I appreciate the effort you put in this answer. This keeps the thread alive and other people will read this too.
But it's not for me. You know, i'm a gardener and almost in retirement. Never earned money with programming or scripting. Yes, for some time I had a (small) leading role and worked with pre-defined office templates. If I wanted to change things my boss said I spent to much time for my administrative tasks!
But in the 90's I had an Amstrad (464?) personal computer where you had to load programs on casette or floppy's and if you wanted to make things work personally for you you had to program it in Basic (sure you know this but some youngsters who read this would be amazed). Commands, AHK and Visual Basic, I like to experiment with it only to keep my brain cells active. Creating unimportant programs like generating lottery numbers based on personal dates or names and so... Well, the program works but I'm still not a millionaire!
Report False-Positives To Anti-Virus Companies
-
- Posts: 6
- Joined: 23 Jun 2020, 05:01
Re: Report False-Positives To Anti-Virus Companies
Symantec has identified parts of AutoHotkey_1.1.33.00_setup.exe as malicious based on heuristic rules. I have submitted it to them as a false positive, but now I have corporate Incident Response breathing down my neck (not that I blame them, it's their job to stay on top of any and all potential threats, even tho this doesn't constitute one). Sadly, significant damage to AutoHotkey's reputation has just been done.
-
AVG and Avast are two of the best free anti virus programs out there. I use Avast, because AVG has been known to take up RAM on the computer. Just about everyone that I know that deals with computers uses Avast with Malwarebytes Anti-Malware and Firefox with the AdBlock Plus add-on, No Flash add on and NoScript add-on.
Re: Report False-Positives To Anti-Virus Companies
I personally use Windows Security / Microsoft Defender and MalwareBytes. And addtionally for programs I don't trust, I use Sandboxie.
Windows 10 x64 Professional, Intel i5-8500, NVIDIA GTX 1060 6GB, 2x16GB Kingston FURY Beast - DDR4 3200 MHz | [About Me] | [About the AHK Foundation] | [Courses on AutoHotkey]
[ASPDM - StdLib Distribution] | [Qonsole - Quake-like console emulator] | [LibCon - Autohotkey Console Library]
Re: Report False-Positives To Anti-Virus Companies
I have found out, that politeness, kind pleas and reporting false positives created by The Autohodkey developers is really The only one way how to eliminate false positives.
If some author of compiled .exe will suffer because false positive, it is really necessary to send The .exe file for analysis to The corresponding antivirus laboratory.
There is also other problem.
If some antivirus companies do not think, that The practice, that some programming language is based on The routine, when some code is connected to previously compiled .exe by using Compiler is dangerous because of .exe format potential possible corruption.
But in The cause of Autohodkey, it is not true. Autohodkey have been always compiled by Microsoft Visual studio compiler so machine code and format of .exe file is correct.
If ahk2exe add script inside .exe file, it always knows, where to put The script to prevent .exe file corruption. I also know, that Windows contain many complex condition blocks which are protecting users according corrupted .exe files.
Sure. Because Autohodkey belong to The high level programming languages, some hackers can really use it to make a viruses. But virus can be made also in C, Pascal language and in Assembly language too. Sure. It will always depend on The motivation of The programmer. Programming language is only a development tool which can be used or misused.
Thank all of this community, who are making Autohodkey a more and more efficient language. And Autogui and Autohodkey studio allows many programmers to have many positive experience when developing. I would like to congratulate C programmers of Autohodkey for their complex work. Screen readers have good responsiveness when navigating across Autohodkey apps GUI. Fast responsiveness when browsing editable fields, listboxes and other GUI elements is very important. And memory allocations are very very low, very good programmers job. I will try to code with my sighted mother.
If some author of compiled .exe will suffer because false positive, it is really necessary to send The .exe file for analysis to The corresponding antivirus laboratory.
There is also other problem.
If some antivirus companies do not think, that The practice, that some programming language is based on The routine, when some code is connected to previously compiled .exe by using Compiler is dangerous because of .exe format potential possible corruption.
But in The cause of Autohodkey, it is not true. Autohodkey have been always compiled by Microsoft Visual studio compiler so machine code and format of .exe file is correct.
If ahk2exe add script inside .exe file, it always knows, where to put The script to prevent .exe file corruption. I also know, that Windows contain many complex condition blocks which are protecting users according corrupted .exe files.
Sure. Because Autohodkey belong to The high level programming languages, some hackers can really use it to make a viruses. But virus can be made also in C, Pascal language and in Assembly language too. Sure. It will always depend on The motivation of The programmer. Programming language is only a development tool which can be used or misused.
Thank all of this community, who are making Autohodkey a more and more efficient language. And Autogui and Autohodkey studio allows many programmers to have many positive experience when developing. I would like to congratulate C programmers of Autohodkey for their complex work. Screen readers have good responsiveness when navigating across Autohodkey apps GUI. Fast responsiveness when browsing editable fields, listboxes and other GUI elements is very important. And memory allocations are very very low, very good programmers job. I will try to code with my sighted mother.
Re: Report False-Positives To Anti-Virus Companies
My first post - I hope is the right place to report a new detection of Trojan.Stealer.BC in Autohotkey.
I installed Autohotkey 1.1.33.09 in early August, my first download of Autohotkey.
Windows Security detected no problems on my PC. Malwarebytes Premium also finds no problems.
But when I ran a free version of Spyhunter5. It reported Trojan.Stealer.BC in 3 files in the Autohotkey compiler folder (C:\Program Files\AutoHotkey\Compiler), specifically Ahk2Exe.exe, ANSI 32-bit.bin, and Unicode 32-bit.bin
In discussion with Malwarebytes, I checked at virustotal.com, which says that 5 or 6 security vendors (out of 30 or so) have flagged these files as malicious. These other security vendors did not report detections.
Malwarebytes points out that there appear to be a lot of false positives reported at Autohotkey Forum.
I see a lot of assertions that similar detections are false positives, but how can I be sure?
Regards
Andy
I installed Autohotkey 1.1.33.09 in early August, my first download of Autohotkey.
Windows Security detected no problems on my PC. Malwarebytes Premium also finds no problems.
But when I ran a free version of Spyhunter5. It reported Trojan.Stealer.BC in 3 files in the Autohotkey compiler folder (C:\Program Files\AutoHotkey\Compiler), specifically Ahk2Exe.exe, ANSI 32-bit.bin, and Unicode 32-bit.bin
In discussion with Malwarebytes, I checked at virustotal.com, which says that 5 or 6 security vendors (out of 30 or so) have flagged these files as malicious. These other security vendors did not report detections.
Malwarebytes points out that there appear to be a lot of false positives reported at Autohotkey Forum.
I see a lot of assertions that similar detections are false positives, but how can I be sure?
Regards
Andy
Re: Report False-Positives To Anti-Virus Companies
feel free to look at the source code
We are troubled on every side‚ yet not distressed; we are perplexed‚
but not in despair; Persecuted‚ but not forsaken; cast down‚ but not destroyed;
Telegram is the best way to reach me
https://t.me/ttnnkkrr
If you have forum suggestions please submit a
Check Out WebWriter
but not in despair; Persecuted‚ but not forsaken; cast down‚ but not destroyed;
Telegram is the best way to reach me
https://t.me/ttnnkkrr
If you have forum suggestions please submit a
Check Out WebWriter
Re: Report False-Positives To Anti-Virus Companies
I could do that, but I'm probably the wrong person - I would not know what to look for.feel free to look at the source code
I was naively wondering why AHK is the source of so many false positives, but it may be just the nature of the tool - it's just so easy to write a script that causes an innocent keystroke to send a seriously damaging command.
I am now retired, but my previous working life I was in risk management where a well-known mantra is: Prevent, Detect, Control, Mitigate, in that order. One prevention action might be submission of source code (and/or files such as ahk2exe) to security vendors for test and whitelisting. Are there any other actions that could potentially prevent AHK being the source of so many false positives?
Regards
Andy
Re: Report False-Positives To Anti-Virus Companies
i believe that answer is to your question
Antivirus companies have one goal, sell to more users, and its worse for them to let a virus through than to block some benign code that they haven't analyzed more than heuristically (and there aren't enough users to complain about)
Sad but true, I've been fighting it for over a decade with EitherMouse (well ignoring it the last half of the decade because I couldn't get anywhere to prevent it.)
looking at the source code is the only way to be sure, otherwise you're trusting the code/script or you're trusting someone else... author, antivirus vendor, etc.how can I be sure?
Antivirus companies have one goal, sell to more users, and its worse for them to let a virus through than to block some benign code that they haven't analyzed more than heuristically (and there aren't enough users to complain about)
Sad but true, I've been fighting it for over a decade with EitherMouse (well ignoring it the last half of the decade because I couldn't get anywhere to prevent it.)
EitherMouse - Multiple mice, individual settings . . . . www.EitherMouse.com . . . . forum . . . .
Re: Report False-Positives To Anti-Virus Companies
Andy,
It is the makers of SpyHunter 5 who should have experts examining the clear and open source code of AutoHotkey to determine if there is a trojan in it. That AutoHotkey is open-source and thus its code is viewable, should already be a clue about certain companies pulling shenanigans. Various unethical Anti-Virus companies are trying to play customers for fools, by pretending their software is more effective than it really is or by using scare tactics. It will pretend to find all kinds of "trojans" and "malware" to scare customers that don't know any better into giving them money.
You should report the false-positive, give them a link to the source, and demand they not engage in such behavior or change any mistakes that they made.
The company that makes SpyHunter 5 is EnigmaSoft. Unless the person bought the product, it's not clear how to contact their help desk or report false positives (not a promising sign of the company's practices). However, you should be able to contact the company with the link below.
https://www.enigmasoftware.com/about-us/inquiries-feedback/
(EnigmaSoft Inquiries and Feedback)
If you get a false-positive result from a submission to VirusTotal, you can contact them too about those Anti-Virus companies, to help them select those companies that meet a high ethical and business standard and get rid of the bad ones listed on their site. Let them know your opinions and about false-positives.silentway wrote: One prevention action might be submission of source code (and/or files such as ahk2exe) to security vendors for test and whitelisting. Are there any other actions that could potentially prevent AHK being the source of so many false positives?
https://www.virustotal.com/gui/contact-us/technical-support
(Contact VirusTotal)
-
- Posts: 1472
- Joined: 05 May 2018, 12:23
Re: Report False-Positives To Anti-Virus Companies
even with a cert, an exe will have to build up reputation for it not to be flagged by defender etc. The minute you make changes you are back to square one.
Re: Report False-Positives To Anti-Virus Companies
yeah, naah
we need to setup a banner with a $1/day donation goal jimmy wales style
we need to setup a banner with a $1/day donation goal jimmy wales style
Re: Report False-Positives To Anti-Virus Companies
So we've actually racked up enough to pay for an EV cert, but after discussing with Lexikos. We are not pursuing EV cert for similar reasons to Notepad++. So in a similar fashion, checksums/Hash are posted when new versions are released.
Windows 10 x64 Professional, Intel i5-8500, NVIDIA GTX 1060 6GB, 2x16GB Kingston FURY Beast - DDR4 3200 MHz | [About Me] | [About the AHK Foundation] | [Courses on AutoHotkey]
[ASPDM - StdLib Distribution] | [Qonsole - Quake-like console emulator] | [LibCon - Autohotkey Console Library]
Re: Report False-Positives To Anti-Virus Companies
Have recently come across some false-positive issues with McAfee and their scanners in regards to AutoHotkey_L and AutoHotkey_H.
Found you can give information about disputed files through the Internet to McAfee, in addition to e-mailing them (see 1st post for their e-mail address).
Link below, and will update the 1st post.
https://www.mcafee.com/enterprise/en-us/threat-center/detection-dispute-form.html?region=us
(McAfee Detection Dispute Submission Form)
Found you can give information about disputed files through the Internet to McAfee, in addition to e-mailing them (see 1st post for their e-mail address).
Link below, and will update the 1st post.
https://www.mcafee.com/enterprise/en-us/threat-center/detection-dispute-form.html?region=us
(McAfee Detection Dispute Submission Form)
Re: Report False-Positives To Anti-Virus Companies
Cool
Windows 10 x64 Professional, Intel i5-8500, NVIDIA GTX 1060 6GB, 2x16GB Kingston FURY Beast - DDR4 3200 MHz | [About Me] | [About the AHK Foundation] | [Courses on AutoHotkey]
[ASPDM - StdLib Distribution] | [Qonsole - Quake-like console emulator] | [LibCon - Autohotkey Console Library]
Re: Report False-Positives To Anti-Virus Companies
McAfee also has another layer where developers having problems with false-positive detections can go. You have to e-mail datasubmission[at]mcafee.com, then they will provide the link where you can upload files to their False Submission site. Supposedly, the files will be part of a test rig, in which future databases are testing against.
-
- Posts: 3
- Joined: 19 Aug 2020, 14:53
Re: Report False-Positives To Anti-Virus Companies
I started working in a new company and of course one of the first things I installed was Autohotkey.
The installation finished successfully, however trying to run AutoHotkey.exe I am getting a CrowdStrike Falcon Sensor error:
A process was blocked because malicious behavior was detected.
Any idea why they identify AHK as malicious and what can be done about it?
The installation finished successfully, however trying to run AutoHotkey.exe I am getting a CrowdStrike Falcon Sensor error:
A process was blocked because malicious behavior was detected.
Any idea why they identify AHK as malicious and what can be done about it?
Re: Report False-Positives To Anti-Virus Companies
Info on how to contact CrowdStrike is on the first page and post.tomerstern wrote: ↑27 Jul 2022, 02:19...The installation finished successfully, however trying to run AutoHotkey.exe I am getting a CrowdStrike Falcon Sensor error:
A process was blocked because malicious behavior was detected.
...what can be done about it?
This is a bit complicated, but in looking at it, I think the main factors seem to be: laziness, ignorance, sales tactics, and competitors. On the first two, if a company takes the time to do the professional research into AHK, they will see its an open-source interpreted language, and develop the ability to distinguish when programs of the language are doing something nefarious versus the wholesale smearing of a scripting language. It would be unacceptable, ridiculous, and unprofessional for an antivirus company to mark say any .js or .bat as malware. This would be a disservice to their customers and the public. This goes for any widely known scripting language, particularly open-source ones. The quality and professionalism surrounding the antivirus product is important.Any idea why they identify AHK as malicious...
As to the last ones, there can be those that are trying to "game the system" by using underhanded and unethical tactics. This can be by the company itself (trying to trick customers that their product is more effective than actually is) or 3rd parties that are trying to harm their competition (which can include filing knowingly false reports). This can only be countered by customers reporting false-positives and holding antivirus companies accountable. The public and customers have to make sure that the databases of such companies are valid and to persuade them that it needs to be looked at both carefully and constructed in a professional manner.
Return to “Off-topic Discussion”
Who is online
Users browsing this forum: No registered users and 39 guests