35

About a month ago, I used PyInstaller and Inno Setup to produce an installer for my Python 3 script. My AVG Business Edition AntiVirus just started complaining with today's update that the program has an SCGeneric Trojan Horse in the main .exe file used to start the program (in the folder created by PyInstaller that has all of the Python "guts"). At first I just thought it was a false positive in AVG, but submitting the .exe file to VirusTotal I get this analysis:

https://virustotal.com/en/file/9b0c24a5a90d8e3a12d2e07e3f5e5224869c01732b2c79fd88a8986b8cf30406/analysis/1493881088/

Which shows that 11 out of 61 scanners detect a problem:

TheHacker   Trojan/Agent.am 
NANO-Antivirus  Trojan.Win32.Agent.elyxeb 
DrWeb   Trojan.Starter.7246 
Yandex  Trojan.Crypren!52N9f3NgRrY 
Jiangmin    Trojan.Agent.asnd 
SentinelOne (Static ML)     static engine - malicious 
AVG     SCGeneric.KTO 
Rising  Malware.Generic.5!tfe (thunder:5:ujHAaqkyw6C) 
CrowdStrike Falcon (ML)     malicious_confidence_93% (D) 
Endgame     malicious (high confidence)     20170503
Zillya  Dropper.Sysn.Win32.5954

Now I can't say that these other scanners are ones that I have heard of before... but still I'm concerned that it is not just AVG giving a false positive.

I have submitted the .exe file in question to AVG for their analysis. Hopefully they will back off on whatever it is that they thought they were trying to detect.

Is there anything else I can do with PyInstaller to make it so that the .exe launcher that it created won't be considered a Trojan?

Thanks for any input.

Jeff H
  • 487
  • 1
  • 4
  • 10
  • So what is `PrimerPrep.exe`? Is that Inno Setup installer or the application itself? – Martin Prikryl May 04 '17 at 08:12
  • PyInstaller creates a dist folder that has all of the bits that Python requires to run the program. The `PrimerPrep.exe` file is the launcher file among those bits that actually starts up the program. Inno Setup packages up that dist folder and creates the `PrimerPrep Installer.exe` file - a single file that installs the program into the Program Files folder, creates a desktop shortcut, etc. But if I run that installer .exe through VirusTotal, there are only 2 scanners that flag it (DrWeb and NANO). AVG says the installer is OK, even though it contains the .exe file that it flags by itself. – Jeff H May 04 '17 at 09:18
  • OK, so your question is actually not about Inno Setup, right? It's about PyInstaller .exe. – Martin Prikryl May 04 '17 at 10:02
  • 1
    I hadn't really thought that through, but yes, the .exe file that supposedly has the Trojan is the one created by PyInstaller. The installer .exe created by Inno Setup actually "hides" the supposed Trojan from AVG... until it's installed, of course, when AVG will again flag it as a Trojan. – Jeff H May 04 '17 at 10:51
  • http://stackoverflow.com/questions/22693665/python-executables-alarms-antivirus https://github.com/pyinstaller/pyinstaller/issues/847 https://github.com/pyinstaller/pyinstaller/issues/603 https://github.com/google/spatial-media/issues/97 – kirbyfan64sos May 04 '17 at 15:45
  • This is unfortunately a known issue that I also ran into a few hours ago. :/ Tried recompiling PyInstaller's bootloader, and now the number of flagged AV's went down from 9 to...8... IIRC compiling with a 64-bit PyInstaller works around the issue? – kirbyfan64sos May 04 '17 at 15:46

7 Answers7

30

I was always getting some false positives with Pyinstaller from VirusTotal. This is how I fixed it:

Pyinstaller comes with pre-compiled bootloader binaries for different OSs. I suggest compile them by yourself on your machine. Make sure everything is consistent on your machine. For Windows 64bit, install Python 64bit. Download PyInstaller 64bit for Windows. Make sure Visual Studio (VS) corresponding to your Python is installed, check below:

https://wiki.python.org/moin/WindowsCompilers

Compile the bootloader of Pyinstaller on your machine with VS. It automatically updates the run.exe, runw.exe, run_d.exe, runw_d.exe in DownloadedPyinstallerFolder\PyInstaller\bootloader\Windows-64bit. Check below for more info on how to compile the bootloader:

https://pyinstaller.readthedocs.io/en/stable/bootloader-building.html

At the end install Pyinstaller. Within Pyinstaller directory run

python setup.py install

Mahmoud Hossam
  • 129
  • 10
Sorush
  • 1,384
  • 3
  • 14
  • 27
  • 6
    "For Windows 64bit, install Python 64bit. Download PyInstaller 64bit for Windows" – Biganon Feb 10 '20 at 05:37
  • 4
    This was really useful - rebuilding the bootloader removed lots of false detections on my application, including Microsoft Defender. – xioxox Mar 09 '20 at 19:38
  • 4
    Thank you a ton for this answer. Worked liked a charm. I did learn something though too many viruses have been compiled with the default PyInstaller bootloader and have ruined for us all. – nimig18 Sep 06 '20 at 07:44
  • 1
    For me this didn't work at all. Before this I got 7 VirusTotal detections. After I got 15. – iBent Feb 02 '21 at 18:47
9

I was able to submit the file in question to AVG's "Report a false detection" page, at https://secure.avg.com/submit-sample. I received a response back fairly quickly (I can't remember exactly how long, but it was less than a day) that they had analyzed my file and determined that it did not have a virus. They said that they had adjusted their virus definitions so that it would not trigger a false positive anymore. I updated my definitions and it was still triggering, so I contacted them again with my virus definition version, and I heard back that the version I had wasn't high enough - I think there was some delay on my definitions because I get them from a local server. But within a day I had the right version of the definitions and the false positive didn't trigger anymore.

So if you have a false positive with AVG, I would recommend this solution - fairly quick and easy to get a resolution to the problem.

Jeff H
  • 487
  • 1
  • 4
  • 10
  • Given the recent discovery about infiltration of PyPi https://www.bleepingcomputer.com/news/security/ten-malicious-libraries-found-on-pypi-python-package-index/, maybe there *is* cause for concern. Windows Defender is now detecting the 'runw.exe' as a trojan. – kfsone Sep 29 '17 at 02:48
  • I appreciate knowing about this, but my problem occurred over a month before those malicious packages were uploaded, so the would not be related. – Jeff H Oct 02 '17 at 16:10
  • I don't appreciate that this was downvoted. It gave me another option on how to solve this... – Shmuel Kamensky Dec 27 '19 at 18:52
4

I faced same issue for my small document register project code.

My temporary solution was to allow the app in windows defender and

other solution was to use the command pyinstaller filename.py instead of pyinstaller --onefile filename.py.

I dont know if it is correct. But it worked for me.

John Sanjeev
  • 49
  • 1
  • 1
2

Reverting back to PyInstaller 3.1.1 from 3.4 resolved similar issues on my end (at least temporarily).

boogie_bullfrog
  • 71
  • 8
2

As @boogie_bullfrog told, reverting to a previous version could be a solution. However I used *.spec file to store some data (like pictures and icons). I had the latest 3.5 version (August, 2019) and moving to 3.1.1 caused error when app was compiled (probably due to supporting Python 3.7).

So right now the easiest solution is to downgrade to 3.4

It supports specs from pyinstaller 3.5 and the onefile-app wasn't detected by Windows 10 built-in firewall

Pavel Pereverzev
  • 319
  • 3
  • 14
  • Unfortunately even with 3.4 Virustotal reports of 9/70 of false positive. But yes, AVG and Avast become negative https://www.virustotal.com/gui/file/b0003534879798e827d8f8b45534e21d809685bb2e7ab2d5e1094dda3a03db74/detection – radioxoma Oct 03 '19 at 14:36
1

I had a similar problem with a pyinstaller exe under Windows. Avira put that file into quarantine since it was considered potentially dangerous (due to heuristics, which means that some segments look typical for a virus, but no virus is actually found).

Keep in mind that the exe files you generate yourself are unique (as a consequence, the Avast scanner usually returns a message "you have found a rare file, we are doing a quick test", and delays execution for 15 seconds to perform a more thorough test).

My solution consists of some steps:

  • I have uploaded the exe to https://www.virustotal.com/gui/home/upload to check it with many scanners. If just one or two are detecting a virus, you should be on the safe side.
  • In order to make your local virus scanner accept the file, you can manually accept it for your computer, but this does not solve the underlying problem, so on other computers it would still be flagged as a virus.
  • Therefore I reported the file as false positive to Avira, which can simply be done by sending it by email. Other scanners have similar feedback lines. I got a feedback by email within one day that it is ok, and the scanner on my pc agrees with this now. Hope that this helps with the next iterations of my exe so that it stays clean.
tfv
  • 5,130
  • 3
  • 26
  • 55
1

I puzzled over this question for two days and finally found a problem with my application. The issue was with the application's icon.

Example for tkinter:

root.iconbitmap('./icon.ico')

When I removed this line of code, the false-positive Trojan was gone.

Also, make sure not to use --icon dependency when you are converting your .py file into .exe. Otherwise, this will cause the same false-positive Trojan detection.

Alexander Borisov
  • 161
  • 5
  • I ended up here from a reddit post I found when trying to determine what "Sabsik" was. My issue had nothing to do with Python, but it had to do with a Tcl/Tk app that I had built into an .exe with Starkit. You inadvertently here super answered my question about what was going on. So I wanted to thank you for it. – Brandon Barkley May 27 '21 at 22:41