AVG (and other antiviruses) reports exe file as containing virus #603

Closed
pyinstaller-tickets-migration opened this Issue Oct 18, 2014 · 19 comments

pyinstaller-tickets-migration commented Oct 18, 2014

Original date: 2012/09/05
Original reporter: *brianboggs AND mchsi DOT COOM *

I've compiled a script to an exe file, but our PCs equipped with AVG free virus scanner will not execute them, flagging them as containing a Trojan Horse (backdoor.generic.byzx)

htgoebel commented Oct 18, 2014

Original date: 2012/09/05

IMHO AVG needs to solve this problem. I don't see how we could.

pyinstaller-tickets-migration commented Oct 18, 2014

Original date: 2012/09/05
Original reporter: anonymous

Replying to [comment:1 htgoebel]:

> IMHO AVG needs to solve this problem. I don't see how we could.

I will contact them as well. They seem to have a process for flagging false alarms...

matysek commented Oct 18, 2014

Original date: 2012/09/21

I think that the virus positives might be related to the bootloader not being compliant with Data Execution Prevention.

Recently someone reported that an application frozen

We should find some programming guidelines for Data Execution Prevention if there are any.

pyinstaller-tickets-migration commented Oct 18, 2014

Original date: 2012/10/03
Original reporter: anonymous

#599 was marked as a duplicate but seems a bit different. In this case Sophos on Mac is reporting that runw.exe is a virus.

matysek commented Oct 18, 2014

Original date: 2012/10/03

Replying to [comment:6 anonymous]:

> #599 was marked as a duplicate but seems a bit different. In this case Sophos on Mac is reporting that runw.exe is a virus.

In what way different? It seems similar to me.

pyinstaller-tickets-migration commented Oct 18, 2014

Original date: 2012/10/29
Original reporter: anonymous

This affects Trend Micro as well.

matysek commented Oct 18, 2014

Original date: 2012/10/29

Replying to [comment:8 anonymous]:

> This affects Trend Micro as well.

Do you have any suggestion how it could be fixed?

The only short-term solution seems to be to change the C code structure completely, to ensure the executable is not known to antiviruses.

pyinstaller-tickets-migration commented Oct 18, 2014

Original date: 2012/11/06
Original reporter: anonymous

It doesn't seem to be flagged in Trend Micro anymore (using the latest release). I think that they have updated their definitions.

pyinstaller-tickets-migration commented Oct 18, 2014

Original date: 2012/11/12
Original reporter: anonymous

Hi,
same issue here. During the installation of PyInstaller, OfficeScan flagged Win32 run.exe as a virus. The solution/workaround here was to UPX the run.exe.
Regards
Ales

pyinstaller-tickets-migration commented Oct 18, 2014

Original date: 2012/11/18
Original reporter: anonymous

OfficeScan problem with run.exe reproduced here, any chance to get OfficeScan to update their definitions?

pyinstaller-tickets-migration commented Oct 18, 2014

Original date: 2012/12/17
Original reporter: Bryan A DOT Jones

I also have problems with my virus scanner (Sophos for PC), which detects support/loader/Windows-32bit/run.exe as a virus/malware. When I install my frozen app on others' computers, I also see various virus warnings. Likewise, simply downloading my app in Google Chrome produces a warning (this may be a dangerous program -- keep it?).

I did some looking at the commit history on GitHub. On my PC, Sophos is happy until rev b793f5b. The previous recompile was at 17d5baa, less than 20 commits away; of those, only a few have changes to the bootloader source. If I compiled each of these source changes and tested, would someone be able and willing to try to work around the change that triggers the virus warnings?

matysek commented Oct 18, 2014

Original date: 2012/12/18

I remember someone on IRC mentioned using mpress as the workaround to bypass the false alarm. mpress is a tool similar to UPX.

pyinstaller-tickets-migration commented Oct 18, 2014

Original date: 2012/12/27
Original reporter: *markperrymiller AND gmail DOT COOM *

Adding a data point to this one, in case it is helpful. Symantec just flagged and quarantined run.exe as Trojan.Gen on my Windows XP machine. A couple of exe's that I built using the multipackage option were also flagged on the same scan. If memory serves, I am using the most recent development version of PyInstaller (downloaded Nov. 6th).

pyinstaller-tickets-migration commented Oct 18, 2014

Original date: 2013/01/03
Original reporter: *veto AND myridia DOT COOM *

I'm using the mpress workaround and it works on Housecall, Avast and McAfee, but with Avira it still shows a virus warning.

pyinstaller-tickets-migration commented Oct 18, 2014

Original date: 2013/01/04
Original reporter: *yakbay AND gmail DOT COOM *

This problem starts after the following change:

commit b793f5b
Author: Martin Zibricky mzibr.public@gmail.com
Date: Sat Sep 1 00:03:21 2012 +0200

Issue #371: Recompile windows bootloader.

matysek commented Oct 18, 2014

Original date: 2013/01/21

This is the link to the first bootloader that is detected as virus: b793f5b

We should:

  • look at what bootloader code changes could cause false positives
  • recompile the bootloader in the 2.1dev version - after recompilation it is reported to not cause false positives.

@matysek matysek closed this Oct 18, 2014

matysek commented Oct 18, 2014

Original date: 2013/02/22

This should be fixed in latest develop branch:

  • win32 bootloader is recompiled
  • it is reported that bootloader no longer causes antivirus false
  • not sure why it was reported to cause false positives
  • Later it would be good to find out the code changes causing antivirus alerts
    • I created #671 for that.

For details see #38

htgoebel commented Oct 18, 2014

Original date: 2013/03/05

The only correct way to deal with antivirus vendors is to report to them that they are wrong. If we are working around them, we simply start a cat-and-mouse game that never ends.

dmaze pushed a commit to diffeo/pyinstaller that referenced this issue Jun 30, 2016

David Maze
Remove all of the bootstrappers except Linux-64bit.
This is only a change in the setup.py script, so prepackaged wheels
won't include Windows binaries that trigger virus scanners
(see e.g. pyinstaller#603 and many
subsequent issues).

dmaze pushed a commit to diffeo/pyinstaller that referenced this issue Jul 1, 2016

@codewarrior0 codewarrior0 referenced this issue Jun 15, 2017

Closed

Trojan? #323

kujenga added a commit to diffeo/pyinstaller that referenced this issue Jan 14, 2019