AutoHotkey Community

[mouser]

Forgive me if i sound mad..

Every month the new false positives start coming in and people freak out thinking we are serving up malware because of the false positive alerts on compiled AHK scripts.

I'm exhausted from having to put out these false positive alarm fires every %&(*% month.

I'm exhausted from all of these websites warning people that our site hosts malware, and contacting them and fixing it and then having it happen all over again the next month.

I've fought against these irresponsible antivirus companies and felt always like "why aren't the AHK people doing more to address this recurring problem".. maybe you guys are trying to get this solved i don't know, but as much as we love AHK on donationcoder, this is just getting ridiculous, and it has to stop.

My suggestion:

If these recurring false positives always have to do with UPX-packed apps being flagged as malware, then STOP packing compiled ahk's with UPX. As soon as humanely possible.

If you want to make some option to do it with a huge warning that using this is very likely guarantee that your application is going to be flagged as a virus in a few weeks, fine.

But in my opinion, until someone puts a stop to this farce of false positives, the UPX packing when compiling ahk executables should cease immediately.

Again, i apologize for the tone -- we love AHK at donationcoder, i'm just at my wits end dealing with this stuff over and over and over and seeing our site show up in warnings for serving malware and having it always be ahk applications that are causing it. I know its not AHK fault, i know its the antivirus companies being retarded. But let's fight and get them to stop doing this, or else do the one thing that you do have control over -- stop packing with upx.

sincerely, and with love for AHK,
-mouser from donationcoder.com

[mouser]

There has been some suggestion that its the compiled AHK itself, not merely the UPX that is to blame. If this is true, then the problem is much worse than i thought. Have you ahk people done a systematic analysis to determine what specifically is constantly causing the malware detection software to flag these executables as malware?

[SoLong&Thx4AllTheFish]

I assume you are aware you can simply remove UPX from compiler directory and your own scripts are no longer compiled with UPX so that would take of some of your problems. Given the fact autohotkey has mouse and keyboard hooks (way over my head this so bare with me) I can only assume that there is always a chance it will be flagged by an AV no matter what changes are made to AHK (and of course virii and malware can be written in AHK so some might even be valid)

And of course, distrubute your script not the compiled exe The avarage donation coder has AHK installed anyway don't they?

See also http://www.autohotkey.com/forum/viewtopic.php?t=31975&postdays=0&postorder=asc&start=0

and several threads related to virii and UPX on the forum.
_________________
AHK Wiki FAQ
TF : Text files & strings lib, TF Forum

[SoLong&Thx4AllTheFish]

[mouser]

hi hugov,

yeah, we've already posted instructions on our forum for coders on how to delete/rename the upx executable.

it's excellent that this can be done so easily (though they need to remember to do every time they update).

But it does mean that we have to go around every time someone uploads or posts a compiled ahk script, download it, check it, and then educate them about this issue and get them to rebuild and re-upload, and do that on a constant basis.

Since this happens so regularly, and so predictably, and so consistently, I really think this should be changed to not be default behavior in ahk.

[mouser]

Again I just want to emphasize, we love AHK on donationcoder; we've donated to ahk before, we've recommended it, we have some serious ahk coders on our forum.

Chris has done an amazing job with it.

And that's why this is so frustrating to me.. I'm just begging Chris and others at AHK to make a higher priority of figuring out a way to stop these false positives -- by any means necessary.

[tidbit]

[mouser]

[nod5]

Let me tag on a question: why is UPX used by default by autohotkey when compiling? Are there advantages that outweigh the false positive problems?

Related:
EndGunner has a list of some false positive forum posts:
http://www.autohotkey.com/forum/viewtopic.php?p=140027#140027
DerRaphael's Open Letter to AV companies initiative:
http://www.autohotkey.com/forum/topic31975.html&postdays=0&postorder=asc&highlight=upx&start=0

[tidbit]

felt like doing this for fun:

[Lexikos]

I think it would be no great loss if upx.exe was removed from the installer or disabled by default.

nod5,
Reduced size is obviously the only advantage. On slow storage devices it can speed up loading by a very small amount, but some have said it otherwise slows down loading.

tidbit,
Anti-virus software isn't psychic, and mostly isn't intelligent. Your compiled script executable will contain code to register the keyboard/mouse hooks, delete files, shutdown the PC etc. regardless of what content the actual script has. Anti-virus software would have to interpret the script to figure out what it really does. Furthermore, keyboard/mouse hooks are obviously a legitimate feature of Windows, so it mightn't be common to detect them. Any reasonable A/V (and some unreasonable A/V's) would notify the user if and when it detected installation of the hook rather than marking any executable which uses it as a potential virus. Lastly, "viruses" self-replicate; your script does not.

[HotKeyIt]

[tidbit]

Lexikos, it seems you didn't detect my sarcasm (all caps ).
I also added the hooks on purpose because i wanted it to be detected. and since i made the script so small, basic and harm-free, I was expecting most/all to not detect it. now if I made a real virus in AHK, I'm sure more then 2 would pick it up.

[SoLong&Thx4AllTheFish]

Cast your vote about UPX here http://www.autohotkey.com/forum/viewtopic.php?p=323104
_________________
AHK Wiki FAQ
TF : Text files & strings lib, TF Forum

[Lexikos]