Jump to content

Are my AutoIt exes really infected?

JSThePatriot
 Share

Recommended Posts

topten Universalist

topten

Posted
Posted

Ok, I understand, UPX, malwares and all that sort of things, but...

Dont the people use other languages to write malwares? Dont they use c++, python and other languages to hook dlls etc? But as default AV companies dont mark their simple code such as "MsgBox (0,0,0)" as Autoit keylogger .gen trojan. Sincerely, I can live with this... But I want to be proud of my scripts.- not to be marked for such simple things

Link to comment
Share on other sites
  • Replies 293
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

Popular Posts

Jon
Jon

Maybe we just have most popular AV vendors explicitly (just in case an external link to a more in depth guide gets removed). Easier for us to maintain that way but still useful for the majority.

Jokerman
Jokerman

I'd like to start by saying that I've experienced pretty much everything that has been mentioned in this thread - quarantined exes for completely innocuous code, compiled exes flagged as infected mont

gi_jimbo
gi_jimbo

I'm not a regular contributor here but if the @argumentum digital signing tool works, I think it would be good to add it to the "AutoIt and Malware" page (https://www.autoitscript.com/wiki/AutoIt_and_

Posted Images

  • Developers
Jos Universalist

Jos

Posted
  • Developers
Posted

AV companies often mark any Compiled script as virus for the simple fact they check on the included runtime module in stead of the real script section.
There is a simple reason why AutoIt3 is used to write illigal stuff because it is so damn simply to do.
In this case of autoit3help I have no clue why they make that as virus as it is a simple c++ program which opens the helpfile on the right topic/function page depending on the parameter provided.

Jos

SciTE4AutoIt3 Full installer Download page   - Beta files       Read before posting     How to post scriptsource   Forum etiquette  Forum Rules 
 
Live for the present,
Dream of the future,
Learn from the past.  :)

Link to comment
Share on other sites
c.haslam Universalist

c.haslam

Posted
Posted

I am interested to hear that the sources for AutoIt3Help.exe are written in C++. I thought Melba23 was rough on me because he was assuming that I knew that AutoIt3Help.exe is a compiled AutoIt script, which I now know is not so. AutoIt3Help.exe is not "my AutoIt EXE".

It must be tough on the moderators to face compiled AutoIt scripts being seen as infected.

Would it make sense to distribute an AutoIt3Help.au3 script? The antivirus guys, to my knowledge, don't tag scripts as infected,

...chris

Spoiler

CDebug Dumps values of variables including arrays and DLL structs, to a GUI, to the Console, and to the Clipboard

 

Link to comment
Share on other sites
jchd Universalist

jchd

Posted
Posted

Yes they regularly do. Some .au3 are even sometimes their targets.

This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.
Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here
RegExp tutorial: enough to get started
PCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta.

SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.
SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.
An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.
SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)
A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!
SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt)

Link to comment
Share on other sites
  • Moderators
JLogan3o13 Universalist

JLogan3o13

Posted
  • Moderators
Posted

I don't see what having an uncompiled help file would buy us, besides further confusion for new users.

"Profanity is the last vestige of the feeble mind. For the man who cannot express himself forcibly through intellect must do so through shock and awe" - Spencer W. Kimball

How to get your question answered on this forum!

Link to comment
Share on other sites
  • Developers
Jos Universalist

Jos

Posted
  • Developers
Posted (edited)

I am interested to hear that the sources for AutoIt3Help.exe are written in C++.

You could have read a little but further back and see it was already stated by me on May 15 in this thread. :)

Autoit3Help.exe is an C++ compiled program so is indeed not related to False positives regularly seen with the compiled scripts.

Jos

I am also not sure why you read into Melba23's post that AutoIt3Help.exe is a compiled script. It used to be one which was converted to an EXE when we added some extra logic and to keep it smaller, so it's not going to be reverted. :)

Jos

Edited by Jos

SciTE4AutoIt3 Full installer Download page   - Beta files       Read before posting     How to post scriptsource   Forum etiquette  Forum Rules 
 
Live for the present,
Dream of the future,
Learn from the past.  :)

Link to comment
Share on other sites
c.haslam Universalist

c.haslam

Posted
Posted (edited)

You could have read a little but further back and see it was already stated by me on May 15 in this thread. :)

I am also not sure why you read into Melba23's post that AutoIt3Help.exe is a compiled script. It used to be one which was converted to an EXE when we added some extra logic and to keep it smaller, so it's not going to be reverted. :)

Jos

Actually, I didn't read (or post) to this thread yesterday, but to a new thread, because AutoIt3Help.exe is not my exe. Perhaps I missed the point, but the only reason I could see for Melba23's blast was that AutoIt3Help.exe is a compiled script. Perhaps I missed his point. I see your point for not reverting it to a compiled script.

May we win the war against the AV companies!

Edited by c.haslam
Spoiler

CDebug Dumps values of variables including arrays and DLL structs, to a GUI, to the Console, and to the Clipboard

 

Link to comment
Share on other sites
  • Developers
Jos Universalist

Jos

Posted
  • Developers
Posted (edited)

May we win the war against the AV companies!

That will never happen, like AV companies will never catch all malicious programs.

Jos

Edited by Jos

SciTE4AutoIt3 Full installer Download page   - Beta files       Read before posting     How to post scriptsource   Forum etiquette  Forum Rules 
 
Live for the present,
Dream of the future,
Learn from the past.  :)

Link to comment
Share on other sites
  • 5 weeks later...
  • 1 month later...
  • Developers
Jos Universalist

Jos

Posted
  • Developers
Posted

my script always become infected after using UPX Compression !! and sometimes even without using it

please help

 

Not sure what you are expecting for other help than already suggested in this thread,but assume you get false positives or else you have a serious problem we can't help you with..

Jos 

SciTE4AutoIt3 Full installer Download page   - Beta files       Read before posting     How to post scriptsource   Forum etiquette  Forum Rules 
 
Live for the present,
Dream of the future,
Learn from the past.  :)

Link to comment
Share on other sites
  • 4 weeks later...
EmilyLove Universalist

EmilyLove

Posted
Posted

Greetings, I actually have a script that allows you to quickly report your programs as false positives to all known anti virus vendors with a simple drag and drop operation. It takes what normally takes a person a couple of hours to do and does it in 30 seconds. You can get it from my signature below. It's called False Positive Reporter. Thank you for your time and have a great day. I hope this was of help to you.

 

 

Link to comment
Share on other sites
  • 3 months later...
water Universalist

water

Posted
Posted (edited)

In the following case the script isn't flagged as a virus but the problem is caused by an AV software:

  • You run Trend Micro AV software.
  • You get an AutoIt error message when running the script telling you "Unable to open the script file".
  • The size of this exe is a few kilobyte smaller then that of a working exe.
  • You do not get any error messages when compiling the script. Neither from Aut2xe nor from Trend Micro.

The problem - in my case - was caused by Trend Micro's Behavior Monitoring.
To solve the problem you simply have to disable this feature for Aut2Exe.exe.

Seemed that logging was disabled for the Behavior Monitoring as well (by default?) so we didn't find anything in the TM logs.
Details can be found in the following thread:
 

Edited by water

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2024-07-28 - Version 1.6.3.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 

Link to comment
Share on other sites
  • 4 weeks later...
MattHiggs Universalist

MattHiggs

Posted
Posted

Is it really too much to ask that antivirus companies put quality before quantity, especially for the ones which charge annual fees for the service?  I work as a remote IT support specialist and service many different clients, and I often use Autoit scripts to assist my end users, which is made difficult when I get a slew of emails stating that a script I wrote (which includes a legitimate program installer, say, for an adobe reader update, and runs the installer unattended using my admin credentials) is being flagged as malicious by their antivirus programs.  I have the issue with antiviruses just flat out trying to automatically quarantine my files without so much as a warning, and I can tell you that opening my antivirus, restoring my quarantined file, and marking it or the folder it is in in the exception list just never gets old (sarcasm).  And the sad fact of the matter is that it is not just antiviruses which play a role in this.....frustration.  Now browsers are trying to get in on the action.  Even if, somehow, the file is not flagged as a virus, I still get emails from users using Google chrome who, when attempting to download the file, would receive a message stating "This file has not been downloaded very often and may harm your computer.  You should delete it" or something to that extent.  If they would just read the message and use this little thing called logic (I just wrote the script to meet your needs, so of course it hasn't been downloaded often), they could save themselves and myself the migraine, but when they see that red circle, they start freaking out and stop using their brains.  But I still blame the browser in the end for trying to nudge its way into malware detection and using a metric that is completely retarded in order to determine this. 

Link to comment
Share on other sites
JohnOne Universalist

JohnOne

Posted
Posted

I have never had a false for over 2 years since I stopped using compression.

Or.

Start creating a library of functions/methods/classes to do the work, in some other language, as I cannot see this problem ending anytime soon.

AutoIt Absolute Beginners    Require a serial    Pause Script    Video Tutorials by Morthawt   ipify 

Monkey's are, like, natures humans.

Link to comment
Share on other sites
  • 3 weeks later...
  • 3 weeks later...
Trong Universalist

Trong

Posted
Posted

The antivirus is the reason that I stopped using autoit to write public software. 
I am very sad and be forced to switched to using c++ it harder than AutoIt.
I hope people do not use autoit to write viruses.
I always love AutoIt.

  

Win32:Evo-gen [Susp]
Trojan: W32/AutoIt

 

Regards,
 

Link to comment
Share on other sites
  • 3 weeks later...
VaultGuy Seeker

VaultGuy

Posted
Posted

I don't know if someone already suggested this:
Get a code signing certificate from a certificate authority (Thawte, GlobalSign, etc.) and use it to digitally sign your applications.
Usually costs around 200-300$ per year (Just had a quick glance).

Usually AV solutions monitor the certificates issued by a CA and trust the applications signed with official certificates automatically.
Even if that's not the case, many AV solutions use a reputation system for the heuristic analysis of files.
Having a digital signature would improve the chances of your file being detected as "good".

If you want to use your software in any commercial way or in a professional environment, code signing would be the best way to get along with AV solutions.

Link to comment
Share on other sites
  • 1 month later...
  • Melba23 changed the title to Are my AutoIt exes really infected?
  • Melba23 pinned this topic

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...