hasantr wrote: ↑20 Dec 2020, 11:52
No problem for autohotkey.exe. but compiled applications are thought to be viruses. I guess this will never change.
This is not a valid statement, where any compiled AutoHotkey script is labeled as a virus. This is not what is happening.
Compiled AutoHotkey scripts are bound to the interpreter, so the first case is that if the AutoHotkey.exe is identified as malware, so will the compiled script. So the primary issue of clarification is to stop auto identification of AutoHotkey.exe as malware. This should be quite easy for Anti-Virus companies, as the source code of AutoHotkey is public and creating a hash of the AutoHotkey.exe is quite easy too. In addition, AutoHotkey's situation as an interpreted scripting language is not uncommon. AutoIt, WinBatch, Lua, Python, etc. are in the same category. Most Anti-Virus companies know how to do their job properly; it's those that don't that we have to keep vigilant about.
Other main cases, after stopping auto mislabeling of an AutoHotkey.exe as malware (false-positive) are often as follows:
1) The use of UPX, MPRESS, or any exotic packers (compression)
While their use doesn't necessarily mean anything nefarious, various Anti-Virus heuristics can get set off by them. It depends on the Anti-Virus program used as to how it will identify the program that is using such.
2) The executable has no detail/descriptive information nor digital signature.
It doesn't mean that those executables without such will be automatically identified as malware, but it is something that can trigger Anti-Virus heuristics, especially in combination with other traits and when the executable is seeing widespread use or downloading.
3) Activities of your program that are behaviorally similar to those of well known malware and are commonly considered to be dangerous.
Doing things like trying to make changes to the registry, running at startup without permission, keyloggers, storing passwords, making changes to mass numbers of files, connecting to the Internet or suspicious webservers, etc. It's not to say that any specific behavior is nefarious, but various Anti-Virus heuristics can add them up to come to an alert.
4) The code in your executable can be identical or similar to a previously identified malware.
This is a catch-22 type of thing, where Anti-Virus companies have to be careful and professional about what they do. Just because malware used code to do something nefarious doesn't mean the use of such code is always for such a purpose. So the Anti-Virus company has to use various other indicators.
The advantage of AutoHotkey is that the interpreter and source code can be clearly identified as separate from each other and analyzed separately. It is actually much easier to identify what is or isn't malware with a scripting language like AutoHotkey than with various other programming languages, if the Anti-Virus company has professionals that are aware of the scripting language and know what they are doing.
In any case, companies will sometimes get this wrong or be too general, thus customers/users have to provide push-back when they get it wrong (false-positive) and let them know about it.
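As an added example (not part of this post or of the AutoHotkey project), a small Python script that reads a compiled executable's PE headers and reports the static traits from points 1 and 2 above: packer section names, no resource table (where version/description info lives), and no Authenticode certificate table. The packer section names are an assumption (the usual UPX and MPRESS defaults), and the two sample header images are constructed for the demo; the script does not validate signatures or parse the version resource.

```python
import struct
PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2", b".MPRESS1", b".MPRESS2"}  # assumed packer defaults

def inspect_pe(data: bytes) -> dict:
    """Read only the PE headers: section names, resource and certificate tables."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                     # COFF file header (20 bytes)
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                         # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)            # data directories: PE32 vs PE32+
    _, res_size = struct.unpack_from("<II", data, dirs + 8 * 2)   # resource table
    _, cert_size = struct.unpack_from("<II", data, dirs + 8 * 4)  # certificate table
    names = [data[opt + opt_size + 40 * i:][:8].rstrip(b"\0") for i in range(n_sections)]
    return {
        "packer_sections": [n.decode() for n in names if n in PACKER_SECTIONS],
        "has_resources": res_size != 0,   # where VERSIONINFO would live (not parsed here)
        "has_signature": cert_size != 0,  # Authenticode present (validity not checked)
    }

def false_positive_risks(data: bytes) -> list:
    """The static traits from points 1 and 2 that the image exhibits."""
    r, risks = inspect_pe(data), []
    if r["packer_sections"]:
        risks.append("packer sections: " + ", ".join(r["packer_sections"]))
    if not r["has_resources"]:
        risks.append("no resource table, so no version/description info")
    if not r["has_signature"]:
        risks.append("no Authenticode certificate table")
    return risks

def build_pe(section_names, resources=False, signed=False) -> bytes:
    """Constructed minimal PE32 header image for the demo (headers only, not runnable)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94                   # PE32; 96 bytes before dirs
    dirs = [(0, 0)] * 16
    if resources: dirs[2] = (0x3000, 0x200)
    if signed: dirs[4] = (0x5000, 0x800)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    secs = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + secs

PACKED = build_pe([b"UPX0", b"UPX1", b".rsrc"])  # constructed: packed, no resources, unsigned
CLEAN = build_pe([b".text", b".rdata", b".rsrc"], resources=True, signed=True)  # constructed
```

On a real compiled script, `false_positive_risks(open(path, "rb").read())` lists which of these traits the build carries, which is useful context to include in a false-positive report to the vendor.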