

 

Here are a few version numbers for you

AutoIt version : 3.3.16.0

Windows version : 19044.1706 (21H2) 

Defender client version : 4.18.2203.5

Defender engine : 1.1.19200.6

Defender version : 1.367.1454.0

Anti-Spyware version : 1.367.1454.0

 

Here's the script that got flagged (as you can see, there's nothing offending here). I've compiled a few scripts and I get the same issue. 

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Version=Beta
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
; Test 01 tester les clsid
; Ordinateur\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders --> {374DE290-123F-4565-9164-39C4925E467B}
#include <File.au3>
#include<Array.au3>

$sChemin = RegRead('HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders','{374DE290-123F-4565-9164-39C4925E467B}')
$aDir = _FileListToArray($sChemin,"*")

_ArrayDisplay($aDir)

If this is in the wrong section, please tell me where I can post this. 

Edited June 13, 2022 by obiwanceleri

[argumentum]

30 minutes ago, obiwanceleri said:

Not sure where to post this

...not much that can be done. Exempt the EXEs or/and folders in Defender.