If you downloaded a Python-based app and Defender immediately flagged it as malware, here is what is actually happening and why it is almost always a false positive.
If you have downloaded a Python-based desktop app and had Windows Defender immediately flag it as malware, you are not alone. It happens to nearly every PyInstaller-compiled executable, and it is almost always a false positive. Here is what is actually going on.
PyInstaller's one-file mode packages a Python program into a single .exe by appending an archive of the Python interpreter DLL, every dependency, and your program's compiled bytecode to a small, stock bootloader. When that exe runs, the bootloader unpacks the archive into a temporary directory (a _MEIxxxxxx folder under %TEMP%), loads the interpreter from there, and runs your code. That unpack-and-execute pattern is exactly what a lot of dropper malware does, and the bootloader is the same binary for every app built with a given PyInstaller release, so a heuristic or machine-learning scanner that has seen real malware shipped this way tends to flag any binary that shares the packaging, before it has any view of what the Python code inside actually does. Shipping in one-dir mode removes the runtime extraction but not the shared bootloader, which is why it only sometimes helps.
The detection name is usually something like Trojan:Win32/Wacatac or Win32/Casdet, often with an !ml suffix. These are generic, classifier-driven labels rather than signatures for a specific, analyzed sample; the !ml suffix in particular marks a verdict from Defender's machine-learning engine. In practice they mean "this executable has characteristics we associate with malware," and PyInstaller bundles trip exactly those heuristics. One quick way to tell the two cases apart: a genuine infection usually lights up many engines on VirusTotal with consistent family names across vendors, while a PyInstaller false positive typically shows one or a handful of engines reporting generic names like these.
The PyInstaller project has documented this problem for years. The Electron team ran into the same class of issue. Other popular tools like Nuitka and cx_Freeze have the same problem. It is not specific to my software or my code.
A valid Authenticode code signature tells Windows that the exe came from a verified publisher. That mostly addresses the SmartScreen "Windows protected your PC" prompt, which is about publisher reputation; it reduces, but does not fully eliminate, Defender's heuristic hits on the same binary, because the engine still sees the same bootloader and unpack behaviour. Code signing also requires a certificate from a certificate authority, and those cost roughly $100 to $500 per year depending on the provider. For free software with no revenue, that is hard to justify. The no-cost alternative is to report each flagged build to Microsoft as a false positive through their security intelligence file-submission page; that usually clears the specific file, but it has to be repeated for every release because the hash changes.
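To see what a scanner is reacting to, here is a small triage script, added for this page rather than taken from PyInstaller or from the software described here. It locates PyInstaller's archive cookie by its MEI magic (the 88-byte layout of magic, archive length, TOC offset, TOC length, Python version and DLL name mirrors the bootloader's COOKIE struct; decoding the version as major*100+minor, or major*10+minor for old releases, is an assumption borrowed from how third-party extractors read it) and reads the PE security data directory to tell whether the file carries an Authenticode signature. The PE skeletons built by build_fake_exe are constructed for the demo and are not runnable programs; on a real download, call triage on the file's bytes.

```python
import struct
import sys

# PyInstaller archive cookie, as written by the bootloader's COOKIE struct:
# magic[8], len, TOC offset, TOC len, pyvers (all uint32, big-endian), pylibname[64].
PYINSTALLER_MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FORMAT = "!8sIIII64s"
COOKIE_LEN = struct.calcsize(COOKIE_FORMAT)  # 88 bytes


def pyinstaller_info(data: bytes):
    """Return details of the embedded PyInstaller archive, or None if there is none."""
    # rfind: the bootloader itself may contain the pattern, the real cookie comes last.
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None
    _, archive_len, toc_off, toc_len, pyver, libname = struct.unpack(
        COOKIE_FORMAT, data[pos:pos + COOKIE_LEN])
    # Assumed encoding (as used by third-party extractors): 311 -> 3.11, 27 -> 2.7.
    major, minor = (pyver // 100, pyver % 100) if pyver >= 100 else (pyver // 10, pyver % 10)
    return {
        "python_version": f"{major}.{minor}",
        "python_lib": libname.rstrip(b"\0").decode("ascii", "replace"),
        "archive_length": archive_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
    }


def has_authenticode_signature(data: bytes) -> bool:
    """True if the PE security data directory points at an embedded PKCS#7 certificate."""
    try:
        if data[:2] != b"MZ":
            return False
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return False
        opt = e_lfanew + 4 + 20                      # COFF file header is 20 bytes
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:                            # PE32
            dirs, count_off = opt + 96, opt + 92
        elif magic == 0x20B:                          # PE32+
            dirs, count_off = opt + 112, opt + 108
        else:
            return False
        if struct.unpack_from("<I", data, count_off)[0] <= 4:
            return False
        # Entry 4 is IMAGE_DIRECTORY_ENTRY_SECURITY; unlike the other entries its
        # address is a raw file offset to a WIN_CERTIFICATE, not an RVA.
        cert_off, cert_len = struct.unpack_from("<II", data, dirs + 4 * 8)
        if cert_off == 0 or cert_len < 8 or cert_off + cert_len > len(data):
            return False
        _, _, cert_type = struct.unpack_from("<IHH", data, cert_off)
        return cert_type == 0x0002                    # WIN_CERT_TYPE_PKCS_SIGNED_DATA
    except struct.error:
        return False


def triage(data: bytes) -> dict:
    info = pyinstaller_info(data)
    return {"pyinstaller": info is not None,
            "signed": has_authenticode_signature(data),
            "details": info}


def build_fake_exe(signed: bool, pyinstaller: bool, pyver: int = 311) -> bytes:
    """Constructed sample: a minimal PE32+ skeleton with optional cert and cookie."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # Machine=AMD64, 0 sections, SizeOfOptionalHeader=240, Characteristics=EXECUTABLE|LARGE_ADDRESS
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<H", 0x20B).ljust(108, b"\0") + struct.pack("<I", 16)  # 16 data dirs
    cert_off, cert_len = 0x400, 0x100
    dirs = [(0, 0)] * 16
    if signed:
        dirs[4] = (cert_off, cert_len)
    opt += b"".join(struct.pack("<II", a, s) for a, s in dirs)
    image = (dos + b"PE\0\0" + coff + opt).ljust(cert_off, b"\0")
    if signed:
        # WIN_CERTIFICATE header: dwLength, wRevision=0x0200, wCertificateType=PKCS_SIGNED_DATA
        image += struct.pack("<IHH", cert_len, 0x0200, 0x0002).ljust(cert_len, b"\0")
    if pyinstaller:
        payload = b"\0" * 64  # stands in for the packed archive and its TOC
        cookie = struct.pack(COOKIE_FORMAT, PYINSTALLER_MAGIC, len(payload) + COOKIE_LEN,
                             0, len(payload), pyver, b"python311.dll")
        image += payload + cookie
    return image


if __name__ == "__main__":
    # python triage.py path\to\app.exe, or no argument to run on the constructed sample
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_exe(False, True)
    print(triage(blob))
```

An unsigned PyInstaller bundle is the combination that draws the generic verdicts discussed above; the script does not judge the Python code inside, it only tells you that you are looking at that combination.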
I am aware this creates a trust problem and I take it seriously. Every download on this site includes a SHA-256 checksum, so you can confirm the file you received is byte-for-byte the one I published; a checksum guards against a corrupted or tampered download, though it is not a substitute for a signature, since it is hosted on the same site as the file. Each project page describes exactly what the software does, and VirusTotal is always an option for independent verification: you can look a file up by its SHA-256 without uploading it, and if you do upload it, look at how many engines flag it and whether they agree on a family name rather than stopping at the first red mark.
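As an added example (not the site's own tooling), this is the check a downloader can run: hash the file, compare it with a published sha256sum-style sidecar, and build the VirusTotal hash-lookup URL that works without uploading anything. The download bytes and sidecar text at the bottom are constructed stand-ins, and the filename myapp-1.2.0.exe is made up.

```python
import hashlib
import re

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_hex_of_file(path) -> str:
    """Hash in chunks so a multi-hundred-MB installer does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text: str) -> dict:
    """Parse the sha256sum text format: '<hex>  <name>' or '<hex> *<name>' per line.

    Lines that are blank, comments, or not a 64-hex-digit hash are ignored, so a
    mangled sidecar can never be mistaken for a matching one.
    """
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not HEX64.match(parts[0]):
            continue
        out[parts[1].lstrip("*")] = parts[0].lower()
    return out


def verify(data: bytes, published_hex: str) -> bool:
    """True only if the published value is a well-formed SHA-256 and matches the data."""
    published_hex = published_hex.strip()
    if not HEX64.match(published_hex):
        return False
    return sha256_hex(data) == published_hex.lower()


def virustotal_lookup_url(sha256hex: str) -> str:
    """VirusTotal lets you query by hash; nothing is uploaded when you open this URL."""
    return f"https://www.virustotal.com/gui/file/{sha256hex.strip().lower()}"


def check_download(data: bytes, name: str, sums_text: str) -> dict:
    """Full flow: look the file up in the sidecar, verify it, and report what to check next."""
    actual = sha256_hex(data)
    expected = parse_sha256sums(sums_text).get(name)
    return {
        "name": name,
        "actual": actual,
        "expected": expected,
        "ok": expected is not None and verify(data, expected),
        "virustotal": virustotal_lookup_url(actual),
    }


# Constructed sample: a stand-in download and the sidecar a project page might publish.
SAMPLE_DOWNLOAD = b"MZ" + b"\x90" * 30 + b"not a real executable"
SAMPLE_SUMS = (
    "# SHA256SUMS for release 1.2.0\n"
    f"{sha256_hex(SAMPLE_DOWNLOAD)}  myapp-1.2.0.exe\n"
    f"{sha256_hex(b'other build')} *myapp-1.2.0-portable.zip\n"
)

if __name__ == "__main__":
    print(check_download(SAMPLE_DOWNLOAD, "myapp-1.2.0.exe", SAMPLE_SUMS))
    print(check_download(SAMPLE_DOWNLOAD + b"\0", "myapp-1.2.0.exe", SAMPLE_SUMS)["ok"])
```

If the "ok" field is false, stop and re-download before doing anything else; a mismatch means you do not have the file the author published, whatever Defender says about it.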