AntiVir False Positives with EXE made with AHK 1.0.46.08


24 replies to this topic
Dragyn
  • Members
  • 14 posts
  • Last active: Mar 05 2007 06:35 PM
  • Joined: 14 Aug 2005
Just an FYI, never saw this in previous versions of AutoHotkey's compiled executables. The virus was added to AntiVir last year in August, so I'm pretty sure it's a change in AutoHotkey.

The virus reported to be found is:
TR/AutoIt

This is with the latest free home version of AntiVir http://www.free-av.com/

I'm guessing that some specific byte code that AntiVir is using to identify the AutoIt Trojan is being identified in executables generated with the latest version of AutoHotKey. (Since AutoHotkey is an AutoIt derivative I believe, that makes some possible sense?)

For now I set an exception in AntiVir to not scan my AutoHotKey generated EXE files, but that always makes me nervous in case they did get infected with some other virus in the future.

Not sure if there's anything you can do about it, or if it's something AntiVir has to adjust (or if you could help them with what they need to fix) but thought I'd post here as an FYI.

Chris
  • Administrators
  • 10727 posts
  • Last active:
  • Joined: 02 Mar 2004
I think the best thing to do is for a customer to contact the company and notify them of the false positive. Although this isn't a bug in AutoHotkey, I can understand your rationale for posting in the Bugs forum.

Thanks.

Dragyn
  • Members
  • 14 posts
  • Last active: Mar 05 2007 06:35 PM
  • Joined: 14 Aug 2005
Posted in the AntiVir forums also and sent in a sample exe to their 'suspicious files' e-mail. Of course since no other product has such amazing support from the author like AutoHotkey does, we'll see when/if I get a reply from them. Thanks Chris!

Grumpy
  • Guests
  • Last active:
  • Joined: --
It is not the first false positive from this anti-virus against AutoHotkey, a quick search on the forum should show this...
Note it is not the only one overreacting. I installed PC-cillin at my work (official anti-virus) and it just classified an archive with the official IE7 install package (not yet installed...) as containing a "generic trojan" (sic). It put the file in quarantine... :-(

Dragyn
  • Members
  • 14 posts
  • Last active: Mar 05 2007 06:35 PM
  • Joined: 14 Aug 2005
Got the false positive confirmed and they said they should fix it in one of the next updates.

"We could not find a virus in the attachment you have sent us.
This is a false positive. We will take out the pattern recognition in one of our
next updates."

n-l-i-d
  • Guests
  • Last active:
  • Joined: --

and it just classified an archive with the official IE7 install package (not yet installed...) as containing a "generic trojan" (sic).


That is because it is one... :p

Good to see that AntiVir sped up its replies/service. I reported false positives a couple of times already, but I have been very disappointed with their response time so far...

Gast
  • Guests
  • Last active:
  • Joined: --
I have the same problem but another answer from AVIRA.

The message from Avira:

Dear Sir or Madam,

Thank you for your email.

In the file you sent us, we have discovered a new virus.
Its detection characteristics are now being added, so that it will be detected as TR/Autoit.AE with one of the next updates.

Thank you for your help in improving virus protection.

Thanks for your email.

We have found a new virus called TR/Autoit.AE in your compiled file.
The VDF file will update soon to find this virus.

Sorry for my bad English.

I hope they will find a way to delete the virus.

Please don't use WOWsuche.exe. This is the infected file; I deleted the file from the webserver. If you use it, please delete it and scan your system.

daonlyfreez
  • Members
  • 995 posts
  • Last active: Jan 23 2013 08:16 AM
  • Joined: 16 Mar 2005
It may well be that this WOWsuche script is malicious, but I get this with a compiled script with nothing but a msgbox as well. :x

Which is a bit too strict.

"TR/Autoit.AE" and then "No description was found matching your research criteria. "

What irritates me too is that you can choose "Ignore" what you want, the alert will still popup :x

Gast
  • Guests
  • Last active:
  • Joined: --
Hi

I have installed AHK anew; the Trojan is deleted now. I think it is placed in the Compiler.src file. The file was a little bit bigger than the original after reinstalling AHK.

I made the post because I got the mail from Avira.

WOWsuche is a script to find quests on websites for WOW. It is placed at the top of the screen in window mode and you can simply search for quest descriptions on the Internet.

The Trojan is now deleted and the file is clean.

Update Avira and reinstall AHK, and the Trojan will be deleted.

Gast
  • Guests
  • Last active:
  • Joined: --
Sorry, I mean the AutoHotkeySC.bin, not .src

n-l-i-d
  • Guests
  • Last active:
  • Joined: --
You are right, updating AHK and recompiling works. Probably Avira detects signatures of previous versions of AHK, still too strict.

jballi
  • Members
  • 1029 posts
  • Last active:
  • Joined: 01 Oct 2005
This antivirus "problem" is no big deal... until it happens to you!

AVG just updated their signatures and who woulda thunk, some pattern from the AutoHotkeySC.bin file in AHK v1.0.46.08 was tagged as a trojan. I was in antivirus hell until I upgraded AHK to v1.0.46.09 and recompiled a few scripts. What a pain in the butt! :evil:

I just spent the last 30 minutes trying to track down a place to report false positives to AVG but couldn't find jack squat. I'm usually pretty good at finding this stuff.

:?: Does anyone have a web address or email address to report false positives to AVG? :?:

Thanks in advance for your assistance.

corrupt
  • Members
  • 2558 posts
  • Last active: Nov 01 2014 03:23 PM
  • Joined: 29 Dec 2004

:?: Does anyone have a web address or email address to report false positives to AVG? :?:

Thanks in advance for your assistance.

I'm not sure but this might be a place to start. http://forum.grisoft.cz/freeforum/

leucocytor
  • Members
  • 2 posts
  • Last active: Dec 21 2006 09:05 AM
  • Joined: 30 Oct 2006
FYI I had the same kind of problem this afternoon and I got rid of it simply by recompiling my exe with the last AutoHotkey release (AHK v1.0.46.09)

I hope this sea snake will not go back at the surface in a couple of weeks.

jballi
  • Members
  • 1029 posts
  • Last active:
  • Joined: 01 Oct 2005

I think the best thing to do is for a customer to contact the company and notify them of the false positive.

Created a post on the AVG Free forum: http://forum.grisoft.cz/freeforum/. Thank you corrupt for the address. Hopefully they will identify and resolve the issue so that this "sea snake will not go back at the surface in a couple of weeks."


Edit: I was informed by the moderator at the AVG Free forum that posting this kinda stuff on that forum wouldn't do much good. He/she gave me instructions which can be found here: http://forum.grisoft...ead.php?4,93902