False Positive virus alert on EVACopy
EVACopy is written in AutoIt, which is a legitimate programming language. Unfortunately, there are some reasons why an AutoIt application may make some anti-virus programs go berserk:
- AutoIt is both powerful and simple, therefore it was misused in the past for illegitimate purposes, such as game bots and simple malware.
- Some years back, a worm named AutoIT (which had nothing to do with the programming language) was rampaging across the web. Most anti-virus programs went into panic over it. Some never recovered.
- Any AutoIt application identifies itself as such. So, some anti-virus vendors get lazy and do not bother to actually check it for threats.
Now, with the most prominent anti-virus vendors, like Symantec or McAfee, their reputation is important, so they will check and double-check before alerting. Since EVACopy is clean, they will treat it as such.
For the less well known anti-virus vendors, their best chance of becoming well known is to be the first to find a new virus. "Hey, look at me! I found this virus before Symantec did! Now will you purchase me for your enterprise?"
So, they alert on anything and everything.
In the past I took the effort of communicating this issue to some anti-virus vendors. Some did update their engines, but I trust them not, and I got tired of this. So, if your anti-virus says EVACopy (or any other file, for that matter) is infected, submit it to VirusTotal. If no threat is detected by a prominent anti-virus engine, then kick your anti-virus program out the window.
(Note: a detection rate as small as 4/~50 is actually clean; a real threat will probably rate near 40/~50).
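The rule of thumb above (a handful of hits from obscure engines is a false positive, a hit from a prominent engine or a rate near 40/~50 is a real threat) can be applied mechanically to a scan report. The following is an added example, not code from EVACopy or from VirusTotal; it assumes the report is a dictionary keyed by engine name with a "category" field per engine, the shape of VirusTotal's v3 `last_analysis_results` object, and it uses the vendor list on this page as the "prominent" set. The sample reports are constructed.

```python
"""Triage a VirusTotal-style scan report using the page's rule of thumb."""
import re

# Vendors the page lists as not flagging EVACopy; treated here as "prominent".
PROMINENT_ENGINES = [
    "Symantec", "McAfee", "Trend-Micro", "Kaspersky", "Microsoft",
    "ESET-NOD32", "BitDefender", "Sophos", "ClamAV", "AVG", "Avast",
]

# Thresholds taken from the page: 4/~50 is clean, ~40/~50 is a real threat.
FALSE_POSITIVE_MAX_RATIO = 0.10
THREAT_MIN_RATIO = 0.50

# Engine categories that mean "this engine did not actually scan the file".
NOT_SCANNED = ("type-unsupported", "timeout", "failure")


def _norm(name):
    """Normalise an engine name so 'Trend-Micro', 'TrendMicro' and 'trendmicro' match
    (assumption: VirusTotal's exact engine spelling may differ from the page's)."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


PROMINENT_NORMALISED = {_norm(n) for n in PROMINENT_ENGINES}


def summarize(results):
    """results: {engine: {"category": ..., "result": ...}}.
    Returns scanned count, flagged engines, prominent hits and detection ratio."""
    scanned = [e for e, v in results.items() if v.get("category") not in NOT_SCANNED]
    flagged = sorted(
        e for e, v in results.items()
        if v.get("category") in ("malicious", "suspicious")
    )
    prominent_hits = sorted(e for e in flagged if _norm(e) in PROMINENT_NORMALISED)
    return {
        "scanned": len(scanned),
        "flagged": flagged,
        "prominent_hits": prominent_hits,
        # Engines that could not scan the file are not counted as "clean" votes.
        "ratio": (len(flagged) / len(scanned)) if scanned else 0.0,
    }


def classify(results):
    """Apply the page's rule: any prominent-engine hit or a high detection rate is a
    threat; a small rate with no prominent hit is a likely false positive; anything
    in between needs a human look."""
    s = summarize(results)
    if s["prominent_hits"] or s["ratio"] >= THREAT_MIN_RATIO:
        return "threat"
    if s["ratio"] <= FALSE_POSITIVE_MAX_RATIO:
        return "likely-false-positive"
    return "inconclusive"


def constructed_report(flagging, total=50):
    """Build a constructed report with `total` engines (the 11 prominent ones plus
    generic 'VendorNN' names) in which the engines in `flagging` report malicious."""
    engines = PROMINENT_ENGINES + ["Vendor%02d" % i for i in range(1, total - len(PROMINENT_ENGINES) + 1)]
    return {
        e: {"category": "malicious" if e in flagging else "undetected",
            "result": "Generic.Suspicious" if e in flagging else None}
        for e in engines
    }


# Constructed samples: 4 obscure hits out of 50 (the page's "actually clean" case),
# 40 hits including a prominent engine (the page's "real threat" case), and a
# middle case that should be reviewed by hand.
SAMPLE_FALSE_POSITIVE = constructed_report({"Vendor01", "Vendor02", "Vendor03", "Vendor04"})
SAMPLE_THREAT = constructed_report({"Kaspersky"} | {"Vendor%02d" % i for i in range(1, 40)})
SAMPLE_INCONCLUSIVE = constructed_report({"Vendor%02d" % i for i in range(1, 11)})

if __name__ == "__main__":
    for label, report in (("4/50 obscure", SAMPLE_FALSE_POSITIVE),
                          ("40/50 with Kaspersky", SAMPLE_THREAT),
                          ("10/50 obscure", SAMPLE_INCONCLUSIVE)):
        s = summarize(report)
        print("%-22s ratio=%.2f prominent=%s -> %s"
              % (label, s["ratio"], s["prominent_hits"], classify(report)))
```

The "inconclusive" band is deliberate: the page gives two anchor points (4/50 and 40/50), and a report between them, or one whose prominent-engine names do not match the normalised list, should be looked at rather than auto-dismissed.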
The VirusTotal analysis for the latest EVACopy release can be found here. Note that EVACopy is NOT considered a threat by the following vendors:
- Symantec (except for their inane so-called "reputation" rating)
- McAfee
- Trend-Micro
- Kaspersky
- Microsoft
- ESET-NOD32
- BitDefender
- Sophos
- ClamAV
- AVG
- Avast
... and many others.
Final Notes
Remember: a chance of infection always exists, so never treat any alert as False Positive until checked!
Also, now that you know EVACopy is clean, you may consider excluding it from your anti-virus scan. THIS IS A BAD IDEA, because if a virus does manage to infect EVACopy in the future, your anti-virus will not detect it!
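A safer alternative to an anti-virus exclusion is to keep the SHA-256 of the copy you verified clean and check the file against it before trusting it; the same digest can also be used to look the file up on VirusTotal by hash rather than uploading it. The following is an added example, not part of EVACopy; the pinned digest is a placeholder (the real EVACopy digest is not given on this page), and the file contents in the demonstration are constructed.

```python
"""Verify a binary against a pinned SHA-256 instead of excluding it from AV scans.
A changed digest means the file is no longer the one verified clean and must be
re-submitted for scanning before it is trusted."""
import hashlib
import os
import tempfile

# Placeholder: replace with the SHA-256 you computed from your own verified copy.
PINNED_SHA256 = {
    "EVACopy.exe": "<sha256-of-your-verified-copy>",
}


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_pinned(path, pinned):
    """Return (ok, reason). ok is True only when a digest is pinned for this file
    name and the file on disk matches it."""
    name = os.path.basename(path)
    expected = pinned.get(name)
    if expected is None:
        return False, "no pinned digest for %s; scan it and pin it first" % name
    actual = sha256_of_file(path)
    if actual != expected.lower():
        return False, "digest mismatch for %s: expected %s, got %s" % (name, expected, actual)
    return True, "digest matches pinned value"


def demo_roundtrip():
    """Constructed demonstration: pin a fresh file, verify it, then tamper with it
    and verify again. Returns (ok_before, ok_after_tamper)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "EVACopy.exe")
        with open(path, "wb") as f:
            f.write(b"constructed stand-in for the verified binary")
        pinned = {"EVACopy.exe": sha256_of_file(path)}
        ok_before, _ = verify_pinned(path, pinned)
        with open(path, "ab") as f:
            f.write(b"\x00")  # simulate any later modification of the file
        ok_after, _ = verify_pinned(path, pinned)
        return ok_before, ok_after


if __name__ == "__main__":
    print(demo_roundtrip())
```

The check is only as good as the pin: compute the digest from a copy whose VirusTotal report you have already reviewed, and re-pin after every legitimate update.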