
Python script distribution on Windows - options to avoid virus false positives?


Turning a .py script into an .exe on Windows seems to always result in false-positive virus detection hits.

There are LOTS of discussion threads about this on Stack Overflow and elsewhere. A really good summary is here.

pyinstaller from pip, pyinstaller with local-compiled bootloader, py2exe, and nuitka are the various .exe-builders I've tried so far. Various build tools result in various hit counts on virustotal.com but it seems there will always be some hits no matter what you do - this is the world we live in.

I understand that signing is an option, though the tool being distributed is free and open-source, so the signing option probably won't be pursued.

Chasing down the antivirus vendors to report false positives each time the script is edited and the .exe is rebuilt doesn't seem like a good use of time.

The question here: is it best to give up on the idea of distributing an .exe? Is a full python installation on the end user's machine, and then just distributing the .py file, the best way to go? That option seems pretty heavy-weight and overbearing and prone to more installation issues. But, if it's the only way to avoid the antivirus dance...? Or is there another middle option?


Solution

  • This may be the best option: use the embeddable package as downloaded from python.org. The official docs spell it out in the second half of section 4.4.1 of 'Using Python on Windows'.

    In their downloads pages, after selecting a version, you can get to a page like this (for python 3.10):

    [Screenshot: python.org download page for the selected version]

    Download the 'Windows embeddable package' for 32 or 64 as needed. Let's say you extract the downloaded zip to $MYDIR. Then to run your python script, e.g. from a Windows batch file, you could just have a line like

    call $MYDIR\python.exe myscript.py

    Zero threats detected on virustotal.com for $MYDIR\python.exe, since it's known and signed and trusted and unmodified. Just to be sure, I did a Windows scan of the entire directory that contains the batch file, myscript.py, and $MYDIR - no threats detected.

    This flow appears to work for this application so far. Will wait to accept this answer until it's been working for a few days.

    The downloaded 32-bit embeddable package is 7.1MB and unzips to 15.6MB - not huge, not tiny, but sufficiently small for this particular app.

    Does anyone have experience with this embeddable package solution, and might know of any caveats or pitfalls?
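
The answer relies on the runtime being "signed and trusted and unmodified". The launcher below is an added example, not part of the original answer: it checks the Authenticode status of each binary in the extracted folder before running the script. The folder name `.\python-embed` and the file name `myscript.py` are placeholders, and it assumes every `.exe`, `.dll` and `.pyd` in the package carries a valid signature.

```powershell
# Added example: pre-flight signature check for the extracted embeddable runtime.
# $MyDir stands in for $MYDIR from the answer; both defaults are placeholders.
param(
    [string]$MyDir  = ".\python-embed",
    [string]$Script = ".\myscript.py"
)

$python = Join-Path $MyDir "python.exe"
if (-not (Test-Path $python)) {
    Write-Error "python.exe not found under $MyDir"
    exit 2
}

# Inventory every binary in the runtime folder with its Authenticode status.
$results = Get-ChildItem -Path $MyDir -Recurse -File -Include *.exe, *.dll, *.pyd |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.Name
            Status = $sig.Status
            Signer = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "" })
        }
    }
$results | Format-Table -AutoSize

# Any status other than 'Valid' (NotSigned, HashMismatch, NotTrusted, ...) means
# the file is unsigned, was modified after signing, or chains to an untrusted root.
$bad = @($results | Where-Object { $_.Status -ne 'Valid' })
if ($bad.Count -gt 0) {
    Write-Error ("Refusing to run: {0} file(s) failed signature validation." -f $bad.Count)
    exit 1
}

# All binaries validated: run the script with the bundled interpreter.
& $python $Script
exit $LASTEXITCODE
```

Running this once after extraction, and again after any update to the bundle, shows whether a file in the runtime folder was replaced or patched, which is also the kind of change that tends to bring antivirus detections back.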