VirusTotal marking each and every AutoHotKey exe as Virus !!

[anandcoral]

Well for last few days, I am trying different combination of making exe to satisfy VirusTotal.

Refer https://www.donation....msg434859#msg434859 of my NANY 2020 app Apps You Forgot.

No matter how I code or create the exe from AutoHotKey, VirusTotal is always marking 4 to 9 engines detected virus. I checked my earlier NANY apps and they are also marked now more than 10 engines.

Even without any exe packer, they are marked as virus warnings. I even checked many packers, older and newer, for confirmation, but all are marked not okay.

Then I checked ISMONISM https://www.donation....msg434768#msg434768, which Winkie is providing source code also (many thanks to him for this kind gesture), knowing very well that there is no bad code (we can see the codes) and it is non-packed exe. But alas it is also marked 4 engines virus !
https://www.virustot...db0405bba0/detection
I used Winkie's code as it is also written in AutoHotKey and source code is also provided for all to see.

So what should I do ?

I normally mention below in my app's websites and continue, as otherwise I can not create exe in AutoHotKey now.

[Select]

Anti-Virus reports malware (what to do?) :

Delete the exe and it's folder. There is nothing we can do as this is false alert and we do not have resource to request all Anti-Virus companies to update their database. Similar problem is faced by small developers worldwide, check below links,

Nir's Blog

You can see the last scan result of the exe from Virus Total web site and will find that major Anti-Virus report it as clean.

I am adding few features to my app "Apps You Forgot", but devoted more time to understand why VirusTotal  is jumping on simple AutoHotKey codes. Looks like we have to live with it.

Regards,

Anand

[BGM]

anandcoral, I was having trouble compiling my Systemus - which is also in autohotkey.  I had to add the ahk2exe application to the exclusion list for MSE in order to compile.  I've never had to do this for any autohotkey program before.  I suspect something has been changed in the recent virus definition lists.

[anandcoral]

Yes, I have also faced many problems using AVG along with irritating focus capturing popups, and have stopped all and use only Win Defender now.

So compile is passed but results of VirusTotal is problem for us now 

Regards,

Anand

[BGM]

Last year, @oblivion told me he had my TextWorx reclassified by EMSI Antimalware.  He had to email it to them, and they reclassified it.  TextWorx is ahk, too.

[publicdomain]

Well, the ultimate answer is to do an AHK transpiler to a technology that outputs "Antivirus-friendly" executable files.

i.e. AHK => C# or VB.NET => Compiled .exe file, indistinguishable from other native programs 

https://en.wikipedia...e-to-source_compiler

[mouser]

The ultimate answer should be for these antivirus companies to STOP doing this.. it's kind of outrageous and irresponsible.

[BGM]

Well, I am betting that the antivir companies have not actually tried or inspected the programs that are getting flagged.  Our NANY apps are all brand new and have no history at all.  Scanning them using standard methods may indeed trigger something that is false positive but would not trigger on a program that has the same qualities but has been reviewed.  That being said, how many programs get published all the time and how many get reviewed by antivir companies.  That being said, who knows what a NANY app will do to your computer - unless you trust the coder (which by the way is a unique quality of NANY apps - the coders have reputations on the site).  The app is new and often even untested and sometimes unfinished.  It's easy to see why antivir apps would find fault with them until the apps are actually submitted to get reclassified.

However, I am unconcerned about whether people use my apps or not.  I love it when they do, but if they don't, I will continue living my life.  Therefore, I am not going to care very much if my apps get flagged, and I am not going to chase antivir companies to reclassifiy my apps.  I love making apps and I love sharing them, and I hope people enjoy using them.  But, well, there you have my not-so-humble opinion about it all.  [I'm just blathering so I can get my number-of-posts number to increase]

[mouser]

Yes, it's understandable for antivirus programs to be skeptical of new apps, BUT the thing that is so unfair is:

1. They tend to blanket label ALL AHK written programs as dangerous, which is ridiculous and lazy.  I don't use AutoHotkey but I think it's absolutely outrageous that they do this, they are causing huge pain for coders who do.

2. They are not being truthful to users when they flag the programs.  If they popped up a message that said "This program was written in a language that we can't analyze well so we can't tell if it's dangerous" that would be one thing, but instead they inevitably pop up some obtuse message that makes the user think the antivirus program actually discovered something malicious.  IF AHK had lots of money behind it they might be able to sue these antivirus companies into not maligning their software.. but it's hard to see any incentive for the antivirus companies to shape up.  The only other leverage is for reviewers of antivirus companies to start calling them out on their bullshit.

[BGM]

[BGM shuts up]

[mouser]

What you say about trust is also true -- everyone needs to be skeptical and wary of any executable made by someone you haven't built up trust in.  In those cases, having source code goes a long way.

[publicdomain]

Hey! I agree & stand corrected!

It should read:

Well, the ultimate *TECHNICAL* answer is to do an AHK transpiler to a technology that outputs "Antivirus-friendly" executable files.

-publicdomain (January 19, 2020, 02:44 PM)

You are correct in your points regarding the proper way for the AV companies to deal with this scenario; actually taking the coders into consideration

[Target]

and its not like this is news, it's been like this for years.  Clearly there's something that needs to change, but we're not seeing any activity from either side of the fence here...

[Deozaan]

Unfortunately, the result of this abuse by these anti-virus companies is that the average person who uses a computer will see the virus scanner pop up a big, scary, red warning about the "dangerous and malicious software" they just downloaded and just say "Oh wow! That was close. This anti-virus saved me from having my computer hacked!" and then they'll pay for another year subscription to some software that is not only virtually completely useless but also worsens their computer's performance.

. . . And that's if they can get past their browser's attempts to block them from downloading (or keeping) the file in the first place.

[KodeZwerg]

Since the stuff AHK is able to do it should stay permanent as a virus/trojan/alert.
Just my humble opinion.
As always you can "trust" them after testing things out.
If you want "virus-free**", simply code the mechanism by yourself or ask how-to and you get help.
Another way would be to self-sign the .exe, than users get a "non-valid" signature warning instead of a possible infected file warning.
Or finally buy a real signed license for each .exe you give away...

** in no way i do mean that AHK is virus, but the abilities are in such a wide range, doing positive or negative things...

[anandcoral]

** in no way i do mean that AHK is virus, but the abilities are in such a wide range, doing positive or negative things...

-KodeZwerg (January 20, 2020, 06:01 AM)

Ahh..do not demean C++ and all weather VB6
They have the power to surpass AHK in all pos/neg departments. It is only that coding in AHK is easy and creates smallest (comparatively) exe. And yes Ant-Virus do respect MS created or adopted exe(s).

[Select]

One good example is SysInternals. In the past, their psexec.exe tool that can be used to execute code on remote machine, was detected as Virus by some Antivirus programs, but today, when SysInternals is a part of Microsoft, All Antiviruses show it’s clean, as
you can see from this VirusTotal report.

Read more at http://blog.nirsoft....to-small-developers/
And yes DC also tried its best for AHK https://www.donation...forum/?topic=15210.0

Regards,

Anand

[BGM]

Since the stuff AHK is able to do it should stay permanent as a virus/trojan/alert.

-KodeZwerg (January 20, 2020, 06:01 AM)

That is the case with any and all programming languages.

[Nod5]

Incorrect AV warnings against compiled AutoHotkey programs suck. It has been like this on and off for a long time. Not much individual coders can do about that I think. Something needs to change in the AV sector. But it probably won't.

[anandcoral]

Total Commander download page show below,

VirusTotal marking each and every AutoHotKey exe as Virus !!

Look like we will have to live with it and show something similar in our download pages. 

Regards,

Anand

[BGM]

Just for giggles, I took a look at my Systemus program in PE Studio.

It was marked as a trojan by 36 of 73 authourities via VirusTotal.
However, look who marked it clean:
Kaspersky
Malwarebytes (and I did this test myself, too)
Avast
ClamAV
and a few others.

Interesting!  Just thought I'd give the non-false-positive credit to those guys.

[tomos]

Firefox, using what they call "Google Safe Browsing" is blocking the AHK download page (https://www.autohotkey.com/download/1.1/) with warnings, here one:

www.autohotkey.com has been reported as containing harmful software. You can ignore the risk and go to this unsafe site.

also

The site ahead may contain harmful programs
Firefox blocked this page because it might try to trick you into installing programs that harm your browsing experience (for example, by changing your homepage or showing extra ads on sites you visit).

I didnt find much online and nothing on that google page about reporting false positives. I'm presuming the site hasn't been hacked -- I downloaded more recent version 1.1.32.00 and it is no threat according to MSE.  EDIT// sorry bout that: there was no content in the zip file I scanned :-/ will look elsewhere for a portable version... //EDIT

[wraith808]

Is there no content because your browser removed it?  I've seen that happen before.  On the site, it's showing as 4.8MB so there definitely should be something inside it.  I downloaded it, and there's something there.  I'm scanning it now.

UPDATE: Nothing found in it, and mine definitely had the files for the portable AHK in it.

UPDATE2: So apparently the owners of the Autohotkey site have to report it for google to fix it according to https://developers.g...acked/request_review.  I was thinking about reporting it at https://safebrowsing...eport_badware/?hl=en and putting in the comments that it's not malicious, but not sure if that would get in the way of the process.

[tomos]

Is there no content because your browser removed it?  I've seen that happen before.

-wraith808 (March 06, 2020, 10:09 AM)

that's the only possibility I can think of.
Firefox 73.0.1   

Did get portable zip elsewhere (Softpedia) and it scanned clean.

EDIT// downloading from the first links (installer or zip) is okay. I clicked on the lower link (Autohotkey 1.1*) and got the warning -- they have a warning though about the warning :-/ which I hadnt notice earlier...
VirusTotal marking each and every AutoHotKey exe as Virus !!
//EDIT