Trojan virus detected on 1.7.1 exe

[D4VID-B]

Went to download the EDScout.exe and Windows defender flagged it as having a virus on it. I saw that there was a similar Issue, but the virus they reported was different to what Defender found on my machine:

Let's hope this is also a false positive.
Also, if possible add a hash checksum to the important files so we can verify them.
Thank you

[joncage]

Submitted to MS for review - thanks for reporting: https://www.microsoft.com/en-us/wdsi/submission/b12018fa-6c58-4b06-8cd2-ebaa8c746e2d

Good idea r.e. the checksums.

[Gopher-nz]

Yup got same problem - I did have a few issues but I think it is working - sort of. Well v1.7 works I think.

[joncage]

From Microsoft...

We have reviewed the files and we have added detection for them to the next definition update. The latest definitions information is available here: https://www.microsoft.com/en-us/wdsi/definitions.

Thank you for contacting Microsoft.

[joncage]

Try updating your virus Defs and give it another shot. I think it has less problems with the installed version too if that helps..

[D4VID-B]

Tried again, with (what I think are) the latest Defs. Now getting this:

Any ideas why this is happening to your files? I've been setting up a number of tools for Elite and haven't had this happen anywhere.
Also (and this is somewhat off-topic) what does the Setup-EDScout.exe do? Maybe I can try using it instead.

[joncage]

My guess (and frankly I don't know) is that because I've written this in Python, used a flask web server and packaged it up with PyInstaller, that Microsoft's tools look at and say "Well this looks suspicious; Written in Python and it extracts python code and then runs it? I'd better flag this". It's becoming pretty frustrating because I have to do this every time I release another version (and apparently now multiple times).

The Setup-EDScout.exe is an installer that installs the executable to program files. I read somewhere that using an installer can help as viruses tend not to bother with installers so that may help and I may well ditch the portable EDScout.exe I'd been releasing in parallel to cut down on my work load.

I know EDDiscovery is written in C# and as that's Microsoft's language, maybe they're less suspicious of it. I think this is all part of their cunning plan to get more people writing C# and to encourage more poor developers to shell out hard earned cash to add certificates to sign the software releases.

[joncage]

Submitted again: https://www.microsoft.com/en-us/wdsi/submission/6dc85a2b-6a84-44c8-9edd-59f2a6cef07e

[Rhaedas]

A quick and not thorough Google suggests that this is a common thing with using PyInstaller for a few reasons. There's a number of problems and "solutions" on StackOverflow, not sure if any would apply here. But I did have a thought - could you go ahead and submit a new version's exe to MS as being okay as a step in releasing it? Why wait for user reports if it's going to be a thing, just get it into their system to look at and approve.

[D4VID-B]

Yeah, I can imagine this is annoying. Which is why I hate to say this, but:

This was on the Setup exe I tried downloading just now.

Also, I appreciate you sharing the submission links, but I can't access them. Microsoft just shows this when I click the link: "You are not authorized to view details for the requested submission id (6dc85a2b-6a84-44c8-9edd-59f2a6cef07e)."
I'm logged in too - don't know if that affects things. Maybe it's a defense precaution.

[D4VID-B]

Also, regarding this being in Python, maybe try contacting the devs of ED Market Connector? Their Github shows that it's 100% Python and I didn't get any antivirus hits when installing their tool

[joncage]

Also, I appreciate you sharing the submission links, but I can't access them.

To be honest, I do that mostly for my own reference to make it easy to double-check the status.

Double-checking with EDMC is a good call. Looks like they use Py2Exe rather than PyInstaller and TKinter instead of a web UI so maybe it's that or maybe they have a way of signing releases I couldn't see from a quick source-skim.

Just as annoyingly, for some reason I never see this virus alerts when I download the same .exe's from github.

Submitted for the installer here too: https://www.microsoft.com/en-us/wdsi/submission/7d6d6cb3-7706-4405-ae9b-d6e64858f6fd

MS are this time refusing to unblock the EDScout.exe so I've raised a dispute with them. More fun and games!

[joncage]

Scanning the same .exe's I've uploaded to github from my machine I get no matches:

...which just makes this all the stranger. I don't understand why defender takes such an issue with this but I'll keep on battling!

[joncage]

A quick and not thorough Google suggests that this is a common thing with using PyInstaller for a few reasons. There's a number of problems and "solutions" on StackOverflow, not sure if any would apply here. But I did have a thought - could you go ahead and submit a new version's exe to MS as being okay as a step in releasing it? Why wait for user reports if it's going to be a thing, just get it into their system to look at and approve.

I'd had the same thought (proactive submission) but you're required to specify what detection was found and as my machine never marks them as bad in the first place that's impossible for me.

[D4VID-B]

Maybe its something to do with you also being the author and having the source code on the computer, or something else related to you being the author.
I'll wait for a bit, or until MC releases another Def or something and try again. Might try to mess around with it's settings too - maybe it's possible to make it less trigger-happy...

[joncage]

Maybe its something to do with you also being the author and having the source code on the computer, or something else related to you being the author.

Yeah, possibly.

If I find some time I'll have a bit more of a dig into EDMC and how they package things. I note that they produce a .msi rather than a innosetup-generated .exe installer which may also be another avenue to solve this. Very difficult to debug multi-faceted issues like this when all you have is the Microsoft black box telling you that they sort of (and inconsistently) don't like what you're doing...