False positive thehook.dll in SciTE for AutoIt (Unclassified Malware[at]4226609)


I submitted this on the 4th of this month along with another file belonging to AutoIt. Apparently the other files have been added to the safelist, but the AV just detected thehook.dll again today. How come?

thehook.dll (Unclassified Malware@4226609) is part of the SciTE editor customized for AutoIt. It is used to generate macros to easily create scripts for the purpose of various automation tasks. So yes, by definition it is a keylogger, but it is completely benign.

Do you want me to email the file again? I can’t submit it through CIS because it paradoxically says this file is already in the safelist so I can’t submit it…

Hi HeffeD,

Thanks for reporting. But the file “thehook.dll” is considered Potentially Dangerous.
And actually it should not be termed “Unclassified Malware”.
We changed the detection to “Application/ApplicUnsaf/ApplicUnwnt” and it will be reflected in the next update.

You have an option in ScannerSettings -> Exclusions, from where you can exclude the sample from detection.

Thanks and Regards,

Wow, really??

If you’re going to start blacklisting things for being potentially dangerous, then there should be no safe list at all! Almost every application or .dll has the potential to be dangerous…

svchost is used by quite a bit of malware and yet it’s “safe”. But the potential is very definitely there!

It’s very obvious when you are recording a macro using SciTE. Yes, I want to be made aware of any applications attempting to use the .dll, but the .dll by itself is completely benign.