Jump to content

Are my AutoIt exes really infected?

JSThePatriot
 Share

Recommended Posts

mLipok Universalist

mLipok

Posted
Posted
 
 
 
 
3 minutes ago, JLogan3o13 said:

@Mobius Just curious, if you were one of the big AV companies - how would you police and decide who is a hobbyist and who is not, so that you could apply different levels of response logic?

IMHO:

By allowing local admin to add a certificate to trusted zone (on central AV admin console).
And if APP Dev is using the same certificate for CodeSigning then such EXE file should be always treated as SECURE.

But did you ever seen any AV Software which has a feature to add a certificate to trusted zone?

Signature beginning:
Please remember: "AutoIt"..... *  Wondering who uses AutoIt and what it can be used for ? * Forum Rules *
ADO.au3 UDF * POP3.au3 UDF * XML.au3 UDF * IE on Windows 11 * How to ask ChatGPT for AutoIt Codefor other useful stuff click the following button:

Spoiler

Any of my own code posted anywhere on the forum is available for use by others without any restriction of any kind. 

My contribution (my own projects): * Debenu Quick PDF Library - UDF * Debenu PDF Viewer SDK - UDF * Acrobat Reader - ActiveX Viewer * UDF for PDFCreator v1.x.x * XZip - UDF * AppCompatFlags UDF * CrowdinAPI UDF * _WinMergeCompare2Files() * _JavaExceptionAdd() * _IsBeta() * Writing DPI Awareness App - workaround * _AutoIt_RequiredVersion() * Chilkatsoft.au3 UDF * TeamViewer.au3 UDF * JavaManagement UDF * VIES over SOAP * WinSCP UDF * GHAPI UDF - modest begining - comunication with GitHub REST APIErrorLog.au3 UDF - A logging Library * Include Dependency Tree (Tool for analyzing script relations) * Show_Macro_Values.au3 *

 

My contribution to others projects or UDF based on  others projects: * _sql.au3 UDF  * POP3.au3 UDF *  RTF Printer - UDF * XML.au3 UDF * ADO.au3 UDF SMTP Mailer UDF * Dual Monitor resolution detection * * 2GUI on Dual Monitor System * _SciLexer.au3 UDF * SciTE - Lexer for console pane

Useful links: * Forum Rules * Forum etiquette *  Forum Information and FAQs * How to post code on the forum * AutoIt Online Documentation * AutoIt Online Beta Documentation * SciTE4AutoIt3 getting started * Convert text blocks to AutoIt code * Games made in Autoit * Programming related sites * Polish AutoIt Tutorial * DllCall Code Generator * 

Wiki: Expand your knowledge - AutoIt Wiki * Collection of User Defined Functions * How to use HelpFile * Good coding practices in AutoIt * 

OpenOffice/LibreOffice/XLS Related: WriterDemo.au3 * XLS/MDB from scratch with ADOX

IE Related:  * How to use IE.au3  UDF with  AutoIt v3.3.14.x * Why isn't Autoit able to click a Javascript Dialog? * Clicking javascript button with no ID * IE document >> save as MHT file * IETab Switcher (by LarsJ ) * HTML Entities * _IEquerySelectorAll() (by uncommon) * IE in TaskSchedulerIE Embedded Control Versioning (use IE9+ and HTML5 in a GUI) * PDF Related:How to get reference to PDF object embeded in IE * IE on Windows 11

I encourage you to read: * Global Vars * Best Coding Practices * Please explain code used in Help file for several File functions * OOP-like approach in AutoIt * UDF-Spec Questions *  EXAMPLE: How To Catch ConsoleWrite() output to a file or to CMD *

I also encourage you to check awesome @trancexx code:  * Create COM objects from modules without any demand on user to register anything. * Another COM object registering stuffOnHungApp handlerAvoid "AutoIt Error" message box in unknown errors  * HTML editor

winhttp.au3 related : * https://www.autoitscript.com/forum/topic/206771-winhttpau3-download-problem-youre-speaking-plain-http-to-an-ssl-enabled-server-port/

"Homo sum; humani nil a me alienum puto" - Publius Terentius Afer
"Program are meant to be read by humans and only incidentally for computers and execute" - Donald Knuth, "The Art of Computer Programming"
:naughty:  :ranting:, be  :) and       \\//_.

Anticipating Errors :  "Any program that accepts data from a user must include code to validate that data before sending it to the data store. You cannot rely on the data store, ...., or even your programming language to notify you of problems. You must check every byte entered by your users, making sure that data is the correct type for its field and that required fields are not empty."

Signature last update: 2023-04-24

Link to comment
Share on other sites
  • Replies 293
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

Popular Posts

Jon
Jon

Maybe we just have most popular AV vendors explicitly (just in case an external link to a more in depth guide gets removed). Easier for us to maintain that way but still useful for the majority.

Jokerman
Jokerman

I'd like to start by saying that I've experienced pretty much everything that has been mentioned in this thread - quarantined exes for completely innocuous code, compiled exes flagged as infected mont

gi_jimbo
gi_jimbo

I'm not a regular contributor here but if the @argumentum digital signing tool works, I think it would be good to add it to the "AutoIt and Malware" page (https://www.autoitscript.com/wiki/AutoIt_and_

Posted Images

Mobius Universalist

Mobius

Posted
Posted
32 minutes ago, JLogan3o13 said:

@Mobius Just curious, if you were one of the big AV companies - how would you police and decide who is a hobbyist and who is not, so that you could apply different levels of response logic?

To be honest I thought the sole purpose/concern of an antivirus company would be to ascertain what is malicious vs that which is not, and not just to green light those willing to pay and red light those that are not or cannot. Hobbyist vs not should not concern them in the least.

It is worth noting looking back at the early origins of digital signatures, malicious application developers were one of the biggest buyers so the point of recommending digital signatures seems a bit flat to me.

wtfpl-badge-1.png

Link to comment
Share on other sites
Earthshine Universalist

Earthshine

Posted
Posted (edited)

so, you have zero ideas of how to implement it. So, you can stop complaining in other words. i wish this thread would get locked. I had an issue, I went to MS and had them whitelist my autoit apps, no more issues.

Edited by Earthshine

My resources are limited. You must ask the right questions

 

Link to comment
Share on other sites
Mobius Universalist

Mobius

Posted
Posted
1 minute ago, Earthshine said:

so, you have zero ideas of how to implement it. So, you can stop complaining in other words. i wish this thread would get locked. I had an issue, I went to MS and had them whitelist my autoit apps, no more issues.

"ascertain what is malicious vs that which is not"

There is my idea of implementing a model that works in plain english, not your strong point huh? <(rhetoric)

wtfpl-badge-1.png

Link to comment
Share on other sites
Mobius Universalist

Mobius

Posted
Posted
2 minutes ago, Earthshine said:

HAGHAHAHAHA, and how are they to do that? do you think they have unlimited resources? You get ignored now.

It's called reverse engineering, but I suppose ignorance IS bliss for some, no offense intended in my statements but yet there is always one.

wtfpl-badge-1.png

Link to comment
Share on other sites
  • Moderators
JLogan3o13 Universalist

JLogan3o13

Posted
  • Moderators
Posted
41 minutes ago, Earthshine said:

so, you have zero ideas of how to implement it. So, you can stop complaining in other words. i wish this thread would get locked. I had an issue, I went to MS and had them whitelist my autoit apps, no more issues.

Not sure why you: A: think this post would be locked just because you don't like the content and B: don't move along if you don't like said content rather than ranting. I think you're getting your underwear in a twist over nothing.

"Profanity is the last vestige of the feeble mind. For the man who cannot express himself forcibly through intellect must do so through shock and awe" - Spencer W. Kimball

How to get your question answered on this forum!

Link to comment
Share on other sites
iamtheky Universalist

iamtheky

Posted
Posted (edited)
43 minutes ago, Mobius said:

"ascertain what is malicious vs that which is not"

so even if you look to something like cylance, where its 'pure math' there are still decision trees it has to follow (and that inexplecibably ended at a file size limit in their last reported bypass) and thresholds that breed false positives.

There is no magic bullet, and as long as you write small scripts that are 99.8% the same as every other autoit dropper ever, you will need to get your hashes whitelisted.  And that process is pretty easy these days, just need to work audit and exclusion tasks into the gantt for your project.

Edited by iamtheky
bad grammar, the worst. 

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Link to comment
Share on other sites
Musashi Universalist

Musashi

Posted
Posted

(Aside from the dispute that is currently taking place)

Just my personal experiences :
Q : Is a quality certificate beneficial ? A : Yes (in the vast majority of cases)

Q : Does it make sense to report 'false positives' to the antivirus companies ? A : Yes (most of the problems will be solved within a few days)

As @iamtheky already wrote : There is no magic bullet.

I always find it somehow irritating, that people easily pay $1000+ per year for their mobile phone but getting a heart attack if they have to spend $200 on a good certificate.

(a bit off topic)
What concerns me more from a privacy point of view is :
The development goes increasingly in the direction of real-time cloud protection services. You can still disable this feature (at the moment), but my trust in this approach is rather low. From a technical perspective this might be great, but we all know what will happen to our personal informations :( .

Musashi-C64.png

"In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move."

Link to comment
Share on other sites
BrewManNH Universalist

BrewManNH

Posted
Posted

BTW, I would never implicitly trust a self-signed certificate, and neither should ANY AV company. If it doesn't come from a reputable certificate issuer, then it's not worth the metaphorical paper it's written on.

Just because someone with Admin rights has installed such a cert (self-signed) doesn't mean that the cert in question is secure, in any way shape or form, it just means someone that has admin credentials installed it.

If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

Link to comment
Share on other sites
spudw2k Universalist

spudw2k

Posted
Posted
On ‎9‎/‎27‎/‎2019 at 8:45 PM, BrewManNH said:

doesn't mean that the cert in question is secure

Minor nit pick here: The issue isn't no so much that a self-signed cert isn't secure, but whether or not the issuer of a cert is trustworthy. ;)

Spoiler

Things I've Made: Always On Top Tool ◊ AU History ◊ Deck of CardsHideItICUIcon FreezerIpod EjectorJunos Configuration ExplorerLink DownloaderMD5 Folder EnumeratorPassGen ◊ Ping ToolQuick NICRead OCRRemoteITSchTasksGuiSpyCamSystem Scan Report ToolSystem UpTimeTransparency Machine VMWare ESX Builder
Misc Code Snippets: ADODB ExampleCheckHover ◊ Detect SafeModeDynEnumArrayGetNetStatData ◊ HashArrayIsBetweenDates Local AdminsMake ChoiceRecursive File ListRemove Sizebox StyleRetrieve PNPDeviceIDRetrieve SysListView32 ContentsSet IE Homepage Tickle Expired PasswordTranspose Array
Projects: Drive Space Usage GUI ◊ LEDkITPlasma_kIt ◊ Scan Engine BuilderSpeeDBurnerSubnetCalc
Cool Stuff: AutoItObject UDF Extract Icon From ProcGuiCtrlFontRotateHex Edit FuncsRun binaryService_UDF

 

Link to comment
Share on other sites
tcurran Seeker

tcurran

Posted
Posted

To reaffirm some of what's been said before: Try compiling...

  • with UPX off
  • with compression set to Low or Lowest/Off
  • launching the 64-bit version of the exe. Sometimes this will work when the 32-bit will not

One of the above or some combination of them will very likely work for you.

Link to comment
Share on other sites
Jokerman Seeker

Jokerman

Posted
Posted
10 minutes ago, tcurran said:

To reaffirm some of what's been said before: Try compiling...

  • with UPX off
  • with compression set to Low or Lowest/Off
  • launching the 64-bit version of the exe. Sometimes this will work when the 32-bit will not

One of the above or some combination of them will very likely work for you.

To add on to this - if the first version you compile gets flagged try adding a new comment line, or edit an existing one, and compile again. Or add a new unused variable (which you can then comment/uncomment in future attempts at bypassing the AV filter). I've found that changes as small as these can cause a compiled exe to miraculously no longer be flagged. YMMV.

Link to comment
Share on other sites
iamtheky Universalist

iamtheky

Posted
Posted

That is indeed a thing, I might have scripts in the wild with some commented out Lorem Ipsum and Beowulf 🙋‍♂️

It has been years though, I really havent had a problem with the newer enterprise AVs. 

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Link to comment
Share on other sites
bowain Seeker

bowain

Posted
Posted
On 9/27/2019 at 6:45 AM, BrewManNH said:

BTW, I would never implicitly trust a self-signed certificate, and neither should ANY AV company. If it doesn't come from a reputable certificate issuer, then it's not worth the metaphorical paper it's written on.

Just because someone with Admin rights has installed such a cert (self-signed) doesn't mean that the cert in question is secure, in any way shape or form, it just means someone that has admin credentials installed it.

My approach was meant more for in a work around in my corporate environment and not for public. If I were to distribute anything I code I would indeed buy a cert. And as you emphasize this will not work outside as it is a self signed cert.

I have had to whitelist most of my apps on my home lab as the AV here flags them. Mainly the older ones that were not signed and complied with UPX. I'm not sure if that is why or not.

Link to comment
Share on other sites
BrewManNH Universalist

BrewManNH

Posted
Posted
4 hours ago, bowain said:

My approach was meant more for in a work around in my corporate environment and not for public.

But it shouldn't work with a self-signed exe, the AV companies shouldn't be accepting them as valid proof you're not sending viruses around was my point. There's no reputation behind a SSC, it's just you saying "hey I swear I'm not encrypting everyone's files because I signed my exe."

If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

Link to comment
Share on other sites
bowain Seeker

bowain

Posted
Posted

@BrewManNH This is just white listed on the corporate rules, not by the AV company. Corporate created the cert on an in house CA so we know we can trust it on the corporate machines. This would never, should not ever and will not ever be used outside of our environment. As I said if I wanted to go beyond out corp area I would buy a cert from a recognized CA.

Link to comment
Share on other sites
BrewManNH Universalist

BrewManNH

Posted
Posted

That does make sense, I guess I was looking at it in a more general view.

If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

Link to comment
Share on other sites
  • 1 month later...
Jokerman Seeker

Jokerman

Posted
Posted (edited)

@stephensmith You may want to have a look at the Forum Rules post - specifically the 4th bullet point. Most things about games are specifically off-limits on these forums so think carefully before bringing them up. 😉

Edited by Jokerman
Somehow posted before I hit submit
Link to comment
Share on other sites
  • Moderators
JLogan3o13 Universalist

JLogan3o13

Posted
  • Moderators
Posted
On 11/3/2019 at 1:58 PM, stephensmith1211 said:

I don't know much about this. Just one thing to ask, can it affect my rom file downloaded from  https://garoms.com/pokemon-black/ to play pokemon game?

Jokerman is quite right, @stephensmith1211 this forum does not support game automation questions in any form. Please familiarize yourself with the rules before continuing to post.

"Profanity is the last vestige of the feeble mind. For the man who cannot express himself forcibly through intellect must do so through shock and awe" - Spencer W. Kimball

How to get your question answered on this forum!

Link to comment
Share on other sites
  • Melba23 changed the title to Are my AutoIt exes really infected?
  • Melba23 pinned this topic

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...