Binaries created using 3.5 flagged as trojan #4343

Closed
Alrighttt opened this issue Jul 30, 2019 · 6 comments

@Alrighttt

Hello, I realize this is very likely a false positive, but I felt the need to share this in the slight chance it's not. I've read similar git issues, but I've not seen someone report this in particular.

Here are 3 VirusTotal results for the same Python file compiled using pyinstaller --onefile on Windows 10:

#!/usr/bin/env python3
print('test')

dev (pip install https://github.com/pyinstaller/pyinstaller/archive/develop.zip)

3.5 (pip install pyinstaller)

3.4 (pip install PyInstaller==3.4)

I believe it's unrelated to the AV scan (as it also happens on 3.4), but I'm also looking for information on why these binaries are creating then running a binary at C:\Users\<USER>\Downloads\<NAME>.exe . It seems to be a different file name each time. So far I've seen invoice.exe, sample.exe, factura.exe and important_document.exe. Couldn't find any information on this in the docs or the code.

@htgoebel
Member

Please contact your anti-virus vendor. There is nothing we can do about this false positive.

If your anti-virus vendor considers one of the files included in the PyInstaller distribution or a file generated by PyInstaller to be malicious, there is nothing we can do about this. Even if we'd change our code, they'd change their pattern and the race starts again.

See this mailing-list thread and other tickets for this topic.

@Alrighttt
Author

Alrighttt commented Aug 1, 2019

Could you please give me information on this invoice.exe, sample.exe, factura.exe and important_document.exe thing?

edit: to be more specific

I'm also looking for information on why these binaries are creating then running a binary at C:\Users\<USER>\Downloads\<NAME>.exe . It seems to be a different file name each time. So far I've seen invoice.exe, sample.exe, factura.exe and important_document.exe. Couldn't find any information on this in the docs or the code.

@EchterAgo
Contributor

I've also seen this in 2 binaries we built with PyInstaller 3.4. I'm actually quite sure those are not malicious, our whole build is reproducible from source and we rebuild the PyInstaller bootloader. This seems to be an issue with the VirusTotal sandbox. I've done local tests on real machines and virtual machines, tracing filesystem operations and I saw no indication that these files actually get created / executed.

@EchterAgo
Contributor

From the full log on VT (top right) it looks like the uploaded exe file itself is what gets saved as important_document.exe and executed.

@EchterAgo
Contributor

This does not just affect PyInstaller users. Scanning the binary in OPSWAT MetaDefender Dynamic Analysis also shows no such file access. I'm confident that the generated binaries are clean.
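
The observation in the comments above (the sandbox saves the uploaded executable itself under a document-style name and runs it) can be checked by comparing the hashes in a behavior log against the submitted sample. This is an added example, not part of the original thread or of PyInstaller's code; the event field names, the sample bytes and the two extra file paths are constructed assumptions, not the schema of any real sandbox report.

```python
import hashlib
import ntpath  # parse Windows paths regardless of the host OS

# Constructed stand-in for the bytes of the uploaded PyInstaller --onefile executable.
SAMPLE_BYTES = b"MZ" + b"constructed-onefile-sample"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_BYTES).hexdigest()
OTHER_SHA256 = hashlib.sha256(b"constructed-unrelated-file").hexdigest()

# Constructed behavior-log events. The field names are assumptions for this
# example, not the schema of any real sandbox report.
EVENTS = [
    {"action": "file_written", "sha256": SAMPLE_SHA256,
     "path": r"C:\Users\<USER>\Downloads\important_document.exe"},
    {"action": "process_created", "sha256": SAMPLE_SHA256,
     "path": r"C:\Users\<USER>\Downloads\important_document.exe"},
    {"action": "file_written", "sha256": OTHER_SHA256,
     "path": r"C:\Users\<USER>\AppData\Local\Temp\constructed_artifact.bin"},
    {"action": "file_written", "sha256": None,
     "path": r"C:\Users\<USER>\Downloads\unhashed.exe"},
]


def classify(events, sample_sha256):
    """Separate sandbox staging of the sample itself from files that need review."""
    staged, review = [], []
    for ev in events:
        digest = (ev.get("sha256") or "").lower()
        if digest and digest == sample_sha256.lower():
            staged.append(ev)   # same bytes as the upload: the sandbox's own copy
        else:
            review.append(ev)   # different or missing hash: cannot be attributed
    return staged, review


def staging_names(events, sample_sha256):
    """File names under which the sandbox stored or ran the submitted sample."""
    staged, _ = classify(events, sample_sha256)
    return sorted({ntpath.basename(ev["path"]) for ev in staged})


if __name__ == "__main__":
    staged, review = classify(EVENTS, SAMPLE_SHA256)
    print("sample staged as:", staging_names(EVENTS, SAMPLE_SHA256))
    for ev in review:
        print("review:", ev["action"], ev["path"])
```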

@htgoebel
Member

htgoebel commented Aug 5, 2019

Locking the issue as this is not a PyInstaller issue.

@pyinstaller pyinstaller locked as resolved and limited conversation to collaborators Aug 5, 2019