Just an FYI, never saw this in previous versions of AutoHotkey's compiled executables. The virus was added to AntiVir last year in August, so I'm pretty sure it's a change in AutoHotkey.
The virus reported to be found is:
TR/AutoIt
This is with the latest free home version of AntiVir http://www.free-av.com/
I'm guessing that some specific byte code that AntiVir is using to identify the AutoIt Trojan is being identified in executables generated with the latest version of AutoHotKey. (Since AutoHotkey is an AutoIt derivative I believe, that makes some possible sense?)
For now I set an exception in AntiVir to not scan my AutoHotKey generated EXE files, but that always makes me nervous in case they did get infected with some other virus in the future.
Not sure if there's anything you can do about it, or if it's something AntiVir has to adjust (or if you could help them with what they need to fix) but thought I'd post here as an FYI.
AntiVir False Positives with EXE made with AHK 1.0.46.08
Started by Dragyn, Mar 02 2007 09:19 PM
24 replies to this topic
#1
-
Posted 02 March 2007 - 09:19 PM
I think the best thing to do is for a customer to contact the company and notify them of the false positive. Although this isn't a bug in AutoHotkey, I can understand your rationale for posting in the Bugs forum.
Thanks.
#2
-
Posted 03 March 2007 - 12:53 AM
Posted in the AntiVir forums also and sent in a sample exe to their 'suspicious files' e-mail. Of course since no other product has such amazing support from the author like AutoHotkey does, we'll see when/if I get a reply from them. Thanks Chris!
#3
-
Posted 03 March 2007 - 08:22 PM
It is not the first false positive from this anti-virus against AutoHotkey, a quick search on the forum should show this...
Note it is not the only one overreacting. I installed PC-cillin at my work (official anti-virus) and it just classified an archive with the official IE7 install package (not yet installed...) as containing a "generic trojan" (sic). It put the file in quarantine... :-(
#4
-
Posted 05 March 2007 - 12:13 PM
Got the false positive confirmed and they said they should fix it in one of the next updates.
"We could not find a virus in the attachment you have sent us.
This is a false positive. We will take out the pattern recognition in one of our
next updates."
#5
-
Posted 05 March 2007 - 06:35 PM
and it just classified an archive with the official IE7 install package (not yet installed...) as containing a "generic trojan" (sic).
That is because it is one...
Good to see that AntiVir speeded up its replies/service. I reported false positives a couple of times already, but I have been very disappointed with their response time so far...
#6
-
Posted 05 March 2007 - 06:42 PM
Hi@all
I have the same problem but another answer from AVIRA.
The message from Avira:
Dear Sir or Madam,
thank you for your email.
We have discovered a new virus in the file you submitted.
Its detection characteristics are now being added, so that it will be detected as TR/Autoit.AE with one of the next updates.
Thank you for your help in improving virus protection.
Thanks for your email.
We have found a new virus called TR/Autoit.AE in your compiled file.
The VDF file will update soon to find this virus.
Sorry for my bad English.
I hope they will find a way to delete the virus.
Please don't use WOWsuche.exe. This is the infected file; I deleted the file from the webserver. If you use it, please delete it and scan your system.
#7
-
Posted 06 March 2007 - 11:31 AM
It may well be that this WOWsuche script is malicious, but I get this with a compiled script with nothing but a msgbox as well. :x
Which is a bit too strict.
"TR/Autoit.AE" and then "No description was found matching your research criteria."
What irritates me too is that you can choose "Ignore" what you want, the alert will still pop up :x
#8
-
Posted 06 March 2007 - 03:19 PM
Hi
I have installed AHK anew; the Trojan is deleted now. I think it is placed in the Compiler.src file. The file was a little bit bigger than the original after reinstalling AHK.
I made the post because I got the mail from Avira.
WOWsuche is a script to find quests on websites for WOW. It is placed on top of the screen in window mode and you can simply search for quest descriptions on the Internet.
The Trojan is now deleted and the file is clean.
Update Avira and reinstall AHK, the Trojan will be deleted.
#9
-
Posted 06 March 2007 - 03:58 PM
You are right, updating AHK and recompiling works. Probably Avira detects signatures of previous versions of AHK, still too strict.
#11
-
Posted 06 March 2007 - 04:14 PM
This antivirus "problem" is no big deal... until it happens to you!
AVG just updated their signatures and who woulda thunk, some pattern from the AutoHotkeySC.bin file in AHK v1.0.46.08 was tagged as a trojan. I was in antivirus hell until I upgraded AHK to v1.0.46.09 and recompiled a few scripts. What a pain in the butt! :evil:
I just spent the last 30 minutes trying to track down a place to report false positives to AVG but couldn't find jack squat. I'm usually pretty good at finding this stuff.
:?: Does anyone have a web address or email address to report false positives to AVG? :?:
Thanks in advance for your assistance.
#12
-
Posted 10 March 2007 - 01:58 AM
I'm not sure but this might be a place to start. http://forum.grisoft.cz/freeforum/
:?: Does anyone have an web address or email address to report false positives to AVG. :?:
Thanks in advance for your assistance.
#13
-
Posted 10 March 2007 - 06:02 PM
FYI I had the same kind of pb this afternoon and I got rid of it simply by recompiling my exe with the last Autohotkey release (AHK v1.0.46.09)
I hope this sea snake will not go back at the surface in a couple of weeks.
#14
-
Posted 10 March 2007 - 06:05 PM
Created a post on the AVG Free forum: http://forum.grisoft.cz/freeforum/. Thank you corrupt for the address. Hopefully they will identify and resolve the issue so that this "sea snake will not go back at the surface in a couple of weeks."
I think the best thing to do is for a customer to contact the company and notify them of the false positive.
Edit: I was informed by the moderator at the AVG Free forum that posting this kinda stuff on that forum wouldn't do much good. He/she gave me instructions which can be found here: http://forum.grisoft...ead.php?4,93902
#15
-
Posted 11 March 2007 - 03:55 AM