
Trying to release your software sucks, mostly because of antivirus false positives. I don't have an answer, but I do have a list of links to help get your code whitelisted.


hankhank10/false-positive-malware-reporting


How to stop anti virus software flagging your Python application as malware

Compiling your application into an executable makes it easy to distribute to users. Popular tools to do this are PyInstaller and py2exe.

However, one downside is that compiled Python code is frequently flagged as malicious by anti-virus software, with scary-sounding names like Wacatac.B!ml.

These are generally false positives, but they can be deeply unsettling for users.

In particular with Windows Defender, this can also make it effectively impossible for users to use your software since it may be placed into "quarantine" which means it cannot be used without disabling Windows Defender.

This guide explains steps which can resolve this and allow you to distribute your compiled Python files without them being incorrectly identified as malware, a virus or a trojan.

Step 1: Check which anti-virus engines are flagging your software

Uploading your file to VirusTotal will let you know which engines are identifying your software as malware.

Step 2: Report these as "false positives" to the anti-virus providers

Anti-virus providers are surprisingly proactive in responding to reports of false positives. The analysis and action can occur within hours.

I generally submit the file, politely explain the issue and include a link to my source code.

Unfortunately, there's a good chance that every time you recompile your code for changes you will get re-added to the "naughty list" because the new executable has a different hash. There's not much to do other than keep re-submitting. If you have digitally signed your executable then you should build reputation over time.

Very important: Make sure you are submitting the file as a false positive. Providers often have similar-looking forms for submitting software which you think is malware, so check that you are using the right one.

List of links to report false positives

| Provider | Link | Method |
| --- | --- | --- |
| Windows Defender | https://www.microsoft.com/en-us/wdsi/filesubmission | Online form |
| Avast | https://www.avast.com/false-positive-file-form.php | Online form |
| MalwareBytes | https://forums.malwarebytes.com/forum/42-file-detections/ | Create forum account and post |
| Comodo | https://www.comodo.com/home/internet-security/submit.php | Online form |
| Symantec | https://symsubmit.symantec.com/ | Online form |
| Norton | https://submit.norton.com/?type=FP | Online form |
| Sophos | https://support.sophos.com/support/s/filesubmission?language=en_US | Online form |
| Avira | https://www.avira.com/en/analysis/submit?utm_source=CS&utm_medium=KB | Online form |
| Bitdefender | https://www.bitdefender.com/consumer/support/answer/40673/ | Online form |
| F-Secure | https://www.f-secure.com/en/business/support-and-downloads/submit-a-sample | Online form |
| AVG | https://www.avg.com/en-us/false-positive-file-form | Online form |
| Sangfor | https://sec.sangfor.com.cn/user_feedback?lang=EN-US | Online form |
| Ikarus | false-positive@ikarus.at | Email |
| McAfee | virus_research@avertlabs.com | Email with subject line starting FALSE |
| Dr Web | https://vms.drweb.com/sendvirus/?lng=en | Online form |
| ClamAV | https://www.clamav.net/reports/fp | Online form |
| SecureAge | https://www.secureage.com/article-report-false-positive | Online form |

Another good idea: Get a digital certificate

This isn't an immediate fix, but getting a digital certificate to "sign" your executables will allow you to build reputation with anti virus software.

You can get a certificate for €60 a year with Comodo. They require you to provide various kinds of identification and the process can take around 48 hours.

Once you have the certificate you can sign the EXE using Microsoft's SignTool, which is included with the Windows SDK.
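
The signing step above, as an added example that is not part of the original guide: a PowerShell script that signs the executable with SignTool, timestamps it, verifies the result and reports the post-signing SHA-256 (signing changes the file, so this is the hash the anti-virus engines will see). The executable path, certificate thumbprint and timestamp URL are placeholders, and the script assumes signtool.exe is on PATH and the certificate is installed in your certificate store.

```powershell
# Added example: sign, timestamp and verify a compiled executable.
# All default values below are placeholders to replace with your own.
param(
    [string]$ExePath      = '.\dist\myapp.exe',                    # hypothetical build output
    [string]$Thumbprint   = '<CERT-SHA1-THUMBPRINT>',              # code-signing cert in your store
    [string]$TimestampUrl = '<YOUR-CA-RFC3161-TIMESTAMP-URL>',     # published by your certificate authority
    [string]$SignTool     = 'signtool.exe'                         # assumes the Windows SDK tool is on PATH
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $ExePath)) {
    throw "Executable not found: $ExePath"
}

# Sign with a SHA-256 file digest and an RFC 3161 timestamp. The timestamp
# keeps the signature verifiable after the certificate itself expires.
& $SignTool sign /sha1 $Thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 $ExePath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)" }

# Verify against the default Authenticode policy, as Windows would.
& $SignTool verify /pa /v $ExePath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed (exit code $LASTEXITCODE)" }

# Cross-check with the built-in cmdlet and fail loudly on anything but 'Valid'.
$sig = Get-AuthenticodeSignature -FilePath $ExePath
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}
if (-not $sig.TimeStamperCertificate) {
    Write-Warning 'Signature has no timestamp; it will stop validating when the certificate expires.'
}

# Hash the file only after signing: the unsigned build has a different hash.
$hash = (Get-FileHash -LiteralPath $ExePath -Algorithm SHA256).Hash

[pscustomobject]@{
    File        = (Resolve-Path -LiteralPath $ExePath).Path
    SHA256      = $hash
    Signer      = $sig.SignerCertificate.Subject
    Timestamped = [bool]$sig.TimeStamperCertificate
}
```

Upload and report the signed file rather than the unsigned build, so the hash in your false-positive submission matches what users actually download.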
