Winbatch and virus software?

Started by fastlane65, July 19, 2019, 02:09:46 PM

fastlane65

I used WinBatch for many years but migrated to AutoIt when the company shut down.  I just found that WinBatch is still alive!

Do compiled WinBatch scripts get false positives from virus checkers?  Every script I have compiled lately in AutoIt has been flagged by MS Defender as some sort of virus or another, so I am looking for a new (or old) scripter. 

td

That is an impossible question to answer. Any executable can be tagged as a virus by any anti-malware software at any time. Some applications are more prone than others, but all anti-malware software is just that: software. It's written by humans and it therefore has bugs.

That said, we have never had a report from a user stating that Defender has flagged their compiled script as a virus. 

About once a year or so we do get a report from a user that their anti-malware - usually some network appliance - has prevented them from downloading our compressed installation file. That usually clears itself up when the software's malware database is updated.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

JTaylor

The thing I most commonly run into is that my EXEs get flagged because they don't have enough "votes/users" by Norton/Symantec users. Some sites have things locked down so their users can't install anything that Norton flags for any reason. Most of the time they can tell it to go ahead, but upon rare occasions that isn't an option.

What is more annoying is that on my own server it automatically removes my EXEs for this reason, and I have had to set exceptions to use my scripts. Took me a bit to figure out why my executables kept disappearing without any noticeable reason.

So, it doesn't flag it as a virus but may flag it for trust issues.

Jim

td

A few years ago we used to run Norton the Malware on a build machine. Part of the build process is verifying the integrity of the build output by running the raw executables. For example, WinBatch.exe is not called WinBatch.exe when it is built. It instead has a version-specific name. Norton never flagged the WinBatch.exe file; however, it consistently flagged the build output version-named executable even though the executables were identical in all other respects. Rather than fiddle with Norton/Symantec we switched to a different malware scanner.

fastlane65

Switching AV product is not an option. All my scripts are internal use and I can usually get away with adding to the Defender exception list, but the pandemic is really trying my patience. All these work-from-home people using their own computers coming in through VPN.

td

I guess you are out of luck then. You could try signing your executables if you don't already. Don't know if it would help any, but all the compiled scripts we distribute are signed and users usually do the right thing and install to protected directories. We have near zero anti-malware software issues to speak of.

ChuckC

Tony mentioned a key point that is subtle and often missed by many people as it pertains to how aggressive AV software may be on Windows.

The location on disk makes a big difference. A program that is installed under "C:\Program Files" or "C:\Program Files (x86)" is in a secure area that requires elevated privileges to place it there. Program files outside of those locations, and outside of "C:\Windows" too, are subjected to more scrutiny.
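A PowerShell illustration of the two points raised in the last two posts (sign the compiled script, then put it under a protected directory). This is an added example, not code from the thread or from WinBatch itself; the executable path, the use of a code-signing certificate from the current user's personal store, and the timestamp server URL are assumptions you would replace with your own.

```powershell
# Added example (not from the thread): sign a compiled script, verify the
# signature independently, and report whether the install path is one of the
# protected program directories described in the post above.
# Assumptions: $ExePath points at the compiled script, a code-signing cert is
# present in Cert:\CurrentUser\My, and the timestamp server is reachable.
param(
    [string]$ExePath = 'C:\Program Files\MyTools\MyScript.exe',  # assumed path
    [string]$TimestampServer = 'http://timestamp.digicert.com'   # assumed TSA
)

# Pick the first code-signing certificate in the user's personal store.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }

# Sign with SHA-256 and a timestamp so the signature stays valid after the
# certificate itself expires.
$sig = Set-AuthenticodeSignature -FilePath $ExePath -Certificate $cert `
           -HashAlgorithm SHA256 -TimestampServer $TimestampServer
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.StatusMessage)" }

# Verify the way an administrator would, independent of the signing step.
$check = Get-AuthenticodeSignature -FilePath $ExePath
"Signature status : $($check.Status)"
"Signer           : $($check.SignerCertificate.Subject)"

# Protected locations per the post above: Program Files, Program Files (x86), Windows.
$protected = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) |
             Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }
$full = [System.IO.Path]::GetFullPath($ExePath)
$inProtected = $protected | Where-Object {
    $full.StartsWith("$_\", [System.StringComparison]::OrdinalIgnoreCase)
}
if ($inProtected) {
    "Install location : $full (protected directory, writable only with elevation)"
} else {
    "Install location : $full (NOT a protected directory; expect more AV scrutiny)"
}
```

Run it from an elevated prompt if the target is under Program Files, since writing the signature back to the file needs the same privilege as placing it there. Note the caveat: a signature from an internal CA or a self-signed certificate only counts on endpoints that trust that certificate, and signing by itself does not give a new binary reputation with Defender or SmartScreen.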