Report False-Positives To Anti-Virus Companies

WeedTrek
Posts: 75
Joined: 22 Mar 2019, 14:29
Location: Cache Creek BC Canada

Re: Report False-Positives To Anti-Virus Companies

26 Mar 2019, 17:40

thanks for this, AVG always says "whoa hold on there might be bad stuffs and the boogeyman in there, let me think you're under virus attack for the next 30 seconds" while I grind my teeth and shake my fist at the mainstream corporate elites who would only serve Gates-friendly DARPA software to the vaccinated masses.
My Weed Trek video archive: http://weedtrek.ca
Tigerlily
Posts: 377
Joined: 04 Oct 2018, 22:31

Re: Report False-Positives To Anti-Virus Companies

26 Mar 2019, 18:49

Sam_ wrote:
26 Mar 2019, 16:01
More often than not, I have found that AV software tends to complain about compiled AHK scripts when they have been compressed with mpress. Apparently, overzealous AV software sees compressed EXEs as an attempt to hide or obfuscate ("malicious") code, which I find a shame. As a result, I have gone away from allowing the compiler to use mpress. Every now and then I'll still have a user report that some AV program complains about a compiled script (or experience it myself), but it's much more rare.
Sam_, I've experienced the same things, and chose to now compile without MPRESS too.
-TL
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

26 Mar 2019, 18:56

Sam_ wrote:
26 Mar 2019, 16:01
More often than not, I have found that AV software tends to complain about compiled AHK scripts when they have been compressed with mpress. Apparently, overzealous AV software sees compressed EXEs as an attempt to hide or obfuscate ("malicious") code, which I find a shame. As a result, I have gone away from allowing the compiler to use mpress. Every now and then I'll still have a user report that some AV program complains about a compiled script (or experience it myself), but it's much more rare.
Part of the reason why MPRESS creates issues with Anti-Virus vendors is that many don't have an unpacker for it, whereas with UPX the Anti-Virus companies' software can usually unpack and inspect the contents. Use of any "exotic" or unknown packer is more likely to trigger Anti-Virus software. You might want to see whether UPX causes you issues, or consider not using a packer.
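An added example, not from this thread or from the AutoHotkey project: a small Python check that parses only the PE headers of a compiled script and reports whether the section table carries the names UPX or MPRESS leave behind, so you can tell which packer a build used before deciding whether to repack or submit a false-positive report. The sample PE headers are constructed inline and are header-only skeletons, not runnable binaries.

```python
import struct
from typing import List, Optional

# Section names the two packers discussed above are known to leave in the
# section table (well-known values, not a complete packer signature database).
PACKER_SECTIONS = {
    b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
    b".MPRESS1": "MPRESS", b".MPRESS2": "MPRESS",
}

def pe_section_names(data: bytes) -> List[bytes]:
    """Parse only the DOS/COFF headers of a PE file and return its section names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    if len(data) < coff + 20:
        raise ValueError("truncated COFF header")
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16 (20 bytes total)
    num_sections, opt_size = struct.unpack_from("<2xH12xH2x", data, coff)
    table = coff + 20 + opt_size          # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + 40 * i              # each IMAGE_SECTION_HEADER is 40 bytes
        raw = data[off:off + 8]           # Name is the first 8 bytes, NUL padded
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0"))
    return names

def detect_packer(data: bytes) -> Optional[str]:
    """Return the packer name if a known packer section is present, else None."""
    for name in pe_section_names(data):
        if name in PACKER_SECTIONS:
            return PACKER_SECTIONS[name]
    return None

def build_pe_headers(section_names: List[bytes]) -> bytes:
    """Constructed sample input: a header-only PE skeleton (not a runnable binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table

if __name__ == "__main__":
    for secs in ([b".text", b".rdata"], [b"UPX0", b"UPX1"], [b".MPRESS1", b".MPRESS2"]):
        print(secs, "->", detect_packer(build_pe_headers(secs)))
```

To check a real build, read the .exe with `open(path, "rb").read()` and pass the bytes to `detect_packer`; a result of None only means neither of these two packers' section names is present.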
robodesign
Posts: 932
Joined: 30 Sep 2017, 03:59
Location: Romania

Re: Report False-Positives To Anti-Virus Companies

31 Mar 2019, 07:00

I never used MPress and I still had false positives for KeyPress OSD with no packer. However I started using the UPX packer.

In my tests, some months ago... it did not make a difference, I get the same amount of false positives with UPX or without.

Best regards, Marius.
-------------------------
KeyPress OSD v4: GitHub or forum. (presentation video)
Quick Picto Viewer: GitHub or forum.
AHK GDI+ expanded / compilation library (on GitHub)
My home page.
Grumpy IT Guy
Posts: 1
Joined: 03 Apr 2019, 03:07

Re: Report False-Positives To Anti-Virus Companies

03 Apr 2019, 03:12

I write a bunch of scripts for my work and Sophos has recently started blocking most of them, which is causing REAL grief.

On checking the actual Autohotkey install file (latest version) it also flags up as malware and won't even install it properly.

Any thoughts? Is this likely to be something changed by AHK or should I just submit it?

Edit: A very simple script of about 10 lines converted to an exe with AHK now shows up more than 11 threats on VirusTotal - this is just 1 example and is probably not worth the time it would take to submit all these false positive claims :/
I would have to consider stopping using AHK altogether which is a massive pain and a real shame.

Edit 2: With further testing, I have discovered that using Ansi 32 bit conversion and Impress compression seems to get around Sophos, however VirusTotal still finds 8 problems with it.
Last edited by Grumpy IT Guy on 03 Apr 2019, 06:13, edited 1 time in total.
Tigerlily
Posts: 377
Joined: 04 Oct 2018, 22:31

Re: Report False-Positives To Anti-Virus Companies

03 Apr 2019, 06:10

Grumpy IT Guy wrote:
03 Apr 2019, 03:12
I write a bunch of scripts for my work and Sophos has recently started blocking most of them, which is causing REAL grief.

On checking the actual Autohotkey install file (latest version) it also flags up as malware and won't even install it properly.

Any thoughts? Is this likely to be something changed by AHK or should I just submit it?

Edit: A very simple script of about 10 lines converted to an exe with AHK now shows up more than 11 threats on VirusTotal - this is just 1 example and is probably not worth the time it would take to submit all these false positive claims :/
I would have to consider stopping using AHK altogether which is a massive pain and a real shame.
My work computer flags compiled ahk scripts as a few different types of malware because of my Windows Defender AV. It also won't let me download certain installers which I'm certain are safe. Some AVs will flag more or fewer threats. As always, do your due diligence to ensure there is no other malicious activity in your system. If you got it directly from this site, then it will be a safe false-positive.

It's important to submit as many false positive claims about this issue as possible across as many AV companies, so it shows that AHK has a safe community. Due to the nature of AHK being able to efficiently automate complex systems, mixed with some bad people using AHK for nefarious purposes, it has gained some bad reputation within the online space that we hope to change.
-TL
gwarble
Posts: 524
Joined: 30 Sep 2013, 15:01

Re: Report False-Positives To Anti-Virus Companies

03 Apr 2019, 08:49

I also haven't used mpress (or upx) since like 2010, and still get false positives all the time on compiled scripts, so it may help but it is not a total solution. Some older versions (and simpler scripts) get 1 or 2 FPs on VirusTotal; some newer compiled ahk versions (and more complex, "invasive" but functional scripts) get up to 11 false positives at the moment.

I also have major problems with "Microsoft Security Essentials" (which is effectively the same as Defender afaik) and programs I run and distribute throughout my workplace, even when explicitly permitted. Even though I don't bother with reporting users' complaints about false positives for EitherMouse anymore, I've started submitting my own internal company programs to Microsoft just so they stop getting deleted.
EitherMouse - Multiple mice, individual settings . . . . www.EitherMouse.com . . . . forum . . . .
Tigerlily
Posts: 377
Joined: 04 Oct 2018, 22:31

Re: Report False-Positives To Anti-Virus Companies

03 Apr 2019, 10:00

Yeah, hopefully at some point the ratio of false positives from AHK programs will hit a threshold that they can deem it safe. Not sure if that's what will happen though.

And yes, not using MPRESS doesn't fix the false-positive flagging issue, however it does seem to slip under the radar more frequently for some AVs than when used.
-TL
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

14 Apr 2019, 04:54

gwarble wrote:
03 Apr 2019, 08:49
I also haven't used mpress (or upx) since like 2010, and still get false positives all the time on compiled scripts, so it may help but it is not a total solution. Some older versions (and simpler scripts) get 1 or 2 FPs on VirusTotal; some newer compiled ahk versions (and more complex, "invasive" but functional scripts) get up to 11 false positives at the moment.

I also have major problems with "Microsoft Security Essentials" (which is effectively the same as Defender afaik) and programs I run and distribute throughout my workplace, even when explicitly permitted. Even though I don't bother with reporting users' complaints about false positives for EitherMouse anymore, I've started submitting my own internal company programs to Microsoft just so they stop getting deleted.
Some good points.

And we have to stay on these Anti-Virus companies, because arguably a lot of this drama is about laziness. High-level programmers working at these Anti-Virus companies should have a much easier time analyzing an open-source interpreted scripting language, in comparison to traditionally compiled languages or closed source, to determine if there is really a threat. There are a number of ways for them to see the script, even when "bound" to the open-source executable. There is just no excuse for the silliness that is taking place, or for out-of-control heuristic scanners labeling anything as a threat.
Sam_
Posts: 146
Joined: 20 Mar 2014, 20:24

Re: Report False-Positives To Anti-Virus Companies

18 Apr 2019, 06:02

RachelKieran wrote:
17 Apr 2019, 06:10
Antiviruses generally make the PC performance low, and sometimes they even send viruses to your computer if you do not purchase the premium version of many software.
Please cite your sources. I'm interested to know where you are getting this information.
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

23 Apr 2019, 01:29

mariafox wrote:
23 Apr 2019, 00:52
Thank God that McAfee is not included in the above list; this is the best antivirus ever because of its better performance & response. The good thing is there is no false detection form available.
What are you talking about? McAfee has a false-positive procedure, where you inform them by e-mail, and they are included.
gregster
Posts: 8886
Joined: 30 Sep 2013, 06:48

Re: Report False-Positives To Anti-Virus Companies

23 Apr 2019, 09:57

SOTE wrote:
23 Apr 2019, 01:29
What are you talking about? McAfee has a false-positive procedure, where you inform them by e-mail, and they are included.
"Rachel" and "Maria" are both accounts that have connections to the same company (you can find it in their account details, see under "Website"). Other accounts with the same affiliation also made strange posts before and - from time to time - dropped a link or two (and some have been banned, iirc). They don't seem to be bots, but I strongly suspect that they mainly contribute something in order to advertise casually later and not because they have any real interest in the subject.

@mariafox and @RachelKieran, do you mind elaborating on your strange posts here, or are you ok with permanently closing your accounts?
nnnik
Posts: 4500
Joined: 30 Sep 2013, 01:01
Location: Germany

Re: Report False-Positives To Anti-Virus Companies

23 Apr 2019, 11:09

They are spam bots. Quite good ones too. Took us quite long to notice this.
Recommends AHK Studio
chrispeddler
Posts: 3
Joined: 10 May 2019, 04:30

Re: Report False-Positives To Anti-Virus Companies

20 May 2019, 21:54

Thank you for the info. Will take note of this.
jongyun24
Posts: 6
Joined: 18 Dec 2019, 19:13

Re: Report False-Positives To Anti-Virus Companies

18 Dec 2019, 19:30

* Bkav [W32.AIDetectVM.malware1]
https://www.bkav.com/contact-us

* Jiangmin [Trojan.MSIL.npxv]
Virus Lab:
Virus sample report email: [email protected]
White list report email: [email protected]
Sample exchange email: [email protected]
Website cooperation and content correction:
Phone: (010) 82511166 Email: [email protected]

Please fix that false positive!

▼ that's Fix it
* Antiy-AVL [Trojan/Win32.Wofith]
https://www.antiy.net/contacts/
False Positive
Email: [email protected]
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

19 Dec 2019, 05:31

jongyun24 wrote:
18 Dec 2019, 19:30
* Bkav [W32.AIDetectVM.malware1]

* Jiangmin [Trojan.MSIL.npxv]

* Antiy-AVL [Trojan/Win32.Wofith]
Thanks. List updated, see 1st post.

The AutoHotkey community must always stay vigilant. Google (VirusTotal owner) continues to make many agreements with Anti-Virus companies from all over the world, who have questionable practices in updating their databases and research. So it's also up to users to help and inform them when they are wrong.
jongyun24
Posts: 6
Joined: 18 Dec 2019, 19:13

Re: Report False-Positives To Anti-Virus Companies

25 Dec 2019, 19:38

For "AutoHotkey_1.1.32.00_setup.exe"

New guys:
● Rising Antivirus [[email protected] (RDML:8rBbJKRRbqbCJoUDGXKe6w)]
Report the false positive files from here: mailcenter.rising.com.cn/filecheck_en/
*False positive inquiry numbers: RS20191226084524270124, RS20200107141947700674

● Still a [false positive]: ☞ Jiangmin [Trojan.MSIL.npxv]
- Every mail gets blocked... I tried Google, Naver, Daum, Hotmail and our company mail.
I think China does not allow stuff from other countries.

=======================================
Cleared - * Bkav [W32.AIDetectVM.malware1]
Cleared - * Antiy-AVL [Trojan/Win32.Wofith]
=======================================

I want to use AutoHotkey in our company,
because our foolish IT Security Center only believes VirusTotal.
Last edited by jongyun24 on 07 Jan 2020, 01:20, edited 2 times in total.
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

26 Dec 2019, 03:44

Jiangmin is very problematic, and appears to have been so for many years now. Huge number of reports all over the Internet of users not able to contact their support. The issue is with Google's VirusTotal using them. It might be better to contact Google's VirusTotal and request them to remove Jiangmin, since they have such problematic support issues and many false-positive reports.

VirusTotal Contributor List
https://support.virustotal.com/hc/en-us/articles/115002146809-Contributors

Contact for VirusTotal
https://www.virustotal.com/gui/contact-us

You can also join the VirusTotal Community, which will allow voting and commenting about reviews and results.
https://support.virustotal.com/hc/en-us/articles/115003457349-Join-Community
smschulz
Posts: 4
Joined: 31 Dec 2019, 17:37

Re: Report False-Positives To Anti-Virus Companies

01 Jan 2020, 08:18

I'm surprised Kaspersky is listed. They seem to be ok
jongyun24
Posts: 6
Joined: 18 Dec 2019, 19:13

Re: Report False-Positives To Anti-Virus Companies

08 Jan 2020, 21:09

Two weeks ago I wrote to VirusTotal about Jiangmin,

and they said this:

=▼= VirusTotal said =▼=
Hello,
Please, try to contact them at [email protected].
Regards,
Ana Tinoco - VirusTotal - www.virustotal.com
=▲= VirusTotal said =▲=
