Report False-Positives To Anti-Virus Companies
Re: Report False-Positives To Anti-Virus Companies
thanks for this, AVG always says "whoa hold on there might be bad stuffs and the boogeyman in there, let me think you're under virus attack for the next 30 seconds" while I grind my teeth and shake my fist at the mainstream corporate elites who would only serve Gates-friendly DARPA software to the vaccinated masses.
My Weed Trek video archive: http://weedtrek.ca
Re: Report False-Positives To Anti-Virus Companies
Sam_ wrote: ↑26 Mar 2019, 16:01
More often than not, I have found that AV software tends to complain about compiled AHK scripts when they have been compressed with mpress. Apparently, overzealous AV software sees compressed EXEs as an attempt to hide or obfuscate ("malicious") code, which I find a shame. As a result, I have gone away from allowing the compiler to use mpress. Every now and then I'll still have a user report that some AV program complains about a compiled script (or experience it myself), but it's much more rare.
Sam_, I've experienced the same things, and chose to now compile without MPRESS too.
-TL
Re: Report False-Positives To Anti-Virus Companies
Sam_ wrote: ↑26 Mar 2019, 16:01
More often than not, I have found that AV software tends to complain about compiled AHK scripts when they have been compressed with mpress. Apparently, overzealous AV software sees compressed EXEs as an attempt to hide or obfuscate ("malicious") code, which I find a shame. As a result, I have gone away from allowing the compiler to use mpress. Every now and then I'll still have a user report that some AV program complains about a compiled script (or experience it myself), but it's much more rare.
Part of the reason why MPRESS creates issues with Anti-Virus vendors is that many don't have an unpacker for it. Where with UPX, the software of the Anti-Virus companies can usually unpack and inspect the contents. And use of any "exotic" or unknown packer is more likely to trigger Anti-Virus software. You might want to see if UPX won't cause you issues, or consider not using a packer.
Re: Report False-Positives To Anti-Virus Companies
I never used MPress and I still had false positives for KeyPress OSD with no packer. However I started using the UPX packer.
In my tests, some months ago... it did not make a difference, I get the same amount of false positives with UPX or without.
Best regards, Marius.
-------------------------
KeyPress OSD v4: GitHub or forum. (presentation video)
Quick Picto Viewer: GitHub or forum.
AHK GDI+ expanded / compilation library (on GitHub)
My home page.
Re: Report False-Positives To Anti-Virus Companies
I write a bunch of scripts for my work and Sophos has recently started blocking most of them, which is causing REAL grief.
On checking the actual AutoHotkey install file (latest version), it also flags up as malware and won't even install it properly.
Any thoughts? Is this likely to be something changed by AHK, or should I just submit it?
Edit: A very simple script of about 10 lines converted to an exe with AHK now shows up more than 11 threats on VirusTotal - this is just 1 example and is probably not worth the time it would take to submit all these false positive claims :/
I would have to consider stopping using AHK altogether which is a massive pain and a real shame.
Edit 2 : With further testing, I have discovered that using Ansi 32 bit conversion and Impress compression seems to get around Sophos, however VirusTotal still finds 8 problems with it.
Last edited by Grumpy IT Guy on 03 Apr 2019, 06:13, edited 1 time in total.
Re: Report False-Positives To Anti-Virus Companies
Grumpy IT Guy wrote: ↑03 Apr 2019, 03:12
I write a bunch of scripts for my work and Sophos has recently started blocking most of them, which is causing REAL grief.
On checking the actual AutoHotkey install file (latest version), it also flags up as malware and won't even install it properly.
Any thoughts? Is this likely to be something changed by AHK, or should I just submit it?
Edit: A very simple script of about 10 lines converted to an exe with AHK now shows up more than 11 threats on VirusTotal - this is just 1 example and is probably not worth the time it would take to submit all these false positive claims :/
I would have to consider stopping using AHK altogether which is a massive pain and a real shame.
My work computer flags compiled ahk scripts as a few different types of malware because of my Windows Defender AV. It also won't let me download certain installers which I'm certain are safe. Some AVs will flag more or less threats. As always, do your due diligence and ensure there is no other malicious activity in your system. If you got it directly from this site, then it will be a safe false-positive.
It's important to submit as many false positive claims about this issue as possible across as many AV companies, so it shows that AHK has a safe community. Due to the nature of AHK being able to efficiently automate complex systems, mixed with some bad people using AHK for nefarious purposes, it has gained some bad reputation within the online space that we hope to change.
-TL
Re: Report False-Positives To Anti-Virus Companies
I also haven't used mpress (or upx) since like 2010, and still get false positives all the time on compiled scripts, so it may help but it is not a total solution. Some older versions (and simpler scripts) are 1 or 2 FPs on VirusTotal; some newer compiled ahk versions (and more complex, "invasive" but functional scripts) are up to 11 false positives at the moment.
I also have major problems with "Microsoft Security Essentials" (which is effectively the same as Defender afaik) and programs I run and distribute throughout my workplace, even when explicitly permitted. Even though I don't bother with reporting user's complaints about false positives for EitherMouse anymore, I've started submitting to microsoft my own internal company programs just so they stop getting deleted.
EitherMouse - Multiple mice, individual settings . . . . www.EitherMouse.com . . . . forum . . . .
Re: Report False-Positives To Anti-Virus Companies
Yeah, hopefully at some point the ratio of false positives from AHK programs will hit a threshold that they can deem it safe. Not sure if that's what will happen though.
And yes, not using MPRESS doesn't fix the false-positive flagging issue, however it does seem to slip under the radar more frequently for some AVs than when used.
-TL
Re: Report False-Positives To Anti-Virus Companies
gwarble wrote: ↑03 Apr 2019, 08:49
I also haven't used mpress (or upx) since like 2010, and still get false positives all the time on compiled scripts, so it may help but it is not a total solution. Some older versions (and simpler scripts) are 1 or 2 FPs on VirusTotal; some newer compiled ahk versions (and more complex, "invasive" but functional scripts) are up to 11 false positives at the moment.
I also have major problems with "Microsoft Security Essentials" (which is effectively the same as Defender afaik) and programs I run and distribute throughout my workplace, even when explicitly permitted. Even though I don't bother with reporting user's complaints about false positives for EitherMouse anymore, I've started submitting to microsoft my own internal company programs just so they stop getting deleted.
Some good points.
And we have to stay on these Anti-Virus companies, because arguably a lot of this drama is about laziness. High level programmers working at these Anti-Virus companies should have a much easier time analyzing an open source interpreted scripting language, in comparison to traditionally compiled languages or closed source, to determine if there is really a threat. There are a number of ways for them to see the script, even when "bound" to the open source executable. Just no excuse for the silliness that is taking place or out of control heuristic scanners labeling anything as a threat.
Re: Report False-Positives To Anti-Virus Companies
RachelKieran wrote: ↑17 Apr 2019, 06:10
Antiviruses generally make PC performance low and sometimes they even send viruses to your computer if you do not purchase the premium version of many software.
Please cite your sources. I'm interested to know where you are getting this information.
Re: Report False-Positives To Anti-Virus Companies
What are you talking about? McAfee has a false-positive procedure, where you inform them by e-mail, and they are included.
Re: Report False-Positives To Anti-Virus Companies
"Rachel" and "Maria" are both accounts that have connections to the same company (you can find it in their account details, see under "Website"). Other accounts with the same affiliation also made strange posts before and - from time to time - dropped a link or two (and some have been banned, iirc). They don't seem to be bots, but I strongly suspect that they mainly contribute something in order to advertise casually later and not because they have any real interest in the subject.
@mariafox and @RachelKieran, do you mind elaborating on your strange posts here, or are you ok with permanently closing your accounts?
Re: Report False-Positives To Anti-Virus Companies
They are spam bots. Quite good ones too. Took us quite long to notice this.
Recommends AHK Studio
Re: Report False-Positives To Anti-Virus Companies
Thank you for the info. Will take note of this.
Re: Report False-Positives To Anti-Virus Companies
* Bkav [W32.AIDetectVM.malware1]
https www.bkav.com /contact-us Broken Link for safety
* Jiangmin [Trojan.MSIL.npxv]
Virus Lab:
Virus sample report email: virus@jiangmin.com
White list report email: whitelist@jiangmin.com
Sample exchange email: sampleexchange@jiangmin.com
Website cooperation and content correction:
Phone: (010) 82511166 Email: support@jiangmin.com
Please Fix that false Positive !
▼ that's Fix it
* Antiy-AVL [Trojan/Win32.Wofith]
https www.antiy.net /contacts/ Broken Link for safety
False Positive
Email: submit@antiy.com
Re: Report False-Positives To Anti-Virus Companies
Thanks. List updated, see 1st post.
The AutoHotkey community must always stay vigilant. Google (VirusTotal owner) continues to make many agreements with Anti-Virus companies from all over the world, who have questionable practices in updating their databases and research. So it's also up to users to help and inform them when they are wrong.
Re: Report False-Positives To Anti-Virus Companies
For "AutoHotkey_1.1.32.00_setup.exe"
New Guys
● Rising Antivirus [Trojan.Generic@ML.89 (RDML:8rBbJKRRbqbCJoUDGXKe6w)]
report the false positive files from here : mailcenter.rising.com.cn/filecheck_en/ Broken Link for safety
*False Positive - Inquiry numbers: RS20191226084524270124 , RS20200107141947700674
● Still in [false Positive] : ☞ Jiangmin [Trojan.MSIL.npxv]
- Every mail is blocked... I tried Google, Naver, Daum, Hotmail, and our company mail.
I think China does not allow other countries' stuff.
=======================================
Cleared - * Bkav [W32.AIDetectVM.malware1]
Cleared - * Antiy-AVL [Trojan/Win32.Wofith]
=======================================
I want to use AutoHotkey in our company.
Because our foolish IT Security Center only believes VirusTotal.
Last edited by jongyun24 on 07 Jan 2020, 01:20, edited 2 times in total.
Re: Report False-Positives To Anti-Virus Companies
Jiangmin is very problematic, and appears to have been so for many years now. Huge number of reports all over the Internet of users not able to contact their support. The issue is with Google's VirusTotal using them. It might be better to contact Google's VirusTotal and request them to remove Jiangmin, since they have such problematic support issues and many false-positive reports.
VirusTotal Contributor List
https://support.virustotal.com/hc/en-us/articles/115002146809-Contributors
Contact for VirusTotal
https://www.virustotal.com/gui/contact-us
You can also join the VirusTotal Community, which will allow voting and commenting about reviews and results.
https://support.virustotal.com/hc/en-us/articles/115003457349-Join-Community
Re: Report False-Positives To Anti-Virus Companies
I'm surprised Kaspersky is listed. They seem to be ok
Re: Report False-Positives To Anti-Virus Companies
2 weeks ago I wrote to VirusTotal about Jiangmin,
and they said this:
=▼= Virustotal Said =▼=
Hello,
Please, try to contact them at support@jiangmin.com.
Regards,
Ana Tinoco - VirusTotal - www.virustotal.com
=▲= Virustotal Said =▲=