AVG vs TicTocTitle

[sazzen]

AVG runs a scan daily on my computer. When I checked yesterday's test results I found it had listed TicTocTitle.exe as a virus and deleted it from the system.    Since they locked me out of the forum a couple of years ago, I don't know how to report a false positive to them.  I just thought someone here should know and wondered if anyone else had the same experience.

[Paul Keith]

they locked me out of the forum a couple of years ago

I don't mean to offend but when a forum does this especially a security related one, isn't it time to switch products?

Thanks for the heads up though.

[mouser]

im so sick of these antivirus false alarms on programs built with the autohotkey scripting languages.  in more reasonable times the ahk villagers would get torches by now and burn down these antivirus headquarters and i'd bring the matches.

[lanux128]

in more reasonable times the ahk villagers would get torches by now and burn down these antivirus headquarters and i'd bring the matches.

-mouser (September 24, 2008, 05:53 PM)

nice analogy but i agree.

[city_zen]

I uploaded TicTocTitle.exe to Virustotal.com to see if any other AV gave a false positive of the file.
Link to the results: http://www.virustota...f3821494004e279a7395

3 out of 36 AVs detected it as at least a suspicious file. But AVG was not one of them. Maybe they use a different version than sazzen.

[nite_monkey]

Is it flagging it because ahk uses upx to compress the exe? I've had a program in the past that avast came up saying it had a {upx:somethingrandom} virus, and it was compressed with upx

[lanux128]

even without the upx compression, some av vendors will flag it down as 'AutoIt.Worm/32' or something like that.

[sazzen]

I uploaded TicTocTitle.exe to Virustotal.com to see if any other AV gave a false positive of the file.
Link to the results: http://www.virustota...f3821494004e279a7395

3 out of 36 AVs detected it as at least a suspicious file. But AVG was not one of them. Maybe they use a different version than sazzen.

-city_zen (September 25, 2008, 12:51 AM)

FIRST THE UPDATE: This morning AVG deleted WhatColor.exe from my system.

The page you cited was last updated Sept 24. AVG deleted TicTocTitle on Sept. 23. I went to their site and hour ago to find this - Updated Sept. 28: "Added detection of new variant of Worm/Autoit, new variants of trojans Backdoor.Hupigon, VB, Proxy."

As I was writing this I returned to the page and it is gone, replaced with something else. It is also gone from the download update page. It was there just a few minutes ago!

They are  probably using AVG 8. I am still clinging to 7.5 but virus definitions shouldn't be any different. Should they?

Anyway, if it is helpful to anyone, they call the TicTocTitle virus Worm/Autoit.DCX. They call the WhatColor virus Worm/Autoit.DJV.

[sazzen]

Another thought occurs.  No one else - here - seems to have had this happen. I know I can't be the only one with these two DonationCoder programs who uses AVG. I am not very smart about viruses, can they come from out of the blue, a website, the skies, the devil or whatever and attach themselves to innocent files? 

[mouser]

I apologize for the late reply -- shame on me and the rest of us for not responding to this sooner.

While viruses so in fact infect and attach to innocent files, that's not what's happening in this case.  Over time as you get more expeienced in such thigns you'll develop a better feeling for when something is likely to be a false alarm.  The fact that these were the only programs on your pc that were alerting is a good sign that it's a false alarm.

A *great* thing to do is upload the file to an online virus checker like http://www.virustotal.com/ as was mentioned above.  If only a couple indicate it, it's probably a false alarm.  Never ignore such false alarms but always treat them with a grain of salt.

What i want to encourage skrommel and other ahk coders to do is
1) encourage the ahk developers to be more aggressive in making antivirus companies stop these false alarms
2) set up an automated procedure for recompiling their ahk exes with new versions of ahk when it comes out to at least make it easier to update.

[f0dder]

Another thought occurs.  No one else - here - seems to have had this happen. I know I can't be the only one with these two DonationCoder programs who uses AVG.

-sazzen (September 29, 2008, 05:34 PM)

Wouldn't be surprised if there's several people here who use AVG, but don't pay much attention to warnings about DonationCoder software... especially for AHK tools, since there's been several posts about false virus alarms.

[sazzen]

Wouldn't be surprised if there's several people here who use AVG, but don't pay much attention to warnings about DonationCoder software... especially for AHK tools, since there's been several posts about false virus alarms.

-f0dder (October 21, 2008, 04:34 AM)

It was impossible to ignore. AVG deleted both programs - without warning and without using quarantine. They are gone forever.

[mouser]

AVG deleted both programs - without warning and without using quarantine.

that kind of behavior by irresponsible antivirus programs is what infuriates me.  TOTALLY unacceptable.

[ewemoa]

FWIW, I've had AVG say that it has gotten rid of a file (sorry, I don't remember the exact message), but usually I've managed to find it in the Virus Vault (this is w/ AVG Free 7.5) [1] -- these days I just don't have the Resident Shield portion enabled all of the time.  I was pretty annoyed when it (seemingly -- my memory of this is fuzzy) moved files to the Virus Vault w/o giving me any choice in the matter.  I guess I'll try to pay more attention in the future -- I know, I'll use ScreenshotCaptor   [2]

I just tried the "Scan with AVG" menu item from a Windows Explorer context menu on locally compiled versions of:

• TicTocTitle
• TheEnd
• ReFocus
• RecentRun
• PutAside
• LabelControl
• GoneIn60s

The result was "No threats found" -- (I wonder whether it'd make any difference, but I didn't specify custom icon files).

(In AVG Free 7.5, perhaps it's possible to add specific exceptions for future processing, but I haven't managed to determine how so far...)


[1] It's really fond of picking on a 7 zip sfx file

[2] No wait, I need an app to be semi-continuously taking screenshots of my desktop -- and perhaps automatically deleting screenshots that are older than say an hour ago...like an airplane's black box or something.