AHK2EXE Compiled Script False Positives... Again Topic is solved

Gedrean
Posts: 22
Joined: 02 Jun 2019, 09:10

AHK2EXE Compiled Script False Positives... Again

16 May 2021, 17:12

I know this is a running issue, but I'm trying to figure this out.

I got onto a new system, so I figured updating AHK and A2E and everything else, along with Studio and all the other editors, would do me some good.

Every time I compile now, my EXE gets flagged and banned in %temp% because of Windows Defender.
The most common times are when I have it set to compress using UPX.
Each compile SEEMS to flag with a different malware, which tells me WD is using heuristics and the gibberish from UPX is causing it.

Now, to be frank, I don't want to DISABLE Windows Defender, and adding exceptions each script compile time is a pretty lousy approach. Also, adding a folder exception for %temp% is probably one of the worst things one could do, if one doesn't want random viruses to have a better opening.

So, is there a way to tell AHK2EXE to instead build its compile in a DIFFERENT directory, one that I --could-- add an exception for, so that I don't have it catching these scripts as I'm compiling them?

Is there something I'm doing wrong?

A2E version 1.1.33.09
I set up my AHK2EXE settings as:
BIN: Default Unicode 64 (but this happens when I use compiler directives to say that it should compile with Unicode-64, and output to a specific directory, so I get 32 and 64 bit builds)
Compress with: UPX

I chose UPX because MPRESS didn't seem to work right in my previous build, and UPX had some pretty good results - I'm looking at under a full meg for a pretty large script plus installfiles.
mikeyww
Posts: 26600
Joined: 09 Sep 2014, 18:38

Re: AHK2EXE Compiled Script False Positives... Again

16 May 2021, 17:20

Yes, you can set a destination path and then exclude the directory from Defender. I have my AHK scripts in one directory that is excluded. You can omit UPX if needed; it tends to be a problem.
Gedrean
Posts: 22
Joined: 02 Jun 2019, 09:10

Re: AHK2EXE Compiled Script False Positives... Again

16 May 2021, 17:26

mikeyww wrote: Yes, you can set a destination path and then exclude the directory from Defender. I have my AHK scripts in one directory that is excluded. You can omit UPX if needed; it tends to be a problem.
The problem I'm running into is I used compiler directives in my script to set the destination path.
Both my script directory, and my output directory, are covered by WD Exclusions.
However, the compilation seems to just concat all the files into one in the %temp% directory, then run UPX on it, before renaming it and moving it as an exe.
The problem comes as soon as UPX finishes WD swoops in and nukes it out of %temp%, and then AHK2EXE can't rename the file and move it to the output directory where it's safe.

Could I somehow --change-- or add a feature to change where the compilation/concatenation/UPX-ification occurs?
mikeyww
Posts: 26600
Joined: 09 Sep 2014, 18:38

Re: AHK2EXE Compiled Script False Positives... Again

16 May 2021, 17:42

OK. Need some other folks here who know more about the compiler.
AHKStudent
Posts: 1472
Joined: 05 May 2018, 12:23

Re: AHK2EXE Compiled Script False Positives... Again

16 May 2021, 17:45

It will cycle through a few false virus alerts, and if you allow each one it will leave you alone for a while.
Gedrean
Posts: 22
Joined: 02 Jun 2019, 09:10

Re: AHK2EXE Compiled Script False Positives... Again

16 May 2021, 17:48

AHKStudent wrote: It will cycle through a few false virus alerts and if you allow each one it will leave you alone for a while
Yeah and I totally get that I could, one at a time, do TOFU like that, but it's a terrible approach to security and frankly I'm at the point where it's about a 50/50 whether I get an EXE or I have to compile a half dozen times to get one, even disabling UPX.

So, at this point, I mean, I really don't accept the idea of "just make an exception for %temp%" because that's just a terrible idea, dangerous as all get out.

I'm considering figuring out, is there a way I could use compiler directives to REDIRECT the use of A_Temp in Ahk2exe to make it put them somewhere else?
AHKStudent
Posts: 1472
Joined: 05 May 2018, 12:23

Re: AHK2EXE Compiled Script False Positives... Again

16 May 2021, 18:09

Gedrean wrote:
16 May 2021, 17:48
AHKStudent wrote: It will cycle through a few false virus alerts and if you allow each one it will leave you alone for a while
Yeah and I totally get that I could, one at a time, do TOFU like that, but it's a terrible approach to security and frankly I'm at the point where it's about a 50/50 whether I get an EXE or I have to compile a half dozen times to get one, even disabling UPX.

So, at this point, I mean, I really don't accept the idea of "just make an exception for %temp%" because that's just a terrible idea, dangerous as all get out.

I'm considering figuring out, is there a way I could use compiler directives to REDIRECT the use of A_Temp in Ahk2exe to make it put them somewhere else?
Are you sure that if you point it somewhere else Windows Defender won't alert? Why do you think it's just an A_Temp issue?
Gedrean
Posts: 22
Joined: 02 Jun 2019, 09:10

Re: AHK2EXE Compiled Script False Positives... Again

16 May 2021, 18:28

AHKStudent wrote: Are you sure that if you point it somewhere else Windows Defender won't alert? Why do you think it's just an A_Temp issue?
I have a directory, D:\Output - which is where all my output compilations go.
I added that path, plus D:\Scripts, to my WD Exclusions list.
They won't scan there.
When I have the %temp% directory open in view, and compile from right-click compile, or Compile command in AHK studio, I see the .tmp file shows up in %temp%, and WD flags it.

As a temporary measure, if I open cmd, and do SET TEMP=D:\Output\Temp or something like that, and SET TMP the same, and then run the script compile through that, I can see in that D:\Output\Temp directory the tmp files show up, and disappear, and I have executables coming into D:\Output\64 and \32 and \A32 and so on.

I can tell it destination location in the GUI, same thing, it still builds it in %temp%.

So I know it's an A_TEMP issue because that is where the AHK2EXE is putting the files to build them.
And I'd like to tell it to change its working directory. Preferably without having to either rewrite AHK2EXE (but I may have to at this rate) or build some convoluted thing other than a batch file to compile. (Because I like(d) to compile from AHK Studio when it worked!)
TAC109
Posts: 1098
Joined: 02 Oct 2013, 19:41
Location: New Zealand

Re: AHK2EXE Compiled Script False Positives... Again  Topic is solved

16 May 2021, 19:28

What you can do in Windows Defender is set a process exclusion for Ahk2Exe.exe. This should allow your compilations to go through without being flagged.
My scripts:-
XRef - Produces Cross Reference lists for scripts
ReClip - A Text Reformatting and Clip Management utility
ScriptGuard - Protects Compiled Scripts from Decompilation
I also maintain Ahk2Exe
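As an added example (not code from any post in this thread), this is how the accepted answer's process exclusion, plus the dedicated output-folder exclusion discussed earlier, can be applied with the Defender PowerShell cmdlets while keeping %temp% itself out of the exclusion list; the Ahk2Exe.exe and upx.exe paths and D:\Output are assumptions taken from the thread and should be adjusted.

```powershell
# Added example, not the thread's own code. Run from an elevated PowerShell prompt.
# Scope Defender exclusions to the compiler process and the dedicated output folder
# instead of excluding %TEMP%, which would cover anything any program drops there.
$compiler = 'C:\Program Files\AutoHotkey\Compiler\Ahk2Exe.exe'   # assumed install path
$packer   = 'C:\Program Files\AutoHotkey\Compiler\upx.exe'       # assumed location of upx.exe
$outDir   = 'D:\Output'                                            # output folder named in the thread

# Process exclusions cover files *opened or written* by the listed process,
# not the process image itself, so Ahk2Exe.exe and upx.exe are still scanned
# when they start; only the .tmp files they create in %TEMP% are skipped.
Add-MpPreference -ExclusionProcess $compiler, $packer
Add-MpPreference -ExclusionPath    $outDir

# Sanity check: warn if a broad temp-folder exclusion is present on this machine.
$pref  = Get-MpPreference
$temps = @($env:TEMP, $env:TMP, "$env:SystemRoot\Temp") | ForEach-Object { $_.TrimEnd('\') }
foreach ($p in $pref.ExclusionPath) {
    if ($temps -contains $p.TrimEnd('\')) {
        Write-Warning "Broad exclusion present: $p (remove with Remove-MpPreference -ExclusionPath '$p')"
    }
}

# Show the resulting lists so the change can be reviewed.
$pref | Select-Object ExclusionProcess, ExclusionPath | Format-List
```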
Gedrean
Posts: 22
Joined: 02 Jun 2019, 09:10

Re: AHK2EXE Compiled Script False Positives... Again

16 May 2021, 20:31

TAC109 wrote:
16 May 2021, 19:28
What you can do in Windows Defender is set a process exclusion for Ahk2Exe.exe. This should allow your compilations to go through without being flagged.
This is a viable solution. I also added upx.exe to allow the compression to hit. Thanks!
EDIT: I didn't even realize you could add processes.
bxdobs
Posts: 18
Joined: 06 Mar 2018, 19:05

Re: AHK2EXE Compiled Script False Positives... Again

25 May 2021, 17:30

Having a similar situation with Microsoft Security Essentials except it was also deleting the exe files.

Added an AHK exception in MSE to no avail ... will try the AHK2EXE.exe exception in MSE ... as well as move the compiled scripts to a folder that can be excluded in MSE
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: AHK2EXE Compiled Script False Positives... Again

25 May 2021, 17:55

bxdobs wrote:
25 May 2021, 17:30
Having a similar situation with Microsoft Security Essentials except it was also deleting the exe files.

Added an AHK exception in MSE to no avail ... will try the AHK2EXE.exe exception in MSE ... as well as move the compiled scripts to a folder that can be excluded in MSE
Depending on the version of Windows Defender or Microsoft Security Essentials, you might be able to add exceptions for file type (.ahk) or process, not just a specific file.

Maybe you want to send a false-positive report to Microsoft. They will give you results back in 24 hours or less. If enough people send in reports, it can possibly clear the problem by the next antivirus update.
SpaceCaptainMG
Posts: 2
Joined: 10 Dec 2021, 10:12

Re: AHK2EXE Compiled Script False Positives... Again

10 Feb 2023, 07:38

Gedrean wrote:
16 May 2021, 17:26
mikeyww wrote: Yes, you can set a destination path and then exclude the directory from Defender. I have my AHK scripts in one directory that is excluded. You can omit UPX if needed; it tends to be a problem.
The problem I'm running into is I used compiler directives in my script to set the destination path.
Both my script directory, and my output directory, are covered by WD Exclusions.
However, the compilation seems to just concat all the files into one in the %temp% directory, then run UPX on it, before renaming it and moving it as an exe.
The problem comes as soon as UPX finishes WD swoops in and nukes it out of %temp%, and then AHK2EXE can't rename the file and move it to the output directory where it's safe.

Could I somehow --change-- or add a feature to change where the compilation/concatenation/UPX-ification occurs?
I'm in the same boat now. SentinelOne has decided that my compiled scripts are viruses, particularly the tmp files created during compiling.

I really need a way to specify an alternate directory for the compiling to occur in that can be whitelisted. @TAC109 help :(
lbna834n
Posts: 1
Joined: 10 Feb 2023, 15:44

Re: AHK2EXE Compiled Script False Positives... Again

10 Feb 2023, 16:10

Create a new bat file
@ECHO OFF
:: Ensures a consistent starting directory.
CD /D "%~dp0"
:: Keep variables local to this app
SETLOCAL
:: Point TEMP/TMP at a folder that is excluded from the antivirus scanner,
:: so Ahk2Exe builds its intermediate .tmp file there instead of %temp%.
SET "TEMP=T:\Temp\"
SET "TMP=T:\Temp\"
:: %* passes every file dropped onto the batch file (or given as arguments) to /in.
start "" "C:\Program Files\AutoHotkey\Compiler\Ahk2Exe.exe" /gui /in %*
TAC109
Posts: 1098
Joined: 02 Oct 2013, 19:41
Location: New Zealand

Re: AHK2EXE Compiled Script False Positives... Again

10 Feb 2023, 17:46

@SpaceCaptainMG
You need to report the flagged programs as false positives to your antivirus company. See this list for additional information. Scroll down for SentinelOne.

Cheers
My scripts:-
XRef - Produces Cross Reference lists for scripts
ReClip - A Text Reformatting and Clip Management utility
ScriptGuard - Protects Compiled Scripts from Decompilation
I also maintain Ahk2Exe
Gedrean
Posts: 22
Joined: 02 Jun 2019, 09:10

Re: AHK2EXE Compiled Script False Positives... Again

15 Sep 2023, 12:50

lbna834n wrote:
10 Feb 2023, 16:10
Create a new bat file

@ECHO OFF
:: Ensures a consistent starting directory.
CD /D "%~dp0"
:: Keep variables local to this app
SETLOCAL
:: Point TEMP/TMP at a folder that is excluded from the antivirus scanner,
:: so Ahk2Exe builds its intermediate .tmp file there instead of %temp%.
SET "TEMP=T:\Temp\"
SET "TMP=T:\Temp\"
:: %* passes every file dropped onto the batch file (or given as arguments) to /in.
start "" "C:\Program Files\AutoHotkey\Compiler\Ahk2Exe.exe" /gui /in %*
Holy Zombie Thread, Batman!

I was kind of surprised to see a reply to this 2 year old post.

I wanted to share that I had actually come up with a solution - albeit an inelegant solution, it's still a solution.

I built a script for AHK to compile these because I forgot about SETLOCAL at the time, and because I compile 3 scripts at a time (I have library functions shared between each that I update from time to time, so making new versions of all my scripts works better than forgetting to update one of them).

The batch file mentioned above has the additional functionality of being a drag and drop compile solution - drag your script to the batch file in Explorer, and the compile is run against the dropped file(s).

SADLY: The --only-- thing these solutions don't solve is the fact that I still cannot compile using AHK Studio - as AHK Studio made changes in its code where it compiles, and it explicitly specifies output location to be the same as the script location. This overrides in-script directives, a huge miss on AHK Studio's part. :-( I use separate output directories because my script directory is ENORMOUS, and I want to easily have the same file name for different architectures as I deploy my scripts to different systems.

@SpaceCaptainMG You can either use the batch file suggested above by @lbna834n or the following script:

; Redirect TEMP/TMP for this script's process; Ahk2Exe inherits them as a child process.
EnvSet, TEMP, T:\Temp
EnvSet, TMP, T:\Temp
; /compress 2 selects UPX; replace [SCRIPT FILE HERE] with the script to compile.
RunWait, "C:\Program Files\AutoHotkey\Compiler\Ahk2Exe.exe" /in "[SCRIPT FILE HERE]" /compress 2
You can also adjust the parameters in the batch file mentioned above or the script I mention to include the /compress 2 if you use UPX like I do, or disable /gui, or however you want.

Also don't forget to adjust T:\Temp or whatever you use for your exception directory for temp files. Mine is D:\Output\Temp and it works great as I just exception-listed D:\Output

P.S.: I modified the quoted text to make the code in a code block

P.P.S: Also, check out the dos/command line function "pushd" and "popd" - I use it instead of CD /D because it pushes the given directory (in this case, "pushd %~dp0") to the directory stack, and does not change the actual execution location, which has some notable behavioral differences that I find helpful - namely when I'm done, I can do "popd" and then I am back at the running directory, good for running system commands if needed without path interference.
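An added PowerShell version of the temp-redirect approach in this post (not Gedrean's or lbna834n's code): it sets TEMP/TMP only for the compiler's child process, compiles several scripts in one run as described above, and reports anything left behind in the redirected temp folder; the script names, folder paths and the assumption that Ahk2Exe returns a non-zero exit code on failure are all assumptions.

```powershell
# Added example, not the thread's own code.
# Compile several scripts with TEMP/TMP pointed at a folder under the excluded
# output directory, for the compiler process only; the caller's environment is restored after.
$compiler = 'C:\Program Files\AutoHotkey\Compiler\Ahk2Exe.exe'   # assumed install path
$tempDir  = 'D:\Output\Temp'                                        # under the excluded D:\Output
$scripts  = 'D:\Scripts\Tool1.ahk', 'D:\Scripts\Tool2.ahk', 'D:\Scripts\Tool3.ahk'  # constructed names

New-Item -ItemType Directory -Path $tempDir -Force | Out-Null

$saved = @{ TEMP = $env:TEMP; TMP = $env:TMP }
try {
    # Child processes inherit the current process environment, so Ahk2Exe
    # creates its intermediate .tmp file in $tempDir instead of %TEMP%.
    $env:TEMP = $tempDir
    $env:TMP  = $tempDir
    foreach ($s in $scripts) {
        # /compress 2 = UPX, as used in the thread; drop the two arguments to skip packing.
        $p = Start-Process -FilePath $compiler -ArgumentList @('/in', "`"$s`"", '/compress', '2') -Wait -PassThru
        # Assumption: Ahk2Exe exits non-zero when the compile fails.
        if ($p.ExitCode -ne 0) { Write-Warning "Ahk2Exe returned exit code $($p.ExitCode) for $s" }
    }
} finally {
    # Restore the caller's temp folders even if a compile throws.
    $env:TEMP = $saved.TEMP
    $env:TMP  = $saved.TMP
}

# A file left in the redirected temp folder means a build was interrupted
# (for example, by the scanner quarantining it before the rename to .exe).
Get-ChildItem -Path $tempDir -File | ForEach-Object { Write-Warning "Leftover build file: $($_.FullName)" }
```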
