
WinSpy from Sourceforge is not safe to download ??!! VirusTotal reports about 10 viruses

Posted: 19 Sep 2022, 23:27
by alf2314
Hello, AHK.

in this topic

viewtopic.php?f=6&t=28220

an author gives the link to download a program called WinSpy

this is the link
https://sourceforge.net/projects/winspyex/

before opening I decided to check it via Virustotal, and this is the result.
[screenshot of the VirusTotal result, not reproduced here]

is that normal ?

WinSpy is reported to have 10 viruses on VirusTotal

Posted: 19 Sep 2022, 23:33
by alf2314
~~~~

Re: WinSpy is reported to have 10 viruses on VirusTotal

Posted: 20 Sep 2022, 01:22
by Animan8000
Wrong thread category. Also the 7z includes .exe files, which is why it gets flagged. And that, my friend, is why I don't use an Anti-Virus. Resources being wasted while also getting false positives. Common sense still gives you more security than any AV ever will.

@alf2314 To put it more into context: the way ahk2exe works is that it uses a copy of the whole AutoHotkey interpreter. That copy gets the script injected inside of the exe as a RCDATA resource, so it's not traditional compiling into machine code, and the source is visible in plain text in the binary as well as in memory. Why does it get flagged as a virus? Because a few script kiddies have made malware in AutoHotkey in the past, and the big problem here is that, unfortunately, AV companies are often lazy, and they're probably not going to bother about a non-mainstream scripting language. They flag the interpreter itself instead of the plain text script (the actual potential danger source), which is a big problem and causes massive amounts of false positives. People have attempted years ago to contact AVs to fix the issue, but AVs will probably never care. With that being said, it's most likely harmless. And if you're concerned, you can look into the binary (or use Resource Hacker, if it makes it easier in your case) to see the plain text script, assuming it's not compressed. If it is compressed, there are also ways to decompress it.

Also, if I do a real virus investigation, like an unknown exe in an unknown language, the virus scan results are one thing; however, it's not uncommon that new, really destructive malware has 0 detection at the beginning. What you can do is check the functions a program is capable of, to know its behavior (like changing files without user consent, stealing data and sending it to a malicious server, etc.), see if the file is really large and contains lots of NULL (empty) bytes to bypass virus scanners (big red flag), and if I still decide to run it, then I do so in a virtual machine that won't have any internet access. It's not a perfect solution, but if it infects a VM, then I can roll it back to a previous snapshot and the VM is fine again.

Cheers.
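
To make the two inspections described in the post above concrete, here is an added Python example (not code from this thread, from WinSpy, or from AutoHotkey) that runs them over a file's bytes: the NULL-byte padding heuristic, and a strings-style extraction that surfaces an uncompressed script sitting in plain text inside the binary. The thresholds, the AutoHotkey line markers, and the sample blobs are assumptions constructed for illustration, not values taken from any real file.

```python
"""Triage helpers for a downloaded binary: NULL-byte padding check and
plain-text string extraction. Added example, not code from the thread or
from WinSpy; thresholds and markers are assumptions chosen for illustration."""
import re
from dataclasses import dataclass

# Assumed thresholds (not from the thread): a file that is mostly zero bytes,
# or that carries one huge run of zeros, warrants a closer look.
NULL_RATIO_FLAG = 0.50
NULL_RUN_FLAG = 1024 * 1024  # 1 MiB of contiguous zeros


@dataclass
class NullStats:
    size: int
    null_count: int
    longest_run: int

    @property
    def ratio(self) -> float:
        return self.null_count / self.size if self.size else 0.0

    @property
    def suspicious(self) -> bool:
        return self.ratio >= NULL_RATIO_FLAG or self.longest_run >= NULL_RUN_FLAG


def null_stats(data: bytes) -> NullStats:
    """Count zero bytes and the longest contiguous run of them."""
    longest = 0
    # A regex over b"\x00+" avoids a slow per-byte Python loop on large files.
    for m in re.finditer(rb"\x00+", data):
        longest = max(longest, m.end() - m.start())
    return NullStats(len(data), data.count(0), longest)


def printable_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Extract runs of printable ASCII, like the `strings` utility. A script
    stored uncompressed as an RCDATA resource shows up here line by line,
    because CR/LF are excluded from the character class."""
    pattern = rb"[\x20-\x7e\t]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Assumed markers of an AutoHotkey script in plain text (illustrative, not
# exhaustive): directives and commands that commonly open a script.
AHK_MARKERS = ("#NoEnv", "#SingleInstance", "SendMode", "SetWorkingDir", "MsgBox")


def looks_like_ahk_script(strings: list[str]) -> bool:
    return any(s.lstrip().startswith(AHK_MARKERS) for s in strings)


def triage(data: bytes) -> dict:
    """Summarise both checks for one file's contents."""
    stats = null_stats(data)
    strs = printable_strings(data)
    return {
        "null_ratio": round(stats.ratio, 3),
        "longest_null_run": stats.longest_run,
        "null_padding_flag": stats.suspicious,
        "embedded_ahk_script": looks_like_ahk_script(strs),
        "script_lines": [s for s in strs if s.lstrip().startswith(AHK_MARKERS)],
    }


# Constructed sample inputs (not real files): a small blob with an
# uncompressed script inside it, and the same blob padded with 2 MiB of zeros.
SAMPLE_SCRIPT = (
    b"#NoEnv\r\n#SingleInstance Force\r\nSendMode Input\r\n"
    b"MsgBox, hello from the embedded script\r\n"
)
SAMPLE_CLEAN = b"MZ" + bytes(range(256)) * 4 + SAMPLE_SCRIPT + bytes(range(256)) * 4
SAMPLE_PADDED = SAMPLE_CLEAN + b"\x00" * (2 * 1024 * 1024)

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN), ("padded", SAMPLE_PADDED)):
        print(name, triage(blob))
```

Point `triage()` at the bytes of an actual download (`open(path, "rb").read()`) to get the same summary; the `script_lines` list is what you would read through before deciding whether the embedded script is the one you expected, and the padding flag is only a prompt to look harder, not a verdict.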

Re: WinSpy from Sourceforge is not safe to download ??!! VirusTotal reports about 10 viruses

Posted: 20 Sep 2022, 01:32
by gregster
@alf2314:
It's not unusual that AHK scripts get a lot of false positives from lazy antivirus vendors.

If I read the initial post of that topic correctly, the uncompiled script is included in the download. So you can inspect what you run.

PS: I merged your two topics about this, and moved it to 'General Discussion'. After all, you even made a third post about it... in just 9 minutes.

Re: WinSpy from Sourceforge is not safe to download ??!! VirusTotal reports about 10 viruses

Posted: 20 Sep 2022, 08:49
by alf2314
gregster wrote:
20 Sep 2022, 01:32
@alf2314:
It's not unusual that AHK scripts get a lot of false positives from lazy antivirus vendors.

If I read the initial post of that topic correctly, the uncompiled script is included in the download. So you can inspect what you run.

PS: I merged your two topics about this, and moved it to 'General Discussion'. After all, you even made a third post about it... in just 9 minutes.
hi there.

1) I only followed the logic: the original topic is placed in the "Scripts and Functions" category, not "General Discussions". Also, in the categories list there is no "your suggestions" or similar.
2) This is not a no-name program from nowhere. I've seen references to this program about 10 times since I joined the forum, thus I might think it is valued software for the community here. For this reason I thought it was important to at least point it out. Of course, when I learnt about such a powerful program, that I need for my workflow, I ran to download it, and was shocked by the viruses' "quantity". I don't believe any experienced Internet user would give a ... and just open it up. But since AHK is a respected forum, which is not intended to scam people, it was better to ask.

Greetings

P.S. If this doesn't make sense now, can you just remove it? Or would it be better if it exists, for anyone in the future who also would feel suspicious?

Re: WinSpy is reported to have 10 viruses on VirusTotal

Posted: 20 Sep 2022, 09:00
by alf2314
Animan8000 wrote:
20 Sep 2022, 01:22
Wrong thread category. Also the 7z includes .exe files, which is why it gets flagged...
Hello, @Animan8000, thanks for your detailed reply. It seems clearer now.

Re: WinSpy from Sourceforge is not safe to download ??!! VirusTotal reports about 10 viruses

Posted: 20 Sep 2022, 13:13
by FanaticGuru
gregster wrote:
20 Sep 2022, 01:32
@alf2314:
If I read the initial post of that topic correctly, the uncompiled script is included in the download. So you can inspect what you run.

I've been running the uncompiled version of the script for years without problems.

Looking through the code, it does do things that I imagine virus detection programs would not like, as it interacts with other programs pretty intensely through OpenProcess, which it uses to get information about other applications, especially their windows and GUI components.

So it might be just the standard compiled AHK false flags or something more specific to WinSpy.

Either way, the WinSpy uncompiled script file looks safe to me, and it is my go-to for this type of thing.

FG

Re: WinSpy from Sourceforge is not safe to download ??!! VirusTotal reports about 10 viruses

Posted: 20 Sep 2022, 13:34
by gregster
alf2314 wrote:
20 Sep 2022, 08:49
2) This is not a no-name program from nowhere. I've seen references to this program about 10 times since I joined the forum, thus I might think it is valued software for the community here.
It's definitely a useful program, and its creator Alguimist is a valuable long-time member of this community, who e.g. created the Adventure IDE (and AutoGUI before that). But I think his WinSpy is actually not as well-known as it would deserve. Probably you have seen more references to the "WindowSpy" script which is included with any AHK installation, and which can be accessed through the context menu of a script's tray icon. That's a simple standard program which people use every day to determine coordinates and window titles.
Alguimist's WinSpy can do a lot more, but is also more complex, and probably does more things which might get the attention of an antivirus, like FG explained above.

Re: WinSpy from Sourceforge is not safe to download ??!! VirusTotal reports about 10 viruses

Posted: 23 Sep 2022, 03:15
by mamarich4
same problem

Re: WinSpy from Sourceforge is not safe to download ??!! VirusTotal reports about 10 viruses

Posted: 23 Sep 2022, 04:20
by Animan8000
mamarich4 wrote:
23 Sep 2022, 03:15
same problem
Whitelist it