py2exe / py2exe

Create standalone Windows programs from Python code
http://www.py2exe.org

py2exe Windows executable is detected as a virus by many programs #73

Status: Closed (urishab closed this issue 3 years ago)

urishab commented 3 years ago

As in the title, Windows applications created by py2exe have a strong signature of a virus. See for example the VirusTotal report for the Windows executable bundled with version 0.10.2.1, where it's detected as a virus by 25/70 engines: https://www.virustotal.com/gui/file/950068e81a739274e3ca27149f95a5e11ce2e33bd187f76f29ff8286c1408d4b/detection

It's surprising because running the console application gives hardly any warnings (6/71 engines): https://www.virustotal.com/gui/file/86e624f63879b478fc15341b846ef90990cb4cb2e8f80b7ee9b7ee131f2992b6/detection

Looking at the source code there is very little difference between the two. Is there a way to reduce these kinds of warnings? This is quite scary for people using these executables.

albertosottile commented 3 years ago

I am not really sure about what we can do about this. I hope that from the code it is clear that py2exe does not include any malware. Now, some antivirus/antimalware software has just started to flag as suspect anything that is not signed and not so popular.

Signing the executables in py2exe could help, but that requires buying a certificate and handling it, which is expensive both in terms of time and money. An alternative could be to submit the executables to some of these vendors for false-positive evaluation, but given the pace py2exe is moving at right now, this could be an extremely tedious and, ultimately, worthless process.

Long term, the project could be restructured to not have to rely on .exe files to run the packaging, but instead use CPython DLL extensions and load them from Python itself. This should solve the problem once and for all, but it requires a major rewrite of some critical components of this software.

In summary, I do not know what to do to mitigate this issue in the short term. As usual, I am open to suggestions/proposals/PRs.

urishab commented 3 years ago

Thanks alberto for giving the detailed reply. Looking online I see this is a problem going back even to 2007, so I guess there is no easy solution :( Seems pretty strange to me that antivirus would flag something as mundane as a py2exe executable. I mean, they are everywhere. Anyway, I'll close this because I don't see anything that can be done ATM.

Athanasius commented 3 years ago

We've now seen this issue with EDMarketConnector's 5.0.0 release. I've done the rounds of reporting it as a false positive to the AV vendors I was informed were flagging it.

My colleague had a thought... what if developers of malicious software are actively using py2exe to package their software? That way AV vendors would be processing actual malware with py2exe code embedded and this would go some way to explaining these false positives in benign software packaged with py2exe.

albertosottile commented 3 years ago

This issue concerns the executables that are shipped in the py2exe wheels (e.g. run_w-py3.6-win-amd64.exe). For those, the mitigation plan described in my comment above is probably the only long-term solution possible.

@Athanasius You are referring to false-positive issues with executables made with py2exe. I would suggest opening another issue for this problem, but I am afraid I cannot really help you. Your hypothesis is valid, however it does not help us in solving the problem. Though, personally, I have the feeling that A/Vs and antimalware just flag as suspect anything that is not common and not signed.

Athanasius commented 3 years ago

> This issue concerns the executables that are shipped in the py2exe wheels (e.g. run_w-py3.6-win-amd64.exe). For those, the mitigation plan described in my comment above is probably the only long term solution possible.

The OP said:

> As in the title, windows applications created by py2exe have a strong signature of a virus.

But, yes, my comment was mostly in the way of a heads up and to mention that "maybe bad actors are utilising py2exe themselves" though.

urishab commented 2 years ago

I recently tried to sign a Py2EXE executable with the signtool and a digital signature. After the signing is complete the executable no longer runs. Py2Exe fails with the following message:

Fatal Python error: Py_Initialize: unable to load the file system codec
ModuleNotFoundError: No module named 'encodings'

Current thread 0x00003c34 (most recent call first):

Browsing around this seems to be a known problem and the only solution is to use the zip option in the py2exe script. But this has the downside that your code is no longer signed - only the encapsulating executable.

I'm guessing that py2exe is using the end of the file as an index to the included package and adding anything beyond the end of the original is confusing it.

It seems that PyInstaller somehow works around this problem in a non-trivial way: https://github.com/pyinstaller/pyinstaller/wiki/Recipe-Win-Code-Signing

Is there a way to add a similar workaround in py2exe?
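The failure mode described in the comment above, and one way around it, as an added example that is not py2exe's or PyInstaller's code. Whether py2exe really locates its bundled archive from the end of the file is the commenter's guess; the trailer layout and the `PYLD` magic below are hypothetical, the PE image is a header-only stub, and the certificate bytes are a constructed placeholder. What the example relies on is the real Authenticode file layout: signtool appends a WIN_CERTIFICATE table at the end of the file and records its file offset and size in the security data directory (index 4 of the optional header's data directories), so a loader can recover the pre-signature end of file from that entry instead of trusting the current EOF.

```python
"""EOF-anchored payload vs. Authenticode signing (added example, not py2exe's code).

The trailer format and magic are hypothetical; the PE is a header-only stub and
the PKCS#7 bytes are a placeholder.  The WIN_CERTIFICATE layout and the use of
the security data directory (index 4) are the real Authenticode conventions.
"""
import struct
from typing import Optional

TRAILER_MAGIC = b"PYLD"                       # hypothetical loader magic
TRAILER_FMT = "<4sQ"                          # magic, payload length
TRAILER_SIZE = struct.calcsize(TRAILER_FMT)   # 12 bytes
PE32PLUS_MAGIC = 0x20B
SECURITY_DIR_INDEX = 4                        # IMAGE_DIRECTORY_ENTRY_SECURITY


def build_stub_pe() -> bytes:
    """Minimal PE32+ header with no sections: enough for data-directory lookups."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)     # e_lfanew -> PE signature at 64
    # PE\0\0 + COFF header: machine, nsections, timestamp, symtab, nsyms, optsize, flags
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                      # PE32+ optional header
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)      # NumberOfRvaAndSizes
    return bytes(dos) + coff + bytes(opt)


def _security_dir_offset(image: bytes) -> int:
    """File offset of the security directory entry (VirtualAddress, Size)."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    opt = e_lfanew + 24                       # skip PE signature + COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    dirs = opt + (112 if magic == PE32PLUS_MAGIC else 96)
    return dirs + SECURITY_DIR_INDEX * 8


def append_payload(image: bytes, payload: bytes) -> bytes:
    """Hypothetical EOF-anchored scheme: payload, then a trailer read from EOF."""
    return image + payload + struct.pack(TRAILER_FMT, TRAILER_MAGIC, len(payload))


def authenticode_sign(image: bytes, pkcs7_blob: bytes) -> bytes:
    """Mimic what signtool does to the file layout: append a WIN_CERTIFICATE
    (dwLength, wRevision=0x0200, wCertificateType=0x0002 PKCS_SIGNED_DATA,
    bCertificate) padded to 8 bytes, and point the security directory at it.
    For Authenticode that directory holds a *file offset*, not an RVA.
    pkcs7_blob is a constructed placeholder, not a real signature."""
    cert = struct.pack("<IHH", 8 + len(pkcs7_blob), 0x0200, 0x0002) + pkcs7_blob
    cert += b"\0" * (-len(cert) % 8)
    out = bytearray(image)
    struct.pack_into("<II", out, _security_dir_offset(image), len(image), len(cert))
    return bytes(out) + cert


def load_payload_naive(image: bytes) -> Optional[bytes]:
    """Read the trailer from the last TRAILER_SIZE bytes of the file."""
    magic, length = struct.unpack_from(TRAILER_FMT, image, len(image) - TRAILER_SIZE)
    if magic != TRAILER_MAGIC:
        return None                           # certificate table now sits at EOF
    end = len(image) - TRAILER_SIZE
    return image[end - length:end]


def image_end_before_signature(image: bytes) -> int:
    """Length of the file before signing: if the security directory is populated,
    the certificate table begins exactly where the unsigned file ended."""
    cert_off, cert_size = struct.unpack_from("<II", image, _security_dir_offset(image))
    if cert_off and cert_off + cert_size <= len(image):
        return cert_off
    return len(image)


def load_payload_robust(image: bytes) -> Optional[bytes]:
    """Same trailer, but anchored at the pre-signature end of file."""
    eof = image_end_before_signature(image)
    magic, length = struct.unpack_from(TRAILER_FMT, image, eof - TRAILER_SIZE)
    if magic != TRAILER_MAGIC:
        return None
    return image[eof - TRAILER_SIZE - length:eof - TRAILER_SIZE]


# Constructed sample inputs.
PAYLOAD = b"PK\x03\x04 constructed stand-in for the bundled library.zip"
FAKE_PKCS7 = b"\x30\x82 constructed placeholder for the PKCS#7 SignedData"


def demo() -> dict:
    """Show which locator survives signing; values are True when the payload loads."""
    unsigned = append_payload(build_stub_pe(), PAYLOAD)
    signed = authenticode_sign(unsigned, FAKE_PKCS7)
    return {
        "naive_unsigned": load_payload_naive(unsigned) == PAYLOAD,
        "naive_signed": load_payload_naive(signed) == PAYLOAD,
        "robust_unsigned": load_payload_robust(unsigned) == PAYLOAD,
        "robust_signed": load_payload_robust(signed) == PAYLOAD,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two practitioner notes. First, the robust locator only changes where the loader looks; it does not verify anything. Integrity comes from the signature, and Authenticode hashes the whole file except the checksum field, the security directory entry and the certificate table itself, so a payload appended before signing is covered by the signature, whereas a separate library.zip next to the executable (the zip option mentioned above) is not. Second, the same trick works in reverse for an attacker: bytes placed inside the certificate table after the PKCS#7 structure are excluded from the hash, so a loader must never read its payload from the region the security directory describes.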