It's time to do something about these AutoHotkey antivirus false positives

[mouser]

I am fed up with these repeated ridiculous false positive antivirus triggers on autohotkey programs.

They help no one, except to the extent that they demonstrate the irresponsibility and laziness of these antivirus programs.

For those who aren't familiar with the problem I will summarize it:

• AutoHotkey is a popular scripting language for MS windows which allows people to write very cool utilities.
• Like any other programming language there is always some idiot that uses the language to write some malware program.
• But unlike other programming languages, the antivirus companies tend to not be familiar enough with autohotkey (or else to lazy to care), and when they find one of these malware programs, they add a new signature to their database which ends up marking EVERY program written in autohotkey as having a virus.
• Eventually after enough people are completely freaked out by the false alarm, and scared to death that they have a virus, and after dozens of complaints from authors, the antivirus company will inevitably remove the bad signature from their database, and things go back to normal (except for the fact that they've scared a number of people off of ever using autohotkey).
• BUT, then a new version of autohotkey comes out, and these damn antivirus companies get amnesia again, and repeat the process all over again right from the start.
• This cycle of false alarms has been going on for a couple of years now and in my opinion it is starting to cause irreparable harm to the autohotkey community.

I keep waiting for these companies to clean up their own mess but they never do.

I'd like to begin a more organized process to petition these antivirus companies to take this issue more seriously and behave more responsibly.  I don't know how much effort the official autohotkey developers have spent trying to get this issue addressed -- but this is something that really needs to be solved.  Perhaps greater communication with higher up engineers in the antivirus companies can ensure that they have proper ahk signatures of each new version included in their known-safe whitelists which would prevent them from erroneously marking generic ahk scripts as malware.

I'd like to ask ahk users and developers to organize an effort to reach out to the antivirus companies and establish a line of communication and not give up on this until it gets resolved.  DC stands ready to help in any way we can.

[mouser]

I posted on the ahk forum as well, here: http://www.autohotke...ewtopic.php?p=223437

[Deozaan]

My name is Deozaan and I approve of this statement.

[jgpaiva]

As an ahk developer, I appreciate your efforts, mouser, but honestly, I don't think there's much to be done...
Your words are very true, more than once I've been put off from updating GridMove because of these false alarms.
Still, it's good to see that more and more people are being critic againts these false alarms and reporting them instead of assuming they're right.
Truth is, while those can distinguish a virus from a stupid warning, many many more just ignore the program.

[mouser]

but honestly, I don't think there's much to be done...

If i had to guess, i'd say that the problem could be solved by a concerted effort to make the right contacts at the antivirus companies.  My guess is that they have whitelisted applications that they test with new virus definitions to avoid false positives.  And that the solution is for the AHK main coders to make sure that before releasing a new version of AHK they get it into the hands of the antivirus companies.  But this will take some effort on their parts.

[wr975]

AFAIK it's not about AHK, but the compression used when compiling. Uncompressed AHK exes shouldn't be affected. AHK's compiler is a left over from AutoIt, so I don't think something will change soon.

[mouser]

AFAIK it's not about AHK, but the compression used when compiling. Uncompressed AHK exes shouldn't be affected. AHK's compiler is a left over from AutoIt, so I don't think something will change soon.

There is one flaw in that reasoning.. the false positives always stop after some complaints, but then re-emerge on the next release of ahk.  So it does seem to be version-specific to the ahk releases, at least it seems that way to me.

[nosh]

I also suspect it's to do with UPX compression, AHK dumps upx.exe in its 'compiler' folder - perhaps they use the latest version everytime it's available & reverse the whitelisting in the process?

If this is true AHK authors could avoid false positives by using an older UPX that has been whitelisted, I suppose it should work unless ahk2exe has started using some new switch only available to the new version, one could also consider rolling back ahk2exe and whatever else is used for compiling in case of incompatibilities.

[lanux128]

the thing about the UPX compression is only partially true. when the script is compiled with upx compression, AV will still mark it as a malware only a slightly different type of malware. check out this thread here.

i've tried compiling my script without upx and also avoid compiling with the latest version of AHK unless it is absolutely necessary but to no avail. i agree it's time we make a concerted effort to make ourselves more vocal. if not, we may end up having to put a big sticky saying our software are free of malware all over the forums in an effort to convince everyone.

[mouser]

Our own app103 wrote a nice essay about this with some good links on her blog:
http://cranialsoup.b...-worm-or-trojan.html

[jdmarch]

No problems with AHK and Eset Nod32 AV

[mouser]

yeah i must say eset nod32 has never false alarmed on an ahk in the years i've been using it.  thumbs up to eset nod32 

[Davidtheo]

yeah i must say eset nod32 has never false alarmed on an ahk in the years i've been using it.  thumbs up to eset nod32 

-mouser (December 22, 2008, 11:22 PM)

Mouser Can you send me some programs written in this language I would like to test them with our Antivirus program and see what happens.

I would prefer some programs from different versions so we can do a wide amount of tests.
 

[mouser]

David,

There are DOZENS of ahk scripts on skrommel's page, both in their native ahk form and in the compiled exe form that tends to set off the antivirus alarms, a perfect page of downloads to test against:
https://www.donation...m/Software/Skrommel/

[Davidtheo]

David,

There are DOZENS of ahk scripts on skrommel's page, both in their native ahk form and in the compiled exe form that tends to set off the antivirus alarms, a perfect page of downloads to test against:
https://www.donation...m/Software/Skrommel/

-mouser (December 30, 2008, 02:13 AM)

I have run some of the scripts on skrommels page and non of them got flagged by our Antivirus Software as viruses, I do welcome you or anyone else to try for yourself and let me know if you find anything, you can download the software from http://www.kingsoftr...ch.com/download.aspx . I am also still doing some testing on other scripts on that page.