So, this is happening again. As of 2023-10-30T10:42Z, VirusTotal indicates that 16 of 72 antivirus programs are flagging joulescope.exe. The installer is currently clean with all vendors.
Unfortunately, some big names are on that list including Microsoft and BitDefender. I have already submitted the joulescope.exe file to Microsoft and BitDefender for false positive analysis. They will usually take action within 3 days and update their definitions.
Here is my comment on the file submission:
The joulescope.exe file is a python application built into an executable by Pyinstaller 6.1.
PyInstaller is legitimate software, but it is also used by less savory applications. Binary matches on PyInstaller code are not a useful indicator for trojans and viruses, and it flags legitimate software like joulescope.exe.
Why could this be happening?
- We updated PyInstaller from 5.x to 6.1 with this release. PyInstaller creates executables, and these executables share PyInstaller binary code. Modern heuristic anti-virus software looks for these binary code patterns. It is very likely that some malicious software built with PyInstaller was correctly categorized as malicious, and the PyInstaller binary code also used by joulescope.exe was flagged as malicious, too. The anti-virus software vendors need time, more samples and data to separate the malicious code from PyInstaller.
- The Joulescope UI is a complicated program that relies on Python, the Python standard library, and many libraries available on PyPI. Although not likely, it is possible that one of these dependencies contains malicious software.
- The build process has been corrupted. The Joulescope UI is built using GitHub Actions on the stock Windows OS image from GitHub. Although it is possible that this Windows OS image is infected, it is highly unlikely.
- Our file storage has been corrupted. The hash of the installer exactly matches the hash from upload, so this has not occurred.
What can you do?
- Update your antivirus software’s definitions. The latest definitions will eventually fix the false positive detection, which is the most likely reason for joulescope.exe being flagged as malicious software.
- Report the false positive detection to your antivirus software. They usually take action within 3 days.
- Restore the threat and allow joulescope.exe 1.0.36 to run. Alternatively, download and run 1.0.31.
- Run directly from Python:
  - Download and install Python 3.11.6.
  - Run the following two commands:

        python -m pip install -U --upgrade-strategy=eager joulescope_ui
        python -m joulescope_ui
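The two checks a user can do before deciding to restore a quarantined build are the ones described above: confirm the downloaded file's hash matches what was uploaded, and look at how many engines flag that hash rather than trusting a single vendor. The script below is an added example, not Joulescope project code. It assumes a vendor-published SHA-256 (placeholder) and a VirusTotal v3 file-report JSON of the documented shape (GET https://www.virustotal.com/api/v3/files/{sha256} with an x-apikey header); the embedded report is a constructed sample so the summary logic runs offline.

```python
"""Integrity and detection-ratio check for a downloaded build artifact.

Added example, not code from the Joulescope project. Assumptions:
  - EXPECTED_SHA256 is the digest published on the vendor's download page
    (placeholder below; fill in the real value before use).
  - VirusTotal v3 file reports have the documented shape:
    data.attributes.last_analysis_stats / last_analysis_results.
"""
import hashlib
import hmac
import json
import urllib.request

# Placeholder: replace with the SHA-256 shown on the vendor's download page.
EXPECTED_SHA256 = "<expected SHA-256 from vendor download page>"


def sha256_of_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_matches(computed_hex: str, expected_hex: str) -> bool:
    """Case-insensitive, constant-time comparison of two hex digests."""
    return hmac.compare_digest(computed_hex.strip().lower(),
                               expected_hex.strip().lower())


def summarize_vt_report(report: dict) -> dict:
    """Reduce a VirusTotal v3 file report to 'flagged / total' plus the flagging engines.

    Engines reporting 'malicious' or 'suspicious' count as flagging; the total
    is every engine that returned a verdict (including 'undetected'/'harmless').
    """
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    results = attrs.get("last_analysis_results", {})
    flagged = sorted(
        name for name, r in results.items()
        if r.get("category") in ("malicious", "suspicious")
    )
    total = sum(stats.get(k, 0)
                for k in ("malicious", "suspicious", "undetected", "harmless"))
    return {"flagged": len(flagged), "total": total, "engines": flagged}


def fetch_vt_report(sha256_hex: str, api_key: str) -> dict:
    """Look up an existing report by hash (no file upload). Requires network."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{sha256_hex}",
        headers={"x-apikey": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample shaped like a VT v3 response; engine names are invented.
SAMPLE_REPORT = {
    "data": {
        "attributes": {
            "last_analysis_stats": {"malicious": 2, "suspicious": 0,
                                    "undetected": 3, "harmless": 0},
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Trojan.Generic"},
                "EngineB": {"category": "undetected", "result": None},
                "EngineC": {"category": "malicious", "result": "Gen:Variant"},
                "EngineD": {"category": "undetected", "result": None},
                "EngineE": {"category": "undetected", "result": None},
            },
        }
    }
}


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; for a real file:
    #   digest = sha256_of_file("joulescope.exe")
    #   print(digest_matches(digest, EXPECTED_SHA256))
    #   print(summarize_vt_report(fetch_vt_report(digest, "<api key>")))
    print(summarize_vt_report(SAMPLE_REPORT))
```

Looking up the hash rather than uploading the file avoids sending a possibly sensitive binary to a third party, and the engine list makes it easy to see whether the flags come from generic heuristics names (which is what a PyInstaller false positive usually looks like) or from several vendors agreeing on a specific family.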
Unfortunately, this is not the first time that this has happened to the Joulescope UI: