
Trojan warning from Windows Defender and several other AV monitors with pyinstaller 3.6 #2125

Closed
OdiumE opened this issue Jan 21, 2020 · 9 comments
Labels
bug Confirmed to be a bug fixed This issue has been fixed! Oh joy!

Comments

@OdiumE

OdiumE commented Jan 21, 2020

Hi, as the title says, I got this warning when I tried to install v2.16.1.
I have used pyfa for several years and have never gotten any warning before; it always worked.
Anyway, I didn't dare to install it.

I got this report from Windows Defender. See the picture of my screen (attached).
Screen-trojan

But: Is this some issue with Windows Defender?

Btw Pyfa is great!
Kind regards,
OdiumE

@biwakoacami

biwakoacami commented Jan 21, 2020

I can confirm that I'm seeing the same thing with 2.16.1 zip file. Pyfa.exe gets flagged as infected with Trojan:Win32/Detplock which seems similar to issue #2040. Have no issue with my files from the 2.16.0 zip.

@DarkFenX
Member

Posted an explanation to reddit, gonna repost it here as well.

It was reported on Russian forums already. I've made a post describing what was changed and how builds are generated (so that IT nerds can see that the build system is safe from my interference). I guess I will have to translate it here, since it affects more people than just the Russian community.

Since Pyfa builds had issues in the past, I started doing a VirusTotal check of the Windows exe build with every release. This release I also checked it: 2/68, quite acceptable.

Once I started receiving reports about issues, I checked the zip build: 1/56. And the exe file of the installed/unzipped build itself: 8/73, that's a surprise - until this moment I thought that all contents are unpacked and verified during an AV scan.

So, to know why all of these detections appeared all of a sudden, you can check what was changed here. Not many changes, and nothing could trigger AV checks besides library changes. 3 libraries were changed: wxpython from 4.0.6 to 4.0.7.post2, pyinstaller from 3.3 to the latest version 3.6 (due to a security issue in older versions), and pip was updated to the 20th version just before the final builds started. Out of those libraries the pyinstaller change is likely to trigger AV, because it's the software which wraps a python program with all its dependencies into a binary build (for all platforms, not just Windows).

Builds are generated by jobs on well-known 3rd party sites, under an account which was set up by Blitzmann (who made them, and as they just work I did not bother with ownership transfer); you can review job logs here: windows, mac. These jobs upload generated builds right to the release page without my personal interference. You can verify that builds were uploaded under Blitzmann's credentials at the time the jobs were running via the GitHub API.

There is no way any malicious software gets into these builds from my machine, and all the changes between releases are visible on GitHub.

So, I suspect that updated pyinstaller is triggering those AV monitors. Its repo has multiple issues about false positives closed by the maintainers with "ask AV companies to do something about false positives, we are not responsible for that".

If anyone has any expertise on how to tackle such issues - I'm glad to listen. I might just try to contact AV companies, but no idea what else could be done about it.

@OdiumE
Author

OdiumE commented Jan 21, 2020

Thank you for a thorough answer!
I had to ask here because of the gravity of the Windows Defender report.
All the best!

@DarkFenX
Member

Also FYI, I checked the release by installing it on a McAfee-monitored Win8.1 machine before publishing it.

@DarkFenX
Member

DarkFenX commented Jan 21, 2020

The first step would be to determine what's included in the exe. PyInstaller installs a bunch of scripts which can be used to explore compiled binaries; one of such scripts is archive_viewer.py.

dfx@kreo:~/.local/lib/python3.7/site-packages/PyInstaller/utils/cliutils$ python3 archive_viewer.py ~/Downloads/pyfa-v2.16.1-win/pyfa.exe
 pos, length, uncompressed, iscompressed, type, name
[(0, 244, 309, 1, 'm', 'struct'),
 (244, 1093, 1800, 1, 'm', 'pyimod01_os_path'),
 (1337, 4330, 9322, 1, 'm', 'pyimod02_archive'),
 (5667, 7347, 18621, 1, 'm', 'pyimod03_importers'),
 (13014, 1871, 4187, 1, 's', 'pyiboot01_bootstrap'),
 (14885, 236, 284, 1, 's', 'pyi_rth_pkgres'),
 (15121, 1102, 1804, 1, 's', 'pyi_rth_multiprocessing'),
 (16223, 277, 333, 1, 's', 'pyi_rth_certifi'),
 (16500, 394, 531, 1, 's', 'pyi_rth__tkinter'),
 (16894, 312, 380, 1, 's', 'pyi_rth_mplconfig'),
 (17206, 227, 256, 1, 's', 'pyi_rth_mpldata'),
 (17433, 2004, 3229, 1, 's', 'pyfa'),
 (19437, 9225954, 9225954, 0, 'z', 'PYZ-00.pyz')]

pyfa seems to be pyfa.py in python-compiled form, so nothing interesting.

However, PYZ-00.pyz is an archive with all the pyfa sources as well as the libraries' sources: https://gist.github.com/DarkFenX/b87d266bfec77177f11c8f01a58670a9

So AV warnings might indeed be connected to pyfa code itself (but they still might not be). Unfortunately I will not have access to a Windows machine until tomorrow, so I am unable to experiment with it for now.

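As an added example (not code from pyfa or from PyInstaller itself), the following reads the same table of contents that archive_viewer.py prints above. It assumes the PyInstaller 3.x on-disk layout: a trailing 88-byte cookie packed as '!8siiii64s' (magic, total length, TOC offset, TOC length, Python version, pylib name) and big-endian '!iiiiBc' TOC entries (entry length, data offset, stored length, uncompressed length, compression flag, type code) followed by a NUL-padded name; the sample archive is constructed in memory so the reader runs offline.

```python
import struct
import zlib

MAGIC = b"MEI\014\013\012\013\016"   # cookie magic that marks a PyInstaller archive
COOKIE_FMT = "!8siiii64s"            # magic, total len, TOC pos, TOC len, pyvers, pylib name
TOC_ENTRY_FMT = "!iiiiBc"            # entry len, data pos, length, uncompressed len, flag, type


def build_archive(entries, pyvers=37, pylib=b"python37.dll"):
    """Construct a sample CArchive from (name, type_code, payload, compress) tuples.
    Used only to produce offline input; a real exe has the bootloader in front of this."""
    data, toc = b"", b""
    for name, typ, payload, compress in entries:
        blob = zlib.compress(payload) if compress else payload
        raw_name = name.encode() + b"\0"
        entry_len = struct.calcsize(TOC_ENTRY_FMT) + len(raw_name)
        pad = (16 - entry_len % 16) % 16            # PyInstaller pads entries to 16 bytes
        toc += struct.pack(TOC_ENTRY_FMT, entry_len + pad, len(data), len(blob),
                           len(payload), int(compress), typ) + raw_name + b"\0" * pad
        data += blob
    total = len(data) + len(toc) + struct.calcsize(COOKIE_FMT)
    return data + toc + struct.pack(COOKIE_FMT, MAGIC, total, len(data), len(toc), pyvers, pylib)


def read_toc(image):
    """Return [(pos, length, uncompressed, iscompressed, type, name)] in archive_viewer order."""
    cookie_size = struct.calcsize(COOKIE_FMT)
    magic, total_len, toc_pos, toc_len, _pyvers, _pylib = struct.unpack(
        COOKIE_FMT, image[-cookie_size:])
    if magic != MAGIC:
        raise ValueError("no PyInstaller cookie at end of image")
    base = len(image) - total_len                   # archive start; 0 for the sample
    toc = image[base + toc_pos:base + toc_pos + toc_len]
    hdr = struct.calcsize(TOC_ENTRY_FMT)
    entries, off = [], 0
    while off < len(toc):
        entry_len, pos, length, ulen, flag, typ = struct.unpack_from(TOC_ENTRY_FMT, toc, off)
        name = toc[off + hdr:off + entry_len].rstrip(b"\0").decode()
        entries.append((pos, length, ulen, flag, typ.decode(), name))
        off += entry_len
    return entries


# Constructed sample mirroring the shape of the pyfa.exe listing above (not real pyfa data).
SAMPLE = build_archive([("struct", b"m", b"x" * 300, True),
                        ("pyfa", b"s", b"import gui\n", True),
                        ("PYZ-00.pyz", b"z", b"PYZ\0" + b"y" * 100, False),
                        ("README", b"x", b"data", False)])
```

Type codes follow the listing above: 'm' compiled module, 's' script, 'z' the PYZ archive that holds the bulk of the sources, so comparing two builds' TOCs shows whether a flagged exe differs in its Python payload or only in the bootloader in front of it.
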
@DarkFenX DarkFenX added the bug Confirmed to be a bug label Jan 21, 2020
@DarkFenX
Member

DarkFenX commented Jan 21, 2020

So as a temporary solution I just rolled back the pyinstaller version to 3.3. Will use the newer version once I can make exes which do not get flagged by everything.

To those who had issues with v2.16.1 - please try v2.16.2 and tell me if it works for you.

@DarkFenX DarkFenX changed the title from "I am an Eve player. Tried do install latest patch - v2.16.1. Got a Trojan warning from Windows Defender" to "Trojan warning from Windows Defender and several other AV monitors with pyinstaller 3.6" Jan 22, 2020
@DarkFenX
Member

Apparently 64 bit executables do not get flagged, so might just switch to those.

@DarkFenX
Member

DarkFenX commented Feb 2, 2020

Results after I updated all major components:

Not that bad, to my taste.

@DarkFenX
Member

DarkFenX commented Feb 3, 2020

Closing, won't be actual starting from the next release.

@DarkFenX DarkFenX closed this as completed Feb 3, 2020
@DarkFenX DarkFenX added the fixed This issue has been fixed! Oh joy! label Feb 3, 2020