
Why Antivirus Software Flags Our Binaries (False Positives) #24

@markuskiller

Summary

Some antivirus software flags our Windows executables (.exe files) as potentially malicious. This is a false positive.

Latest release with downloadable binaries: v0.4.1

What You Might See

  • ✅ VirusTotal: Typically 4-10 detections out of 70+ scanners
  • ✅ Windows Defender SmartScreen warnings
  • ✅ Detections like: Trojan.Generic.*, BehavesLike.Win64.Generic.*, Trojan.Blank.Script.*

Why This Happens

Our executables are built with PyInstaller, a legitimate Python packaging tool. Antivirus software flags PyInstaller executables for four reasons:

  1. Packing behavior - The Python runtime, our code and all dependencies are bundled into a single .exe, which looks like the packing used to hide malware
  2. Self-extracting code - In one-file mode the bundle is unpacked into a temporary directory at startup, which triggers behavioral heuristics
  3. No code signature - Unsigned binaries have no publisher reputation, so SmartScreen warns on first run
  4. Generic detection - Broad heuristics (the Trojan.Generic.* style names above) catch legitimate tools along with real malware

This affects many open-source Python projects (youtube-dl, yt-dlp, streamlink, etc.).
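The packaging signature that heuristics react to is visible in the file itself: a PyInstaller one-file executable carries an appended archive that ends in a fixed-layout "cookie" beginning with the magic bytes `MEI\x0c\x0b\x0a\x0b\x0e`. The script below (an added example, not part of vba-edit or PyInstaller) locates that cookie so a triager can confirm offline that a flagged .exe is a PyInstaller bundle before deciding whether a generic detection deserves attention. The cookie format `!8sIIii64s` and the major*100+minor version encoding follow PyInstaller's archive reader; the sample file it scans is constructed test data, not a real release.

```python
"""Detect and parse the PyInstaller cookie at the tail of a Windows executable."""
import struct
from typing import Optional

PYINSTALLER_MAGIC = b"MEI\014\013\012\013\016"
# magic, archive length, TOC offset, TOC length, python version, python lib name
COOKIE_FORMAT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88 bytes


def find_pyinstaller_cookie(data: bytes) -> Optional[dict]:
    """Return the parsed cookie if `data` contains a PyInstaller archive, else None.

    The archive sits after the bootloader (appended or in a PE section) and the
    cookie is at the archive's end, so the search runs from the tail backwards.
    """
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos == -1 or pos + COOKIE_SIZE > len(data):
        return None
    _magic, archive_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(
        COOKIE_FORMAT, data, pos
    )
    return {
        # archive_len counts the cookie itself, so the bundle starts this far back
        "archive_offset": pos + COOKIE_SIZE - archive_len,
        "archive_len": archive_len,
        "toc_offset": toc_off,
        "toc_len": toc_len,
        "python_version": f"{pyvers // 100}.{pyvers % 100}",  # stored as major*100+minor
        "python_lib": pylib.rstrip(b"\0").decode("ascii", "replace"),
    }


def is_pyinstaller_bundle(data: bytes) -> bool:
    """True when the file carries a well-formed PyInstaller cookie."""
    return find_pyinstaller_cookie(data) is not None


def build_sample_bundle() -> bytes:
    """Constructed stand-in for a PyInstaller exe: fake PE stub, fake archive
    body and a correctly laid-out cookie. Test data only, not a real binary."""
    stub = b"MZ" + b"\0" * 62 + b"FAKE BOOTLOADER " * 8   # 192 bytes
    body = b"PYZ-00.pyz" + b"\0" * 200                      # stands in for the packed archive
    pylib = b"python312.dll".ljust(64, b"\0")
    toc_off, toc_len = len(body) - 16, 16
    archive_len = len(body) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FORMAT, PYINSTALLER_MAGIC, archive_len, toc_off, toc_len, 312, pylib)
    return stub + body + cookie


if __name__ == "__main__":
    import sys

    # Scan a real file if given on the command line, otherwise the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_bundle()
    info = find_pyinstaller_cookie(data)
    if info is None:
        print("no PyInstaller cookie found")
    else:
        print(f"PyInstaller bundle: Python {info['python_version']} ({info['python_lib']}), "
              f"archive at offset {info['archive_offset']}, {info['archive_len']} bytes")
```

Run it against a downloaded release with `python check_pyinstaller.py excel-vba.exe` to confirm the packaging method; a PyInstaller cookie on its own says nothing about whether the payload is benign, which is why the verification steps below still matter.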

This Is NOT Malware

Our binaries contain no malicious code. We provide multiple ways to verify:

🔐 How to Verify Safety

  1. GitHub Attestations (cryptographic proof that the file was built by our GitHub Actions workflow; requires the GitHub CLI):

    gh attestation verify excel-vba.exe --owner markuskiller
  2. Build from source (ultimate verification):

    git clone https://github.com/markuskiller/vba-edit.git
    cd vba-edit
    pip install -e ".[dev]"
    python create_binaries.py
  3. Review source code - Everything is public and auditable
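The attestation check above only proves something about the file you hand to `gh` at that moment. The script below (an added example, not the project's own tooling) wraps that check with a SHA-256 pin so the exact file you verified once can be re-checked offline later. It assumes, since the project publishes no checksum file, that `EXPECTED` is a digest you recorded yourself the first time `gh attestation verify` succeeded for that asset. It also passes `--repo markuskiller/vba-edit` rather than `--owner`, which rejects attestations from the owner's other repositories. The `gh` call needs network access and an authenticated CLI.

```python
"""Verify a downloaded vba-edit release binary: SHA-256 pin plus GitHub attestation."""
import hashlib
import shutil
import subprocess
from pathlib import Path

OWNER, REPO = "markuskiller", "vba-edit"


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of(path) -> str:
    """Stream the file so large executables do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_matches(actual_hex: str, expected_hex: str) -> bool:
    """Compare digests case-insensitively; tools print them in either case."""
    return actual_hex.strip().lower() == expected_hex.strip().lower()


def attestation_verified(path) -> bool:
    """Run `gh attestation verify FILE --repo OWNER/REPO` and report its verdict."""
    gh = shutil.which("gh")
    if gh is None:
        raise RuntimeError("gh CLI not installed; install it or build from source instead")
    result = subprocess.run(
        [gh, "attestation", "verify", str(path), "--repo", f"{OWNER}/{REPO}"],
        capture_output=True, text=True,
    )
    if result.returncode != 0:
        print(result.stderr.strip())
    return result.returncode == 0


def verify_release_binary(path, expected_hex: str) -> bool:
    """True only if the digest pin and the attestation both pass."""
    path = Path(path)
    actual = sha256_of(path)
    if not digest_matches(actual, expected_hex):
        print(f"SHA-256 mismatch for {path}: got {actual}, expected {expected_hex}")
        return False
    return attestation_verified(path)


if __name__ == "__main__":
    import sys

    # Usage: python verify_release.py excel-vba.exe <sha256 you recorded earlier>
    ok = verify_release_binary(sys.argv[1], sys.argv[2])
    print("verified" if ok else "NOT verified")
    sys.exit(0 if ok else 1)
```

Record the digest at the moment the attestation first succeeds, and treat any later mismatch as a reason to re-download and re-verify rather than to run the file.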

Detailed Documentation

📚 Full explanation: SECURITY.md - False Positives from Antivirus Software

📚 Verification guide: SECURITY_VERIFICATION.md

Why We Don't Code Sign (Yet)

Code signing certificates cost $300-500/year and require business verification. We're evaluating free options like SignPath.io (target: v0.6.0+).

Help Improve Detection

If you encounter false positives, report them to antivirus vendors using their "False Positive" reporting tools. This helps the entire open-source community.


Labels

  • documentation - Improvements or additions to documentation
  • security - Security related issues
  • wontfix - This will not be worked on