AutoIt and Malware: Difference between revisions
mNo edit summary |
No edit summary |
||
(13 intermediate revisions by 5 users not shown) | |||
Line 1: | Line 1: | ||
==Overview== | |||
If you have been using AutoIt for any length of time you will know that it is a great and powerful scripting language. As with all powerful languages there comes a downside: virus creation by those with malicious intent. AutoIt has no viruses installed on your system, and if a script you have created has been marked as a virus (and you're not malicious) then this is a [http://www.pcguide.com/care/data/virus/scanFalse-c.html false positive]. The most common cause is an AntiVirus engine has found a set of instructions in an AutoIt EXE and deemed it malicious, took the general signature of the file, and has now flagged all (or most) AutoIt EXE's. This can be due to several reasons: | If you have been using AutoIt for any length of time you will know that it is a great and powerful scripting language. As with all powerful languages there comes a downside: virus creation by those with malicious intent. AutoIt has no viruses installed on your system, and if a script you have created has been marked as a virus (and you're not malicious) then this is a [http://www.pcguide.com/care/data/virus/scanFalse-c.html false positive]. The most common cause is an AntiVirus engine has found a set of instructions in an AutoIt EXE and deemed it malicious, took the general signature of the file, and has now flagged all (or most) AutoIt EXE's. This can be due to several reasons: | ||
Line 4: | Line 5: | ||
* A malicious scripter got the AutoIt script engine recognized as a virus. | * A malicious scripter got the AutoIt script engine recognized as a virus. | ||
There are more ways your executable could be marked; this topic covers only the most common causes. If you encounter a false positive, in which your script is erroneously recognized as a virus, please alert the offending AV company immediately so the matter can be resolved. Best practice would be to include your source code along with a compiled exe, allowing the AV company to independently verify your report. This process may take up to 24 hours depending on the AV company, but will be resolved much more quickly if you provide source code. | There are more ways your executable could be marked; this topic covers only the most common causes. | ||
==Avoiding False Positives== | |||
To get around the false positives problem, just use the *.A3X format. [https://www.autoitscript.com/forum/topic/201562-au3tocmd-avoid-false-virus-positives-version-20220727/?do=findComment&comment=1446375 Look here]: | |||
[https://www.autoitscript.com/forum/topic/201562-au3tocmd-avoid-false-virus-positives-version-20220727/?do=findComment&comment=1446375 Au3toCmd] | |||
==Reporting False Positives== | |||
If you encounter a false positive, in which your script is erroneously recognized as a virus, please alert the offending AV company immediately so the matter can be resolved. Best practice would be to include your source code along with a compiled exe, allowing the AV company to independently verify your report. This process may take up to 24 hours depending on the AV company, but will be resolved much more quickly if you provide source code. | |||
A good resource for reporting false positives can be found at: [http://www.techsupportalert.com/content/how-report-malware-or-false-positives-multiple-antivirus-vendors.htm How to Report Malware or False Positives to Multiple Antivirus Vendors]. There are also some links below to help. | |||
* AntiVir | * AntiVir | ||
Line 25: | Line 36: | ||
** [http://www.grisoft.com/ Website] | ** [http://www.grisoft.com/ Website] | ||
** [http://forums.avg.com/ww-en/avg-forums?sec=thread&act=show&id=395 Contact] | ** [http://forums.avg.com/ww-en/avg-forums?sec=thread&act=show&id=395 Contact] | ||
* G Data | |||
** [https://www.gdatasoftware.com/securitylabs.html Sample Submission] | |||
* ClamWin | * ClamWin | ||
Line 53: | Line 67: | ||
** [http://www.emsisoft.com/ Website] | ** [http://www.emsisoft.com/ Website] | ||
** [mailto:fp@emsisoft.com Contact] | ** [mailto:fp@emsisoft.com Contact] | ||
* SUPERAntiSpyware | |||
** [http://www.superantispyware.com/ Website] | |||
** [http://www.superantispyware.com/downloads/SUPERSampleSubmit.exe Contact] | |||
* ESET | |||
** [http://www.eset.com/int/ Website] | |||
** [http://kb.eset.com/esetkb/index?page=content&id=SOLN141 Contact] | |||
* Kaspersky | |||
** [http://www.kaspersky.com/ Website] | |||
** [https://my.kaspersky.com/?logonSessionData=MyAccount&returnUrl=en%2fsupport Contact] (login required) | |||
* Microsoft Security Essentials | |||
** [http://www.microsoft.com/ Website] | |||
** [https://support.microsoftsecurityessentials.com/default.aspx?productkey=morromalware&mytask=country Contact] | |||
* Avira Free Antyvirus | |||
** [http://www.avira.com/en/avira-free-antivirus Website] | |||
** [https://analysis.avira.com/en/submit Contact] | |||
* Panda Security | |||
** [http://www.pandasecurity.com/poland/homeusers/solutions/antivirus/ Website] | |||
** [http://support.pandasecurity.com/forum/viewtopic.php?f=5&t=337 Contact] | |||
* Trend Micro | |||
** [http://www.trendmicro.de/ Website] | |||
** [http://esupport.trendmicro.com/consumer/default.aspx Contact] | |||
* F-secure | |||
** [http://www.f-secure.com/ Website] | |||
** [http://www.f-secure.com/v-descs/false_positive.shtml Contact] | |||
* How to Report Malware or False Positives to Multiple Antivirus Vendors | |||
** [http://www.techsupportalert.com/content/how-report-malware-or-false-positives-multiple-antivirus-vendors.htm#List_Of_All_Vendors ALL VENDORS LIST] | |||
[[Category:AutoIt_Wiki]] |
Latest revision as of 17:07, 26 August 2022
Overview
If you have been using AutoIt for any length of time you will know that it is a great and powerful scripting language. As with all powerful languages there comes a downside: virus creation by those with malicious intent. AutoIt has no viruses installed on your system, and if a script you have created has been marked as a virus (and you're not malicious) then this is a false positive. The most common cause is an AntiVirus engine has found a set of instructions in an AutoIt EXE and deemed it malicious, took the general signature of the file, and has now flagged all (or most) AutoIt EXE's. This can be due to several reasons:
- Compiled AutoIt scripts can optionally be compressed with UPX. UPX is an open source software compression packer. It is used with many viruses (to make them smaller).
- A malicious scripter got the AutoIt script engine recognized as a virus.
There are more ways your executable could be marked; this topic covers only the most common causes.
Avoiding False Positives
To get around the false positives problem, just use the *.A3X format. Look here: Au3toCmd
Reporting False Positives
If you encounter a false positive, in which your script is erroneously recognized as a virus, please alert the offending AV company immediately so the matter can be resolved. Best practice would be to include your source code along with a compiled exe, allowing the AV company to independently verify your report. This process may take up to 24 hours depending on the AV company, but will be resolved much more quickly if you provide source code.
A good resource for reporting false positives can be found at: How to Report Malware or False Positives to Multiple Antivirus Vendors. There are also some links below to help.
- G Data
- ClamAV
- How to Report Malware or False Positives to Multiple Antivirus Vendors