Hello, AHK.
In this topic
viewtopic.php?f=6&t=28220
an author gives the link to download a program called WinSpy. This is the link:
https://sourceforge.net/projects/winspyex/
Before opening it I decided to check it via VirusTotal, and this is the result.
Is that normal?
WinSpy from Sourceforge is not safe to download ??!! VirusTotal reports about 10 viruses
Forum rules
Discuss Autohotkey related topics here. Not a place to share code.
WinSpy is reported to have 10 viruses on VirusTotal
Last edited by alf2314 on 21 Sep 2022, 00:33, edited 1 time in total.
- Animan8000
- Posts: 58
- Joined: 11 May 2022, 05:00
- Contact:
Re: WinSpy is reported to have 10 viruses on VirusTotal
Wrong thread category. Also, the 7z includes .exe files, which is why it gets flagged. And that, my friend, is why I don't use an antivirus. Resources are wasted while also getting false positives. Common sense still gives you more security than any AV ever will.
@alf2314 To put it more into context: the way ahk2exe works is that it uses a copy of the whole AutoHotkey interpreter. That copy gets the script injected inside of the exe as an RCDATA resource, so it's not traditional compiling into machine code, and the source is visible in plain text in the binary as well as in memory. Why does it get flagged as a virus? Because a few script kiddies have made malware in AutoHotkey in the past, and the big problem here is that AV companies are unfortunately often lazy, and they're probably not going to bother about a non-mainstream scripting language. They flag the interpreter itself instead of the plain text script (the actual potential danger source), which is a big problem and causes massive amounts of false positives. People attempted years ago to contact AVs to fix the issue, but AVs will probably never care. With that being said, it's most likely harmless. And if you're concerned, you can look into the binary (or use Resource Hacker, if it makes it easier in your case) to see the plain text script, assuming it's not compressed. If it is compressed, there are also ways to decompress it.
Also, if I do a real virus investigation, like an unknown exe in an unknown language, the virus scan results are one thing; however, it's not uncommon that new, really destructive malware has 0 detections at the beginning. What you can do is check the functions a program is capable of, to know its behavior (like changing files without user consent, stealing data and sending it to a malicious server, etc.), see if the file is really large and contains lots of NULL (empty) bytes to bypass virus scanners (big red flag), and if I still decide to run it, then I do so in a virtual machine that won't have any internet access. It's not a perfect solution, but if it infects a VM, then I can roll it back to a previous snapshot and the VM is fine again.
Cheers.
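The two file-level checks described in the reply above (lots of NULL padding as a red flag, and readable script text embedded in the binary) can be done with a plain byte scan before anything is executed. The following is an added example written for this thread; it is not code from the forum, from WinSpy or from AutoHotkey. It does not parse the PE resource directory, it simply scans the bytes the way strings(1) does, and the AutoHotkey-looking patterns it searches for (`#NoEnv`, `::` hotkeys, `MsgBox`, and so on) are a heuristic chosen here, not a definition of what ahk2exe stores. The sample bytes at the bottom are constructed for the demo.

```python
"""Offline triage of a suspicious Windows binary (added example, not the
forum's or WinSpy's code).  Two signals from the thread:
  1. is the file padded with large runs of NULL bytes?
  2. does it carry readable script text (ahk2exe embeds the script as a
     plain-text resource unless it was compressed)?
"""
import math
import re
from collections import Counter

MIN_RUN = 4            # shortest printable run to report (strings(1) default)
NULL_RATIO_FLAG = 0.5  # fraction of 0x00 bytes above which we flag padding
CHUNK = 4096           # window size for per-region entropy


def null_byte_ratio(data: bytes) -> float:
    """Fraction of the whole buffer that is 0x00."""
    return data.count(0) / len(data) if data else 0.0


def longest_null_run(data: bytes) -> int:
    """Length of the longest contiguous run of 0x00 bytes."""
    return max((m.end() - m.start() for m in re.finditer(rb"\x00+", data)), default=0)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for padding, ~8 for compressed/encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, size: int = CHUNK) -> list:
    """Entropy per fixed-size window, so padded or packed regions stand out."""
    return [round(shannon_entropy(data[i:i + size]), 2) for i in range(0, len(data), size)]


def printable_runs(data: bytes, min_len: int = MIN_RUN) -> list:
    """Runs of printable ASCII (tab, space..~), like strings(1)."""
    pat = re.compile(rb"[\t\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def printable_runs_utf16(data: bytes, min_len: int = MIN_RUN) -> list:
    """Same scan for UTF-16LE text (each ASCII char followed by 0x00)."""
    pat = re.compile(rb"(?:[\t\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]


# Heuristic: lines that look like AutoHotkey source (assumption for this demo).
AHK_HINTS = re.compile(r"#(NoEnv|SingleInstance|Requires|Persistent)\b|::|\b(MsgBox|SendInput|DllCall|WinGetTitle)\b")


def script_like_runs(data: bytes) -> list:
    """Printable runs (ASCII or UTF-16LE) that match the AHK heuristic."""
    runs = printable_runs(data) + printable_runs_utf16(data)
    return [r for r in runs if AHK_HINTS.search(r)]


def triage(data: bytes) -> dict:
    """Summary a reviewer would look at before deciding to run the file."""
    ratio = null_byte_ratio(data)
    return {
        "size": len(data),
        "null_ratio": round(ratio, 3),
        "longest_null_run": longest_null_run(data),
        "padding_flag": ratio > NULL_RATIO_FLAG,
        "chunk_entropy": chunk_entropies(data),
        "script_lines": script_like_runs(data),
    }


# Constructed sample: a fake binary prefix, an embedded script, then padding.
SAMPLE_SCRIPT = b"#NoEnv\n#SingleInstance Force\n^!w::\nMsgBox, hello from the embedded script\nreturn\n"
SAMPLE_FILE = b"MZ\x90\x00" + bytes(range(256)) * 4 + SAMPLE_SCRIPT + b"\x00" * 8192

if __name__ == "__main__":
    for key, value in triage(SAMPLE_FILE).items():
        print(f"{key}: {value}")
```

On a real download you would read the .exe with `open(path, "rb").read()` and pass it to `triage`. A high `null_ratio` together with a long `longest_null_run` is the padding pattern the reply warns about; an empty `script_lines` list on an ahk2exe build usually means the embedded script was compressed, which is the case where a resource viewer and a decompression step are needed instead.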
Re: WinSpy from Sourceforge is not safe to download ??!! VirusTotal reports about 10 viruses
@alf2314:
It's not unusual that AHK scripts get a lot of false positives from lazy antivirus vendors.
If I read the initial post of that topic correctly, the uncompiled script is included in the download. So you can inspect what you run.
PS: I merged your two topics about this, and moved it to 'General Discussion'. After all, you even made a third post about it... in just 9 minutes.
Re: WinSpy from Sourceforge is not safe to download ??!! VirusTotal reports about 10 viruses
Hi there.
gregster wrote: ↑20 Sep 2022, 01:32
@alf2314:
It's not unusual that AHK scripts get a lot of false positives from lazy antivirus vendors.
If I read the initial post of that topic correctly, the uncompiled script is included in the download. So you can inspect what you run.
PS: I merged your two topics about this, and moved it to 'General Discussion'. After all, you even made a third post about it... in just 9 minutes.
1) I followed the logic only: the original topic is placed in the "Scripts and Functions" category, not "General Discussions". Also, in the categories list there is no "your suggestions" or similar.
2) This is not a no-name program from nowhere. I've seen references to this program about 10 times since I joined the forum, thus I might think it is valued software for the community here. For this reason I thought it was important to at least point it out. Of course, when I learnt about such a powerful program, that I need for my workflow, I ran to download it, and was shocked by the "quantity" of viruses. I don't believe any experienced Internet user would give a ... and just open it up. But since AHK is a respected forum, which is not intended to scam people, it was better to ask.
Greetings
P.S. If this doesn't make sense now, can you just remove it? Or would it be better if it exists, for anyone in the future who would also feel suspicious?
Last edited by alf2314 on 20 Sep 2022, 09:02, edited 1 time in total.
Re: WinSpy is reported to have 10 viruses on VirusTotal
Hello, @Animan8000, thanks for your detailed reply. It seems clearer now.
Animan8000 wrote: ↑20 Sep 2022, 01:22
Wrong thread category. Also the 7z includes .exe files, which is why it gets flagged...
- FanaticGuru
- Posts: 1907
- Joined: 30 Sep 2013, 22:25
Re: WinSpy from Sourceforge is not safe to download ??!! VirusTotal reports about 10 viruses
I have been running the uncompiled version of the script for years without problems.
Looking through the code, it does do things that I imagine virus detection programs would not like, as it interacts with other programs pretty intensely through OpenProcess, which it uses to get information about other applications, especially their windows and GUI components.
So it might be just the standard compiled AHK false flags or something more specific to WinSpy.
Either way, the WinSpy uncompiled script file looks safe to me, and it is my go-to for this type of thing.
FG
Hotkey Help - Help Dialog for Currently Running AHK Scripts
AHK Startup - Consolidate Multiply AHK Scripts with one Tray Icon
Hotstring Manager - Create and Manage Hotstrings
[Class] WinHook - Create Window Shell Hooks and Window Event Hooks
Re: WinSpy from Sourceforge is not safe to download ??!! VirusTotal reports about 10 viruses
It's definitely a useful program, and its creator Alguimist is a valuable long-time member of this community, who e.g. created the Adventure IDE (and AutoGUI before that). But I think his WinSpy is actually not as well-known as it deserves to be. Probably you have seen more references to the "WindowSpy" script which is included with any AHK installation, and which can be accessed through the context menu of a script's tray icon. That's a simple standard program which people use every day to determine coordinates and window titles.
Alguimist's WinSpy can do a lot more, but is also more complex, and probably does more things which might get the attention of an antivirus, like FG explained above.