Norton at it again! Heur.advml.b

Blue Kodiak
Posts: 26
Joined: 17 Mar 2019, 00:45

Norton at it again! Heur.advml.b

28 Mar 2019, 02:22

As of a few hours ago Norton has started flagging compiled scripts as High Risk and quarantining them.

I say once again because I had the same problem back in 2017. Then it went away. But now it's back.

If I remember correctly back in 2017 it also flagged the ahk-basic ahk2exe executable as infected.

Running a full system scan right now and the tally is going up.

Not impressed - unless it really is an infection but I doubt that.

Is there a solution to this?
nnnik
Posts: 4500
Joined: 30 Sep 2013, 01:01
Location: Germany

Re: Norton at it again! Heur.advml.b

28 Mar 2019, 02:49

Report the false positives to Norton.
Recommends AHK Studio
AHKStudent
Posts: 1472
Joined: 05 May 2018, 12:23

Re: Norton at it again! Heur.advml.b

28 Mar 2019, 03:06

All compiled scripts? I do not get any virus alerts
Blue Kodiak
Posts: 26
Joined: 17 Mar 2019, 00:45

Re: Norton at it again! Heur.advml.b

28 Mar 2019, 03:17

AHKStudent wrote:
28 Mar 2019, 03:06
All compiled scripts? I do not get any virus alerts
I wasn't getting them yesterday either; you never know what joys tomorrow might bring you.
Blue Kodiak
Posts: 26
Joined: 17 Mar 2019, 00:45

Re: Norton at it again! Heur.advml.b

28 Mar 2019, 03:25

nnnik wrote:
28 Mar 2019, 02:49
Report the false positives to Norton.
I might do that after the full scan completes - as long as they don't want me to yield control of my system over to them.
I need firewall and antiviral to be safe but I try to keep this system (my development platform) as isolated as possible
to reduce the chances of something getting past them.

2,500,000 files scanned so far - it's going to be a long wait.
AHKStudent
Posts: 1472
Joined: 05 May 2018, 12:23

Re: Norton at it again! Heur.advml.b

28 Mar 2019, 03:40

Blue Kodiak wrote:
28 Mar 2019, 03:17
AHKStudent wrote:
28 Mar 2019, 03:06
All compiled scripts? I do not get any virus alerts
I wasn't getting them yesterday either; you never know what joys tomorrow might bring you.
How many of your compiled did it mark as a virus? What version ahk?
Blue Kodiak
Posts: 26
Joined: 17 Mar 2019, 00:45

Re: Norton at it again! Heur.advml.b

28 Mar 2019, 03:54

The Norton app "should" have links but thanks anyway.
555 quarantines so far - not counting the popup notification I was getting every few minutes that caused me to start the scan.
Maybe around half of those are/were temporary files or already in the recycle bin.
Still, yesterday nothing and today it's going to be 600+ detections - some of them in files archived years ago.
Blue Kodiak
Posts: 26
Joined: 17 Mar 2019, 00:45

Re: Norton at it again! Heur.advml.b

28 Mar 2019, 04:32

How many of your compiled did it mark as a virus?
See my previous reply.
What version ahk?
I was thinking some might be older ahk basic but it looks like they're all 1.1.27.07 U64
Blue Kodiak
Posts: 26
Joined: 17 Mar 2019, 00:45

Re: Norton at it again! Heur.advml.b

28 Mar 2019, 15:46

OMG, the scan is still running, for almost 14 hours now.
605 hits so far but it's not as bad as I thought as most of those aren't significant.
Still not good though. Approximately 150 to 200 AHK 1.1.27.07 executables have been quarantined.
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Norton at it again! Heur.advml.b

28 Mar 2019, 16:20

Blue Kodiak wrote:
28 Mar 2019, 15:46
OMG, the scan is still running, for almost 14 hours now.
605 hits so far but it's not as bad as I thought as most of those aren't significant.
Still not good though. Approximately 150 to 200 AHK 1.1.27.07 executables have been quarantined.
Did you submit a false positive report? You didn't clearly answer the question on that.

Were these compiled scripts? If it's the AutoHotkey.exe, then you can submit that to Norton in order to get it cleared. As an open source tool, where the source code can be viewed and compared, it shouldn't be a problem for any competent personnel to clarify and verify.

If these are fake versions of AutoHotkey, that's a different matter. If it's a fake version of AutoHotkey, Norton researchers can identify such. And you can reinstall the real AutoHotkey from this website or GitHub.

https://www.autohotkey.com/boards/viewtopic.php?f=17&t=62266
(Report False-Positives To Anti-Virus Companies)
Blue Kodiak
Posts: 26
Joined: 17 Mar 2019, 00:45

Re: Norton at it again! Heur.advml.b

28 Mar 2019, 16:43

SOTE wrote:
28 Mar 2019, 16:20
Did you submit a false positive report? You didn't clearly answer the question on that.
I said I would do that when the scan is complete.
Then I can also select a quarantined file to upload - if I can get one back out of quarantine.
I can't restore them from my day-to-day account (the one I'm using); there is no restore option.
I will have to log back in as Admin and try again.
If that fails .... well then I won't have anything I can send them - brick wall. :headwall:
Are there fake AHK exes around? Presumably not at autohotkey.com.
The affected exes seem to be ones that make a lot of API calls.
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Norton at it again! Heur.advml.b

28 Mar 2019, 17:16

Blue Kodiak wrote:
28 Mar 2019, 16:43
SOTE wrote:
28 Mar 2019, 16:20
Did you submit a false positive report? You didn't clearly answer the question on that.
I said I would do that when the scan is complete.
Then I can also select a quarantined file to upload - if I can get one back out of quarantine.
I can't restore them from my day-to-day account (the one I'm using); there is no restore option.
I will have to log back in as Admin and try again.
If that fails .... well then I won't have anything I can send them - brick wall. :headwall:
Are there fake AHK exes around? Presumably not at autohotkey.com.
The affected exes seem to be ones that make a lot of API calls.
You have a group of options that you can try, which may solve the problem:

1) You can attempt to re-download a fresh copy of that version of AutoHotkey from this website or GitHub.

Might be that your previous files were corrupt or fake, where the new download will not be.

2) If your Anti-Virus detects a fresh copy as malicious...

A) You might be able to provide Norton personnel with the link to the file

Keep in mind, it's very doubtful that the version from this website or GitHub will be malicious, since code is open-source and easy to inspect.

B) Turn off your Anti-Virus temporarily, download the file from this website or GitHub, and then upload the file to Norton

3) You can make an exception in your Anti-Virus scanner to leave AutoHotkey files alone.

https://smallbusiness.chron.com/set-exclusions-norton-antivirus-61906.html
(How to Set Exclusions in Norton Antivirus)

https://community.norton.com/en/forums/nis-2017-how-whitelist-program
(How to Whitelist... a program?)
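
Added example, not part of the original thread or of any poster's reply: a PowerShell script for the check behind option 1 above, hashing the installed AutoHotkey binaries and comparing them with a freshly downloaded copy of the same version to tell a corrupt or replaced file from a heuristic false positive. Both directory paths are assumptions. It applies only to the stock binaries; a compiled script embeds the script itself, so its hash differs from every reference file by design.

```powershell
# Added example: compare installed AutoHotkey binaries with a fresh reference copy.
# Both default paths are assumptions; pass your own with -InstalledDir / -ReferenceDir.
param(
    [string]$InstalledDir = 'C:\Program Files\AutoHotkey',
    [string]$ReferenceDir = "$env:USERPROFILE\Downloads\ahk-fresh"  # extracted fresh download, same version
)

# Build a table of relative path -> SHA-256 for every .exe/.bin under a root.
function Get-HashIndex([string]$Root) {
    $base  = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    $index = @{}
    Get-ChildItem -LiteralPath $base -Recurse -File |
        Where-Object { $_.Extension -in '.exe', '.bin' } |
        ForEach-Object {
            $rel = $_.FullName.Substring($base.Length + 1)
            $index[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    return $index
}

$ref  = Get-HashIndex $ReferenceDir
$inst = Get-HashIndex $InstalledDir

# Classify each installed binary against the reference copy.
$report = foreach ($rel in ($inst.Keys | Sort-Object)) {
    if (-not $ref.ContainsKey($rel)) {
        $status = 'NotInReference'   # e.g. a compiled script or an extra tool
    }
    elseif ($ref[$rel] -eq $inst[$rel]) {
        $status = 'Match'            # byte-identical to the fresh download
    }
    else {
        $status = 'Mismatch'         # different version, corruption, or tampering
    }
    [pscustomobject]@{ File = $rel; Status = $status; SHA256 = $inst[$rel] }
}

$report | Format-Table -AutoSize

# Files worth a closer look before adding any exclusion.
$suspect = @($report | Where-Object { $_.Status -eq 'Mismatch' })
if ($suspect.Count -gt 0) {
    Write-Warning "$($suspect.Count) installed file(s) differ from the reference copy."
}
```

A `Match` on a file the scanner still flags is useful evidence to include in a false-positive submission; a `Mismatch` should be resolved before the file is excluded from scanning.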
Blue Kodiak
Posts: 26
Joined: 17 Mar 2019, 00:45

Re: Norton at it again! Heur.advml.b

29 Mar 2019, 03:06

SOTE wrote:
28 Mar 2019, 17:16
You have a group of options that you can try, which may solve the problem:
Will give those a try.
That will have to be another day -- when the full scan has finished.
Over 24 hours now and it's still going. :yawn:
Blue Kodiak
Posts: 26
Joined: 17 Mar 2019, 00:45

Re: Norton at it again! Heur.advml.b

29 Mar 2019, 15:36

Submitted to Norton/Symantec.
Hopefully they will fix it.
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Norton at it again! Heur.advml.b

29 Mar 2019, 19:17

Blue Kodiak wrote:
29 Mar 2019, 15:36
Submitted to Norton/Symantec.
Hopefully they will fix it.
Good to know. Please do let us know the results when you get them.

Also, Heur.AdvML.B is a heuristic detection. This type of detection is a "best guess" based on machine learning versus a verified signature, and is more likely to be a false-positive or wrong. Therefore, making an exception for AutoHotkey or changing the heuristic detection settings are some ways to get around the issue. If you Google Heur.AdvML.B, you will see many Norton/Symantec users complain about this issue.
