DHL Posted October 11, 2017 (edited) Hi, We've been using AutoIt v3.3.6.1 to compile our .au3 scripts because the online virus scanner "virustotal.com", which scans the uploaded file using different scanners and gives you a report showing the results, has seemed to report fewer false positives on executables when using the old 3.3.6.1 compiler instead of more recent, higher versions of AutoIt. We compile using Aut2Exe without UDF compression and sign them using our code-signing certificate from a trusted vendor. It has been a while since we compared scanning the same .au3 script compiled with different versions, and I was just wondering if version 3.3.6.1 is still the "safest" version or if people here have another preference for which AutoIt version / compiler causes the least number of false positives? Edited October 11, 2017 by DHL: typo, and added the fact that we use a cert to sign our exes.
BrewManNH Posted October 11, 2017 I've never had any of my compiled execs flagged and I'm using the latest version. So, anything we tell you would depend on which unreliable AV you're using that's flagging them.
JLogan3o13 (Moderator) Posted October 11, 2017 Same here, I routinely write and compile scripts in corporate environments, and have lately found myself doing a lot of AutoIt/PowerCLI cross scripting. Never any issues with the latest version and any of the major business AV suites out there. I'm sure I have run under just about everything in the top three sections of the magic quadrant: https://solutionsreview.com/endpoint-security/gartner-2017-epp-magic-quadrant/
iamtheky Posted October 11, 2017 (edited) Do you mean 'without UDF compression' OR 'without UPX (UCL) compression'? And have you tried just hashing your exe and uploading that to see if you are really popping for a signature? Or commenting out the whole thing, and uploading an exe that does a bunch of nothing to see if it's all compiler flags, or if someone really did detonate you in a sandbox and you tripped heuristics. If that last thing happened you need to bear in mind that all AutoIt exes look like 90% the same, so it really is on the author to perform their due diligence in getting it whitelisted. That being said, I drop scripts all over monoliths in regulated environments; the last script I got flagged on was Carbon Black and that's because I was running the PowerShell Invoke-Obfuscation module, so that's hardly AutoIt's fault. Edited October 11, 2017 by iamtheky
Draygoes Posted November 18, 2017 (edited) Just contacted Bullguard a few days ago. It detected a UPX-compiled script on a friend's machine. I only bring it up so that you all can be aware. Bullguard is quick to update, and their customer support is fantastic, so I am willing to bet they fixed it by now. (It's been just under a week.) It does look like this problem has gotten better over the years though. The noticeable difference is that I can now run my favorite antimalware programs without having to worry about one hitting AutoIt by accident. EDIT: I most often use Avast, ClamWin (I know, I know, but it's worth doing just in case when poop hits the fan...), Spybot, and a few less effective ones that can still catch unusual problems that even the big guns can miss. It's rare, but it happens. Only Avast is allowed to run in the background of course. Edited November 18, 2017 by Draygoes: added details.
EmilyLove Posted November 21, 2017 (edited) I must admit, I'm getting really tired of the false positives and constantly having to fight AV vendors to get my scripts whitelisted. I coded a simple hello world script:

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Icon=C:\Program Files (x86)\AutoIt3\Icons\MyAutoIt3_Blue.ico
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
MsgBox(0,"Hello","World")

6 Detections: https://www.virustotal.com/#/file/2cf504b59fd1e185d45519e03a4fe47866db9f84d4a68cad7850d78a660b060a/detection

My website's reputation is suffering because of this. I'm thinking about leaving AutoIt for good and learning some other language like C#. I know I'm still going to have to fight them, no matter what language I pick, but this is getting ridiculous. What are your thoughts? Edited November 21, 2017 by BetaLeaf
iamtheky Posted November 21, 2017 (edited) The only one that is laughable is SOPHOS, who claims their ML identified it via heuristics. The others have just correctly identified something that shares 98% of its code with identified malware. It may be lazy grading, but I'd like to see more compiler directives (like UPX=N) to try and accommodate them rather than expecting the reverse. I'm down to 4 with just directives.

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Icon=C:\Program Files (x86)\AutoIt3\Icons\MyAutoIt3_Blue.ico
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_UseX64=n
#AutoIt3Wrapper_Run_Tidy=y
#AutoIt3Wrapper_AU3Check_Parameters=-d -w 1 -w 2 -w 3 -w- 4 -w 5 -w 6 -w- 7
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
MsgBox(0, "Hello", "World")

Edited November 21, 2017 by iamtheky
iamtheky Posted November 21, 2017 (edited) Down to 3. Weird that Qihoo and SentinelOne fall off and DrWeb comes back. They wouldn't have arbitrary checks they try and pass off as Machine Learning... that's unheard of in the infosec community. If you only score a 3/67 and you are not a large vendor or carrying a signed exe in your pocket, then you are doing great. (You want to see something fun, put the pragma directives in place of the wrapper_ ones and watch all of them start changing again; it's r-e-t-a-r-d-e-d and does not change when your language of choice changes.)

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Icon=C:\Program Files (x86)\AutoIt3\Icons\MyAutoIt3_Blue.ico
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_UseX64=n
#AutoIt3Wrapper_ShowProgress=y
#AutoIt3Wrapper_Res_SaveSource=y
#AutoIt3Wrapper_Res_Fileversion=3.0
#AutoIt3Wrapper_Run_Tidy=y
#AutoIt3Wrapper_AU3Check_Parameters=-d -w 1 -w 2 -w 3 -w- 4 -w 5 -w 6 -w- 7
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
MsgBox(0, "Hello", "World")

Edited November 21, 2017 by iamtheky
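Editor's note, an added example that is not from the thread and not part of AutoIt: the three things the posts above keep coming back to (hash the exe and look the hash up instead of re-uploading, as iamtheky suggests; confirm the build really went out with #AutoIt3Wrapper_UseUpx=n; and confirm the Authenticode signature DHL mentions is actually attached) can all be checked offline before anyone contacts a vendor. The script below parses the PE headers by hand: UPX is detected from its default UPX0/UPX1 section names and the "UPX!" marker, and a signature is detected from a non-empty Security Directory entry. The two sample PE images are constructed inline with headers only (assumption: they stand in for real AutoIt binaries), and the VirusTotal URL is the GUI hash-lookup page, so nothing is uploaded.

```python
"""Pre-upload triage for a compiled AutoIt .exe (added example, not AutoIt code).

Reports the SHA-256 (look it up rather than uploading), whether the binary is
UPX-packed (section names UPX0/UPX1 plus the "UPX!" marker), and whether an
Authenticode signature is attached (non-empty Security Directory).  Parsing is
hand-rolled with struct, so it runs offline on any platform.  The sample PE
images at the bottom are constructed for the demo and are not real binaries.
"""
import hashlib
import struct
import sys

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".UPX0", ".UPX1"}
COFF_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp,
                               # PointerToSymbolTable, NumberOfSymbols,
                               # SizeOfOptionalHeader, Characteristics
SECURITY_DIRECTORY_INDEX = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY


def _headers(data: bytes):
    """Return (number_of_sections, optional_header_offset, optional_header_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _m, nsect, _ts, _sym, _nsym, opt_size, _ch = struct.unpack_from(COFF_FMT, data, coff)
    return nsect, coff + 20, opt_size


def section_names(data: bytes) -> list[str]:
    """Names from the section table (40-byte entries, 8-byte name field)."""
    nsect, opt, opt_size = _headers(data)
    table = opt + opt_size
    names = []
    for i in range(nsect):
        raw = data[table + 40 * i: table + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def is_upx_packed(data: bytes) -> bool:
    """Default UPX output keeps its section names; the 'UPX!' marker is a second hint."""
    return any(n in UPX_SECTION_NAMES for n in section_names(data)) or b"UPX!" in data


def has_authenticode_signature(data: bytes) -> bool:
    """True if the Security Directory points at a signature blob.

    Only presence is checked; validating the chain still needs signtool or
    PowerShell's Get-AuthenticodeSignature on Windows.
    """
    _n, opt, _s = _headers(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32
        count_off, dir_off = 92, 96
    elif magic == 0x20B:          # PE32+
        count_off, dir_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    count = struct.unpack_from("<I", data, opt + count_off)[0]
    if count <= SECURITY_DIRECTORY_INDEX:
        return False
    offset, size = struct.unpack_from("<II", data, opt + dir_off + 8 * SECURITY_DIRECTORY_INDEX)
    return offset != 0 and size != 0


def triage(data: bytes) -> dict:
    """Everything worth knowing before contacting a vendor, plus the VT hash URL."""
    digest = hashlib.sha256(data).hexdigest()
    return {
        "sha256": digest,
        "sections": section_names(data),
        "upx": is_upx_packed(data),
        "signed": has_authenticode_signature(data),
        # Hash lookup page; nothing is uploaded by visiting it.
        "vt_lookup": f"https://www.virustotal.com/gui/file/{digest}",
    }


def build_sample_pe(names: list[bytes], signed: bool = False) -> bytes:
    """Minimal PE32 image (headers only) with the given section names. Demo input only."""
    opt_size = 224                                    # standard PE32 optional header
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    if signed:                                        # fake Security Directory entry
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIRECTORY_INDEX, 0x1000, 0x800)
    coff = struct.pack(COFF_FMT, 0x14C, len(names), 0, 0, 0, opt_size, 0x102)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


SAMPLE_UPX = build_sample_pe([b".text", b"UPX0", b"UPX1", b".rsrc"])
SAMPLE_SIGNED = build_sample_pe([b".text", b".rdata", b".data", b".rsrc"], signed=True)

if __name__ == "__main__":
    target = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_UPX
    for key, value in triage(target).items():
        print(f"{key}: {value}")
```

Run it as `python triage.py MyScript.exe`; if "upx" comes back True the wrapper directive did not take effect, and if "signed" comes back False the certificate was never applied, both of which are worth ruling out before blaming the scanner. A renamed UPX section table or a custom packer will slip past the name check, so treat a False there as "not default UPX", not as "unpacked".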
BrewManNH Posted November 21, 2017 6 hours ago, BetaLeaf said: I must admit, I'm getting really tired of the false positives and constantly having to fight av vendors to get my scripts whitelisted. See post #160 in this thread, VirusTotal is a joke and completely unreliable. Stop flogging the dead horse, it's not going to rise from the dead.
EmilyLove Posted November 21, 2017 5 hours ago, BrewManNH said: See post #160 in this thread, VirusTotal is a joke and completely unreliable. Stop flogging the dead horse, it's not going to rise from the dead. I'm not flogging a dead horse, my customers are. There are some who will only validate their existing beliefs. (Confirmation Bias/The Backfire Effect)
EmilyLove Posted November 21, 2017 I've used letsencrypt for my website, is there an equivalent for applications?
iamtheky Posted November 22, 2017 (edited) I think it's fair to say that VirusTotal is a dead horse. Does your customer have full/enterprise versions of AV that are also triggering, and if so which vendors? Does IDS trip when they download the file? Does it get quarantined by the ESA if sent as an attachment? Does the EDR lose its shit when it executes? Or "just this one website doesn't tell me it's clean"? Edited November 22, 2017 by iamtheky
iamtheky Posted November 22, 2017 That might be the most YOLO app security strategy I have ever heard of in my 15 years of infosec.
EmilyLove Posted November 22, 2017 (edited) 22 minutes ago, iamtheky said: That might be the most YOLO app security strategy I have ever heard of in my 15 years of infosec. Look, I know VirusTotal is crap, I'm saying my customers don't. I'm just trying to figure out why something as simple as a hello world script gets flagged, which was answered by @BrewManNH. Edited November 22, 2017 by BetaLeaf
iamtheky Posted November 22, 2017 I was agreeing. Customer service issues with the ill-informed suck. And software signing should not help with the ML and heuristic detections (as those should be detonations/behavioral and signing wouldn't change that), though I have no faith those aren't triggering on something static.
Trax Posted January 3, 2018 Webroot SecureAnywhere is on the warpath. All the EXEs I have written are being quarantined. None of them are malicious. They are finding some common signature bytes and blacklisting everything. Does anyone know links to Webroot to complain?
iamtheky Posted January 3, 2018 (edited) I'd start with support, but you may want to also make sure you are compiling in the most AV-friendly manner, like with UPX off. https://www.webrootanywhere.com/servicewelcome.asp Edited January 3, 2018 by iamtheky
antmar904 Posted January 25, 2018 (edited) We are using the latest version of TrendMicro OfficeScan XG and it's now starting to flag my AutoIt .exe as Trojans. I was told that I would have to submit my exe to Trend for verification BUT the .exe would have to be digitally signed. Is anyone else seeing this? Edited January 25, 2018 by antmar904
Sergeant_Shultz Posted March 20, 2018 Windows Defender was flagging all .exes as Trojans. Turned off real-time protection and cloud protection as well as automatic sample submission. Currently using another AV software. Open to suggestions.