
Title: TR/Crypt.XPACK.Gen-4 in easy_install.exe
Type: security
Stage:
Components:
Versions: Python 3.4
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: christian.heimes, dstufft, larry, ncoghlan, vinay.sajip
Priority: release blocker
Keywords:

Created on 2013-12-06 21:13 by christian.heimes, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Files
easyinstall.png (uploaded by christian.heimes, 2013-12-06 21:13)
Messages (8)
msg205402 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2013-12-06 21:13
Since today test_venv fails because Avira Antivir claims that easy_install.exe contains the trojan horse TR/Crypt.XPACK.Gen-4. I haven't seen the issue before. I'm running CPython default on Windows 7 64-bit with Avira 13.
msg205407 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2013-12-06 21:43
7 of 47 AV programs detect malicious software in pip's easy_install.exe:

Agnitum               Packed/MPress                                  20131206
AhnLab-V3             Trojan/Win32.TesA                              20131206
AntiVir               TR/Crypt.XPACK.Gen4                            20131206
Bkav                  HW32.CDB.9028                                  20131206
McAfee-GW-Edition     Heuristic.BehavesLike.Win32.Suspicious-BAY.K   20131206
TrendMicro            PAK_Generic.001                                20131206
TrendMicro-HouseCall  PAK_Generic.001                                20131206
msg205461 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2013-12-07 15:26
I found the offenders. distlib's wrapper scripts are detected as malicious programs by some antivirus programs.


msg205463 - Author: Vinay Sajip (vinay.sajip) (Python committer) Date: 2013-12-07 16:05
Hmmm. I use mpress to compress the executables. These AV results seem to be false positives, given that the files are green-lit by Symantec, Sophos, McAfee, Kaspersky, F-Prot, AVG, Avast and a bunch of other reputable AV products (based on Christian's links).

I suppose the executables could be shipped uncompressed (apparently the UPX compressor also sometimes causes false positives with AV software - and UPX can't compress 64-bit executables).

There have been complaints in the past that Avira's heuristics are not careful enough:

That link points to a 2011 thread.
msg205464 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2013-12-07 16:09
How are you creating these files anyway? I can't find any documentation or source files in distlib.
msg205466 - Author: Vinay Sajip (vinay.sajip) (Python committer) Date: 2013-12-07 16:18
It's in the docs at e.g.

and in the code at e.g.

The project to generate the launchers is at
msg205589 - Author: Vinay Sajip (vinay.sajip) (Python committer) Date: 2013-12-08 18:06
This commit in distlib uses uncompressed launcher executables which pass the checks:
msg206226 - Author: Vinay Sajip (vinay.sajip) (Python committer) Date: 2013-12-15 11:24
I've released distlib 0.1.5 on PyPI. This release uses uncompressed launchers which (at the time of writing) pass the checks on
History
Date                 User              Action  Args
2022-04-11 14:57:55  admin             set     github: 64112
2013-12-15 11:24:37  vinay.sajip       set     status: open -> closed; resolution: fixed; messages: + msg206226
2013-12-08 18:06:47  vinay.sajip       set     messages: + msg205589
2013-12-07 16:18:40  vinay.sajip       set     messages: + msg205466
2013-12-07 16:09:40  christian.heimes  set     messages: + msg205464
2013-12-07 16:05:23  vinay.sajip       set     messages: + msg205463
2013-12-07 15:26:39  christian.heimes  set     nosy: + vinay.sajip; messages: + msg205461
2013-12-06 21:43:13  christian.heimes  set     messages: + msg205407
2013-12-06 21:13:58  christian.heimes  create