Bitdefender Gen:Variant:Graftor.591808
-
- Posts: 4
- Joined: Fri Feb 03, 2023 4:46 pm
Bitdefender Gen:Variant:Graftor.591808
I have v1.17.2 for Windows - all registered. I went to install v.1.17.3 for windows today and had the following from Bitdefender.
The file ...\wincdarb_inst.exe is infected with Gen:variant.Graftor.591808 and was moved to quarantine.
Does anyone know if this is a false positive?
Thanks/
Re: Bitdefender Gen:Variant:Graftor.591808
Hmm the whole setup file doesn't have much of a problem on VirusTotal:
https://www.virustotal.com/gui/file/cc6 ... 1675405471
here is the wincdarb_inst.exe
https://www.virustotal.com/gui/file/043 ... 1675433956
and here the wincdarb_inst64.exe
https://www.virustotal.com/gui/file/8a2 ... 1675438035
Personally I would suspect a false positive, as why should the 32bit version have something bad, but the 64bit version not? But that's just my opinion.
-
- Posts: 4
- Joined: Fri Feb 03, 2023 4:46 pm
Re: Bitdefender Gen:Variant:Graftor.591808
Any views on how to move forward?
15 vendors find something of interest with the 32 bit version, but the hope is it’s a false positive.
Do we wait for malware vendors to catch up and recognise it’s a fp, or is it actually a concern?
Not sure what to do, but my personality is risk averse, so I’ll stay on current version for now.
Thanks
Re: Bitdefender Gen:Variant:Graftor.591808
Did you download 1.17.3 from makemkv.com? Did you verify the SHA256 hash?
-
- Posts: 4075
- Joined: Wed Nov 26, 2008 2:26 am
- Contact:
Re: Bitdefender Gen:Variant:Graftor.591808
I've even added an explicit comment at VT - https://www.virustotal.com/gui/file/043 ... /community. The file itself is 13 kilobytes, it is a 32-bit service installer - literally, it calls a few Windows APIs and exits. You can't pack much malware in 13 kilobytes, seriously.
After getting the alert I've double-checked the file and compared the hashes. The above VT link is for the file that I've uploaded from the clean build machine.
And, as mentioned above, this file is open-source GPL with full source code available at https://www.makemkv.com/download/wincdarb/ .
Not to mention that this file never executes on a 64-bit system.
Absolute nonsense. At least, I'm not alone:
https://github.com/mailhog/MailHog/issues/154
https://answers.microsoft.com/en-us/win ... 2f93c9dd3f
https://www.reddit.com/r/antivirus/comm ... acatacbml/
The file is attached to this message, see for yourself if you have the skill. Literally, one page of code in disassembler...
p.s. All these detections are based on machine learning. Robots are killing us, people.
- Attachments
-
- wincdarbinst.zip
- (13.29 KiB) Downloaded 184 times
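The checks discussed in this thread (comparing the SHA-256 of the download with the published value, and confirming that the flagged file is the small 32-bit component) can be scripted. This is an added example, not MakeMKV's code or part of any post; the function names are hypothetical and the sample bytes are constructed, not the real installer.

```python
import hashlib
import hmac
import struct

# COFF "Machine" values for the architectures relevant here.
MACHINE_NAMES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)", 0xAA64: "ARM64"}

def pe_machine(data: bytes) -> str:
    """Return the target architecture recorded in a PE file's COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_offset + 6 > len(data) or data[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    (machine,) = struct.unpack_from("<H", data, pe_offset + 4)
    return MACHINE_NAMES.get(machine, f"unknown (0x{machine:04x})")

def triage(data: bytes, published_sha256: str) -> dict:
    """Summarise size, hash match against the published value, and architecture."""
    actual = hashlib.sha256(data).hexdigest()
    expected = published_sha256.strip().lower()
    return {
        "size_bytes": len(data),
        "sha256": actual,
        "hash_matches": hmac.compare_digest(actual, expected),
        "machine": pe_machine(data),
    }

def build_sample_pe(machine: int) -> bytes:
    """Constructed sample: DOS header + PE signature + COFF header only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff

if __name__ == "__main__":
    sample = build_sample_pe(0x014C)
    # Stand-in for the hash published on the vendor's download page.
    published = hashlib.sha256(sample).hexdigest()
    print(triage(sample, published))
    # A single changed byte must fail the comparison.
    print(triage(sample + b"\x00", published)["hash_matches"])
```

For a real download, read the file with `open(path, "rb").read()` and pass the hash string copied from the vendor's page as `published_sha256`.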
Re: Bitdefender Gen:Variant:Graftor.591808
I downloaded the wincdarbinst.zip file and ran Microsoft Defender Offline scan on the zip file.
And it came out clean: "3 files scanned, 0 threats found."
So the warning from Microsoft Defender (reported in viewtopic.php?f=1&t=30183):
Microsoft Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.
App: Setup_MakeMKV_v1.17.3.exe
Publisher: Unknown publisher
Has gotta be a false-positive warning.
-
- Posts: 4
- Joined: Fri Feb 03, 2023 4:46 pm
Re: Bitdefender Gen:Variant:Graftor.591808
Thanks, Mike.
I appreciate the comprehensive reply.
I don’t have the smarts to look at the code! Wish I did.
Thanks again/
Re: Bitdefender Gen:Variant:Graftor.591808
I have version 1.17.1.
I went to install the latest version. At the moment the step for choosing the install location appeared, my Bitdefender antivirus informed me that it was disinfecting, so I closed the installation wizard immediately. I tried to find something about a virus in the Bitdefender notifications, but there was nothing.
I scanned the files in Virustotal and this is what I got:
https://www.virustotal.com/gui/file/cc6 ... /detection
PS: I have already confirmed the SHA256 hash
-
- Posts: 4075
- Joined: Wed Nov 26, 2008 2:26 am
- Contact:
Re: Bitdefender Gen:Variant:Graftor.591808
The file in question that is reported by bitdefender is actually not used on 64-bit systems (most of the systems today). So even if it "disinfects" that file, the installation will continue without an error on 64-bit system.
Re: Bitdefender Gen:Variant:Graftor.591808
mike admin wrote (Sun Feb 05, 2023 9:30 am): The file in question that is reported by bitdefender is actually not used on 64-bit systems (most of the systems today). So even if it "disinfects" that file, the installation will continue without an error on 64-bit system.
I understand, but I specifically downloaded the 64-bit version.
It didn't show the name of the supposed virus, unlike the colleague who opened the post, mine just reported that my computer was being disinfected.
The strange thing is that on the VIRUSTOTAL site only one Russian antivirus accuses the 64-bit version of having viruses, the most renowned antiviruses don't accuse anything, including Bitdefender.
-
- Posts: 4
- Joined: Fri Feb 03, 2023 4:46 pm
Re: Bitdefender Gen:Variant:Graftor.591808
Just an observation.
When rerunning the virus total links from the second post, the number of providers indicating a concern (for the 32 bit file) has dropped from 15 to 9. Bitdefender (my scanner) has gone from +ve to not detecting any issues now.
Seems like the virus total site can adapt as it learns more.