This is clearly not malware. After installation, it was flagged. The download for autoit-v3.3.13.19-beta-setup.exe is on this page:
Hi czardas,
This is in your way: https://www.virustotal.com/nl/ip-address/87.106.181.57/information/
I get you get an IP block because of what is found to reside from other locations at that IP.
Probably a packer detection.
https://www.virustotal.com/nl/file/f9e48634d2d3f3d10fb48c793161fcd9001f637a3eae04e4705167dda9249d77/analysis/
polonus
That’s strange, but I don’t really see how it’s related. I have absolutely no problem accessing the page or the download link - I’ll look at the report. Avast considers the installer to be free of malware. It’s only when installed that Avast pops up.
https://www.virustotal.com/en/file/70b93fef3cae6a200e3236ee90b6a034f7418388338da2e8734cbac6e9103e5a/analysis/
I checked the SHA-256. Let me see, I think it was this file:
SHA-256 … 767E7E13B2DD575A03E92E687C973248BEF7A0F17984A69CDF052EA0D342DC16
I only found one link on Google:
http://www.herdprotect.com/autoit3.exe-8b50e8ed46359453ddd2f95fb666eaa0688e33f9.aspx
Edit
I’m not sure what the information you posted relates to. Here’s a URL scan for the link posted in the first post:
https://www.virustotal.com/en/url/8c46d07aba0d76032306b3451e0c8b3c1fd3ba293b823e67d4dcca781f2a6ee7/analysis/
No detection.
Also, in the second report you posted, Avast doesn’t find anything suspicious about USB_Write_Protector.exe although I still don’t know what that has to do with this. If you could please explain.
The only reference I could find to USB_Write_Protector.exe in combination with AutoIt is the one link you posted above. The information seems meaningless to me.
You see the IP address for autoitscript.com
here: http://www.dnsinspect.com/autoitscript.com/1423006075
OK. Domain autoitscript.com. resolves to:
Germany 87.106.181.57 and the VT results for that IP where malwares.com URL checker flags
see: https://www.uploady.com/#!/download/maiXtZhhSQx/H2micUxYuUAFbzsN
Considering: https://www.virustotal.com/nl/file/73342ab4e8f6888c81bc4307bc654505b48b99f5d84fa66e8e937704d1a0efd3/analysis/
you could file a FP report to virus@avast.com
polonus
Okay, I found it on the report page, but I’m not sure where it resides in the URL. Possibly in one of the zip files. It sounds like it might have something to do with preventing the deletion of files (such as the portable version of AutoIt) from external storage devices by over-zealous anti-virus programs, but that’s only a guess. If it’s not about that, it certainly wouldn’t be a bad idea. It is a shame if IT professionals have to resort to tactics such as this. Not dealing with false positives makes the world a more dangerous place.
VirusTotal … seems only 39 engines would scan now
https://www.virustotal.com/en/file/70b93fef3cae6a200e3236ee90b6a034f7418388338da2e8734cbac6e9103e5a/analysis/1423007665/
anyway First submission 2014-09-03 13:03:15 UTC ( 5 months ago )
Copyright: (c) 1999-2014 Jonathan Bennett & AutoIt Team
Publisher: AutoIt Consulting Ltd
File version: 3.3.13.19
Description: AutoIt v3 Setup (Beta)
Signature verification: Signed file, verified signature
Signing date: 5:00 PM 8/24/2014
Signers: [+] AutoIt Consulting Ltd [+] GlobalSign CodeSigning CA - G2 [+] GlobalSign
Counter signers: [+] GlobalSign TSA for MS Authenticode - G1 [+] GlobalSign Timestamping CA - G2 [+] GlobalSign
so a false positive … report it here https://support.avast.com/ > avast virus lab
I guess it was the win32:Evo-Gen [susp] = Suspicious warning Avast gave you?
Okay, I’ll always report through the web link from now on, because I no longer trust the virus chest FP submission process. I’ll probably write a program that does it automatically. It’s a lot of work which shouldn’t be necessary. Thanks, I know that you mean well.