
[BUG] Virus alarm for the .exe in the project #4063

Open
ghost opened this issue Sep 27, 2023 · 6 comments
Labels
bug Needs Triage Issues that need to be evaluated for severity and status.

Comments

@ghost

ghost commented Sep 27, 2023

setuptools version

68.2.2

Python version

Python 3.11

OS

Windows

Additional environment information

No response

Description

When I scan the downloaded zip from master or the last release 68.2.2, and scan the zip package or the different cli-*.exe and gui-*.exe files directly, I get virus detections on virustotal.com. Here are the results:
https://www.virustotal.com/gui/file/7b2e59ba9dab730c6aaa28ffb1f7a3a198e2bbb4330a974609b5193f1baeb212?nocache=1
https://www.virustotal.com/gui/file/32acc1bc543116cbe2cff10cb867772df2f254ff2634c870aef0b46c4b696fdb

I'm not so experienced with this case and now worry whether the project/files are secure to execute.

Expected behavior

Expected no virus alarm.

How to Reproduce

Reproducible by re-scanning.

Output

Scans:
https://www.virustotal.com/gui/file/7b2e59ba9dab730c6aaa28ffb1f7a3a198e2bbb4330a974609b5193f1baeb212?nocache=1
https://www.virustotal.com/gui/file/32acc1bc543116cbe2cff10cb867772df2f254ff2634c870aef0b46c4b696fdb

@ghost ghost added bug Needs Triage Issues that need to be evaluated for severity and status. labels Sep 27, 2023
@abravalheri
Contributor

Hi @Widdar77, thank you very much for the report.
Are you sure this is not a false positive?

@ghost
Author

ghost commented Sep 27, 2023

Hi @abravalheri

Thank you very much for the reply!

That is basically a question I want to ask a dev here because I can't answer this.
I'm not experienced with this topic and am only an end user who can't read the code or inspect anything.
I'm dependent on the expertise of the developers.
Can you guarantee that this is a false alarm and nothing is infected?
(This package is a dependency for an app I want to use, and I just scan all the stuff I download to my computer.)

@abravalheri
Contributor

abravalheri commented Sep 27, 2023

As far as I know the only person generating the .exe files in this repository is @jaraco based on the code in https://github.com/pypa/setuptools/blob/main/launcher.c (which you can inspect to ensure it is safe for you; see also https://github.com/pypa/setuptools/blob/v68.2.2/tools/build_launchers.py). I am very sure he is not intentionally introducing any malware.

I did a quick search and this report comes up in other places for other software that ship pre-compiled stuff (e.g. in the go community) and there seems to be a generalised suspicion that the heuristics employed are prone to false positives:

In these issues you see stories where the provider seems to be irresponsive about false positives (I also got an NET::ERR_CERT_DATE_INVALID error when trying to access their website, which is a bit concerning for a company in the "security" field).

Maybe you should contact virustotal (which I assume to be the service you are using) and report that the MaxSecure Trojan.Malware.300983.susgen heuristic has been reported to be prone to false positives and suggest for them to investigate this further?
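A check worth doing before worrying about a report like this, as an added example (not code from the issue or from setuptools): the SHA-256 in a VirusTotal file URL identifies the exact sample that was scanned, so hashing the launchers in your own install and comparing tells you whether those reports even apply to the files you have. The temporary install tree, the file contents and the VirusTotal URL in the demo are all constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# A VirusTotal file URL carries the SHA-256 of the scanned sample.
VT_URL_RE = re.compile(r"virustotal\.com/gui/file/([0-9a-fA-F]{64})")

def sha256_from_vt_url(url):
    """Return the SHA-256 embedded in a VirusTotal file URL, or None."""
    m = VT_URL_RE.search(url)
    return m.group(1).lower() if m else None

def sha256_of_file(path):
    """Stream a file through SHA-256 (launchers are small, but stay general)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def find_launchers(root):
    """Locate setuptools' cli-*.exe / gui-*.exe launchers under an install tree."""
    return sorted(p for pat in ("cli-*.exe", "gui-*.exe") for p in root.rglob(pat))

def match_launchers(root, vt_urls):
    """Map launcher name -> (local sha256, whether a VT report covers that file)."""
    scanned = {h for h in map(sha256_from_vt_url, vt_urls) if h}
    report = {}
    for exe in find_launchers(root):
        digest = sha256_of_file(exe)
        report[exe.name] = (digest, digest in scanned)
    return report

# Constructed demo: two fake launchers with known contents, and a constructed
# VT URL whose hash is sha256(b"abc"); only gui-64.exe is the scanned sample.
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
DEMO_URLS = ["https://www.virustotal.com/gui/file/" + SHA256_ABC + "?nocache=1"]

def demo():
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "setuptools"
        root.mkdir()
        (root / "cli-32.exe").write_bytes(b"")     # not the scanned sample
        (root / "gui-64.exe").write_bytes(b"abc")  # matches the VT report
        return match_launchers(root, DEMO_URLS)

if __name__ == "__main__":
    for name, (digest, covered) in demo().items():
        print(name, digest[:16], "scanned on VT" if covered else "NOT the scanned file")
```

A file whose hash matches neither URL was simply never the sample behind those reports, which is the first thing to establish before reading verdicts on it.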

@abravalheri
Contributor

abravalheri commented Sep 27, 2023

Another thing is that, if you install things with pip install ... instead of python setup.py install (the latter is deprecated and should not be used anyway), none of the gui-*.exe or cli-*.exe files are executed.

@ghost
Author

ghost commented Sep 27, 2023

Thanks for the reply. Then could I also delete the gui-*.exe and cli-*.exe files after installation with pip install?

@abravalheri
Contributor

abravalheri commented Sep 27, 2023

In theory yes, but I haven't tested...

Also note that setuptools is not a regular "package". It is a "package" for creating "packages"...
In most cases pip will install a brand new setuptools in an isolated Python virtual environment if you need to pip install another package that does not have a wheel published on PyPI...

The best would be to export the PIP_USE_PEP517=true environment variable to avoid those files getting used. (There are other ways, though, to force pip to use the deprecated installation method for some packages, so some tools trying to tap into that may still be subject to failures.)
