I don’t seem to be able to find a board for False Positives and I also don’t know where to post bug reports. Anyway here are the troubles I’m having.
Firstly: The Grime Removal program is behaving oddly. It’s a bug. After it informed me of five apps that were not needed, I decided to investigate. I couldn’t find information about what they were. I thought perhaps I had missed something and clicked a button saying analyse again. I did this a couple of times and then all of a sudden it found nothing. I have no idea what happened or whether the apps were removed. That is annoying.
Secondly - and this is pretty bad: I have to disable Avast to download the file CheckSumVerify.au3 at the following link.
Once Avast finished doing whatever it did, I couldn’t find a way to reverse the blocked URL. How do I do that please?
Thirdly: why on Earth is the file download being blocked in the first place? What is actually triggering the FP? The code can’t be run unless you accidentally download and install AutoIt, and that’s extremely far-fetched. Even so, the code is related to security and intended to prevent unauthorized tampering with compiled scripts. Blocking the download is contrary to the objective of keeping computer users safe because injecting code into compiled scripts is both unacceptable and undesirable.
Edit: modified the forum link above to point to the exact forum post containing the blocked download.
No one can really say why it was detected, that requires analysis, but one thing is that the AutoIt stuff is regularly used by some script kiddies for malware, and some of the routines could well look suspect.
Links to suspect files/sites should be modified so they aren’t active to avoid accidental exposure - change the http to hXXp in the URL.
It seems to work. We’ll see when I post the response. The point I was trying to make was that the file is simply plain text. There are two dead giveaways - the file extension is .au3 and the encoding (although I haven’t tested it) is likely to be UTF-8. Avast is flagging a text file which would require a specific interpreter to become a threat.
Anyway, I want to know how to unblock the URL I posted here. I would also like to know what AutoItInjector [tri] is. I might have misspelled that, the Avast Threat Detected message wasn’t visible for very long.
I know and I also understand it’s important to the developers. I suppose au3 files could represent a threat, but only to someone who decides to run code from an author they don’t trust (or if they don’t understand it) through the aforementioned interpreter. That person would not likely be an average user and also should be aware that running code in that way will always involve a degree of risk. That’s part and parcel of learning how to become a programmer.
I sent a message about the URL. I still don’t know how to reverse or override Avast URL blocking. This feature seems to be missing from the program.
I did all those things. It isn’t everything I want though. I want to have control over what web links I click when I know I can trust the author/s. I would like to be able to tell Avast to ignore safe URLs if it flags them as harmful when they are not.
Having to disable shields is less secure than adding a single exception. Having to tell others to disable their AV is also pretty bad. I am all for better security, and I see being forced to take such actions as a big security risk. I feel it is necessary to point this out. The risk comes from all the malicious stuff that might occur with web based scripts, not with au3 files containing code that browsers can’t even run.
This post was an accident (I meant to modify the above post), but I might as well add to it now. I have tried to discover what AutoIt:Injector-G is. On Google I find a few references, mainly from AV scans which say it is a trojan. There isn’t much detailed information. Is it written in AutoIt, or simply a general category detected by heuristics?
At some point I will be releasing a program that will become unstable if illegally decompiled. I’m wondering what AV detection tools will make of that. I will not be able to predict the result if someone breaks the EULA and tries to reverse engineer my program - I can only say that it will become unstable. The binary itself will most likely be extremely difficult to interpret (almost impossible if I do a good job).
I don’t quite know what the problem is but I’m getting more FP results. The 7zip download on this page is not malicious. I have had an older version on my computer for a while now and it appears the SHA-1 hash has not altered on the earlier version, but that is also throwing a FP right now. Here’s the URL where the download for the current version of this file can be found.
I have a feeling that this is just the tip of the FP iceberg. Something is seriously broken. The one thing I can’t do is download these files without disabling Avast - that makes me a little nervous. I will delete the files on my computer (I don’t need them anyway) and report this latest version.
UPDATE
I changed my mind and also sent the older 7zip file on my computer for analysis. When I tried to remove the file to the Virus Chest, Fix Automatically or Repair, I get the following error:
The operation is not supported for this type of archive. (42111)
I can delete the file manually but I didn’t try this with Avast - I guess Avast can delete the file. Malwarebytes considers the file to be clean. I have never come across this error before.
After a little searching I found another person who had the same error with a false positive, so I’ll just wait and see.
OMG, what a set of results. “Suspicious_Gen2.VXSQX” doesn’t appear to even exist - at all. Not even “Gen2.VXSQX” exists. Really Norman. :
Well I can’t be 100% certain, but it seems a bizarre coincidence that two different versions of the same program, separated by about two years, on computers thousands of miles apart both get infected by the same virus without anyone noticing, unless it was there all along and has been dormant until now, or maybe someone is actually targeting the AutoIt community - also possible.
Once sent and confirmed they are generally corrected quickly. But sending just a report isn’t going to help much unless you submit samples of the detected file.
That said, autoit scripts get hit/detected on a fairly regular basis. But that is normally if it is a generic signature detection designed to catch multiple variants of similar malware.
I submitted my report about 24 hours ago along with the download URL.
Well the code may be partially useful to me for protecting my own application from decompilation. This means that whatever is throwing the FP will also prevent my program from running or even being downloaded by people with computers running Avast. I haven’t decided to use the code, but every bit of protection is potentially useful. Do you see my dilemma?
Actually it’s everyone’s dilemma in a way. Developers get their code ripped off and redistributed with keygens and such things. So developers try to prevent that by making the code as impenetrable as possible with lots of security features. But then the binary can’t be analysed so easily by AV companies and heuristics tend to throw a lot of false positives. Ultimately technological creativity and advancement suffers. This is a real shame.
Also, with it being an AutoIt script (not compiled), it is nothing more than information. It won’t run on your computer unless you know how to run it yourself, or have some malware installed that will run it secretly behind your back - in which case the antivirus should be targeting the malware rather than the script. Blocking an AutoIt script download is akin to censorship. I am prevented from accessing data, not some rootkit or nasty virus that is going to trash my computer without warning - just plain and simple text. Here is where I think the water gets rather muddy.
‘Hitting/detecting AutoIt scripts on a fairly regular basis’ means the Avast team are misleading people into thinking a language is a virus. I really would like to know why.
As an avast user I simply can’t answer the ‘why’ questions, I’m basically recounting what I have seen over time in the forums in relation to autoit detections.
DavidR - I know you are giving assistance here by donating your free time to help people. I appreciate your responses and thank you for trying to help me.
Maybe the Avast dev team are trying to fix things and it’s just taking a little longer than I had hoped. If I still can’t access the URL in a day or two, I’ll resubmit the report.
The URL (file download link) has been submitted as a false positive twice.
The file can not be run unless you know how to run it using the AutoIt interpreter which needs to be downloaded from https://www.autoitscript.com/site/ and then installed on your system. I’ve never heard of this happening by itself. The file could also possibly be run by a malware program, but the same could be said of practically any file, so we can dismiss this as a reason to target .au3 file extensions containing nothing more than plain text, since by themselves they are totally harmless to any computer. That’s something that is unlikely to change in the foreseeable future.
What is AutoIt:Injector-G [Trj] ? Is it written in AutoIt? When did it first appear as a threat? Why is CheckSumVerify.au3 being flagged as AutoIt:Injector-G ?
URL (file download link) submitted as a false positive once.
The 7zip probably contains a compiled autoit script (file extension .exe) which may represent a threat because it will run without third party software needing to be installed. Here I accept the possibility of a threat, although the virus scans suggest that no virus scanner has a clue what it is - see for yourself:
Lots of apparently contradictory information. Although most virus scanners don’t find anything, the 7zip appears to possibly contain several malicious items, one of which appears to have never existed - “Gen2.VXSQX” - at least Google has never heard of it. ???
After further tests with other AutoIt scripts, it is clear that Avast does not flag au3 files indiscriminately. My main concern now is about AutoIt:Injector-G. I need to know what it is. If the Avast team know something that other antivirus companies (or computer users) don’t know, then it is irresponsible to not share information about this threat. Let’s try and keep everyone safe through education!
Finally it would be a shame if I am forced to replace Avast in order to regain control of my computer, especially since it was another AutoIt user who recommended Avast to me in the first place.