I wrote a download manager (in the AutoHotKey language) for a client and it gets flagged by a minority of virus scanners (11% of the scanners used on VirusTotal) as being a trojan, malware, dropper, data stealer, etc. Since my software is none of those things I'd like to correct the erroneous flagging by these scanners. Has anyone dealt with this sort of problem before?

The real complication here is that since this is a download manager the actual signed binary I am delivering is different for each of thousands of downloads, so it's not practical that I could request each and every unique version be whitelisted or something.

I'd prefer not to try and use actual cloaking techniques to try and fool the anti-virus companies when I really have nothing to hide, but I'm not sure there is another choice (and I'm not sure I'd be successful). Any advice?

Quinxy von Besiex
  • Reporting to the AVs is not practical under these circumstances. Have you considered using UPX or other executable packers? Does it change the outcome? – 0xC0000022L Mar 02 '11 at 21:09
  • @STATUS_ACCESS_DENIED: Doesn't that usually make it worse? – user541686 Mar 02 '11 at 22:47
  • @Mehrdad: Nope. There are some packers that are usually used for questionable purposes and are thus flagged almost unanimously without regard for the actual program mechanics. This should not be the case with UPX. – 0xC0000022L Mar 03 '11 at 01:05

2 Answers

I'm answering my own question here, and sadly providing a less than satisfactory answer, but it seems the only one available...

From what I've found there is no way to prevent some anti-virus programs from falsely flagging Auto Hot Key, AutoIt, and other scripted/interpreted code. I tried numerous approaches and nothing worked.

The best approach seems to be to avoid using Auto Hot Key, AutoIt, etc. if you can, and if you must then use VirusTotal on the setup file you're planning to release in order to understand what warnings your potential users will receive. In my experience of the 40+ virus scanners that are used by Virus Total only 1-4 generally see an Auto Hot Key included code as suspicious, and those are typically unpopular, unfamiliar virus scanners which likely err on the side of caution because doing so requires fewer resources (in terms of their own manpower, in coding and signature use).

Quinxy von Besiex
Trik has provided the following answer on the forums:

In the AutoHotkey folder (held in ProgramFiles) there is a sub-folder named 'compiler'; in that folder is a file named 'upx.exe'. Rename that to something like upx.old (or any other file extension). That should solve the problem.

Please comment on whether this worked or not.

David
  • I truly appreciate the answer, and it is an excellent tip for people. In my case I'm using AutoHotKey_L and mpress for the compacting and obfuscating. (I had experienced false positives with UPX, as you say, a while back with a different app.) The anti-virus problems I have seem to relate more to behavior and do not appear to relate to the packer. For example, the heuristic "dropper" false positive. My software *does* launch a silent EXE as part of installation. That really can't be avoided, but is there no way to do that without some AV programs freaking out? – Quinxy von Besiex Mar 04 '11 at 17:07
  • Another false positive included something about stealing personal data... obviously that's so vague I have no idea what they could be talking about. Perhaps it's because the download manager fetches files from the file server and in theory I could be sending data. Again, not sure how to convince them that's ok. – Quinxy von Besiex Mar 04 '11 at 17:07
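The thread above blames packers (UPX, mpress) for some of the heuristic hits. As an added example, not code from the asker or answerers, the following Python triage check walks a PE's section table and reports the two packer traces a scanner commonly keys on: known packer section names and sections whose entropy looks compressed. The section-name list, the 7.2 bits/byte threshold and the `build_sample_pe` helper (which constructs a minimal PE for demonstration) are assumptions of this example.

```python
import math
import struct

# Section names conventionally written by UPX and MPRESS (assumption, not from the post).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".MPRESS1", b".MPRESS2"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for compressed/encrypted data, typically 5-7 for plain code."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(pe: bytes):
    """Yield (name, raw_bytes) for each section of a PE image; minimal header walk."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]
    sec_off = pe_off + 24 + opt_size          # first IMAGE_SECTION_HEADER
    for i in range(nsec):
        hdr = pe[sec_off + 40 * i:sec_off + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)
        yield name, pe[raw_ptr:raw_ptr + raw_size]

def packer_indicators(pe: bytes, entropy_threshold: float = 7.2) -> list:
    """Reasons a heuristic scanner may treat the file as packed (threshold is an assumption)."""
    reasons = []
    for name, data in pe_sections(pe):
        label = name.decode(errors="replace") or "?"
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"section {label} is a known packer section name")
        if len(data) >= 256 and shannon_entropy(data) >= entropy_threshold:
            reasons.append(f"section {label} has entropy >= {entropy_threshold} bits/byte")
    return reasons

def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE for demonstration: sections is a list of (name, raw_bytes)."""
    pe_off, opt_size = 0x40, 0
    ptr = pe_off + 24 + opt_size + 40 * len(sections)   # raw data follows the headers
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    table, body = b"", b""
    for name, data in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(data), 0, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        ptr += len(data)
    return dos + coff + table + body
```

Run `packer_indicators(open("setup.exe", "rb").read())` on the release build before uploading it to VirusTotal; an empty list means neither trace is present, while any hit shows what the packer left behind for heuristics to see.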