20 Sep 2022, 01:22
Wrong thread category. Also the 7z includes .exe files, which is why it gets flagged. And that, my friend, is why I don't use an Anti-Virus. Resources get wasted while also producing false positives. Common sense still gives you more security than any AV ever will.
@alf2314 To put it more into context: the way ahk2exe works is that it uses a copy of the whole AutoHotkey interpreter. That copy gets the script injected inside the exe as an RCDATA resource, so it's not traditional compiling into machine code, and the source is visible in plain text in the binary as well as in memory. Why does it get flagged as a virus? Because a few script kiddies have made malware in AutoHotkey in the past, and the big problem here is that AV companies are unfortunately often lazy, and they're probably not going to bother about a non-mainstream scripting language. They flag the interpreter itself instead of the plain text script (the actual potential danger source), which is a big problem and causes massive amounts of false positives. People attempted years ago to contact AVs to fix the issue, but AVs will probably never care. With that being said, it's most likely harmless. And if you're concerned, you can look into the binary (or use Resource Hacker, if that makes it easier in your case) to see the plain text script, assuming it's not compressed. If it is compressed, there are also ways to decompress it.
Also, if I do a real virus investigation, like an unknown exe in an unknown language, the virus scan results are one thing; however, it's not uncommon for new, really destructive malware to have 0 detections at the beginning. What you can do is check the functions a program is capable of, to know its behavior (like changing files without user consent, stealing data and sending it to a malicious server, etc.), see if the file is really large and contains lots of NULL (empty) bytes to bypass virus scanners (big red flag), and if I still decide to run it, then I do so in a virtual machine that won't have any internet access. It's not a perfect solution, but if it infects a VM, then I can roll it back to a previous snapshot and the VM is fine again.
Cheers.
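As an added example (not the poster's code and not part of AutoHotkey or ahk2exe): a small offline triage script that applies two of the checks the post describes, measuring how much of a file is NULL padding and pulling the readable plain-text runs (such as an embedded script) straight out of the bytes, `strings`-style. The threshold, the minimum run length and the sample bytes are constructed assumptions; the sample is a fake header plus a made-up script plus a block of NULLs, not a real compiled AutoHotkey binary.

```python
"""Offline triage helper for an unknown executable (added example, not from the post).

It applies two of the checks described above: how much of the file is NULL
padding, and which plain-text runs (such as an embedded script) are readable
straight out of the binary. The threshold and sample bytes are constructed
assumptions, not values from the post or from AutoHotkey.
"""
import re
import sys
from dataclasses import dataclass, field

NULL_RATIO_THRESHOLD = 0.5   # assumed cut-off: more than half NULLs is suspicious
MIN_STRING_LEN = 8           # assumed minimum length for a printable run


@dataclass
class Triage:
    size: int
    null_ratio: float
    longest_null_run: int
    padded: bool
    strings: list = field(default_factory=list)


def null_ratio(data: bytes) -> float:
    """Fraction of bytes that are 0x00."""
    return data.count(0) / len(data) if data else 0.0


def longest_null_run(data: bytes) -> int:
    """Length of the longest contiguous run of 0x00 bytes (padding shows up here)."""
    return max((len(m.group()) for m in re.finditer(rb"\x00+", data)), default=0)


def printable_runs(data: bytes, min_len: int = MIN_STRING_LEN) -> list:
    """ASCII printable runs of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data: bytes) -> Triage:
    """Combine the checks into one record the caller can inspect or assert on."""
    ratio = null_ratio(data)
    return Triage(
        size=len(data),
        null_ratio=ratio,
        longest_null_run=longest_null_run(data),
        padded=ratio >= NULL_RATIO_THRESHOLD,
        strings=printable_runs(data),
    )


# Constructed sample: a fake DOS/PE-like header, a plain-text script, then NULL padding.
SAMPLE_HEADER = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
SAMPLE_SCRIPT = b"; constructed sample script\nMsgBox, Hello from the embedded script\n"
SAMPLE_PAD = b"\x00" * 4096
SAMPLE_BINARY = SAMPLE_HEADER + SAMPLE_SCRIPT + SAMPLE_PAD


def report(data: bytes) -> str:
    """Human-readable summary of the triage result."""
    t = triage(data)
    lines = [
        f"size: {t.size} bytes",
        f"null bytes: {t.null_ratio:.1%} (longest run {t.longest_null_run})",
        f"padding red flag: {'YES' if t.padded else 'no'}",
        "printable runs:",
    ]
    lines += [f"  {s}" for s in t.strings]
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass a file path to inspect a real file; otherwise the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    print(report(data))
```

Run it with a path argument to inspect a file you already have on disk; with no argument it reports on the constructed sample, which trips the padding flag and lists the two script lines. The printable-run scan only finds a script that is stored uncompressed, which matches the caveat in the post; a compressed resource needs to be decompressed first before this kind of look will show anything readable.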