Program made with PyInstaller now seen as a Trojan Horse by AVG


About a month ago, I used PyInstaller and Inno Setup to produce an installer for my Python 3 script. My AVG Business Edition AntiVirus just started complaining with today's update that the program has an SCGeneric Trojan Horse in the main .exe file used to start the program (in the folder created by PyInstaller that has all of the Python "guts"). At first I just thought it was a false positive in AVG, but submitting the .exe file to VirusTotal I get this analysis:

https://virustotal.com/en/file/9b0c24a5a90d8e3a12d2e07e3f5e5224869c01732b2c79fd88a8986b8cf30406/analysis/1493881088/

Which shows that 11 out of 61 scanners detect a problem:

TheHacker                   Trojan/Agent.am
NANO-Antivirus              Trojan.Win32.Agent.elyxeb
DrWeb                       Trojan.Starter.7246
Yandex                      Trojan.Crypren!52N9f3NgRrY
Jiangmin                    Trojan.Agent.asnd
SentinelOne (Static ML)     static engine - malicious
AVG                         SCGeneric.KTO
Rising                      Malware.Generic.5!tfe (thunder:5:ujHAaqkyw6C)
CrowdStrike Falcon (ML)     malicious_confidence_93% (D)
Endgame                     malicious (high confidence)     20170503
Zillya                      Dropper.Sysn.Win32.5954

Now I can't say that these other scanners are ones that I have heard of before... but still I'm concerned that it is not just AVG giving a false positive.

I have submitted the .exe file in question to AVG for their analysis. Hopefully they will back off on whatever it is that they thought they were trying to detect.

Is there anything else I can do with PyInstaller to make it so that the .exe launcher that it created won't be considered a Trojan?

Thanks for any input.

I was always getting some false positives with Pyinstaller from VirusTotal. This is how I fixed it:

PyInstaller comes with pre-compiled bootloader binaries for different OSs. I suggest compiling them yourself on your machine. Make sure everything is consistent on your machine. For Windows 64bit, install Python 64bit. Download PyInstaller 64bit for Windows. Make sure the Visual Studio (VS) version corresponding to your Python is installed; check below:

https://wiki.python.org/moin/WindowsCompilers

Compile the bootloader of PyInstaller on your machine with VS. It automatically updates run.exe, runw.exe, run_d.exe and runw_d.exe in DownloadedPyinstallerFolder\PyInstaller\bootloader\Windows-64bit. Check below for more info:

https://pythonhosted.org/PyInstaller/bootloader-building.html

At the end, install PyInstaller. Within the PyInstaller directory, run

python setup.py install
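
A check to run around the rebuild described above, added here as an example (it is not part of the original answer or of PyInstaller): record the SHA-256 digests of the four pre-compiled bootloader files before compiling, then confirm afterwards that each one was actually replaced by a local build. The function names and the manifest file are assumptions of this example; the file names are the ones listed in the answer.

```python
import hashlib
import json
from pathlib import Path

# File names the answer lists for the Windows-64bit bootloader directory.
BOOTLOADERS = ("run.exe", "runw.exe", "run_d.exe", "runw_d.exe")


def sha256_of(path):
    """Stream a file through SHA-256 (the digest seen in VirusTotal file URLs)."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(bootloader_dir):
    """Map each bootloader name to its digest, or None if the file is absent."""
    base = Path(bootloader_dir)
    return {name: sha256_of(base / name) if (base / name).is_file() else None
            for name in BOOTLOADERS}


def save_baseline(bootloader_dir, manifest_path):
    """Record digests of the pre-compiled binaries before rebuilding."""
    Path(manifest_path).write_text(json.dumps(snapshot(bootloader_dir), indent=2))


def compare(bootloader_dir, manifest_path):
    """Classify each bootloader as 'rebuilt', 'unchanged' (still stock) or 'missing'."""
    baseline = json.loads(Path(manifest_path).read_text())
    status = {}
    for name, digest in snapshot(bootloader_dir).items():
        if digest is None:
            status[name] = "missing"
        elif digest == baseline.get(name):
            status[name] = "unchanged"
        else:
            status[name] = "rebuilt"
    return status


if __name__ == "__main__":
    import sys
    # Usage: <script> baseline|check <bootloader_dir> <manifest.json>
    mode, directory, manifest = sys.argv[1:4]
    if mode == "baseline":
        save_baseline(directory, manifest)
    else:
        for name, state in compare(directory, manifest).items():
            print(f"{name}: {state}")
```

Any file still reported as "unchanged" after the build is the stock binary that shipped with the download, and the printed digests are also what a vendor's false-positive form will ask you to identify the sample by.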


I was able to submit the file in question to AVG's "Report a false detection" page, at https://secure.avg.com/submit-sample. I received a response back fairly quickly (I can't remember exactly how long, but it was less than a day) that they had analyzed my file and determined that it did not have a virus. They said that they had adjusted their virus definitions so that it would not trigger a false positive anymore. I updated my definitions and it was still triggering, so I contacted them again with my virus definition version, and I heard back that the version I had wasn't high enough - I think there was some delay on my definitions because I get them from a local server. But within a day I had the right version of the definitions and the false positive didn't trigger anymore.

So if you have a false positive with AVG, I would recommend this solution - fairly quick and easy to get a resolution to the problem.


Reverting back to PyInstaller 3.1.1 from 3.4 resolved similar issues on my end (at least temporarily).


As @boogie_bullfrog said, reverting to a previous version could be a solution. However, I used a *.spec file to store some data (like pictures and icons). I had the latest 3.5 version (August, 2019) and moving to 3.1.1 caused an error when the app was compiled (probably due to supporting Python 3.7).

So right now the easiest solution is to downgrade to 3.4.

It supports specs from PyInstaller 3.5, and the onefile app wasn't detected by the Windows 10 built-in firewall.


Comments
  • So what is PrimerPrep.exe? Is that Inno Setup installer or the application itself?
  • PyInstaller creates a dist folder that has all of the bits that Python requires to run the program. The PrimerPrep.exe file is the launcher file among those bits that actually starts up the program. Inno Setup packages up that dist folder and creates the PrimerPrep Installer.exe file - a single file that installs the program into the Program Files folder, creates a desktop shortcut, etc. But if I run that installer .exe through VirusTotal, there are only 2 scanners that flag it (DrWeb and NANO). AVG says the installer is OK, even though it contains the .exe file that it flags by itself.
  • OK, so your question is actually not about Inno Setup, right? It's about PyInstaller .exe.
  • I hadn't really thought that through, but yes, the .exe file that supposedly has the Trojan is the one created by PyInstaller. The installer .exe created by Inno Setup actually "hides" the supposed Trojan from AVG... until it's installed, of course, when AVG will again flag it as a Trojan.
  • OK, so please remove references to Inno Setup from your question. Inno Setup people won't help you and PyInstaller people get confused by the Inno Setup reference.
  • "For Windows 64bit, install Python 64bit. Download PyInstaller 64bit for Windows" <- This helped me, thank you. I was using a pyenv fork for Windows, and installing python 3.7.0. That was wrong, I needed to install python 3.7.0-amd64. Now pyinstaller produces a binary that is no longer flagged by my university's antivirus. Note that when testing on linux, 3.7.0-amd64 refers to a version that doesn't exist, so I can't rely on pyenv's .python-version file anymore on linux. I use the PYENV_VERSION env variable instead.
  • This was really useful - rebuilding the bootloader removed lots of false detections on my application, including Microsoft Defender.
  • Given the recent discovery about infiltration of PyPi bleepingcomputer.com/news/security/…, maybe there is cause for concern. Windows Defender is now detecting the 'runw.exe' as a trojan.
  • I appreciate knowing about this, but my problem occurred over a month before those malicious packages were uploaded, so they would not be related.
  • I don't appreciate that this was downvoted. It gave me another option on how to solve this...
  • Unfortunately, even with 3.4, VirusTotal reports 9/70 false positives. But yes, AVG and Avast become negative: virustotal.com/gui/file/…