Antivirus Deleted our .ahk files (and AutoHotkey.exe)

Talk about anything
User avatar
Joe Glines
Posts: 773
Joined: 30 Sep 2013, 20:49
Location: Dallas
Contact:

Antivirus Deleted our .ahk files (and AutoHotkey.exe)

Post by Joe Glines » 06 May 2024, 13:07

The other day we found Windows Defender not only deleted AutoHotkey.exe (v2) but also all of our .ahk files. This was a first for me!
We dicuss the event more in this video


I'm curious if anyone else has experienced this. Please make sure you find a way to backup your scripts...
Joe
Sign-up for the 🅰️HK Newsletter

ImageImageImageImage:clap:
AHK Tutorials:Web Scraping | | Webservice APIs | AHK and Excel | Chrome | RegEx | Functions
Training: AHK Webinars Courses on AutoHotkey :ugeek:
YouTube

:thumbup: Quick Access Popup, the powerful Windows folders, apps and documents launcher!

RussF
Posts: 1486
Joined: 05 Aug 2021, 06:36

Re: Antivirus Deleted our .ahk files (and AutoHotkey.exe)

Post by RussF » 06 May 2024, 13:36

I got my first AV hit ever on AHK from Bitdefender (our managed AV system) at the end of March when I downloaded V2.0.12 . It did not quarantine them, just notified me as suspicious.

I've honestly never heard of Defender actually deleting files (especially scripts, which are just text files.) It should just quarantine them. You can restore them from quarantine in settings and then exclude the folders or files from being flagged.

Russ

garry
Posts: 3876
Joined: 22 Dec 2013, 12:50

Re: Antivirus Deleted our .ahk files (and AutoHotkey.exe)

Post by garry » 08 May 2024, 12:35

I copied once an ahk script to a big textfile xy.txt and this was deleted from Windows Defender MsMpEng.exe . I found the textfile as backup from notepad++
Yes, then I used > exclude folders and files

User avatar
Joe Glines
Posts: 773
Joined: 30 Sep 2013, 20:49
Location: Dallas
Contact:

Re: Antivirus Deleted our .ahk files (and AutoHotkey.exe)

Post by Joe Glines » 02 Dec 2024, 07:02

JeesWG wrote me and mentioned the below.

Norton quarantining AutoHotkey files (scripts that were currently running, and scripts opened by those scripts) and closing AutoHotkey processes (and processes opened by those scripts):
Happening on my PC since 2024-11-29:

(1) Norton was putting files into quarantine (and ending processes).
(2) Norton was blocking FileAppend, and asking for permission for future occurrences.

(1) to rescue files from quarantine:
tray icon
right-click Settings
Features tab
Quarantine
hover over a file in the listview, and click '...'
choose Extract to extract files
(note: for each file listed, there may be multiple files extracted)
(note: the modified/created dates will be set to the current time)

(2) to set permissions for applications/scripts:
tray icon
right-click Settings
App permissions tab
Add application
Manually Select App
paste in the path of a .ahk file
under Ransomware Protection, choose 'Allow' to prevent it complaining when you use FileAppend
under SafeCam, choose 'Do nothing'
under Browser Data Protection, choose 'Do nothing'

(3) to check/increase the amount of space Norton uses for quarantined files:
tray icon
right-click Settings
Features tab
Quarantine
Settings tab

It's possible that doing FileAppend in certain folders will not trigger Norton.

You may want to write a custom version of FileAppend that appends to a file in a safe folder, and/or that appends to the clipboard, to avoid the loss of information.

The tray icon has a 'Disable Auto-Protect' menu item, with options such as '5 hours' and 'permanently', this may temporarily prevent Norton from quarantining files, ending processes and blocking FileAppend, but I haven't tested this.

The scripts were being run by the latest version of AutoHotkey, v1.1.37.02. But AutoHotkey v2 may also be affected.

Please do submit any corrections or additional information.

Cheers! And good luck to you all!
Sign-up for the 🅰️HK Newsletter

ImageImageImageImage:clap:
AHK Tutorials:Web Scraping | | Webservice APIs | AHK and Excel | Chrome | RegEx | Functions
Training: AHK Webinars Courses on AutoHotkey :ugeek:
YouTube

:thumbup: Quick Access Popup, the powerful Windows folders, apps and documents launcher!

Post Reply

Return to “Off-topic Discussion”