
Windows Portable Release v4.0 flagged as Trojan:Win32/Zpevdo.B #82

Closed
twkonefal opened this issue Sep 14, 2020 · 5 comments

@twkonefal

twkonefal commented Sep 14, 2020

Tried to set this up today, but contents were flagged as a Trojan by Windows Security.

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3aWin32%2fZpevdo.B&threatid=2147729093

containerfile: C:\Users\<USERNAME>\Downloads\nsz_v4.0.0_win64_portable.zip
file: C:\Users\<USERNAME>\Downloads\nsz_v4.0.0_win64_portable.zip->nsz_v4.0.0_win64_portable/nsz.exe
@frasersmith5

This is the same for me. Ran on VirusTotal and got the following results: https://www.virustotal.com/gui/file/a694e2428f6964709d0a1b25fb705fed47c27ac41e3057143c1526574e29fa14/details

@nicoboss
Owner

nicoboss commented Sep 15, 2020

It's just a false positive that randomly appeared with the latest Windows Defender intelligence update and will probably be removed again in one of the next few Windows Defender intelligence updates. Because at the time of release this false positive didn't exist, there was no way for me to avoid this issue. Recompiling the exact same version, the exact same way I did for release, brought detections down from 7/69 to 4/66 and fixed the Windows Defender false positive: https://www.virustotal.com/gui/file/8d755ee694c48c75fdc365b9d6b57164f4f734a759d2d23a1e21d9f9ae835f98/detection

There is really not much I can do against the incompetence of some virus detection tools. Sometimes writing them an email gets the false positives removed, but often they don't even respond. The main issue is probably that I'm packing Python and all required libraries into a portable release. There are a lot of malicious portable Python programs out there using very similar libraries (like pycryptodome for ransomware), causing my program to be wrongly detected. The only real solution would be signing the code as a trusted publisher, but that costs quite some money which I'm not willing to spend.

Just always let me know if some popular anti-virus tool like Windows Defender wrongly flags it and I'll try my best to make it no longer detect it. If you don't trust my portable releases, just use the pip version or run it from source. I compared the binary in question with a clean build made on a different PC and can confirm that there was never anything malicious in there.

At least for now, downloading the reuploaded nsz_v4.0.0_win64_portable.zip from https://github.com/nicoboss/nsz/releases/tag/4.0.0 works perfectly fine for me; however, I can't promise that Windows Defender won't flag it again in a few hours, especially because nothing really changed compared to the last version, as it's just a rebuild of the exact same source.
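An added example, not code from the nsz project, of the check the owner describes above: comparing a downloaded portable zip against a clean rebuild file by file, so that an entry present only in the download or whose content differs stands out, plus the whole-archive SHA-256 that VirusTotal uses as the report id. The two archives are constructed inside the block; the paths mirror the zip layout quoted in the first comment.

```python
import hashlib
import io
import zipfile

def archive_sha256(archive: bytes) -> str:
    """SHA-256 of the whole zip; this is the id VirusTotal keys its reports on."""
    return hashlib.sha256(archive).hexdigest()

def member_hashes(archive: bytes) -> dict:
    """Map every file entry inside a zip to the SHA-256 of its decompressed content."""
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                hashes[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return hashes

def compare_archives(download: bytes, rebuild: bytes) -> dict:
    """File-by-file diff of a downloaded release against a clean rebuild.

    Comparing member contents instead of raw archive bytes ignores zip
    metadata (timestamps, entry order) that differs between packagings.
    """
    a, b = member_hashes(download), member_hashes(rebuild)
    return {
        "only_in_download": sorted(set(a) - set(b)),
        "only_in_rebuild": sorted(set(b) - set(a)),
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
        "identical": a == b,
    }

def make_zip(files: dict) -> bytes:
    """Build an in-memory zip from {path: content}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample archives (not the real nsz release): the "download" carries
# one extra DLL that the clean rebuild does not produce.
EXE = b"MZ\x90\x00constructed-nsz-exe-bytes"
REBUILD_ZIP = make_zip({"nsz_v4.0.0_win64_portable/nsz.exe": EXE,
                        "nsz_v4.0.0_win64_portable/README.md": b"# nsz\n"})
DOWNLOAD_ZIP = make_zip({"nsz_v4.0.0_win64_portable/nsz.exe": EXE,
                         "nsz_v4.0.0_win64_portable/README.md": b"# nsz\n",
                         "nsz_v4.0.0_win64_portable/unexpected.dll": b"constructed"})
```

For a real PyInstaller build the packed nsz.exe itself will usually differ between two rebuilds, as the two VirusTotal hashes in this thread show, so a mismatch on that single entry needs a deeper look rather than a verdict; extra or missing entries are the quick signal.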

@Pythonic-Rainbow

Yeah, just want to add a note that the reuploaded package has been flagged again.

@nicoboss
Owner

I can confirm that the latest Windows Defender update KB2267602 flags it again. I might drop PyInstaller and instead use portable WinPython and write a batch script to execute it from source. I had similar issues with PyInstaller and false positive virus detection in the past for my Floatmotion project, and this is how I solved it there.

nicoboss added a commit that referenced this issue Sep 21, 2020
…ows Defender as reported in #82. It will be replaced with WinPython.
@nicoboss
Owner

I just released NSZ v4.0.1, where I replaced PyInstaller with WinPython: https://github.com/nicoboss/nsz/releases/tag/4.0.1
I spent a lot of time deleting every piece of the Python standard library not required to run nsz in order to save storage and speed up extraction time by having fewer files to extract. This was tested on Windows 7, Windows 10 and Windows Server 2019.
Thanks to everyone for reporting this!
