Report False-Positives To Anti-Virus Companies

WeedTrek
Posts: 20
Joined: 22 Mar 2019, 14:29
Location: Cache Creek BC Canada

Re: Report False-Positives To Anti-Virus Companies

26 Mar 2019, 17:40

Thanks for this, AVG always says "whoa hold on there might be bad stuffs and the boogeyman in there, let me think you're under virus attack for the next 30 seconds" while I grind my teeth and shake my fist at the mainstream corporate elites who would only serve Gates-friendly DARPA software to the vaccinated masses.
My Weed Trek video archive: http://weedtrek.ca
Tigerlily
Posts: 283
Joined: 04 Oct 2018, 22:31

Re: Report False-Positives To Anti-Virus Companies

26 Mar 2019, 18:49

Sam_ wrote:
26 Mar 2019, 16:01
More often than not, I have found that AV software tends to complain about compiled AHK scripts when they have been compressed with mpress. Apparently, overzealous AV software sees compressed EXEs as an attempt to hide or obfuscate ("malicious") code, which I find a shame. As a result, I have gone away from allowing the compiler to use mpress. Every now and then I'll still have a user report that some AV program complains about a compiled script (or experience it myself), but it's much more rare.
Sam_, I've experienced the same things, and chose to now compile without MPRESS too.
-TL
SOTE
Posts: 736
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

26 Mar 2019, 18:56

Sam_ wrote:
26 Mar 2019, 16:01
More often than not, I have found that AV software tends to complain about compiled AHK scripts when they have been compressed with mpress. Apparently, overzealous AV software sees compressed EXEs as an attempt to hide or obfuscate ("malicious") code, which I find a shame. As a result, I have gone away from allowing the compiler to use mpress. Every now and then I'll still have a user report that some AV program complains about a compiled script (or experience it myself), but it's much more rare.
Part of the reason why MPRESS creates issues with Anti-Virus vendors is that many don't have an unpacker for it. Where with UPX, the software of the Anti-Virus companies can usually unpack and inspect the contents. And use of any "exotic" or unknown packer is more likely to trigger Anti-Virus software. You might want to see if UPX won't cause you issues, or consider not using a packer.
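The packer point made in the post above can be checked on your own builds before you distribute them. The following is an added example, not code from the thread or from the AutoHotkey project: it reads a PE file's section table, names the packer from the section names that UPX (`UPX0`/`UPX1`) and MPRESS (`.MPRESS1`/`.MPRESS2`) leave behind, and reports per-section entropy, which is what a heuristic scanner sees when it has no unpacker. All function names are hypothetical, and `build_sample` produces a constructed, non-executable PE skeleton purely to exercise the parser.

```python
import math
import struct
from collections import Counter

# Section names left behind by the two packers discussed in the thread.
PACKER_MARKERS = {"UPX": ("UPX0", "UPX1"), "MPRESS": (".MPRESS1", ".MPRESS2")}

def entropy(data):
    """Shannon entropy in bits per byte; compressed data approaches 8.0."""
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values())

def pe_sections(image):
    """Return [(name, raw_bytes)] for every section of a PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off, = struct.unpack_from("<I", image, 0x3C)       # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    n_sections, = struct.unpack_from("<H", image, pe_off + 6)
    opt_size, = struct.unpack_from("<H", image, pe_off + 20)
    table = pe_off + 24 + opt_size                        # first section header
    out = []
    for i in range(n_sections):
        hdr = table + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        out.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return out

def report(image):
    """Return (packer name or None, [(section, entropy rounded to 2 places)])."""
    sections = pe_sections(image)
    names = {n for n, _ in sections}
    packer = next((p for p, m in PACKER_MARKERS.items() if names & set(m)), None)
    return packer, [(n, round(entropy(d), 2)) for n, d in sections]

def build_sample(section_names):
    """Constructed PE skeleton: first section all zeros, the rest high-entropy."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    raw_ptr = 0x40 + len(coff) + 40 * len(section_names)
    headers, bodies = b"", b""
    for i, name in enumerate(section_names):
        body = bytes(range(256)) if i else b"\0" * 256
        headers += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIII", 256, 0x1000 * (i + 1), 256, raw_ptr + len(bodies)) + b"\0" * 16
        bodies += body
    return dos + coff + headers + bodies
```

To check a real build, pass the file's bytes to `report`, for example `report(open(path, "rb").read())` with `path` pointing at your compiled script.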
robodesign
Posts: 515
Joined: 30 Sep 2017, 03:59
Facebook: marius.sucan
GitHub: mariussucan
Location: Romania

Re: Report False-Positives To Anti-Virus Companies

31 Mar 2019, 07:00

I never used MPress and I still had false positives for KeyPress OSD with no packer. However I started using the UPX packer.

In my tests, some months ago... it did not make a difference, I get the same amount of false positives with UPX or without.

Best regards, Marius.
-------------------------
KeyPress OSD v4: GitHub or forum. (presentation video)
My home page.
Grumpy IT Guy
Posts: 1
Joined: 03 Apr 2019, 03:07

Re: Report False-Positives To Anti-Virus Companies

03 Apr 2019, 03:12

I write a bunch of scripts for my work and Sophos has recently started blocking most of them, which is causing REAL grief.

On checking the actual Autohotkey install file (latest version) it also flags up as malware and won't even install it properly.

Any thoughts? Is this likely to be something changed by AHK or should I just submit it?

Edit: A very simple script of about 10 lines converted to an exe with AHK now shows up more than 11 threats on VirusTotal - this is just 1 example and is probably not worth the time it would take to submit all these false positive claims :/
I would have to consider stopping using AHK altogether which is a massive pain and a real shame.

Edit 2 : With further testing, I have discovered that using Ansi 32 bit conversion and Impress compression seems to get around Sophos, however VirusTotal still finds 8 problems with it.
Last edited by Grumpy IT Guy on 03 Apr 2019, 06:13, edited 1 time in total.
Tigerlily
Posts: 283
Joined: 04 Oct 2018, 22:31

Re: Report False-Positives To Anti-Virus Companies

03 Apr 2019, 06:10

Grumpy IT Guy wrote:
03 Apr 2019, 03:12
I write a bunch of scripts for my work and Sophos has recently started blocking most of them, which is causing REAL grief.

On checking the actual Autohotkey install file (latest version) it also flags up as malware and won't even install it properly.

Any thoughts? Is this likely to be something changed by AHK or should I just submit it?

Edit: A very simple script of about 10 lines converted to an exe with AHK now shows up more than 11 threats on VirusTotal - this is just 1 example and is probably not worth the time it would take to submit all these false positive claims :/
I would have to consider stopping using AHK altogether which is a massive pain and a real shame.
My work computer flags compiled ahk scripts as a few different types of malware because of my Windows Defender AV. It also won't let me download certain installers which I'm certain are safe. Some AVs will flag more or less threats. As always, do your due diligence to ensure there is no other malicious activity in your system. If you got it directly from this site, then it will be a safe false-positive.

It's important to submit as many false positive claims about this issue as possible across as many AV companies, so it shows that AHK has a safe community. Due to the nature of AHK being able to efficiently automate complex systems mixed with some bad people using AHK for nefarious purposes, it has gained some bad reputation within the online space that we hope to change.
-TL
gwarble
Posts: 369
Joined: 30 Sep 2013, 15:01

Re: Report False-Positives To Anti-Virus Companies

03 Apr 2019, 08:49

I also haven't used mpress (or upx) since like 2010, and still get false positives all the time on compiled scripts, so it may help but it is not a total solution. Some older versions (and simpler scripts) are 1 or 2 FPs on VirusTotal, some newer compiled ahk versions (and more complex, "invasive" but functional scripts up to 11 false positives at the moment)

I also have major problems with "Microsoft Security Essentials" (which is effectively the same as Defender afaik) and programs I run and distribute throughout my workplace, even when explicitly permitted. Even though I don't bother with reporting users' complaints about false positives for EitherMouse anymore, I've started submitting to Microsoft my own internal company programs just so they stop getting deleted.
EitherMouse - Multiple mice, individual settings . . . . www.EitherMouse.com . . . . forum . . . .
Tigerlily
Posts: 283
Joined: 04 Oct 2018, 22:31

Re: Report False-Positives To Anti-Virus Companies

03 Apr 2019, 10:00

Yeah, hopefully at some point the ratio of false positives from AHK programs will hit a threshold that they can deem it safe. Not sure if that's what will happen though.

And yes, not using MPRESS doesn't fix the false-positive flagging issue, however it does seem to slip under the radar more frequently for some AVs than when used.
-TL
SOTE
Posts: 736
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

14 Apr 2019, 04:54

gwarble wrote:
03 Apr 2019, 08:49
I also haven't used mpress (or upx) since like 2010, and still get false positives all the time on compiled scripts, so it may help but it is not a total solution. Some older versions (and simpler scripts) are 1 or 2 FPs on VirusTotal, some newer compiled ahk versions (and more complex, "invasive" but functional scripts up to 11 false positives at the moment)

I also have major problems with "Microsoft Security Essentials" (which is effectively the same as Defender afaik) and programs I run and distribute throughout my workplace, even when explicitly permitted. Even though I don't bother with reporting users' complaints about false positives for EitherMouse anymore, I've started submitting to Microsoft my own internal company programs just so they stop getting deleted.
Some good points.

And we have to stay on these Anti-Virus companies, because arguably a lot of this drama is about laziness. High level programmers working at these Anti-Virus companies should have a much easier time analyzing an open source interpreted scripting language, in comparison to traditionally compiled languages or closed source, to determine if there is really a threat. There are a number of ways for them to see the script, even when "bound" to the open source executable. Just no excuse for the silliness that is taking place or out of control heuristic scanners labeling anything as a threat.
Sam_
Posts: 106
Joined: 20 Mar 2014, 20:24

Re: Report False-Positives To Anti-Virus Companies

18 Apr 2019, 06:02

RachelKieran wrote:
17 Apr 2019, 06:10
Antiviruses generally make the PC performance low and sometimes it even sends virus in your computer if you do not purchase the premium version of many software.
Please cite your sources. I'm interested to know where you are getting this information.
SOTE
Posts: 736
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

23 Apr 2019, 01:29

mariafox wrote:
23 Apr 2019, 00:52
Thank god that McAfee is not included above list, this is the best Antivirus ever because of its better performance & response. Good thing is there is no available option of false detection form.
What are you talking about? McAfee has a false-positive procedure, where you inform them by e-mail, and they are included.
gregster
Posts: 2810
Joined: 30 Sep 2013, 06:48

Re: Report False-Positives To Anti-Virus Companies

23 Apr 2019, 09:57

SOTE wrote:
23 Apr 2019, 01:29
What are you talking about? McAfee has a false-positive procedure, where you inform them by e-mail, and they are included.
"Rachel" and "Maria" are both accounts that have connections to the same company (you can find it in their account details, see under "Website"). Other accounts with the same affiliation also made strange posts before and - from time to time - dropped a link or two (and some have been banned, iirc). They don't seem to be bots, but I strongly suspect that they mainly contribute something in order to advertize casually later and not because they have any real interest in the subject.

@mariafox and @RachelKieran, do you mind to elaborate on your strange posts here or are you ok with permanently closing your accounts?
nnnik
Posts: 4242
Joined: 30 Sep 2013, 01:01
Location: Germany

Re: Report False-Positives To Anti-Virus Companies

23 Apr 2019, 11:09

They are spam bots. Quite good ones too. Took us quite long to notice this.
Recommends AHK Studio
chrispeddler
Posts: 3
Joined: 10 May 2019, 04:30

Re: Report False-Positives To Anti-Virus Companies

20 May 2019, 21:54

Thank you for the info. Will do take note of this.
sushanthpandiri
Posts: 1
Joined: 29 Jul 2019, 07:23

Re: Report False-Positives To Anti-Virus Companies

29 Jul 2019, 07:26

Thank you SOTE for the valuable information.
