AutoHotkey Community

The results of Google Safe Browsing is very odd, particularly with a minor name change of www.autohotkey.com versus autohotkey.com. Go to Google Safe Browsing search (https://transparencyreport.google.com/s ... ing/search), and check the difference.

www.autohotkey.com or www.autohotkey.com/download/ will generate no negative reports and are safe, while removing the "www" will generate negative reports of suspicious malware from Google Safe Browsing.

There might be an issue with AutoHotkey's website DNS settings. Something to also watch out for is DNS spoofing and hijacking. Spammers will also attempt to attack websites in this way too. In the case of DNS spoofing, this is when a server is misconfigured or reconfigured by criminals and is redirecting website traffic to unauthorized servers that contain malware. DNS hijacking can happen on both the server or user's end, where malware is installed on the computer and is redirecting traffic to malware servers/websites.

Changing the DNS settings or download page directory might be enough to get off of Google's blacklist.

It appears that Google can mistakenly blacklist websites, because criminals with fake servers are redirecting to the real website or that their malware is using a company's name or the same name as their software. The real company or webmaster can be totally unaware of such activity or have nothing to do with it, but still have to deal with Google's blacklisting. Clearly, Google is not entirely forthcoming about their methods and how blacklists are validated, which then leaves a lot of room for mistakes and misunderstandings on their end.

https://youtu.be/DEkscTGKTOA
(Webinar: How to Understand and Fix Google Blacklist Warnings)

Good catch, I have modified .htaccess

joedf wrote: ↑

02 Nov 2018, 17:47

Good catch, I have modified .htaccess

While the modifications synchronizes the difference between www.autohotkey.com and autohotkey.com, it doesn't address the Google Safe Browsing issue. It appears that .htaccess was modified in the opposite direction of what many websites do, though there is no established "right" way.

Many web servers have "www" be the default. Which would be autohotkey.com automatically switches to -> www.autohotkey.com and where Google Safe Browsing has no negative reports for www.autohotkey.com/download/.

If the naked domain is the default (removing the www) so that www.autohotkey.com will automatically switch to -> autohotkey.com, that is where Google Safe Browsing is giving negative reports for. autohotkey.com/download generates negative warnings. The use of a naked domain (removing the www) can also come with what some consider to be negative consequences. The CNAME record and various redirects must be made accordingly and properly.

Using www.autohotkey.com/download/, could allow for versions of autohotkey files that don't have issues with VirusTotal or Google Safe Browsing to be served without false positive warnings. Those files can be scanned with VirusTotal and other free website malware and security scanners (https://sitecheck.sucuri.net/). This can help by being able to show Google clear records of no malware in the directory in question.

Google itself appears to recommend a variation of what I suggested, where if hackers or spammers have created unwanted links then they should be removed. This is not to say that AutoHotkey has any such directory or link created by a hacker or spammer, but rather Google Safe Browsing is falsely identifying directories and links as such. Therefore, to Google, it appears to be no different. https://developers.google.com/web/funda ... clean_site (Clean and maintain your site, by Google)

Option to use Remove URLs in Search Console to expedite removal of entirely new, undesirable, user-visible URLs created by the hacker that you don't want surfacing in Google Search results.

As an added note, some other things that can trigger Google Blacklisting, besides malware:

. illegal content, content that violates any copyright.
. Hosting phishing or scam pages.
. Redirecting to other webpages.
. Creating backdoors or sending back links

It's also suggested that you use Google Search Console, https://www.google.com/webmasters/ to engage fighting Google to clear your website. To be clear, it is of course up to you and your team as to how to go about this. These are just suggestions and observations.

Something to also be aware of, is Google arguably does a thing where once they have identified there is malware in a directory, no matter if it is a false positive or they were wrong, they don't want to/like to admit to being wrong or you have to prove them wrong. So, if you arguably can establish a clean directory(and link to it) and show that no files in that directory are malware by previous VirusTotal scan results, it will be difficult for Google to say there is any malware in that directory. You can show them proof there isn't any malware in a clean directory and clean files, forcing Google to give a clearly odd contradictory result or otherwise show you as clean. As in, directory 1 and directory 2 contains the same files, but Google is claiming directory 2 has malware. And if Google persists, then just delete directory 2 and use directory 1 which shows as clean.

To compound the problem, other anti-malware sites and anti-virus companies can partially base their results off of Google Safe Browsing, creating a Catch 22. That is, because Google Safe Browsing showed there was malware, a lazy 3rd party company might claim that directory or file has/is malware too. And then Google Safe Browsing bases their results off of anti-malware or anti-virus companies getting results from them. A crazy circle jerk, where Google Safe Browsing will not change it's results, even though wrong. The other issue is the long review process by Google, where it can take months to get a clean bill of health, in the midst of a Catch 22 circle jerk.

This is why I suggested the clean directory/clean files (verified by scan) method, as oppose to just fighting Google on a directory, link, and files they say contain malware. In fact, you could arguably put the same file in the clean directory (and new link) and prove it's not malware and clean (by numerous virus scanners). So if Google says otherwise when it's in a different directory, then it's easier to prove them wrong or simply delete the directory they claim is "bad".

Whoops, So I should switch it back? Are most google forum search results under www.* ?

joedf wrote: ↑

04 Nov 2018, 19:00

Whoops, So I should switch it back? Are most google forum search results under www.* ?

I'm a bit confused by your question. You (or your team) control what search results are seen. It will be www or not, because you configured the server to be so. I can only suggest, the ultimate decision is up to you (or your team).

And what I was referencing, was helping the AutoHotkey site show up as clean on the Google Safe Browsing scan (https://transparencyreport.google.com/s ... ing/search). I hope it is understood how terrible that it looks that your website shows the following results from Google.

Some pages on this site are unsafe

The site https://autohotkey.com/download/ contains harmful content, including pages that:

Install unwanted or malicious software on visitors’ computers

Unsafe content might only appear on some pages of a website. Check the URL of the specific directory or webpage you want to visit for more detailed safety info.

As a consequence of this warning from Google, the web browsers of Chrome and Firefox are issuing warning about links from your website and software. And arguably as a consequence, 3rd party anti-malware and anti-virus companies are issuing warnings about the AutoHotkey software. This can be bad for some people that are putting professional level trust in AutoHotkey software. Imagine talking to a boss, IT manager, or even suggesting to friends to use the software at work or their company, where there is such a warning? It's not to say that AutoHotkey software or the website is doing anything bad, or that Google isn't screwing you guys over, but it looks bad.

Anyway, I believe you guys have enough information to fix the issue (using alternative directories and links for Google inspection), if you feel so inclined.

To us it looks like Googles warnings are nonsense.
We have contacted them several times and they have given us several reasons.
I think that your suggestion is just grasping at straws.
Nonthelesss I want to see this suggestion implemented - because not everyone knows that these Google warnings are nonsense.

nnnik wrote: ↑

05 Nov 2018, 17:14

To us it looks like Googles warnings are nonsense.
We have contacted them several times and they have given us several reasons.
I think that your suggestion is just grasping at straws.
Nonthelesss I want to see this suggestion implemented - because not everyone knows that these Google warnings are nonsense.

I agree with you, that what it appears Google is doing is nonsense. It's one of the things that made me curious as to what is going on. Especially when you look at similar/other scripting/programming languages (like WinBatch, AutoIt, Python, etc...) and they don't appear to be getting targeted in the same way. To include languages that are not even open source, where their source code is not open for inspection, like AutoHotkey.

The suggestions were based on the hope there is a way to resolve this. Perhaps there being a path through Google's weirdness, tendency towards vagueness about how they do things, and their blacklisting process

Does anyone know why these warnings only affect some users? Might it be useful to take a poll of the geographical locations of those users who do get these warnings? Could it be they only appear from Google pages from certain TLDs (i.e. Google.fr, although I've tried from there with no such warning)?

Note: Google Safe Browsing sometimes falsely flags these directories as containing "harmful programs". For more information, see Safe Browsing.

(How often is "sometimes"?)

I don't get these warnings in Firefox, Chrome, Pale Moon, Internet Explorer or Opera. I never have, with any version of these browsers, at any time, with or without the "www".

Some pages on this site are unsafe

The site https://autohotkey.com/download/ contains harmful content, including pages that:

Install unwanted or malicious software on visitors’ computers

Unsafe content might only appear on some pages of a website. Check the URL of the specific directory or webpage you want to visit for more detailed safety info.

Regards,
burque505

Well if we are really grasping at straws we might as well replace the directory listing with a proper HTML site.

burque505 wrote: ↑

05 Nov 2018, 18:03

Does anyone know why these warnings only affect some users? Might it be useful to take a poll of the geographical locations of those users who do get these warnings? Could it be they only appear from Google pages from certain TLDs (i.e. Google.fr, although I've tried from there with no such warning)?

Note: Google Safe Browsing sometimes falsely flags these directories as containing "harmful programs". For more information, see Safe Browsing.

(How often is "sometimes"?)

I don't get these warnings in Firefox, Chrome, Pale Moon, Internet Explorer or Opera. I never have, with any version of these browsers, at any time, with or without the "www".

Some pages on this site are unsafe

The site https://autohotkey.com/download/ contains harmful content, including pages that:

Install unwanted or malicious software on visitors’ computers

Unsafe content might only appear on some pages of a website. Check the URL of the specific directory or webpage you want to visit for more detailed safety info.

Regards,
burque505

That's quite interesting. I thought the Google Safe Browsing warning (https://transparencyreport.google.com/s ... ing/search) would apply to all locations. You can put the AutoHotkey download link to check. And that Chrome and Firefox were putting out warnings based on the Google Safe Browsing results.

Could the difference be that you (or others) are using an older version of Chrome or Firefox, and that the warning only shows up in newer versions or certain versions?

Well, maybe certain versions. My browsers are all updated.

I have also disabled the warnings for Google chrome - might be the same for you.

Well, you can do this in Firefox too under "Options", "Privacy & Security",

Deceptive Content and Dangerous Software Protection

But such a thing should arguably not be recommended. A person can simply choose to ignore the security warning and proceed with the download or opening the file (based on going to the directory/link- https://autohotkey.com/download/1.1/), by selecting "See Details".

The site ahead may contain harmful programs

Firefox blocked this page because it might try to trick you into installing programs that harm your browsing experience (for example, by changing your homepage or showing extra ads on sites you visit).

Advisory provided by Google Safe Browsing.

"Go back" "See Details"

Then under "See Details"

The site ahead may contain harmful programs

Firefox blocked this page because it might try to trick you into installing programs that harm your browsing experience (for example, by changing your homepage or showing extra ads on sites you visit).

Advisory provided by Google Safe Browsing.

autohotkey.com has been reported as containing harmful software. You can ignore the risk and go to this unsafe site.

Learn more about harmful and unwanted software at Unwanted Software Policy. Learn more about Firefox’s Phishing and Malware Protection at support.mozilla.org.

Notice how ominous they make the entire autohotkey.com website look, not just the download link.

However, despite simply going to https://autohotkey.com/download/1.1/ scaring the hell out of a lot people with a big red screen, it's likely not to be obvious for various people that they can go to "See Details" to proceed or that they have options to disable the warnings (though many are likely not to). While very tech savvy people might only be slightly deterred by such a warning, that's likely not the case for "average Joe" who might not be sure what exactly is going on.

Take note that the false positive warning comes from Google, as in "Advisory provided by Google Safe Browsing". Therefore Chrome and Firefox browsers (which uses recommendations from Google Safe Browsing) are most likely to be affected and also any anti-malware company or software that uses their recommendations, where Microsoft's Internet Explorer and Edge browsers are not.

@nnnik - I don't have warnings disabled for any browser, and I don't ever get any of these warnings. Pale Moon 32-bit 28.1.0; Chrome Version 70.0.3538.77 (Official Build) (64-bit); Firefox 63.0.1 (64-bit).
Regards,
burque505

burque505 wrote: ↑

06 Nov 2018, 11:14

@nnnik - I don't have warnings disabled for any browser, and I don't ever get any of these warnings. Pale Moon 32-bit 28.1.0; Chrome Version 70.0.3538.77 (Official Build) (64-bit); Firefox 63.0.1 (64-bit).
Regards,
burque505

I see the big red warning for the AutoHotkey download directory in Firefox 63.0.1 (64-bit). So that is interesting if the warning is possibly geographical or there is something going on with the settings. If the warning is geographical, that seems odd.

For the latest version of Chrome 70.0.3538.77, I don't see the warning, but don't know if prior settings to not use "Safe Browsing" in "Settings" or various privacy settings had or have any effect on this. And while the latest version of Chrome might not be issuing a warning, not sure about how that works for previous versions (including for Firefox).

Let's also keep in mind that Google Safe Browsing (https://transparencyreport.google.com/s ... ing/search) is still issuing warnings against AutoHotkey's download directory, and some anti-malware companies. For VirusTotal, that would be ADMINUSLabs is issuing a warning against AutoHotkey, in addition to Google Safe Browsing. The issue about that is the Catch 22 circle. That is, as long as Google Safe Browsing is issuing a warning (and Google is a major player), various 3rd party anti-malware or anti-virus companies might blindly follow.

Ok, redirect changed to www.*

joedf wrote: ↑

06 Nov 2018, 23:05

Ok, redirect changed to www.*

As this is considered safe by Google Safe Browsing, www.autohotkey.com/download, this allows your team to create a new directory of files that have been scanned by VirusTotal and other malware tools, and considered clean. You would want to save the anti-malware scan results and keep them on file. In fact, you might even want to save a copy of the scan results in the same directory as the files put into it.

You would want to avoid putting files in the root directory of download, but create sub-directories instead. Example- autohotkey.com/download/1.1.30.00. In this way, Google Safe Browsing or any anti-malware company has to show specifically what file it's objecting to and can only object to a particular version of AutoHotkey, and not all versions.

As it's being done presently, Google Safe Browsing is blacklisting the entire directories of 1.1 and 2.0. It's then unclear which particular file that it's objecting to or if there are any hidden files in the directory that might be causing the problem. By giving each version of AutoHotkey it's own directory, it creates more clarity. This extra step might be a bit annoying, but it appears to be a solution for handling Google.

Another advantage of this method, is that if Google were to blacklist a directory or version of AutoHotkey, you can show them clean scans by VirusTotal and other anti-malware scanners and companies to more easily contest their attempts at blacklisting. Particularly if Google's blacklisting is not on the up and up, and has some hidden agenda attached to it.

You don't have to put every old version of AutoHotkey in a new sub-directory, but you could create archive directories. Example- autohotkey.com/download/archive or maybe call it old versions. So that the isolating of new sub-directories, is only for new versions of AutoHotkey. In such a setup, it then puts you in the position to delete the directories of 1.1 and 2.0 that Google Safe Browsing is objecting to, if they don't give you a clean report reasonably soon.

Ok good idea, I'll look into it.

When did this goddamn evil google corporation become the boogey man for the whole Internet?! You people realize in the slightest that YOUR power of decision has been stolen from you and given to a third party that doesn't care even a bit (not a byte) about YOUR interests?!
I'd have so much to say but it wouldn't be nice at all so I'll shut up. But people, PLEASE, come to your senses and start thinking for yourselves.

Is this issue still unresolved? I work with SEO for enterprise websites and diagnose these sort of "nonsense Google" problems for them and fix them.

Although it may be nonsense, it provides a bad UX for certain new and returning visitors to AHK's website. I know from experience that this can scare people away or perceive distrust or a negative view about a website and it's content, which I would hate to be the case for such an awesome site/language/tool/etc.

www. versus non-www. should not affect security or perception, the best way to go is for consistency across your entire domain (e.g. don't have some https://www.autohotkey.com pages and some https://autohotkey.com pages, choose only one and stick with it indefinitely). Having both can cause indexing issues and hurt the performance of your website. Google has recently made using HTTPS on your website a ranking factor, due to it's higher level of security for your website visitors, so that's the one you would want to worry about regarding security.. but autohotkey.com is delivered over HTTPS already so no issue there.

I kept receiving 404 errors in the documentation section when I first started using AHK, but found out it was due to a certain adblocker I was using. This prompted me to want to run an in-depth technical site audit to resolve this issue, however since removing that extension I've seen no issues. I am curious about the SEO health of autohotkey.com though.. and want the best for AHK.

LMK and I can look into this further when I'm not so busy w/ work ^^;