AutoIt and Malware: Difference between revisions

From AutoIt Wiki
Unfortunately, due to the nature of scripting languages some parts of AutoIt are often mistakenly labelled as malware. This is usually corrected quickly by the anti-virus vendors but can cause false warnings until the definitions are fixed.
If you have been using AutoIt for any length of time you will know that it is a great and powerful scripting language. As with all powerful languages, there is a downside: virus creation by those who are malicious. AutoIt installs no viruses on your system, and if a script you have created has been marked as a virus (and you're not malicious) then this is a [http://www.pcguide.com/care/data/virus/scanFalse-c.html false positive]. The vendor found a set of instructions in some AutoIt EXE out there, took the general signature of the file, and now all (or most) AutoIt EXEs are marked. This can be due to several reasons.
 
* AutoIt is packed with UPX. UPX is an open-source executable compression packer, and it is used by many viruses (to make them smaller), so a UPX-packed file attracts suspicion from scanners.
* A malicious scripter's compiled script got the AutoIt script engine, which every compiled script carries, recognized as a virus.
 
And I am sure there are more ways your executable could be marked, but that covers the basics. Now you are probably wanting to know what you can do to get back up and running without being recognized as a virus. You have to send a report to the offending AV company alerting them to the false positive they have made. It never hurts to send your source code along with the compiled EXE, to help them realize their mistake. You may have to wait up to 24 hours for them to release an update; the time it takes really depends on the AV company.

Anti-Virus Links
 
* AntiVir
** [http://www.avira.com/ Website]
** [http://forum.avira.de/board.php?boardid=91 Contact]
* Avast!
** [http://www.avast.com/ Website]
** [http://forum.avast.com/ Contact]
* McAfee
** [http://www.mcafee.com/ Website]
** [mailto:vendor_questions@mcafee.com Contact] (email address)
* Symantec (Norton)
** [http://www.symantec.com/ Website]
** [https://symantec.iseva.net/customerservice.aspx Contact]
* AVG
** [http://www.grisoft.com/ Website]
** [http://www.grisoft.com/doc/110/lng/us/tpl/tpl01 Contact] (It says sales or other questions; I assume this will work)
* ClamWin
** [http://www.clamwin.com/ Website]
** [http://forums.clamwin.com/ Contact]
* ClamAV
** [http://www.clamav.net/ Website]
** [http://www.clamav.net/team.html#pagestart Contact] (I would only contact those listed as ''virusdb maintainer'' or ''virus submission management'')
* BitDefender
** [http://www.bitdefender.com/ Website]
** [http://www.bitdefender.com/site/contact/1/ Contact]
* ZoneLabs
** [http://www.zonelabs.com/ Website]
** [http://www.zonelabs.com/store/content/company/contact.jsp?dc=12bms&ctry=US&lang=en Contact]
* Norman
** [http://www.norman.com/ Website]
** [mailto:support@norman.com Contact] (email address)
* eSafe
** [http://www.ealaddin.com/ Website]
** [http://techsup.ealaddin.com/ Contact] (login required)
* A² (A-Squared)
** [http://www.emsisoft.com/ Website]
** [mailto:fp@emsisoft.com Contact] (email address)

Revision as of 13:33, 15 January 2013
