Bac0n

Reputation: 29

My vbscript gets flagged by antivirus?

The IT company I work for has requested me to make a script that would be able to download the needed files and store them in a folder for a later install.

This is the code I used

    ' xHttp and objFso are created earlier in the full script; shown here so the snippet runs on its own.
    ' strUrl holds the download URL and is set elsewhere in the script (not shown in the post).
    Set xHttp = CreateObject("MSXML2.XMLHTTP")
    xHttp.Open "GET", strUrl, False
    xHttp.Send
    Set objFso = CreateObject("Scripting.FileSystemObject")

    ' Copy the HTTP response body into a binary ADODB stream
    Set BS = CreateObject("ADODB.Stream")
    BS.Type = 1   ' adTypeBinary
    BS.Open
    BS.Write xHttp.ResponseBody
    BS.SaveToFile "putty.exe", 2   ' adSaveCreateOverWrite (the If/Else below writes it again)

    ' If the file does exist, it will be deleted and re-downloaded.
    If objFso.FileExists("putty.exe") Then
        objFso.DeleteFile "putty.exe"
        BS.SaveToFile "putty.exe", 2
        Set objFile = objFso.GetFile("putty.exe")

    ' If the file doesn't exist, it will be downloaded here.
    Else
        BS.SaveToFile "putty.exe", 2
        Set objFile = objFso.GetFile("putty.exe")
    End If

This code ^ has no issues; however, this code does:

    ' xHttp and objFso are created earlier in the full script, as in the first snippet.
    ' strDirectory is set earlier to the per-user work folder described below (C:\Users\<user>\AppData\Roaming\Work).
    Set xHttp = CreateObject("MSXML2.XMLHTTP")
    xHttp.Open "GET", strUrl, False   ' strUrl: download URL, set elsewhere (not shown in the post)
    xHttp.Send
    Set objFso = CreateObject("Scripting.FileSystemObject")
    strTarget = strDirectory & "\putty.exe"

    ' Copy the HTTP response body into a binary ADODB stream
    Set BS = CreateObject("ADODB.Stream")
    BS.Type = 1   ' adTypeBinary
    BS.Open
    BS.Write xHttp.ResponseBody

    ' If the file does exist, it will be deleted and re-downloaded.
    If objFso.FileExists(strTarget) Then
        objFso.DeleteFile strTarget
        BS.SaveToFile strTarget, 2   ' adSaveCreateOverWrite
        Set objFile = objFso.GetFile(strTarget)

    ' If the file doesn't exist, it will be downloaded here.
    Else
        BS.SaveToFile strTarget, 2
        Set objFile = objFso.GetFile(strTarget)
    End If

For some reason the antivirus (Sophos) flags the second code, but I'm unsure why.

The first code, as you can see, will just download the file and save it to where the .vbs is; the issue with this is that the company did not like that. I tried to put the files in C:\ but you need admin rights, which means you need to log in as admin (ugh).

So I made the script just put all the needed files into a temp folder. "strDirectory" points to "C:\Users\NAME\AppData\Roaming\Work"; the reason I did this was that the script would then collect the PC's username, e.g. Bob, and so it would go to "C:\Users\Bob\AppData\Roaming\Work", i.e. "C:\Users\" + PC NAME + "\AppData\Roaming\Work".

But again the antivirus flags it and I'm not sure why.

Thanks!

PS This is not my script; I found it here on Stack Overflow and have just edited it to fit my needs.

PPS I cannot upload the full code for company reasons, but the error is in the download part.

Upvotes: 0

Views: 3757

Answers (2)

William LEGO Tyler

Reputation: 1

Probably I know the reason why the antivirus flagged this: because it downloads a file, and if an antivirus sees a file that downloads a file it triggers. I experienced almost exactly the same problem while coding my computer voice assistant; this assistant can search the internet for what you type and open the file you want to open, and the antivirus detected it, probably because it does the action I mentioned before.

Upvotes: 0

user692942

Reputation: 16682

The two scripts are similar but just a small change can make a big difference.

  • The first is restricted to saving the executable file in the location where the script has been executed from.

  • The second isn't restricted and can theoretically save the executable anywhere on the target machine (dependent on local security, execution rights of the script, etc.).

This is a potential red flag for AntiVirus Software packages and the likely cause of the second script being flagged. The only suggestion without removing the AntiVirus (which I wouldn't recommend) would be to whitelist the script if supported in the package.

Usually, in corporate networks, AntiVirus is handled centrally, so there is potentially a way of whitelisting the script from a central admin portal but you would need to speak to your IT Infrastructure Team to facilitate it.

Upvotes: 3
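The downloader the second answer describes, rewritten as an added example in PowerShell (this is not code from the question or from either answer). It keeps the behaviour that drew the flag, an unprivileged script fetching an .exe into a folder under the user's profile, but adds the check a heuristic scanner cannot make on your behalf: the file is only kept if it carries an Authenticode signature that validates on the machine, with an optional out-of-band SHA-256 pin. The URL and the folder name are placeholders, and the script assumes the binary you fetch is code-signed, which is true of PuTTY's official release builds.

```powershell
# Added example, not part of the original question or answers.
# Downloads an executable into a fixed per-user folder and only keeps it if it
# carries a valid Authenticode signature. Assumptions: $Url is a placeholder
# (the real URL is not in the post); the target binary is code-signed.
param(
    [string]$Url     = 'https://example.invalid/putty.exe',   # placeholder URL
    [string]$WorkDir = (Join-Path $env:APPDATA 'Work')        # same folder the question uses
)

$ErrorActionPreference = 'Stop'

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$dest = Join-Path $WorkDir 'putty.exe'
$tmp  = "$dest.partial"   # download to a side file so a failed check never leaves putty.exe behind

# Fetch over HTTPS. -UseBasicParsing avoids the Internet Explorer engine dependency on older hosts.
Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing

# Integrity check: the file must be signed and the certificate chain must validate on this machine.
$sig = Get-AuthenticodeSignature -FilePath $tmp
if ($sig.Status -ne 'Valid') {
    Remove-Item -Path $tmp -Force
    throw "Rejected download: signature status '$($sig.Status)' for $tmp"
}

# Optional second pin: a SHA-256 you recorded out of band from your own verified copy.
# Left blank here on purpose (placeholder); fill it in to enforce the pin.
$ExpectedSha256 = ''
if ($ExpectedSha256) {
    $actual = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        Remove-Item -Path $tmp -Force
        throw "Rejected download: SHA-256 $actual does not match the pinned value"
    }
}

# Only now replace whatever was in the work folder (the VBScript's delete-then-save step).
Move-Item -Path $tmp -Destination $dest -Force
Write-Output "Saved $dest, signed by: $($sig.SignerCertificate.Subject)"
```

What a heuristic engine sees (a script fetches an .exe and drops it under a user profile) is unchanged, so this does not by itself stop Sophos from flagging it. What it gives the infrastructure team is a script whose output is verifiable before it is ever run, which is the basis on which the central whitelisting the answer recommends can be granted.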
