Are my AutoIt exes really infected?

[ViciousXUSMC]

I have it fixed on my side, added an exception for that particular scan.

I was more or less posting for informational purposes of others that there is a new release so they can have a heads up.

 

For long term I am actually thinking of using a unqie file extension for my scripts and adding a extension exception so that any new false positives will not effect us. 

[Mobius]

Hey ViciousXUSMC two replies not bad

Seriously guys you know you could stem all the repetition (by both posters and responders) by simply locking the thread.

 

 

[Jos]

Hey ViciousXUSMC two replies not bad

Seriously guys you know you could stem all the repetition (by both posters and responders) by simply locking the thread.

 

 

​Agree, but let's then also agree  that this logic would apply to way too many threads, so that ain't happening unless they spin out of control.

Jos

[topten]

 

 

For long term I am actually thinking of using a unqie file extension for my scripts and adding a extension exception so that any new false positives will not effect us. 

​It is quite an interesting approach ViciousXUSMC

Could you please give an example how would you do that?

[ViciousXUSMC]

Firstly sorry if I somehow posted in a thread I should not have.  I figured we would have a community thread to post notices of new false positives for other users to get a heads up, this thread was the first to come up in a search.

Second topten.

All I did was go to HKLM\SOFTWARE\Classes\.exe and look at what registry keys .exe uses to be executed.

I then created my own key with my extension to tell Windows that .XXX is basically executed same as an .exe so that way a user would not get a "how should I open this file" dialog.

Rename any of my compiled AutoIT.exes to my new file extension.

In the corporate virus software control center add an exception to allow .XXX to run without being flagged as a virus.

This was the most "proactive" fix for me as it fixes it now and going forward with little risk.

The original short term fix was to just add the particular "virus" to the whitelist but then down the road a new one could come up and cause trouble all over again.

 

Regards,

[Jos]

This is a pretty clever workaround with the only "limited" risk that a potential thread will read the registry and copy itself to this set extension which then also isn't AV scanned any more.
The real nice thing about it is that all your distributed script executables won't be all wiped in one go when the AV company has a FU in the definition updates.

Jos

[Skysnake]

and now for something completely different:

from the beta 

unzipped with 7zip to au3beta

ESET NOD32 Antivirus detected Autoit3Help.exe

a variant of Win32/Injecto.ANNX trojan

Please note that ESET  never complains about AutoIt EXEs.  This is something new.

Edited May 15, 2015 by Skysnake

[Neutro]

Symantec Released this today: Killing all my scripts out in the field and removing them via quarantine. 

http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2015-050111-5257-99&vid=4294922793

I guess I should submit a false positive report but the damage is done pretty fast :/

 

​I had exactly the same problem today with one of my script.

Seems like it's a bad Symantec definitions update.
 

I will report this to them and hopefully they will fix it.

[Jos]

Autoit3Help.exe is an C++ compiled program so is indeed not related to False positives regularly seen with the compiled scripts.

Jos

[Neutro]

​I had exactly the same problem today with one of my script.
Seems like it's a bad Symantec definitions update.
 

I will report this to them and hopefully they will fix it.

​Case 08763017 opened at Symantec Support with my company account.

Will give update here when they answer me!

Edited May 15, 2015 by Neutro

[GoravG]

My autoIt v3.3.8.1 compile script exe file is virus infected

[Melba23]

GoravG,

This whole thread tells you that is NOT the case - although it seems you have not bothered to read any of it before posting.

M23

[Neutro]

​Case 08763017 opened at Symantec Support with my company account.

Will give update here when they answer me!

​Symantec asked me to fill a false positive report, which i did giving my source code, the compiled exe and a link to autoit website.

Currently waiting for an answer.

[Neutro]

Symantec answer:

In relation to submission xxxxx.

Upon further analysis and investigation we have verified your submission and as such this detection will be removed from our products.

The updated detection will be distributed in the next set of virus definitions, available via LiveUpdate or from our website at http://securityresponse.symantec.com/avcenter/defs.download.html

Please note that whitelisting can take up to 24 hours to take effect.

Decisions made by Symantec are subject to change if alterations to the Software are made over time or as classification criteria and/or the policy employed by Symantec changes over time to address the evolving landscape.

If you are a software vendor, why not take part in our whitelisting program?
To participate in this program, please complete the following form: https://submit.symantec.com/whitelist

Sincerely,
Symantec Security Response
http://securityresponse.symantec.com

So it should be OK for the next virus definitions

[SCare]

You don't understand the problem at all. The UPX program is a compressor that is used by a lot of software not just AutoIt. The problem is that the AV companies see all AutoIt scripts with the belief that it's "probably" a virus so lets flag it as such. The problem has been beaten to death, and the issue is that the AV companies are lazy.

[JohnOne]

You don't understand the problem at all. The UPX program is a compressor that is used by a lot of software not just AutoIt. The problem is that the AV companies see all AutoIt scripts with the belief that it's "probably" a virus so lets flag it as such. The problem has been beaten to death, and the issue is that the AV companies are lazy.

​Yes, I do understand.

[c.haslam]

I am writing this, taking the risk of being banned: I realize that the previous topic I started on this subject was closed.

I have a lot of confidence in the developers, so I do believe that when they write that there is no Trojan in AutoIt3Help.exe, I believe them; however, they should know that scans by virusTotal.com show mixed results. (Report available on request). 26 out of 51 anti-virus programs show it to be infected.

[Melba23]

c.haslam,

No, you will not get banned - but you make yourself look very stupid. 

- Do you think you are the first to notice this? You are not.

- Is there a Trojan in the Help fie? No.

- Have the AV companies been informed? No doubt - I personally inform AVG every time they hit on an AutoIt file.

So what more do you want us to do?

M23

[c.haslam]

My apologies.

[JohnOne]

SHA256:    bfa04c28ec8ebda53aada77f7d46d29bf5bc4de3bd9678ab154d74710fab5443
File name:    AutoIt3Help.exe
Detection ratio:    0 / 57