anonymous1184/bitwarden-autotype

Anti-virus false positives


For release v1.1.3 https://www.virustotal.com reports multiple false positives.

Results for Setup.exe, flagged by 6 vendors.
[Screenshot, 2021-10-11: VirusTotal results for Setup.exe, SHA-256 a33bcc809c9f2a053392f2e36b7cd7b3740f6a01f89837e31657a1357339fcc7]

Results for bw-at.zip, flagged by 2 vendors.
[Screenshot, 2021-10-11: VirusTotal results for bw-at.zip, SHA-256 c88547a98d17c2ae1309db388c1667b661a52fd737796753d3ef18343a5fcfa4]

I really have no idea what is causing the AVs to flag it. I wonder if it has to do with the key generation.

A quick Google search shows that it is a common problem.
This is a recent discussion of the issue on AHK forums.

I'm aware of the issues with AV software and AutoHotkey, as I was an AutoIt user and heard about that new fork.

The issue back then was pretty limited; nowadays it is plain stupid and I can't think of any other wording. The engines just scan through the files, and if they find the asset touches areas touched by a known threat, your asset is marked as PUA. The best analogy I can think of is: "He has a gun, he must be a killer, right?" It's just a plain duck test.

And it's hypocritical, because for my job I have access to EV certificates and, just for the sake of testing, I signed the same files with one of those: zero false positives. It's not just me or AHK; the whole FOSS community* struggles with the same issue. When projects get enough traction and user base they get around the issue by buying certificates through donations, and the same certificate is the one used for the secure version of the site.

* Fun fact: not just Open Source, I once saw a Microsoft script (it wasn't even a binary) flagged as a virus.

I personally use AHK_H for other projects, but that would trump the user's ability to directly read the source code in the binary. I think people might be disgruntled with that; the simple fact that it is available, even if they don't understand it, makes the difference for a leap of faith.

The build process can automatically take care of all the possible variants (AHK_L/AHK_H, signed/unsigned), but it would only add confusion to have 4 copies of the same thing. At this point I'm betting on having a bit of trust from the users, even with those numbers of false positives. If enough people start to mark them as safe, those numbers will come down (check the AutoHotkey binary itself).

If you check the base binary file (to which the script is attached when converting it to an exe), it is already flagged, so in AV logic, even if the file doesn't contain code yet, it is a virus U__U.

It's a lost battle my friend, but thanks for the concern.