False positive trojan detection


David Cortesi

Nov 21, 2012, 7:52:42 PM
to pyins...@googlegroups.com
I am distributing an app built with pyinstaller and a user reported
that his AVG antivirus would not allow him to execute the app because
it "had a trojan." This is surely the same as reported on this list 4
Sept, see also ticket #619.

In investigating this I installed the latest level of Parallels
internet security on the Parallels VM where I build the windows
version of the app. This AV system (Kaspersky 13.something) also
detects the "Swrort" trojan in
pyinstaller-r2000\support\loader\Windows-32bit\run.exe and runw.exe.

This is unfortunate because now I can no longer run pyinstaller on
windows at all! As soon as it tries to open run.exe during a build,
Kaspersky steps in and deletes the file, and pops up a message about
how it saved me from this trojan.

For what it's worth, the Microsoft Malicious Software removal program
scanned the system and found no problems.

Whatever it is in run.exe and runw.exe that is triggering this false
positive needs to be fixed. Windows is basically dead in the water for
now.

I have put the above info in a comment on ticket #619 but thought I'd
run it by the mailing list in case anyone has any idea how to work
around it.

Martin Zibricky

Nov 22, 2012, 4:57:37 AM
to pyins...@googlegroups.com
A temporary workaround could be trying any executable packer, like
upx or any other from the following list:

https://en.wikipedia.org/wiki/Executable_compression


David Cortesi wrote on Wed 21. 11. 2012 at 16:52 -0800:

Martin Zibricky

Nov 22, 2012, 5:10:01 AM
to pyins...@googlegroups.com
David Cortesi wrote on Wed 21. 11. 2012 at 16:52 -0800:
> Whatever it is in run.exe and runw.exe that is triggering this false
> positive needs to be fixed. Windows is basically dead in the water for
> now.

Or another workaround is trying the debug versions of the bootloader,
run_d.exe and runw_d.exe. I think these two might not be marked as false
positives.

claudio canepa

Nov 22, 2012, 8:32:38 AM
to pyins...@googlegroups.com
On Wed, Nov 21, 2012 at 9:52 PM, David Cortesi <davec...@gmail.com> wrote:
> I am distributing an app built with pyinstaller and a user reported
> that his AVG antivirus would not allow him to execute the app because
> it "had a trojan." This is surely the same as reported on this list 4
> Sept, see also ticket #619.

One or two days after the false positive reported on October 11 [0], my exe was deemed clean by AVG 2013 Free.
I have used the exe several times since then and all was clear.
Just for completeness, with AVG updated to today, my exe and the run.exe from pyinstaller 2.0 stayed clean.

Could it be that your user needs to update the AVG database? Normally that is on auto, but who knows.

> In investigating this I installed the latest level of Parallels
> internet security on the Parallels VM where I build the windows
> version of the app. This AV system (Kaspersky 13.something) also
> detects the "Swrort" trojan in
> pyinstaller-r2000\support\loader\Windows-32bit\run.exe and runw.exe.


Surely Kaspersky has some way to report false positives; it may be worth a try. (AVG's response was fast, don't know about Kaspersky.)


Cheers


David Cortesi

Nov 23, 2012, 11:11:08 AM
to pyins...@googlegroups.com
> Surely Kaspersky has some way to report false positives, it may be worth a
> try. (AVG response was fast, don't know about Kaspersky)

http://support.kaspersky.com/virlab/helpdesk.html

One of the options in the dropdown subject list is "False alarm on a file"
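The practical first step behind both the mid-build deletion David describes and the false-alarm report is to establish whether the flagged run.exe/runw.exe is still the same file that came with the PyInstaller checkout. The script below is an added example for this thread, not code from the thread or from the PyInstaller project: it records a SHA-256 manifest of the bootloader files from a checkout you trust and re-checks them before a build, reporting each file as intact, modified, or missing (quarantined). The manifest file name, the helper names and the file contents in the demo are assumptions and constructed placeholders.

```python
"""Triage helper for an AV hit on PyInstaller's bootloader (hypothetical, not part of PyInstaller).

Records a SHA-256 manifest of the bootloader files in support/loader/<platform>/
from a checkout you trust, then re-checks them before a build. A file reported as
'missing' was quarantined or deleted (as Kaspersky did with run.exe); a file
reported as 'modified' is no longer the upstream bootloader and deserves a closer
look before anyone files a false-positive report for it.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Bootloader file names found in the PyInstaller 2.x Windows loader directory.
BOOTLOADER_NAMES = ("run.exe", "runw.exe", "run_d.exe", "runw_d.exe")
MANIFEST_NAME = "bootloader-manifest.json"  # assumed name, not a PyInstaller file


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(loader_dir: Path) -> dict:
    """Map each bootloader present in loader_dir to its SHA-256 hex digest."""
    return {
        name: sha256_of(loader_dir / name)
        for name in BOOTLOADER_NAMES
        if (loader_dir / name).is_file()
    }


def verify_manifest(loader_dir: Path, manifest: dict) -> dict:
    """Return {name: 'ok' | 'modified' | 'missing'} for every file in the manifest."""
    status = {}
    for name, expected in manifest.items():
        path = loader_dir / name
        if not path.is_file():
            status[name] = "missing"    # e.g. deleted or quarantined by the AV product
        elif sha256_of(path) != expected:
            status[name] = "modified"   # contents differ from the trusted copy
        else:
            status[name] = "ok"
    return status


def demo() -> dict:
    """Constructed scenario in a temp dir: record a manifest, then simulate what
    an AV deletion (run.exe) and an altered file (runw.exe) look like on re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        loader = Path(tmp) / "support" / "loader" / "Windows-32bit"
        loader.mkdir(parents=True)
        # Constructed placeholder bytes; real bootloaders are PE executables.
        for name in BOOTLOADER_NAMES:
            (loader / name).write_bytes(b"MZ-placeholder-" + name.encode())
        manifest = build_manifest(loader)
        (Path(tmp) / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))

        (loader / "run.exe").unlink()                                 # AV quarantined it
        (loader / "runw.exe").write_bytes(b"MZ-placeholder-changed")  # contents changed

        saved = json.loads((Path(tmp) / MANIFEST_NAME).read_text())
        return verify_manifest(loader, saved)


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```

Run `build_manifest` once against the loader directory of a fresh, trusted checkout and keep the JSON alongside your build scripts; a `modified` result on a later check means the file to investigate is not the one the project shipped, while `missing` after a build attempt is the AV deletion described in the thread and the hash in the manifest is what you quote when reporting the false alarm.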