False trojan messages?


Grant Paton-Simpson

Sep 4, 2012, 10:40:01 PM
to pyins...@googlegroups.com
Hi,

I have just downloaded pyinstaller 2.0 onto a virtualised Windows
environment and AVG thinks "C:\Documents and Settings\username\My
Documents\Downloads\pyinstaller-2.0.zip:\pyinstaller-2.0\support\loader\Windows-32bit\runw.exe"
is infected with "Trojan horse BackDoor.Generic15.BYZX". I supposedly
had the same problem with 1.6.

Any thoughts? I suspect it might be a false positive but obviously I
need to be careful.


All the best,
Grant

Martin Zibricky

Sep 5, 2012, 3:13:32 AM
to pyins...@googlegroups.com
Grant Paton-Simpson wrote on Wed 05. 09. 2012 at 14:40 +1200:
> Any thoughts? I suspect it might be a false positive but obviously I
> need to be careful.

I think it's definitely a false positive. I don't know how to modify the
bootloader code to make AVG happy. Could you try AVG with the development
version?

I think this is something for AVG support. Their experts could tell us more
since they have access to the source code.

Grant Paton-Simpson

Sep 5, 2012, 3:38:27 AM
to pyins...@googlegroups.com
Thanks Martin,

I'll do some experiments and report back.

All the best,
Grant

Grant Paton-Simpson

Sep 5, 2012, 6:35:30 AM
to pyins...@googlegroups.com
Hi Martin,

The dev version doesn't seem to trigger the same problem (from initial
experimentation). The exe created by the new version of pyinstaller (but
using the same spec file) gives an error message when run but otherwise
succeeds. The message is: WARNING: file already exists but should not:
C:/DOCUMEN~1/GRANTP~1/LOCALS~1/Temp/_MEI1922\.\pywintypes27.dll

I'll look at that tomorrow. Perhaps the issue will go away if I build a
clean spec file.

Here is the one I've been using:

> # -*- mode: python -*-
>
> a = Analysis([os.path.join(HOMEPATH, 'support\\_mountzlib.py'),
>               os.path.join(HOMEPATH, 'support\\useUnicode.py'),
>               'C:\\dev\\launch.py'],
>              pathex=['C:\\Python27\\pyinstaller-pyinstaller-ba163ef'])
> pyz = PYZ(a.pure, level=9)
> binary_includes = [
>     ('ssleay32.dll', 'C:\\Program Files\\wkhtmltopdf\\ssleay32.dll', 'BINARY'),
>     ('libeay32.dll', 'C:\\Program Files\\wkhtmltopdf\\libeay32.dll', 'BINARY'),
>     ('libgcc_s_dw2-1.dll', 'C:\\Program Files\\wkhtmltopdf\\libgcc_s_dw2-1.dll', 'BINARY'),
>     ('wkhtmltopdf.exe', 'C:\\Program Files\\wkhtmltopdf\\wkhtmltopdf.exe', 'BINARY'),
>     ('convert.exe', 'C:\\Program Files\\ImageMagick-6.7.8-Q16\\convert.exe', 'BINARY'),
>     ('libiconv2.dll', 'C:\\Windows\\System32\\libiconv2.dll', 'BINARY'),
>     ('pdftk.exe', 'C:\\Windows\\System32\\pdftk.exe', 'BINARY'),
>     ('gswin32c.exe', 'C:\\Program Files\\gs\\gs9.06\\bin\\gswin32c.exe', 'BINARY'),
>     ('gsdll32.dll', 'C:\\Program Files\\gs\\gs9.06\\bin\\gsdll32.dll', 'BINARY'),
> ]
>
> exe = EXE(pyz,
>           a.scripts,
>           a.binaries + binary_includes,
>           a.zipfiles,
>           a.datas,
>           exclude_binaries=False,
>           name='C:\\dev\\sofastats.exe',
>           icon='C:\\dev\\images\\sofa_32x32.ico',
>           strip=False,
>           upx=False,
>           debug=False,
>           console=False)

Anyway, it looks like the trojan warning was probably spurious.


All the best,
Grant

Sebastian Hilbert

Sep 5, 2012, 2:23:35 PM
to pyins...@googlegroups.com

Hi,

On Wednesday, September 05, 2012 10:35:30 PM Grant Paton-Simpson wrote:

> Hi Martin,
>
> The dev version doesn't seem to trigger the same problem (from initial
> experimentation). The exe created by the new version of pyinstaller (but
> using the same spec file) gives an error message when run but otherwise
> succeeds. The message is: WARNING: file already exists but should not:
> C:/DOCUMEN~1/GRANTP~1/LOCALS~1/Temp/_MEI1922\.\pywintypes27.dll
>
> I'll look at that tomorrow. Perhaps the issue will go away if I build a
> clean spec file
>

We have seen our share of false alarms. Fortunately heise.de scans with
something like 20 antivirus engines, and only a few showed the false alarms.


Sebastian Hilbert

Grant Paton-Simpson

Sep 5, 2012, 2:47:32 PM
to pyins...@googlegroups.com
Hi Sebastian,

That was my experience too. I would have hated it if my builds had
become infected.

All the best,
Grant

Martin Zibricky

Sep 5, 2012, 3:22:01 PM
to pyins...@googlegroups.com
I would love to get any feedback or programming techniques on how to
improve the bootloader C code to make it pass all antiviruses.

Grant Paton-Simpson wrote on Thu 06. 09. 2012 at 06:47 +1200:

Grant Paton-Simpson

Sep 5, 2012, 3:40:56 PM
to pyins...@googlegroups.com
I can only suggest the developers making other similar applications, e.g.
py2app, py2exe, etc. Have any of them solved the problem, or is it a
constant risk?

Martin Zibricky

Sep 5, 2012, 4:43:42 PM
to pyins...@googlegroups.com
Grant Paton-Simpson wrote on Thu 06. 09. 2012 at 07:40 +1200:
> I can only suggest the developers making other similar applications, e.g.
> py2app, py2exe, etc. Have any of them solved the problem, or is it a
> constant risk?

It seems like py2exe devs contacted antivirus makers:

http://comments.gmane.org/gmane.comp.python.py2exe/1681

Martin Zibricky

Sep 5, 2012, 4:45:14 PM
to pyins...@googlegroups.com
Grant Paton-Simpson wrote on Wed 05. 09. 2012 at 14:40 +1200:
> is infected with "Trojan horse BackDoor.Generic15.BYZX". I supposedly
> had the same problem with 1.6.

1.6 became the version 2.0.

Martin Zibricky

Sep 5, 2012, 5:13:54 PM
to pyins...@googlegroups.com
Grant Paton-Simpson wrote on Thu 06. 09. 2012 at 07:40 +1200:
> I can only suggest the developers making other similar applications, e.g.
> py2app, py2exe, etc. Have any of them solved the problem, or is it a
> constant risk?

I don't know much about C/C++ programming for Windows, but my guesses about
false antivirus positives would be:

- when compiling the bootloader with MSVC 2008 it displays many warnings like
---
..\common\pyi_utils.c(408) : warning C4996: 'strcpy': This function or variable may be unsafe. Consider using strcpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
---
- antiviruses might experimentally check binaries for using unsafe
functions from the standard C library as possible candidates for buffer
overflows.

- or other options could be the way python.dll is loaded or how a
subprocess is created.
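As an added illustration of the strcpy() point above (example code written for this thread, not PyInstaller's bootloader source; the function names safe_strcpy and safe_path_join are hypothetical), this is the bounded-copy pattern that replaces the calls MSVC flags with C4996: the destination size is always checked, the result is always NUL-terminated, and an input that does not fit is refused rather than overrunning the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for strcpy(): copies src into dst (capacity dstsize),
 * always NUL-terminates, and returns 0 on success or -1 if src does not fit.
 * Nothing is ever written past dst[dstsize-1], so an oversized input cannot
 * overflow the destination. */
int safe_strcpy(char *dst, size_t dstsize, const char *src)
{
    size_t len;
    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;
    len = strlen(src);
    if (len >= dstsize) {       /* need len+1 bytes including the terminator */
        dst[0] = '\0';          /* leave a valid empty string, not garbage */
        return -1;
    }
    memcpy(dst, src, len + 1);  /* len+1 copies the NUL as well */
    return 0;
}

/* Builds "<dir>\<name>" with explicit length accounting, the kind of path a
 * bootloader assembles for its temporary extraction directory. Returns 0 on
 * success or -1 if the joined path would not fit in dst. */
int safe_path_join(char *dst, size_t dstsize, const char *dir, const char *name)
{
    size_t dlen, nlen;
    if (dst == NULL || dir == NULL || name == NULL || dstsize == 0)
        return -1;
    dlen = strlen(dir);
    nlen = strlen(name);
    if (dlen + 1 + nlen + 1 > dstsize) {   /* dir + '\' + name + NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, dir, dlen);
    dst[dlen] = '\\';
    memcpy(dst + dlen + 1, name, nlen + 1);
    return 0;
}

int main(void)
{
    char buf[64];
    /* constructed sample inputs, modelled on the temp path quoted in the thread */
    if (safe_path_join(buf, sizeof buf, "C:\\Temp\\_MEI1922", "pywintypes27.dll") == 0)
        printf("%s\n", buf);
    if (safe_strcpy(buf, 8, "this string is far too long") != 0)
        printf("rejected oversized input\n");
    return 0;
}
```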
