Report False-Positives To Anti-Virus Companies

Topic review

Re: Report False-Positives To Anti-Virus Companies

by Janusz » 21 Dec 2020, 09:08

I have found out that politeness, kind pleas and the reporting of false positives created by the AutoHotkey developers is really the only way to eliminate false positives.

If some author of a compiled .exe suffers because of a false positive, it is really necessary to send the .exe file for analysis to the corresponding antivirus laboratory.
There is also another problem.
Some antivirus companies may think that the practice, on which some programming languages are based, of connecting code to a previously compiled .exe by using the compiler is dangerous because of the possible corruption of the .exe format.
But in the case of AutoHotkey, it is not true. AutoHotkey has always been compiled by the Microsoft Visual Studio compiler, so the machine code and the format of the .exe file are correct.
If Ahk2Exe adds a script inside the .exe file, it always knows where to put the script to prevent .exe file corruption. I also know that Windows contains many complex condition blocks which protect users against corrupted .exe files.
Sure. Because AutoHotkey belongs to the high-level programming languages, some hackers can really use it to make viruses. But a virus can also be made in C, in Pascal and in Assembly language too. Sure. It will always depend on the motivation of the programmer. A programming language is only a development tool which can be used or misused.

Thanks to all of this community, who are making AutoHotkey a more and more efficient language. And AutoGUI and AutoHotkey Studio allow many programmers to have many positive experiences when developing. I would like to congratulate the C programmers of AutoHotkey for their complex work. Screen readers have good responsiveness when navigating across the GUI of AutoHotkey apps. Fast responsiveness when browsing editable fields, listboxes and other GUI elements is very important. And memory allocations are very, very low; a very good programmers' job. I will try to code with my sighted mother.

Re: Report False-Positives To Anti-Virus Companies

by joedf » 05 Dec 2020, 14:14

I personally use Windows Security / Microsoft Defender and MalwareBytes. And additionally, for programs I don't trust, I use Sandboxie. :+1:

-

by Martinspake » 05 Dec 2020, 13:01

AVG and Avast are two of the best free anti-virus programs out there. I use Avast, because AVG has been known to take up RAM on the computer. Just about everyone that I know that deals with computers uses Avast with Malwarebytes Anti-Malware and Firefox with the AdBlock Plus add-on, No Flash add-on and NoScript add-on.

Re: Report False-Positives To Anti-Virus Companies

by Sam_ » 30 Jun 2020, 14:36

Symantec has identified parts of AutoHotkey_1.1.33.00_setup.exe as malicious based on heuristic rules. I have submitted it to them as a false positive, but now I have corporate Incident Response breathing down my neck (not that I blame them, it's their job to stay on top of any and all potential threats, even though this doesn't constitute one). Sadly, significant damage to AutoHotkey's reputation has just been done.

Re: Report False-Positives To Anti-Virus Companies

by slechtwere » 26 Jun 2020, 09:40

I appreciate the effort you put in this answer. This keeps the thread alive and other people will read this too. :thumbup:
But it's not for me. You know, I'm a gardener and almost in retirement. Never earned money with programming or scripting. Yes, for some time I had a (small) leading role and worked with pre-defined office templates. If I wanted to change things, my boss said I spent too much time on my administrative tasks!
But in the 90's I had an Amstrad (464?) personal computer where you had to load programs from cassette or floppies, and if you wanted to make things work personally for you, you had to program it in Basic (sure you know this, but some youngsters who read this would be amazed). Commands, AHK and Visual Basic, I like to experiment with them only to keep my brain cells active. Creating unimportant programs like generating lottery numbers based on personal dates or names and so on... Well, the program works but I'm still not a millionaire! :D

Re: Report False-Positives To Anti-Virus Companies

by SOTE » 23 Jun 2020, 15:14

slechtwere wrote:
23 Jun 2020, 07:54
...Personally, I don't bother sending false positives to AV companies. Because I think it's none of their business what I do with my files on my computer. I just excluded the folder containing my scripts from scanning... Once the scripts are being executed there seems to be no problem.
Thanks for your support. However, I think you might be missing the point of why it's important to report false-positives and are advocating for something that is detrimental to the community. It's not simply or only about you or me. It's about poorly run AV companies and competing parties accidentally or purposely mislabeling the software we use and rely on, which then escalates into problems for AHK users in general.

True, you can probably create an exception for yourself. However, if you use the software in a school, business, work, or give it to friends that is a different situation. Those people using the software might not have:

1) The administrative access to create an exception
2) The technical knowledge to know what to do
3) The confidence to allow the software to run or give it permission based on fears and perceived negative reputation

In addition, being mislabeled as malware tends to have an escalating effect. As has been shown in the past, you can have web browsers, websites that host software, e-mail servers, and public opinion involved. For example, you can have the software on your website mislabeled as malware, and then get unexpectedly blocked by Chrome and Firefox. Allowing AV companies to wrongfully mislabel an entire scripting language can lead to bad surprises at the wrong time and unexpected consequences. Other examples are companies or schools not wanting programs coded in that particular scripting language, due to wrongful negative opinions, thus decreasing opportunities for those that code in that language or negatively affecting the projects they are involved in.

So it's more than just being about only ourselves, it's about the AHK community in general, reputation, public opinion, and proper business practices. Reporting false-positives helps all of us, and acts as a counter-balance to bad actors and AV companies being unscrupulous or involved in bad business practices.

Re: Report False-Positives To Anti-Virus Companies

by slechtwere » 23 Jun 2020, 07:54

Thank you, tank and SOTE. It's nice to have people so attached to their community.
Personally, I don't bother sending false positives to AV companies. Because I think it's none of their business what I do with my files on my computer.
I just excluded the folder containing my scripts from scanning. In my opinion these scripts are more suspicious for them if they are just lurking somewhere, especially in the Start up folder. Once the scripts are being executed there seems to be no problem.

Re: Report False-Positives To Anti-Virus Companies

by Guest » 25 May 2020, 01:34

SOTE wrote:
11 May 2020, 06:49
PIcard_1983 wrote:
11 May 2020, 06:02
Hello, I have been getting the following message for about 2 weeks with Windows Defender. It is a script which I have written with autohotkey.

What can i do?

You should read the 1st post. Other people don't know where you got the file from, know about any strange code that a person might be sending to others, nor have the same issue. The most direct course of action is for you to submit the file to Microsoft. You didn't have to wait for 2 weeks, it's something that you can do immediately.

Microsoft Online Submission for False-Positives: https://www.microsoft.com/en-us/wdsi/filesubmission
Note- Most people will need to select "Home customer" and then "Continue". Will give tracking of Microsoft's decision.
What would be helpful to the community is that you tell us about what version of the AutoHotkey interpreter that you are using, where you got it from, possibly a sample of the script that you wrote that might be causing the issue. This, of course, is up to you as to which or none that you would like to do. Though it would be good to know what Microsoft says about the file you submit.
OK, many thanks. AutoHotkey version: v1.1.32.00

I'll report it to Microsoft. I wrote the script myself. It runs a menu in the taskbar and accesses some file links on different network drives. Nothing more. It's just a support. Let's see what Microsoft says.

Re: Report False-Positives To Anti-Virus Companies

by SOTE » 20 May 2020, 10:42

@hasantr
Good job, Hasantr. It's amazing how low quality the companies being accepted to VirusTotal are. If you can't figure out an open-source scripting language interpreter with all of its source code freely available on GitHub is not malware, then there is something very wrong.

Re: Report False-Positives To Anti-Virus Companies

by hasantr » 19 May 2020, 20:58

An antivirus that has just joined VirusTotal has detected AutoHotkey as harmful.
I reported false positives from this link.
https://www.secureaplus.com/features/antivirus/report-false-positive/

Re: Report False-Positives To Anti-Virus Companies

by hasantr » 19 May 2020, 05:43

I notified MaxSecure, who thought AutoHotkey.exe was harmful, with this mail. They said it would be resolved in the next update.

[email protected]

Re: Report False-Positives To Anti-Virus Companies

by SOTE » 11 May 2020, 06:49

PIcard_1983 wrote:
11 May 2020, 06:02
Hello, I have been getting the following message for about 2 weeks with Windows Defender. It is a script which I have written with autohotkey.

What can i do?
You should read the 1st post. Other people don't know where you got the file from, know about any strange code that a person might be sending to others, nor have the same issue. The most direct course of action is for you to submit the file to Microsoft. You didn't have to wait for 2 weeks, it's something that you can do immediately.

Microsoft Online Submission for False-Positives: https://www.microsoft.com/en-us/wdsi/filesubmission
Note- Most people will need to select "Home customer" and then "Continue". Will give tracking of Microsoft's decision.

What would be helpful to the community is that you tell us about what version of the AutoHotkey interpreter that you are using, where you got it from, possibly a sample of the script that you wrote that might be causing the issue. This, of course, is up to you as to which or none that you would like to do. Though it would be good to know what Microsoft says about the file you submit.

Re: Report False-Positives To Anti-Virus Companies

by gregster » 11 May 2020, 06:23

PIcard_1983 wrote:
11 May 2020, 06:02
What can i do?
If you think it's a false positive (which I would assume, if it wasn't infected unluckily on your computer by some third-party malware), you can report the script to Microsoft, so that they can improve their heuristics. Please see https://www.autohotkey.com/boards/viewtopic.php?f=17&t=62266#p264913 Unfortunately, AHK experiences a lot of problems with false positives.

If you are reasonably sure that it is a false positive, you could create an exception for it in Windows Defender, and start using it again. Whatever you do, act reasonably and at your own risk.

Re: Report False-Positives To Anti-Virus Companies

by PIcard_1983 » 11 May 2020, 06:02

Hello, I have been getting the following message for about 2 weeks with Windows Defender. It is a script which I have written with autohotkey.

See Attachment.
Attachment: False.jpg
What can i do?

Re: Report False-Positives To Anti-Virus Companies

by SOTE » 10 Apr 2020, 16:02

Chrome is not Anti-Virus software. What is usually the case is they are focused on the website or weblink. The website or weblink has been reported as malware or Google's algorithm has determined the website is infected with malware or the weblink is pointing to such. Google's algorithm to determine if your weblink or website is hosting or pointing to malware is partially determined by VirusTotal (also owned by Google). How exactly that Google comes to its conclusions is not exactly known and they keep it a secret from the public.

Keep in mind that a significant number of people might be reporting your software, website, or weblink as bad. To include as a prank, harassment tactic, or out of cluelessness about software. These reports can also be a factor in Google's determination. So you need to be clear about whether or not your software is or isn't malware, and be able to prove your case. Some people are clueless about software. This is on both sides. The author of the program (where the program is having unintended consequences) or those that receive the program (that are making false assumptions or false claims).

If you are a webmaster, you have a few options to dispute such a determination. Though keep in mind that your battle will usually and primarily be with Google, so you must use their website tools (https://developers.google.com/web/fundamentals/security/hacked/use_search_console). If you are not a webmaster and simply providing a link, this gets a bit harder. Below includes some alternatives for battling Google's determinations that might help.

https://www.stopbadware.org/request-review
StopBadware provides a so-called independent review process for your website or weblink to dispute Google's determinations.

https://www.virustotal.com/gui/contact-us
VirusTotal Online contact form. They are owned by Google, but it's possible that the IT personnel that maintain that site can be helpful.
Note: you should choose this option when submitting- My site/file has been improperly flagged as harmful (false positive)

https://safebrowsing.google.com/safebrowsing/report_error/?hl=en
You can report that Google has made a mistake in their determination. It says incorrect phishing warning, but can also be used for false-positives (to include links) and wrongful determinations.

https://support.google.com/chrome/community?hl=en
You might get the attention of Google staff that handle Chrome by posting a complaint, and where others join in to add their similar complaints.

Google Feedback
You can often find it at the bottom of a Google related page that you are on. Often, this is like putting a message in a bottle and throwing it in the ocean, as Google doesn't usually give a direct human response. Often it's more a "feel better" to ventilate anger over Google shenanigans. But, if enough people are complaining about the same things, this does seem to trigger Google algorithms so that eventually a human might look at the group of complaints.

If you are a webmaster, the usual tool to battle Google's determinations is Google Search Console.
https://search.google.com/search-console/about

Re: Report False-Positives To Anti-Virus Companies

by Sam_ » 10 Apr 2020, 09:36

@roysubs
From a quick search, it appears Chrome uses the Google Safe Browsing API to determine if a download or site is malicious. You can read the articles on "Malware and Unwanted Software" and "Security Issues Report"; however, submitting false positive reports doesn't appear to be straightforward.

Re: Report False-Positives To Anti-Virus Companies

by roysubs » 10 Apr 2020, 07:07

Sam_ wrote:
26 Mar 2019, 16:01
More often than not, I have found that AV software tends to complain about compiled AHK scripts when they have been compressed with mpress. Apparently, overzealous AV software sees compressed EXEs as an attempt to hide or obfuscate ("malicious") code, which I find a shame. As a result, I have gone away from allowing the compiler to use mpress. Every now and then I'll still have a user report that some AV program complains about a compiled script (or experience it myself), but it's much more rare.
I'm really curious about that, Sam. Here is my situation: I have a little automation tool that about 100 people are interested in using. Following your advice I use /mpress 0 to stop its compression. I then put it up on my Dropbox for them to download. As soon as they download, Chrome screams at them that this is dangerous software. If they dare to download it, their Anti-Virus (I mean "trusted crapware") screams at them that this is a virus and deletes the file. So now only half of the people dare to use the tool because they think I'm trying to install viruses on their systems :(

Do you not all find the same if you try to distribute a compiled tool using Ahk2Exe? I've even heard there are people on here that have sold AutoHotkey tools as commercial software. I fail to see how, since all of the Anti-VirusCrapware tools go into full tantrum mode and delete-with-prejudice any tools that I try to give to people. Please teach me how to get around this if possible, as it makes distributing AutoHotkey tools depressingly difficult. :(
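The Sam_ quote above says AV heuristics treat an MPress-compressed compiled script as an attempt to hide code, and Janusz's post earlier in the thread notes that Ahk2Exe stores the script inside the compiled .exe. Two static signals that packer heuristics commonly weigh are per-section entropy (compressed or encrypted bytes approach 8 bits per byte, normal machine code sits well below that) and an overlay, i.e. bytes appended after the last PE section. The Python below is an added example written for this thread, not AutoHotkey, Ahk2Exe or any vendor's code, and it does not claim to reproduce any scanner's logic: it parses a PE section table, computes Shannon entropy for each section, and measures the overlay. The PE it scans is constructed in memory (a repeated-byte .text section, a seeded-random .packed section and 64 appended bytes), so it runs offline; the entropy threshold of 7.0 is an assumption chosen for the demonstration. Feeding `analyze()` the bytes of your own build, with and without /mpress 0, shows how differently the two variants score on these signals before you submit one to a vendor.

```python
import math
import random
import struct
from collections import Counter

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")
FILE_ALIGN = 0x200
SECTION_SIZE = 0x1000


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for one repeated value, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes) -> list:
    """Follow MZ -> e_lfanew -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)   # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        fields = SECTION_HEADER.unpack_from(image, table + i * SECTION_HEADER.size)
        sections.append({
            "name": fields[0].rstrip(b"\0").decode("ascii", "replace"),
            "raw_size": fields[3],
            "raw_ptr": fields[4],
        })
    return sections


def analyze(image: bytes, entropy_threshold: float = 7.0) -> dict:
    """Report high-entropy sections and any data appended after the last section."""
    sections = parse_sections(image)
    findings = []
    end_of_sections = 0
    for s in sections:
        raw = image[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        s["entropy"] = shannon_entropy(raw)
        end_of_sections = max(end_of_sections, s["raw_ptr"] + s["raw_size"])
        if s["entropy"] >= entropy_threshold:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f} bits/byte looks compressed or packed")
    overlay_size = len(image) - end_of_sections
    if overlay_size > 0:
        findings.append(f"{overlay_size} bytes appended after the last section (overlay)")
    return {"sections": sections, "overlay_size": overlay_size, "findings": findings}


def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 image (not a real AutoHotkey build): headers padded to
    FILE_ALIGN, a low-entropy .text section, a high-entropy .packed section, optional overlay."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)     # i386, 2 sections, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    text_hdr = SECTION_HEADER.pack(b".text", SECTION_SIZE, 0x1000, SECTION_SIZE,
                                   FILE_ALIGN, 0, 0, 0, 0, 0x60000020)
    packed_hdr = SECTION_HEADER.pack(b".packed", SECTION_SIZE, 0x2000, SECTION_SIZE,
                                     FILE_ALIGN + SECTION_SIZE, 0, 0, 0, 0, 0xC0000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text_hdr + packed_hdr).ljust(FILE_ALIGN, b"\0")
    text = b"\x90" * SECTION_SIZE                                       # repeated byte: entropy 0
    rng = random.Random(1234)                                           # seeded for a reproducible result
    packed = bytes(rng.getrandbits(8) for _ in range(SECTION_SIZE))     # looks like compressed data
    return headers + text + packed + overlay


# Constructed overlay standing in for "something appended after the sections".
SAMPLE_OVERLAY = b"Msgbox Clean\n".ljust(64, b"\0")

if __name__ == "__main__":
    report = analyze(build_sample_pe(SAMPLE_OVERLAY))
    for s in report["sections"]:
        print(f"{s['name']:<8} raw_size={s['raw_size']:#x} entropy={s['entropy']:.2f}")
    print("overlay bytes:", report["overlay_size"])
    for f in report["findings"]:
        print("finding:", f)
```

Neither signal proves anything on its own: legitimate installers carry overlays and legitimately compressed resources have high entropy, which is exactly why a compressed one-line script gets flagged. The value of the check is knowing in advance which of your build settings trip these signals, so the false-positive report you file can say precisely what the scanner reacted to.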

Re: Report False-Positives To Anti-Virus Companies

by margotti » 30 Mar 2020, 10:41

Yeah, these companies have taken a lot of advantage of us.

Re: Report False-Positives To Anti-Virus Companies

by SOTE » 21 Mar 2020, 11:59

lmstearn wrote:
19 Mar 2020, 08:47
Submitted two AHK (v1.1.32.00) files as per clean.zip with a custom icon to VirusTotal that had only one line in each:
Thanks for the report and for submitting. Will be updating the 1st post with vendors not on our list.

Re: Report False-Positives To Anti-Virus Companies

by lmstearn » 19 Mar 2020, 08:47

Submitted two AHK (v1.1.32.00) files as per clean.zip (attached) with a custom icon to VirusTotal that had only one line in each:

Code:

Msgbox Clean
One file was an MPress compilation, the other not.
For some AHK compilations, zipped MPress files were ignored by many vendors; sadly, the above scan doesn't just contain the usual suspects:
  • SecureAge APEX: Malicious
  • CrowdStrike Falcon: Win/malicious_confidence_60% (W)
  • Endgame: Malicious (moderate Confidence)
  • FireEye: Generic.mg.a6f7c4814f82f139
  • MaxSecure: Trojan.Malware.121218.susgen
  • McAfee-GW-Edition: BehavesLike.Win32.Downloader.dh
  • Zillya: Trojan.AutoHK.Win32.477
There are 13 more!
You know, after all these years, I'm convinced the only algorithm used in these virus detection programs is the Einstellung method.
