Antivirus

[Mediocrity228]

Why does Windows Defender and not only him detect this file as a Trojan?

[wasiejen]

Hello and thanks for using/testing the program.

Can you give some more information about what the windows defender found?

The only package I use is pynput and I do not think that this package has a trojan in it. That would be widely known because of the size of the userbasis of this package.

To be recognized as trojan is also strange. The behavior of the program is more like a key logger - it observed the input of your keyboard to realize the snap tap or key replacements. If it is recognized as a trojan then most likely because it is packed as an executable file.

I googled some and found a potential explanation:

Medium Article on python executables seen as Malware

So most likely a false positive from windows defender.

I could get the exe whitelisted from the windows defender, but as soon as I change something in the py file and repack it as exe it will most likely get a false positive from windows defender as before.

So the easiest way is to whitelist it yourself in your windows defender settings or use the py file firectly.

Will have a further look into it when not only at my phone. :-)

[wasiejen]

Here is a analysis of the current V0.40 executable:

https://www.virustotal.com/gui/file/279c96d57ad91761d9c5137d1d75cff37899350c53f2cb26d8fb6fdc0e3c2be3

20/75 virus tools seem to identify it as malware/trojan.
Clean bill from the big ones: Microsoft, Kaspersky, Symantec, Google, McAffee, Sophos, etc ...

So Windows Defender should not give a false positive.
Your Windows Defender might not be up to date?

[Mediocrity228]

In principle, it is a very good program, but the Trojan is very confusing
I always install the newest updates
Yes, look like false positive

[wasiejen]

That is quiet mysterious. I get no such warning on my windows system.

I also run the py file through VirusTotal just to see if something there is also being flagged.

https://www.virustotal.com/gui/file/d12de6f7e2e2ddab6405462c0697769f29cea8ec35c8fa4ac76f4e2dcc111ca0

But this gets a completely green bill.

So in my opinion it just seems to be the repackaging as an executable file thats produces these false flags.
I use pyinstaller for it and just add an icon to it - nothing else.

So if you are uncomfortable with this false flag, then just use the py file directly. The exe file is just for easier usage and does exactly the same as the py file. There is nothing in the program that goes beyond the in the readme described functions.

For testing purposes I created a version without sys and root checks for linux, but the results are exactly the same - and everything else is needed for it to work.

So there are 4 options for me:

1. It would be needed to report the false positives to each of the companies of the virus tools that reported false positives and provide the exe and the source code for it to be checked. And that for each new version of the executable.
   • That is definitely to much hassle xD
2. Get a Certificate to sign the exe myself.
   • That means cost for a certificate, time for it to be accepted and most likely over time and with reputation of the certificate for not being used to sign malware the false positves might get less.
   • Only makes sense if I publish more than just this one small program.
3. Remove the exe from the repo and just offer the py file
   • Problem solved, not more false positives :-), but I dont know how many use the exe file and who will be inconvenienced by removing it.
4. Do nothing yet and observe it further.
   • I tend to this wait and see approach atm. And maybe add a warning of false positives to the readme.

And I thank you for bringing up this topic, because I was totally unaware about this possibility of false positives of antivir and packed py executables. Learned something new. :-)

[Mediocrity228]

I downloaded version V0.50, Windows Defender will no longer detect the Trojan

[wasiejen]

That is good to hear. :-)
But honestly I have no idea why. xD

VirusTotal even increased to 21/75 positives with that release.