Symantec has identified parts of AutoHotkey_1.1.33.00_setup.exe as malicious based on heuristic rules. I have submitted it to them as a false positive, but now I have corporate Incident Response breathing down my neck (not that I blame them, it's their job to stay on top of any and all potential threats, even tho this doesn't constitute one). Sadly, significant damage to AutoHotkey's reputation has just been done.

I appreciate the effort you put in this answer. This keeps the thread alive and other people will read this too. :thumbup:
But it's not for me. You know, i'm a gardener and almost in retirement. Never earned money with programming or scripting. Yes, for some time I had a (small) leading role and worked with pre-defined office templates. If I wanted to change things my boss said I spent to much time for my administrative tasks!
But in the 90's I had an Amstrad (464?) personal computer where you had to load programs on casette or floppy's and if you wanted to make things work personally for you you had to program it in Basic (sure you know this but some youngsters who read this would be amazed). Commands, AHK and Visual Basic, I like to experiment with it [b]only to keep my brain cells active.[/b] Creating unimportant programs like generating lottery numbers based on personal dates or names and so... Well, the program works but I'm still not a millionaire! :D

[quote=slechtwere post_id=337769 time=1592916854 user_id=123880]
...Personally, I don't bother sending false positives to AV companies. Because I think it's none of their business what I do with my files on my computer. I just excluded the folder containing my scripts from scanning... Once the scripts are being executed there seems to be no problem.
[/quote]

Thanks for your support. However, I think you might be missing the point of why it's important to report false-positives and are advocating for something that is detrimental to the community. It's not simply or only about you or I. It's about poorly run AV companies and competing parties accidentally or purposely mislabeling the software we use and rely on, which then escalates into problems for AHK users [u]in general[/u].

True, you can probably create an exception for [u]yourself[/u]. However, if you use the software in a school, business, work, or give it to friends that is a [u]different situation[/u]. Those people using the software [u]might not have[/u]:

1) The administrative access to create an exception
2) The technical knowledge to know what to do
3) The confidence to allow the software to run or give it permission based on fears and perceived negative reputation

In addition, being mislabeled as malware, tends to have an escalating effect. As has been shown in the past, you can have web browsers, websites that host software, e-mail servers, and public opinion involved. For example, you can have the software on your website mislabeled as malware, and then get [u]unexpectedly blocked by Chrome and Firefox[/u]. Allowing AV companies to [u]wrongfully mislabel an entire scripting language[/u] can lead to bad surprises at the wrong time and unexpected consequences. Other examples are companies or schools not wanting programs coded in that particular scripting language, due to wrongful negative opinions, thus decreasing opportunities for those that code in that language or negatively affecting the projects they are involved in.

So it's more than just being about only ourselves, it's about the [u]AHK community[/u] in general, reputation, public opinion, and proper business practices. Reporting false-positives helps all of us, and acts as a counter-balance to bad actors and AV companies being unscrupulous or involved in bad business practices.

Thank you tank and SOTE. It's nice to have people to be so attached to their community.
Personally, I don't bother sending false positives to AV companies. Because I think it's none of their business what I do with my files on my computer.
I just excluded the folder containing my scripts from scanning. In my opinion these scripts are more suspicious for them if they are just lurking somewhere, especially in the Start up folder. Once the scripts are being executed there seems to be no problem.

[quote=SOTE post_id=328205 time=1589197759 user_id=64090]
[quote=PIcard_1983 post_id=328198 time=1589194965 user_id=83341]
Hello, I have been getting the following message for about 2 weeks with Windows Defender. It is a script which I have written with autohotkey.

What can i do?

You should read the 1st post. Other people don't know where you got the file from, know about any strange code that a person might be sending to others, nor have the same issue. The most direct course of action is for you to submit the file to Microsoft. You didn't have to wait for 2 weeks, it's something that you can do immediately.

[b]Microsoft[/b] Online Submission for False-Positives: [url]https://www.microsoft.com/en-us/wdsi/filesubmission[/url]
Note- Most people will need to select "[b][u]Home customer[/u][/b]" and then "[b][u]Continue[/u][/b]". Will give tracking of Microsoft's decision.
[/quote]
What would be helpful to the community is that you tell us about what version of the AutoHotkey interpreter that you are using, where you got it from, possibly a sample of the script that you wrote that might be causing the issue. This, of course, is up to you as to which or none that you would like to do. Though it would be good to know what Microsoft says about the file you submit.
[/quote]

Ok, many Thanks. Autohotkey-Version: v1.1.32.00

I'll report it to microsoft. I wrote the script myself. It runs a menu in the taskbar and accesses some file links on different network drives. Nothing more. It's just a support. Let's see what microsoft says.

[mention]hasantr[/mention]
Good job, Hasantr. It's amazing how low quality the companies being accepted to VirusTotal are. If you can't figure out an open-source scripting language interpreter with all of its source code freely available on GitHub is not malware, then there is something very wrong.

An antivirus that has just joined VirusTotale has detected Autohotkey as harmful.
I reported False Positives from this link.
https://www.secureaplus.com/features/antivirus/report-false-positive/

I notified MaxSecure, who thought Autohotkey.exe was harmful, with this mail. They said it would be resolved in the next update.

[email protected]

[quote=PIcard_1983 post_id=328198 time=1589194965 user_id=83341]
Hello, I have been getting the following message for about 2 weeks with Windows Defender. It is a script which I have written with autohotkey.

What can i do?
[/quote]

You should read the 1st post. Other people don't know where you got the file from, know about any strange code that a person might be sending to others, nor have the same issue. The most direct course of action is for you to submit the file to Microsoft. You didn't have to wait for 2 weeks, it's something that you can do immediately.

[b]Microsoft[/b] Online Submission for False-Positives: [url]https://www.microsoft.com/en-us/wdsi/filesubmission[/url]
Note- Most people will need to select "[b][u]Home customer[/u][/b]" and then "[b][u]Continue[/u][/b]". Will give tracking of Microsoft's decision.

What would be helpful to the community is that you tell us about what version of the AutoHotkey interpreter that you are using, where you got it from, possibly a sample of the script that you wrote that might be causing the issue. This, of course, is up to you as to which or none that you would like to do. Though it would be good to know what Microsoft says about the file you submit.

[quote=PIcard_1983 post_id=328198 time=1589194965 user_id=83341]
What can i do?
[/quote]
If you think it's a false positive (which I would assume, if it wasn't infected unluckily on your computer by some third-party malware), you can report the script to Microsoft, so that they can improve their heuristics. Please see https://www.autohotkey.com/boards/viewtopic.php?f=17&t=62266#p264913 Unfortunately, AHK experiences a lot of problems with false positives.

If you are reasonably sure that it is a false positive, you could create an exception for it in Windows Defender, and start using it again. Whatever you do, act reasonably and at your own risk.

Hello, I have been getting the following message for about 2 weeks with Windows Defender. It is a script which I have written with autohotkey.

See Attachment.
[attachment=0]False.jpg[/attachment]

What can i do?

Chrome is not Anti-Virus software. What is usually the case is they are focused on the website or weblink. The website or weblink has been reported as malware or Google's algorithm has determined the website is infected with malware or the weblink is pointing to such. Google's algorithm to determine if your weblink or website is hosting or pointing to malware is partially determined by VirusTotal (also owned by Google). How exactly that Google comes to its conclusions is not exactly known and they keep it a secret from the public.

Keep in mind that a significant number of people might be [u]reporting[/u] your software, website, or weblink as bad. To include as a prank, harassment tactic, or out of cluelessness about software. These reports can also be a factor in Google's determination. So you need to be clear about whether or not your software is or isn't malware, and be able to prove your case. Some people are clueless about software. This is on both sides. The author of the program (where the program is having unintended consequences) or those that receive the program (that are making false assumptions or false claims).

If you are a webmaster, you have a few options to dispute such a determination. Though keep in mind that your battle will usually and primarily be with Google, so you must use their website tools ([url]https://developers.google.com/web/fundamentals/security/hacked/use_search_console[/url]). If you are not a webmaster and simply providing a link, this gets a bit harder. Below includes some alternatives for battling Google's determinations that might help.

[url]https://www.stopbadware.org/request-review[/url]
StopBadware provides a so-called independent review process for your website or weblink to dispute Google's determinations.

[url]https://www.virustotal.com/gui/contact-us[/url]
VirusTotal Online contact form. They are owned by Google, but it's possible that the IT personnel that maintain that site can be helpful.
Note: you should choose this option when submitting- [c]My site/file has been improperly flagged as harmful (false positive)[/c]

[url]https://safebrowsing.google.com/safebrowsing/report_error/?hl=en[/url]
You can report that Google has made a mistake in their determination. It says incorrect phishing warning, but can also be used for false-positives (to include links) and wrongful determinations.

[url]https://support.google.com/chrome/community?hl=en[/url]
You might get the attention of Google staff that handle Chrome by posting a complaint, and where others join in to add their similar complaints.

Google Feedback
You can often find it at the bottom of a Google related page that you are on. Often, this is like putting a message in a bottle and throwing it in the ocean, as Google doesn't usually give a direct human response. Often it's more a "feel better" to ventilate anger over Google shenanigans. But, if enough people are complaining about the same things, this does seem to trigger Google algorithms so that eventually a human might look at the group of complaints.

If you are a webmaster. The usual tool to battle Google's determinations is Google Search Console.
[url]https://search.google.com/search-console/about[/url]

[mention]roysubs[/mention]
From a quick search, it appears Chrome uses the Google Safe Browsing API to determine if a download or site is malicious. You can read the articles on "[url=https://support.google.com/webmasters/answer/3258249]Malware and Unwanted Software[/url]" and "[url=https://support.google.com/webmasters/answer/9044101]Security Issues Report[/url]", however, submitting false positive reports doesn't appear to be strait forward.

[quote=Sam_ post_id=269655 time=1553634105 user_id=58223]
More often than not, I have found that AV software tends to complain about compiled AHK scripts when they have been compressed with mpress. Apparently, overzealous AV software sees compressed EXEs as an attempt to hide or obfuscate ("malicious") code, which I find a shame. As a result, I have gone away from allowing the compiler to use mpress. Every now and then I'll still have a user report that some AV program complains about a compiled script (or experience it myself), but it's much more rare.
[/quote]

I'm really curious about that Sam? Here is my situation: I have a little automation tool that about 100 people are interested in using. Following your advice I use /mpress 0 to stop it compression. I then put it up on my Dropbox for them to download. As soon as they download, Chrome screams at them that this is dangerous software. If they dare to download it, their Anti-Virus (I mean "trusted crapware") screams at them that this is a virus and deletes the file. So now only half of the people dare to use the tool because they think I'm trying to install viruses on their systems :(

Do you not all find the same if you try to distribute a compiled tool using Ahk2Exe? I've even heard there are people on here that have sold Autohotkey tools as commercial software. I fail to see how since all of the Anti-VirusCrapware tools go into full tantrum mode and delete-with-prejudice any tools that I try to give to people. Please teach me how to get around this if possible as makes distributing Autohotkey tools depressingly difficult. :(

Yeah these companies have taken a lot of advantage of us

[quote=lmstearn post_id=318246 time=1584625634 user_id=71273]
Submitted two AHK (v1.1.32.00) files as per clean.zip with a custom icon to VirusTotal that had only one line in each:
[/quote]

Thanks for the report and for submitting. Will be updating the 1st post with vendors not on our list.

Msgbox Clean

Submitted two AHK (v1.1.32.00) files as per [attachment=0]clean.zip[/attachment] with a custom icon to VirusTotal that had only one line in each:
[code]Msgbox Clean[/code]
One file was an [url=https://www.virustotal.com/gui/file/1a49abf8ddbc8f5dc00eaadca3b3c785c621a6dcc365dfea0bbf59e9da309540/detection]MPress compilation[/url], the [url=https://www.virustotal.com/gui/file/82fcc6388699caf085f96b15fffb6249008c81c950ef8a588f00d52a468213a8/detection]other[/url] not.
For some AHK compilations, zipped MPress files were [url=https://security.stackexchange.com/questions/226017/why-is-virustotal-unable-to-process-file-type-for-files-packed-with-mpress]ignored by many vendors[/url], sadly, the above scan doesn't just contain the usual suspects:

[list]SecureAge APEX: Malicious[/list]
[list]CrowdStrike Falcon: Win/malicious_confidence_60% (W)[/list]
[list]Endgame: Malicious (moderate Confidence)[/list]
[list]FireEye: Generic.mg.a6f7c4814f82f139[/list]
[list]MaxSecure: Trojan.Malware.121218.susgen[/list]
[list]McAfee-GW-Edition: BehavesLike.Win32.Downloader.dh[/list]
[list]Zillya: Trojan.AutoHK.Win32.477[/list]

There's 13 more!
You know, after all these years, I'm convinced the only algorithm used in these virus detection programs is the [url=https://en.wikipedia.org/wiki/Einstellung_effect]Einstellung method[/url].

[quote=BarberH post_id=311460 time=1580111614 user_id=118658]
Thus their list (for now and because it's not updated) is not as relevant for helping the AHK community combat false-positives. We should not want people submitting to vendors that will not help stop the false-positive problem
[/quote]

This statement is strange and it might be because of the English used, but can you clarify what you mean more?

Based on what I think you might be saying:

1. This list here is updated.
2. The list here reflects major AV companies that will have an impact.
3. People should submit false-positives to AV companies, because it's the only way to get them to update their databases or re-check.
4. Submitting false-positives do make a difference. I've had and seen companies update their databases.
5. You may also need to [u]submit to many companies[/u], not just one. AV companies can be blindly adding signatures or copying from other AV companies, without doing all the needed detailed research. Push-back from users and customers causes them to re-check and verify. Thus a list such as this is important for the AHK community.

In the case of Jiangmin, it's the right move for the AHK community to inform VirusTotal (Google) and have them put some pressure on Jiangmin (or any company doing wrong) to be responsive to users and make corrections about false-positives or VirusTotal admin (or Google the owner) will remove them from the VirusTotal list.

i gonna wait for Virus Total's Return Messsage

Ana Tinoco (VirusTotal)
Jan 13, 6:09 AM PST
Hello,
I have just contacted Jiangmin. I'll keep you informed.
Regards,
Ana Tinoco - VirusTotal - www.virustotal.com
Have you tried the VirusTotal Graph?

[quote=jongyun24 post_id=308936 time=1578634821 user_id=117766]
I' still Send to mail to jiangmin a Week 1~2 Time for False Positive.
and One more Send to Total Virus.
[/quote]

You are doing the correct thing. Hopefully, Jiangmin will respond and remove the false-positive or VirusTotal (Google) will take some action towards Jiangmin for not responding to users or for unreliability.