
classification
Title: Possible false detection of Windows LZMA library as a malware by Avast
Type:
Stage: resolved
Components: Windows
Versions: Python 3.10, Python 3.9

process
Status: closed
Resolution: third party
Dependencies:
Superseder:
Assigned To:
Nosy List: paul.moore, steve.dower, thfetoile, tim.golden, zach.ware
Priority: normal
Keywords:

Created on 2022-01-21 10:29 by thfetoile, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Messages (4)
msg411105 - Author: Nathan/Eilisha Shiraini (thfetoile) Date: 2022-01-21 10:29
Sending this here for information mostly.

On Windows, a recent (2022-01-21) Avast update makes it target the binary LZMA module embedded in Python 3.9 and 3.10.

I'm talking about this file: <Python install directory>\DLLs\_lzma.pyd

I've run a VirusTotal scan of the 3.10 version of the file, which has returned 2 positives out of 67 at the time I'm writing this:
https://www.virustotal.com/gui/file/f904b02720b6498634fc045e3cc2a21c04505c6be81626fe99bdb7c12cc26dc6

Can you confirm this is a false positive? Given the VirusTotal result I'm assuming it is; however, I'd like to get official confirmation.

msg411106 - Author: Nathan/Eilisha Shiraini (thfetoile) Date: 2022-01-21 10:34
Also I should have added: I have already reported the file to Avast as a possible false positive, and I'm working on an app that heavily relies on LZMA so this has a high impact for me.

msg411133 - Author: Steve Dower (steve.dower) (Python committer) Date: 2022-01-21 15:12
I don't think we've changed anything here in years, so I'd be very surprised if something new was in there.

More likely somebody PyInstaller'd some malware and the scanners picked up a generic part of it as the signature. Reporting it as a false positive should let them compare against the original sample and correct it.

msg411135 - Author: Nathan/Eilisha Shiraini (thfetoile) Date: 2022-01-21 15:21
Thanks for the quick response. It seems Avast was just as quick: I updated my AV's databases a few minutes ago and now it doesn't report the files as malware. Same for the VirusTotal scans.

History
Date                 User         Action  Args
2022-04-11 14:59:55  admin        set     github: 90610
2022-01-21 23:42:35  terry.reedy  set     status: open -> closed; resolution: third party; stage: resolved
2022-01-21 15:21:14  thfetoile    set     messages: + msg411135
2022-01-21 15:12:57  steve.dower  set     messages: + msg411133
2022-01-21 10:34:20  thfetoile    set     messages: + msg411106
2022-01-21 10:29:02  thfetoile    create