Trojan detected in 5.13?


Dominik Niedenzu
Aug 1, 2023, 11:43:51 AM
to PyInstaller
Hi Guys,


first let me thank you for your great work - I am a big fan of pyinstaller!

Some minutes ago, I downloaded (from pypi.org) and scanned:

pyinstaller-5.13.0-py3-none-win_amd64.whl

and got:

(Jiangmin) --> "Trojan.PSW.Multi.me".

Does anybody know whether this is a known false positive (or might this be a serious threat)?


Thanks in advance and cheers,
Dominik

Jasper Harrison
Aug 1, 2023, 12:22:57 PM
to pyins...@googlegroups.com
Hi Dominik,

This is almost certainly a Trojan, as unfortunately many amateur malware authors write Python-based malware which they package & release with PyInstaller. As there is a consistent binary signature across all PyInstaller executables it results in a lot of false positives.

Jasper Harrison, aka Legorooj
Core Developer on PyInstaller

Dominik Niedenzu
Aug 2, 2023, 2:39:36 AM
to pyins...@googlegroups.com
Hey Jasper,

thanks a lot for your fast answer! But I am not sure if I got it right - did you mean that the detection of the trojan in the pyinstaller release is wrong and almost certainly a "false positive" (so no trojan and no threat in pyinstaller at all), or did you mean the opposite? Sorry for my confusion - I am not a native speaker... :)

Cheers,
Dominik



Chris Barker
Aug 2, 2023, 2:41:31 AM
to pyins...@googlegroups.com
On Tue, Aug 1, 2023 at 9:23 AM 'Jasper Harrison' via PyInstaller <pyins...@googlegroups.com> wrote:
This is almost certainly a Trojan,

To be clear, this is almost certainly a false positive, due to someone having used PyInstaller to distribute a Trojan.

as unfortunately many amateur malware authors write Python-based malware which they package & release with PyInstaller. As there is a consistent binary signature across all PyInstaller executables it results in a lot of false positives.

So the virus scanner knows that the PyInstaller Wheel looks a LOT like a known Trojan.

So the wheel is probably safe, but unfortunately, an application built with it may get flagged as well :-(

Have I got that right?

-CHB


--

Christopher Barker, Ph.D.
Oceanographer

Emergency Response Division
NOAA/NOS/OR&R            (206) 526-6959   voice
7600 Sand Point Way NE   (206) 526-6329   fax
Seattle, WA  98115       (206) 526-6317   main reception

Chris....@noaa.gov
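The point Jasper and Chris make above, that every PyInstaller-built executable shares the same bootloader and archive layout, is why one AV signature can match both genuine tools and malware built with the same packager. The following added example (written for this thread, not code from the original messages or from the PyInstaller project) parses the CArchive trailer that PyInstaller appends to each bundle, using the cookie and TOC layout from PyInstaller's own archive reader, so a defender can confirm that a flagged binary is a PyInstaller bundle and list what it carries without running it. The bundle it parses is constructed inline; the page does not say which bytes the vendor's signature actually matched.

```python
import struct
import zlib

# Layout constants of PyInstaller's CArchive (see PyInstaller/archive/readers.py).
COOKIE_MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIiI64s"   # magic, archive length, TOC offset, TOC length, pyvers, python lib name
COOKIE_LEN = struct.calcsize(COOKIE_FMT)        # 88 bytes, always at the very end of the bundle
TOC_ENTRY_FMT = "!iIIIBc"   # entry length, data offset, compressed length, raw length, zlib flag, typecode
TOC_ENTRY_LEN = struct.calcsize(TOC_ENTRY_FMT)


def parse_pyinstaller_bundle(data: bytes):
    """Return (pyvers, pylib, [(name, typecode, compressed)]) if `data` carries a
    PyInstaller CArchive trailer, else None. Read-only triage: nothing is executed."""
    pos = data.rfind(COOKIE_MAGIC)
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None
    _, arc_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(COOKIE_FMT, data, pos)
    start = pos + COOKIE_LEN - arc_len          # the archive ends right after the cookie
    if start < 0 or start + toc_off + toc_len > len(data):
        return None
    toc = data[start + toc_off : start + toc_off + toc_len]
    entries, i = [], 0
    while i + TOC_ENTRY_LEN <= len(toc):
        elen, _, _, _, cflag, tc = struct.unpack_from(TOC_ENTRY_FMT, toc, i)
        if elen < TOC_ENTRY_LEN:                 # corrupt entry: stop rather than loop forever
            break
        name = toc[i + TOC_ENTRY_LEN : i + elen].rstrip(b"\0").decode("utf-8", "replace")
        entries.append((name, tc.decode(), bool(cflag)))
        i += elen
    return pyvers, pylib.rstrip(b"\0").decode(), entries


def build_sample_bundle() -> bytes:
    """Constructed stand-in for a PyInstaller onefile exe: a fake bootloader header
    followed by a minimal archive with two entries, a TOC and the trailing cookie."""
    items = [("main", b"s", b"print('hello')"), ("python311.dll", b"b", b"MZ fake dll")]
    blobs, toc = b"", b""
    for name, tc, raw in items:
        comp = zlib.compress(raw)
        ename = name.encode() + b"\0"
        ename += b"\0" * (-(TOC_ENTRY_LEN + len(ename)) % 16)   # 16-byte entry alignment
        toc += struct.pack(TOC_ENTRY_FMT, TOC_ENTRY_LEN + len(ename),
                           len(blobs), len(comp), len(raw), 1, tc) + ename
        blobs += comp
    arc_len = len(blobs) + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, COOKIE_MAGIC, arc_len, len(blobs), len(toc),
                         311, b"python311.dll")   # 311 = constructed "Python 3.11" tag
    return b"MZ\x90\x00" + b"\x00" * 64 + blobs + toc + cookie
```

Run `parse_pyinstaller_bundle(open(path, "rb").read())` on a real flagged binary: a non-None result with a plausible TOC means the file is a PyInstaller bundle, which by itself says nothing about whether it is malicious.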

Hartmut Goebel
Aug 2, 2023, 2:49:38 AM
to pyins...@googlegroups.com, Dominik Niedenzu
On 01.08.23 at 21:09, Dominik Niedenzu wrote:
thanks a lot for your fast answer! But I am not sure if I got it right - did you mean that the detection of the trojan in the pyinstaller release is wrong and almost certainly a "false positive" (so no trojan and no threat in pyinstaller at all), or did you mean the opposite? Sorry for my confusion - I am not a native speaker... :)

Please contact your anti-virus vendor. There is nothing we can do about this false positive.

If your anti-virus vendor considers one of the files included in the PyInstaller distribution or a file generated by PyInstaller to be malicious, there is nothing we can do about this. Even if we'd change our code, they'd change their pattern and the race starts again.

See this mailing-list thread and other tickets for this topic.

--
Best regards
Hartmut Goebel
Dipl.-Informatiker (univ), CISSP, CSSLP, ISO 27001 Lead Implementer
Information Security Management, Security Governance, Secure Software Development

Goebel Consult, Landshut
http://www.goebel-consult.de

Blog: https://www.goebel-consult.de/blog/2019/openstreetmaps-hat-google-maps-weit-ueberholt/
Column: https://www.goebel-consult.de/blog/cissp-gefluester/2011-11-in-troja-nichts-neues/

Dominik Niedenzu
Aug 2, 2023, 3:40:37 AM
to pyins...@googlegroups.com
Hey Chris,

thanks for clearing that up!

Cheers,
Dominik


Dominik Niedenzu
Aug 2, 2023, 3:41:20 AM
to Hartmut Goebel, pyins...@googlegroups.com
Hey Hartmut,

thanks a lot for your hints - I've already informed the virus scanner company - let's see what happens :) I'll keep you informed!

Dominik

Dominik Niedenzu
Sep 26, 2023, 3:52:31 AM
to PyInstaller
Guys, good news: it took a little time, as I had to contact the virus scanner company twice, but today I got the message that the issue has been handled, and indeed I did not get any false positive with VirusTotal for said 5.13.0 anymore!
Cheers, Dominik
