Topic: Double Trouble

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 84759
  • No support PMs thanks
Re: Double Trouble
« Reply #15 on: September 10, 2014, 11:10:03 PM »
Once sent and confirmed they are generally corrected quickly. But sending just a report isn't going to help much unless you submit samples of the detected file.

That said, autoit scripts get hit/detected on a fairly regular basis. But that is normally if it is a generic signature detection designed to catch multiple variants of similar malware.
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.2.2455 (build 21.2.6096.648) UI 1.0.608/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline czardas

  • Jr. Member
  • **
  • Posts: 81
Re: Double Trouble
« Reply #16 on: September 10, 2014, 11:25:53 PM »
I submitted my report about 24 hours ago along with the download URL.

Quote
That said, autoit scripts get hit/detected on a fairly regular basis. But that is normally if it is a generic signature detection designed to catch multiple variants of similar malware.

Well the code may be partially useful to me for protecting my own application from decompilation. This means that whatever is throwing the FP will also prevent my program from running or even being downloaded by people with computers running Avast. I haven't decided to use the code, but every bit of protection is potentially useful. Do you see my dilemma?

Actually it's everyone's dilemma in a way. Developers get their code ripped off and redistributed with keygens and such things. So developers try to prevent that by making the code as impenetrable as possible with lots of security features. But then the binary can't be analysed so easily by AV companies and heuristics tend to throw a lot of false positives. Ultimately technological creativity and advancement suffers. This is a real shame.

Also, with it being an autoit script (not compiled), it is nothing more than information. It won't run on your computer unless you know how to run it yourself, or have some malware installed that will run it secretly behind your back - in which case the antivirus should be targeting the malware rather than the script. Blocking an AutoIt script download is akin to censorship. I am prevented from accessing data, not some rootkit or nasty virus that is going to trash my computer without warning - just plain and simple text. Here is where I think the water gets rather muddy.

'Hitting/detecting AutoIt scripts on a fairly regular basis' means the Avast team are misleading people into thinking a language is a virus. I really would like to know why.
« Last Edit: September 11, 2014, 01:19:07 AM by czardas »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 84759
  • No support PMs thanks
Re: Double Trouble
« Reply #17 on: September 11, 2014, 01:05:48 AM »
As an avast user I simply can't answer the 'why' questions, I'm basically recounting what I have seen over time in the forums in relation to autoit detections.
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.2.2455 (build 21.2.6096.648) UI 1.0.608/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline czardas

  • Jr. Member
  • **
  • Posts: 81
Re: Double Trouble
« Reply #18 on: September 11, 2014, 01:17:16 AM »
DavidR - I know you are giving assistance here by donating your free time to help people. I appreciate your responses and thank you for trying to help me.

Maybe the Avast dev team are trying to fix things and it's just taking a little longer than I had hoped. If I still can't access the URL in a day or two, I'll resubmit the report.
« Last Edit: September 11, 2014, 01:31:07 AM by czardas »

Offline czardas

  • Jr. Member
  • **
  • Posts: 81
Re: Double Trouble
« Reply #19 on: September 11, 2014, 08:57:23 PM »
Okay I have resubmitted the first FP. In order to make things simpler, I will make a summary.

1. False Positive @ http://www.autoitscript.com/forum/index.php?app=core&module=attach&section=attach&attach_id=45061

VirusTotal URL scanner: https://www.virustotal.com/en/url/81ed97568dbd1fd3429d9dea0e0eb869dde9c38bbfb1278a47f0ed175af5fa95/analysis/

Earlier File scan https://www.virustotal.com/nb/file/489f0848463403a0e5a054b08ec8431bf5c554113895258399ab973a57ac9ec0/analysis/1410218486/

Information about this file can be found in the following forum topic: http://www.autoitscript.com/forum/topic/164148-checksumverify-verify-integrity-of-the-compiled-exe/

The URL (file download link) has been submitted as a false positive twice.

The file can not be run unless you know how to run it using the AutoIt interpreter which needs to be downloaded from https://www.autoitscript.com/site/ and then installed on your system. I've never heard of this happening by itself. The file could also possibly be run by a malware program, but the same could be said of practically any file, so we can dismiss this as a reason to target .au3 file extensions containing nothing more than plain text, since by themselves they are totally harmless to any computer. That's something that is unlikely to change in the foreseeable future.



2. What is AutoIt:Injector-G [Trj] ? Is it written in AutoIt? When did it first appear as a threat? Why is CheckSumVerify.au3 being flagged as AutoIt:Injector-G ?



3. I believe this is also a False Positive: http://www.autoitscript.com/forum/topic/152017-my-notepad/?p=1089609 - submitted yesterday.

URL (file download link) submitted as a false positive once.

The 7zip probably contains a compiled autoit script (file extension .exe) which may represent a threat because it will run without third party software needing to be installed. Here I accept the possibility of a threat, although the virus scans suggest that no virus scanner has a clue what it is - see for yourself:

https://www.virustotal.com/en/file/75e7a14a15ca1d056b803dbdd77b9b38572dd03ef124f32b58dfca32357d1b53/analysis/1410312640/

Lots of apparently contradictory information. Although most virus scanners don't find anything, the 7zip appears to possibly contain several malicious items, one of which appears to have never existed - "Gen2.VXSQX" - at least Google never heard of it. ???



After further tests with other AutoIt scripts, it is clear that Avast does not flag au3 files indiscriminately. My main concern now is about AutoIt:Injector-G. I need to know what it is. If the Avast team know something that other antivirus companies (or computer users) don't know, then it is irresponsible to not share information about this threat. Let's try and keep everyone safe through education!

Finally it would be a shame if I am forced to replace Avast in order to regain control of my computer, especially since it was another AutoIt user who recommended Avast to me in the first place.
« Last Edit: September 12, 2014, 11:26:28 AM by czardas »
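The VirusTotal links in the post above carry the file's SHA-256 in the URL path (the "/file/<hash>/analysis/" reports; the "/url/<hash>/" URL-scan report carries a hash of the URL string, not of any file). Before submitting something as a false positive, it is worth confirming that the copy on your disk is the exact object the report describes. The following is an added example and not code from the thread or from the AutoIt project; the sample .au3 bytes are constructed here and are not the real CheckSumVerify.au3, so they deliberately do not match the quoted report.

```python
"""Added example: confirm a local file is the object a VirusTotal report describes.

VirusTotal per-file report URLs carry the file's SHA-256 as the path
segment after /file/. URL-scan reports under /url/ carry a hash of the
URL string instead, so they are deliberately rejected here. Hashing the
candidate locally and comparing lets you check that the file you are
about to submit as a false positive is exactly the one the report refers to.
"""
import hashlib
import hmac
import re

# Matches .../file/<64 hex chars>/..., with an optional two-letter
# language prefix such as /en/ or /nb/ as seen in the thread's links.
_VT_FILE_RE = re.compile(
    r"virustotal\.com/(?:[a-z]{2}/)?file/([0-9a-fA-F]{64})(?:/|$)"
)


def sha256_from_vt_url(url: str):
    """Return the lower-case SHA-256 named by a VirusTotal file-report URL, or None."""
    m = _VT_FILE_RE.search(url)
    return m.group(1).lower() if m else None


def file_digests(data: bytes) -> dict:
    """SHA-1 and SHA-256 of the given bytes, hex encoded (SHA-1 only for comparison with older notes)."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_vt_report(data: bytes, url: str) -> bool:
    """True only if the data's SHA-256 equals the hash embedded in the report URL."""
    expected = sha256_from_vt_url(url)
    if expected is None:
        return False  # not a file report (e.g. a /url/ scan link): nothing to compare against
    return hmac.compare_digest(file_digests(data)["sha256"], expected)


def check_file(path: str, url: str) -> bool:
    """Hash a file on disk and compare it against the report URL."""
    with open(path, "rb") as fh:
        return matches_vt_report(fh.read(), url)


# Constructed stand-in for the .au3 text file discussed in the thread; it is
# NOT the real CheckSumVerify.au3, so it will not match the real report below.
SAMPLE_AU3 = b'; constructed sample, not the real CheckSumVerify.au3\r\nMsgBox(0, "demo", "hello")\r\n'

# Links quoted in the thread: a file report (carries the file hash) and a
# URL-scan report (carries a hash of the URL string, not of any file).
VT_FILE_REPORT = ("https://www.virustotal.com/nb/file/"
                  "489f0848463403a0e5a054b08ec8431bf5c554113895258399ab973a57ac9ec0"
                  "/analysis/1410218486/")
VT_URL_REPORT = ("https://www.virustotal.com/en/url/"
                 "81ed97568dbd1fd3429d9dea0e0eb869dde9c38bbfb1278a47f0ed175af5fa95"
                 "/analysis/")

if __name__ == "__main__":
    print("report hash:", sha256_from_vt_url(VT_FILE_REPORT))
    print("url-scan link yields:", sha256_from_vt_url(VT_URL_REPORT))
    print("sample digests:", file_digests(SAMPLE_AU3))
    print("sample matches report:", matches_vt_report(SAMPLE_AU3, VT_FILE_REPORT))
```

To use it on a real download, call check_file("CheckSumVerify.au3", VT_FILE_REPORT) on the copy you fetched (for instance from a live Linux session, as discussed later in the thread); a False result means you have a different file from the one the report and the detection refer to, and submitting it would not help the lab.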

Offline czardas

  • Jr. Member
  • **
  • Posts: 81
Re: Double Trouble
« Reply #20 on: September 12, 2014, 11:10:54 AM »
All I can imagine is that I must be doing something wrong. The file is still being flagged. I have received no emails back. Maybe I need to download the file to submit it, but Avast is blocking me from doing that, so I submitted the URL instead. Please could someone on this forum who knows how to submit CheckSumVerify.au3 found on this page: http://www.autoitscript.com/forum/topic/164148-checksumverify-verify-integrity-of-the-compiled-exe/?p=1196863 submit it as a possible FP.

Although both myself and every other AV is saying that it is harmless, you might not believe that. Look what it is - checksum verification - a security feature. I am waiting to test it, provide feedback and perhaps make suggestions for improvement. I really need some assistance here. Please request feedback when submitting the report and leave a link to this thread.

Thank you!
« Last Edit: September 12, 2014, 12:35:43 PM by czardas »

Offline czardas

  • Jr. Member
  • **
  • Posts: 81
Re: Double Trouble
« Reply #21 on: September 12, 2014, 01:15:24 PM »
Oops, I missed this, although I linked to this thread and the one on the other forum:

Quote
Links to suspect files/sites should be modified so they aren't active to avoid accidental exposure - change the http to hXXp in the URL.

I would have thought a virtual machine would have been enough protection, or using a live linux distro. The file can't be analysed without accessing the URL. Anyway, that's probably where I went wrong, so I'll try again. I must say - this is quite hard work.
« Last Edit: September 12, 2014, 01:19:21 PM by czardas »
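The forum rule quoted in the post above is the scheme change only (http to hXXp). The following is an added example, not code from the thread, that applies that rule and reverses it; it also brackets the dots in the host ("www[.]example[.]com"), a common extension beyond what the forum asks for, which stops forum software and chat clients from auto-linking the bare domain. Path, query and fragment are left untouched so the link stays recognisable to the analyst.

```python
"""Added example: defang and refang links (http -> hXXp, dots -> [.] in the host)."""
import re

# scheme "://" host rest -- the host ends at the first "/", "?" or "#".
_URL_RE = re.compile(
    r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://(?P<host>[^/?#]*)(?P<rest>.*)$", re.S
)

# The forum's convention for the scheme; the dot bracketing below is an
# added, widely used extension and not part of the forum rule.
_DEFANG_SCHEME = {"http": "hXXp", "https": "hXXps"}
_REFANG_SCHEME = {"hxxp": "http", "hxxps": "https"}


def defang(url: str) -> str:
    """Make a link non-clickable. Non-URLs pass through unchanged; already-defanged input is left alone."""
    m = _URL_RE.match(url)
    if not m:
        return url
    scheme = _DEFANG_SCHEME.get(m.group("scheme").lower(), m.group("scheme"))
    host = m.group("host")
    if "[.]" not in host:  # idempotent: never double-bracket a host
        host = host.replace(".", "[.]")
    return f"{scheme}://{host}{m.group('rest')}"


def refang(url: str) -> str:
    """Restore a defanged link so it can be fetched (from an isolated machine, not a daily-use box)."""
    m = _URL_RE.match(url)
    if not m:
        return url
    scheme = _REFANG_SCHEME.get(m.group("scheme").lower(), m.group("scheme"))
    host = m.group("host").replace("[.]", ".")
    return f"{scheme}://{host}{m.group('rest')}"


def is_defanged(url: str) -> bool:
    """True if either the forum's scheme change or the dot bracketing has been applied."""
    m = _URL_RE.match(url)
    if not m:
        return False
    return m.group("scheme").lower() in _REFANG_SCHEME or "[.]" in m.group("host")


# The attachment link reported in the thread, used here as sample input.
ATTACHMENT_LINK = ("http://www.autoitscript.com/forum/index.php"
                   "?app=core&module=attach&section=attach&attach_id=45061")

if __name__ == "__main__":
    safe = defang(ATTACHMENT_LINK)
    print(safe)
    print(refang(safe) == ATTACHMENT_LINK)
```

refang() exists so the analyst's side of the exchange round-trips; the person submitting the report only ever needs defang().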

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36992
Re: Double Trouble
« Reply #22 on: September 12, 2014, 01:27:16 PM »
Quote
Maybe I need to download the file to submit it, but Avast is blocking me from doing that,
have you tried right click avast tray icon and pause shields?


Offline czardas

  • Jr. Member
  • **
  • Posts: 81
Re: Double Trouble
« Reply #23 on: September 12, 2014, 01:35:39 PM »
Quote
Maybe I need to download the file to submit it, but Avast is blocking me from doing that,
have you tried right click avast tray icon and pause shields?

Yes, but that isn't solving the false positive. If I use the code and distribute it on the internet I can't exactly start telling people to disable their Avast protection. That is why I need to get this sorted out.

I submitted both reports again with the hXXp. Let's hope that starts the ball rolling.
« Last Edit: September 12, 2014, 01:38:47 PM by czardas »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36992
Re: Double Trouble
« Reply #24 on: September 12, 2014, 01:42:15 PM »
Quote
Yes, but that isn't solving the false positive.
No .... in cases where you need to download and send a file to the Avast lab.

Offline czardas

  • Jr. Member
  • **
  • Posts: 81
Re: Double Trouble
« Reply #25 on: September 12, 2014, 01:56:08 PM »
Quote
Yes, but that isn't solving the false positive.
No .... in cases where you need to download and send a file to the Avast lab.

When I said using a virtual machine, I meant for the Avast team to safely access potentially dangerous URLs. If I need to download anything, I can pretty much always do so safely using Knoppix - I am a bit paranoid about disabling shields. It ought to be a lot easier to simply submit the URL though. Thanks for responding again. :)
« Last Edit: September 12, 2014, 02:04:33 PM by czardas »

Offline jefferson sant

  • Starting Graphoman
  • *
  • Posts: 6821
  • volunteer
Re: Double Trouble
« Reply #26 on: September 16, 2014, 10:14:58 PM »
Quote
I don't quite know what the problem is but I'm getting more FP results. The 7zip download on this page is not malicious. I have had an older version on my computer for a while now and it appears the SHA-1 hash has not altered on the earlier version but that is also throwing a FP right now. Here's the URL where the download for the current version of this file can be found.
http://www.autoitscript.com/forum/topic/152017-my-notepad/?p=1089609

This has been fixed in the latest update.


Quote
How long would it normally take for a False Positive to be removed once a report has been sent? Still unable to access:

http://www.autoitscript.com/forum/index.php?app=core&module=attach&section=attach&attach_id=45061

File was fixed in update streaming.

Offline czardas

  • Jr. Member
  • **
  • Posts: 81
Re: Double Trouble
« Reply #27 on: September 17, 2014, 10:49:59 PM »
I would like to convey my sincerest thanks for this fix, and previous occasions where the avast team have investigated false positives thrown by programs created using AutoIt. I totally understand the need for caution and that security comes first. Please forgive me for slight impatience on my part in this, or any other, thread on this forum. I will continue to recommend Avast to other computer users. Thanks to the developers once more: I'm happy now this has been fixed.  ;)

Offline jefferson sant

  • Starting Graphoman
  • *
  • Posts: 6821
  • volunteer
Re: Double Trouble
« Reply #28 on: September 17, 2014, 11:01:27 PM »
Quote
I would like to convey my sincerest thanks for this fix, and previous occasions where the avast team have investigated false positives thrown by programs created using AutoIt. I totally understand the need for caution and that security comes first. Please forgive me for slight impatience on my part in this, or any other, thread on this forum. I will continue to recommend Avast to other computer users. Thanks to the developers once more: I'm happy now this has been fixed.  ;)

I thank the analyst and the staff of the virus lab where the request was sent for solving your problem.
I am not a member of Avast, and not even a developer.

« Last Edit: September 17, 2014, 11:13:27 PM by jefferson santiag »

Offline czardas

  • Jr. Member
  • **
  • Posts: 81
Re: Double Trouble
« Reply #29 on: September 17, 2014, 11:06:11 PM »
Quote
I thank the analyst and the staff of the virus lab where the request was sent for solving your problem.
I am not a member of Avast, and not even a developer.

It was very kind of you to inform me in any case. Cheers to you, the analyst and all parties concerned. :)