It appears that TR/Spy.Gen, Troj/Spy-AHK, Troj~AutoHK-E, TR/Crypt.XPACK.Gen2... are various old or generic threat files associated with AutoHotkey, from my basic research on it. Some of these files are 3 to 5 years old. Various anti-virus and anti-malware companies seem to be way too lazy
in their identification process. To include just throwing things under a generic
and vague labels with no details as to exactly what is going on other than you should hurry up and buy their product to remove threats.
Also, the heuristics of various scanners can be too sensitive, to also cause false positives. Though sometimes that can be the fault of the user playing with configuration settings.
AutoHotkey_L is a particular easy scripting language to make a MD5 hash of, pull attached user script from out of the "compiled" exe, or distinguish it from a threat as it's open source. People can literally use nothing more sophisticated than just Windows Notepad to get the user script and separate it from the AutoHotkey_L source code.
Having a hard time with AutoHotkey, is like having an issue with a .bat, .cmd, or VBScript. Not to say there can't be any sophistication or they can't cause havoc, but it's not like something made in C or assembly language, and all kinds of special tools are needed to figure out what's going on. Often, it's pretty clear to any casual programmer what it is doing, so a real experienced specialist should have an even easier time figuring out what's up.
The anti-virus/anti-malware companies that seem to excessively mislabel AutoHotkey are Sophos and Avira. And then there is Google adding to the weirdness by flagging the download site. I'm not exactly sure what's behind doing this, but it is weird.
A developer at NirSoft made a great blog post about the problem. What he said is as true today, as it was back then. Some companies have a business agenda, so arguably mislabel and create false positives for sale purposes. The more fear and confusion; they think it will get them more sales.
From NirBlog and NirSoft
http://blog.nirsoft.net/2009/05/17/anti ... developers
Help me and other developers !
If you feel frustrated, like me, about all these false alerts, you can help me and other small developers to stop Antivirus programs from detecting innocent tools as Viruses/Trojans.
What can you do ?
Here’s some examples:
Add your comments to this article about False Positives problems you experience (As user or as software developer)
Send this post to your friends, so they’ll know more about false positive problems.
If you constantly pay for licenses and updates for your Antivirus software,
don’t hesitate to call your Antivirus company and require them to stop the false alerts.
You pay for your Antivirus product, and you deserved to get a reliable product that detect only real viruses.
If you have any contact with large magazine writer/journalist, you may try to offer him to make a research and/or write an article about all false alerts problems made by Antivirus.
Unfortunately, some magazines will never write an article against the Antivirus companies, because these companies also pay for advertising in these magazines.
In the bottom line, if the false positives problem will make too much noise in the media, the Antivirus companies will understand that false positives may also hurt their reputation and decrease their product sells, and eventually they will give more priority to fix the false alerts in their products.