
px.exe 18 security vendors and no sandboxes flagged this file as malicious #182

Closed
michaelsstuff opened this issue May 11, 2023 · 25 comments

Comments

@michaelsstuff

18 virus scanners flagged the 0.8.4 release for Windows as a potential threat / trojan:

https://www.virustotal.com/gui/file/429e9aee6afb7e671cf37aadafced60c2b99844f0344c0a3426c62993c336db2

@nmartinho

I confirm. Windows Defender quarantined px.exe today.

Detected: Trojan:Script/Phonzy.A!ml
Status: Quarantined
File: C:\Downloads\px-v0.8.4-windows\px.exe

@rafazafar

Having same issue.

URL Categories: Software/Hardware
Reputation: Minimal Risk (0) Minimal Risk
File Name: px-v0.8.4-windows.zip|px.exe
Ensured Types: application/executable
Virus Name: Artemis

@is-smok

is-smok commented May 19, 2023

Same here.

@MrFly72

MrFly72 commented May 19, 2023

Same here. 0.8.3 will still work, 0.8.4 is detected by Defender.

@tps800

tps800 commented May 20, 2023

And it is not the only one. A variety of other *.exe-packed Python scripts, even a simple one just printing "Hello World!", are flagged as malicious. Looks like all these have the same code inside, leading to the very same message from various malware scanners.

@tps800

tps800 commented May 20, 2023

px.exe is flagged, but the git-cloned, manually installed one is not. Seems the packer is the one thing the scanners find malicious.

@genotrance
Owner

Funny how it suddenly is a problem after 3 months. This has been an ongoing issue with posting binaries. Usually someone submits a false positive request to the sites. Any help here will be greatly appreciated.

Alternative is to simply install Px on an existing Python install with the wheels archive.

@mindsolve
Contributor

Well, the manual analysis by Microsoft after my submission as false-positive is also kind of strange - either nobody actually looked at the file, or something is really amiss:
[screenshot of the Microsoft analysis result, not preserved]

@genotrance
Owner

Doesn't look like we can make any progress here without Nuitka commercial support.

ANTONIOPSD/CaptionIMG#1

I greatly prefer shipping wheels which can be downloaded and installed offline with Python but agree it is not for everyone. If anyone has any ideas how to improve this, please let me know. I moved away from PyInstaller since it had its own issues. Came back with Nuitka but no escape from this virus nuisance.

@michaelsstuff
Author

McAfee response was positive:

Dear Sir/Madam,

Thank you for contacting us.

We have reviewed your submission for whitelisting of your software and the submitted files have been Whitelisted.

Regards,

McAfee Data Submission Team

@tps800

tps800 commented May 31, 2023

Always the same: as soon as some malware provider uses a tool to package his malware, the anti-malware front indexes the packing tool and will not change its mind until someone starts suing them.

Microsoft (and Microtrend) refuse to change their mind, flagging a simple "Hello World" Python program packed with Nuitka. They did not find any virus/malware inside, but since this tool was used to pack malware, they think it is ok to flag ALL Python programs packed with it as malware.

@mindsolve
Contributor

mindsolve commented May 31, 2023

Yeah, seems like it. Regarding Defender, I'm going to try and submit a new request via a corporate account. Maybe that helps.

In general, I see three (theoretically) possible ways forward:

  1. Continue with Nuitka and current process, accepting that every new release needs to be submitted to antimalware as false-positive.
     • Maybe establish a checklist where to submit the files to before (public) release so that they have a relatively clean reputation before users use/see them
     • Maybe see if code signing could be an option. This is not free, but for open source projects relatively cheap (e.g. certum open source code signing)
  2. Stop distributing compiled binaries (source or wheels only), but maybe with some installer scripts or one-line commands to make it a little easier to use/set up
  3. Investigate whether a "compiled" executable is needed, or maybe a stripped-down portable Python (WinPython?) could be bundled instead. These "vanilla" Python binaries are way more used and have therefore higher trust by antimalware software.

@MrFly72

MrFly72 commented Jun 1, 2023

I also put this to MS through our Enterprise support and they stated that the signature has been changed and that the file should not be detected anymore.
I was not able to test so far, as time does not permit.

@mindsolve
Contributor

Looks like Microsoft now actually changed the detection!
[screenshot of the updated Defender result, not preserved]

@genotrance
Owner

Thank you everyone for your efforts in this area! Some thoughts around next steps:

  1. Continue with Nuitka and current process, accepting that every new release needs to be submitted to antimalware as false-positive.
  • Maybe establish a checklist where to submit the files to before (public) release so that they have a relatively clean reputation before users use/see them

If we can identify a list of sites where this needs to be done, that might be a start. Px isn't changing very fast so it might be the most sensible option.

  • Maybe see if code signing could be an option. This is not free, but for open source projects relatively cheap (e.g. certum open source code signing)

Seems expensive for a few releases a year, plus I'm not sure it guarantees that the file won't be flagged.

  2. Stop distributing compiled binaries (source or wheels only), but maybe with some installer scripts or one-line commands to make it a little easier to use/set up

We already have pre-packaged wheels with a one line install - python -m pip install px-proxy --no-index -f /path/to/wheels. It is documented in the README but still requires an existing Python install.

  3. Investigate whether a "compiled" executable is needed, or maybe a stripped-down portable Python (WinPython?) could be bundled instead. These "vanilla" Python binaries are way more used and have therefore higher trust by antimalware software.

This might be a viable option - I need to look into it to see if we end up with a px.exe (Python stub).

@genotrance
Owner

I spent some time on 3. above and came up with this zip file with the following steps:

  • Download the embeddable Python zip for Windows
  • Extract to a folder and start a shell in it
  • Download https://bootstrap.pypa.io/get-pip.py
  • Install pip with .\python get-pip.py
  • Install px-proxy with .\python -m pip install px-proxy
  • Remove pip with .\python -m pip uninstall setuptools wheel pip (extra 20MB of stuff)
  • Delete get-pip.py which is 2MB
  • Update python310._pth to include Lib and Lib\site-packages
  • Compress libcrypto and python310.dll with UPX (done with Nuitka as well)

Now this zip can be extracted and used on any Windows system to run Px and its dependencies. You can either run: python -m px or Scripts\px.exe.

Advantages:

  • Uses standard Python exe - no virus problem
  • Minimal ZIP size of 13MB with Python, Px and dependencies - a meg larger than Nuitka
  • Less than 1/2 a minute to create if automated unlike Nuitka which takes a few minutes and has many dependencies of its own

If someone can download px-v0.8.4-embed.zip and test and provide feedback, I'll really appreciate it.
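As an added example (not the px project's own tools.py embed() and not code posted in this thread), the steps listed above can be automated in a PowerShell script. Assumptions not stated in the thread: the 64-bit embeddable zip is fetched from python.org for the version in $PyVersion (the thread only mentions python310), upx is on PATH if the compression step should run, and the OpenSSL DLL is matched with a wildcard rather than by exact name.

```powershell
# Added example, not code from the px project: automates the embeddable-Python
# packaging steps from the issue thread. Version, download URL layout and the
# libcrypto wildcard are assumptions made here, not facts stated in the thread.
param(
    [string]$PyVersion = "3.10.11",                 # assumed; thread only says python310
    [string]$Work      = (Join-Path $PWD "px-embed")
)
$ErrorActionPreference = "Stop"

# "3.10.11" -> "python310": base name of the ._pth file and the main DLL
$pyTag    = "python" + (($PyVersion -split '\.')[0..1] -join '')
$embedZip = "python-$PyVersion-embed-amd64.zip"
$embedUrl = "https://www.python.org/ftp/python/$PyVersion/$embedZip"

# 1. Download the embeddable Python and extract it into the work folder
New-Item -ItemType Directory -Force -Path $Work | Out-Null
Invoke-WebRequest -Uri $embedUrl -OutFile (Join-Path $Work $embedZip)
Expand-Archive -Path (Join-Path $Work $embedZip) -DestinationPath $Work -Force
Remove-Item (Join-Path $Work $embedZip)

Push-Location $Work
try {
    # 2. The embeddable build ignores PYTHONPATH and takes sys.path from the
    #    ._pth file; add Lib and Lib\site-packages so installed packages import
    Add-Content -Path "$pyTag._pth" -Value "Lib", "Lib\site-packages"

    # 3. Bootstrap pip, install px, then remove pip/setuptools/wheel again
    Invoke-WebRequest -Uri "https://bootstrap.pypa.io/get-pip.py" -OutFile "get-pip.py"
    .\python.exe get-pip.py
    .\python.exe -m pip install px-proxy
    .\python.exe -m pip uninstall -y setuptools wheel pip
    Remove-Item "get-pip.py"

    # 4. Optional: shrink the two largest DLLs with UPX, as the thread describes
    if (Get-Command upx -ErrorAction SilentlyContinue) {
        $dlls = @(Get-Item "libcrypto*.dll", "$pyTag.dll" | ForEach-Object FullName)
        upx --best $dlls
    }

    # 5. Smoke test through the portable entry point (python -m px), since the
    #    pip-generated Scripts\px.exe launcher embeds the build-time interpreter path
    .\python.exe -c "import px"
}
finally {
    Pop-Location
}

# 6. Zip the folder for distribution
Compress-Archive -Path $Work -DestinationPath "$Work.zip" -Force
```

Run it from a PowerShell prompt as `.\build-embed.ps1` (or with `-PyVersion` to pick another 3.x release). The smoke test deliberately uses `python -m px` rather than `Scripts\px.exe`: as the later comments in this thread confirm, pip's console-script launcher stores the absolute path of the interpreter that installed it, so it is not portable once the folder is moved or extracted elsewhere.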

@mindsolve
Contributor

Hi! This sounds great!
I've tested the file you attached and can confirm that Virustotal and my Defender have no problems with the files 👍

Though unfortunately the .exe file in the Scripts folder doesn't work for me, with the following error message:
Fatal error in launcher: Unable to create process using '"C:\Users\gt\Downloads\py3\python.exe" "C:\Users\<MYUSERNAME>\Downloads\px-v0.8.4-embed\Scripts\px.exe" ': The system cannot find the file specified.
If I remember correctly, the generated .exe files do save the path to "their" interpreter in the executable itself, so they are not portable.

But your second method, running px via python.exe -m px, works flawlessly :)

@genotrance
Owner

Thanks for testing! That's dumb that the path is hardcoded but makes sense. I have a simple fix - need to move px.exe to the python folder and edit it to just say "python" instead of the full path. It works for me but again could do with a test :)

@mindsolve
Contributor

Yup, seems to work fine. Keeping it at the original place and replacing the path with ..\python.exe also works.
But for distributing, your option probably works better for users (with the executable directly in the main directory).

@MrFly72

MrFly72 commented Jun 14, 2023

Looks like the pattern kicks in again for Defender?

@genotrance
Owner

Looks like the pattern kicks in again for Defender?

@MrFly72 - do you mean the Nuitka build doesn't work again or this embedded zip I posted above?

@MrFly72

MrFly72 commented Jun 15, 2023

Sorry for not being clear. I mean the official download with Nuitka.

@aurril

aurril commented Jul 5, 2023

Virus signatures for Sophos have been updated. They don't detect version 0.8.4 as malware anymore.

@genotrance
Owner

This is fixed in v0.9.0 still in development - see branch.

Px binaries for Windows will now be built using the Python Embedded binary instead of Nuitka. See tools.py embed() if curious. Will post binaries after development and test is complete.

@genotrance
Owner

v0.9.0 has been released.
