Microsoft decided my PyInstaller application is a virus...


Andy Robinson
Hi all,

For a few years we've had a small Windows application created with PyInstaller. It connects the PhotoFinish in a Track & Field stadium with a cloud service.  It's very simple, with Tkinter, requests to talk to the web, and reads and writes local test files; nothing else.    It gets downloaded by quite tech-unsophisticated users (typically above retirement age) on the morning of a race; they just drop it on the desktop and run it, no installation program.

Last month Windows 10 started to tell people this was a virus.   Unfortunately our users are very often first-time users, and the steps to make Windows shut up and install it are quite complex and scary.   VirusTotal.com reports that it's 100% clean.

The app is here (feel free to try it, just drop on the desktop, run and you will see a window):
     https://data.opentrack.run/static/downloads/OTRUpload.exe


I reported a possible false positive to Microsoft and they said this:  "Analyst comments:  The submitted files do not meet our criteria for detection. No detection will be added for these files."   I think that means "we don't care enough about you"  :-(

This is about the third time I have had a false positive from a single EXE made with PyInstaller in the last decade.   Can anyone suggest ways to mitigate this?  Does anyone know of settings or things-included which are likely to cause this, or to mitigate against it?
Any ideas if it's the EXE itself, or the fact that it does not come "wrapped" in an MSI or InnoSetup-type installer?

Many thanks for all help

Andy Robinson
ReportLab

--
You received this message because you are subscribed to the Google Groups "PyInstaller" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/pyinstaller/24ac636d-4912-4822-9e4f-4cb119a44cbao%40googlegroups.com.

Re: Microsoft decided my PyInstaller application is a virus...

John Harrison
I had a problem like this but it was solved by using a DigiCert EV code signing cert. What cert are you using?

On Thu, Jun 11, 2020, 3:31 AM Andy Robinson <[hidden email]> wrote:
Hi all,

For a few years we've had a small Windows application created with PyInstaller. It connects the PhotoFinish in a Track & Field stadium with a cloud service.  It's very simple, with Tkinter, requests to talk to the web, and reads and writes local test files; nothing else.    It gets downloaded by quite tech-unsophisticated users (typically above retirement age) on the morning of a race; they just drop it on the desktop and run it, no installation program.

Last month Windows 10 started to tell people this was a virus.   Unfortunately our users are very often first-time users, and the steps to make Windows shut up and install it are quite complex and scary.   VirusTotal.com reports that it's 100% clean.

The app is here (feel free to try it, just drop on the desktop, run and you will see a window):


I reported a possible false positive to Microsoft and they said this:  "Analyst comments:  The submitted files do not meet our criteria for detection. No detection will be added for these files."   I think that means "we don't care enough about you"  :-(

This is about the third time I have had a false positive from a single EXE made with PyInstaller in the last decade.   Can anyone suggest ways to mitigate this?  Does anyone know of settings or things-included which are likely to cause this, or to mitigate against it?
Any ideas if it's the EXE itself, or the fact that it does not come "wrapped" in an MSI or InnoSetup-type installer?

Many thanks for all help

Andy Robinson
ReportLab


Re: Microsoft decided my PyInstaller application is a virus...

Andy Robinson
None, I have to admit. We just ran PyInstaller! We have hardly done any GUI development in the last 20 years; I thought certificates were for web servers. Learning about this now, thanks for the tip...


On Thursday, 11 June 2020 12:18:09 UTC+1, John Harrison wrote:
I had a problem like this but it was solved by using a DigiCert EV code signing cert. What cert are you using?


Re: Microsoft decided my PyInstaller application is a virus...

Stephen Rosen
Just to offer up a datapoint: at my work, we're signing things and still got flagged by some AV software.
I doubt the cert is an EV one, but don't know offhand.


We've been planning to try the approach of recompiling the PyInstaller bootloader, potentially with some modifications to get it to appear different to the AV scanners.

The rationale is that AV scanners are incorrectly flagging the PyInstaller bootloader code, so if we change that...


I'm curious if anyone has experience taking that approach?


On Thursday, June 11, 2020 at 10:24:20 AM UTC-4, Andy Robinson wrote:
None, I have to admit. We just ran PyInstaller! We have hardly done any GUI development in the last 20 years; I thought certificates were for web servers. Learning about this now, thanks for the tip...



Re: Microsoft decided my PyInstaller application is a virus...

Peter Kaiser
In reply to this post by Andy Robinson
If you created it with UPX, you might try turning UPX off.

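
A pre-release check covering the two build properties raised in this thread (code signing and UPX), added here as an example and not written by any of the posters: it reads a built EXE's PE headers and reports whether a certificate table is attached and whether any sections carry UPX names. The helper names `inspect_pe` and `sample_pe` are hypothetical, and the sample inputs are constructed headers, not real builds.

```python
import struct

def inspect_pe(data: bytes) -> dict:
    """Report whether a PE image has a certificate table and UPX-named sections."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    pe_off, = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    n_sections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    opt_off = pe_off + 24
    magic, = struct.unpack_from("<H", data, opt_off)
    # Data directories begin 96 bytes into a PE32 optional header, 112 into PE32+.
    dd_rel = {0x10B: 96, 0x20B: 112}.get(magic)
    if dd_rel is None:
        raise ValueError("unknown optional header magic")
    n_dirs, = struct.unpack_from("<I", data, opt_off + dd_rel - 4)
    cert_off = cert_size = 0
    if n_dirs > 4:
        # Entry 4 (IMAGE_DIRECTORY_ENTRY_SECURITY) holds the file offset and
        # size of the Authenticode certificate table; zero means unsigned.
        cert_off, cert_size = struct.unpack_from("<II", data, opt_off + dd_rel + 4 * 8)
    sec_off = opt_off + opt_size
    names = [data[sec_off + 40 * i: sec_off + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(n_sections)]
    return {"has_cert_table": cert_off != 0 and cert_size != 0,
            "upx_sections": [n for n in names if n.startswith("UPX")]}

def sample_pe(section_names, cert=(0, 0)) -> bytes:
    """Constructed PE32+ headers only (not a runnable program), for the demo."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)             # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 4 * 8, *cert)  # security directory
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + sections

if __name__ == "__main__":
    # Constructed inputs: an unsigned UPX-packed layout and a signed, unpacked one.
    print(inspect_pe(sample_pe(["UPX0", "UPX1", ".rsrc"])))
    print(inspect_pe(sample_pe([".text", ".rdata"], cert=(0x1000, 0x2000))))
```

A non-zero certificate table only shows that a signature is attached; on Windows, `signtool verify /pa` is what checks that it actually validates.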