Approaches that always help me to reduce amount of false positives:

1. Rebuilt Pyinstaller Bootloader to use GCC compiler instead of MSVC.

2. Use obfuscation for your code before compilation. I prefer pyarmor lib and it allows to obfuscate and compile with pyinstaller straight forward by command like pyarmor gen --pack onefile main.py

3. If you call some CMD or Powershell from your code, make sure that these string calls are getting built during runtime. For example if you call CMD like my_command = "wmic csproduct get uuid" in code better do it like my_command = ''.join(['w', 'm', 'i', 'c', ...]) . I believe there should exist some Python string obfuscators but it is easy to do on your own.