Microsoft Defender deleting my apps

[roysubs]

I hate Microsoft and Google and how they try to kill AutoHotkey ...

Whenever my compiled code is seen by Microsoft Defender I now get the below. What is this Fuerboos.D!cl crap ...

My question is: what can I do to prevent this? Is there a way to authorise my compiled code somehow to prevent the crappy-and-wrong detections by Microsoft and Google and AV tools?

==========

Trojan:Win32/Fuerboos.D!cl

Alert level: Severe
Status: Active
Date: 03/12/2018

Recommended action: Remove this threat now.

Category: Trojan
Details: This program is dangerous and executes commands from an attacker.

Affected items:
file: \\HP1\Drive-D\Test Tool.exe

Learn more:
https://www.microsoft.com/en-us/wdsi/th ... 2147723655

[Scr1pter]

Hi,
I have similar problems.

Just don't create exe files.
After you save a script as an AHK file, just run it with AutoHotkeyA32.exe, AutoHotkeyU32.exe or AutoHotkeyU64.exe.
I know it's not the best advice, but I never have problems running ahk files.

Regards

[JoeWinograd]

what can I do to prevent this?

Submit the file for malware analysis here:

https://www.microsoft.com/en-us/wdsi/filesubmission

Regards, Joe

[Masonjar13]

Sure, just disable Defender. Use something better, like Malwarebytes.

[SOTE]

I hate Microsoft and Google and how they try to kill AutoHotkey ...

Whenever my compiled code is seen by Microsoft Defender I now get the below. What is this Fuerboos.D!cl crap ...

My question is: what can I do to prevent this? Is there a way to authorise my compiled code somehow to prevent the crappy-and-wrong detections by Microsoft and Google and AV tools?

It's unfortunate, and in the case of Google, I'm suspicious of a business agenda against small software developers or certain programming languages.

With Microsoft, there are several measures that you can do to combat the situation:

1) Make an exception in Microsoft Defender. It should then ignore the file and let it run normally.

https://support.microsoft.com/en-us/hel ... s-security

2) Submit a false positive report to Microsoft. Specify "No — this file has been incorrectly detected"

https://www.microsoft.com/en-us/wdsi/filesubmission

Code: Select all

Do you believe this file contains malware?

Yes

No — this file has been incorrectly detected

Select the Microsoft security product used to scan the file *

Send Feedback to Google and tell them about what they are doing wrong.

[SOTE]

Sure, just disable Defender. Use something better, like Malwarebytes.

You don't have to turn Microsoft Defender off. You can make an exception, so that Defender ignores the file. Also, Malwarbytes is for malware, but doesn't exactly do Anti-Virus the best. It's arguably not complete protection, unless it's run with an Anti-Virus program that is more specifically dedicated for the purpose. And 2 other points: 1) Microsoft Defender is free 2) Microsoft has an advantage, since they have created Windows.

[swagfag]

Report it to the vendor. Are you mpressing the file?

[roysubs]

Thanks, this is good stuff.

I want it to be a .exe as it will potentially be used by a community of a few hundred people (many of whom are computer illiterates that say things like "what is a zip file?" so I need to keep is as simple as possible.

I do use the mpress flag swagfag, but I've never really worked out if it does do this (I'm illiterate when it comes to mpress! I've never known this compression, is it just done internally by the compiler, or is it a separate tool that I have to download)? Would being mpressed make it more likely to be flagged?

[SOTE]

Hi,
I have similar problems.

Just don't create exe files.
After you save a script as an AHK file, just run it with AutoHotkeyA32.exe, AutoHotkeyU32.exe or AutoHotkeyU64.exe.
I know it's not the best advice, but I never have problems running ahk files.

Regards

I think you might be only accounting for "personal use" type situations, like one person on one computer.

The problem comes when you are sharing AutoHotkey files with others or running the script on multiple computers. People are often not interested in going through any hassles or weirdness. Usually they expect an .exe that does what the creator said it will do. And this problem gets multiplied if you are creating a script for a company, school, or large group that are counting on it. It's usually way more convenient to just have an .exe that works.

And as far as the anti-virus problem, I have seen Google, Chrome, and Firefox (Mozilla) designate website directories and .zip files as malware. To include open source files on GitHub. So the website you will download the file from, is marked as bad and the download is blocked.

Various lazy or incompetent Anti-Virus companies are marking the AutoHotkey files themselves as bad, not just a compiled script. So if they see AutoHotkey.exe, AutoHotkeyA32.exe, AutoHotkeyU32.exe or AutoHotkeyU64.exe then they will falsely designate them as malware.

You have to also take in account the business agendas and profit schemes of various AV companies. That is, they can believe it's in their financial interest to spread fear and falsely label files, in order to scare people into buying or using their products. Laymen, that know little about IT or computers, will think they are protected even though the terrible AV program is making false alerts and misidentifying files. You can see this more clearly, when the AV company gives almost no information about a supposed threat. It demonstrates they did little to no research or they "borrowed" the information that a file was a threat from some 3rd party source.

[SOTE]

Thanks, this is good stuff.

I want it to be a .exe as it will potentially be used by a community of a few hundred people (many of whom are computer illiterates that say things like "what is a zip file?" so I need to keep is as simple as possible.

I do use the mpress flag swagfag, but I've never really worked out if it does do this (I'm illiterate when it comes to mpress! I've never known this compression, is it just done internally by the compiler, or is it a separate tool that I have to download)? Would being mpressed make it more likely to be flagged?

Below is an article that talks about the packers that are commonly used.
https://sarvamblog.blogspot.com/2013/05 ... ystem.html
(Nearly 70% of Packed Windows System files are labeled as Malware)

There have been several experiments, where researchers took known good files from Windows itself and packed them. Many AV companies reported it as a virus, merely based on the packer. Often, the methodology used by the AV company was laziness, so they didn't take the extra steps to determine a true threat.

Of the packers, UPX was the least likely to get flagged, because it's the most well known and it comes with an unpacker that many AV companies are likely to include with their program.

[Scr1pter]

@SOTE:
Yes, I was refering to usage by guys like us.
Of course you're right that using an exe file seems to be easier for "normal users".
(Didn't know your situation )

Regards

[Datapoint]

Of course you're right that using an exe file seems to be easier for "normal users".

I've had some success with distributing 'shortcuts' (.lnk) instead of exe's. https://autohotkey.com/boards/viewtopic ... 00#p215100

[gregster]

I want it to be a .exe as it will potentially be used by a community of a few hundred people (many of whom are computer illiterates that say things like "what is a zip file?" so I need to keep is as simple as possible.

I seriously doubt that "computer illiterates" prefer exes that cause (false) anti-virus messages...

[SOTE]

Of course you're right that using an exe file seems to be easier for "normal users".

I've had some success with distributing 'shortcuts' (.lnk) instead of exe's. https://autohotkey.com/boards/viewtopic ... 00#p215100

I agree that on the same network this solution is viable. However, that's not always the case when needing to send out an AutoHotkey script. Examples: remote users on different networks, users with notebook computers working from home, charity group where they don't work together, etc...

And if you are one of the administrators of a company's or school's IT dept, or a manager or boss, you usually have several methods available. Like simply having the Anti-Virus scanner specifically ignore your compiled .exe, since clearly the IT people should know if their own source code or script is safe or not and often can control settings on the Anti-Virus scanner.

Consequently, you still have to address the false positive issue that plagues AutoHotkey, when dealing with people and situations outside of network or direct control. This appears to be happening with other automation scripting languages like AutoIt and WinBatch. And to include small software developers or small business websites.

Here, this is where Google can quietly do massive damage and cross the line. By the way, Google owns VirusTotal too. If you are not "paying them for advertising" or directly within their business sphere of influence, it's possible they see such small or independent businesses or certain programming languages as threats, or just as bad, don't care about any damage they are doing to them. To include Google's Android OS, apps on Google Play, their Kotlin programming language, or their advertisement business (Google Ads). Even if a company or independent software developer wanted nothing whatsoever to do with Google, you still have to deal with them, because they provide a huge portal to your website and can arbitrary designate your website or software as bad malware and destroy your presence on the Internet, destroy a business, or negatively affect distribution of any software.

If Google and/or Microsoft label your software as malware, then usually this will be a big problem for any person distributing an AutoHotkey script solution to any significant amount of people. "Is this a virus?" "Is your website dangerous?" "OMG, do you know your software/website is infected?" Just the constant user backlash and questioning the legitimacy of your software can get excessively annoying.

These days, it appears a software creator or developer has no choice but to have contingency plans ready for if their software or script is falsely identified as a virus, like submitting false positive reports to Microsoft and any AV vendor that you can.
https://www.techsupportalert.com/conten ... endors.htm
(How to Report Malware or False Positives to Multiple Antivirus Vendors)

And of everyone, Google will likely be the hardest and most frustrating to deal with. Google is absolutely horrible at customer support and relations. They make their money off of software, and a lot of it from their search engine, targeted ads, and collecting personal information. Getting in contact with a direct employee of Google that has decision making control is nearly impossible. Often they have bots and software handling any issues, and as few humans as possible, to keep their profits high. Nevertheless, if you are a website master, software developer, or small business then it's best to learn how to deal with them too. That means lots of e-mailing them and feedback about false positives as well.

[Masonjar13]

You don't have to turn Microsoft Defender off. You can make an exception, so that Defender ignores the file. Also, Malwarbytes is for malware, but doesn't exactly do Anti-Virus the best. It's arguably not complete protection, unless it's run with an Anti-Virus program that is more specifically dedicated for the purpose. And 2 other points: 1) Microsoft Defender is free 2) Microsoft has an advantage, since they have created Windows.

A virus is a type of malware. Therefore, if something is protecting from malware, it inherits protecting from viruses. How well MBAM in particular handles virus-type malware, I'm unclear. They focus more on 0-day exploits, for sure.

Anyway, yes an exception would work, but you'd have to make a bunch of them. If they're kept in a single directory, you should be able to white-list the folder, and subsequently all sub-directories. In my experience, I found Defender to be a worse version of MSE, not sure how that is the case. Perhaps because I disdain Windows 10? Honestly, I haven't had any type of malware for the past 12 years, so I find Defender to be superfluous, while MBAM can be used as a highly effective scanner. But that's just me, I suppose.

As I've seen for other users, and noted here, UPX does seem to be detected less, though I wouldn't know first-hand. I use MPress for all my binaries and haven't encountered any issues.