Report False-Positives To Anti-Virus Companies

Talk about anything
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

09 Jan 2020, 15:15

According to many Internet reports and complaints, Jiangmin seems to ignore all e-mail addresses equally.
jongyun24
Posts: 6
Joined: 18 Dec 2019, 19:13

Re: Report False-Positives To Anti-Virus Companies

10 Jan 2020, 00:40

I' still Send to mail to jiangmin a Week 1~2 Time for False Positive.
Please VirusTotal Kick the Foilish Chinease Vaccine. and One more Send to Total Virus
Luck For Everyone.
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

11 Jan 2020, 20:14

jongyun24 wrote:
10 Jan 2020, 00:40
I' still Send to mail to jiangmin a Week 1~2 Time for False Positive.
and One more Send to Total Virus.
You are doing the correct thing. Hopefully, Jiangmin will respond and remove the false-positive or VirusTotal (Google) will take some action towards Jiangmin for not responding to users or for unreliability.
jongyun24
Posts: 6
Joined: 18 Dec 2019, 19:13

Re: Report False-Positives To Anti-Virus Companies

14 Jan 2020, 19:57

i gonna wait for Virus Total's Return Messsage

Ana Tinoco (VirusTotal)
Jan 13, 6:09 AM PST
Hello,
I have just contacted Jiangmin. I'll keep you informed.
Regards,
Ana Tinoco - VirusTotal - www.virustotal.com
Have you tried the VirusTotal Graph?
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

27 Jan 2020, 04:14

BarberH wrote:
27 Jan 2020, 02:53
Thus their list (for now and because it's not updated) is not as relevant for helping the AHK community combat false-positives. We should not want people submitting to vendors that will not help stop the false-positive problem
This statement is strange and it might be because of the English used, but can you clarify what you mean more?

Based on what I think you might be saying:

1. This list here is updated.
2. The list here reflects major AV companies that will have an impact.
3. People should submit false-positives to AV companies, because it's the only way to get them to update their databases or re-check.
4. Submitting false-positives do make a difference. I've had and seen companies update their databases.
5. You may also need to submit to many companies, not just one. AV companies can be blindly adding signatures or copying from other AV companies, without doing all the needed detailed research. Push-back from users and customers causes them to re-check and verify. Thus a list such as this is important for the AHK community.

In the case of Jiangmin, it's the right move for the AHK community to inform VirusTotal (Google) and have them put some pressure on Jiangmin (or any company doing wrong) to be responsive to users and make corrections about false-positives or VirusTotal admin (or Google the owner) will remove them from the VirusTotal list.
User avatar
lmstearn
Posts: 681
Joined: 11 Aug 2016, 02:32
Contact:

Re: Report False-Positives To Anti-Virus Companies

19 Mar 2020, 08:47

Submitted two AHK (v1.1.32.00) files as per
clean.zip
(709.56 KiB) Downloaded 2025 times
with a custom icon to VirusTotal that had only one line in each:

Code: Select all

Msgbox Clean
One file was an MPress compilation, the other not.
For some AHK compilations, zipped MPress files were ignored by many vendors, sadly, the above scan doesn't just contain the usual suspects:
  • SecureAge APEX: Malicious
  • CrowdStrike Falcon: Win/malicious_confidence_60% (W)
  • Endgame: Malicious (moderate Confidence)
  • FireEye: Generic.mg.a6f7c4814f82f139
  • MaxSecure: Trojan.Malware.121218.susgen
  • McAfee-GW-Edition: BehavesLike.Win32.Downloader.dh
  • Zillya: Trojan.AutoHK.Win32.477
There's 13 more!
You know, after all these years, I'm convinced the only algorithm used in these virus detection programs is the Einstellung method.
:arrow: itros "ylbbub eht tuO kaerB" a ni kcuts m'I pleH
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

21 Mar 2020, 11:59

lmstearn wrote:
19 Mar 2020, 08:47
Submitted two AHK (v1.1.32.00) files as per clean.zip with a custom icon to VirusTotal that had only one line in each:
Thanks for the report and for submitting. Will be updating the 1st post with vendors not on our list.
margotti
Posts: 1
Joined: 30 Mar 2020, 01:03

Re: Report False-Positives To Anti-Virus Companies

30 Mar 2020, 10:41

Yeah these companies have taken a lot of advantage of us
roysubs
Posts: 421
Joined: 29 Sep 2018, 16:37

Re: Report False-Positives To Anti-Virus Companies

10 Apr 2020, 07:07

Sam_ wrote:
26 Mar 2019, 16:01
More often than not, I have found that AV software tends to complain about compiled AHK scripts when they have been compressed with mpress. Apparently, overzealous AV software sees compressed EXEs as an attempt to hide or obfuscate ("malicious") code, which I find a shame. As a result, I have gone away from allowing the compiler to use mpress. Every now and then I'll still have a user report that some AV program complains about a compiled script (or experience it myself), but it's much more rare.
I'm really curious about that Sam? Here is my situation: I have a little automation tool that about 100 people are interested in using. Following your advice I use /mpress 0 to stop it compression. I then put it up on my Dropbox for them to download. As soon as they download, Chrome screams at them that this is dangerous software. If they dare to download it, their Anti-Virus (I mean "trusted crapware") screams at them that this is a virus and deletes the file. So now only half of the people dare to use the tool because they think I'm trying to install viruses on their systems :(

Do you not all find the same if you try to distribute a compiled tool using Ahk2Exe? I've even heard there are people on here that have sold Autohotkey tools as commercial software. I fail to see how since all of the Anti-VirusCrapware tools go into full tantrum mode and delete-with-prejudice any tools that I try to give to people. Please teach me how to get around this if possible as makes distributing Autohotkey tools depressingly difficult. :(
Sam_
Posts: 146
Joined: 20 Mar 2014, 20:24

Re: Report False-Positives To Anti-Virus Companies

10 Apr 2020, 09:36

@roysubs
From a quick search, it appears Chrome uses the Google Safe Browsing API to determine if a download or site is malicious. You can read the articles on "Malware and Unwanted Software" and "Security Issues Report", however, submitting false positive reports doesn't appear to be strait forward.
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

10 Apr 2020, 16:02

Chrome is not Anti-Virus software. What is usually the case is they are focused on the website or weblink. The website or weblink has been reported as malware or Google's algorithm has determined the website is infected with malware or the weblink is pointing to such. Google's algorithm to determine if your weblink or website is hosting or pointing to malware is partially determined by VirusTotal (also owned by Google). How exactly that Google comes to its conclusions is not exactly known and they keep it a secret from the public.

Keep in mind that a significant number of people might be reporting your software, website, or weblink as bad. To include as a prank, harassment tactic, or out of cluelessness about software. These reports can also be a factor in Google's determination. So you need to be clear about whether or not your software is or isn't malware, and be able to prove your case. Some people are clueless about software. This is on both sides. The author of the program (where the program is having unintended consequences) or those that receive the program (that are making false assumptions or false claims).

If you are a webmaster, you have a few options to dispute such a determination. Though keep in mind that your battle will usually and primarily be with Google, so you must use their website tools (https://developers.google.com/web/fundamentals/security/hacked/use_search_console). If you are not a webmaster and simply providing a link, this gets a bit harder. Below includes some alternatives for battling Google's determinations that might help.

https://www.stopbadware.org/request-review
StopBadware provides a so-called independent review process for your website or weblink to dispute Google's determinations.

https://www.virustotal.com/gui/contact-us
VirusTotal Online contact form. They are owned by Google, but it's possible that the IT personnel that maintain that site can be helpful.
Note: you should choose this option when submitting- My site/file has been improperly flagged as harmful (false positive)

https://safebrowsing.google.com/safebrowsing/report_error/?hl=en
You can report that Google has made a mistake in their determination. It says incorrect phishing warning, but can also be used for false-positives (to include links) and wrongful determinations.

https://support.google.com/chrome/community?hl=en
You might get the attention of Google staff that handle Chrome by posting a complaint, and where others join in to add their similar complaints.

Google Feedback
You can often find it at the bottom of a Google related page that you are on. Often, this is like putting a message in a bottle and throwing it in the ocean, as Google doesn't usually give a direct human response. Often it's more a "feel better" to ventilate anger over Google shenanigans. But, if enough people are complaining about the same things, this does seem to trigger Google algorithms so that eventually a human might look at the group of complaints.

If you are a webmaster. The usual tool to battle Google's determinations is Google Search Console.
https://search.google.com/search-console/about
PIcard_1983
Posts: 6
Joined: 13 Nov 2017, 04:18

Re: Report False-Positives To Anti-Virus Companies

11 May 2020, 06:02

Hello, I have been getting the following message for about 2 weeks with Windows Defender. It is a script which I have written with autohotkey.

See Attachment.
False.jpg
False.jpg (22.55 KiB) Viewed 139866 times
What can i do?
gregster
Posts: 8886
Joined: 30 Sep 2013, 06:48

Re: Report False-Positives To Anti-Virus Companies

11 May 2020, 06:23

PIcard_1983 wrote:
11 May 2020, 06:02
What can i do?
If you think it's a false positive (which I would assume, if it wasn't infected unluckily on your computer by some third-party malware), you can report the script to Microsoft, so that they can improve their heuristics. Please see https://www.autohotkey.com/boards/viewtopic.php?f=17&t=62266#p264913 Unfortunately, AHK experiences a lot of problems with false positives.

If you are reasonably sure that it is a false positive, you could create an exception for it in Windows Defender, and start using it again. Whatever you do, act reasonably and at your own risk.
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

11 May 2020, 06:49

PIcard_1983 wrote:
11 May 2020, 06:02
Hello, I have been getting the following message for about 2 weeks with Windows Defender. It is a script which I have written with autohotkey.

What can i do?
You should read the 1st post. Other people don't know where you got the file from, know about any strange code that a person might be sending to others, nor have the same issue. The most direct course of action is for you to submit the file to Microsoft. You didn't have to wait for 2 weeks, it's something that you can do immediately.

Microsoft Online Submission for False-Positives: https://www.microsoft.com/en-us/wdsi/filesubmission
Note- Most people will need to select "Home customer" and then "Continue". Will give tracking of Microsoft's decision.

What would be helpful to the community is that you tell us about what version of the AutoHotkey interpreter that you are using, where you got it from, possibly a sample of the script that you wrote that might be causing the issue. This, of course, is up to you as to which or none that you would like to do. Though it would be good to know what Microsoft says about the file you submit.
hasantr
Posts: 933
Joined: 05 Apr 2016, 14:18
Location: İstanbul

Re: Report False-Positives To Anti-Virus Companies

19 May 2020, 05:43

I notified MaxSecure, who thought Autohotkey.exe was harmful, with this mail. They said it would be resolved in the next update.

[email protected]
hasantr
Posts: 933
Joined: 05 Apr 2016, 14:18
Location: İstanbul

Re: Report False-Positives To Anti-Virus Companies

19 May 2020, 20:58

An antivirus that has just joined VirusTotale has detected Autohotkey as harmful.
I reported False Positives from this link.
https://www.secureaplus.com/features/antivirus/report-false-positive/
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

20 May 2020, 10:42

@hasantr
Good job, Hasantr. It's amazing how low quality the companies being accepted to VirusTotal are. If you can't figure out an open-source scripting language interpreter with all of its source code freely available on GitHub is not malware, then there is something very wrong.
Guest

Re: Report False-Positives To Anti-Virus Companies

25 May 2020, 01:34

SOTE wrote:
11 May 2020, 06:49
PIcard_1983 wrote:
11 May 2020, 06:02
Hello, I have been getting the following message for about 2 weeks with Windows Defender. It is a script which I have written with autohotkey.

What can i do?

You should read the 1st post. Other people don't know where you got the file from, know about any strange code that a person might be sending to others, nor have the same issue. The most direct course of action is for you to submit the file to Microsoft. You didn't have to wait for 2 weeks, it's something that you can do immediately.

Microsoft Online Submission for False-Positives: https://www.microsoft.com/en-us/wdsi/filesubmission
Note- Most people will need to select "Home customer" and then "Continue". Will give tracking of Microsoft's decision.
What would be helpful to the community is that you tell us about what version of the AutoHotkey interpreter that you are using, where you got it from, possibly a sample of the script that you wrote that might be causing the issue. This, of course, is up to you as to which or none that you would like to do. Though it would be good to know what Microsoft says about the file you submit.
Ok, many Thanks. Autohotkey-Version: v1.1.32.00

I'll report it to microsoft. I wrote the script myself. It runs a menu in the taskbar and accesses some file links on different network drives. Nothing more. It's just a support. Let's see what microsoft says.
slechtwere
Posts: 6
Joined: 23 Jun 2020, 05:01

Re: Report False-Positives To Anti-Virus Companies

23 Jun 2020, 07:54

Thank you tank and SOTE. It's nice to have people to be so attached to their community.
Personally, I don't bother sending false positives to AV companies. Because I think it's none of their business what I do with my files on my computer.
I just excluded the folder containing my scripts from scanning. In my opinion these scripts are more suspicious for them if they are just lurking somewhere, especially in the Start up folder. Once the scripts are being executed there seems to be no problem.
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

23 Jun 2020, 15:14

slechtwere wrote:
23 Jun 2020, 07:54
...Personally, I don't bother sending false positives to AV companies. Because I think it's none of their business what I do with my files on my computer. I just excluded the folder containing my scripts from scanning... Once the scripts are being executed there seems to be no problem.
Thanks for your support. However, I think you might be missing the point of why it's important to report false-positives and are advocating for something that is detrimental to the community. It's not simply or only about you or I. It's about poorly run AV companies and competing parties accidentally or purposely mislabeling the software we use and rely on, which then escalates into problems for AHK users in general.

True, you can probably create an exception for yourself. However, if you use the software in a school, business, work, or give it to friends that is a different situation. Those people using the software might not have:

1) The administrative access to create an exception
2) The technical knowledge to know what to do
3) The confidence to allow the software to run or give it permission based on fears and perceived negative reputation

In addition, being mislabeled as malware, tends to have an escalating effect. As has been shown in the past, you can have web browsers, websites that host software, e-mail servers, and public opinion involved. For example, you can have the software on your website mislabeled as malware, and then get unexpectedly blocked by Chrome and Firefox. Allowing AV companies to wrongfully mislabel an entire scripting language can lead to bad surprises at the wrong time and unexpected consequences. Other examples are companies or schools not wanting programs coded in that particular scripting language, due to wrongful negative opinions, thus decreasing opportunities for those that code in that language or negatively affecting the projects they are involved in.

So it's more than just being about only ourselves, it's about the AHK community in general, reputation, public opinion, and proper business practices. Reporting false-positives helps all of us, and acts as a counter-balance to bad actors and AV companies being unscrupulous or involved in bad business practices.

Return to “Off-topic Discussion”

Who is online

Users browsing this forum: No registered users and 34 guests