Are my AutoIt exes really infected?


  • 5 months later...

I'm not a regular contributor here but if the @argumentum digital signing tool works, I think it would be good to add it to the "AutoIt and Malware" page (https://www.autoitscript.com/wiki/AutoIt_and_Malware) as well as the "solution" post on this thread.


  • 2 months later...

See for example here:
https://www.joesandbox.com/analysis/722827/0/html

and here:
https://www.virustotal.com/gui/file/8b7098c44275d0203c23f2ce56c0e913c0d6b6d2264bc537e8a9f0a9f07badc9/community

and here:
https://cuckoo.cert.ee/analysis/3853341/summary/

Maybe it makes sense to mention on the Downloads page and/or Wiki? So people are not getting too frustrated.

 

Or even reach out (if possible) to at least some of the community resources to ask them to whitelist AutoIt itself, by SHA256 maybe.

  • Moderators
7 hours ago, 62mkv said:

Maybe it makes sense to mention on the Downloads page and/or Wiki? So people are not getting too frustrated.

Wouldn't curb things as much as you might think. We have tried things like that in the past; there is even an entire thread dedicated to false positives that people see, why they occur, and what to do about them. Yet people continue to post issues they encounter because they don't stop to read.

  • 5 months later...

Not too sure if this is the kind of feedback this thread is looking for, but as of lately I have been getting Windows Defender to flag my executable. This is an exe I have been using for years, written entirely by me of course, with not even additional UDFs outside of the included functions. Trojan:Win32/Bearfoos.A!ml

  • 2 months later...

Hiding an AutoIt GUI with WinSetState Triggers a False Detection

I think I found at least one of the reasons for false detection by Windows Defender. A couple of years ago, I submitted my zPlayer.exe to the Microsoft Defender ATP team for malware analysis and they removed the detection. I repeated this process several times whenever I made small changes in the code. After about 10 rounds of this process, the false detection stopped and I thought I was, sort of, given the freedom to make whatever changes I wanted. But it abruptly changed recently and Windows Defender started to flag my exe again. So I submitted the file again, and they said they had to maintain the detection. I compared the code of the last previous version, which was not detected, with the current one and I found a clue. My program has a video control GUI on top of the video image created by winmm.dll. The current version has a new function to hide the video image including the video control, and I used the WinSetState command for both of them. The video image is not my GUI, so GUISetState does not work on it anyway. I thought it would be OK to use WinSetState for the video control as well. And that was the mistake. Just out of curiosity I replaced WinSetState with GUISetState for hiding the video control and the false detection stopped. So the lesson I learned is: do not hide an AutoIt GUI with WinSetState.

To follow up, another possible issue I noticed that triggers false positives is how arrays are formed.

This will trigger false positives,
Local $arrName = ['3G1', '3G2', '3G3', '3G4', '3G5', '3G6', '3G7', '3G8', '3G9']

This does not trigger false positives,
Local $arrName[9] = ['3G1', '3G2', '3G3', '3G4', '3G5', '3G6', '3G7', '3G8', '3G9']


  • 2 months later...
Publisher:  Unknown publisher

I think there's a push for having everything "known", as in who made it.
Even corporate PCs will be changed/replaced to those that have TPM. The CPU serial number was rejected by the community but now with all those "data hack/stolen/CallItWhatYouWill", the push, based on fear ( in my view ) to accept a "safe" everything, all it does is to have everything known. Who made it. Who is liable.
That is my conclusion, even though each aspect has its own story line that will clearly toss away what I have come to understand as superstition. My 2 cents.

Bottom line, software wise, is to apply an "Extended Validation (EV) Code Signing" or have a high volume of samples running around to ramp up the "credit score" (fame score). Again, my 2 cents.
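Added example, not code from this thread, from the signing tool mentioned above, or from the AutoIt project: a PowerShell script that signs a compiled AutoIt exe with an Authenticode certificate, verifies the result through the same API Windows uses, and records the SHA-256 of the signed file, which is the hash to quote when asking a vendor to whitelist it (as suggested earlier in the thread). It assumes signtool.exe from the Windows SDK is on PATH, a code-signing certificate is installed in Cert:\CurrentUser\My, and the exe path, certificate thumbprint and timestamp-authority URL are placeholders to replace. Two caveats for practitioners: the file's hash changes when the signature is appended, so only the hash of the final signed binary is useful for whitelisting; and a valid signature removes the "Unknown publisher" prompt and feeds SmartScreen reputation, but it does not by itself clear a heuristic or machine-learning detection (Defender marks those with the "!ml" suffix, as in the Bearfoos name quoted above), so the vendor submission is still needed.

```powershell
<#
  Added example, not from this thread or the AutoIt project. Signs a
  compiled AutoIt exe, verifies the Authenticode signature, and records
  the SHA-256 of the signed binary for a false-positive submission.
  Assumptions: signtool.exe (Windows SDK) is on PATH; a code-signing
  certificate is in Cert:\CurrentUser\My; ExePath, CertThumbprint and
  TimestampUrl below are placeholders you replace.
#>
param(
    [string]$ExePath        = 'C:\build\MyTool.exe',
    [string]$CertThumbprint = 'REPLACE-WITH-CERT-THUMBPRINT',
    [string]$TimestampUrl   = 'http://timestamp.digicert.com'   # any RFC 3161 TSA
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $ExePath)) {
    throw "Not found: $ExePath"
}

# 1. Hash of the unsigned build. Signing appends a PKCS#7 blob to the PE,
#    so this value will NOT match what AV vendors see once you ship the
#    signed file; keep it only for your own build records.
$unsignedHash = (Get-FileHash -LiteralPath $ExePath -Algorithm SHA256).Hash
Write-Host "Unsigned SHA-256: $unsignedHash"

# 2. Make sure the certificate is actually present before calling signtool,
#    which otherwise fails with a less helpful message.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $CertThumbprint
if (-not $cert) {
    throw "No certificate with thumbprint $CertThumbprint in CurrentUser\My"
}

# 3. Sign with a SHA-256 file digest and an RFC 3161 timestamp, so the
#    signature remains valid after the certificate itself expires.
& signtool.exe sign /fd SHA256 /td SHA256 /tr $TimestampUrl /sha1 $CertThumbprint $ExePath
if ($LASTEXITCODE -ne 0) {
    throw "signtool failed with exit code $LASTEXITCODE"
}

# 4. Verify with the API Windows uses. Any Status other than 'Valid' means
#    the chain does not end in a root trusted on this machine, which is what
#    a "Publisher: Unknown publisher" prompt reflects.
$sig = Get-AuthenticodeSignature -LiteralPath $ExePath
"Status : {0}" -f $sig.Status
"Signer : {0}" -f $sig.SignerCertificate.Subject
if ($sig.TimeStamperCertificate) {
    "TSA    : {0}" -f $sig.TimeStamperCertificate.Subject
}
if ($sig.Status -ne 'Valid') {
    throw "Signature not valid: $($sig.StatusMessage)"
}

# 5. Hash of the signed binary: this is the value to quote when asking a
#    vendor to whitelist the file or when searching VirusTotal for it.
$signedHash = (Get-FileHash -LiteralPath $ExePath -Algorithm SHA256).Hash
Write-Host "Signed   SHA-256: $signedHash"

# 6. If Defender has already flagged this path, show the detection name so
#    the submission can reference it (needs the Defender PowerShell module).
if (Get-Command Get-MpThreat -ErrorAction SilentlyContinue) {
    Get-MpThreat |
        Where-Object { $_.Resources -match [regex]::Escape($ExePath) } |
        Select-Object ThreatName, SeverityID, IsActive
}
```

Run it from an elevated PowerShell prompt after compiling; the last step only returns anything on a machine where Defender is the active engine and has a detection recorded for that path.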

  • Developers
26 minutes ago, argumentum said:

Bottom line, software wise, is to apply an "Extended Validation (EV) Code Signing"

True, but that comes at a cost and I am only willing to provide my time to this and other projects. ;) 


  • 7 months later...

Hi everyone, I've been using AutoIt for a while now and I'm quite happy with it as it's not overly complex and quite advanced in its functionality. Unfortunately, I've been encountering false positives on compiled scripts with AutoIt, especially when I upload them to VirusTotal.

I abandoned AutoHotkey because I didn't like their GPL license, which required me to release the source code of my .ahk scripts. As a developer, I believe it's important to have the freedom to choose the license for my own source code.

I noticed that "AutoIt3_x64.exe" received a negative rating of -30 from some users, which seems unjustified given its low detection rate and overall notoriety. In fact, it is one of the executables with the least detections overall.

It would be great if antivirus companies could consider whitelisting the base code of executables to help reduce these unnecessary detections. I often find myself reporting incorrect detections, and it's quite unnerving.


On 8/19/2024 at 12:24 PM, Skdp said:

I often find myself reporting incorrect detections, and it's quite unnerving.

After almost two weeks of my false positive reports via email, my executables are still being detected; many companies have not even responded to me.😡 A few detections have been removed and a few responses received. I don't want to use Au3toCmd because it creates cmd files and not exe. I will be forced to compile the scripts in 64 bit, but they will not work on very old PCs.😢

Furthermore, in the AutoIt license agreement it is written that only scripts or compiled stand-alone scripts can be sold, and that if AutoIt.exe is incorporated into one's own software product (just to interpret scripts) it can only be distributed, correct?

Quote

Commercial Use. You may use the SOFTWARE PRODUCT for commercial purposes. You may sell for profit and freely distribute scripts and/or compiled scripts that were created with the SOFTWARE PRODUCT.

 


7 hours ago, Skdp said:

... if AutoIt.exe is incorporated into own software product (just to interpret scripts) it can only be distributed, correct?

You can legally distribute the script as EXE or AU3 or A3X as that is your product.
AutoIt is not your product hence you are not free to distribute it or bundle it, UNLESS it carries AutoIt's own EULA and the user agrees to that too. ( otherwise you are installing another product the user may not agree to )

... legally speaking, according to my interpretation of the link you provided. Never read the thing until now.

Am not a lawyer in your country, nor in mine. These are my interpretations and this is not to be understood as legal counsel.

As a side note, it would be sensible to add something like:

in case something goes wrong with your script. ( I put that one together so I may be biased in the example :) )
