AutoIt false positives

I have sent a lot of files to analysis in the past that were false positives of AutoIt scripts.
In the last VPS, a lot of false detections were back again :cry:
Igor, can you check?

17/10/2006 15:08:32 1161108512 SYSTEM 924 Sign of “Win32:Autoit [Trj]” has been found in “…\Flush DNS.exe[UPX]” file.
17/10/2006 15:09:14 1161108554 SYSTEM 924 Sign of “Win32:Autoit [Trj]” has been found in “…\avast! Update Silent.exe[UPX]” file.

Same here … :o ;D

I would have thought that by now Alwil wouldn’t have just given a specific autoit malware name, but obtained a copy of autoit and tried to identify what it is in the autoit conversion process to an executable file that caused the problem ???

I’ve created a sort of task scheduler with AutoIt which runs a program at a certain time.
The task scheduler exe runs without any problem, but when it calls the backup utility, Avast gives the trojan horse alert (Win32.AutoIt Trojan Horse). Both programs are created with the same AutoIt version.
The filename is mentioned as backup.exe[UPX] on the Avast alert message.

This shouldn’t be a trojan…

[edit] The task scheduler was already running some hours before avast updated its virus definitions this night.
It also won’t run anymore now because avast denies the access :frowning:

If you are certain it isn’t infected (and it probably isn’t), add it to the exclusion lists:
Standard Shield, Customize, Advanced: add the path and file name, e.g. C:*\autoit-file-folder\backup.exe (the wildcard can be used to shorten the path).
Program Settings, Exclusions

I’m not sure of the benefit of sending it to avast other than highlighting yet another autoit compiled file being detected again.
Also see (Mini Sticky) False Positives, how to report and what to do to exclude them until the problem is corrected.

It wouldn’t be bad if they tested more than they do now, because I know they test AutoIt executable files.
My avast! tweaker, whose development is ‘stopped’ right now (I have very little ‘spare’ time), is detected by avast too.
Well, false positives are really a pain. I’ve added my AutoIt executables to the avast Exclusion lists. Peace 8)

Same here when trying to use “Universal Extractor”.
And to make matters worse, the following two exclusions:

C:\Program Files\Universal Extractor\bin*
C:\Program Files\Universal Extractor\bin\UniExtract.exe

still don’t fix the problem!
Running “UniExtract.exe” causes a windows error “Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.”
If I reboot and run it again, I get an Avast infection notification.
This is so incredibly annoying…

Same Autoit problem with a little script running two exe files.

The problem seems to be fixed with the latest VPS update - 0642-1.
Tech’s Tweaker is no longer detected as a virus. Can someone confirm this? :slight_smile:

EDIT: Now the latest VPS is 0642-2.

Hello .:XMAS:., the latest VPS update - 0642-1 seems to have fixed the problem with Tech’s Tweaker

Sorry, VPS update - 0642-2

I love it when a plan comes together.

It’s fixed ;D

Well… I’ve blamed them. So I thank avast now for solving the issue :wink:

So I’ve installed the current AutoIt 3.2.81 and the Scite version that comes with it. Now the

Autoit3Wrapper.exe
Autoit3WrapperGUI.exe

are detected as infected with Win32:Agent-OYT [tri]

Now is this a false positive or what? Thx.

Are you sure that your Avast VPS database is up to date? All AutoIt 3.2.8.1 files tested with the current VPS (080103-0) are clear.

Yes, I do have that very same VPS database installed.

However, these files are only installed when you also install the current Scite version from the AutoIt page. The files reside in \AutoIt\Scite\AutoIt3Wrapper.

I’ve mailed those files to virus (at) avast (dot) com, maybe they can sort it out.

This FP will be fixed with the next VPS update (today)…

Hi, it could also be this new worm:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOHANAD.FM

Check it out as given on that site under solutions,

polonus

Some new Sohanad samples are in the queue; I saw them while sorting my VirusTotal set today… they will be added soon…