Post by gregster » 19 Mar 2024, 09:15
slishnevsky wrote: ↑19 Mar 2024, 07:07
- How can I, as a user, detect whether it is a virus or a false positive? Is there some sort of scanner that can detect whether it is a false positive or a virus?
- Windows Defender, when it scans a downloaded file (which I know is safe, just a cracked version), always finds some "viruses" in it and shows specific virus names.
I don't understand: if it is a false positive (meaning there are no actual viruses in it), then how does it figure out specific viruses' names?
Obviously, most people won't be able to determine if something is definitely a false positive, but they might have a (strong) suspicion. That's why we recommend sending the file in question to your antivirus vendor, if in doubt - they should have the expertise to determine if the file is actually malicious or a false positive. In addition, you'll give them the opportunity to fine-tune their products, although I wouldn't put too much hope into long-term improvements.
Apart from the legal questions that the use of "cracked" files raises, of course they can be infected with malicious code. Antivirus software uses a lot of heuristics to identify all variants of a virus (some viruses even change their own code to avoid being identified). This means they depend on identifying certain similarities, patterns and behaviours, in order to identify even yet unknown variants of a virus. Of course, there are usually business secrets involved - that's why those AV vendors won't tell you exactly which details they are looking for. But a local scan should be fast (hence simplified and prone to produce false positives) - if you send them the files, they can have a closer look.
For AHK specifically, probably one of the main problems is that every compiled program includes the whole (powerful) AHK interpreter. This means that even if your script doesn't use keyboard hooks, the AV scan will still notice the ability - and perhaps a certain similarity to a virus which some knucklehead has created with AHK, because the whole interpreter is exactly the same in the virus and in your own app (at least if they used the same AHK version - but of course, different AHK versions still have strong similarities).
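A constructed toy model of the "shared interpreter" point above, added here as an illustration (it is not code from the original post, from AutoHotkey, or from any AV product): byte patterns taken from a known-bad compiled script mostly land in the interpreter region, so they also match a harmless script compiled with the same AHK version, but not one built with a different version. The interpreter bytes, the scripts and the signature picker are all made-up stand-ins.

```python
"""Toy model (constructed, not real AV logic) of why a compiled AutoHotkey
script can match a signature derived from a malicious compiled script:
both files carry the same interpreter bytes, so a pattern taken from that
shared region matches every program built with the same AHK version."""

# Constructed stand-ins for the interpreter of two AHK versions and for two scripts.
INTERPRETER_V1 = bytes(range(256)) * 4            # one AHK version's interpreter bytes
INTERPRETER_V2 = bytes(range(255, -1, -1)) * 4    # a different version: different bytes
MALICIOUS_SCRIPT = b"Loop { Send, {Ctrl down}c{Ctrl up} ... }"  # constructed placeholder
BENIGN_SCRIPT = b"^j::MsgBox, Hello from my own script"           # constructed placeholder


def compile_ahk(interpreter: bytes, script: bytes) -> bytes:
    """Model of 'compiling': the full interpreter followed by the embedded script."""
    return interpreter + script


def derive_signatures(sample: bytes, n: int = 16, count: int = 8) -> list[bytes]:
    """Take `count` evenly spaced n-byte patterns from a known-bad sample.
    A vendor does far more than this, but the effect is the same: most
    patterns fall into the shared interpreter, not into the script."""
    last = len(sample) - n
    positions = [i * last // max(count - 1, 1) for i in range(count)]
    return [sample[p:p + n] for p in positions]


def scan(file: bytes, signatures: list[bytes]) -> list[bytes]:
    """Return the signatures found in the file (any hit counts as a detection)."""
    return [sig for sig in signatures if sig in file]


def attribute_hits(hits: list[bytes], interpreter: bytes) -> dict[str, int]:
    """Count hits that come from the shared interpreter vs. from the script itself."""
    counts = {"interpreter": 0, "script": 0}
    for sig in hits:
        counts["interpreter" if sig in interpreter else "script"] += 1
    return counts


def demo() -> dict[str, dict[str, int]]:
    malicious = compile_ahk(INTERPRETER_V1, MALICIOUS_SCRIPT)
    sigs = derive_signatures(malicious)          # "signatures" learned from the bad sample
    benign_v1 = compile_ahk(INTERPRETER_V1, BENIGN_SCRIPT)   # same AHK version
    benign_v2 = compile_ahk(INTERPRETER_V2, BENIGN_SCRIPT)   # different AHK version
    return {
        "malicious_v1": attribute_hits(scan(malicious, sigs), INTERPRETER_V1),
        "benign_v1": attribute_hits(scan(benign_v1, sigs), INTERPRETER_V1),  # false positive
        "benign_v2": attribute_hits(scan(benign_v2, sigs), INTERPRETER_V2),  # no shared bytes
    }


if __name__ == "__main__":
    for name, counts in demo().items():
        print(f"{name}: {counts}")
```

Only the one pattern taken from the script region separates the bad sample from the benign build; the seven interpreter-derived patterns fire on both, which is exactly the kind of hit the vendor can tell apart when you submit the file.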