Report False-Positives To Anti-Virus Companies
Re: Report False-Positives To Anti-Virus Companies
09/04/2022 - It looks like a recent update to Windows Defender is causing issues, with multiple reports across the interwebs; I'm being advised that my scripts are infected with Win32/Hive.ZY. The scripts still run, and they are clean.
More https://www.bleepingcomputer.com/forums/t/776703/behaviorwin32hivezy-being-detected-by-windows-defender-every-few-minutes/
So much universe, and so little time. GNU Sir Terry.
Re: Report False-Positives To Anti-Virus Companies
Yep, I am aware of that; I was simply highlighting it so that other users wouldn't report it as an FP, as it's Defender that's broken in this instance, and not an FP.
Cheers
Dödel
Re: Report False-Positives To Anti-Virus Companies
Another false-positive report to me...
I've instructed the users to report it to the AV at their convenience.
https://www.virustotal.com/gui/file/7350f50c3fc022d217821e6f416497820e6216a714c5ee859af1f36be9b740d7
https://www.autohotkey.com/download/1.1/AutoHotkey_1.1.34.04_setup.exe.sha256
Windows 10 x64 Professional, Intel i5-8500, NVIDIA GTX 1060 6GB, 2x16GB Kingston FURY Beast - DDR4 3200 MHz | [About Me] | [About the AHK Foundation] | [Courses on AutoHotkey]
[ASPDM - StdLib Distribution] | [Qonsole - Quake-like console emulator] | [LibCon - Autohotkey Console Library]
Re: Report False-Positives To Anti-Virus Companies
I mean, it says Report "False-Positives", but this is clearly malware from your Download Current Version button https://i.imgur.com/GhGQpgS.png
I was on a virtual machine because I always check for malware, rootkits, etc. when installing new software.
Virus Total Report
https://www.virustotal.com/gui/file/3938ddd994af3394fa5022b2af93f3a46598f40d5aaed3ca4f9bdd7292e83292
https://i.imgur.com/fuyBZYV.png
Re: Report False-Positives To Anti-Virus Companies
TeveL wrote: ↑12 Dec 2022, 14:13
I mean, it says Report "False-Positives", but this is clearly malware from your Download Current Version button https://i.imgur.com/GhGQpgS.png
How did you determine that without submitting the file to the antivirus vendors in order to let them check thoroughly? False positives are very common for AHK (and not only for AHK), often based on flawed or oversimplified heuristics.
Afaik, 5 false positives are not totally untypical for a relatively new version of AHK. Usually that number goes down for a specific version after a while - when the antivirus vendors adjust and correct their mistakes. (From experience I would suppose that those listed are not all high quality search engines.)
PS:
It looks like your posted report is specifically about the compiler AHK2Exe. Afaik, this is open source (written itself in AHK) and available on github. So you can thoroughly check its contents and might be able to compile it yourself (you can also look up the corresponding topic on these forums and ask there about it). Btw, AHK scripts can also be used uncompiled; using AHK2Exe is optional.
You could even compile AHK yourself (from C++), if you prefer. It's also open source.
Re: Report False-Positives To Anti-Virus Companies
The folks that develop the files should submit them to the various antivirus vendors that are saying the files are malicious.
Re: Report False-Positives To Anti-Virus Companies
winbatchguru wrote: ↑28 Jan 2023, 23:44
The folks that develop the files should submit them to the various antivirus vendors that are saying the files are malicious.
Yes, there is something to be said about being proactive. However, the antivirus vendors can be a bit tricky too, as they have various processes or make seemingly arbitrary decisions. In general, we can all help by submitting also. The more people keeping an eye on and informing antivirus vendors about errors and false positives, the better the outcomes.
Re: Report False-Positives To Anti-Virus Companies
I've never seen this before. I'm pretty confident it's a false positive, but any thoughts on exactly what on the page AVG had an issue with?
Re: Report False-Positives To Anti-Virus Companies
I wanted to install v2, but our security team sent me this report.
Re: Report False-Positives To Anti-Virus Companies
idk, Windows Defender doesn't allow .exe files but allows .ahk for some reason
Re: Report False-Positives To Anti-Virus Companies
Hi folks
I am both new to AHK and this forum - it is a great place to be, get help and learn. Thank you very much.
Now: I would very much like to install the software, but I am not a coder, nor a tekkie person at all. I use software, a lot of it, I know my way around - but of course, I cannot judge VirusTotal reports, so I usually go by the guideline "All must be green and well".
So I downloaded today
1. AutoHotkey_2.0.3_setup.exe (from here)
11 security vendors and no sandboxes flagged this file as malicious
https://www.virustotal.com/gui/file/a32362b2769cb3cd8caa10722c50208b7170fe82d3663e85425df416422b4d22
2. AutoHotkey_2.0.3.zip (from here)
3 security vendors and no sandboxes flagged this file as malicious
https://www.virustotal.com/gui/file/2f0c37c4e38eb50f7b40deab672f724ea4e3edbea0384406a3778b867cda5da9
3. autohotkey_1.1.37.00_setup.exe (from Heise)
5 security vendors and no sandboxes flagged this file as malicious
https://www.virustotal.com/gui/file/e16e14a5902618298c24b6b6a2503d83d435bd647dcbdc2a20fa5f7285c57168
Over the last few days I've downloaded (1.) several times and checked it; the warnings now have gone up to 11.
Checking these files locally gives them a clean bill of health.
Please help!
Re: Report False-Positives To Anti-Virus Companies
Just to add, I got an installation error as well for 1.1.37.00, due to it being blocked by Windows Security.
Re: Report False-Positives To Anti-Virus Companies
These are both relatively fresh releases - a higher number of false positives is not unusual with those. You can help to report false-positives to the AV companies.
You can read how to do this in the first post of this topic.
From our FAQ:
https://www.autohotkey.com/docs/v1/FAQ.htm#Virus wrote:
Although it is certainly possible that the file has been infected, most often these alerts are false positives, meaning that the antivirus program is mistaken. One common suggestion is to upload the file to an online service such as virustotal or Jotti and see what other antivirus programs have to say. If in doubt, you could send the file to the vendor of your antivirus software for confirmation. This might also help us and other AutoHotkey users, as the vendor may confirm it is a false positive and fix their product to play nice with AutoHotkey. [...]
Re: Report False-Positives To Anti-Virus Companies
But I do not have the qualifications to determine if these are false positives. I can't report to anyone, "These are false positives". That can only be done by someone who has the expertise and has done the necessary testing and investigation.
I am a simple end user.
I use VirusTotal and Jotti to have an extra layer of protection against malware. I download supposedly "virus checked" software from "heise" and find that sometimes VirusTotal, sometimes Jotti, sometimes both give warnings, while my local virus check gives the green light. These inconsistencies worry me.
FAQ wrote:
If in doubt, you could send the file to the vendor of your antivirus software for confirmation.
Well, my antivirus software provider doesn't find any bug in your software, but VirusTotal and Jotti do.
Why are there no pgp signatures for the software, so that we can at least be sure that we are getting what you are offering? Or "hashes" (md5, sh???).
Do I think you are offering malware infected software?
No, of course not. But as a layman, do I know what happens during the download?
Re: Report False-Positives To Anti-Virus Companies
That's the point. If it's a false positive, only the false-positive-issuing company can correct their assessment. If they never get asked, they might never check again (some bad ones might ignore you anyway). The point of reporting false-positives is to ask those companies to re-evaluate their results (and to correct them, if they were wrong) - no one else can check their (often purely "heuristic") results, because they won't tell us their business secrets. Some of those companies will give you feedback about your request... and even correct their initial results.
Quote:
I am a simple end user.
We are all volunteers here, members of the same community. Currently, except lexikos and a few minor contributors to the open source code (which you could inspect, if you like, or compile yourself), we are all just simple end users of AHK. If you want something done (like a smaller amount of false positives), why not contribute yourself by trying to improve the virustotal ratings?
Quote:
Why are there no pgp signatures for the software, so that we can at least be sure that we are getting what you are offering? Or "hashes" (md5, sh???).
There are SHA256 hashes, for example you can look at our github release channel or the individual version announcements (which also contain hashes for the zip-versions): viewforum.php?f=24
Re: Report False-Positives To Anti-Virus Companies
Quote:
That's the point. If it's a false positive, only the false-positive-issuing company can correct their assessment. If they never get asked, they might never check again. The point of reporting false-positives is to ask those companies to re-evaluate their results (and to correct them) - no one else can check their results, because they won't tell us their business secrets. Some of those companies will give you feedback about your request.
Let me see if I understand you correctly: I contact Virustotal, tell them neither Jotti nor my local antimalware program have found any issue, and would they please recheck? Or do I contact each and every viruschecker individually?
Quote:
There are SHA256 hashes, for example you can look at our github release channel or the individual version announcements (which also contain hashes for the zip-versions): viewforum.php?f=24
Yes, there are. Checked my downloads - happy to report, they checked out!
Thanks for your time.
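As an added example, not code from this thread or from the AutoHotkey project: a small Python script that performs the hash check discussed in the last two posts, comparing a downloaded installer against a published .sha256 file such as the one linked earlier. It assumes the sidecar uses the common sha256sum layout (digest, optionally followed by the file name); the file names in the demo are constructed placeholders.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file in chunks so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_sha256_sidecar(text):
    """Return (digest, filename or None) from the first non-empty line. Accepts a bare
    digest or the sha256sum layout 'DIGEST  name' / 'DIGEST *name' (an assumption)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        digest = parts[0].lower()
        if len(digest) != 64 or not all(c in "0123456789abcdef" for c in digest):
            raise ValueError("not a SHA-256 hex digest: %r" % parts[0])
        name = parts[1].strip().lstrip("*") if len(parts) > 1 else None
        return digest, name
    raise ValueError("empty .sha256 file")

def verify_download(file_path, sidecar_path):
    """True only if the downloaded file's SHA-256 equals the published digest."""
    with open(sidecar_path, "r", encoding="utf-8") as f:
        expected, expected_name = parse_sha256_sidecar(f.read())
    if expected_name and os.path.basename(expected_name) != os.path.basename(file_path):
        print("warning: sidecar names %r, but checking %r" % (expected_name, file_path))
    # compare_digest: constant-time comparison, no early exit on the first mismatch
    return hmac.compare_digest(sha256_of_file(file_path), expected)

def demo():
    """Constructed sample: b'abc' has the well-known SHA-256 ba7816bf...f20015ad."""
    good = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    with tempfile.TemporaryDirectory() as d:
        exe, sidecar = os.path.join(d, "setup.exe"), os.path.join(d, "setup.exe.sha256")
        with open(sidecar, "w") as f:
            f.write(good.upper() + " *setup.exe\n")   # mixed case, sha256sum style
        with open(exe, "wb") as f:
            f.write(b"abc")
        intact = verify_download(exe, sidecar)
        with open(exe, "ab") as f:
            f.write(b"\x00")                          # simulate a corrupted download
        return intact, verify_download(exe, sidecar)
```

A matching hash only proves the download is the file the publisher described; it says nothing about whether an antivirus verdict on that file is right or wrong.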