Popular Post JSThePatriot Posted October 17, 2006 Popular Post Share Posted October 17, 2006 (edited) If you have been using AutoIt for any length of time you will know that it is a great, and powerful scripting language. As with all powerful languages there comes a downside. Virus creation by those that are malicious. AutoIt has no virii installed on your system, and if a script you have created has been marked as a virus, (and you're not malicious) then this is a false positive. They found a set of instructions in an AutoIt EXE out there somewhere, took the general signature of the file, and now all AutoIt EXE's are marked (or most of them). This can be due to several reasons. AutoIt is packed with UPX. UPX is an open source software compression packer. It is used with many virii (to make them smaller). Malicious scripter got the AutoIt script engine recognized as a virus. And I am sure there are more ways your executable could be marked, but that covers the basics. Now I am sure you are wanting to know what you can do to get back up and running without being recognized as a virus. You have to send in a report to the offending AV company alerting them to the false positive they have made. It never hurts to send in your source code along with a compiled exe, to help them realize their mistake. You may have to wait up to 24 hours for them to release an update. The time it takes really depends on the offending AV company. Anti-Virus Links AntiVir Website Contact Avast! Website Contact McAfee Website Contact (email address) Symantec (Norton) Website Contact AVG Website Contact (It says sales or other ?'s I assume this will work) ClamWin Website Contact ClamAV Website Contact (I would only contact the ones with "virusdb maintainer or virus submission management") BitDefender Website Contact ZoneLabs Website Contact Norman Website Contact (email address) eSafe Website Contact (login required) A2 (A-Squared) Website Contact (email address) Edit: Added Website links and Contact links. I hope this helps you understand why your AutoIt executables are marked as virii. JS Edited January 25, 2023 by Melba23 quickbeam, Leendert-Jan, ibrahem and 10 others 9 4 AutoIt Links File-String Hash Plugin Updated! 04-02-2008 Plugins have been discontinued. I just found out. ComputerGetInfo UDF's Updated! 11-23-2006 External Links Vortex Revolutions Engineer / Inventor (Web, Desktop, and Mobile Applications, Hardware Gizmos, Consulting, and more) Link to comment Share on other sites More sharing options...
Valik Posted October 17, 2006 Share Posted October 17, 2006 Thanks JS, does anybody have anything else to add before I lock this? Link to comment Share on other sites More sharing options...
Blue_Drache Posted October 18, 2006 Share Posted October 18, 2006 (edited) I would like to propose a workaround.For those of you who can, downgrading from the newest version to version 3.1.1 does seem to work. Apparently there's something in the new AutoIt3.bin file included in versions after 3.1.1 that's creating a "lookalike" pattern during the compile and UPX compression. I noticed this during the first round of false-positves with Norton's AV client. I'd not recompiled all my programs with the new version, but I did compile a few of the COM aware scripts that I'd written with the 3.1.1 betas. I also did some work on some old scripts, compiling them with the new version. All newly compiled scripts were eventually whacked, but those compiled with 3.1.1 were untouched. This is the solution that I've decided to run with at this time. Though the new features in 3.2 (COM and whatnot) are absolutely awesome, I don't have any scripts that utelize said features and I don't want to deal with the hassle of 400 users saying "My xyz program doesn't work anymore! Fix it!" because of a false positive. Edited October 18, 2006 by Blue_Drache Lofting the cyberwinds on teknoleather wings, I am...The Blue Drache Link to comment Share on other sites More sharing options...
Uten Posted October 19, 2006 Share Posted October 19, 2006 Rather than hacking upx or the runtime engine we should (as JS points out when he provided the contact information) make a request to the Antivirus maker to fix their scanner such that it does not detect our files as false positives. Make sure to send them a copy of the file. If you are the author of the file it would benefit the comunity if you added instructions on how to decompile it to let them peek at the source.So in your request:Use a real mail address. They should be able to contact you to get further information.Be polite. It is a business your dealing with. Negative wording and disrespectfull behaviour will not benefit you or us.Only use objective arguments. State clearly if you are the author of the file detected as a false positive.If you can, let them have a peek at the source (instructions on how to decompile).Let them know that you and most of the comunity are eager to find a solution. And will, as fare as our knowledge goes, do wathever we can to do so. Please keep your sig. small! Use the help file. Search the forum. Then ask unresolved questions :) Script plugin demo, Simple Trace udf, TrayMenuEx udf, IOChatter demo, freebasic multithreaded dll sample, PostMessage, Aspell, Code profiling Link to comment Share on other sites More sharing options...
Valik Posted October 19, 2006 Share Posted October 19, 2006 Talk to Jon, he's the one who wrote it, named it and mis-informed everybody with the above post. However, I would argue that it shouldn't take more than 2 seconds to figure this out. If you know enough to want to disable UPX, you should know it's a compressor therefore a quick look at the options will provide only one with "UPX" and "compress" in the name. Maybe it is mis-named and not implemented right, but I don't think it takes a computer science degree to figure out what it's for if you know enough about UPX to want to disable it in the first place. Link to comment Share on other sites More sharing options...
Administrators Jon Posted December 19, 2006 Administrators Share Posted December 19, 2006 Talk to Jon, he's the one who wrote it, named it and mis-informed everybody with the above post. However, I would argue that it shouldn't take more than 2 seconds to figure this out. If you know enough to want to disable UPX, you should know it's a compressor therefore a quick look at the options will provide only one with "UPX" and "compress" in the name. Maybe it is mis-named and not implemented right, but I don't think it takes a computer science degree to figure out what it's for if you know enough about UPX to want to disable it in the first place.Only just seen this. So. Oi! Deployment Blog: https://www.autoitconsulting.com/site/blog/ SCCM SDK Programming: https://www.autoitconsulting.com/site/sccm-sdk/ Link to comment Share on other sites More sharing options...
Administrators Jon Posted January 15, 2013 Administrators Share Posted January 15, 2013 This thread will be replaced with a pointer to the wiki: http://www.autoitscript.com/wiki/AutoIt_and_MalwareSo that the community can update it as required. I've copied the first post into the wiki, but it's pretty out of date (I believe) - hopefully someone can update it/wikify it/reword it Deployment Blog: https://www.autoitconsulting.com/site/blog/ SCCM SDK Programming: https://www.autoitconsulting.com/site/sccm-sdk/ Link to comment Share on other sites More sharing options...
storme Posted January 15, 2013 Share Posted January 15, 2013 I've only just found this web pageHow to Report Malware or False Positives to Multiple Antivirus VendorsUpdated 5. January 2013From a quick read through it looks like exactly what we need.Maybe the WIKI could be cut down to an explaination WHY AutoIt isn't a virus and a link to that page so they can send in false positives to the vendor(s). It's 2am so off to bedJohn Morrison Some of my small contributions to AutoIt Browse for Folder Dialog - Automation SysTreeView32 | FileHippo Download and/or retrieve program information | Get installedpath from uninstall key in registry | RoboCopy function John Morrison aka Storm-E Link to comment Share on other sites More sharing options...
Moderators JLogan3o13 Posted January 15, 2013 Moderators Share Posted January 15, 2013 I made some minor spelling and grammatical updates to the page.. I think storme's idea is a good one, but I'm going through all the site links now to ensure there are no dead ones until we decide to go that route. "Profanity is the last vestige of the feeble mind. For the man who cannot express himself forcibly through intellect must do so through shock and awe" - Spencer W. Kimball How to get your question answered on this forum! Link to comment Share on other sites More sharing options...
storme Posted January 16, 2013 Share Posted January 16, 2013 I still think the ultimate (That can be achived at this moment) solution is what I suggested hereBasically a tool that we (autoit programmers) can run our latest creations through to see if it triggers any virus alerts (Using Virus total).If it triggers and alert the tool will email the antivirus company to "try" and have it removed.I looked into it and got lost in controlling the VirusTotal JSON API.https://www.virustotal.com/documentation/public-api/It seems simple but I just can't get my head around it.If I can get help with doing that then the rest is just tieing together some basic items. It really doesn't have ot be anything extra special just a tool to help.Here to helpJohn Morrison Some of my small contributions to AutoIt Browse for Folder Dialog - Automation SysTreeView32 | FileHippo Download and/or retrieve program information | Get installedpath from uninstall key in registry | RoboCopy function John Morrison aka Storm-E Link to comment Share on other sites More sharing options...
Administrators Jon Posted January 16, 2013 Administrators Share Posted January 16, 2013 (edited) I made some minor spelling and grammatical updates to the page.. I think storme's idea is a good one, but I'm going through all the site links now to ensure there are no dead ones until we decide to go that route.Maybe we just have most popular AV vendors explicitly (just in case an external link to a more in depth guide gets removed). Easier for us to maintain that way but still useful for the majority. Edited January 16, 2013 by Jon DFerrato 1 Deployment Blog: https://www.autoitconsulting.com/site/blog/ SCCM SDK Programming: https://www.autoitconsulting.com/site/sccm-sdk/ Link to comment Share on other sites More sharing options...
Moderators JLogan3o13 Posted January 16, 2013 Moderators Share Posted January 16, 2013 Maybe we just have most popular AV vendors explicitly (just in case an external link to a more in depth guide gets removed). Easier for us to maintain that way but still useful for the majority.I'd agree with that. I did go through and check all the links; updated a couple of dead ones. Maybe list the top 5 or so explicitly, and then provide the link from storme's post #8 with a line "if you do not see the offending AV company, click here for instructions on submitting to other companies, etc. etc."? "Profanity is the last vestige of the feeble mind. For the man who cannot express himself forcibly through intellect must do so through shock and awe" - Spencer W. Kimball How to get your question answered on this forum! Link to comment Share on other sites More sharing options...
RogerL Posted February 22, 2013 Share Posted February 22, 2013 John T. Halley of PortableApps.com wrote on 2013-02-22 5:57pm (at http://portableapps.com/node/36508#new) "DropIT is written in AutoIT. AutoIT is not a compiled language. It merely takes the closed source AutoIT EXE and sticks the script onto the end of it in encrypted form, making it very difficult for tools to analyze is goodware vs badware-ness. AutoIT is also very popular with malware writers since it is relatively easy to use and relatively powerful, with access to most of the Windows API. Since every AutoIT-based EXE is basically the same EXE, false positives run rampant across all kinds of antivirus engines. We had allowed an AutoIT-based app into the app directory, EraserDrop Portable, quite some time ago. We have had numerous issues with false positives in that time. The author even created an updated version last year, but it was detected as a virus by several major antivirus engines, so we have not released it. The end result was that users complain to us that downloads have viruses in them even when they don't. Due to the issues with AutoIT-based EXEs, we instituted a policy against any new AutoIT apps a few years ago. As the same issues persist, we're unlikely to change that policy." Do the AutoIt devs have any comments on this? Link to comment Share on other sites More sharing options...
BrewManNH Posted February 22, 2013 Share Posted February 22, 2013 I'm not a developer, but I'd have to say that John T. Halley is a moron. How many viruses are there that are written in C++, C#, Lisp, etc.? How many false positives from shitty AV software do legitimate exes have, that aren't written in AutoIt? Leendert-Jan 1 If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag GudeHow to ask questions the smart way! I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from. Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays. - ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script. - Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label. - _FileGetProperty - Retrieve the properties of a file - SciTE Toolbar - A toolbar demo for use with the SciTE editor - GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI. - Latin Square password generator Link to comment Share on other sites More sharing options...
Moderators JLogan3o13 Posted February 22, 2013 Moderators Share Posted February 22, 2013 (edited) I would add that, personally anyway, I have never had great luck with PortableApps. When I want something I can run from a thumbdrive, I fire up Cameyo (free), SVS (free) or ThinApp (Not free but worth it), and do it myself. Edited February 22, 2013 by JLogan3o13 "Profanity is the last vestige of the feeble mind. For the man who cannot express himself forcibly through intellect must do so through shock and awe" - Spencer W. Kimball How to get your question answered on this forum! Link to comment Share on other sites More sharing options...
JohnOne Posted February 23, 2013 Share Posted February 23, 2013 How many viruses are there that are written in C++, C#, Lisp, etc.? How many false positives from shitty AV software do legitimate exes have, that aren't written in AutoIt?1. I'd say more than in autoit.2. I'd say nowhere near as many as autoit.They're tossers for banning autoit programs, but his point is valid.You have seen how it can be, I certainly have when I awoke to find my av had flagged every single compiled script on my machine as virus.It's not their fault, and it's not ours, the burden of responsibility, to me, sits squarely on the shoulders of the AV companies, they are the ones making the big money and claiming to protect machines from viruses.When a person downloads an app from there, and it's flagged, they don't generally come here, they complain to them, they don't know what we do, they don't even know what language it's written in, or what even a programming language is, and they've never heard of autoit.Should they accept the workload of dealing with it all? I certainly wouldn't. AutoIt Absolute Beginners Require a serial Pause Script Video Tutorials by Morthawt ipify Monkey's are, like, natures humans. Link to comment Share on other sites More sharing options...
d3nba9uzs Posted July 3, 2013 Share Posted July 3, 2013 uninstall the autoit. fix isue registry with ccleaner. restart computer. install agains. DONE Link to comment Share on other sites More sharing options...
caramen Posted July 5, 2013 Share Posted July 5, 2013 I am very low in coding things but i noticed that ... may this can help) i used compilation of a false detected malwar by avast and it solved my issue with these parameters Default settings: Compression > Normal UPX compresse .exe stub Used settings to not get anymore my script as a malwar: Compression > lowest My video tutorials : ( In construction ) || My Discord : https://discord.gg/S9AnwHw How to Ask Help || UIAutomation From Junkew || WebDriver From Danp2 || And Water's UDFs in the Quote Spoiler Water's UDFs:Active Directory (NEW 2018-10-19 - Version 1.4.10.0) - Download - General Help & Support - Example Scripts - WikiOutlookEX (2018-10-31 - Version 1.3.4.1) - Download - General Help & Support - Example Scripts - WikiExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example ScriptsPowerPoint (2017-06-06 - Version 0.0.5.0) - Download - General Help & SupportExcel - Example Scripts - WikiWord - Wiki Tutorials:ADO - Wiki Link to comment Share on other sites More sharing options...
joseLB Posted October 25, 2013 Share Posted October 25, 2013 I discovered that sometimes if you remove the ICON at compiler time, or change it, it works (Av=kaspberry v6) I hope this can help someone On my case, compression= lowest didn´t solve it. Jose Leendert-Jan 1 Link to comment Share on other sites More sharing options...
jchd Posted October 26, 2013 Share Posted October 26, 2013 kaspberry Are you sure? Asser 1 This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe hereRegExp tutorial: enough to get startedPCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta. SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt) Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now