SegoCode / AutoWall

🌌 Live wallpapers on Windows 7/8/10/11 using open-source wallpaper engine
GNU General Public License v3.0
527 stars 52 forks

When I run the new version, Antivirus takes it as a threat #3

Closed SegoCode closed 3 years ago

SegoCode commented 3 years ago

When I run the new version, Antivirus takes it as a threat

Originally posted by @lsyk4 in https://github.com/SegoCode/AutoWall/issues/2#issuecomment-735615296

SegoCode commented 3 years ago

Unfortunately AutoIt has been used to make malware for a long time, and AV YARA rules contain many AutoIt functions. Version 1.2 supports web wallpapers and YouTube URLs as wallpaper; maybe the external connection causes an antivirus detection. If you are going to use that feature, block AutoWall by firewall.

To check the integrity of the files by yourself:

In the new versions I will check the functions that cause an antivirus detection. Thx for the feedback.

SegoCode commented 3 years ago

According to THOR;

YARA Signature Match - THOR APT Scanner

RULE: SUSP_AutoIt_CompScript_NET_Combo
RULE_SET: Livehunt - Suspicious Indicators 
RULE_TYPE: Valhalla Rule Feed Only 
DESCRIPTION: Detects a suspicious compiled AutoIt script that contains .NET strings
RULE_AUTHOR: Florian Roth

Detection Timestamp: 2020-11-09 12:05
AV Detection Ratio: 🟡 12 / 72

Maybe there are some .NET functions injected by the compiler...

SegoCode commented 3 years ago

For some reason the 32-bit AutoIt compiler generates detections in AV.

32 bits: https://www.virustotal.com/gui/file/d12bcb1d0215fa780aec6b6c8d5986f842851ad4e416ba891c65ec87a5a05851/detection

64 bits: https://www.virustotal.com/gui/file/ee56be549e9498125f0ef1118f0cf2d3e8822dba82c003a1647e676ce1065955/detection

64 bits with ico: https://www.virustotal.com/gui/file/edddec85c28c0e374ccd15c2e159994ad9deb0dcf21cb61f10a2a3ae327245c0/detection

I will remove the 32-bit version of the 1.2 releases tomorrow.

SegoCode commented 3 years ago

Done!

New AutoWall 1.2 binary scan: https://www.virustotal.com/gui/file/50828e36df22dbaf75d568a011a59972f1218ec39ff56918c77dbfa2e135921e/detection
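As an added example, not part of this thread or of the AutoWall project's own tooling: a small Python script that checks a downloaded release file against the SHA-256 embedded in a VirusTotal link like the ones above, so a user can confirm that the file on disk is byte-for-byte the sample those detection pages describe. The local file name is whatever the user downloaded; the URL constant below is simply the last link in the thread.

```python
import hashlib
import hmac
import re
import sys

# Last scan link posted in the thread (AutoWall 1.2 64-bit build). VirusTotal
# /gui/file/<hash> URLs carry the SHA-256 of the scanned sample.
AUTOWALL_1_2_VT_URL = (
    "https://www.virustotal.com/gui/file/"
    "50828e36df22dbaf75d568a011a59972f1218ec39ff56918c77dbfa2e135921e/detection"
)

_VT_HASH_RE = re.compile(r"/file/([0-9a-fA-F]{64})(?:/|$)")


def sha256_from_vt_url(url: str) -> str:
    """Extract the lowercase SHA-256 that a VirusTotal file URL refers to."""
    m = _VT_HASH_RE.search(url)
    if not m:
        raise ValueError(f"no SHA-256 in VirusTotal URL: {url}")
    return m.group(1).lower()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_release(path: str, vt_url: str) -> bool:
    """True only if the local file is the exact sample the VirusTotal page shows.

    A match says the scan results apply to this file; it does not by itself
    prove the file is benign, only that it has not been swapped or altered.
    """
    expected = sha256_from_vt_url(vt_url)
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Usage: python verify.py <downloaded-file> [virustotal-url]
    target = sys.argv[1]
    url = sys.argv[2] if len(sys.argv) > 2 else AUTOWALL_1_2_VT_URL
    status = "OK" if verify_release(target, url) else "MISMATCH"
    print(f"{target}: {status} (expected {sha256_from_vt_url(url)})")
```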