Report False-Positives To Anti-Virus Companies

Talk about anything
slechtwere
Posts: 6
Joined: 23 Jun 2020, 05:01

Re: Report False-Positives To Anti-Virus Companies

Post by slechtwere » 26 Jun 2020, 09:40

I appreciate the effort you put in this answer. This keeps the thread alive and other people will read this too. :thumbup:
But it's not for me. You know, I'm a gardener and almost in retirement. I never earned money with programming or scripting. Yes, for some time I had a (small) leading role and worked with pre-defined office templates. If I wanted to change things, my boss said I spent too much time on my administrative tasks!
But in the 90's I had an Amstrad (464?) personal computer where you had to load programs from cassette or floppies, and if you wanted to make things work personally for you, you had to program it in BASIC (sure, you know this, but some youngsters who read this would be amazed). Commands, AHK and Visual Basic: I like to experiment with them only to keep my brain cells active, creating unimportant programs like generating lottery numbers based on personal dates or names and so on... Well, the program works, but I'm still not a millionaire! :D
Sam_
Posts: 146
Joined: 20 Mar 2014, 20:24

Re: Report False-Positives To Anti-Virus Companies

Post by Sam_ » 30 Jun 2020, 14:36

Symantec has identified parts of AutoHotkey_1.1.33.00_setup.exe as malicious based on heuristic rules. I have submitted it to them as a false positive, but now I have corporate Incident Response breathing down my neck (not that I blame them; it's their job to stay on top of any and all potential threats, even though this doesn't constitute one). Sadly, significant damage to AutoHotkey's reputation has just been done.
Martinspake

-

Post by Martinspake » 05 Dec 2020, 13:01

AVG and Avast are two of the best free antivirus programs out there. I use Avast, because AVG has been known to take up RAM on the computer. Just about everyone I know that deals with computers uses Avast with Malwarebytes Anti-Malware and Firefox with the AdBlock Plus add-on, No Flash add-on and NoScript add-on.
joedf
Posts: 8937
Joined: 29 Sep 2013, 17:08
Location: Canada

Re: Report False-Positives To Anti-Virus Companies

Post by joedf » 05 Dec 2020, 14:14

I personally use Windows Security / Microsoft Defender and MalwareBytes. And additionally, for programs I don't trust, I use Sandboxie. :+1:
Windows 10 x64 Professional, Intel i5-8500, NVIDIA GTX 1060 6GB, 2x16GB Kingston FURY Beast - DDR4 3200 MHz | [About Me] | [About the AHK Foundation] | [Courses on AutoHotkey]
[ASPDM - StdLib Distribution] | [Qonsole - Quake-like console emulator] | [LibCon - Autohotkey Console Library]
Janusz
Posts: 89
Joined: 18 Dec 2020, 17:47

Re: Report False-Positives To Anti-Virus Companies

Post by Janusz » 21 Dec 2020, 09:08

I have found out that politeness, kind pleas and reporting false positives created by the AutoHotkey developers is really the only way to eliminate false positives.

If some author of a compiled .exe suffers because of a false positive, it is really necessary to send the .exe file for analysis to the corresponding antivirus laboratory.
There is also another problem.
Some antivirus companies may think that the practice, where some programming language works by attaching code to a previously compiled .exe using a compiler, is dangerous because of potential corruption of the .exe format.
But in the case of AutoHotkey, it is not true. AutoHotkey has always been compiled by the Microsoft Visual Studio compiler, so the machine code and the format of the .exe file are correct.
If Ahk2Exe adds a script inside an .exe file, it always knows where to put the script to prevent .exe file corruption. I also know that Windows contains many complex condition blocks which protect users against corrupted .exe files.
Sure, because AutoHotkey belongs to the high-level programming languages, some hackers can really use it to make viruses. But a virus can be made in C, in Pascal and in assembly language too. It will always depend on the motivation of the programmer. A programming language is only a development tool which can be used or misused.

Thanks to all of this community who are making AutoHotkey a more and more efficient language. AutoGUI and AutoHotkey Studio allow many programmers to have many positive experiences when developing. I would like to congratulate the C programmers of AutoHotkey for their complex work. Screen readers have good responsiveness when navigating across the GUIs of AutoHotkey apps. Fast responsiveness when browsing editable fields, listboxes and other GUI elements is very important. And memory allocations are very, very low; a very good programmers' job. I will try to code with my sighted mother.
silentway
Posts: 2
Joined: 15 Sep 2021, 12:44

Re: Report False-Positives To Anti-Virus Companies

Post by silentway » 15 Sep 2021, 17:05

My first post - I hope this is the right place to report a new detection of Trojan.Stealer.BC in AutoHotkey.
I installed Autohotkey 1.1.33.09 in early August, my first download of Autohotkey.
Windows Security detected no problems on my PC. Malwarebytes Premium also finds no problems.

But when I ran a free version of SpyHunter 5, it reported Trojan.Stealer.BC in 3 files in the AutoHotkey compiler folder (C:\Program Files\AutoHotkey\Compiler), specifically Ahk2Exe.exe, ANSI 32-bit.bin, and Unicode 32-bit.bin.
In discussion with Malwarebytes, I checked at virustotal.com, which says that 5 or 6 security vendors (out of 30 or so) have flagged these files as malicious. The other security vendors did not report detections.
Malwarebytes points out that there appear to be a lot of false positives reported at Autohotkey Forum.

I see a lot of assertions that similar detections are false positives, but how can I be sure?

Regards
Andy
tank
Posts: 3122
Joined: 28 Sep 2013, 22:15
Location: CarrolltonTX

Re: Report False-Positives To Anti-Virus Companies

Post by tank » 15 Sep 2021, 18:21

feel free to look at the source code
silentway
Posts: 2
Joined: 15 Sep 2021, 12:44

Re: Report False-Positives To Anti-Virus Companies

Post by silentway » 16 Sep 2021, 09:36

tank wrote: feel free to look at the source code
I could do that, but I'm probably the wrong person - I would not know what to look for.
I was naively wondering why AHK is the source of so many false positives, but it may be just the nature of the tool - it's just so easy to write a script that causes an innocent keystroke to send a seriously damaging command.

I am now retired, but in my previous working life I was in risk management, where a well-known mantra is: Prevent, Detect, Control, Mitigate, in that order. One prevention action might be submission of source code (and/or files such as ahk2exe) to security vendors for test and whitelisting. Are there any other actions that could potentially prevent AHK being the source of so many false positives?

Regards
Andy
swagfag
Posts: 6222
Joined: 11 Jan 2017, 17:59

Re: Report False-Positives To Anti-Virus Companies

Post by swagfag » 16 Sep 2021, 10:57

silentway wrote:
16 Sep 2021, 09:36
Are there any other actions that could potentially prevent AHK being the source of so many false positives?
yeah, bend over and submit to the certificate mafia in perpetuity... except who's got that much $$$ to burn through
gwarble
Posts: 524
Joined: 30 Sep 2013, 15:01

Re: Report False-Positives To Anti-Virus Companies

Post by gwarble » 16 Sep 2021, 13:04

I believe that answer is to your question:
silentway wrote: how can I be sure?
Looking at the source code is the only way to be sure; otherwise you're trusting the code/script, or you're trusting someone else... author, antivirus vendor, etc.

Antivirus companies have one goal, sell to more users, and it's worse for them to let a virus through than to block some benign code that they haven't analyzed more than heuristically (and there aren't enough users to complain about).

Sad but true, I've been fighting it for over a decade with EitherMouse (well ignoring it the last half of the decade because I couldn't get anywhere to prevent it.)
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

Post by SOTE » 23 Sep 2021, 08:00

silentway wrote:
16 Sep 2021, 09:36
feel free to look at the source code
I could do that, but I'm probably the wrong person - I would not know what to look for.
Andy,

It is the makers of SpyHunter 5 who should have experts examining the clear and open source code of AutoHotkey to determine if there is a trojan in it. That AutoHotkey is open-source and thus its code is viewable, should already be a clue about certain companies pulling shenanigans. Various unethical Anti-Virus companies are trying to play customers for fools, by pretending their software is more effective than it really is or by using scare tactics. It will pretend to find all kinds of "trojans" and "malware" to scare customers that don't know any better into giving them money.

You should report the false-positive, give them a link to the source, and demand they not engage in such behavior or change any mistakes that they made.

The company that makes SpyHunter 5 is EnigmaSoft. Unless the person bought the product, it's not clear how to contact their help desk or report false positives (not a promising sign of the company's practices). However, you should be able to contact the company with the link below.

https://www.enigmasoftware.com/about-us/inquiries-feedback/
(EnigmaSoft Inquiries and Feedback)

silentway wrote: One prevention action might be submission of source code (and/or files such as ahk2exe) to security vendors for test and whitelisting. Are there any other actions that could potentially prevent AHK being the source of so many false positives?
If you get a false-positive result from a submission to VirusTotal, you can contact them too about those Anti-Virus companies, to help them select those companies that meet a high ethical and business standard and get rid of the bad ones listed on their site. Let them know your opinions and about false-positives.

https://www.virustotal.com/gui/contact-us/technical-support
(Contact VirusTotal)
AHKStudent
Posts: 1472
Joined: 05 May 2018, 12:23

Re: Report False-Positives To Anti-Virus Companies

Post by AHKStudent » 24 Sep 2021, 19:20

swagfag wrote:
16 Sep 2021, 10:57
silentway wrote:
16 Sep 2021, 09:36
Are there any other actions that could potentially prevent AHK being the source of so many false positives?
yeah, bend over and submit to the certificate mafia in perpetuity... except whos got that much $$$ to burn through
Even with a cert, an exe will have to build up reputation for it not to be flagged by Defender etc. The minute you make changes, you are back to square one.
swagfag
Posts: 6222
Joined: 11 Jan 2017, 17:59

Re: Report False-Positives To Anti-Virus Companies

Post by swagfag » 24 Sep 2021, 20:36

yeah, naah
[attached image: image.png]

we need to setup a banner with a $1/day donation goal :lol: jimmy wales style
joedf
Posts: 8937
Joined: 29 Sep 2013, 17:08
Location: Canada

Re: Report False-Positives To Anti-Virus Companies

Post by joedf » 24 Sep 2021, 20:48

So we've actually racked up enough to pay for an EV cert, but after discussing with Lexikos, we are not pursuing an EV cert, for similar reasons to Notepad++. So, in a similar fashion, checksums/hashes are posted when new versions are released.
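Published checksums only protect a download if someone actually compares them, so here is an added example (my own code, not the AutoHotkey project's) of doing that comparison the way a release page usually presents it: sha256sum-style lines of "<hex digest>  <filename>". The file name, digests and installer bytes below are constructed for the demo; the script hashes the file in chunks, looks up the digest for the file's basename, and uses a constant-time comparison so a mismatch, a missing entry and a malformed checksum line are each reported distinctly.

```python
"""Verify a downloaded release file against a published SHA-256 checksum list.

Added example, not AutoHotkey project code. Assumes the release publishes
sha256sum-style lines ("<hex digest>  <filename>"); every name and digest
used in demo() is constructed for illustration.
"""
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdef")


def parse_checksum_lines(text):
    """Return {filename: hexdigest} from sha256sum-style lines.

    Blank lines and '#' comments are ignored; a leading '*' on the file name
    (sha256sum's binary-mode marker) is stripped; anything that is not a
    64-character hex digest is rejected rather than silently accepted.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 64 or not set(digest) <= HEX:
            raise ValueError(f"not a SHA-256 hex digest: {digest!r}")
        table[name] = digest
    return table


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large installers need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, checksum_text):
    """Return (ok, reason); ok is True only on an exact digest match."""
    expected = parse_checksum_lines(checksum_text).get(os.path.basename(path))
    if expected is None:
        return False, "no published checksum for this file name"
    actual = sha256_of_file(path)
    # compare_digest avoids leaking where the digests diverge via timing.
    if hmac.compare_digest(actual, expected):
        return True, "sha256 matches published checksum"
    return False, f"sha256 mismatch: got {actual}, expected {expected}"


def demo():
    """Write a constructed 'installer' to a temp dir and check it three ways."""
    payload = b"constructed installer bytes, not a real AutoHotkey build\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Example_setup.exe")  # constructed file name
        with open(path, "wb") as f:
            f.write(payload)
        good = hashlib.sha256(payload).hexdigest()
        published = f"{good}  Example_setup.exe\n{'0' * 64}  Other_setup.exe\n"
        ok_match, _ = verify_download(path, published)
        # A list whose digest does not match the bytes on disk (tampered
        # download, or wrong file): must fail.
        ok_tampered, _ = verify_download(path, f"{'f' * 64}  Example_setup.exe\n")
        # A list that does not mention this file at all: must also fail.
        ok_missing, _ = verify_download(path, "")
    return ok_match, ok_tampered, ok_missing


if __name__ == "__main__":
    print(demo())  # → (True, False, False)
```

A mismatch is treated the same as a missing entry: the download is not trusted. Pointing `verify_download` at a real installer and the text of the release's checksum file is the only change needed for actual use.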
swagfag
Posts: 6222
Joined: 11 Jan 2017, 17:59

Re: Report False-Positives To Anti-Virus Companies

Post by swagfag » 24 Sep 2021, 20:50

swagfag wrote:
16 Sep 2021, 10:57
yeah, bend over and submit to the certificate mafia in perpetuity... except whos got that much $$$ to burn through
and so weve come full circle
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

Post by SOTE » 17 Oct 2021, 23:58

Have recently come across some false-positive issues with McAfee and their scanners in regards to AutoHotkey_L and AutoHotkey_H.

Found you can give information about disputed files through the Internet to McAfee, in addition to e-mailing them (see 1st post for their e-mail address).

Link below, and will update the 1st post.

https://www.mcafee.com/enterprise/en-us/threat-center/detection-dispute-form.html?region=us
(McAfee Detection Dispute Submission Form)
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

Post by SOTE » 20 Oct 2021, 07:48

McAfee also has another layer where developers having problems with false-positive detections can go. You have to e-mail datasubmission[at]mcafee.com, and then they will provide the link where you can upload files to their False Submission site. Supposedly, the files will be part of a test rig which future databases are tested against.
tomerstern
Posts: 3
Joined: 19 Aug 2020, 14:53

Re: Report False-Positives To Anti-Virus Companies

Post by tomerstern » 27 Jul 2022, 02:19

I started working in a new company and of course one of the first things I installed was Autohotkey.
The installation finished successfully, however trying to run AutoHotkey.exe I am getting a CrowdStrike Falcon Sensor error:
A process was blocked because malicious behavior was detected.

Any idea why they identify AHK as malicious and what can be done about it?
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Report False-Positives To Anti-Virus Companies

Post by SOTE » 17 Aug 2022, 06:13

tomerstern wrote:
27 Jul 2022, 02:19
...The installation finished successfully, however trying to run AutoHotkey.exe I am getting a CrowdStrike Falcon Sensor error:
A process was blocked because malicious behavior was detected.

...what can be done about it?
Info on how to contact CrowdStrike is on the first page and post.
tomerstern wrote: Any idea why they identify AHK as malicious...
This is a bit complicated, but in looking at it, I think the main factors seem to be: laziness, ignorance, sales tactics, and competitors. On the first two, if a company takes the time to do the professional research into AHK, they will see it's an open-source interpreted language, and develop the ability to distinguish when programs of the language are doing something nefarious versus the wholesale smearing of a scripting language. It would be unacceptable, ridiculous, and unprofessional for an antivirus company to mark, say, any .js or .bat as malware. This would be a disservice to their customers and the public. This goes for any widely known scripting language, particularly open-source ones. The quality and professionalism surrounding the antivirus product is important.

As to the last ones, there can be those that are trying to "game the system" by using underhanded and unethical tactics. This can be by the company itself (trying to trick customers that their product is more effective than it actually is) or 3rd parties that are trying to harm their competition (which can include filing knowingly false reports). This can only be countered by customers reporting false-positives and holding antivirus companies accountable. The public and customers have to make sure that the databases of such companies are valid and to persuade them that they need to be looked at carefully and constructed in a professional manner.