Program made with PyInstaller now seen as a Trojan Horse by AVG
About a month ago, I used PyInstaller and Inno Setup to produce an installer for my Python 3 script. My AVG Business Edition AntiVirus just started complaining with today's update that the program has an SCGeneric Trojan Horse in the main .exe file used to start the program (in the folder created by PyInstaller that has all of the Python "guts"). At first I just thought it was a false positive in AVG, but submitting the .exe file to VirusTotal I get this analysis:

https://virustotal.com/en/file/9b0c24a5a90d8e3a12d2e07e3f5e5224869c01732b2c79fd88a8986b8cf30406/analysis/1493881088/

Which shows that 11 out of 61 scanners detect a problem:

TheHacker   Trojan/Agent.am 
NANO-Antivirus  Trojan.Win32.Agent.elyxeb 
DrWeb   Trojan.Starter.7246 
Yandex  Trojan.Crypren!52N9f3NgRrY 
Jiangmin    Trojan.Agent.asnd 
SentinelOne (Static ML)     static engine - malicious 
AVG     SCGeneric.KTO 
Rising  Malware.Generic.5!tfe (thunder:5:ujHAaqkyw6C) 
CrowdStrike Falcon (ML)     malicious_confidence_93% (D) 
Endgame     malicious (high confidence)     20170503
Zillya  Dropper.Sysn.Win32.5954 

Now I can't say that these other scanners are ones that I have heard of before... but still I'm concerned that it is not just AVG giving a false positive.

I have submitted the .exe file in question to AVG for their analysis. Hopefully they will back off on whatever it is that they thought they were trying to detect.

Is there anything else I can do with PyInstaller to make it so that the .exe launcher that it created won't be considered a Trojan?

Cavuoto answered 4/5, 2017 at 7:59 Comment(6)
So what is PrimerPrep.exe? Is that the Inno Setup installer or the application itself? - Sharma
PyInstaller creates a dist folder that has all of the bits that Python requires to run the program. The PrimerPrep.exe file is the launcher file among those bits that actually starts up the program. Inno Setup packages up that dist folder and creates the PrimerPrep Installer.exe file - a single file that installs the program into the Program Files folder, creates a desktop shortcut, etc. But if I run that installer .exe through VirusTotal, there are only 2 scanners that flag it (DrWeb and NANO). AVG says the installer is OK, even though it contains the .exe file that it flags by itself. - Cavuoto
OK, so your question is actually not about Inno Setup, right? It's about the PyInstaller .exe. - Sharma
I hadn't really thought that through, but yes, the .exe file that supposedly has the Trojan is the one created by PyInstaller. The installer .exe created by Inno Setup actually "hides" the supposed Trojan from AVG... until it's installed, of course, when AVG will again flag it as a Trojan. - Cavuoto
#22694165 github.com/pyinstaller/pyinstaller/issues/847 github.com/pyinstaller/pyinstaller/issues/603 github.com/google/spatial-media/issues/97 - Annulment
This is unfortunately a known issue that I also ran into a few hours ago. :/ Tried recompiling PyInstaller's bootloader, and now the number of flagged AVs went down from 9 to... 8... IIRC compiling with a 64-bit PyInstaller works around the issue? - Annulment
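An added example from the triage side (not code from the question or from PyInstaller itself): before accepting a verdict like the VirusTotal list above as a false positive, it helps to confirm that the flagged file really is a PyInstaller bundle and to look at which script it carries. The parser below follows the PyInstaller 3.x+ CArchive layout as I know it (a cookie struct "!8sIIii64s" holding the "MEI" magic, and 16-byte-aligned TOC entries "!iIIIBc"); the sample archive, the stub "bootloader" and the entry names pyi_main and PYZ-00.pyz are constructed for the example, not taken from the page.

```python
import io, struct, zlib
MAGIC = b"MEI\014\013\012\013\016"        # PyInstaller archive cookie magic
COOKIE_FMT = "!8sIIii64s"                 # magic, package len, TOC offset, TOC len, python version, python lib name
COOKIE_LEN = struct.calcsize(COOKIE_FMT)  # 88 bytes
ENTRY_FMT = "!iIIIBc"                     # entry len, data offset, compressed len, uncompressed len, compressed?, type code
ENTRY_LEN = struct.calcsize(ENTRY_FMT)    # 18 bytes

def build_sample_archive(stub, files, pyvers=308):
    # Constructed sample: append a minimal PyInstaller-style CArchive to a fake bootloader stub.
    blob, toc = io.BytesIO(), b""
    for name, typecode, payload in files:
        comp, data_pos = zlib.compress(payload), blob.tell()
        blob.write(comp)
        nm = name.encode() + b"\0"
        nm += b"\0" * ((-(ENTRY_LEN + len(nm))) % 16)  # real builds pad each TOC entry to 16 bytes
        toc += struct.pack(ENTRY_FMT, ENTRY_LEN + len(nm), data_pos, len(comp), len(payload), 1, typecode) + nm
    toc_pos = blob.tell()
    blob.write(toc)
    pkg_len = blob.tell() + COOKIE_LEN
    blob.write(struct.pack(COOKIE_FMT, MAGIC, pkg_len, toc_pos, len(toc), pyvers, b"python38.dll"))
    return stub + blob.getvalue()

def parse_pyinstaller_archive(data):
    # Locate the cookie, then read the TOC; returns None when no PyInstaller archive is present.
    cookie_pos = data.rfind(MAGIC)
    if cookie_pos < 0 or cookie_pos + COOKIE_LEN > len(data):
        return None
    _, pkg_len, toc_pos, toc_len, pyvers, pylib = struct.unpack(COOKIE_FMT, data[cookie_pos:cookie_pos + COOKIE_LEN])
    pkg_start = cookie_pos + COOKIE_LEN - pkg_len  # TOC data offsets are relative to the package start
    toc = data[pkg_start + toc_pos:pkg_start + toc_pos + toc_len]
    entries, off = [], 0
    while off + ENTRY_LEN <= len(toc):
        elen, dpos, clen, ulen, flag, typ = struct.unpack(ENTRY_FMT, toc[off:off + ENTRY_LEN])
        name = toc[off + ENTRY_LEN:off + elen].rstrip(b"\0").decode()
        entries.append({"name": name, "type": typ.decode(), "pos": dpos, "clen": clen, "ulen": ulen, "zlib": bool(flag)})
        off += elen
    return {"pkg_start": pkg_start, "python": pyvers, "pylib": pylib.rstrip(b"\0").decode(), "entries": entries}

def extract_entry(data, name):
    # Return the decompressed bytes of one bundled entry (e.g. the main script) for inspection.
    info = parse_pyinstaller_archive(data)
    for e in info["entries"]:
        if e["name"] == name:
            raw = data[info["pkg_start"] + e["pos"]:info["pkg_start"] + e["pos"] + e["clen"]]
            return zlib.decompress(raw) if e["zlib"] else raw
    raise KeyError(name)

# Constructed sample: a fake "bootloader" followed by a script entry ('s') and a dummy PYZ entry ('z').
SAMPLE_FILES = [("pyi_main", b"s", b"print('hello from the bundled script')\n"), ("PYZ-00.pyz", b"z", b"PYZ\0" + b"\0" * 40)]
SAMPLE_EXE = build_sample_archive(b"MZ" + b"\x90" * 64, SAMPLE_FILES)
```

Run parse_pyinstaller_archive on the bytes of a real flagged .exe to list the bundled entries; a bundle whose script entry is your own code, built on your own machine, is the usual false-positive pattern discussed in this thread.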
I was able to submit the file in question to AVG's "Report a false detection" page, at https://secure.avg.com/submit-sample. I received a response back fairly quickly (I can't remember exactly how long, but it was less than a day) that they had analyzed my file and determined that it did not have a virus. They said that they had adjusted their virus definitions so that it would not trigger a false positive anymore. I updated my definitions and it was still triggering, so I contacted them again with my virus definition version, and I heard back that the version I had wasn't high enough - I think there was some delay on my definitions because I get them from a local server. But within a day I had the right version of the definitions and the false positive didn't trigger anymore.

So if you have a false positive with AVG, I would recommend this solution - fairly quick and easy to get a resolution to the problem.

Cavuoto answered 8/5, 2017 at 11:30 Comment(1)
Given the recent discovery about infiltration of PyPI bleepingcomputer.com/news/security/…, maybe there is cause for concern. Windows Defender is now detecting the 'runw.exe' as a trojan. - Christiachristian
I was always getting some false positives with PyInstaller from VirusTotal. This is how I fixed it:

PyInstaller comes with pre-compiled bootloader binaries for different OSs. I suggest compiling them yourself on your machine. Make sure everything is consistent on your machine. For Windows 64-bit, install Python 64-bit. Download PyInstaller 64-bit for Windows. Make sure the Visual Studio (VS) version corresponding to your Python is installed; check below:

https://wiki.python.org/moin/WindowsCompilers

Compile the bootloader of PyInstaller on your machine with VS. It automatically updates the run.exe, runw.exe, run_d.exe, runw_d.exe in DownloadedPyinstallerFolder\PyInstaller\bootloader\Windows-64bit. Check below for more info on how to compile the bootloader:

https://pyinstaller.readthedocs.io/en/stable/bootloader-building.html

At the end, install PyInstaller. Within the PyInstaller directory, run

python setup.py install

Peril answered 28/8, 2018 at 9:32 Comment(4)
"For Windows 64bit, install Python 64bit. Download PyInstaller 64bit for Windows" <- This helped me, thank you. I was using a pyenv fork for Windows, and installing Python 3.7.0. That was wrong; I needed to install Python 3.7.0-amd64. Now pyinstaller produces a binary that is no longer flagged by my university's antivirus. Note that when testing on Linux, 3.7.0-amd64 refers to a version that doesn't exist, so I can't rely on pyenv's .python-version file anymore on Linux. I use the PYENV_VERSION env variable instead. - Lusitania
For me this didn't work at all. Before this I got 7 VirusTotal detections. After, I got 15. - Cadena
I have done the above step of compiling the bootloader and then installing with "python setup.py install", but it is useless against TrendMicro OfficeScan (Apex One Security Agent) :( - Valma
Using Python 64-bit 3.8.8 and pyinstaller 5.4.1. Bootloader compiled with MSVC 14.34 and nothing is better. Avast still detects my compiled program as a threat! - Clingfish
I faced the same issue for my small document register project code.

My temporary solution was to allow the app in Windows Defender, and

the other solution was to use the command pyinstaller filename.py instead of pyinstaller --onefile filename.py.

I don't know if it is correct. But it worked for me.

Banc answered 21/1, 2021 at 15:54 Comment(1)
The removal of --onefile probably helped here. According to another thread, the method used by PyInstaller to bundle up the files into one archive is what makes it seem suspicious to antivirus software. - Smith
I searched many blogs for weeks, but I found nothing. Today I found a way to convert .py to .exe without any virus errors.

Virus Total Report

So in this method you do not need to send any reports. Actually, it is very simple.

You need to install a module named Nuitka.

python -m pip install nuitka

Then you need to open a command prompt from the file path, and use the command: python -m nuitka --mingw64 filename.py

And that's all.

You can use the command nuitka --help

You can find more in the Nuitka Guide.

Wavelength answered 17/10, 2021 at 5:46 Comment(1)
The TrendMicro OfficeScan (Apex One Security Agent) did not treat it as a virus, but the exe file size increased, so that is a short-term solution. Thanks. - Valma
I puzzled over this question for two days and finally found a problem with my application. The issue was with the application's icon.

Example for tkinter:

root.iconbitmap('./icon.ico')

When I removed this line of code, the false-positive Trojan was gone.

Also, make sure not to use --icon dependency when you are converting your .py file into .exe. Otherwise, this will cause the same false-positive Trojan detection.

Cyrilla answered 18/1, 2021 at 13:8 Comment(2)
So you're telling me we can't have an icon added? How else do you add it to your app if you don't use the flag? - Smith
Removing the icon took down Kaspersky but raised Cylance. - Affable
I had this same problem using Python 3.8.5 and PyInstaller 4.5.1.

In my case the first exe build was accepted by the antivirus (Windows Defender), but subsequent builds were flagged as having a trojan. I solved it by using the pyinstaller --clean option every time I built the executable.

Acotyledon answered 23/9, 2021 at 7:42 Comment(0)
Recompile and then reinstall your Pyinstaller bootloader manually.

This was a problem I had for a while, and my friend and I figured out this resolution with the help of many others. It almost always works to resolve the issue.

I posted the specific steps on my Medium blog. The link is shared below, but the basic steps are as follows:

  1. Purge Pyinstaller Files within your Project and Rebuild
  2. Uninstall Pyinstaller
  3. Build a Pyinstaller Bootloader with your Compiler
  4. Install the newly compiled Pyinstaller
  5. Re-build your EXE with Pyinstaller, and make sure it's not being flagged as a virus

How to Resolve the Python Pyinstaller False Positive Trojan Virus

Marta answered 6/9, 2021 at 15:39 Comment(4)
I appreciate the detailed instructions, but I'm still getting the same security issues, including one from Microsoft. - Alsacelorraine
@Alsacelorraine What's the error message? Is that even after you submitted your EXE to the antivirus companies flagging it? - Marta
VirusTotal gave me 5 or 6 alerts after compiling with either the pre-compiled Pyinstaller or the manually compiled Pyinstaller. I was able to sign it and submit the application to Microsoft, and that got it past Defender that way. - Alsacelorraine
I wasn't able to complete a build with the --noconsole option, but this answer resolved the issue. - Mania
Reverting back to PyInstaller 3.1.1 from 3.4 resolved similar issues on my end (at least temporarily).

Eozoic answered 13/2, 2019 at 18:8 Comment(0)
What I did to solve this (make exe files not detectable as a virus) was to downgrade pyinstaller by typing in cmd: pip install pyinstaller==4.1.0

And by the way, it didn't work on 3.4.0, so I just randomly picked that version (4.1) and it's pretty good so far :> I'm pretty sure that it works on more than only that one version, but that is what I experienced personally.

Crake answered 10/7, 2021 at 22:48 Comment(0)
As @boogie_bullfrog said, reverting to a previous version could be a solution. However, I used a *.spec file to store some data (like pictures and icons). I had the latest 3.5 version (August 2019), and moving to 3.1.1 caused an error when the app was compiled (probably due to supporting Python 3.7).

So right now the easiest solution is to downgrade to 3.4.

It supports specs from pyinstaller 3.5, and the onefile app wasn't detected by the Windows 10 built-in firewall.

Nationality answered 21/8, 2019 at 9:18 Comment(1)
Unfortunately, even with 3.4 VirusTotal reports 9/70 false positives. But yes, AVG and Avast become negative: virustotal.com/gui/file/… - Adverse
I had a similar problem with a pyinstaller exe under Windows. Avira put that file into quarantine since it was considered potentially dangerous (due to heuristics, which means that some segments look typical for a virus, but no virus is actually found).

Keep in mind that the exe files you generate yourself are unique (as a consequence, the Avast scanner usually returns a message "you have found a rare file, we are doing a quick test", and delays execution for 15 seconds to perform a more thorough test).

My solution consists of some steps:

  • I have uploaded the exe to https://www.virustotal.com/gui/home/upload to check it with many scanners. If just one or two are detecting a virus, you should be on the safe side.
  • In order to make your local virus scanner accept the file, you can manually accept it for your computer, but this does not solve the underlying problem, so on other computers it would still be flagged as a virus.
  • Therefore I reported the file as a false positive to Avira, which can simply be done by sending it by email. Other scanners have similar feedback lines. I got feedback by email within one day that it is OK, and the scanner on my PC agrees with this now. Hope that this helps with the next iterations of my exe so that it stays clean.
Songwriter answered 16/7, 2020 at 5:54 Comment(0)
I tried to do it with PyInstaller, but the error remained. The way I had to resolve this situation was, instead of using PyInstaller, to use the cx_Freeze library. It helped me with the problem; the only difference is that a setup.py must be used.

Thermic answered 30/1, 2024 at 1:41 Comment(0)
The malware is detected using pyinstaller 5.x and 6.x.

I reverted the pyinstaller version to 4.10.

I tried 5.x and 6.x, but they did not solve it. I'm using Python 3.8.0.

I ran: pip uninstall pyinstaller, then pip install pyinstaller== (to list the versions available, if you are interested), and then pip install pyinstaller==4.10

Gaberones answered 21/2, 2024 at 16:20 Comment(0)
The problem is caused by the --windowed or -w option on Pyinstaller 6.X.X. To solve this problem you have 2 ways.

1- Get rid of the "Windowed" Feature

Simply delete the option --windowed or -w from your command line, but this time the console window will be opened in the background when your application starts.

2- Use a Pyinstaller 5.X.X version

I have tested on my system that 5.X.X versions of pyinstaller do not have that problem. So you can install that version instead of using version 6.X.X.

pip install pyinstaller==5.13.2

Halflength answered 16/3, 2024 at 19:43 Comment(0)
The way I fixed my problem was installing the latest version of PyInstaller from GitHub:

pip install https://github.com/pyinstaller/pyinstaller/archive/devlop.zip.

This immediately fixed the problem.

Interview answered 19/6, 2024 at 17:37 Comment(0)
What I did to solve this problem was using cx_Freeze instead of pyinstaller: you need to make a "setup.py" and then:

import sys
from cx_Freeze import setup, Executable

base = None

if sys.platform == "win32":
    base = "Win32GUI"  # Use this option to create a GUI executable on Windows

executables = [Executable("your_script.py", base=base)]

options = {
    "build_exe": {
        "packages": [],  # List of packages to include
        "include_files": [],  # List of additional files to include
    },
}

setup(
    name="YourAppName",
    version="1.0",
    description="Your application description",
    options=options,
    executables=executables
)

Greasy answered 28/12, 2023 at 9:22 Comment(0)
