Topic: More false virus warnings in compiled ahk utilities #*(%&*(#*(&#(%
mouser
First Author
Administrator
« on: January 15, 2008, 09:17:11 PM »

I just sent this as a reply to 2 emails i've gotten recently, reporting viruses in skrommel's compiled ahk utilities (http://www.donationcoder.com/Software/Skrommel/).

"ugh, this antivirus false alarm stuff can be so stressful.
i assure you, there are no viruses in donationcoder.com software.

certain antivirus programs are super paranoid about the "autohotkey",
the language that these programs are written in.  it's incredibly
frustrating when the antivirus tells people it has found viruses.  if
you search the internet for the alarm it gives you and
"autohotkey" you'll probably find a bunch of people cursing out the
antivirus and having the same problem.

which antivirus program are you using by the way?

the utility that gave you the warning is from Skrommel's One Hour
Software page, one way you can know you can trust these is that all of
them you can download the source code version in .ahk form and compile
them yourself.

my advice:
post this observance on the forum if you are still nervous so you can
get opinion of others.  try to find option in your antivirus to not do
"heuristic" or other "guessing" which might be causing it to false
alarm.

i apologize for any scare you might have -- try to see how painful
this is from our perspective when a virus scanning program goes around
telling people it has found viruses in our software.. the only thing i
can tell you is that these kinds of false alarms happen and you should
always use an antivirus program and always pay attention when it says
it finds something -- but never assume that just because it says it
found something that it really did."
lanux128
Global Moderator
« Reply #1 on: January 15, 2008, 10:37:28 PM »

here is a similar thread, AVG "detects" virus in AHK..

DimSaver being flagged by AVG Anti-Virus Free Edition
mouser
First Author
Administrator
« Reply #2 on: January 15, 2008, 11:06:34 PM »

maybe skrommel just needs to recompile his programs with a new version of ahk..
cranioscopical
Friend of the Site
Supporting Member
« Reply #3 on: January 15, 2008, 11:18:58 PM »

Using the latest version of AHK I still get the occasional alarm from AVG about
stuff of my own that I've compiled for personal use. One day's scan flags nothing,
then there's an AVG update and something gets flagged, then there's another
AVG update and the same thing (retrieved from quarantine) passes fine. 

It's annoying and has the effect of lowering the level of trust one places in anti-virus
software in general. That in itself is a dangerous trend.




Chris
f0dder
Charter Honorary Member
« Reply #4 on: January 16, 2008, 05:25:01 AM »

I'm surprised I haven't gotten any false virus warnings about fSekrit - after all, it is compressed (using PECompact), it appends data to the end of the .exe files, and copies/deletes exes... but it does sound like AV programs are getting very bad at false positives lately.
- carpe noctem
Stoic Joker
Honorary Member
« Reply #5 on: January 16, 2008, 06:25:30 AM »

I quit using AV on my development machine because I got tired of it deleting the projects I was working on right after they compiled. <-That drove me nutz for an hour one night.

I've never gotten any FPs with fSekrit either...which is good considering I use it from a ThumbDrive in the field quite frequently. It's got to be one of the coolest little utilities I've ever seen.
jgpaiva
Global Moderator
« Reply #6 on: January 16, 2008, 06:28:49 AM »

Quote from: Stoic Joker
I quit using AV on my development machine because I got tired of it deleting the projects I was working on right after they compiled. <-That drove me nutz for an hour one night.

That'd drive me insane!
AV's are obviously getting dumber by the day. (or viruses are getting smarter and AV's are having a hard time keeping up with them)
justice
Supporting Member
« Reply #7 on: January 16, 2008, 07:28:34 AM »

Quote from: mouser
maybe skrommel just needs to recompile his programs with a new version of ahk..

that indeed solves the problem; it's to do with the executable processor used in some versions of autohotkey that is also used to obfuscate some viruses, therefore avg assumes all software that uses it could be a virus. I've only ever noticed this with AVG btw.
Lashiec
Member
« Reply #8 on: January 16, 2008, 11:43:54 AM »

The guys at AVG have been getting too many false positives for too long; perhaps it's time for them to take a good look at their detection algorithms.

BTW, mouser, you could have added to your reply that, in case of doubt, it's always good to upload a copy of the file to VirusTotal or Jotti's Malware Scan. Although if AVG gets false positives, some of the less capable (and paranoid) scanners used in those sites will flag as infected as well, marked (probably) as generic malware, but marked anyway.
x_qxp
Participant
« Reply #9 on: May 12, 2008, 02:34:31 PM »

i emailed avg about a false positive report on two programs, startclock & another which was called Active Ports. below is the one about startclock.
Avg responded the next day saying it was a false positive & to update; now i get no false positive.

The file Start-Clock.exe inside the rar/zip file is getting reported as a Worm/Autoit.AWP,
avg free 8.0 reports that this file is a Worm/Autoit.AWP, yet i have had it on my puter using avg free 7.5 for a year or so without any problems from avg reporting it as a Worm/Autoit.AWP.
i went to the web URL http://virusscan.jotti.org/ & 12 virus scanners reported the file as found nothing & 7 virus scanners did.
I attached a screen capture of the page at http://virusscan.jotti.org/ showing results.
Thanks,
lanux128
Global Moderator
« Reply #10 on: May 12, 2008, 07:45:05 PM »

Quote from: x_qxp
The file Start-Clock.exe inside the rar/zip file is getting reported as a Worm/Autoit.AWP,
avg free 8.0 reports that this file is a Worm/Autoit.AWP, yet i have had it on my puter using avg free 7.5 for a year or so without any problems from avg reporting it as a Worm/Autoit.AWP.

there is a pattern emerging. av programs look at all compressed EXEs and conveniently flag them as viruses (Worm/Autoit.XXX). now whenever i update AHK, i rename upx.exe so that the AHK compiler doesn't compile scripts as compressed EXEs.

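As an added example (not code from this thread or from the AutoHotkey project), a small Python check a developer can run over a compiled EXE before shipping it or sending it to an AV vendor: it parses the PE section table and reports whether the file still carries the UPX0/UPX1 section names that a UPX run leaves behind, which is exactly what lanux128's renaming of upx.exe is meant to avoid. The sample PE bytes are constructed inline and are not a real executable.

```python
import struct

def build_sample_pe(section_names):
    """Constructed sample: only the headers and a section table of a PE file.
    Enough for the parser below; not loadable as a real executable."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    dos[60:64] = struct.pack("<I", 64)      # e_lfanew: PE signature at offset 64
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes total)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0xE0, 0x102)
    opt = bytes(0xE0)                       # PE32 optional header, contents irrelevant here
    # each section header is 40 bytes; only the 8-byte name matters for this check
    sections = b"".join(n.ljust(8, b"\0")[:8] + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + opt + sections

def pe_section_names(data):
    """Return the section names of a PE image; raise ValueError if it is not one."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size            # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def is_upx_packed(data):
    """True when the section table shows the UPX0/UPX1 names UPX writes by default.
    A renamed-section UPX build would slip past this, so absence is not proof."""
    return any(n.startswith("UPX") for n in pe_section_names(data))

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            packed = is_upx_packed(f.read())
        print(path, "UPX-packed" if packed else "not UPX-packed")
```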
mediaguycouk
Supporting Member
« Reply #11 on: May 13, 2008, 05:58:22 AM »

Sophos has just caught Accents as being Generic Malware-A.

I've sent the program to sophos support.
Learning C# - Graham Robinson
dnm
Charter Member
« Reply #12 on: May 13, 2008, 03:26:41 PM »

There's a larger issue here in that a lot of these AV hits can be valid, in certain circumstances. AutoHotkey is a general purpose (and useful) tool, which means it can also be used by malware authors, especially to do the sorts of things malware often wants to do (and that AutoHotkey is good at): Windows automation! (e.g. hooking the keyboard and capturing passwords, GUI automation, network access, general system scripting, etc.). The AV engines have no way to determine the intent of any given AutoHotkey script, so they may flag them as dangerous.

This is a general problem with multi-purpose tools like AutoHotkey for AV vendors. On one hand there are power users trying to use tools like Skrommel's software, and on the other hand there are other users who are being taken advantage of by malicious users who happen to use AutoHotkey.

I'd argue that malware using AutoHotkey is pretty transparent and easy to find, comparatively speaking (it's not anywhere near as complex as a half-decent rootkit, for instance), but nonetheless, it's useful for both good and bad. I think this is unlikely, but if there are more people complaining about AV flagging AutoHotkey than there are AV vendors finding AutoHotkey-based malware in the wild or getting enough credible reports, then it's more likely they'll take it off their lists, which conversely means it's a more worthwhile tool for malware authors (since it'll go undetected by AV for longer).

There's no easy solution for AV, sadly, other than knowing what's running on your machine.
mediaguycouk
Supporting Member
« Reply #13 on: May 14, 2008, 04:34:30 AM »

Well Sophos got back
Quote
Hi Graham

thank you for your email. The file that you sent to us for analysis was producing a false-positive report which has now been corrected. Please do not hesitate to contact me if I can be of any further assistance.


Regards,

Martin Elliott
Sophos Technical Support
Learning C# - Graham Robinson
lanux128
Global Moderator
« Reply #14 on: May 20, 2008, 01:25:15 AM »

the AHK forumers are creating a letter template to shoot off to any of the AV companies that flag AHK programs as a virus.

An open letter for Antiviral software companies