Program made with PyInstaller now seen as a Trojan Horse by AVG

Question

About a month ago, I used PyInstaller and Inno Setup to produce an installer for my Python 3 script. My AVG Business Edition AntiVirus just started complaining with today's update that the program has an SCGeneric Trojan Horse in the main .exe file used to start the program (in the folder created by PyInstaller that has all of the Python "guts"). At first I just thought it was a false positive in AVG, but submitting the .exe file to VirusTotal I get this analysis:

https://virustotal.com/en/file/9b0c24a5a90d8e3a12d2e07e3f5e5224869c01732b2c79fd88a8986b8cf30406/analysis/1493881088/

Which shows that 11 out of 61 scanners detect a problem:

TheHacker   Trojan/Agent.am 
NANO-Antivirus  Trojan.Win32.Agent.elyxeb 
DrWeb   Trojan.Starter.7246 
Yandex  Trojan.Crypren!52N9f3NgRrY 
Jiangmin    Trojan.Agent.asnd 
SentinelOne (Static ML)     static engine - malicious 
AVG     SCGeneric.KTO 
Rising  Malware.Generic.5!tfe (thunder:5:ujHAaqkyw6C) 
CrowdStrike Falcon (ML)     malicious_confidence_93% (D) 
Endgame     malicious (high confidence)     20170503
Zillya  Dropper.Sysn.Win32.5954 

Now I can't say that these other scanners are ones that I have heard of before... but still I'm concerned that it is not just AVG giving a false positive.

I have submitted the .exe file in question to AVG for their analysis. Hopefully they will back off on whatever it is that they thought they were trying to detect.

Is there anything else I can do with PyInstaller to make it so that the .exe launcher that it created won't be considered a Trojan?

Answer 1

I was always getting some false positives with PyInstaller from VirusTotal. This is how I fixed it:

PyInstaller comes with pre-compiled bootloader binaries for different OSs. I suggest compile them by yourself on your machine. Make sure everything is consistent on your machine. For Windows 64-bit, install Python 64-bit. Download PyInstaller 64-bit for Windows. Make sure Visual Studio (VS) corresponding to your Python is installed, check below:

https://wiki.python.org/moin/WindowsCompilers

Compile the bootloader of PyInstaller on your machine with VS. It automatically updates the run.exe, runw.exe, run_d.exe, runw_d.exe in DownloadedPyinstallerFolder\PyInstaller\bootloader\Windows-64bit. Check below for more info on how to compile the bootloader:

https://pyinstaller.readthedocs.io/en/stable/bootloader-building.html

At the end, install PyInstaller. Within the PyInstaller directory, run

python setup.py install

Answer 2

I was able to submit the file in question to AVG's "Report a false detection" page, at https://secure.avg.com/submit-sample. I received a response back fairly quickly (I can't remember exactly how long, but it was less than a day) that they had analyzed my file and determined that it did not have a virus. They said that they had adjusted their virus definitions so that it would not trigger a false positive anymore. I updated my definitions and it was still triggering, so I contacted them again with my virus definition version, and I heard back that the version I had wasn't high enough - I think there was some delay on my definitions because I get them from a local server. But within a day I had the right version of the definitions and the false positive didn't trigger anymore.

So if you have a false positive with AVG, I would recommend this solution - fairly quick and easy to get a resolution to the problem.

Answer 3

I faced same issue for my small document register project code.

My temporary solution was to allow the app in windows defender and

other solution was to use the command pyinstaller filename.py instead of pyinstaller --onefile filename.py.

I dont know if it is correct. But it worked for me.

Answer 4

I puzzled over this question for two days and finally found a problem with my application. The issue was with the application's icon.

Example for tkinter:

root.iconbitmap('./icon.ico')

When I removed this line of code, the false-positive Trojan was gone.

Also, make sure not to use --icon dependency when you are converting your .py file into .exe. Otherwise, this will cause the same false-positive Trojan detection.

Answer 5

I searched many blogs for weeks. But I found nothing.. Today I found a way to convert py to exe without any virus errors.

Virus Total Report

So in this method you do not need to send any reports.. Actually It is very simple.

You need to install a module named Nuitka.

python -m pip install nuitka

Then you need to open command from from the file path. And use the command; python -m nuitka --mingw64 filename.py

And that's all.

You can use the command nuitka --help

You can find more at - Nuitka Guide

Answer 6

I had this same problem using python 3.8.5 and pyinstaller 4.5.1

In my case the first exe build was accepted by the antivirus (Windows Defender) but subsequent builds were flagged as having a trojan. I solved it by using the pyinstaller --clean option every time I built the executable

Answer 7

Recompile and then reinstall your Pyinstaller bootloader manually.

This was a problem I had for a while, and my friend and I figured out this resolution with the help of many others. It almost always works to resolve the issue.

I posted the specific steps on my medium blog. Shared the link below, but the basic steps are as follows

1. Purge Pyinstaller Files within your Project and Rebuild
2. Uninstall Pyinstaller
3. Build a Pyinstaller Bootloader with your Compiler
4. Install the newly compiled Pyinstaller
5. Re-build your EXE with Pyinstaller, and make sure it’s not being be flagged as a virus

---

How to Resolve the Python Pyinstaller False Positive Trojan Virus

• Part 1. Manually Compile your Pyinstaller Bootloader
• Part 2. Working with Anti-Virus Developer(s)

Answer 8

Reverting back to PyInstaller 3.1.1 from 3.4 resolved similar issues on my end (at least temporarily).

Answer 9

As @boogie_bullfrog told, reverting to a previous version could be a solution. However I used *.spec file to store some data (like pictures and icons). I had the latest 3.5 version (August, 2019) and moving to 3.1.1 caused error when app was compiled (probably due to supporting Python 3.7).

So right now the easiest solution is to downgrade to 3.4

It supports specs from pyinstaller 3.5 and the onefile-app wasn't detected by Windows 10 built-in firewall

Answer 10

What I did was to solve this(make exe files non detectable as virus) was to downgrade pyinstaller by typing in cmd: pip install pyinstaller==4.1.0

And by the way it didn't work on 3.4.0 so I just randomly picked that version(4.1) and its pretty good looking so far :> I'm pretty sure that it works on more than only that one version but that i experienced personally

Answer 11

I had a similar problem with a pyinstaller exe under Windows. Avira put that file into quarantine since it was considered potentially dangerous (due to heuristics, which means that some segments look typical for a virus, but no virus is actually found).

Keep in mind that the exe files you generate yourself are unique (as a consequence, the Avast scanner usually returns a message "you have found a rare file, we are doing a quick test", and delays execution for 15 seconds to perform a more thorough test).

My solution consists of some steps:

• I have uploaded the exe to https://www.virustotal.com/gui/home/upload to check it with many scanners. If just one or two are detecting a virus, you should be on the safe side.
• In order to make your local virus scanner accept the file, you can manually accept it for your computer, but this does not solve the underlying problem, so on other computers it would still be flagged as a virus.
• Therefore I reported the file as false positive to Avira, which can simply be done by sending it by email. Other scanners have similar feedback lines. I got a feedback by email within one day that it is ok, and the scanner on my pc agrees with this now. Hope that this helps with the next iterations of my exe so that it stays clean.