How to stop anti virus software flagging your Python application as malware

Compiling your application into an executable makes it easy to distribute to users. Popular tools to do this are pyinstaller or py2exe.

However one downside is that compiled Python code is frequently picked up by anti virus software as malicious, with scary sounding names like Wacatac.B!ml.

These are generally false positives, but they can be deeply unsettling for users.

In particular with Windows Defender, this can also make it effectively impossible for users to use your software since it may be placed into "quarantine" which means it cannot be used without disabling Windows Defender.

This guide explains steps which can resolve this and allow you to distribute your compiled python files without them being incorrectly identified as malware, a virus or a trojan.

Step 1: Check which anti-virus engines are flagging your software

Uploading your file to virustotal will let you know which engines are identifying your software as malware.

Step 2: Report these as "false positives" to the anti-virus providers

Anti-virus providers are surprisingly pro-active in responding to reports of false positives. The analysis and action can occur within hours.

I generally submit the file, politely explain the issue and include a link to my source code.

Unfortunately there's a good chance that every time you recompile your code for changes you will get re-added to the "naughty list" because the new executable has a different hash. Unfortunately there's not much to do other than keep re-submitting. If you have digitally signed your executable then you should built reputation over time.

Very important: Make sure you as submitting as a false positive. Often there are similar forms which you can use to submit software which you think is malware.

List of links to report false positives

Provider	Link	Method
Windows Defender	https://www.microsoft.com/en-us/wdsi/filesubmission	Online form
Avast	https://www.avast.com/false-positive-file-form.php	Online form
MalwareBytes	https://forums.malwarebytes.com/forum/42-file-detections/	Create forum account and post
Comodo	https://www.comodo.com/home/internet-security/submit.php	Online form
Symantec	https://symsubmit.symantec.com/	Online form
Norton	https://submit.norton.com/?type=FP	Online form
Sophos	https://support.sophos.com/support/s/filesubmission?language=en_US	Online form
Avira	https://www.avira.com/en/analysis/submit?utm_source=CS&utm_medium=KB	Online form
Bitdefender	https://www.bitdefender.com/consumer/support/answer/40673/	Online form
F-Secure	https://www.f-secure.com/en/business/support-and-downloads/submit-a-sample	Online form
AVG	https://www.avg.com/en-us/false-positive-file-form	Online form
Sangfor	https://sec.sangfor.com.cn/user_feedback?lang=EN-US	Online form
Ikarus	false-positive@ikarus.at	email
McAfee	virus_research@avertlabs.com	email with subject line starting FALSE
Dr Web	https://vms.drweb.com/sendvirus/?lng=en	Online form
ClamAV	https://www.clamav.net/reports/fp	Online form
SecureAge	https://www.secureage.com/article-report-false-positive	Online form

Another good idea: Get a digital certificate

This isn't an immediate fix, but getting a digital certificate to "sign" your executables will allow you to build reputation with anti virus software.

You can get a certificate for €60 a year with Comodo. They require you to provide various kinds of identification and the process can take around 48 hours.

Once you have the certificate you can sign the EXE using Microsoft's SignTool which is included with Windows SDK.