Kronzky

AutoIt Script blocked as MachineLearning/Anomalous

A simple AutoIt script I wrote myself (and which isn't doing anything weird) is blocked as malware (MachineLearning/Anomalous.97%)

MW.log exe.zip

Would you mind telling me what triggered the warning (so I can avoid it in the future)?

Also, if you say it "has been fixed" - what does that mean in terms of definition updates (i.e. how long until this fix will be available)?

This is fixed in the cloud so the effect is a few minutes.

You can see here for some explanations.

 

14 minutes ago, shadowwar said:

This is fixed in the cloud so the effect is a few minutes.

Well... I scanned it yesterday (after I was told it was fixed), and I scanned it again just now, but it's still giving a false positive (in both cases your software went through the update process first, so I assume it had had the latest definitions).

Also, what was this "fix"? Did you just put my program's name (or "fingerprint") on some whitelist? And if so, what happens if I change it, or use the same libraries/methods/whatever it was that caused the false positive again, in some other program?

 

15 minutes ago, shadowwar said:

You can see here for some explanations.

That was the first place I looked when I came upon this issue, but it only contains some very generic guidelines.
What exactly was triggering the false positive in *my particular* program is what I would like to know.

This was fixed now.

I can only say the following would help with it not being detected.

Properly filled out version information on the file.

Digitally signing the file.

Basically the system looks for anomalous items in the file and computes a score. The less the file looks like all the other AutoIt malware out there, the less chance of it being detected. Doing the above would definitely help.

 

There are 5 other AVs currently detecting it according to VirusTotal, just for your information.

 

 


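The two file properties named in the post above (version information and a digital signature) can be checked on a compiled executable before release. The following is an added example, not part of the thread and not the vendor's detection logic: it parses the PE headers and reports whether a version resource and a certificate table are present, without validating either. `pe_metadata` and `build_sample` are hypothetical names, and the sample image is constructed for the demo.

```python
import struct

RT_VERSION = 16                      # resource type ID of the version-information block
DIR_RESOURCE, DIR_SECURITY = 2, 4    # data-directory indexes in the optional header

def pe_metadata(data: bytes) -> dict:
    """Report whether a PE image has a version resource and a certificate table."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # NumberOfSections at pe+6, SizeOfOptionalHeader at pe+20
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)
    dirs = opt + (112 if magic == 0x20B else 96)           # PE32+ or PE32
    count, = struct.unpack_from("<I", data, dirs - 4)      # NumberOfRvaAndSizes
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * n)
                for n in range(nsect)]
    def directory(i):
        return struct.unpack_from("<II", data, dirs + 8 * i) if i < count else (0, 0)
    def rva_to_offset(rva):
        for _, vsize, vaddr, rawsize, rawptr in sections:
            if vaddr <= rva < vaddr + max(vsize, rawsize):
                return rawptr + rva - vaddr
        return None

    has_version = False
    rsrc_rva, rsrc_size = directory(DIR_RESOURCE)
    off = rva_to_offset(rsrc_rva) if rsrc_size else None
    if off is not None:
        named, ids = struct.unpack_from("<HH", data, off + 12)
        for n in range(named + ids):                       # root level = resource types
            type_id, _ = struct.unpack_from("<II", data, off + 16 + 8 * n)
            has_version |= type_id == RT_VERSION
    # A non-empty certificate table means a signature is attached, not that it is valid.
    return {"version_resource": has_version,
            "certificate_table": directory(DIR_SECURITY)[1] > 0}

def build_sample(version: bool, signed: bool) -> bytes:
    """Constructed minimal PE32 headers plus one .rsrc section, for this demo only."""
    dirs = [(0, 0)] * 16
    dirs[DIR_RESOURCE] = (0x1000, 24)
    dirs[DIR_SECURITY] = (0x400, 8) if signed else (0, 0)  # directory entry only
    head = b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0"
    head += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    head += struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16)
    head += b"".join(struct.pack("<II", *d) for d in dirs)
    head += struct.pack("<8sIIII", b".rsrc", 24, 0x1000, 0x200, 0x200) + bytes(16)
    root = bytes(12) + struct.pack("<HHII", 0, 1, RT_VERSION if version else 3, 0x80000010)
    return head.ljust(0x200, b"\0") + root.ljust(0x200, b"\0")
```

To check a real build, pass the file's bytes to `pe_metadata`; whether the version fields are actually filled in and whether the signature verifies still has to be confirmed with the platform's own tools.
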
So, you still won't tell me what exactly triggered the false alarm, and you also won't tell me what the "fix" consisted of?

But — you are telling me that I should adjust my programming, in order to accommodate your faulty detection mechanism???

Yeah, that seems like a great solution.
 

I used to recommend your software to any client who asked me. Guess not anymore...
