PyInstaller version 4.3 is resulting in exe's being removed on Windows 10 for Trojan:Win32/Wacatac.B!ml #5854

Closed
Go1den opened this issue May 21, 2021 · 2 comments
Labels
antivirus-false-positives For reports (usually from virus-total) that PyInstaller generated files are malware.

Comments

@Go1den

Go1den commented May 21, 2021

Description of the issue

When compiling my application with PyInstaller 4.3, Windows is immediately removing the executable, claiming it is a Trojan called Trojan:Win32/Wacatac.B!ml. I have tried both --onefile and --onedir compilation, and neither works. Previous versions compiled just fine. What is causing PyInstaller executables to be flagged as a trojan on Win10?

Context information (for bug reports)

  • Output of pyinstaller --version: 4.3
  • Version of Python: 3.9
  • Platform: Windows 10
  • Did you also try this on another platform? Does it work there?
    No, my app is only for Windows 10.
@rokm
Member

rokm commented May 21, 2021

What is causing PyInstaller executables to be flagged as a trojan on Win10?

Malware authors using PyInstaller to build their trojans. (Combined with over-zealous machine learning on the part of AV engines.)

@bwoodsend
Member

The reason that this is happening only on the latest PyInstaller is that the cycle of PyInstaller users reporting false positives to MS Defender Services -> MS Defender memorises the new bootloaders baked into PyInstaller-built programs and adds them to its whitelist -> that whitelist gets put into a security update -> you install said update on your machine (probably automatically). This happens every new release...

Given that it's demonstrated that it is nothing more than a big cache of checksums (just much less efficient), I generally recommend that you turn MS Defender off.
