Hello,
I'm using Autohotkey for serveral years now and i have build numerous applications/tools for both private and business environments. Let me be clear, i do not build virus or mallware like applications and i compile my programs on a clean (virtual) computer that is not connected to the internet but when i check my compiled executables on sites like https://www.virustotal.com/ some of them (not all) generate false positive hits on some of the anti virus scans for various mallware or other malicious software. One of my largest executable eventually generated false positive on 15 out of 57 anti virus scanners. I know this is a problem experienced by other developers as well (see http://stackoverflow.com/questions/4237 ... y-software).
I am getting most hits for the following malicious software:
Gen:Variant.Kazy.517327
Trojan.Win32.VBKrypt!O
Is there any way to prevent such false positives other than reporting this to the antivirus software developers? Are other Autohotkey users expirence the same problem?
I hope someone can help.
Regards,
Ferry
False positive on antivirus programs
Re: False positive on antivirus programs
Hello Ferry.
And welcome to the Autohotkey Community forums.
Some of the false-positives AHK executables get are related to the use of Mpress (there is a flag to disable it's usage on the native compiler), so you may try and disable that flag. The most complained drawback to doing this is that anyone will be able to see your source by just opening the EXE on notepad and scrolling down (not that Mpress will make it much harder than that for a programer though).
Also, if this doesn't work, not much can be done about that AFAIK. Perhaps trying a different packer, but i won't guarantee. The thing is that AutoHotkey doesn't really "compile" to an EXE, so all EXEs will have code for all of the functionality the original AutoHotkey EXE has, and having code in your EXE that calls APIs to record keystrokes (in example), regardless of whether it will be used or not, simply makes AVs go mad
Thats all i have for you at the moment.
Best wishes
And welcome to the Autohotkey Community forums.
Some of the false-positives AHK executables get are related to the use of Mpress (there is a flag to disable it's usage on the native compiler), so you may try and disable that flag. The most complained drawback to doing this is that anyone will be able to see your source by just opening the EXE on notepad and scrolling down (not that Mpress will make it much harder than that for a programer though).
Also, if this doesn't work, not much can be done about that AFAIK. Perhaps trying a different packer, but i won't guarantee. The thing is that AutoHotkey doesn't really "compile" to an EXE, so all EXEs will have code for all of the functionality the original AutoHotkey EXE has, and having code in your EXE that calls APIs to record keystrokes (in example), regardless of whether it will be used or not, simply makes AVs go mad
Thats all i have for you at the moment.
Best wishes
"What is suitable automation? Whatever saves your day for the greater matters."
Barcoder - Create QR Codes and other Barcodes using only Autohotkey !!
Archmage Gray - A fantasy shooter game fully coded in AutoHotkey
Barcoder - Create QR Codes and other Barcodes using only Autohotkey !!
Archmage Gray - A fantasy shooter game fully coded in AutoHotkey
Re: False positive on antivirus programs
Hi Gio,
Thanks for your reply. I will do some tests regarding the use of mpress.exe. Is it possible to still use UPX.exe? Are there any other alternatives for mpress or upx? I'm not really worried about the code being visable or not but i'am worried about false positives and people claiming your program contains a virus.
Regards,
Ferry
Thanks for your reply. I will do some tests regarding the use of mpress.exe. Is it possible to still use UPX.exe? Are there any other alternatives for mpress or upx? I'm not really worried about the code being visable or not but i'am worried about false positives and people claiming your program contains a virus.
Regards,
Ferry
Re: False positive on antivirus programs
I have had that issue with mpress also. But even without it, my compiled exe file will sometimes be flagged and quarantined by Norton on my system. I have had a few users complain about their AV software removing the exe when they try to install it. Part of that is that I wrap it with a software protection/licensing interface package, and that has been known to get false positives no matter what kind of code it's wrapped around (the exe file from a compiled C++ application, typically).
Who is online
Users browsing this forum: RandomBoy and 184 guests