Joulescope UI 1.0.36 flagged by anti-virus software

So, this is happening again. As of 2023-10-30T10:42Z, VirusTotal indicates that 16 of 72 antivirus programs are flagging joulescope.exe. The installer is currently clean with all vendors.

Unfortunately, some big names are on that list including Microsoft and BitDefender. I have already submitted the joulescope.exe file to Microsoft and BitDefender for false positive analysis. They will usually take action within 3 days and update their definitions.

Here is my comment on the file submission:

The joulescope.exe file is a python application built into an executable by PyInstaller 6.1.

PyInstaller is legitimate software, but it is also used by less savory applications. Binary matches on PyInstaller code are not a useful indicator for trojans and viruses, and it flags legitimate software like joulescope.exe.

Why could this be happening?

  1. We updated PyInstaller from 5.x to 6.1 with this release. PyInstaller creates executables, and these executables will share PyInstaller binary code. Modern heuristic anti-virus software looks for these binary code patterns. It is very likely that some malicious software built with PyInstaller was correctly categorized as malicious, and the PyInstaller binary code also used by joulescope.exe was flagged as malicious, too. The anti-virus software vendors need time, more samples and data to separate the malicious code from PyInstaller.
  2. The Joulescope UI is a complicated program that relies on Python, the Python standard library, and many libraries available on pypi. Although not likely, it is possible that one of these dependencies contains malicious software.
  3. The build process has been corrupted. The Joulescope UI is built using GitHub Actions on the stock Windows OS image from GitHub. Although it is possible that this Windows OS image is infected, it is highly unlikely.
  4. Our file storage has been corrupted. The hash of the installer exactly matches the hash from upload, so this has not occurred.

What can you do?

  1. Update your antivirus software’s definitions. The latest definitions will eventually fix the false positive detection, which is the most likely reason for joulescope.exe being flagged as malicious software.
  2. Report the false positive detection to your antivirus software. They usually take action within 3 days.
  3. Restore the threat and allow joulescope.exe 1.0.36 to run. Alternatively, download and run 1.0.31.
  4. Run directly from Python.
    1. Download and install Python 3.11.6.
    2. python -m pip install -U --upgrade-strategy=eager joulescope_ui
    3. python -m joulescope_ui

Unfortunately, this is not the first time that this has happened to the Joulescope UI:

I have also submitted joulescope.exe to McAfee, GData, and VIPRE for false positive analysis.

As of 2023-10-30T11:56Z, I have marked 1.0.31 as the preferred stable release again so that the Joulescope UI will no longer prompt to automatically update to 1.0.36. The Joulescope download page also shows 1.0.31 again. I will keep 1.0.31 for a few more days to give the anti-virus vendors an opportunity to analyze the file.

There are a bunch of good reasons to update to 1.0.36. Here is the changelog:

  • Added software controlled fuse support.
  • Updated to pyjoulescope_driver 1.3.20 which includes JS220 FPGA & FW to 1.1.0 with fuse support.
  • Updated to pyjls 0.8.2 with improved truncation recovery.
  • Added exception catch to GL string get.
  • Added Waveform widget “auto” marker statistics text position as default #224
  • Improved Waveform widget autoranging #228
  • Reduced required OpenGL API version from 4.4 to 3.3.
  • Improved sidebar flyout widget #225
    • Automatically close when mouse leaves to the right.
    • Added vertical scroll bar to flyout.
    • Converted settings widget to flyout, not pop-over.
  • Added automatic recording close on app exit #232

If you want to upgrade to 1.0.36 in the meantime, you can download here.

Alternatively, you can choose to be on the Joulescope UI beta distribution. Within the Joulescope UI, select Widgets → Settings → Common → software_update_channel → beta. Close the Settings Widget and restart the Joulescope UI.

Let’s see what Antivirus software vendors think of joulescope.exe from different Joulescope UI versions:

While investigating this issue, I noticed that only the installer executable was being signed for Windows. Signing the joulescope.exe application file definitely helps. Only 3 out of 72 now indicate joulescope.exe as malicious, and Microsoft is now good! I can use Windows File Explorer to select “C:\Program Files\Joulescope”, then right click “Scan with Microsoft Defender…”. The scan runs with “No current threats.”
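Two of the checks mentioned in this thread (the installer hash matching the published value, and joulescope.exe now carrying an Authenticode signature) can be run locally before restoring a quarantined file. The script below is an added example, not code from Joulescope or this post; the file path, the expected SHA-256 and the expected signer name are placeholders to fill in from the download page and the signed installer.

```powershell
# Added example (not from the original post). Verifies a downloaded Joulescope
# file by (1) comparing its SHA-256 with the published hash and (2) checking its
# Authenticode signature status and signer subject.
# Assumptions: $Path, $ExpectedSha256 and $ExpectedSigner are placeholders.

function Test-JoulescopeBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,  # value published with the download
        [string] $ExpectedSigner = ''                     # substring of the signer subject; optional
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; HashOk = $false; SignatureOk = $false; Reason = 'file not found' }
    }

    # Step 1: hash comparison (case-insensitive, as Get-FileHash returns upper-case hex)
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashOk = ($actual -ieq $ExpectedSha256)

    # Step 2: Authenticode signature; 'Valid' means the chain verified and the file is unmodified
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $sigOk  = ($sig.Status -eq 'Valid')
    if ($ExpectedSigner -ne '') { $sigOk = $sigOk -and ($signer -like "*$ExpectedSigner*") }

    $reason = if ($hashOk -and $sigOk) { 'ok' }
              elseif (-not $hashOk)     { 'hash mismatch' }
              else                      { "signature $($sig.Status)" }

    [pscustomobject]@{
        Path        = $Path
        Sha256      = $actual
        HashOk      = $hashOk
        SignStatus  = $sig.Status
        Signer      = $signer
        SignatureOk = $sigOk
        Reason      = $reason
    }
}

# Usage (placeholders): compare against the hash shown on the download page.
Test-JoulescopeBinary -Path 'C:\Program Files\Joulescope\joulescope.exe' `
                      -ExpectedSha256 '<sha256 from download page>' `
                      -ExpectedSigner '<publisher name from the signed installer>'
```

A result of HashOk = True with SignStatus = Valid is the condition under which restoring the file from quarantine (step 3 above) is reasonable; a hash mismatch means the file on disk is not the one that was published and should not be restored.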

Joulescope UI 1.0.42 (download) scans clean on VirusTotal!

In addition to fixing the anti-virus false positive detections, this release also includes the new JS220 soft-fuse and offset calibration. You can view the full changelog.

We solved this issue by switching our distribution approach from PyInstaller to Nuitka. We are also now a proud Nuitka sponsor with full access to Nuitka commercial, which will also help us better manage any false positive anti-virus detections in the future.