Question 181254 in Javascript Question posted in
A very good W3school tutorial can be found here.

Javascript – Detection from Antivirus

I have this Shortcut code that runs perfectly without having any issue. But my problem here is that it does is been detected by numerous antivirus and this is a problem for me. I do not know how I can reverse this code to avoid been detected by antivirus.

Here is the code.

Set objShell = CreateObject("WScript.Shell")
strTempPath = objShell.ExpandEnvironmentStrings("%TEMP%")

strShortcutPath = strTempPath & "PuTTY.lnk"
strTargetPath = "https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe"

' Download PuTTY executable
strDownloadURL = strTargetPath
strDownloadPath = strTempPath & "putty.exe"

Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strDownloadURL, False
objXMLHTTP.send()

If objXMLHTTP.Status = 200 Then
    Set objADOStream = CreateObject("ADODB.Stream")
    objADOStream.Open
    objADOStream.Type = 1
    objADOStream.Write objXMLHTTP.ResponseBody
    objADOStream.Position = 0
    objADOStream.SaveToFile strDownloadPath
    objADOStream.Close
End If

' Create a shortcut
Set objShellLink = objShell.CreateShortcut(strShortcutPath)
objShellLink.TargetPath = strDownloadPath
objShellLink.Save

' Execute PuTTY
objShell.Run strShortcutPath

I want this code to run without been detected by any antivirus. I noticed that the downloader is what is been detected, so I feel that there is another code that can run the downloader also that is not going to be detected by antivirus.

This is a legit code.

Tags:

2

Answers


  1. 0

    Using curl and running the downloaded exe directly (instead of launching a shortcut), the posted code can be reduced to the following six lines (that will not trigger AV):

    Set oWSH = CreateObject("WScript.Shell")
Temp = oWSH.ExpandEnvironmentStrings("%TEMP%")
URL = "https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe"
Exe = Temp & "putty.exe"
oWSH.Run "curl -L -X GET """ & URL & """ -o """ & Exe & """",0,True
oWSH.Run """" & Exe & """"
    Login or Signup to reply.
  2. 0

    Antivirus is doing what is supposed to. You’re using techniques that are common to malware.

    That’s okay. You know that your code is safe. Simply instruct your AV to make an exception and it will no longer be detected.

    If this code is intended for distribution, VBS is really not the best method for doing that. You should probably provide instructions for making an exception and provide that with your script.

    Alternatively, you could avoid ADODB streams. That’s probably what’s being flagged. But the need to circumvent AV should be a strong indication that you are likely taking a poor approach.

    In general, this entire script is really bad practice. You should never blindly download and execute anything–especially from a script. Even if you believe that you control the remote source, it’s still a bad idea. If you really must, you should, at the very least, verify the file hash to ensure that you downloaded the intended file and that it hasn’t been modified in any way.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search