emersonrp / bindcontrol

Keybind manager for City of Heroes

0.17.10.3_windows triggers Windows Defender.

xizar opened this issue · comments

Windows Defender claims that it detects "Trojan:Win32/Bearfoos.A!ml", and then chucks it in the bin.

I tested 0.17.10.2 and Windows forced a scan before it let me run it this time, but that one seems to be fine.

Wow "Bearfoos" is a new one. So weird. I thought I'd maybe gotten past all that with the changes I made in 0.17.2 a couple of weeks ago, but Windows Defender never fails to surprise me. I continue to consider simply not making binary releases any more, as this is a recurring embarrassment.

The detection is certainly a false positive, a casualty of PyInstaller, but I don't want to get people into the habit of running software that Windows Defender doesn't like. Going to ponder what to do about this, but in the very short term, I'm going to remove the ZIP file from the 0.17.10.3 release and continue to encourage people to run from source instead of using the binary packages.

There's a 0.17.10.4 coming very soon; we'll see whether it also causes the problem. Thanks for the report.

This is particularly tedious during times of heavy development like right now because, while there is a process to get things reviewed and whitelisted with Windows Defender, it's not instantaneous and needs to be done with every release, and then await people getting the updated Defender definitions from MS. When I'm popping out daily releases, that's just not feasible.

I did more looking and Bearfoos seems to be a false positive pretty often, with the "ml" in the extension suggesting it's a flag indicating machine learning was used to do the identification.

(I respect your choice to stop providing binaries if you do. That said, if you do start to only provide source files, please provide ELI5 level explanations of how to compile them.)

Yeah, the README currently has a "Running from Source" section that's not quite ELI5, but it's not particularly complicated. I should revisit that section and expand it a little bit with some more specifics and detailed steps, hopefully without getting too wordy.

Oh interesting, PyInstaller just released a new version like 48 hours ago: https://pyinstaller.org/en/stable/CHANGES.html

I think I might want to force the automated build action to use a previous version.

OK I just released 0.17.10.4, which is identical to 0.17.10.3 except built with the previous version of PyInstaller. I tried it out on my Windows 10 VM and Windows Defender was happy with it. Please let me know your luck when you get a chance.

Scanned 0.17.10.4 and didn't get a hit.

At least two of those other reports I found also related to the version of PyInstaller, with assertions of false positives.

OK I'm gonna go ahead and close this since it's specific to 0.17.10.3, and I'll take any new reports as they come. Thanks again for the heads-up.