Enough with the UPX packed virus false alarms -- ENOUGH
Every month the new false positives start coming in and people freak out thinking we are serving up malware because of the false positive alerts on compiled AHK scripts.
I'm exhausted from having to put out these false positive alarm fires every %&(*% month.
I'm exhausted from all of these websites warning people that our site hosts malware, and contacting them and fixing it and then having it happen all over again the next month.
I've fought against these irresponsible antivirus companies and always felt like "why aren't the AHK people doing more to address this recurring problem".. maybe you guys are trying to get this solved, I don't know, but as much as we love AHK on donationcoder, this is just getting ridiculous, and it has to stop.
If these recurring false positives always have to do with UPX-packed apps being flagged as malware, then STOP packing compiled ahk's with UPX. As soon as humanly possible.
If you want to make some option to do it with a huge warning that using this will very likely guarantee that your application is going to be flagged as a virus in a few weeks, fine.
But in my opinion, until someone puts a stop to this farce of false positives, the UPX packing when compiling ahk executables should cease immediately.
Again, I apologize for the tone -- we love AHK at donationcoder, I'm just at my wits' end dealing with this stuff over and over and over and seeing our site show up in warnings for serving malware and having it always be ahk applications that are causing it. I know it's not AHK's fault, I know it's the antivirus companies being retarded. But let's fight and get them to stop doing this, or else do the one thing that you do have control over -- stop packing with upx.
sincerely, and with love for AHK,
-mouser from donationcoder.com
And of course, distribute your script, not the compiled exe :-) The average donation coder has AHK installed anyway, don't they?
See also http://www.autohotke... ... sc&start=0
and several threads related to virii and UPX on the forum.
Just to clarify, there is only one: Chris. Other people are working on other versions of AHK, but these are not "official"; some features of these other versions find their way into the official release, afaik.
Have you ahk people
yeah, we've already posted instructions on our forum for coders on how to delete/rename the upx executable.
it's excellent that this can be done so easily (though they need to remember to do this every time they update).
But it does mean that we have to go around every time someone uploads or posts a compiled ahk script, download it, check it, and then educate them about this issue and get them to rebuild and re-upload, and do that on a constant basis.
Since this happens so regularly, and so predictably, and so consistently, I really think this should be changed to not be default behavior in ahk.
Chris has done an amazing job with it.
And that's why this is so frustrating to me.. I'm just begging Chris and others at AHK to make a higher priority of figuring out a way to stop these false positives -- by any means necessary.
by any means necessary.
I assume you are aware you can simply remove UPX from the compiler directory, and your own scripts are no longer compiled with UPX.
also: any language can cause false-positives. you can't stop them 100%. it just depends on how anal the AntiVirus program is.
And of course, distribute your script, not the compiled exe
any language can cause false-positives. you can't stop them 100%.
this is true enough -- but does not address the fact that compiled ahk programs are consistently, reliably, and almost without exception declared (falsely) to be viruses, over and over again, month after month, year after year.
it would be comical if not for the fact that it causes so much stress to novice users and increasingly leads to web-based trust rating sites marking a website as hosting malware.
no one can prevent antivirus companies from occasionally marking a program as malware.
but the situation we have now is that compiled AHK utilities are *ALWAYS* marked (falsely) as viruses and trojans, nearly 100% of the time. (not on their initial release but always a few weeks after they have been in the wild).
this is what has to stop.. the ahk community's open letter and our own efforts to wake up the antivirus companies do not seem to be having an effect, and it's not within our power to force them to.
what i'm asking is that AHK realize how serious a problem this is and take this seriously enough to try to do something about it on this end, during the building of the compiled ahk scripts.
EndGunner has a list of some false positive forum posts:
http://www.autohotke... ... 027#140027
DerRaphael's Open Letter to AV companies initiative:
http://www.autohotke... ... px&start=0
File deadly_virus.exe received on 2010.01.08 22:02:11 (UTC)
Only two of the engines reported a detection:
  Antiy-AVL (2010.01.08): Trojan/Win32.Vapsup.gen
  McAfee-GW-Edition 6.8.5 (2010.01.08): Heuristic.BehavesLike.Win32.Packed.C
No detection from: a-squared, AhnLab-V3, AntiVir, Authentium, Avast, AVG, BitDefender, CAT-QuickHeal, ClamAV, Comodo, DrWeb, eSafe, eTrust-Vet, F-Prot, F-Secure, Fortinet, GData, Ikarus, Jiangmin, K7AntiVirus, Kaspersky, McAfee, McAfee+Artemis, Microsoft, NOD32, Norman, nProtect, Panda, PCTools, Prevx, Rising, Sophos, Sunbelt, Symantec, TheHacker, TrendMicro, VBA32, ViRobot, VirusBuster.
Additional information
  File size: 207261 bytes
  MD5...: 1505065f6558b18d792793bfbbd1d48a
  SHA1..: a017cfabc6782c3725713fcbab3c86067af17d5e
  SHA256: 3ac19630b45c0949c36bfb311406898b808c5b0b41fb4ebdd05f8553092b8fc4
  ssdeep: 6144:mCbitvA8lUcv6Jvr03OWAgCC7RSKDkoShu:mC+tvA8pv6e3OSCCFSKDkoSA
  PEiD..: -
PE structure information
  entrypointaddress: 0x71ed0
  timedatestamp....: 0x49fde251 (Sun May 03 18:28:33 2009)
  machinetype......: 0x14c (I386)
  3 sections:
    name   viradd   virsiz   rawdsiz  ntrpy  md5
    UPX0   0x1000   0x41000  0x0      0.00   d41d8cd98f00b204e9800998ecf8427e
    UPX1   0x42000  0x31000  0x30c00  8.00   6cd9aa2547f27ae976665aae461e8c77
    .rsrc  0x73000  0x2000   0x1800   4.79   5ae503e98038550ace366a5d500b6507
  12 imports:
    KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
    ADVAPI32.dll: RegCloseKey
    COMCTL32.dll: -
    comdlg32.dll: GetOpenFileNameA
    GDI32.dll: BitBlt
    ole32.dll: CoInitialize
    OLEAUT32.dll: -
    SHELL32.dll: DragFinish
    USER32.dll: GetDC
    VERSION.dll: VerQueryValueA
    WINMM.dll: mixerOpen
    WSOCK32.dll: -
  0 exports
  RDS...: NSRL Reference Data Set -
  packers (Kaspersky): UPX
  packers (F-Prot): UPX_LZMA
sigcheck: publisher n/a, copyright/product/description/original name/internal name empty, file version 1, 0, 48, 03, comments n/a, signers -, signing date -, verified: Unsigned
pdfid.: -
trid..: UPX compressed Win32 Executable (39.5%), Win32 EXE Yoda's Crypter (34.3%), Win32 Executable Generic (11.0%), Win32 Dynamic Link Library (generic) (9.8%), Generic Win/DOS Executable (2.5%)
and here is the AHK file (compiled as deadly_virus.exe):
#NoEnv ; Recommended for performance and compatibility with future AutoHotkey releases.
SendMode Input ; Recommended for new scripts due to its superior speed and reliability.
SetWorkingDir %A_ScriptDir% ; Ensures a consistent starting directory.
#SingleInstance force
CoordMode, mouse, screen
#InstallKeybdHook ; keyboard and mouse hooks installed deliberately, so the exe uses them
#InstallMouseHook
j:: ; hotkey: pressing "j" shows the message box, then clicks and sends a key
msgbox, I AM A DEADLY VIRUS!, DETECT ME YOU CRAPPY ANTIVIRUS PROGRAMS, OR YOU FAIL!`n`n Click OK to feel my wrath!
click, 92, 412
send, P
Return
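As an added, defender-side example (not from this thread, and not AutoHotkey's or UPX's code): a Python check that reads a PE section table and reports exactly the signs the scan report above shows (UPX0/UPX1 section names, a section with virtual size but zero raw bytes, entropy near 8.0), the kind of automated check a site admin could run on uploaded compiled scripts instead of downloading and inspecting each one by hand. The 7.0 entropy cut-off is an assumption, and the sample PE it builds is constructed to mirror that section layout; it is not the posted binary.

```python
import hashlib
import math
import struct
from collections import Counter
# Standard 40-byte PE/COFF section header: Name, VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, four reloc/lineno fields, Characteristics.
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)
ENTROPY_THRESHOLD = 7.0  # assumed cut-off; UPX1 in the report above scored 8.00

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(image: bytes):
    """Yield (name, virtual_size, raw_size, entropy_of_raw_bytes) for each section."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE executable")
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # signature + 20-byte COFF header + optional header
    for i in range(nsections):
        name, vsize, _, rawsize, rawptr, *_ = struct.unpack_from(
            SECTION_HEADER_FMT, image, table + i * SECTION_HEADER_SIZE)
        raw = image[rawptr:rawptr + rawsize]
        yield name.rstrip(b"\0").decode("ascii", "replace"), vsize, rawsize, shannon_entropy(raw)

def upx_indicators(image: bytes) -> list:
    """Packing indicators worth a look before an uploaded exe goes live on a site."""
    hits = []
    for name, vsize, rawsize, ent in pe_sections(image):
        if name.startswith("UPX"):
            hits.append(f"section named {name}")
        if vsize > 0 and rawsize == 0:
            hits.append(f"{name}: {vsize:#x} bytes virtual, 0 raw (unpack target)")
        if ent > ENTROPY_THRESHOLD:
            hits.append(f"{name}: entropy {ent:.2f} (compressed payload)")
    return hits

def build_sample_pe() -> bytes:
    """Constructed sample (no optional header), mirroring the report's UPX0/UPX1/.rsrc layout."""
    e_lfanew, nsections = 0x40, 3
    data_start = e_lfanew + 24 + nsections * SECTION_HEADER_SIZE
    packed = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
    rsrc = bytes(range(64)) * 32  # 64 equiprobable byte values -> exactly 6.0 bits/byte
    sections = [(b"UPX0", 0x41000, 0x1000, 0, 0),
                (b"UPX1", 0x31000, 0x42000, len(packed), data_start),
                (b".rsrc", 0x2000, 0x73000, len(rsrc), data_start + len(packed))]
    image = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew))
    image += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsections, 0, 0, 0, 0, 0x102)
    for name, vsize, vaddr, rawsize, rawptr in sections:
        image += struct.pack(SECTION_HEADER_FMT, name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
    return bytes(image + packed + rsrc)
```

Run `upx_indicators(open("some.exe", "rb").read())` on a real upload; an unpacked compiled script yields no UPX-named sections and no zero-raw-size section, which is what deleting upx.exe from the compiler directory buys you.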
Reduced size is obviously the only advantage. On slow storage devices it can speed up loading by a very small amount, but some have said it otherwise slows down loading.
Anti-virus software isn't psychic, and mostly isn't intelligent. Your compiled script executable will contain code to register the keyboard/mouse hooks, delete files, shutdown the PC etc. regardless of what content the actual script has. Anti-virus software would have to interpret the script to figure out what it really does. Furthermore, keyboard/mouse hooks are obviously a legitimate feature of Windows, so it mightn't be common to detect them. Any reasonable A/V (and some unreasonable A/V's) would notify the user if and when it detected installation of the hook rather than marking any executable which uses it as a potential virus. Lastly, "viruses" self-replicate; your script does not.
I think it would be no great loss if upx.exe was removed from the installer or disabled by default.
I fully agree it should be easily removed; since a upx'd exe isn't any different when it is loaded, I do not see any advantage of it.
Windows also caches AutoHotkey.exe when it's loaded from a usb disk or similar, so it loads slower only the first time.
I also added the hooks on purpose because I wanted it to be detected. And since I made the script so small, basic and harm-free, I was expecting most/all to not detect it. Now if I made a real virus in AHK, I'm sure more than 2 would pick it up.
felt like doing this for fun
but to be on-topic:
i don't mind UPX, remove or keep it, no biggy.
If there was any point in my previous post, it was that anti-virus software won't necessarily pick it up just because it's malicious. I think it's very unlikely that any antivirus would immediately (or perhaps ever) pick up your hypothetical "real virus" script, and not also pick up every other script based on the same binary, harmful or not. Or was that lower-case sarcasm? :roll:
now if I made a real virus in AHK, I'm sure more than 2 would pick it up.