This article will explain:
- Why Python code compiled with pyinstaller or py2exe is often flagged as malware (a virus or a trojan horse)
- What you can do about it
- A full (and constantly evolving) list of how to report these false positives to antivirus vendors
- How to stop this happening in the future
Python code is often distributed as source code, but sometimes there’s a need to distribute it in a more user friendly format: such as a compiled .exe file.
This is convenient for your users, but it can be a real headache for you as the developer. Compiling the code is typically done with a tool called pyinstaller or py2exe, and it is not as straightforward as you might imagine (although luckily there are plenty of tutorials on getting it working).
But once you’ve compiled the program then the real trouble starts…
Code compiled using pyinstaller or py2exe is often incorrectly judged to be malware (a virus or a trojan) by various antivirus programs. The detection usually carries a scary-looking name such as Trojan:Win32/Wacatac.C!ml (the !ml suffix in Microsoft's naming means the verdict came from a machine-learning classifier rather than a signature for a known sample).
This is what the antivirus industry calls a "false positive". Your code is not doing anything malicious, but pyinstaller and py2exe package the Python interpreter and your bytecode into a self-extracting executable, and malware authors use exactly the same tooling, so heuristic and machine-learning engines that have seen malicious builds of that shape flag yours too. The verdict is about the packaging, not your code.
This is annoying because it has serious implications for how your code can be distributed. Windows automatically quarantines files it judges to be malicious, so your users can't run them without jumping through extra hoops or turning Windows Defender off altogether (a bad idea). And many distribution sites require a clean bill of health before they will host your code.
The good news is that you can fix this, although it takes a bit of work.
Step 1: Find out how big the problem is
A free website called VirusTotal is your friend here. It lets you upload your file and see which of the many antivirus engines deem it to be malware, and it shows the file's hashes (MD5, SHA-1, SHA-256), which is what you will need when reporting to vendors. This is the first step to tackling the problem. Note that anything you upload is shared with the participating vendors, which is fine for an open-source project but worth knowing if the binary contains anything you would not publish.
In my case, my completely innocuous code was deemed to be malware by 7 out of 69 antivirus engines. (To be clear: it is not malicious at all; these are false positives.)
The next step is to tackle each of these false positives in turn.
Step 2: Tackle Windows Defender first
By far (FAR!) the most important antivirus program to tackle is Windows Defender.
A small percentage of your users might be using Jiangmin or McAfee or Malwarebytes, but if you're distributing for Windows then essentially every one of your users has Windows Defender, because it ships with the OS and stays active unless a third-party product replaces it. It is also more proactive than other antivirus programs (and will, when it's worried enough about a file, make it actually impossible for your users to run it rather than just warning).
The great news is that Microsoft are excellent at dealing with false-positive reports.
They have a website set up which allows you to report false positives: https://www.microsoft.com/en-us/wdsi/filesubmission
You can submit your file (you need a Microsoft Account) along with a short note explaining why you think it’s a false positive. I typically say something like:
My file (attached) has been incorrectly identified as malware by Windows Defender. The identified detection is Trojan:Win32/Wacatac.C!ml.
It is common for files compiled from python using pyinstaller to be incorrectly identified as malware in this way.
This is innocuous software which does not contain malware. The source code is available at: https://github.com/hankhank10/findmyplane-client
I would be grateful if you would review and remove this detection.
The first time I submitted this sort of request I fully expected it to disappear into a black hole and for me to never hear back. Far from it. Microsoft are on it when it comes to this.
As soon as you submit you get a tracker ID by email which you can use to follow your case in real time as they analyse it. An actual human reviews your program and gets back to you, in my experience within a few hours, even at the weekend. Assuming they deem it clean, it is whitelisted and the detection removed immediately (although it can take up to 24 hours for the updated definitions to reach all users as their Windows Defender updates). Note that the clearance is for the exact file you submitted, identified by its hash.
Step 3: Tackle everyone else
Most antivirus companies have a similar way of submitting false positives, although they vary in method and in how quickly they respond.
Companies like Microsoft, Avast, Sophos and Bitdefender win a gold star for having easy online forms which allow you to submit false positives easily and being quick (hours) to respond.
Companies like Malwarebytes make it a little harder: they require you to create a forum account to submit a false positive, but at least they're very responsive (again within hours).
Some companies make it harder still. Ikarus only accepts submissions by email (which can be awkward, as Gmail refuses .exe attachments). Some (Sangfor, I'm looking at you) require you to sign up to a fairly elaborate account system, most of it in Mandarin Chinese, before accepting your submission. But all of these are still pretty responsive in reviewing your file and getting back to you; it's rare for it to take more than 24 hours to review and whitelist.
The worst by a country mile in my experience is McAfee. They have a bunch of different but similarly named antivirus products, and it's unclear where to actually submit the false-positive report. VirusTotal says that McAfee thinks my code is Artemis!35935B12295F (Artemis! is McAfee's cloud-reputation heuristic; the suffix is derived from the file's hash, so it changes with every build) while McAfee-GW-Edition thinks it is BehavesLike.Win64.CoinMiner.vc. Go to the McAfee website and it's not clear which product is which, because they only talk about home and business and enterprise and, wait, is it McAfee or Avert Labs I'm dealing with here, because they seem to be the same but subtly different? WTF?
McAfee are also incredibly slow to respond. It takes 3–4 days just to get an automated acknowledgement that they've received your file.
Step 4: Keep firefighting
The bad news is that even once you’ve got the all clear on your code by reporting false positives and getting them whitelisted, that’s not the end of the battle.
Need to update your code and produce a new executable? You're basically back to square one. The whitelist entry applies only to the particular executable you submitted. Change even one line of code and the hash of the file changes, so antivirus programs throw up the same false positives for your Python code once again.
There’s a good chance you’ll spend more time trying to remove these false positives for each release than you will actually coding it.
The good news is that you’ll become very focused on ensuring your code works perfectly before releasing it.
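To make Steps 1, 2 and 4 less manual, here is a small release-tracking helper, written as an added example for this article (it is not part of the findmyplane-client project or of the reporting list). It computes the hashes VirusTotal and vendor forms key on, renders the Step 2 submission note for a given vendor and detection, and keeps a manifest of which vendor cleared which hash, so that a rebuild tells you exactly who needs a fresh report. The two "builds" and the vendor names are constructed for the demo, and the manifest layout is my own.

```python
import hashlib
import json

# Note template modelled on the one sent to Microsoft above. The braces are
# filled in per build so the detection name and hash always match the file
# actually being submitted.
NOTE_TEMPLATE = (
    "My file (attached, SHA-256 {sha256}) has been incorrectly identified as "
    "malware by {vendor}. The identified detection is {detection}.\n"
    "It is common for files compiled from python using pyinstaller to be "
    "incorrectly identified as malware in this way.\n"
    "This is innocuous software which does not contain malware. "
    "The source code is available at: {source_url}\n"
    "I would be grateful if you would review and remove this detection.\n"
)


def artifact_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of a build: the identifiers VirusTotal and
    vendor forms key their verdicts (and their allowlists) on."""
    return {algo: hashlib.new(algo, data).hexdigest()
            for algo in ("md5", "sha1", "sha256")}


def submission_note(vendor: str, detection: str, sha256: str, source_url: str) -> str:
    """Render the false-positive report for one vendor/detection pair."""
    return NOTE_TEMPLATE.format(vendor=vendor, detection=detection,
                                sha256=sha256, source_url=source_url)


def record_clearance(manifest: dict, vendor: str, sha256: str) -> dict:
    """Remember that `vendor` cleared the build with exactly this hash."""
    manifest.setdefault("cleared", {})[vendor] = sha256
    return manifest


def vendors_needing_resubmission(manifest: dict, sha256: str) -> list:
    """Every vendor whose last clearance was for a different hash than the
    build about to ship must be asked again: the allowlist is per file, so a
    rebuild (even a one-line change) starts from zero with all of them."""
    cleared = manifest.get("cleared", {})
    return sorted(vendor for vendor, cleared_hash in cleared.items()
                  if cleared_hash != sha256)


def demo() -> dict:
    # Constructed stand-ins for two pyinstaller builds (not real executables);
    # v2 differs by one byte, which is enough to change every hash above.
    build_v1 = b"MZ" + b"\x00" * 60 + b"fake pyinstaller bootloader v1"
    build_v2 = b"MZ" + b"\x00" * 60 + b"fake pyinstaller bootloader v2"
    h1, h2 = artifact_hashes(build_v1), artifact_hashes(build_v2)

    # Pretend the four quick-turnaround vendors from Step 3 cleared v1.
    manifest: dict = {}
    for vendor in ("Microsoft", "Avast", "Sophos", "Bitdefender"):
        record_clearance(manifest, vendor, h1["sha256"])

    return {
        "v1_sha256": h1["sha256"],
        "v2_sha256": h2["sha256"],
        "v1_todo": vendors_needing_resubmission(manifest, h1["sha256"]),
        "v2_todo": vendors_needing_resubmission(manifest, h2["sha256"]),
        "note": submission_note("Windows Defender", "Trojan:Win32/Wacatac.C!ml",
                                h2["sha256"],
                                "https://github.com/hankhank10/findmyplane-client"),
        "manifest_json": json.dumps(manifest, indent=2, sort_keys=True),
    }


if __name__ == "__main__":
    result = demo()
    print("vendors to resubmit for v2:", result["v2_todo"])
    print(result["note"])
    print(result["manifest_json"])
```

In practice you would read the real artifact with `open("dist/app.exe", "rb").read()`, save the manifest as JSON next to your release notes, and run `vendors_needing_resubmission` as the last step of every build so the reporting round starts the moment the executable exists rather than when a user complains.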
Step 5: Consider a code signature
Signing your code costs money (from around €60 a year) and comes with some pain: it takes a few days to get, and you need to submit various documents such as a driving licence (plus a selfie of you holding it) and bills showing your address, to prove you're a real person.
It also isn't an instant solution: antivirus providers won't instantly whitelist your code just because it's signed, and a signature says who built the file, not that it's safe.
But signing your code does allow you to build reputation over time. Unsigned code essentially starts from scratch with every build, because the only identity it has is its hash. With a signed build, reputation attaches to your signing certificate, so as each release is downloaded and whitelisted you accumulate standing with antivirus providers and your pyinstaller or py2exe programs are flagged as malware less and less. That makes the private key the asset to protect: anyone who obtains it can sign malware with your reputation.
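A practitioner check for Step 5, added here as an example (not the author's code): does the artifact you are about to upload actually carry an Authenticode signature? The snippet below walks the PE headers to the Certificate Table data directory in pure Python, and builds a constructed minimal PE32+ so that it runs offline; the certificate blob in the demo is a placeholder, not real PKCS#7. It tells you only that a signature is attached. To check that the signature is valid and chains to a trusted CA, run `signtool verify /pa` or `Get-AuthenticodeSignature` in PowerShell on the real file.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4    # index of the Certificate Table data directory
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200


def signature_status(pe: bytes):
    """Return None if the PE carries no Certificate Table, else a dict saying
    where the Authenticode blob sits. This proves a signature is *attached*;
    validity and trust are the job of signtool / Get-AuthenticodeSignature."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    (size_of_optional,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:            # PE32
        num_dirs_off, dirs_off = 92, 96
    elif magic == 0x20B:          # PE32+
        num_dirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (num_dirs,) = struct.unpack_from("<I", pe, opt + num_dirs_off)
    needed = dirs_off + 8 * (IMAGE_DIRECTORY_ENTRY_SECURITY + 1)
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or size_of_optional < needed:
        return None
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    # Unlike every other directory, this one holds a raw file offset, not an RVA.
    offset, size = struct.unpack_from("<II", pe, entry)
    if size == 0:
        return None
    if size < 8 or offset + size > len(pe):
        raise ValueError("Certificate Table points outside the file")
    length, revision, cert_type = struct.unpack_from("<IHH", pe, offset)  # WIN_CERTIFICATE
    return {"offset": offset, "size": size, "length": length,
            "revision": revision, "cert_type": cert_type,
            "pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA}


def build_fake_pe(cert_blob=None) -> bytes:
    """Constructed minimal PE32+ (no sections) for the demo; cert_blob stands
    in for the PKCS#7 SignedData that signtool would attach. Not loadable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    cert_table = b""
    if cert_blob is not None:
        cert_table = struct.pack("<IHH", 8 + len(cert_blob), WIN_CERT_REVISION_2_0,
                                 WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
        cert_table += b"\0" * (-len(cert_table) % 8)      # entries are 8-byte aligned
        table_offset = len(dos) + 4 + len(coff) + len(opt)
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         table_offset, len(cert_table))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert_table


if __name__ == "__main__":
    print("unsigned:", signature_status(build_fake_pe()))
    print("signed:  ", signature_status(build_fake_pe(b"\x30\x82\x00\x04\x06\x09\x2a\x86")))
```

Run it on a real build with `signature_status(open("dist/app.exe", "rb").read())`. One caveat worth remembering: signing appends the Certificate Table, so the file's MD5 and SHA-256 change. Sign first, then compute the hashes you upload to VirusTotal and quote in your reports; a hash taken before signing refers to a file your users will never receive.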
Who to contact to report your code as false positives
VirusTotal tracks around 70 antivirus and anti-malware engines.
Keeping track of how to submit your code to each of them after a false positive is not straightforward.
I maintain a full list of where and how to report your code as a false positive here: https://github.com/hankhank10/false-positive-malware-reporting