Report False-Positives To Anti-Virus Companies

MrDodel
Posts: 96
Joined: 28 Apr 2021, 09:03
Location: Event Horizon

Re: Report False-Positives To Anti-Virus Companies

Post by MrDodel » 04 Sep 2022, 08:34

09/04/2022 - It looks like a recent update to Windows Defender is causing issues, with multiple reports across the interwebs. I'm being advised that my scripts are infected with Win32/Hive.ZY; the scripts still run, and they are clean.

More https://www.bleepingcomputer.com/forums/t/776703/behaviorwin32hivezy-being-detected-by-windows-defender-every-few-minutes/
So much universe, and so little time. GNU Sir Terry.

Ben the Coder

Re: Report False-Positives To Anti-Virus Companies

Post by Ben the Coder » 04 Sep 2022, 09:45

MrDodel wrote:
04 Sep 2022, 08:34
09/04/2022 - It looks like a recent update to Windows Defender is causing issues, with multiple reports across the interwebs. I'm being advised that my scripts are infected with Win32/Hive.ZY; the scripts still run, and they are clean.
You might want to look at this.
Ben :)

MrDodel
Posts: 96
Joined: 28 Apr 2021, 09:03
Location: Event Horizon

Re: Report False-Positives To Anti-Virus Companies

Post by MrDodel » 05 Sep 2022, 02:19

Ben the Coder wrote:
04 Sep 2022, 09:45
MrDodel wrote:
04 Sep 2022, 08:34
09/04/2022 - It looks like a recent update to Windows Defender is causing issues, with multiple reports across the interwebs. I'm being advised that my scripts are infected with Win32/Hive.ZY; the scripts still run, and they are clean.
You might want to look at this.
Ben :)
Yep, I am aware of that. I was simply highlighting it so that other users wouldn't report it as an FP, as it's Defender that's broken in this instance, not an FP.

Cheers
Dödel

Ben the Coder

Re: Report False-Positives To Anti-Virus Companies

Post by Ben the Coder » 05 Sep 2022, 09:37

Ah, I see.


TeveL

Re: Report False-Positives To Anti-Virus Companies

Post by TeveL » 12 Dec 2022, 14:13

I mean, it says Report "False-Positives", but this is clearly malware from your Download Current Version button: https://i.imgur.com/GhGQpgS.png

I was on a virtual machine because I always check for malware, rootkits, etc. when installing new software.

VirusTotal report:
https://www.virustotal.com/gui/file/3938ddd994af3394fa5022b2af93f3a46598f40d5aaed3ca4f9bdd7292e83292
https://i.imgur.com/fuyBZYV.png

gregster
Posts: 8885
Joined: 30 Sep 2013, 06:48

Re: Report False-Positives To Anti-Virus Companies

Post by gregster » 12 Dec 2022, 14:56

TeveL wrote:
12 Dec 2022, 14:13
I mean, it says Report "False-Positives", but this is clearly malware from your Download Current Version button: https://i.imgur.com/GhGQpgS.png
How did you determine that without submitting the file to the antivirus vendors in order to let them check thoroughly? False positives are very common for AHK (and not only for AHK), often based on flawed or oversimplified heuristics.

Afaik, 5 false positives are not totally untypical for a relatively new version of AHK. Usually that number goes down for a specific version after a while, when the antivirus vendors adjust and correct their mistakes. (From experience I would suppose that those listed are not all high-quality scan engines.)

PS:
It looks like your posted report is specifically about the compiler AHK2Exe. Afaik, this is open source (written itself in AHK) and available on github. So you can thoroughly check its contents and might be able to compile it yourself (you can also look up the corresponding topic on these forums and ask there about it). Btw, AHK scripts can also be used uncompiled; using AHK2Exe is optional.
You could even compile AHK yourself (from C++), if you prefer. It's also open source.

winbatchguru
Posts: 5
Joined: 17 Dec 2015, 15:16

Re: Report False-Positives To Anti-Virus Companies

Post by winbatchguru » 28 Jan 2023, 23:44

The folks that develop the files should submit them to the various antivirus vendors that are saying the files are malicious.

SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

Post by SOTE » 02 Feb 2023, 06:19

winbatchguru wrote:
28 Jan 2023, 23:44
The folks that develop the files should submit them to the various antivirus vendors that are saying the files are malicious.
Yes, there is something to be said for being proactive. However, the antivirus vendors can be a bit tricky too, as they have various processes or make seemingly arbitrary decisions. In general, we can all help by submitting as well. The more people keeping an eye on and informing antivirus vendors about errors and false positives, the better the outcomes.

Sam_
Posts: 146
Joined: 20 Mar 2014, 20:24

Re: Report False-Positives To Anti-Virus Companies

Post by Sam_ » 19 Mar 2023, 23:04

I've never seen this before. I'm pretty confident it's a false positive, but any thoughts on exactly what on the page AVG had an issue with?
AVG vs autohotkey.com.png

pauloxoxe
Posts: 2
Joined: 18 Mar 2023, 09:20

Re: Report False-Positives To Anti-Virus Companies

Post by pauloxoxe » 20 Mar 2023, 07:20

I wanted to install v2, but our security team sent me this report.
securityReport.png

boiler
Posts: 16705
Joined: 21 Dec 2014, 02:44

Re: Report False-Positives To Anti-Virus Companies

Post by boiler » 20 Mar 2023, 07:26

pauloxoxe wrote: I wanted to install v2, but our security team sent me this report.
So…green check mark?


xMaxrayx
Posts: 136
Joined: 06 Dec 2022, 02:56

Re: Report False-Positives To Anti-Virus Companies

Post by xMaxrayx » 26 Jun 2023, 17:05

idk, Windows Defender doesn't allow .exe files but allows .ahk for some reason.
-----------------------ヾ(•ω•`)o------------------------------
https://github.com/xmaxrayx/

ItisI
Posts: 56
Joined: 03 Jul 2023, 11:50

Re: Report False-Positives To Anti-Virus Companies

Post by ItisI » 04 Jul 2023, 10:01

Hi folks :)

I am both new to AHK and this forum - it is a great place to be, get help and learn. Thank you very much.

Now: I would very much like to install the software, but I am not a coder, nor a techie person at all. I use software, a lot of it, and I know my way around, but of course I cannot judge VirusTotal reports, so I usually go by the guideline "All must be green and well".

So I downloaded today

1. AutoHotkey_2.0.3_setup.exe (from here)
11 security vendors and no sandboxes flagged this file as malicious
https://www.virustotal.com/gui/file/a32362b2769cb3cd8caa10722c50208b7170fe82d3663e85425df416422b4d22


2. AutoHotkey_2.0.3.zip (from here)
3 security vendors and no sandboxes flagged this file as malicious
https://www.virustotal.com/gui/file/2f0c37c4e38eb50f7b40deab672f724ea4e3edbea0384406a3778b867cda5da9


3. autohotkey_1.1.37.00_setup.exe (from Heise)
5 security vendors and no sandboxes flagged this file as malicious
https://www.virustotal.com/gui/file/e16e14a5902618298c24b6b6a2503d83d435bd647dcbdc2a20fa5f7285c57168

Over the last few days I've downloaded (1.) several times and checked it; the warnings now have gone up to 11.

Checking these files locally gives them a clean bill of health.

Please help!

joedf
Posts: 8937
Joined: 29 Sep 2013, 17:08
Location: Canada

Re: Report False-Positives To Anti-Virus Companies

Post by joedf » 04 Jul 2023, 11:24

Just to add, I got an installation error as well for 1.1.37.00, due to it being blocked by Windows Security.
Windows 10 x64 Professional, Intel i5-8500, NVIDIA GTX 1060 6GB, 2x16GB Kingston FURY Beast - DDR4 3200 MHz | [About Me] | [About the AHK Foundation] | [Courses on AutoHotkey]
[ASPDM - StdLib Distribution] | [Qonsole - Quake-like console emulator] | [LibCon - Autohotkey Console Library]

gregster
Posts: 8885
Joined: 30 Sep 2013, 06:48

Re: Report False-Positives To Anti-Virus Companies

Post by gregster » 04 Jul 2023, 11:48

ItisI wrote:
04 Jul 2023, 10:01
Checking these files locally gives them a clean bill of health.

Please help!
These are both relatively fresh releases - a higher number of false positives is not unusual with those. You can help to report false-positives to the AV companies.
How to do this, you can read in the first post of this topic.

From our FAQ:
https://www.autohotkey.com/docs/v1/FAQ.htm#Virus wrote:Although it is certainly possible that the file has been infected, most often these alerts are false positives, meaning that the antivirus program is mistaken. One common suggestion is to upload the file to an online service such as virustotal or Jotti and see what other antivirus programs have to say. If in doubt, you could send the file to the vendor of your antivirus software for confirmation. This might also help us and other AutoHotkey users, as the vendor may confirm it is a false positive and fix their product to play nice with AutoHotkey. [...]

ItisI
Posts: 56
Joined: 03 Jul 2023, 11:50

Re: Report False-Positives To Anti-Virus Companies

Post by ItisI » 05 Jul 2023, 01:14

But I do not have the qualifications to determine if these are false positives. I can't report to anyone, "These are false positives". That can only be done by someone who has the expertise and has done the necessary testing and investigation.

I am a simple end user.

I use VirusTotal and Jotti to have an extra layer of protection against malware. I download supposedly "virus checked" software from "heise" and find that sometimes VirusTotal, sometimes Jotti, sometimes both give warnings, while my local virus check gives the green light. These inconsistencies worry me.
If in doubt, you could send the file to the vendor of your antivirus software for confirmation.
Well, my antivirus software provider doesn't find any bug in your software, but VirusTotal and Jotti do.

Why are there no pgp signatures for the software, so that we can at least be sure that we are getting what you are offering? Or "hashes" (md5, sh???).

Do I think you are offering malware infected software?

No, of course not. But as a layman, do I know what happens during the download?

gregster
Posts: 8885
Joined: 30 Sep 2013, 06:48

Re: Report False-Positives To Anti-Virus Companies

Post by gregster » 05 Jul 2023, 01:29

ItisI wrote:
05 Jul 2023, 01:14
But I do not have the qualifications to determine if these are false positives. I can't report to anyone, "These are false positives". That can only be done by someone who has the expertise and has done the necessary testing and investigation.
That's the point. If it's a false positive, only the false-positive-issuing company can correct their assessment. If they never get asked, they might never check again (some bad ones might ignore you anyway). The point of reporting false-positives is to ask those companies to re-evaluate their results (and to correct them, if they were wrong) - no one else can check their (often purely "heuristic") results, because they won't tell us their business secrets. Some of those companies will give you feedback about your request... and even correct their initial results.
I am a simple end user.
We are all volunteers here, members of the same community. Currently, except lexikos and a few minor contributors to the open source code (which you could inspect, if you like, or compile yourself), we are all just simple end users of AHK. If you want something done (like a smaller amount of false positives), why not contribute yourself by trying to improve the virustotal ratings?
Why are there no pgp signatures for the software, so that we can at least be sure that we are getting what you are offering? Or "hashes" (md5, sh???).
There are SHA256 hashes; for example, you can look at our GitHub release channel or the individual version announcements (which also contain hashes for the zip versions): viewforum.php?f=24
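The hash check gregster points to, written out as an added example (this is not code from the thread or from the AutoHotkey project): compute the SHA-256 of a downloaded file by streaming it, parse a published "digest  filename" list of the kind release posts paste, and compare in constant time. The file name `example_setup.exe`, the file contents and the hash list are constructed for the demo; the digest in the list is the standard SHA-256 test vector for the bytes `abc`, deliberately written in upper case to show that case and the `*` binary marker from `sha256sum` output are normalized. A file the list does not mention, or a malformed digest, is reported as unverified rather than passed.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file in chunks so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()  # hashlib always returns lower-case hex


def parse_hash_list(text: str) -> dict:
    """Parse 'HEXDIGEST  filename' lines (sha256sum style, also what release
    announcements usually paste). Returns {filename: lower-case digest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        name = name.lstrip("*")  # sha256sum prefixes binary-mode names with '*'
        expected[name] = digest.lower()
    return expected


def verify_download(path: str, published: dict) -> bool:
    """True only if the file is listed, the listed digest is well-formed, and
    the file's SHA-256 matches it."""
    name = os.path.basename(path)
    if name not in published:
        return False  # no published hash for this file: nothing to vouch for it
    want = published[name]
    if len(want) != 64 or any(c not in "0123456789abcdef" for c in want):
        return False  # malformed digest in the list, do not accept it
    actual = sha256_of_file(path)
    # compare_digest avoids a timing side channel; here it mainly documents intent
    return hmac.compare_digest(actual, want)


def demo() -> dict:
    """Constructed scenario (not real release files): a genuine file whose
    contents are b'abc', a one-byte tampered copy, and an unlisted file."""
    published_text = (
        "# constructed hash list in the format release posts use\n"
        # SHA-256("abc"), upper case on purpose to exercise normalization
        "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD  *example_setup.exe\n"
    )
    published = parse_hash_list(published_text)
    results = {}
    with tempfile.TemporaryDirectory() as d:
        genuine = os.path.join(d, "example_setup.exe")
        with open(genuine, "wb") as f:
            f.write(b"abc")
        results["genuine"] = verify_download(genuine, published)

        # a single changed byte, as a tampered mirror would produce, must fail
        with open(genuine, "wb") as f:
            f.write(b"abd")
        results["tampered"] = verify_download(genuine, published)

        # same good bytes, but a name the list does not cover: still unverified
        unlisted = os.path.join(d, "other.zip")
        with open(unlisted, "wb") as f:
            f.write(b"abc")
        results["unlisted"] = verify_download(unlisted, published)
    return results


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'tampered': False, 'unlisted': False}
```

On Windows the equivalent one-off check is `Get-FileHash -Algorithm SHA256 <file>` in PowerShell, compared by eye against the digest in the release post; the point of a scripted version is that the comparison is exact, case-insensitive and fails closed for anything the list does not cover.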

ItisI
Posts: 56
Joined: 03 Jul 2023, 11:50

Re: Report False-Positives To Anti-Virus Companies

Post by ItisI » 05 Jul 2023, 01:45

That's the point. If it's a false positive, only the false-positive-issuing company can correct their assessment. If they never get asked, they might never check again. The point of reporting false-positives is to ask those companies to re-evaluate their results (and to correct them) - no one else can check their results, because they won't tell us their business secrets. Some of those companies will give you feedback about your request.
Let me see if I understand you correctly: I contact Virustotal, tell them neither Jotti nor my local antimalware program have found any issue, and would they please recheck? Or do I contact each and every viruschecker individually?
There are SHA256 hashes, for example you can look at our github release channel or the individual version announcements (which also contain hashes for the zip-versions): viewforum.php?f=24
Yes, there are. Checked my downloads - happy to report, they checked out!

Thanks for your time.
