Closed SegoCode closed 3 years ago
Unfortunately, AutoIt has been used to make malware for a long time, and AV YARA rules contain many AutoIt functions. Version 1.2 supports web wallpapers and YouTube URLs as wallpaper; maybe the external connection causes an antivirus detection. If you are going to use that feature, block AutoWall with a firewall.
To check the integrity of the files yourself:
In the new versions I will check the functions that cause an antivirus detection. Thx for the feedback.
According to THOR:
YARA Signature Match - THOR APT Scanner
RULE: SUSP_AutoIt_CompScript_NET_Combo
RULE_SET: Livehunt - Suspicious Indicators
RULE_TYPE: Valhalla Rule Feed Only
DESCRIPTION: Detects a suspicious compiled AutoIt script that contains .NET strings
RULE_AUTHOR: Florian Roth
Detection Timestamp: 2020-11-09 12:05
AV Detection Ratio: 🟡 12 / 72
Maybe there are some .NET functions injected by the compiler...
For some reason, the 32-bit AutoIt compiler generates detections in AV.
64 bits with ico: https://www.virustotal.com/gui/file/edddec85c28c0e374ccd15c2e159994ad9deb0dcf21cb61f10a2a3ae327245c0/detection
I will remove the 32-bit version of the 1.2 releases tomorrow.
Done!
New AutoWall 1.2 binary scan: https://www.virustotal.com/gui/file/50828e36df22dbaf75d568a011a59972f1218ec39ff56918c77dbfa2e135921e/detection
When I run the new version, Antivirus takes it as a threat
Originally posted by @lsyk4 in https://github.com/SegoCode/AutoWall/issues/2#issuecomment-735615296
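
For the integrity check mentioned in the thread, here is an added example (not part of the original thread and not AutoWall's code). It compares the SHA-256 of a downloaded binary with the SHA-256 embedded in a VirusTotal file-report link such as the ones posted above. The script name and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import sys

# VirusTotal file-report links carry the file's SHA-256 as 64 hex characters.
VT_FILE_URL = re.compile(r"virustotal\.com/gui/file/([0-9a-fA-F]{64})(?![0-9a-fA-F])")


def sha256_from_vt_url(url):
    """Return the lowercase SHA-256 embedded in a VirusTotal file-report URL."""
    match = VT_FILE_URL.search(url)
    if match is None:
        raise ValueError("no SHA-256 found in URL: %r" % url)
    return match.group(1).lower()


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def matches_published_scan(path, vt_url):
    """True only if the local file is byte-identical to the scanned upload."""
    return hmac.compare_digest(sha256_of_file(path), sha256_from_vt_url(vt_url))


if __name__ == "__main__":
    # Usage (hypothetical script name):
    #   python verify_download.py <downloaded file> <VirusTotal file URL>
    if len(sys.argv) != 3:
        sys.exit("usage: verify_download.py <file> <virustotal-url>")
    local_path, report_url = sys.argv[1], sys.argv[2]
    same = matches_published_scan(local_path, report_url)
    print("SHA-256 of %s: %s" % (local_path, sha256_of_file(local_path)))
    print("MATCH" if same else "MISMATCH: not the file that was scanned")
    sys.exit(0 if same else 1)
```

A match shows only that the local file is the same one that was uploaded for the linked scan; it does not say whether the detections in that report are false positives.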