Jump to content

Malwarebytes is flagging python exes created using PyInstaller


Recommended Posts

Malwarebytes is flagging any exe created using PyInstaller (https://www.pyinstaller.org/) as malware (Malware.AI.621701228).

I distribute a small python desktop client which I package using PyInstaller. I have recently updated to the latest version of Python / Pyinstaller and malwarebytes has suddenly started flagging the produced exe as malware. exe attached.

I am unable to attach the exe to this post. How can i send it to you?

Link to post
Share on other sites
  • 2 weeks later...

Hi, 

 

you managed to temporarily resolve this issue, but now upon repackaging a newer version of my desktop client using PyInstaller, malwarebytes has raiased a false positive again.  (Malware.AI.2399989317).

exe attached. 

I have run it using virus total.com and malwarebytes is 1 of 3 that have detected the file. The rest dont:

https://www.virustotal.com/gui/file/51ffaac18bca9a78d508bf383170416c96ad8d44fc7d88b9b00b38d4d7ec1e6c/detection

 

giblaw.zip

Link to post
Share on other sites
3 hours ago, pedz88 said:

I have run it using virus total.com and malwarebytes is 1 of 3 that have detected the file. The rest dont:

 The attached file is not detected by the consumer or commercial versions of Malwarebytes.

The engine format and configuration in VirusTotal is different than the consumer and corporate products’ default configuration. In VirusTotal Malwarebytes uses a command-line engine with different configuration and detection techniques/heuristics which might detect more than the commercial product. There are also false-positive suppression mechanisms in the commercial product which are not present in the command-line engine in VirusTotal.

This will eventually fix itself in Virustotal as well, as Malwarebytes has no control over this. Virus Total is having trouble reaching Malwarebytes cloud.

Edited by Porthos
Link to post
Share on other sites
Just now, pedz88 said:

Hi, the attached exe was detected twice by malwarebytes running on my laptop. 

This ocurred before I submitted it to virustotal.

Please be sure Malwarebytes is up to date. If after you are up to date and it is still detected please post the detection log.

 

2021-04-12_13h22_41.png

Link to post
Share on other sites

I also distribute a program packaged by pyinstaller 4.2.  According to VirusTotal, the exe is being flagged by Malwarebytes as Malware.AI.3490323308:

https://www.virustotal.com/gui/file/b83bf4d702c64cbc85e6108aa4a0206e16eb170c01c86aac744d7167063e7880/detection

I ran this same file through Malwarebytes Free 4.3.0 updated 30 minutes ago.  Interestingly, the detected threat is slightly different: Malware.AI.3189864480.

The exe file is attached.  You can also download the full installer (created with Inno Setup) here:

https://download.joulescope.com/joulescope_install/0/9/7/joulescope_setup_0_9_7.exe

 

pyinstaller is definitely a challenge for antivirus vendors.  Many legitimate tools use pyinstaller.  However, a number of less savory ones do, too.

joulescope.zip

Link to post
Share on other sites
27 minutes ago, mliberty said:

I ran this same file through Malwarebytes Free 4.3.0 updated 30 minutes ago. 

Here is a current log for staff.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/15/21
Scan Time: 5:57 PM
Log File: f02db860-9e3d-11eb-8dc4-001a7dda7102.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1251
Update Package Version: 1.0.39455
License: Premium

-System Information-
OS: Windows 10 (Build 19042.928)
CPU: x64
File System: NTFS
User: I7-PC\SAPC

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 1
Threats Detected: 1
Threats Quarantined: 0
Time Elapsed: 0 min, 8 sec

-Scan Options-
Memory: Disabled
Startup: Disabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Malware.AI.3189864480, C:\MALWARE TEST\JOULESCOPE\JOULESCOPE.EXE, No Action By User, 1000000, 0, 1.0.39455, 9DCFA9E6EA95DEE8BE217820, dds, 01203471, 8E42557EA9C2AAC136C768019B3A93E2, B83BF4D702C64CBC85E6108AA4A0206E16EB170C01C86AAC744D7167063E7880

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

  • Like 1
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.