False Positives on Writing Tools.exe v7.1 – Observations & Friendly Suggestions

[chriskyfung]

Hi Dev Team,

I've downloaded and tested the Writing Tools.exe v7.1 for Windows, and I’ve come across some antivirus alerts that I wanted to share—mostly just to help make sure everything keeps running smoothly for all of us.

What I’ve Noticed

• F-Secure:
  It flags the executable as "HEUR/APC."

• Jotti Malware Scan:
  Most antivirus engines say the file is clean, though Avast calls it FileRepMalware and Fortinet reports it as W32/PossibleThreat. These few warnings seem a bit over the top.

• VirusTotal:
  Out of 61 vendors, 6 flagged the file (including Fortinet and Cylance), and it got a community score of 6/81 with a “Trojan” label. Not too many, but it might give some users pause.

• MetaDefender Cloud:
  All 16 engines marked the file as clean. There were some minor behavioral hints noted (three MITRE techniques with a score of 75), but nothing that appears to be a real threat.

I also noticed similar chatter in the past Issues #130 and #155 . In those cases, it was mentioned that the alerts might be linked to the way PyInstaller packages the file—so it’s probably not something in the actual code.

My Suggestions

• Digital Signing:
  It might help to add a robust digital signature to the executable. A trusted digital signature can boost confidence among users and possibly lower false positive rates.

• Packaging Options:
  If possible, exploring alternative packaging methods to replace PyInstaller.

Thanks so much for all the work you put into Writing Tools. I hope this feedback is helpful.

Cheers :)

---

Attachments

• Jotti Malware Scan Report
  

• VirusTotal Scan Report
  

• MetaDefender Cloud Scan Report
  

[theJayTea]

Dear Chris,

This is super comprehensive and helpful—thanks so much for your time! I didn't know some of these really intriguing sites existed haha.

Once I get time after my exams, for the next release onwards, I'm going to manually compile the PyInstaller bootloader (if we use PyInstaller out of the box, it has the same signature as a ton of malware, which is the core of the false positives—a really common issue with PyInstaller). This should solve 75% of the detections, while the rest might still be sensitive to PyInstaller. Unfortunately, packaging alternatives like Nuitka are much worse in this regard.

I will also try signing the exe. From my cursory research, I'd have to end up paying a signing company to get the builds signed—if you know any way this can be done at no cost, I'd be grateful :)

Thank you again for your really comprehensive report and for your advice. I deeply appreciate your support!

Kind regards,
Jesai

[chriskyfung]

Dear Jesai,

Thanks so much for the update! It sounds like you’ve got a great plan in place.

I wanted to share a bit from my experience a few years ago. At the time, after paying a one-time registration fee for a Microsoft developer account, apps packed as MSIX installers were automatically digitally signed for free when published to the Microsoft Store. If this approach still works, it might be worth exploring. You can find more details in this blog post: How to publish your MSIX package to the Microsoft Store?. However, since that was a while back, I’m not sure whether the same method still applies today.

I also saw a Microsoft Q&A about signing Electron apps, where a Microsoft staff member shared the following options:

1. Use Microsoft’s Trusted Signing service (formerly Azure Trusted Signing)
2. Purchase a certificate from a trusted Certificate Authority
3. Use a self-signed certificate

Additionally, I came across a Reddit thread mentioning that Microsoft no longer offers free code signing certificates for Win32 apps (EXE and MSI). However, some comments suggested that free signing might still apply to MSIX/APPX installers for Windows 10/11.

It seems that Microsoft ended their free signing service in mid-2024, replacing it with a subscription model at $9.99/month for the basic plan. For more details, here are some links:
• Microsoft Launches Trusted Signing in Public Preview: an End-to-End Signing Solution for Developers
• How to initiate Identity Validation for an Individual Developer?

Considering all this, the MSIX packaging route might still be worth investigating if free signing for MSIX/APPX is still available. Either way, it’s probably a good idea to double-check the current policies before moving forward.

Best regards,
Chris

[theJayTea]

Dear Chris,

Thank you so so much for the insight! I'll be sure to deeply explore MSIX and any other possibilities when I can.

Thanks a ton again :D

Best,
Jesai