Grrr I know this is pain but...

Technical support and scripting issues

Moderators: Dorian (MJT support), JRL

Post Reply
User avatar
Phil Pendlebury
Automation Wizard
Posts: 543
Joined: Tue Jan 16, 2007 9:00 am
Contact:

Grrr I know this is pain but...

Post by Phil Pendlebury » Fri Jul 14, 2023 9:21 am

15.0.24 / Windows 11 latest.

Just compiled all my scripts with latest version and Windows is immediately deleting them.

Code: Select all

Trojan:Win32/Wacatac.B!ml
I know this is a false positive of course. Recently I had to jump through a ton of hoops, (took me weeks) to get the upload accepted on a site that uses Virus Total to check files. But this has never been an issue on my local machine.

Now allowed the threat and I sent the file to the team and all of them get Virus warnings and the exe file is immediately deleted.

Is there anything we can do about this, as my very small number of users are all complaining.
Phil Pendlebury - Linktree

User avatar
Dorian (MJT support)
Automation Wizard
Posts: 1386
Joined: Sun Nov 03, 2002 3:19 am
Contact:

Re: Grrr I know this is pain but...

Post by Dorian (MJT support) » Fri Jul 14, 2023 9:44 am

Does the last reply on this thread help?

viewtopic.php?f=1&t=10673
Yes, we have a Custom Scripting Service. Message me or go here

User avatar
Phil Pendlebury
Automation Wizard
Posts: 543
Joined: Tue Jan 16, 2007 9:00 am
Contact:

Re: Grrr I know this is pain but...

Post by Phil Pendlebury » Fri Jul 14, 2023 9:59 am

Hi Dorian, yes I read all that before. I cannot afford to get code signing. These are just few free applications.

The odd thing is that the last version of MS was not having this issue. It could be coincidence that I just updated to 15.0.24 from 15.0.22 and that is when the issue started.

I know it is not something that Marcus can wave a magic wand at. But just trying to figure out why it started happening again.

Also, I could be wrong about this as there are many factors involved, but it seems that some compiled scripts don't exhibit the issue. Another odd thing is that the one I have a problem with is very simple and just does some FTP stuff.

I'll run some more tests, but it is tricky because I have to allow the threat then disallow it again etc.

It would be good to just have some discussion about this and how other users deal with it.:-)
Phil Pendlebury - Linktree

User avatar
JRL
Automation Wizard
Posts: 3526
Joined: Mon Jan 10, 2005 6:22 pm
Location: Iowa

Re: Grrr I know this is pain but...

Post by JRL » Fri Jul 14, 2023 2:54 pm

Hi Phil,
...and how other users deal with it.
Mostly by cursing. :evil:

Been dealing with this for a few years.

I have no idea how to get to the location I discovered one day where on my computer I was able to exclude folders from Windows Defender's heavy handed tactics. I excluded my Macro Scheduler scripts folder and I excluded c:\util, a folder I've been creating on all of my and all company computers since the mid 1980's. That does not help any other user of my exes. Also does not help me when trying to run an executable from a network location.

Two things I'd suggest.
One is that Microsoft claims that executable age is a factor in their determination of whether a script is good or bad. Get a copy of "Touch.exe" or something similar and change the timestamp on the executable to make it 10 or 15 years old. I've not yet tried this but I do know that freshly compiled scripts are often captured by Defender whereas scripts from 2012 seem to be fine, mostly.

The other is what I've been doing and I can't explain why its working. I compile a script and send it directly to the network location by placing that location in the script's first line compile information. I run the script from the network location to see if it will be hindered or deleted. If It runs the first time I usually kill it and run it again. I do this at least 5 times. After 5 runs I'm fairly confident Defender will leave the executable alone. If Defender hinders or deletes, I go to the name of the executable on the first line of the script and I add a "1" to the name and recompile. Then I run the new "scriptname1.exe" up to 5 times. If it fails, I alter the first line to compile to "scriptname2.exe"... etc. So far I've never had to go past "scriptname3.exe". I tried this on noticing that once Defender zeros in on a file's name, executables with that name do not stand a chance of working.

Nothing I've tried will prevent the file from working fine for 6 months then suddenly being deleted.

I don't know for certain about file age being a good determinant but I can tell you I have a clock program that I compiled back in 2013 that has been running constantly on an old computer I have at home. Suddenly, summer of 2022, the program stopped and the file was gone. I have backup copies and kept retrying the executable. After a month or so Defender let me run it again and I've had no issue with it since. Again I have no explanation other than the information you can find in the Windows Defender threat protection history. Absolutely know the program was stopped and the file deleted by Windows Defender. Defender said the file was deleted (quarantined) because it was "PUA:Win32/Vigua.A".

As to why this is happening I have two theories. First, Microsoft is using this as a method to generate income.
Butch Cassidy wrote:If he'd just pay me what he's paying them to stop me robbing him, I'd stop robbing him.
Second theory is all of our executables are "packed" by UPX to make the file size smaller. I don't know anything and I have zero expertise on the subject but I have read that UPX is sometimes used by the bad guys to try to hide their code from malware scanners that are looking for signatures. I suspect that on occasion Defender sees the "signature" for UPX in an executable and hinders the process or deletes the file.

I really don't think that the purpose of the script or the functions used in a script have much to do with whether Defender decides to f..mess with the script. At my facility we also have hundreds of old compiled C and Visual basic programs. (Created using Microsoft's Visual Studio.) They are also occasionally getting the same harsh treatment. That said I've never seen one of them deleted, just a warning message that the program is unsafe and will not run. Give it a week and the program will work again.

User avatar
Grovkillen
Automation Wizard
Posts: 1131
Joined: Fri Aug 10, 2012 2:38 pm
Location: Bräcke, Sweden
Contact:

Re: Grrr I know this is pain but...

Post by Grovkillen » Fri Jul 14, 2023 5:31 pm

If you're using 365 you're able to add exceptions to the windows defender using the portal. Works ok for us in our workplace.
Let>ME=%Script%

Running: 15.0.27
version history

User avatar
Phil Pendlebury
Automation Wizard
Posts: 543
Joined: Tue Jan 16, 2007 9:00 am
Contact:

Re: Grrr I know this is pain but...

Post by Phil Pendlebury » Sat Jul 15, 2023 9:45 am

Grovkillen wrote:
Fri Jul 14, 2023 5:31 pm
If you're using 365 you're able to add exceptions to the windows defender using the portal. Works ok for us in our workplace.
I have office subscription but not a company one. However, the issue is not really for me but for the other people I send the files to. :-)
Phil Pendlebury - Linktree

User avatar
Phil Pendlebury
Automation Wizard
Posts: 543
Joined: Tue Jan 16, 2007 9:00 am
Contact:

Re: Grrr I know this is pain but...

Post by Phil Pendlebury » Sat Jul 15, 2023 9:46 am

JRL wrote:
Fri Jul 14, 2023 2:54 pm
Hi Phil,
...and how other users deal with it.
Mostly by cursing. :evil:

Been dealing with this for a few years.
Hi JRL,

Thank you for this. There are some great points there. I will try to go through this in detail after the weekend. :-)
Phil Pendlebury - Linktree

Post Reply
cron
Sign up to our newsletter for free automation tips, tricks & discounts