run.exe as malware #3802
Comments
|
I don't know what is causing this, but I've ran PyInstaller (and therefore, the bootloader) many times without issue, and without any viruses harming anything. |
|
I also get same warning for runw.exe in (Windows-32bit) from AhnLab V3 vaccine. But runw.exe in Windows-64bit is fine. |
|
I just got bit by this as well and can confirm that the 32-bit
I have no idea what MalwarePatrol is (nor do I have it installed on my testing machine) but it seems as though Windows Defender (with threat definitions updated to version 1.277.1168.0) relies on its signature db and will not allow PyInstaller to be installed via pip as a result. Frustratingly, neither Windows Defender nor pip provides any user-facing indication as to what is going on -- pip just throws an EnvironmentError. Anyway, disabling Windows Defender's "real-time protection" "fixes" the issue for now, allowing PyInstaller to be installed normally. |
|
Related/duplicate: #2501. |
|
Please contact you anti-virus vendor. There is nothing we can do about this false positive. If your anti-virus vendor considers one of the files included in the PyInstaller distribution or a file generated by PyInstaller to be malicious, there is nothing we can do about this. Even if we'd change our code, they'd change their pattern and the race starts again. See this mailing-list thread and other tickets for his topic. |
|
Until last version 4.2 their was no issue for me, just now updated pyinstaller to v4.5 to tryout splash screen feature.
Update1:
please see what is difference, why Update2:I downloaded
|
|
You're chasing smoke and mirrors I'm afraid. I haven't written it up yet but we've been monitoring the AV detection situation and the results are that they are hopelessly sporadic. One day there are 10 different flavours of malware detection - within days (or sometimes hours) they'll all have gone again. Carry out your experimentations again in a few days and the results will likely be the opposite of what they are now. Unfortunately, these AV engines all share data via a Global Threat Intelligence network so that if one AV engine generates a bogus rule which mislabels our bootloaders as malicious, then the others all join in making it look like 10 different engines have detected malware when in reality one cocked up and 9 decided to join the party and copy the broken one. There is virtually no difference between the 4 executables we ship. The windowed variants are compiled with a flag to say no console and the debug variants have a few print statements in them. The reasons some perform so much better than others is not because of the contents but where they're used. Generally, if someone somewhere has written genuine malware with PyInstaller then whichever variant of the bootloader they used will be hunted down by these AV engines. If you get a chance to test new bootloaders before they get on PyPI (which I do) you'll see that they all come out clean then the AV detections start popping up over the course of the week after release. So it's not the contents of the files that are the problem - rather it's that people (and likely including malware authors) are using them. |
|
Hi @bwoodsend, Thanks for you detailed reply. In this scenario Hope AV engines understands the issue. |
This issue probably have been discussed, my anti-virus (Mcaffe-Livesafe) quarantined the file:
C:\Program Files\Python37\Lib\site-packages\PyInstaller\bootloader\Windows-32bit\run.exe
My first thought is false positive, but by checking the file in Virus total it is marked in 10 different anti-virus engines:
My questions:
1- is this file really a malware?
2- if it is safe, is having it missing affect the application?
The text was updated successfully, but these errors were encountered: