Resolving False Positive Trojan Horse Detections in PyInstaller-Generated Executables by AVG

Dec 06, 2025 · Programming

Keywords: PyInstaller | false positive | AVG

Abstract: This article addresses the issue where executables generated by PyInstaller are falsely flagged as Trojan horses (e.g., SCGeneric.KTO) by AVG and other antivirus software. It analyzes the causes, including suspicious code patterns in pre-compiled bootloaders. The core solution involves submitting false positive samples to AVG for manual analysis, leading to quick virus definition updates. Additionally, the article supplements this with technical methods like compiling custom bootloaders to reduce detection risks. Through case studies and code examples, it provides a comprehensive guide from diagnosis to resolution, offering practical insights for developers.

Problem Background and Diagnosis

After packaging a Python 3 script into an installer using PyInstaller and Inno Setup, the generated .exe file is detected as an SCGeneric Trojan horse by AVG Business Edition AntiVirus. Analysis via VirusTotal shows that 11 out of 61 scanners report similar issues, including TheHacker, DrWeb, and Yandex. This indicates that false positives may not be limited to AVG but result from multiple antivirus engines misjudging code patterns in PyInstaller outputs.

Core Solution: Submitting False Positive Samples

Based on best practices, the most effective resolution is to report false positives directly to antivirus vendors. For AVG, files can be uploaded via its official sample submission page (https://secure.avg.com/submit-sample). Experience shows that AVG typically completes analysis and updates virus definitions within 24 hours. After submission, users receive confirmation that the file is virus-free; the detection only disappears, however, once the local virus definitions have been updated to the revised version. If the false positive persists after updating, check whether the installed definitions lag behind the current release and contact support if necessary.

Supplementary Technical Solution: Compiling Custom Bootloaders

PyInstaller uses pre-compiled bootloaders to launch packaged applications. Because the same bootloader binaries ship with every PyInstaller installation, they also end up inside malware built with PyInstaller, so their byte patterns may be picked up by antivirus heuristics and flagged in legitimate programs as well. To mitigate such false positives, compile the bootloaders manually. First, ensure a consistent development environment: for Windows 64-bit systems, install 64-bit Python and the corresponding version of Visual Studio (refer to the Python Windows Compilers Guide). Then, compile the bootloader following the PyInstaller documentation (Bootloader Building Guide), replacing the default files such as run.exe. Finally, reinstall PyInstaller:

python setup.py install

This method reduces false positive rates by generating unique binary code that minimizes matches with known malware patterns.

Implementation Steps and Considerations

In practice, follow this sequence: first, use tools like VirusTotal to confirm the scope of false positives; second, submit samples to major antivirus vendors (e.g., AVG); concurrently, consider compiling custom bootloaders as a long-term preventive measure. Note that manual compilation requires correct environment setup to avoid packaging failures. Additionally, regularly updating PyInstaller versions can reduce compatibility issues.
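For the first step, confirming the scope of the false positive (also the diagnosis described in Problem Background and Diagnosis), the following Python helper is an added example and not code from the article: it reads a report in the shape of a VirusTotal v3 file object, counts which engines flagged the file, and applies a rule of thumb of my own (few engines, mostly generic or heuristic signature names) to suggest whether the vendor-submission path is appropriate. The engine verdicts below are constructed sample data, and the generic-name markers and the 25% ratio are assumptions, not VirusTotal's definitions.

```python
from typing import Dict, List

# Constructed report in the shape of a VirusTotal v3 file object
# (data.attributes.last_analysis_results); verdicts are made up for this example.
_FLAGGED = {
    "AVG": "SCGeneric.KTO", "DrWeb": "Trojan.Generic",
    "TheHacker": "Trojan/Generic", "Yandex": "Trojan.Agent!x",
}
_CLEAN = ["Microsoft", "Kaspersky", "ESET-NOD32", "Bitdefender", "McAfee", "Symantec",
          "TrendMicro", "Avira", "F-Secure", "Fortinet", "ClamAV", "Sophos"]
SAMPLE_REPORT = {"data": {"attributes": {"last_analysis_results": {
    **{e: {"category": "malicious", "result": r} for e, r in _FLAGGED.items()},
    **{e: {"category": "undetected", "result": None} for e in _CLEAN},
    # An engine that could not scan the file is excluded from the denominator.
    "ZoneAlarm": {"category": "type-unsupported", "result": None},
}}}}

NOT_SCANNED = {"type-unsupported", "timeout", "confirmed-timeout", "failed"}
# Assumption: signature names containing these fragments are generic/heuristic verdicts.
GENERIC_MARKERS = ("generic", "heur", "susp")


def summarize(report: dict) -> dict:
    """Return how many engines scanned the file, which flagged it, and which used generic names."""
    results = report["data"]["attributes"]["last_analysis_results"]
    scanned = {e: r for e, r in results.items() if r["category"] not in NOT_SCANNED}
    flagged: Dict[str, str] = {e: r["result"] for e, r in scanned.items()
                               if r["category"] in ("malicious", "suspicious")}
    generic: List[str] = sorted(e for e, name in flagged.items()
                                if any(m in name.lower() for m in GENERIC_MARKERS))
    return {"scanned": len(scanned), "flagged": flagged, "generic_named": generic}


def triage_hint(summary: dict, max_ratio: float = 0.25) -> str:
    """Rule of thumb (my assumption): a minority of engines using mostly generic names
    matches the false-positive pattern the article describes; it is a hint, not a verdict."""
    n = len(summary["flagged"])
    if n == 0:
        return "clean"
    ratio = n / summary["scanned"]
    if ratio <= max_ratio and len(summary["generic_named"]) >= n / 2:
        return "likely false positive: submit the file to the flagging vendors"
    return "needs review: widespread or specific detections"


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"{len(s['flagged'])}/{s['scanned']} engines flagged: {sorted(s['flagged'])}")
    print(triage_hint(s))
```

Point the same functions at the JSON returned by the VirusTotal API for the real executable to get the engine list to include in each vendor submission.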

Conclusion

False positive Trojan horse detections for PyInstaller-packaged files are common, primarily due to heuristic detection of code patterns by antivirus software. By submitting false positive samples and compiling custom bootloaders, this issue can be effectively resolved. Developers should choose solutions based on their specific contexts to ensure smooth application distribution and usage.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.