AutoHotkey Community

I appreciate the effort you put in this answer. This keeps the thread alive and other people will read this too.
But it's not for me. You know, i'm a gardener and almost in retirement. Never earned money with programming or scripting. Yes, for some time I had a (small) leading role and worked with pre-defined office templates. If I wanted to change things my boss said I spent to much time for my administrative tasks!
But in the 90's I had an Amstrad (464?) personal computer where you had to load programs on casette or floppy's and if you wanted to make things work personally for you you had to program it in Basic (sure you know this but some youngsters who read this would be amazed). Commands, AHK and Visual Basic, I like to experiment with it only to keep my brain cells active. Creating unimportant programs like generating lottery numbers based on personal dates or names and so... Well, the program works but I'm still not a millionaire!

Symantec has identified parts of AutoHotkey_1.1.33.00_setup.exe as malicious based on heuristic rules. I have submitted it to them as a false positive, but now I have corporate Incident Response breathing down my neck (not that I blame them, it's their job to stay on top of any and all potential threats, even tho this doesn't constitute one). Sadly, significant damage to AutoHotkey's reputation has just been done.

AVG and Avast are two of the best free anti virus programs out there. I use Avast, because AVG has been known to take up RAM on the computer. Just about everyone that I know that deals with computers uses Avast with Malwarebytes Anti-Malware and Firefox with the AdBlock Plus add-on, No Flash add on and NoScript add-on.

I personally use Windows Security / Microsoft Defender and MalwareBytes. And addtionally for programs I don't trust, I use Sandboxie.

I have found out, that politeness, kind pleas and reporting false positives created by The Autohodkey developers is really The only one way how to eliminate false positives.

If some author of compiled .exe will suffer because false positive, it is really necessary to send The .exe file for analysis to The corresponding antivirus laboratory.
There is also other problem.
If some antivirus companies do not think, that The practice, that some programming language is based on The routine, when some code is connected to previously compiled .exe by using Compiler is dangerous because of .exe format potential possible corruption.
But in The cause of Autohodkey, it is not true. Autohodkey have been always compiled by Microsoft Visual studio compiler so machine code and format of .exe file is correct.
If ahk2exe add script inside .exe file, it always knows, where to put The script to prevent .exe file corruption. I also know, that Windows contain many complex condition blocks which are protecting users according corrupted .exe files.
Sure. Because Autohodkey belong to The high level programming languages, some hackers can really use it to make a viruses. But virus can be made also in C, Pascal language and in Assembly language too. Sure. It will always depend on The motivation of The programmer. Programming language is only a development tool which can be used or misused.

Thank all of this community, who are making Autohodkey a more and more efficient language. And Autogui and Autohodkey studio allows many programmers to have many positive experience when developing. I would like to congratulate C programmers of Autohodkey for their complex work. Screen readers have good responsiveness when navigating across Autohodkey apps GUI. Fast responsiveness when browsing editable fields, listboxes and other GUI elements is very important. And memory allocations are very very low, very good programmers job. I will try to code with my sighted mother.

My first post - I hope is the right place to report a new detection of Trojan.Stealer.BC in Autohotkey.
I installed Autohotkey 1.1.33.09 in early August, my first download of Autohotkey.
Windows Security detected no problems on my PC. Malwarebytes Premium also finds no problems.

But when I ran a free version of Spyhunter5. It reported Trojan.Stealer.BC in 3 files in the Autohotkey compiler folder (C:\Program Files\AutoHotkey\Compiler), specifically Ahk2Exe.exe, ANSI 32-bit.bin, and Unicode 32-bit.bin
In discussion with Malwarebytes, I checked at virustotal.com, which says that 5 or 6 security vendors (out of 30 or so) have flagged these files as malicious. These other security vendors did not report detections.
Malwarebytes points out that there appear to be a lot of false positives reported at Autohotkey Forum.

I see a lot of assertions that similar detections are false positives, but how can I be sure?

Regards
Andy

feel free to look at the source code

feel free to look at the source code

I could do that, but I'm probably the wrong person - I would not know what to look for.
I was naively wondering why AHK is the source of so many false positives, but it may be just the nature of the tool - it's just so easy to write a script that causes an innocent keystroke to send a seriously damaging command.

I am now retired, but my previous working life I was in risk management where a well-known mantra is: Prevent, Detect, Control, Mitigate, in that order. One prevention action might be submission of source code (and/or files such as ahk2exe) to security vendors for test and whitelisting. Are there any other actions that could potentially prevent AHK being the source of so many false positives?

Regards
Andy

silentway wrote: ↑

16 Sep 2021, 09:36

Are there any other actions that could potentially prevent AHK being the source of so many false positives?

yeah, bend over and submit to the certificate mafia in perpetuity... except whos got that much $$$ to burn through

i believe that answer is to your question

how can I be sure?

looking at the source code is the only way to be sure, otherwise you're trusting the code/script or you're trusting someone else... author, antivirus vendor, etc.

Antivirus companies have one goal, sell to more users, and its worse for them to let a virus through than to block some benign code that they haven't analyzed more than heuristically (and there aren't enough users to complain about)

Sad but true, I've been fighting it for over a decade with EitherMouse (well ignoring it the last half of the decade because I couldn't get anywhere to prevent it.)

silentway wrote: ↑

16 Sep 2021, 09:36

feel free to look at the source code

I could do that, but I'm probably the wrong person - I would not know what to look for.

Andy,

It is the makers of SpyHunter 5 who should have experts examining the clear and open source code of AutoHotkey to determine if there is a trojan in it. That AutoHotkey is open-source and thus its code is viewable, should already be a clue about certain companies pulling shenanigans. Various unethical Anti-Virus companies are trying to play customers for fools, by pretending their software is more effective than it really is or by using scare tactics. It will pretend to find all kinds of "trojans" and "malware" to scare customers that don't know any better into giving them money.

You should report the false-positive, give them a link to the source, and demand they not engage in such behavior or change any mistakes that they made.

The company that makes SpyHunter 5 is EnigmaSoft. Unless the person bought the product, it's not clear how to contact their help desk or report false positives (not a promising sign of the company's practices). However, you should be able to contact the company with the link below.

https://www.enigmasoftware.com/about-us/inquiries-feedback/
(EnigmaSoft Inquiries and Feedback)

silentway wrote: One prevention action might be submission of source code (and/or files such as ahk2exe) to security vendors for test and whitelisting. Are there any other actions that could potentially prevent AHK being the source of so many false positives?

If you get a false-positive result from a submission to VirusTotal, you can contact them too about those Anti-Virus companies, to help them select those companies that meet a high ethical and business standard and get rid of the bad ones listed on their site. Let them know your opinions and about false-positives.

https://www.virustotal.com/gui/contact-us/technical-support
(Contact VirusTotal)

swagfag wrote: ↑

16 Sep 2021, 10:57

silentway wrote: ↑

16 Sep 2021, 09:36

Are there any other actions that could potentially prevent AHK being the source of so many false positives?

yeah, bend over and submit to the certificate mafia in perpetuity... except whos got that much $$$ to burn through

even with a cert, an exe will have to build up reputation for it not to be flagged by defender etc. The minute you make changes you are back to square one.

yeah, naah

---

we need to setup a banner with a $1/day donation goal jimmy wales style

So we've actually racked up enough to pay for an EV cert, but after discussing with Lexikos. We are not pursuing EV cert for similar reasons to Notepad++. So in a similar fashion, checksums/Hash are posted when new versions are released.

swagfag wrote: ↑

16 Sep 2021, 10:57

yeah, bend over and submit to the certificate mafia in perpetuity... except whos got that much $$$ to burn through

and so weve come full circle

Have recently come across some false-positive issues with McAfee and their scanners in regards to AutoHotkey_L and AutoHotkey_H.

Found you can give information about disputed files through the Internet to McAfee, in addition to e-mailing them (see 1st post for their e-mail address).

Link below, and will update the 1st post.

https://www.mcafee.com/enterprise/en-us/threat-center/detection-dispute-form.html?region=us
(McAfee Detection Dispute Submission Form)

Cool

McAfee also has another layer where developers having problems with false-positive detections can go. You have to e-mail datasubmission[at]mcafee.com, then they will provide the link where you can upload files to their False Submission site. Supposedly, the files will be part of a test rig, in which future databases are testing against.

I started working in a new company and of course one of the first things I installed was Autohotkey.
The installation finished successfully, however trying to run AutoHotkey.exe I am getting a CrowdStrike Falcon Sensor error:
A process was blocked because malicious behavior was detected.

Any idea why they identify AHK as malicious and what can be done about it?

tomerstern wrote: ↑

27 Jul 2022, 02:19

...The installation finished successfully, however trying to run AutoHotkey.exe I am getting a CrowdStrike Falcon Sensor error:
A process was blocked because malicious behavior was detected.

...what can be done about it?

Info on how to contact CrowdStrike is on the first page and post.

Any idea why they identify AHK as malicious...

This is a bit complicated, but in looking at it, I think the main factors seem to be: laziness, ignorance, sales tactics, and competitors. On the first two, if a company takes the time to do the professional research into AHK, they will see its an open-source interpreted language, and develop the ability to distinguish when programs of the language are doing something nefarious versus the wholesale smearing of a scripting language. It would be unacceptable, ridiculous, and unprofessional for an antivirus company to mark say any .js or .bat as malware. This would be a disservice to their customers and the public. This goes for any widely known scripting language, particularly open-source ones. The quality and professionalism surrounding the antivirus product is important.

As to the last ones, there can be those that are trying to "game the system" by using underhanded and unethical tactics. This can be by the company itself (trying to trick customers that their product is more effective than actually is) or 3rd parties that are trying to harm their competition (which can include filing knowingly false reports). This can only be countered by customers reporting false-positives and holding antivirus companies accountable. The public and customers have to make sure that the databases of such companies are valid and to persuade them that it needs to be looked at both carefully and constructed in a professional manner.