Windows defender tells me that a virus is in the autohotkey setup file

22 Apr 2024, 09:06

I downloaded from the official website "AutoHotkey_2.0.13_setup.exe" and windows defender tells me that there is a trojan: "Trojan:Win32/Tnega!MSR"
I already installed autohotkey 2.0.13, and I encountered no issues, I followed windows defender instructions and I removed the virus (or at least I think and hope I did).

- Has this happened to someone else?
- Could it be a false positive or should I worry?

Thanks in advance

22 Apr 2024, 09:10

The file checksums / hashes are provided here:
viewtopic.php?p=568805#p568805

If they match, it's very likely a false positive.
Please have a look at our false positives topic here:
viewtopic.php?f=17&t=62266

22 Apr 2024, 09:12

Unfortunately, AutoHotkey gets regularly false positives from AV software, especially (but not limited to) new releases.
https://www.autohotkey.com/docs/v2/FAQ.htm#Virus
viewtopic.php?f=17&t=62266

If you download from this page or the github release page (https://github.com/AutoHotkey/AutoHotkey/releases), you should be fine.
There are also SHA256 hashes you can check against. For v2.0.13, these would be

https://github.com/AutoHotkey/AutoHotkey/releases wrote:SHA256 hash
D7646CA3A26760FE5633288D79D7B6A44CFC19A85C5315F94E0861963F1C601E AutoHotkey_2.0.13_setup.exe
A7DB865B054314D253293A1F427D3A155DA5164060804AAC431020E26A40E1AD AutoHotkey_2.0.13.zip

Edit: too late

22 Apr 2024, 09:24

The file checksums / hashes are provided here:
viewtopic.php?p=568805#p568805

If they match, it's very likely a false positive.

Thank you for your fast response
I'm not very comuter literate, could you explain what should I do to check if they match?

22 Apr 2024, 09:51

There are different utilities which can do this. If you have a recent MS Powershell version installed, this should work: https://www.se.com/us/en/faqs/FAQ000244427/
Worked here (where Windows Defender also originally quarantined the latest AHK installer and I had to restore it):

ps.png: (15.79 KiB) Downloaded 314 times

garry · 22 Apr 2024, 10:02

Windows Defender deleted my big text-file (xy.txt) with contained ahk scripts
It's possible to exclude some folders/files from scanning .

---------------------
https://www.theregister.com/2024/04/21/microsoft_national_security_risk/
-- Why Microsoft is a national security threat • The Register
------------------

https://www.theregister.com/2024/04/22/edr_attack_remote_data_deletion/
-- Researchers: Windows Defender attack can delete databases • The Register
Researchers at US/Israeli infosec outfit SafeBreach last Friday discussed flaws in Microsoft and Kaspersky security products that can potentially allow the remote deletion of files.
And, they asserted, the hole could remain exploitable – even after both vendors claim to have patched the problem.
---------------------

https://www.bleepingcomputer.com/news/security/autohotkey-malware-is-now-a-thing/ 2018-03-30
-- AutoHotkey Malware Is Now a Thing
------------------

22 Apr 2024, 10:17

Thank you!
They matched.

(where Windows Defender also originally quarantined the latest AHK installer and I had to restore it)

So it happened to you too? I'm relieved, that probably means that it was a false positive

Thank you to all of you

Windows defender tells me that a virus is in the autohotkey setup file

Windows defender tells me that a virus is in the autohotkey setup file

Re: Windows defender tells me that a virus is in the autohotkey setup file

Re: Windows defender tells me that a virus is in the autohotkey setup file

Re: Windows defender tells me that a virus is in the autohotkey setup file

Re: Windows defender tells me that a virus is in the autohotkey setup file

Re: Windows defender tells me that a virus is in the autohotkey setup file

Re: Windows defender tells me that a virus is in the autohotkey setup file

Who is online