The installation of AutoHotkey_2.0.15_setup.exe fails. Microsoft Defender says there is a Trojan:Script/Phonzy.B!ml inside. It removes the file that has the trojan and then the installer fails with error
Error: This value of type "Installation" has no property named "Hashes".
960: }
961: {
▶ 962: this.Hashes[f] := {Path: f, Hash: HashFile(f), Version: v}
963: }
964: {
Extracting the ZIP file works. But the ZIP does not include all files. There is no compiler or binaries for the compiler. When running UX\install-ahk2exe.ahk you get the compiler. Checking in Ahk2Exe.exe for updates.
Installing all updates. But when compiling WindowSpy.ahk it results in a file where it says it has a trojan again.
[Mod action: Topic moved from "Bug Reports" to this thread since antivirus software flagging a false positive is not an AHK bug.]
Report False-Positives To Anti-Virus Companies
Re: Report False-Positives To Anti-Virus Companies
@bshogeman -- Antivirus software flagging a false positive is not an AHK bug, so your topic in "Bug Reports" was moved to this thread. You may need to temporarily disable Defender to let it install, and you may need to identify a whitelisted directory to prevent your AHK installation folder from being scanned by any antivirus software you may have.
Re: Report False-Positives To Anti-Virus Companies
Cortex XDR started to block a malicious activity on 2.0.18. But no issues with 2.0.17
Application information:
Application name: AutoHotkey installer
Application version: 2.0.18.0
Process ID: 17816
Application location: C:\Users\michaelf\Downloads\AutoHotkey_2.0.18_setup.exe
Command line: "C:\Users\michaelf\Downloads\AutoHotkey_2.0.18_setup.exe"
File origin: Hard drive on this computer
Prevention information:
Prevention date: Tuesday, July 9, 2024
Prevention time: 22:46:42
OS version: 10.0.19045.2.0.0.256.1
Component: WildFire
Status code: c0400055
Prevention description: Suspicious executable detected
Additional information 1: C:\Users\michaelf\Downloads\AutoHotkey_2.0.18_setup.exe
Additional information 2: A30AF310F45D4076CF1580BB08015DB9A1337DDC1A99CF61829E645B196E8B2E
Additional information 3: A30AF310F45D4076CF1580BB08015DB9A1337DDC1A99CF61829E645B196E8B2E
Additional information 4: 1
Additional information 6: {"trigger":1,"component":294,"cystatus":3225419861,"filePath":"C:\\Users\\michaelf\\Downloads\\AutoHotkey_2.0.18_setup.exe","fileHash":{"sha256":"A30AF310F45D4076CF1580BB08015DB9A1337DDC1A99CF61829E645B196E8B2E","sha1":"33501837A85EA22F98723746AECF5199865353F9","md5":"71E486A03AB282B75886E3712EBB1EFA"},"streamHash":{"sha256":"A30AF310F45D4076CF1580BB08015DB9A1337DDC1A99CF61829E645B196E8B2E","sha1":"33501837A85EA22F98723746AECF5199865353F9","md5":"71E486A03AB282B75886E3712EBB1EFA"},"verdict":1,"fileType":1,"fileSize":"3017216","streamFileType":1,"streamSize":"3017216"}
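Before treating a detection like the one above as a false positive (or disabling the endpoint agent to get past it, as several posters describe), it is worth confirming that the file on disk is actually the installer the project published. The following PowerShell script is an added example, not code from the thread or from the AutoHotkey project. It assumes you have obtained a reference SHA256 and the expected code-signing subject from a source you trust (both are placeholders here); it checks the file hash, the Authenticode signature, the mark-of-the-web zone record, and any Defender detection record for the path, and reports a verdict.

```powershell
# Added example (not from the thread or the AutoHotkey project).
# Placeholders below are assumptions: replace them with the hash and signer
# you obtained from the official download source.
param(
    [Parameter(Mandatory)] [string] $Path,
    [string] $ExpectedSha256 = '<SHA256 published by the official download source>',
    [string] $ExpectedSigner = '<expected code-signing subject, e.g. CN=...>'
)

function Test-InstallerIntegrity {
    param([string] $Path, [string] $ExpectedSha256, [string] $ExpectedSigner)

    if (-not (Test-Path -LiteralPath $Path)) {
        # The AV product may already have quarantined the file, as in the first post.
        return [pscustomobject]@{ Path = $Path; Verdict = 'MISSING'; Detail = 'File not found (quarantined?)' }
    }

    # 1. Hash check: does the file on disk match the published hash?
    $actualHash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashOk = ($actualHash -ieq $ExpectedSha256)

    # 2. Signature check: valid Authenticode chain and the signer you expect.
    $sig   = Get-AuthenticodeSignature -LiteralPath $Path
    $sigOk = ($sig.Status -eq 'Valid') -and
             ($sig.SignerCertificate.Subject -like "*$ExpectedSigner*")

    # 3. Mark-of-the-web: where does the browser say the file came from?
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $hostUrl = ($zone | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', ''

    # 4. Defender's own record for this path, if the Defender module is present.
    $threatNames = @()
    try {
        $threatNames = Get-MpThreatDetection -ErrorAction Stop |
            Where-Object { $_.Resources -like "*$Path*" } |
            ForEach-Object { $_.ThreatID }
    } catch { $threatNames = @('<Defender module not available>') }

    $verdict = if ($hashOk -and $sigOk) { 'MATCHES-PUBLISHED-FILE' }
               elseif ($sigOk)         { 'SIGNED-BUT-HASH-DIFFERS' }
               else                    { 'DO-NOT-TRUST' }

    [pscustomobject]@{
        Path            = $Path
        Verdict         = $verdict
        ActualSha256    = $actualHash
        HashMatches     = $hashOk
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        DownloadedFrom  = $hostUrl
        DefenderThreats = ($threatNames -join ', ')
    }
}

Test-InstallerIntegrity -Path $Path -ExpectedSha256 $ExpectedSha256 -ExpectedSigner $ExpectedSigner |
    Format-List
```

Only a result of MATCHES-PUBLISHED-FILE supports reporting the detection to the vendor as a false positive; SIGNED-BUT-HASH-DIFFERS usually means your reference hash is for a different release, and DO-NOT-TRUST means the file should be left in quarantine rather than whitelisted. If you do go on to add a folder exclusion as the moderator suggests, `Add-MpPreference -ExclusionPath` is the Defender cmdlet for that, and it should cover only the verified installation folder, not the Downloads folder.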
Re: Report False-Positives To Anti-Virus Companies
New user wrote: ↑10 Jul 2024, 00:49
Cortex XDR started to block a malicious activity on 2.0.18. But no issues with 2.0.17
New user, there is not much point in posting individual results here. There are usually many false positives for any AHK version - but newly released ones are usually affected most.
You should instead report that to Cortex as a presumed false positive.
Re: Report False-Positives To Anti-Virus Companies
AV software often flags mpress-compressed AHK scripts as suspicious, mistaking them for obfuscated code. I've since avoided using mpress to reduce false positives, though occasional AV alerts still happen but are rarer now.
Re: Report False-Positives To Anti-Virus Companies
SentinelOne has refused to whitelist AutoHotkey (AHK_L in my case) "as they have seen multiple instances of threats utilizing it in a malicious way". Also, any emails sent to the associated email addresses in the OP are automatically rejected unless your email address exactly matches "an existing SentinelOne support user account". This means that if S1 is installed on your work/corporate computer, you're probably out of luck.
Re: Report False-Positives To Anti-Virus Companies
It seems that (so far) just the AHK installation program is killed by SentinelOne. I struggled with an installation on a new PC until I had to just disable S1 entirely on that device in order to install it. You are correct in that whitelisting had no effect. Once installed, however, S1 seems to tolerate AHK. I run dozens of scripts daily on my own workstation with no ill effects. Will no doubt have to disable it during installation of the next update, though.
Russ
Re: Report False-Positives To Anti-Virus Companies
RussF wrote: ↑06 Dec 2024, 07:03
It seems that (so far) just the AHK installation program is killed by SentinelOne. I struggled with an installation on a new PC until I had to just disable S1 entirely on that device in order to install it. You are correct in that whitelisting had no effect. Once installed, however, S1 seems to tolerate AHK. I run dozens of scripts daily on my own workstation with no ill effects. Will no doubt have to disable it during installation of the next update, though.
Russ

For me it quarantines any baseline AHK_L EXEs (at least 3 different versions), but completely ignores my compiled scripts. I agree it doesn't like the installers.