Report False-Positives To Anti-Virus Companies


Re: Report False-Positives To Anti-Virus Companies

Post by chrispeddler » 20 May 2019, 21:54

Thank you for the info. Will take note of this.

Re: Report False-Positives To Anti-Virus Companies

Post by nnnik » 23 Apr 2019, 11:09

They are spam bots. Quite good ones too. It took us quite long to notice this.

Re: Report False-Positives To Anti-Virus Companies

Post by gregster » 23 Apr 2019, 09:57

SOTE wrote:
23 Apr 2019, 01:29
What are you talking about? McAfee has a false-positive procedure, where you inform them by e-mail, and they are included.

"Rachel" and "Maria" are both accounts that have connections to the same company (you can find it in their account details, see under "Website"). Other accounts with the same affiliation also made strange posts before and - from time to time - dropped a link or two (and some have been banned, iirc). They don't seem to be bots, but I strongly suspect that they mainly contribute something in order to advertise casually later and not because they have any real interest in the subject.

@mariafox and @RachelKieran, do you mind elaborating on your strange posts here, or are you ok with permanently closing your accounts?

Re: Report False-Positives To Anti-Virus Companies

Post by SOTE » 23 Apr 2019, 01:29

mariafox wrote:
23 Apr 2019, 00:52
Thank god that McAfee is not included in the above list, this is the best Antivirus ever because of its better performance & response. Good thing is there is no available option of false detection form.

What are you talking about? McAfee has a false-positive procedure, where you inform them by e-mail, and they are included.

Re: Report False-Positives To Anti-Virus Companies

Post by Sam_ » 18 Apr 2019, 06:02

RachelKieran wrote:
17 Apr 2019, 06:10
Antiviruses generally make PC performance low and sometimes they even send viruses to your computer if you do not purchase the premium version of many software.

Please cite your sources. I'm interested to know where you are getting this information.

Re: Report False-Positives To Anti-Virus Companies

Post by SOTE » 14 Apr 2019, 04:54

gwarble wrote:
03 Apr 2019, 08:49
I also haven't used mpress (or upx) since like 2010, and still get false positives all the time on compiled scripts, so it may help but it is not a total solution. Some older versions (and simpler scripts) are 1 or 2 FPs on VirusTotal, some newer compiled ahk versions (and more complex, "invasive" but functional scripts) up to 11 false positives at the moment.

I also have major problems with "Microsoft Security Essentials" (which is effectively the same as Defender afaik) and programs I run and distribute throughout my workplace, even when explicitly permitted. Even though I don't bother with reporting users' complaints about false positives for EitherMouse anymore, I've started submitting to Microsoft my own internal company programs just so they stop getting deleted.

Some good points.

And we have to stay on these Anti-Virus companies, because arguably a lot of this drama is about laziness. High level programmers working at these Anti-Virus companies should have a much easier time analyzing an open source interpreted scripting language, in comparison to traditionally compiled languages or closed source, to determine if there is really a threat. There are a number of ways for them to see the script, even when "bound" to the open source executable. Just no excuse for the silliness that is taking place or out of control heuristic scanners labeling anything as a threat.

Re: Report False-Positives To Anti-Virus Companies

Post by Tigerlily » 03 Apr 2019, 10:00

Yeah, hopefully at some point the ratio of false positives from AHK programs will hit a threshold that they can deem it safe. Not sure if that's what will happen though.

And yes, not using MPRESS doesn't fix the false-positive flagging issue, however it does seem to slip under the radar more frequently for some AVs than when used.

Re: Report False-Positives To Anti-Virus Companies

Post by gwarble » 03 Apr 2019, 08:49

I also haven't used mpress (or upx) since like 2010, and still get false positives all the time on compiled scripts, so it may help but it is not a total solution. Some older versions (and simpler scripts) are 1 or 2 FPs on VirusTotal, some newer compiled ahk versions (and more complex, "invasive" but functional scripts) up to 11 false positives at the moment.

I also have major problems with "Microsoft Security Essentials" (which is effectively the same as Defender afaik) and programs I run and distribute throughout my workplace, even when explicitly permitted. Even though I don't bother with reporting users' complaints about false positives for EitherMouse anymore, I've started submitting to Microsoft my own internal company programs just so they stop getting deleted.

Re: Report False-Positives To Anti-Virus Companies

Post by Tigerlily » 03 Apr 2019, 06:10

Grumpy IT Guy wrote:
03 Apr 2019, 03:12
I write a bunch of scripts for my work and Sophos has recently started blocking most of them, which is causing REAL grief.

On checking the actual Autohotkey install file (latest version) it also flags up as malware and won't even install it properly.

Any thoughts? Is this likely to be something changed by AHK or should I just submit it?

Edit: A very simple script of about 10 lines converted to an exe with AHK now shows up more than 11 threats on VirusTotal - this is just 1 example and is probably not worth the time it would take to submit all these false positive claims :/
I would have to consider stopping using AHK altogether which is a massive pain and a real shame.

My work computer flags compiled ahk scripts as a few different types of malware because of my Windows Defender AV. It also won't let me download certain installers which I'm certain are safe. Some AVs will flag more or fewer threats. As always, do your due diligence to ensure there is no other malicious activity in your system. If you got it directly from this site, then it will be a safe false-positive.

It's important to submit as many false positive claims about this issue as possible across as many AV companies, so it shows that AHK has a safe community. Due to the nature of AHK being able to efficiently automate complex systems, mixed with some bad people using AHK for nefarious purposes, it has gained a bad reputation within the online space that we hope to change.

Re: Report False-Positives To Anti-Virus Companies

Post by Grumpy IT Guy » 03 Apr 2019, 03:12

I write a bunch of scripts for my work and Sophos has recently started blocking most of them, which is causing REAL grief.

On checking the actual Autohotkey install file (latest version) it also flags up as malware and won't even install it properly.

Any thoughts? Is this likely to be something changed by AHK or should I just submit it?

Edit: A very simple script of about 10 lines converted to an exe with AHK now shows up more than 11 threats on VirusTotal - this is just 1 example and is probably not worth the time it would take to submit all these false positive claims :/
I would have to consider stopping using AHK altogether which is a massive pain and a real shame.

Edit 2: With further testing, I have discovered that using ANSI 32-bit conversion and Impress compression seems to get around Sophos, however VirusTotal still finds 8 problems with it.

Re: Report False-Positives To Anti-Virus Companies

Post by robodesign » 31 Mar 2019, 07:00

I never used MPress and I still had false positives for KeyPress OSD with no packer. However I started using the UPX packer.

In my tests, some months ago... it did not make a difference, I get the same amount of false positives with UPX or without.

Best regards, Marius.

Re: Report False-Positives To Anti-Virus Companies

Post by SOTE » 26 Mar 2019, 18:56

Sam_ wrote:
26 Mar 2019, 16:01
More often than not, I have found that AV software tends to complain about compiled AHK scripts when they have been compressed with mpress. Apparently, overzealous AV software sees compressed EXEs as an attempt to hide or obfuscate ("malicious") code, which I find a shame. As a result, I have gone away from allowing the compiler to use mpress. Every now and then I'll still have a user report that some AV program complains about a compiled script (or experience it myself), but it's much more rare.

Part of the reason why MPRESS creates issues with Anti-Virus vendors is that many don't have an unpacker for it. Whereas with UPX, the software of the Anti-Virus companies can usually unpack and inspect the contents. And use of any "exotic" or unknown packer is more likely to trigger Anti-Virus software. You might want to see if UPX won't cause you issues, or consider not using a packer.
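The packer point above can be checked on your own compiled executable before you distribute it. The following triage helper is an added example, not code from the thread or the AutoHotkey project: it walks the PE section table, flags section names that UPX and MPRESS leave behind (assumed from public knowledge of those packers, not an exhaustive signature list), and reports per-section byte entropy, which is the other cue heuristic scanners weigh when they cannot unpack a binary. The sample PE images are constructed in the block itself.

```python
import math
import struct

# Section names left by well-known packers (assumption: typical UPX/MPRESS
# output; real AV engines use far richer signatures than this lookup).
PACKER_SECTIONS = {"UPX0": "UPX", "UPX1": "UPX",
                   ".MPRESS1": "MPRESS", ".MPRESS2": "MPRESS"}

def pe_sections(data: bytes):
    """Return [(name, raw_bytes)] for every section of a PE image.

    Walks DOS header -> e_lfanew -> COFF header -> section table and
    raises ValueError for anything that is not a PE file.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size          # section table follows the optional header
    out = []
    for i in range(nsections):
        hdr = table + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        out.append((name, data[raw_ptr:raw_ptr + raw_size]))
    return out

def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte; packed/encrypted data sits near 8.0."""
    if not buf:
        return 0.0
    counts = [buf.count(bytes([b])) for b in range(256)]
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)

def triage(data: bytes) -> dict:
    """Packer name (or None) plus per-section entropy for a PE image."""
    sections = pe_sections(data)
    packer = next((PACKER_SECTIONS[n] for n, _ in sections if n in PACKER_SECTIONS), None)
    return {"packer": packer, "sections": [(n, round(entropy(b), 2)) for n, b in sections]}

def build_sample_pe(section_names, payloads) -> bytes:
    """Constructed minimal PE (headers plus raw section data) for offline testing."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    ptr, headers, body = 64 + 4 + 20 + 40 * len(section_names), b"", b""
    for name, payload in zip(section_names, payloads):
        headers += struct.pack("<8sIIII", name.encode(), len(payload), 0x1000, len(payload), ptr) + bytes(16)
        body += payload; ptr += len(payload)
    return bytes(dos) + b"PE\0\0" + coff + headers + body
```

Run `triage(open("compiled_script.exe", "rb").read())` on a real compiled script; a packer name or several sections near 8.0 bits tells you what the scanner is reacting to, independent of whether the script itself is benign.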

Re: Report False-Positives To Anti-Virus Companies

Post by Tigerlily » 26 Mar 2019, 18:49

Sam_ wrote:
26 Mar 2019, 16:01
More often than not, I have found that AV software tends to complain about compiled AHK scripts when they have been compressed with mpress. Apparently, overzealous AV software sees compressed EXEs as an attempt to hide or obfuscate ("malicious") code, which I find a shame. As a result, I have gone away from allowing the compiler to use mpress. Every now and then I'll still have a user report that some AV program complains about a compiled script (or experience it myself), but it's much more rare.

Sam_, I've experienced the same things, and chose to now compile without MPRESS too.

Re: Report False-Positives To Anti-Virus Companies

Post by WeedTrek » 26 Mar 2019, 17:40

thanks for this, AVG always says "whoa hold on there might be bad stuffs and the boogeyman in there, let me think you're under virus attack for the next 30 seconds" while I grind my teeth and shake my fist at the mainstream corporate elites who would only serve Gates-friendly DARPA software to the vaccinated masses.

Re: Report False-Positives To Anti-Virus Companies

Post by Sam_ » 26 Mar 2019, 16:01

More often than not, I have found that AV software tends to complain about compiled AHK scripts when they have been compressed with mpress. Apparently, overzealous AV software sees compressed EXEs as an attempt to hide or obfuscate ("malicious") code, which I find a shame. As a result, I have gone away from allowing the compiler to use mpress. Every now and then I'll still have a user report that some AV program complains about a compiled script (or experience it myself), but it's much more rare.

Re: Report False-Positives To Anti-Virus Companies

Post by tank » 14 Mar 2019, 08:26

Well, actually I've been fighting Google. Norton only required one explanation and dispute.

Re: Report False-Positives To Anti-Virus Companies

Post by SOTE » 14 Mar 2019, 08:25

tank wrote:
14 Mar 2019, 07:06
Now here is a win after I disputed
http://safeweb.norton.com/report/show?url=autohotkey.com

Great! Amazing that it took them so long to do the right thing.

Re: Report False-Positives To Anti-Virus Companies

Post by tank » 14 Mar 2019, 07:06

Re: Report False-Positives To Anti-Virus Companies

Post by tank » 13 Mar 2019, 10:43

Just filed a report with Norton over one of our versions

Re: Report False-Positives To Anti-Virus Companies

Post by SOTE » 12 Mar 2019, 15:49

gwarble wrote:
12 Mar 2019, 11:52
Are you sure?

Because antivirus companies' main goal is to make money, not find known patterns, so they would have an incentive to not flag legitimate software and drive away customers.

This is only speculation, but I hope to some day test it specifically.

My understanding of it is that a code signing certificate and digital certificate helps with the UAC, not necessarily whether or not an Anti-Virus company will flag it as malware. Without it, the UAC will give the unknown publisher alert, but the Anti-Virus software is not directly tied to UAC alerts.

Since the user has to manually decide if they will proceed with the installation, after the UAC alert, then it's arguably on them. This trust from the user, also has other factors involved. For instance the reputation or trust in the website they are downloading it from or if the company/author of the software is known, not just if the software has a certificate.

Though if your executable has no product name nor file description, it's more likely to be flagged as malware. The UAC alert is not based on what you put for product name and description, but rather if you have a certificate, so these are not related.

Various websites that specialize in software can have their own testing programs, such as Softpedia. They can review and certify that your software is safe. It's not clear to what extent this has pull among the top Anti-Virus vendors, and avoids the software being flagged as malware in the future, but it's likely the website distributing your software will inform you of any problems at the time of their certifying process. But the flip side of this for a software developer is getting bad or lower than expected reviews/ratings from users (or even sly competitors) on that website, to include staff of the website reviewing the software, or their software being lumped in with their competitors versus being displayed solely on your own website without any competition or comparison.
