Pyinstaller EXE detected as Virus? (Solutions and Alternatives)

by

PyInstaller, a popular tool for converting Python scripts into standalone executables, has become a go-to choice for developers seeking to distribute their applications. However, a rising concern among users revolves around their PyInstaller EXE files being detected and flagged as a Virus by Antivirus software.

In this article, we’ll delve into the reasons behind this phenomenon and explore various strategies to address and overcome the challenges posed by antivirus detections.

Table Of Contents
  1. Why is your Pyinstaller EXE detected as a Virus?:
  2. Testing with VirusTotal:
  3. Solutions: Pyinstaller EXE detected as Virus
  4. 6. Submit a report to the Antivirus Organization
  5. Conclusion

Why is your Pyinstaller EXE detected as a Virus?:

Before delving into solutions, it’s crucial to understand why PyInstaller-generated EXE files might trigger antivirus alerts. It has little to do with your actual code, as even the most simplest of programs will end up being flagged. In reality, there are many other external factors at play.

  • Due to the popularity and widespread usage of Python, it is not uncommon for hackers or cyber-criminals to distribute malware, trojans, and ransomware using Python + PyInstaller. This is the first issue, as anti-viruses will see similarities between the EXE’s generated by you, and by the malware produced by criminals.

  • Whenever you download an executable from somewhere, you might have seen a popup that asks you if you are sure you want to run the file. You may also see some publisher information in the popup, or a warning message if there is an unknown publisher. When you, as an individual publish an EXE (doesn’t matter what technique you used to make the EXE), you are effectively a stranger in the Anti-virus’s eyes. You have no identity, or authenticity.


It is usually a combination of several of these different reasons that your pyinstaller program will get detected as a virus or malware. We will discuss how to mitigate some (if not all) of these problems in this article, which will hopefully be enough to pass undetected through any anti-virus.

Testing with VirusTotal:

One effective way to ascertain whether your PyInstaller-generated EXE is being detected as a Virus by popular antivirus software is to use the virustotal website. Virustotal allows you to upload your file and scans it with multiple antivirus engines, and lets you know which ones have flagged your EXE as a Virus/Malware, and what warning they have raised.

Pyinstaller EXE detected as Virus?

This website also serves as a good point of reference. Before you begin applying any of the techniques in this article, go and check your EXE by uploading it into the site. Note down how many antiviruses are detecting your EXE as harmful.

Then as you apply each solution, one by one, keep rechecking to see whether there was any improvement.

Solutions: Pyinstaller EXE detected as Virus

A list of solutions for how to avoid your application being flagged by an antivirus. If you have any suggestions, let us know in the comments section, and we will add them to this list.


1. Avoid onefile Mode:

Explanation:
Using PyInstaller’s onefile mode compiles the Python interpreter, your script, and all dependencies into a single compressed executable. This compression can trigger false positives in antivirus scans due to the executable’s compressed nature.

Steps:

  1. Open your terminal or command prompt.
  2. Navigate to your project directory.
  3. Instead of using --onefile in your PyInstaller command, opt for a bundled directory structure by excluding the --onefile option. You can also manually specify the directory mode by using the --onedir option.

2. Build the PyInstaller Bootloader Yourself:

Explanation:
Building the PyInstaller bootloader from source allows you to create a customized version, reducing the likelihood of triggering antivirus alerts. By default, PyInstaller comes with pre-compiled bootloader binaries for different Operating Systems. By compiling the bootloader on your own system, you make the process more consistent (and unique) potentially avoiding patterns that resemble malicious software.

Steps:

  1. Delete any existing PyInstaller related files from your project, such as the build, dist, and __pycache__ folders.
  2. Uninstall PyInstaller using the command: pip uninstall pyinstaller.
  3. Download and Install a C/C++ compiler (if you don’t already have one). For Windows Users, the easiest way of doing this (with very little manual work required) is to download the Visual Studio C/C++ compiler.
  4. Clone the PyInstaller repository from GitHub, or download it as a Zip file. Extract the contents of the folder, and place them in the directory where you want PyInstaller to be installed.
  5. Navigate to the bootloader subdirectory in the PyInstaller folder.
  6. To compile the bootloader, run the following command: python ./waf all (If this command doesn’t work, refer to this documentation page for PyInstaller which explains how to compile the bootloader in detail).
  7. Now go (cd) into the folder you created (or chose) for installing PyInstaller, and run the following command: python.exe setup.py install
  8. Now rebuild your EXE using your new PyInstaller library.
  9. Upload the newly created EXE to the virustotal website to check if there was any improvement.

3. Code Signing Certificate:

Explanation:
Obtaining a code signing certificate is a proactive measure to establish the legitimacy of your application. Code signing involves digitally signing your executable with a certificate issued by a trusted certificate authority (CA). This enhances the trustworthiness of your application and reduces the likelihood of triggering antivirus detections.

Steps:

  1. Obtain a code signing certificate from a trusted certificate authority. Here is a list of certificate providers that Microsoft recommends.
  2. Sign your PyInstaller-generated executable using a tool like signtool or integrated signing options in your development environment.

4. Use Nuitka as an Alternative

Explanation:
Nuitka, an alternative to PyInstaller, takes a different approach by converting Python scripts into optimized C code before compilation. This process results in executables that may have a lower chance of triggering antivirus alerts, making it a viable alternative for developers facing persistent issues with PyInstaller. Nuitka has much of the same features as PyInstaller, such as onefile mode. On top of all this, Nuitka is also faster and more secure than PyInstaller. Only downside is the extra time taken for compiling, as it involves multiple stages (convert to C, then compile).

Steps:

  1. Install Nuitka using the recommended method for your operating system. This can be done using the command pip install nuitka.
  2. Compile your Python script using the Nuitka compiler using the command: python -m nuitka --standalone yourfile.py
  3. Distribute the generated executable to users.

For a more detailed tutorial on Nuitka, and how to customize it, refer to this guide.

5. Utilize Inno Setup or Similar Tools:

Explanation:
Packaging your application with tools like Inno Setup provides a workaround to antivirus detection by creating a more traditional installer. This method avoids direct reliance on PyInstaller’s executable and may reduce the likelihood of false positives. If your application is getting flagged before it even gets to run, this solution will most likely help (as the Inno Setup created EXE is more trustworthy).

Steps:

  1. Download and install Inno Setup or a similar packaging tool.
  2. Follow the script wizard which Inno Setup will prompt you with to create a configuration script for your application. This is fairly easy to follow along with.
  3. Include your PyInstaller-generated executable and dependencies in the installer package (part of the script wizard process).
  4. Compile the script to generate a distributable installer for your application.

If you need a detailed guide with screenshots of all steps, here is a link to our Inno Setup Guide.

6. Submit a report to the Antivirus Organization

Explanation:
Many antivirus software come with a reporting feature, which allow you to report false positives. They will then review your application, and update their virus definitions based on the report. If there is a particular antivirus which is causing you trouble, this will be a good option.

Steps:

  1. Use the virustotal website to determine which antiviruses are flagging your application.
  2. Use the report feature (if available) to have your application greenlit.

Conclusion

Whether through adjusting PyInstaller settings, exploring alternative compilation tools like Nuitka, utilizing packaging tools like Inno Setup, or purchasing code signing certificates, developers have a range of strategies to overcome antivirus detection hurdles and ensure their applications reach users seamlessly. All you need is a little effort (or lots of money!)

This marks the end of the “Pyinstaller EXE detected as Virus?” Article. Any questions about the article content can be asked in the comments section below.

facebookShare on Facebook
TwitterTweet
FollowFollow us
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments