More false virus warnings in compiled ahk utilities #*(%&*(#*(&#(%

[mouser]

I just sent this as a reply to 2 emails i've gotten recently, reporting viruses in skrommel's compiled ahk utilities (https://www.donation...m/Software/Skrommel/).

"ugh, this antivirus false alarm stuff can be so stressful.
i assure you, there are no viruses in donationcoder.com software.

certain antivirus programs are super paranoid about the "autohotkey",
the language that these programs are written in.  it's incredibly
frustrating when the antivirus tells people it has found viruses.  if
you search the internet for the the alarm it gives you and
"autohotkey" youll probably find a bunch of people cursing out the
antivirus and having the same problem.

which antivirus program are you using by the way?

the utility that gave you the warning is from Skrommel's One Hour
Software page, one way you can know you can trust these is that all of
them you can download the source code version in .ahk form and compile
them yourself.

my advice:
post this observance on the forum if you are still nervous so you can
get opinion of others.  try to find option in your antivirus to not do
"heuristic" or other "guessing" which might be causing it to false
alarm.

i apologize for any scare you might have -- try to see how painful
this is from our perspective when a virus scanning program goes around
telling people it has found viruses in our software.. the only thing i
can tell you is that these kinds of false alarms happen and you should
always use an antivirus program and always pay attention when it says
it finds something -- but never assume that just because it says it
found something that it really did."

[lanux128]

here is a similar thread, AVG "detects" virus in AHK..

• DimSaver being flagged by AVG Anti-Virus Free Edition

[mouser]

maybe skrommel just needs to recompile his programs with a new version of ahk..

[cranioscopical]

Using the latest version of AHK I still get the occasional alarm from AVG about
stuff of my own that I've compiled for personal use. One day's scan flags nothing,
then there's an AVG update and something gets flagged, then there's another
AVG update and the same thing (retrieved from quarantine) passes fine. 

It's annoying and has the effect of lowering the level of trust one places in anti-virus
software in general. That in itself is a dangerous trend.

[f0dder]

I'm surprised I haven't gotten any false virus warnings about fSekrit - after all, it is compressed (using PECompact), it appends data to the end of the .exe files, and copies/deletes exes... but it does sound like AV programs are getting very bad at false positives lately

[Stoic Joker]

I quit using AV on my development machine because I got tired of it deleting the projects I was working on right after they compiled. <-That drove me nutz for an hour one night.

I've never gotten any FPs with fSekrit either...which is good considering I use it from a ThumbDrive in the field quite frequently. It's got to be one of the coolest little utilities I've ever seen.

[jgpaiva]

I quit using AV on my development machine because I got tired of it deleting the projects I was working on right after they compiled. <-That drove me nutz for an hour one night.

-Stoic Joker (January 16, 2008, 06:25 AM)

That'd drive me insane!
AV's are obviously getting dumber by the day. (or viruses are getting smarter and AV's are having a hard time keeping up with them )

[justice]

maybe skrommel just needs to recompile his programs with a new version of ahk..

-mouser (January 15, 2008, 11:06 PM)

that indeed solves the problem, it's to do with the executable processor used in some versions of autohotkey that are also used to obfuscate some viruses, therefore avg assumes all software that uses it could be a virus. I've only ever noticed this with AVG btw.

[Lashiec]

The guys at AVG are getting too many false positives during too much time, perhaps it's time for them to give a good look to their detection algorithms.

BTW, mouser, you could have added to your reply that, in case of doubt, it's always good to upload a copy of the file to VirusTotal or Jotti's Malware Scan. Although if AVG gets false positives, some of the less capable (and paranoid) scanners used in those sites will flag as infected as well, marked (probably) as generic malware, but marked anyway.

[x_qxp]

 i emailed avg about false postive report on two programs  startclock & another which was called Active Ports. below is the one about startclock.
Avg responded the next day saying it was a fasle postive & to update , now i get no false postive.

The file Start-Clock.exe inside the rar/zip file is getting reported as a Worm/Autoit.AWP ,
avg free 8.0 reports that this file is a Worm/Autoit.AWP , yet i have had it on my puter using avg free 7.5 for a year or so without any problems from avg reporting it as a Worm/Autoit.AWP.
i went to web urL http://virusscan.jotti.org/ & 12 virus scanners reported the file as found nothing & 7 virus scanners did.
I attached a scrn capture of the page at http://virusscan.jotti.org/ showing results.
 ThanKs,

[lanux128]

The file Start-Clock.exe inside the rar/zip file is getting reported as a Worm/Autoit.AWP ,
avg free 8.0 reports that this file is a Worm/Autoit.AWP , yet i have had it on my puter using avg free 7.5 for a year or so without any problems from avg reporting it as a Worm/Autoit.AWP.

-x_qxp (May 12, 2008, 02:34 PM)

there is a pattern emerging. av programs looking at all compressed EXEs and conveniently flag them as viruses (Worm/Autoit.XXX). now whenever i updated AHK, i'm renaming upx.exe so that AHK compiler doesn't compile scripts as compressed EXEs.

[mediaguycouk]

Sophos has just caught Accents as being Generic Malware-A.

I've sent the program to sophos support.

[dnm]

There's a larger issue here in that a lot of these AV hits can be valid, in certain circumstances. AutoHotkey is a general purpose (and useful) tool, which means it can also be used by malware authors, especially to do the sorts of things malware often wants to do (and that AutoHotkey is good at): Windows automation! (e.g. hooking the keyboard and capturing passwords, GUI automation, network access, general system scripting, etc.). The AV engines have no way to determine the intent of any given AutoHotkey script, so they may flag them as dangerous.

This is a general problem with multi-purpose tools like AutoHotkey for AV vendors. On one hand there are power users trying to use tools like Skrommel's software, and on the other hand there are other users who are being taken advantage of by malicious users who happen to use AutoHotkey.

I'd argue that malware using AutoHotkey is pretty transparent and easy to find, comparatively speaking (it's not anywhere near as complex as a half-decent rootkit, for instance), but nonetheless, it's useful for both good and bad. I think this is unlikely, but if there are more people complaining about AV flagging AutoHotkey than there are AV vendors finding AutoHotkey-based malware in the wild or getting enough credible reports, then it's more likely they'll take it off their lists, which conversely means it's a more worthwhile tool for malware authors (since it'll go undetected by AV for longer).

There's no easy solution for AV, sadly, other than knowing what's running on your machine.

[mediaguycouk]

Well Sophos got back

Hi Graham

thank you for your email. The file that you sent to us for analysis was producing a false-positive report which has now been corrected. Please do not hesitate to contact me if I can be of any further assistance.


Regards,

Martin Elliott
Sophos Technical Support

[lanux128]

the AHK forumers are creating a letter template to shoot off to any of the AV companies that flag AHK programs as a virus.

• An open letter for Antiviral software companies