Fix Kaspersky AntiVirus False Positive Detection of AutoIT Applications (Trojan-PSW.Win32.Autoit.m)

Our company switched from Symantec antivirus to Kaspersky a few weeks ago, and I noticed that every application I have written and compiled with AutoIT was being falsely detected by Kaspersky as a virus. Since I wrote each application, I know for a fact that there is no Trojan in my code. So I started a live chat with Kaspersky's support staff, and here is the solution we worked out.

1) Open the Kaspersky Administration Kit, navigate to Managed Computers > Policies, right-click the protection policy you want to update and select Properties. For me the policy name is Protection Policy – Windows Workstations.

2) Next, click on the Protection tab.

3) Click the Trusted Zone button.

4) Click Add and fill out the rule as follows:
Properties: Threat Type
Comment: AutoIT False Positive (or whatever you want to name the rule)
Rule Description:
Select object: Trojan-PSW.Win32.Autoit.m
Component: any

5) Click OK, then OK again.

This automatically updates all of the clients, and all of your AutoIT applications will run without being detected and deleted as a virus. If your AutoIT applications are flagged with a threat name other than Trojan-PSW.Win32.Autoit.m, just substitute that name for the one above.

Note: this will now allow any genuine Trojan-PSW.Win32.Autoit.m virus to go undetected by Kaspersky. I write a lot of scripts for the office in AutoIT, so this was a chance I was willing to take.

Remote Process Kill via WMI. A Replacement for rkill.exe/wrkill.exe

In the past I have used an application from the Windows 2000 Resource Kit called rkill.exe, and its GUI counterpart wrkill.exe, to remotely kill processes. Lately, though, I find it more and more unreliable, and I get the error message "The RPC server is unavailable". So I decided to write a utility that uses the built-in WMI (Windows Management Instrumentation) to find and kill processes instead. This application is freely available and I have included the source code, released under the GPL v3 license. The application is written in AutoIT. If you use this and like it, please let me know in the comments. I find it useful when trying to remove spyware from people's computers around the office.

Application: Remote Process Kill (780)
Source:
Remote Process Kill Source (882)


Windows Vista/7 Screen Saver Settings Application

Windows Vista and Windows 7 come with two nice screensavers by default, Mystify and Ribbons. Both screensavers come as is and have no Settings button to change the number of ribbons/lines or their width, but as many sites point out you can modify a few registry keys to change different aspects of each screensaver. Last year I wrote a couple of applications that take the difficulty, and the fear some users have of editing the registry, out of the process. If you are curious what each screensaver looks like after the modification, take a look at the screenshots here.

Here is a screenshot of my MystifySSConfig.exe config utility (RibbonsSSConfig.exe looks exactly the same). The applications aren't pretty, but they get the job done. There are no installers; you just download and double-click the exes. The apps are written in AutoIt and the source is included. Feel free to modify it as you wish, and if you make any nice changes please let me know.


Mystify Screensaver Config (304)
Ribbons Screensaver Config (298)

Source

Mystify Screensaver Source (407)
Ribbon Screensaver Source (332)

Autoit Command Line Parameters. A new approach.

There are two ways to get the command line arguments passed to an AutoIt script, $CmdLineRaw and $CmdLine[]. Both let you use the arguments to control your script; read about them here. The problem is that you may want an application to take multiple arguments without forcing the user to enter them in a fixed order, distinguishing each argument with a switch such as "-m" or "/m [parameter]". In short, you want your AutoIt script's command line to behave like any DOS command line application.

As you may know, with the $CmdLine[] approach each argument has to be in a fixed position so that your program can react appropriately to $CmdLine[1], $CmdLine[2], and so on. But what if the user accidentally swaps the input and puts the data that belongs in parameter 1 into parameter 2? Your script will either give an error or, worse, manipulate the wrong data. Below I show how I got around this.

Here is what we want the application to do. There are two required arguments, "-h" and "-b", each of which must be followed by a value, and two optional arguments, "-x" and "-y", which take no value and are simply flags. Once run, the application displays a message box showing the header and body along with whether each flag was set.

First we define some Global variables that act as placeholders for the user's input. Then we create two functions: ReadCmdLineParams(), which reads the parameters passed on the command line, and the help message CmdLineHelpMsg(), which tells the user what each parameter means and how to use the application.

First, define the Global variables:

Global $msgHeader		= ""			;Variable for the message header
Global $msgBody			= ""			;Variable for the message body
Global $flagX			= "False"		;Flag X
Global $flagY			= "False"		;Flag Y

After setting the Global variables we call ReadCmdLineParams(), then display a message box showing the values read from the command line.

;;Get Parameters
ReadCmdLineParams()
 
;; Display message
MsgBox(0, "MsgHeader: " & $msgHeader, "MsgBody: " & $msgBody & " FlagX: " & $flagX & " FlagY: " & $flagY)

Next we define the ReadCmdLineParams() function. It loops through all command line arguments and, depending on the argument found, either sets a flag or reads the following argument and stores it in one of the Global variables.

Func ReadCmdLineParams()	;Walk every command line argument, set the flags and capture the values of the options that take one

	;;Loop through every argument
	;;$CmdLine[0] is an integer equal to the total number of arguments passed on the command line
	For $i = 1 To $CmdLine[0]

		Select
			;;If the argument equals -h
			Case $CmdLine[$i] = "-h"
				;Check for a missing value (-h is the last argument); cmdLineHelpMsg() exits the script
				If $i == $CmdLine[0] Then cmdLineHelpMsg()

				;Make sure the next argument is not another parameter
				If StringLeft($CmdLine[$i + 1], 1) == "-" Then
					cmdLineHelpMsg()
				Else
					;;Strip white space from the beginning and end of the input
					;;Not always necessary, left in just in case
					$msgHeader = StringStripWS($CmdLine[$i + 1], 3)
				EndIf

			;;If the argument equals -b
			Case $CmdLine[$i] = "-b"

				;Check for a missing value (-b is the last argument); cmdLineHelpMsg() exits the script
				If $i == $CmdLine[0] Then cmdLineHelpMsg()

				;Make sure the next argument is not another parameter
				If StringLeft($CmdLine[$i + 1], 1) == "-" Then
					cmdLineHelpMsg()
				Else
					;;Strip white space from the beginning and end of the input
					;;Not always necessary, left in just in case
					$msgBody = StringStripWS($CmdLine[$i + 1], 3)
				EndIf

			;Set the -x flag to True
			Case $CmdLine[$i] = "-x"
				$flagX = "True"

			;Set the -y flag to True
			Case $CmdLine[$i] = "-y"
				$flagY = "True"

		EndSelect

	Next

	;Make sure the required options are set; if not, display the help message (which exits)
	If $msgHeader == "" Or $msgBody == "" Then
		cmdLineHelpMsg()
	EndIf

EndFunc

Last, we define the cmdLineHelpMsg() function. It is called whenever the user enters the command line incorrectly or passes no arguments at all. It simply displays how to use the application, and once the user has read it the application exits.

Func cmdLineHelpMsg()
	ConsoleWrite('A better way to get the command line parameters' & @LF & @LF & _
					'Syntax:' & @tab & 'cmdLineForBlog.exe [options]' & @LF & @LF & _
					'Default:' & @tab & 'Display help message.' & @LF & @LF & _
					'Required Options:' & @LF & _
					'-h [message]' & @tab & ' Message Header' & @LF & _
					'-b [message]' & @tab & ' Message Body' & @LF & _
					@LF & _
					'Optional Options:' & @LF & _
					'-x ' & @tab & 'Flag X' & @lf & _
					'-y' & @tab &  'Flag Y' & @lf)
	Exit
EndFunc

Once you have compiled the application as an exe (cmdLineForBlog.exe), go to a command prompt and type:

c:\> cmdLineForBlog.exe -h "Header Message" -b "Body Message" -x -y
or
c:\> cmdLineForBlog.exe  -b "Body Message" -x -y -h "Header Message"
or
c:\> cmdLineForBlog.exe -h "Header Message" -b "Body Message" -y

Now you can put the parameters in any order and still get the desired results.

You can also replace the MsgBox() call with ConsoleWrite() and add #AutoIt3Wrapper_Change2CUI=y at the beginning of your script, which displays the help message in the DOS command window instead of popping up a message box. One important note: this application does not sanitize any input. Please write the appropriate functions to do so, and do not assume that users will always enter correct data. If you have any questions or comments please email me at motersho [ at ] gmail [ dot ] com
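As an added example (not the post's AutoIt code), here is the same -h/-b/-x/-y grammar in Python with the input checks the post leaves to the reader: unknown and repeated options are rejected, a consumed value is skipped rather than re-read as an option, and values are stripped of control characters and capped in length (the 256-character cap is an assumed value).

```python
import re

# Grammar from the post: -h and -b take a value and are required; -x and -y are bare flags.
VALUE_OPTIONS = {"-h": "msgHeader", "-b": "msgBody"}
FLAG_OPTIONS = {"-x": "flagX", "-y": "flagY"}
MAX_VALUE_LEN = 256  # assumed limit; size it to what the application can actually display
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")  # includes newline and tab


def sanitize(value):
    """Trim surrounding whitespace, drop control characters and enforce a length cap."""
    cleaned = _CONTROL_CHARS.sub("", value).strip()
    if not cleaned:
        raise ValueError("option value is empty after sanitizing")
    if len(cleaned) > MAX_VALUE_LEN:
        raise ValueError("option value longer than %d characters" % MAX_VALUE_LEN)
    return cleaned


def parse_args(argv):
    """Order-independent parse of argv (no program name) into the post's four variables; ValueError where the post shows help and exits."""
    result = {"msgHeader": None, "msgBody": None, "flagX": False, "flagY": False}
    seen = set()
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in seen:
            raise ValueError("option %s given more than once" % arg)
        if arg in VALUE_OPTIONS:
            # Missing value: the option is the last token on the command line.
            if i + 1 >= len(argv):
                raise ValueError("option %s requires a value" % arg)
            value = argv[i + 1]
            # Same check as the post: the next token must not be another option.
            if value.startswith("-"):
                raise ValueError("option %s requires a value, got %s" % (arg, value))
            result[VALUE_OPTIONS[arg]] = sanitize(value)
            i += 2  # skip the consumed value so it is never re-read as an option
        elif arg in FLAG_OPTIONS:
            result[FLAG_OPTIONS[arg]] = True
            i += 1
        else:
            raise ValueError("unknown option %s" % arg)
        seen.add(arg)
    missing = [opt for opt, key in VALUE_OPTIONS.items() if result[key] is None]
    if missing:
        raise ValueError("missing required option(s): " + ", ".join(missing))
    return result
```

Call it as parse_args(sys.argv[1:]) and print str(err) of the ValueError in place of the post's help message.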

UPDATE:
This page gets a fair amount of traffic but I have received no comments. Since you have managed to read this far, can you please leave a comment (good or bad) to let me know if this is a viable option for you or if this just doesn't make sense. Any feedback is good feedback IMHO. Thanks.

Here is the script all at once:

Global $msgHeader		= ""			;Variable for the message header
Global $msgBody			= ""			;Variable for the message body
Global $flagX			= "False"		;Flag X
Global $flagY			= "False"		;Flag Y
 
;;Get Parameters
ReadCmdLineParams()
 
;; Display message
MsgBox(0, "MsgHeader: " & $msgHeader, "MsgBody: " & $msgBody & " FlagX: " & $flagX & " FlagY: " & $flagY)
 
Func ReadCmdLineParams()	;Walk every command line argument, set the flags and capture the values of the options that take one

	;;Loop through every argument
	;;$CmdLine[0] is an integer equal to the total number of arguments passed on the command line
	For $i = 1 To $CmdLine[0]

		Select
			;;If the argument equals -h
			Case $CmdLine[$i] = "-h"
				;Check for a missing value (-h is the last argument); cmdLineHelpMsg() exits the script
				If $i == $CmdLine[0] Then cmdLineHelpMsg()

				;Make sure the next argument is not another parameter
				If StringLeft($CmdLine[$i + 1], 1) == "-" Then
					cmdLineHelpMsg()
				Else
					;;Strip white space from the beginning and end of the input
					;;Not always necessary, left in just in case
					$msgHeader = StringStripWS($CmdLine[$i + 1], 3)
				EndIf

			;;If the argument equals -b
			Case $CmdLine[$i] = "-b"

				;Check for a missing value (-b is the last argument); cmdLineHelpMsg() exits the script
				If $i == $CmdLine[0] Then cmdLineHelpMsg()

				;Make sure the next argument is not another parameter
				If StringLeft($CmdLine[$i + 1], 1) == "-" Then
					cmdLineHelpMsg()
				Else
					;;Strip white space from the beginning and end of the input
					;;Not always necessary, left in just in case
					$msgBody = StringStripWS($CmdLine[$i + 1], 3)
				EndIf

			;Set the -x flag to True
			Case $CmdLine[$i] = "-x"
				$flagX = "True"

			;Set the -y flag to True
			Case $CmdLine[$i] = "-y"
				$flagY = "True"

		EndSelect

	Next

	;Make sure the required options are set; if not, display the help message (which exits)
	If $msgHeader == "" Or $msgBody == "" Then
		cmdLineHelpMsg()
	EndIf

EndFunc
 
Func cmdLineHelpMsg()
	ConsoleWrite('A better way to get the command line parameters' & @LF & @LF & _
					'Syntax:' & @tab & 'cmdLineForBlog.exe [options]' & @LF & @LF & _
					'Default:' & @tab & 'Display help message.' & @LF & @LF & _
					'Required Options:' & @LF & _
					'-h [message]' & @tab & ' Message Header' & @LF & _
					'-b [message]' & @tab & ' Message Body' & @LF & _
					@LF & _
					'Optional Options:' & @LF & _
					'-x ' & @tab & 'Flag X' & @lf & _
					'-y' & @tab &  'Flag Y' & @lf)
	Exit
EndFunc