Virus detected when compiling from v1.1.30.00

Report problems with documented functionality
wiens
Posts: 15
Joined: 08 Dec 2015, 05:22

Virus detected when compiling from v1.1.30.00

29 Sep 2018, 02:44

There is a bug during compiling from version v1.1.30.00

Compiling a large .ahk files with Ahk2Exe.exe is blocked by Windows Defender in Windows 10.
The Default compiling with base bin file (.bin): '(Default)' or 'v1.1.30.0 Unicode 32bit' gives a virus .exe file.

This issue wan't there in version v1.1.29.01.
User avatar
nnnik
Posts: 3553
Joined: 30 Sep 2013, 01:01
Location: Germany

Re: Virus detected when compiling from v1.1.30.00

29 Sep 2018, 02:52

Yeah you should complain to Windows Defender as this is a false positive that we can't do anything about.
When the version changes the binaries change, and your AV might cause issues.
Recommends AHK Studio
SOTE
Posts: 227
Joined: 15 Jun 2015, 06:21

Re: Virus detected when compiling from v1.1.30.00

29 Sep 2018, 06:57

wiens wrote:There is a bug during compiling from version v1.1.30.00

Compiling a large .ahk files with Ahk2Exe.exe is blocked by Windows Defender in Windows 10.
The Default compiling with base bin file (.bin): '(Default)' or 'v1.1.30.0 Unicode 32bit' gives a virus .exe file.

This issue wan't there in version v1.1.29.01.
Everyone can send a report to Microsoft telling that they have misidentified a file (false positive). When submitting a file for Microsoft to analyze, they ask you if think the file is or is not malware.
https://www.microsoft.com/en-us/wdsi/filesubmission (use this link).
("Submit a file for malware analysis")

Code: Select all

Do you believe this file contains malware?

Yes

No — this file has been incorrectly detected

Additional information

And until Microsoft correct the false positive problem, you can or your users can make an exception for the file in Windows Defender.
https://support.microsoft.com/en-us/hel ... -antivirus
(Add an exclusion to Windows Defender Antivirus)
wiens
Posts: 15
Joined: 08 Dec 2015, 05:22

Re: Virus detected when compiling from v1.1.30.00

29 Sep 2018, 11:45

It happens during the compiling of the (Default) base bin file.

This is the false-positive virus name:
Program:Win32/Unwaders.C!ml

I have submitted the compiler of AHK and the script file to Microsoft, so they can compile and see if it is a false-positive.
User avatar
Scr1pter
Posts: 579
Joined: 06 Aug 2017, 08:21
Location: Germany

Re: Virus detected when compiling from v1.1.30.00

01 Oct 2018, 13:49

Well, I have a similar problem, but I still use the 1.1.29.00 compiler.
I have a script which contains shortcuts to many files I use.
(Excel tables, text files, Word documents, folders).
One time Avira Antivir said it's a virus.
(I tried it right now again and it worked.)

However, all compiled scripts (exe) take several seconds until they get loaded.
This has been mostly the case for some weeks - for me.
When I check the file Ahk2Exe.exe, I don't see anything new/suspicious.
Modified on: 25.05.2018 03:14, file size: 856.064 Bytes

But strangely all compiled exe scripts start with a massive delay.
For this reason I switched completely to ahk-files only.

Regards
I'm not an expert, just an enthusiastic AutoHotkey user. 8-)
Please do not support cheaters!
Keyboard: Logitech G15 first generation - Mice: Logitech G9, G502, G602 - OS: Windows 7 Pro 64 Bit - AHK version: 1.1.29.00
wiens
Posts: 15
Joined: 08 Dec 2015, 05:22

Re: Virus detected when compiling from v1.1.30.00

01 Oct 2018, 18:43

I have also the massive delay (caused by Windows Defender) during compiling in 1.1.30.00. So I switched back to 1.1.29.01.
User avatar
nnnik
Posts: 3553
Joined: 30 Sep 2013, 01:01
Location: Germany

Re: Virus detected when compiling from v1.1.30.00

02 Oct 2018, 02:34

Anti Virus software is not magic. The AntiVirus Programs probably still dont know about the new version.
Thats why they make a full scan rather than skipping through the process, because they don't recognize the program.
Recommends AHK Studio
wiens
Posts: 15
Joined: 08 Dec 2015, 05:22

Re: Virus detected when compiling from v1.1.30.00

07 Oct 2018, 02:48

It has been fixed in the latest definitions of Windows Defender in Windows 10. There is no virus detection at this moment.
You can compile from version 1.1.30.00.
anotherautohotkeyusr
Posts: 8
Joined: 27 Oct 2015, 18:45

Re: Virus detected when compiling from v1.1.30.00

22 Oct 2018, 12:19

I am getting a Trojan:Win32/Fuery.B!cl detection from Defender with 1.1.30.00. Submitted file to Microsoft.
wiens
Posts: 15
Joined: 08 Dec 2015, 05:22

Re: Virus detected when compiling from v1.1.30.00

22 Nov 2018, 07:27

If you are working on a 64-bit machine change the base bin file in the compiler to 64-bit. This can fix the problem of yours.
garry
Posts: 1569
Joined: 22 Dec 2013, 12:50

Re: Virus detected when compiling from v1.1.30.00

22 Nov 2018, 07:48

disable / enable Windows Defender
moderator note: removed due to potential misuse.
User avatar
nnnik
Posts: 3553
Joined: 30 Sep 2013, 01:01
Location: Germany

Re: Virus detected when compiling from v1.1.30.00

22 Nov 2018, 08:17

Sorry but I have to remove this script - this could be used for something harmful.
Recommends AHK Studio
garry
Posts: 1569
Joined: 22 Dec 2013, 12:50

Re: Virus detected when compiling from v1.1.30.00

22 Nov 2018, 13:19

didn't knew, was just regwrite, windows defender made my small 4K computer very slow
SOTE
Posts: 227
Joined: 15 Jun 2015, 06:21

Re: Virus detected when compiling from v1.1.30.00

26 Nov 2018, 12:41

It appears that TR/Spy.Gen, Troj/Spy-AHK, Troj~AutoHK-E, TR/Crypt.XPACK.Gen2... are various old or generic threat files associated with AutoHotkey, from my basic research on it. Some of these files are 3 to 5 years old. Various anti-virus and anti-malware companies seem to be way too lazy in their identification process. To include just throwing things under a generic and vague labels with no details as to exactly what is going on other than you should hurry up and buy their product to remove threats.

Also, the heuristics of various scanners can be too sensitive, to also cause false positives. Though sometimes that can be the fault of the user playing with configuration settings.

AutoHotkey_L is a particular easy scripting language to make a MD5 hash of, pull attached user script from out of the "compiled" exe, or distinguish it from a threat as it's open source. People can literally use nothing more sophisticated than just Windows Notepad to get the user script and separate it from the AutoHotkey_L source code.

Having a hard time with AutoHotkey, is like having an issue with a .bat, .cmd, or VBScript. Not to say there can't be any sophistication or they can't cause havoc, but it's not like something made in C or assembly language, and all kinds of special tools are needed to figure out what's going on. Often, it's pretty clear to any casual programmer what it is doing, so a real experienced specialist should have an even easier time figuring out what's up.

The anti-virus/anti-malware companies that seem to excessively mislabel AutoHotkey are Sophos and Avira. And then there is Google adding to the weirdness by flagging the download site. I'm not exactly sure what's behind doing this, but it is weird.

A developer at NirSoft made a great blog post about the problem. What he said is as true today, as it was back then. Some companies have a business agenda, so arguably mislabel and create false positives for sale purposes. The more fear and confusion; they think it will get them more sales.

From NirBlog and NirSoft
http://blog.nirsoft.net/2009/05/17/anti ... developers/
Help me and other developers !


If you feel frustrated, like me, about all these false alerts, you can help me and other small developers to stop Antivirus programs from detecting innocent tools as Viruses/Trojans.

What can you do ?
Here’s some examples:

Add your comments to this article about False Positives problems you experience (As user or as software developer)
Send this post to your friends, so they’ll know more about false positive problems.
If you constantly pay for licenses and updates for your Antivirus software,
don’t hesitate to call your Antivirus company and require them to stop the false alerts.
You pay for your Antivirus product, and you deserved to get a reliable product that detect only real viruses.
If you have any contact with large magazine writer/journalist, you may try to offer him to make a research and/or write an article about all false alerts problems made by Antivirus.
Unfortunately, some magazines will never write an article against the Antivirus companies, because these companies also pay for advertising in these magazines.

In the bottom line, if the false positives problem will make too much noise in the media, the Antivirus companies will understand that false positives may also hurt their reputation and decrease their product sells, and eventually they will give more priority to fix the false alerts in their products.

Return to “Bug Reports”

Who is online

Users browsing this forum: [Shambles], Google [Bot] and 10 guests