Viruses or misjudgments?

Kevin_yeh2020
Posts: 106
Joined: 11 Apr 2020, 00:54

11 Apr 2021, 02:01

Hi,
My script is below.
I used the VirusTotal website to test Moving.ahk, and it passed, but when I use Ahk2Exe to generate the .exe and then test it, it fails.
I have many scripts that cannot pass Symantec on a Win10 64-bit system, but no warning signs were found on 32-bit.
Are there other ways to generate the .exe? How can I solve this problem?
If you are willing to help me test, I would be very grateful.

; Build the small always-on-top control window
Gui +AlwaysOnTop
Gui, Font, S10 C000000 , Tahoma
Gui, Show, x131 y91 h40 w250,Moving
Gui, Add, Button, x10 Y5 H30 W60, Start
Gui, Add, Button, x80 Y5 H30 W60, Stop
Gui, Font, S10 cGreen
Gui, Add, Text, x150 Y12 vRunning, Status: Running
Gui, Font, S10 cRed
Gui, Add, Text, x150 Y12 vStop, Status: Stop
GuiControl, Hide, Running

#Persistent
; Remember the window that is active at startup (the GUI itself)
WinGet, a_ID, ID, A
SetTimer, aa, 500
return

; Every 500 ms: record the most recently active window that is not the GUI
aa:
WinGet, a1_ID, ID, A
If ( a_ID != a1_ID )
    k_ID = %a1_ID%
Return

ButtonStop:
sleep 300
Reload
return

; Start: every 9.5 minutes, re-activate the recorded window and nudge the mouse
ButtonStart:
GuiControl, Hide, STOP
GuiControl, Show, Running
Loop,
{
    WinActivate, ahk_id  %k_ID%
    sleep 570000
    MouseMove, 500, 500
    sleep 500
    MouseMove, 498, 498
}
Return

GuiClose:
ExitApp

VirusTotal website address: https://www.virustotal.com/gui/home/upload
Autohotkey rev. : AutoHotkey_1.1.33.06
Installed the AutoHotkey_1.1.33.06 32bit
Win OS: Win10 64bit
Compress exe with MPRESS or USP: NO
Attachments: Passed.JPG, Failed.JPG
gregster
Posts: 9048
Joined: 30 Sep 2013, 06:48

Re: Viruses or misjudgments?

11 Apr 2021, 03:10

False positives are a common problem for AutoHotkey. Unfortunately, there is no simple solution to make them go away.

Locally, on your computer, you could whitelist the specific exes in your AV software.

Generally, you can report false-positives to the falsely reporting AV companies (which can have a short-term effect for the current version) and hope that they remove these false detections for now, and improve their virus detection in the future. But tbh, there is not much hope that the problem will ever disappear completely... e.g., the AHK interpreter - which is also included in every AHK exe - contains the whole key hooking stuff and a lot of other Windows DLL calls - even for the simplest script - which will regularly set off some (badly adjusted) heuristic AV alarms.

btw, if I understand the remark about crowdsourced YARA-rules in the screenshot correctly, it seems that AutoIt and AHK exes are intentionally targeted by some generic rules, without even analyzing what the actual files are doing - which is not great, not to say lazy, by the AV companies using these rules... anyway, it shows the general problem we are facing
Kevin_yeh2020
Posts: 106
Joined: 11 Apr 2020, 00:54

Re: Viruses or misjudgments?

11 Apr 2021, 04:34

Hi gregster,
I understand. But if I want to use it in the company, I have to solve it. Thank you for the quick reply.
gregster
Posts: 9048
Joined: 30 Sep 2013, 06:48

Re: Viruses or misjudgments?

11 Apr 2021, 04:49

Well, you can report it as a false positive to the (relevant) antivirus companies (see linked list above), especially those which are used in your company.
If you are lucky, they might correct their wrong assessment in their next update, but there is obviously no guarantee.
Apart from that... 🤷‍♂️
boiler
Posts: 17042
Joined: 21 Dec 2014, 02:44

Re: Viruses or misjudgments?

11 Apr 2021, 05:35

Does your company's implementation of Symantec allow you to manage files that are quarantined? If so, you should be able to go to Symantec's "Quarantine Management" page and identify that you want to restore that file as described here. It should leave it alone once you have identified it as safe. You should also be able to set up certain folders that will be exempt from scans or other oversight where it would remove a file unless your company has disabled that capability.
Kevin_yeh2020
Posts: 106
Joined: 11 Apr 2020, 00:54

Re: Viruses or misjudgments?

11 Apr 2021, 05:50

Hi boiler,
Thank you for the quick reply.
