Report False-Positives To Anti-Virus Companies

bshogeman
Posts: 5
Joined: 13 Oct 2022, 07:22

Microsoft Defender says Trojan:Script/Phonzy.B!ml inside v2.0.15 installer

Post by bshogeman » 17 May 2024, 07:52

Installing AutoHotkey_2.0.15_setup.exe fails. Microsoft Defender says there is a Trojan:Script/Phonzy.B!ml inside. It removes the file that has the trojan, and then the installer fails with this error:
Error: This value of type "Installation" has no property named "Hashes".
960: }
961: {
▶ 962: this.Hashes[f] := {Path: f, Hash: HashFile(f), Version: v}
963: }
964: {

Extracting the ZIP file works, but the ZIP does not include all files: there is no compiler and no binaries for the compiler. Running UX\install-ahk2exe.ahk gets you the compiler, and checking for updates in Ahk2Exe.exe installs all updates. But compiling WindowSpy.ahk results in a file that it says has a trojan again.


[Mod action: Topic moved from "Bug Reports" to this thread since antivirus software flagging a false positive is not an AHK bug.]

boiler
Posts: 17696
Joined: 21 Dec 2014, 02:44

Re: Report False-Positives To Anti-Virus Companies

Post by boiler » 17 May 2024, 08:11

@bshogeman -- Antivirus software flagging a false positive is not an AHK bug, so your topic in "Bug Reports" was moved to this thread. You may need to temporarily disable Defender to let it install, and you may need to identify a whitelisted directory to prevent your AHK installation folder from being scanned by any antivirus software you may have.

New user

Re: Report False-Positives To Anti-Virus Companies

Post by New user » 10 Jul 2024, 00:49

Cortex XDR started to block malicious activity on 2.0.18, but there were no issues with 2.0.17.

Application information:
Application name: AutoHotkey installer
Application version: 2.0.18.0
Process ID: 17816
Application location: C:\Users\michaelf\Downloads\AutoHotkey_2.0.18_setup.exe
Command line: "C:\Users\michaelf\Downloads\AutoHotkey_2.0.18_setup.exe"
File origin: Hard drive on this computer

Prevention information:
Prevention date: Tuesday, July 9, 2024
Prevention time: 22:46:42
OS version: 10.0.19045.2.0.0.256.1
Component: WildFire
Status code: c0400055
Prevention description: Suspicious executable detected
Additional information 1: C:\Users\michaelf\Downloads\AutoHotkey_2.0.18_setup.exe
Additional information 2: A30AF310F45D4076CF1580BB08015DB9A1337DDC1A99CF61829E645B196E8B2E
Additional information 3: A30AF310F45D4076CF1580BB08015DB9A1337DDC1A99CF61829E645B196E8B2E
Additional information 4: 1
Additional information 6: {"trigger":1,"component":294,"cystatus":3225419861,"filePath":"C:\\Users\\michaelf\\Downloads\\AutoHotkey_2.0.18_setup.exe","fileHash":{"sha256":"A30AF310F45D4076CF1580BB08015DB9A1337DDC1A99CF61829E645B196E8B2E","sha1":"33501837A85EA22F98723746AECF5199865353F9","md5":"71E486A03AB282B75886E3712EBB1EFA"},"streamHash":{"sha256":"A30AF310F45D4076CF1580BB08015DB9A1337DDC1A99CF61829E645B196E8B2E","sha1":"33501837A85EA22F98723746AECF5199865353F9","md5":"71E486A03AB282B75886E3712EBB1EFA"},"verdict":1,"fileType":1,"fileSize":"3017216","streamFileType":1,"streamSize":"3017216"}
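An added check, not part of any post in this thread and not AutoHotkey's own code: before whitelisting an installer directory (as boiler suggests above) or reporting an alert as a false positive (as gregster suggests below), confirm that the file the EDR names is byte-for-byte the file you actually downloaded, and then compare those hashes with the ones the project publishes. The script below parses the hash block Cortex XDR attached to the alert quoted above ("Additional information 6", copied verbatim) and compares it with the hashes of a local file. The sample bytes and the make_alert() helper are constructed for the self-test only; the official AutoHotkey hashes are not on this page, so the script embeds none and takes the expected values from the alert JSON or from a file you supply.

```python
"""Check that the file an EDR alert names is the file you have in hand.

Usage:  python check_alert_hash.py <alert_info_6.json> <path-to-installer>
Without arguments it runs the built-in self-test on constructed data.
"""
import hashlib
import json
import sys

ALGOS = ("sha256", "sha1", "md5")

# Copied from the Cortex XDR alert above (raw string, so the JSON-escaped
# backslashes in filePath survive untouched).
ALERT_INFO_6 = r'''{"trigger":1,"component":294,"cystatus":3225419861,"filePath":"C:\\Users\\michaelf\\Downloads\\AutoHotkey_2.0.18_setup.exe","fileHash":{"sha256":"A30AF310F45D4076CF1580BB08015DB9A1337DDC1A99CF61829E645B196E8B2E","sha1":"33501837A85EA22F98723746AECF5199865353F9","md5":"71E486A03AB282B75886E3712EBB1EFA"},"streamHash":{"sha256":"A30AF310F45D4076CF1580BB08015DB9A1337DDC1A99CF61829E645B196E8B2E","sha1":"33501837A85EA22F98723746AECF5199865353F9","md5":"71E486A03AB282B75886E3712EBB1EFA"},"verdict":1,"fileType":1,"fileSize":"3017216","streamFileType":1,"streamSize":"3017216"}'''

# Constructed stand-in for an installer; deliberately NOT the real file.
SAMPLE = b"MZ" + b"\x00" * 62 + b"constructed sample, not AutoHotkey_2.0.18_setup.exe"


def parse_alert(payload: str) -> dict:
    """Extract what the EDR claims it scanned: hashes (lower-cased) and size."""
    data = json.loads(payload)
    return {
        "hashes": {a: data["fileHash"][a].lower() for a in ALGOS},
        "size": int(data["fileSize"]),
    }


def alert_self_consistent(payload: str) -> bool:
    """fileHash/streamHash and fileSize/streamSize should agree; if they do
    not, the EDR scanned a different stream than the file it named."""
    data = json.loads(payload)
    return (data["fileHash"] == data["streamHash"]
            and data["fileSize"] == data["streamSize"])


def fingerprint_bytes(data: bytes) -> dict:
    """Hashes and size of an in-memory blob (md5/sha1 only for comparison
    with the alert, hence usedforsecurity=False)."""
    return {
        "hashes": {a: hashlib.new(a, data, usedforsecurity=False).hexdigest()
                   for a in ALGOS},
        "size": len(data),
    }


def fingerprint_file(path: str) -> dict:
    """Same as fingerprint_bytes but streamed, so a large installer is fine."""
    hashers = {a: hashlib.new(a, usedforsecurity=False) for a in ALGOS}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    return {"hashes": {a: h.hexdigest() for a, h in hashers.items()},
            "size": size}


def mismatched_fields(alert: dict, local: dict) -> list:
    """Names of the fields that differ between the alert and the local file."""
    bad = ["size"] if alert["size"] != local["size"] else []
    bad += [a for a in ALGOS if alert["hashes"][a] != local["hashes"][a]]
    return bad


def same_artifact(alert: dict, local: dict) -> bool:
    """True only if size and every hash agree, i.e. the EDR flagged this file."""
    return not mismatched_fields(alert, local)


def make_alert(data: bytes) -> str:
    """Constructed alert JSON for `data`, used by the self-test only."""
    fp = fingerprint_bytes(data)
    return json.dumps({"filePath": "constructed", "fileHash": fp["hashes"],
                       "streamHash": fp["hashes"], "fileSize": str(fp["size"]),
                       "streamSize": str(fp["size"])})


def demo() -> tuple:
    """(real alert vs constructed sample, constructed alert vs same sample)."""
    local = fingerprint_bytes(SAMPLE)
    return (same_artifact(parse_alert(ALERT_INFO_6), local),
            same_artifact(parse_alert(make_alert(SAMPLE)), local))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            alert = parse_alert(fh.read())
        local = fingerprint_file(sys.argv[2])
        diff = mismatched_fields(alert, local)
        print("alert matches local file" if not diff
              else "MISMATCH in: " + ", ".join(diff))
    else:
        print("self-test (real alert vs sample, sample alert vs sample):", demo())
```

A match only tells you the EDR flagged the file you have; it says nothing about whether that file is the genuine release. Take the published hash from the project's download page (not from this thread) and compare it the same way before adding the directory to any exclusion list.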

gregster
Posts: 9253
Joined: 30 Sep 2013, 06:48

Re: Report False-Positives To Anti-Virus Companies

Post by gregster » 10 Jul 2024, 09:49

New user wrote:
10 Jul 2024, 00:49
Cortex XDR started to block a malicious activity on 2.0.18. But no issues with 2.0.17

New user, there is not much point in posting individual results here. There are usually many false positives for any AHK version, but newly released ones are usually affected most.
You should instead report that to Cortex as a presumed false positive.

smith2
Posts: 8
Joined: 06 May 2024, 00:14

Re: Report False-Positives To Anti-Virus Companies

Post by smith2 » 01 Nov 2024, 01:36

AV software often flags mpress-compressed AHK scripts as suspicious, mistaking them for obfuscated code. I've since avoided using mpress to reduce false positives, though occasional AV alerts still happen but are rarer now.

Sam_
Posts: 148
Joined: 20 Mar 2014, 20:24

Re: Report False-Positives To Anti-Virus Companies

Post by Sam_ » 05 Dec 2024, 16:38

SentinelOne has refused to whitelist AutoHotkey (AHK_L in my case) "as they have seen multiple instances of threats utilizing it in a malicious way". Also, any emails sent to the associated email addresses in the OP are automatically rejected unless your email address exactly matches "an existing SentinelOne support user account". This means that if S1 is installed on your work/corporate computer, you're probably out of luck.

RussF
Posts: 1487
Joined: 05 Aug 2021, 06:36

Re: Report False-Positives To Anti-Virus Companies

Post by RussF » 06 Dec 2024, 07:03

It seems that (so far) just the AHK installation program is killed by SentinelOne. I struggled with an installation on a new PC until I had to just disable S1 entirely on that device in order to install it. You are correct in that whitelisting had no effect. Once installed, however, S1 seems to tolerate AHK. I run dozens of scripts daily on my own workstation with no ill effects. Will no doubt have to disable it during installation of the next update, though.

Russ

Sam_
Posts: 148
Joined: 20 Mar 2014, 20:24

Re: Report False-Positives To Anti-Virus Companies

Post by Sam_ » 06 Dec 2024, 07:38

RussF wrote:
06 Dec 2024, 07:03
It seems that (so far) just the AHK installation program is killed by SentinelOne. I struggled with an installation on a new PC until I had to just disable S1 entirely on that device in order to install it. You are correct in that whitelisting had no effect. Once installed, however, S1 seems to tolerate AHK. I run dozens of scripts daily on my own workstation with no ill effects. Will no doubt have to disable it during installation of the next update, though.

Russ
For me it quarantines any baseline AHK_L EXEs (at least 3 different versions), but completely ignores my compiled scripts. I agree it doesn't like the installers.
