Trojan in Pyinstaller over PIP

[Lecatron]

Dear Team,

yesterday, i tried to install the pyinstaller over pip for my 32-Bit VM.
While the installation McAfee found an trojan in the runw.exe.

Maybe this is a false positive, but this should be checked, and then transmitted to McAfee to fix this.

Within I send you the screenshot.

Thank you =)

[grajsor]

So why didn't you do just that?

…

On Thu, Jan 16, 2020 at 8:08 AM Lecatron ***@***.***> wrote: Dear Team, yesterday, i tried to install the pyinstaller over pip for my 32-Bit VM. While the installation McAfee found an trojan in the runw.exe. Maybe this is a false positive, but this should be checked, and then transmitted to McAfee to fix this. Within I send you the screenshot. Thank you =) [image: image] <https://user-images.githubusercontent.com/56350725/72501523-4dedac80-3837-11ea-9985-9925c503262a.png> — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#4633?email_source=notifications&email_token=AENID2IJXQAPBA5KRLTU5TTQ6ABV3A5CNFSM4KHPDHJ2YY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4IGRXVNQ>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AENID2JW3J7E6B6SPVF4G2LQ6ABV3ANCNFSM4KHPDHJQ> .

[Lecatron]

Hi Grajsor,

cause I'm not so deep in the project to know, which files or codes are underlying in this .exe
And first, I issued this as a PIP problem, but they send me to you.

If you can tell me this, I can check this for you.

[hubuser404]

Hi Lecatron,

I encountered same problem with McAfee yesterday while installing via pip.
Also windows security founds following threat: Trojan:Win32/Wacatac.C!ml
file: C:\Users\xxx\AppData\Local\Temp\pip-install-07ehm9se\PyInstaller\build\lib\PyInstaller\bootloader\Windows-32bit\runw.exe

[jaaaaviiieer]

Hi

i have the same problem, bot with windows defender. every time i try to install via pip says that found a trojan: Wacatac.C!ml

[sourcenouveau]

This is almost certainly a false-positive detection by the antivirus vendors. It's perennial.

Anyone who encounters this should report it to their antivirus vendors. That way the vendors can updated their software to remove the false positive.

See also #2501.

[pwuertz]

If PyInstaller is a popular tool among malware authors, that would certainly cause false-positive reactions among antivirus vendors due to the shared bootloader code :(.

[htgoebel]

Please contact you anti-virus vendor. There is nothing we can do about this false positive.

If your anti-virus vendor considers one of the files included in the PyInstaller distribution or a file generated by PyInstaller to be malicious, there is nothing we can do about this. Even if we'd change our code, they'd change their pattern and the race starts again.

See this mailing-list thread and other tickets for his topic.

[Ep1cfy]

it said one for Downloads/ALLER...DEVELOP.ZIP
and another for Downloads/Staller...develop.lnk
i just download pip and i got this error
it was mbam

[htgoebel]

Please contact you anti-virus vendor. There is nothing we can do about this false positive.

If your anti-virus vendor considers one of the files included in the PyInstaller distribution or a file generated by PyInstaller to be malicious, there is nothing we can do about this. Even if we'd change our code, they'd change their pattern and the race starts again.

See this mailing-list thread and other tickets for his topic.