MakeMKV 1.9.10 identified as virus
Avira identifies 1.9.10 as containing a virus:
"Setup_MakeMKV_v1.9.10.exe containing the pattern 'HEUR/APC (Cloud)' was blocked."
Can someone explain this?
Re: MakeMKV 1.9.10 identified as virus
That you would have to ask Avira... because their website doesn't give a very good description:
"A generic detection routine designed to detect common family characteristics shared in several variants. This special detection routine was developed in order to detect unknown variants and will be enhanced continuously."
Avira says it uses a string it has seen in unspecified "dangerous" files. It also flags Microsoft Outlook Express for the same string, according to a web search. Although, I personally think that isn't really a false hit...
If you want, you can submit the file to be reviewed using the link to Avira's justification for the warning above.
AVG says it is clean.
MakeMKV Frequently Asked Questions
FAQ about BETA and PERMANENT keys.
How to aid in finding the answer to your problem: Activating Debug Logging
Re: MakeMKV 1.9.10 identified as virus
Kaspersky and 360 also say it's clean.
Re: MakeMKV 1.9.10 identified as virus
Setup_MakeMKV_v1.9.10.exe - Downloaded today to upgrade but the latest paid version of Avira Antivirus Pro flagged and blocked it (as per the OP).
I scanned using the free version of Malwarebytes (clean), SuperAntispyware (OK) and SpyBot, also clean.
So I assume it's OK to use. I see another poster also checked it OK.
Re: MakeMKV 1.9.10 identified as virus
I would imagine that it's a false positive. I wouldn't think that MakeMKV would intentionally push out a malicious file. But I would like, however, to hear from one of the developers as to what was done differently with this version that might have caused this?
Thanks for the tip, Woodstock, I'll submit the file to Avira. I'll post back here with their response.
Re: MakeMKV 1.9.10 identified as virus
Reading their "advertisement" on Wikipedia, I can see why Avira is popping up false positives... To keep things small and fast, they look for more generic strings than other antivirus programs, and then have to check a list of exceptions for programs that fail the first test, but aren't virus or trojan programs. Which is why they listed Outlook Express for a while.
MakeMKV Frequently Asked Questions
FAQ about BETA and PERMANENT keys.
How to aid in finding the answer to your problem: Activating Debug Logging
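The two-stage approach described in the post above (broad generic strings first, then a list of exceptions), sketched as an added example that is not part of the original thread and is not Avira's code. The patterns, detection names and sample bytes are constructed; the exception list is assumed to be keyed by SHA-256, which shows why an exception granted for one build does not cover the next release.

```python
import hashlib

# Constructed generic byte patterns and hypothetical detection names;
# a real engine's signatures are not public.
GENERIC_PATTERNS = {
    "HEUR/Example.Unpack": b"UnpackAndRun",
    "HEUR/Example.SelfDelete": b"DeleteOnReboot",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def generic_hits(data: bytes) -> list:
    """Stage 1: cheap substring test against broad patterns."""
    return sorted(name for name, pat in GENERIC_PATTERNS.items() if pat in data)

def scan(data: bytes, exceptions: set) -> tuple:
    """Stage 2: a stage-1 hit is suppressed only if this exact file is excepted."""
    hits = generic_hits(data)
    if not hits:
        return ("CLEAN", hits)
    if sha256(data) in exceptions:
        return ("CLEAN (exception)", hits)
    return ("BLOCKED", hits)

# Constructed sample files: two builds of a benign installer that share an
# unpacking stub, and an ordinary program without the generic string.
INSTALLER_V1 = b"MZ..installer stub..UnpackAndRun..payload build 1"
INSTALLER_V2 = b"MZ..installer stub..UnpackAndRun..payload build 2"
PLAIN_TOOL = b"MZ..ordinary program without the generic string"

def demo() -> dict:
    exceptions = set()
    results = {"v1_before": scan(INSTALLER_V1, exceptions)[0]}
    # The vendor reviews the submission and records a false positive.
    exceptions.add(sha256(INSTALLER_V1))
    results["v1_after"] = scan(INSTALLER_V1, exceptions)[0]
    # The next build has different bytes, so its hash is not on the list.
    results["v2"] = scan(INSTALLER_V2, exceptions)[0]
    results["plain"] = scan(PLAIN_TOOL, exceptions)[0]
    return results

if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```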
Re: MakeMKV 1.9.10 identified as virus
Officially a false positive from Avira. Hopefully they'll add the program as an exception.
File ID Filename Size (Byte) Result
28782746 Setup_MakeMKV_v1.9.10.exe 8.13 MB FALSE POSITIVE
28783338 mmnsis.dll 15.5 KB FALSE POSITIVE
28783339 uninst.exe 104.65 KB FALSE POSITIVE
28783313 Setup_MakeMKV_v1....S].nsi 83.82 KB CLEAN
28783314 Setup_MakeMKV_v1....io.dll 16.5 KB CLEAN
28783315 Setup_MakeMKV_v1....64.dll 20.5 KB CLEAN
28783316 Setup_MakeMKV_v1....kv.dll 147 KB CLEAN
28783317 Setup_MakeMKV_v1....64.dll 257.5 KB CLEAN
28783318 Setup_MakeMKV_v1....bd.dll 28 KB CLEAN
28783319 Setup_MakeMKV_v1....64.dll 33.5 KB CLEAN
28783320 Setup_MakeMKV_v1....qt.dll 4.12 MB CLEAN
28783321 Setup_MakeMKV_v1....kv.exe 99.01 MB CLEAN
28783322 Setup_MakeMKV_v1.9...mo.gz 11.02 KB CLEAN
28783323 Setup_MakeMKV_v1.9...mo.gz 10.6 KB CLEAN
28783324 Setup_MakeMKV_v1.9...mo.gz 10.62 KB CLEAN
28783325 Setup_MakeMKV_v1.9...mo.gz 10.08 KB CLEAN
28783326 Setup_MakeMKV_v1.9...mo.gz 12.59 KB CLEAN
28783327 Setup_MakeMKV_v1.9...mo.gz 12.52 KB CLEAN
28783328 Setup_MakeMKV_v1.9...mo.gz 10.17 KB CLEAN
28783329 Setup_MakeMKV_v1.9...mo.gz 12.09 KB CLEAN
28783330 Setup_MakeMKV_v1.9...mo.gz 12.98 KB CLEAN
28783331 Setup_MakeMKV_v1.9...mo.gz 11.93 KB CLEAN
28783332 Setup_MakeMKV_v1.9...mo.gz 10.23 KB CLEAN
28783333 Setup_MakeMKV_v1.9...mo.gz 10.22 KB CLEAN
28783334 Setup_MakeMKV_v1.9...mo.gz 9.78 KB CLEAN
28783335 Setup_MakeMKV_v1....on.exe 3.69 MB CLEAN
28783336 Setup_MakeMKV_v1....64.exe 4.55 MB CLEAN
28783337 Setup_MakeMKV_v1....ec.exe 81.5 KB CLEAN
28783338 Setup_MakeMKV_v1....is.dll 15.5 KB FALSE POSITIVE
28783339 Setup_MakeMKV_v1....st.exe 104.65 KB FALSE POSITIVE
Re: MakeMKV 1.9.10 identified as virus
I too have encountered virus warnings. This is from Norton Anti-Virus:
Filename: makemkvcon64.exe
Threat name: SONAR.Heur.C!g17
Full Path: Not Available
____________________________
On computers as of
4/16/2016 at 4:38:41 PM
Last Used
4/16/2016 at 4:38:41 PM
Startup Item
No
Launched
Yes
SONAR Protection monitors for suspicious program activity on your computer.
____________________________
makemkvcon64.exe Threat name: SONAR.Heur.C!g17
Locate
Very Few Users
Fewer than 5 users in the Norton Community have used this file.
Very New
This file was released less than 1 week ago.
High
This file risk is high.
____________________________
Source: External Media
Source File:
idman.exe
File Created:
setup_makemkv_v1.9.10.exe
File Created:
makemkvcon64.exe
____________________________
File Actions
File: c:\program files (x86)\makemkv\ makemkvcon64.exe Threat Removed
____________________________
Registry Actions
Registry change: HKEY_USERS\S-1-5-21-1986219432-401483032-693208647-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\ Internet Settings->ProxyEnable:0, Registry Hive: 64 bit Repaired
Registry change: HKEY_USERS\S-1-5-21-1986219432-401483032-693208647-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ Connections->SavedLegacySettings:..., Registry Hive: 64 bit Repaired
Registry change: HKEY_USERS\S-1-5-21-1986219432-401483032-693208647-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ Content->CachePrefix, Registry Hive: 64 bit Repaired
Registry change: HKEY_USERS\S-1-5-21-1986219432-401483032-693208647-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ Cookies->CachePrefix:Cookie:, Registry Hive: 64 bit Repaired
Registry change: HKEY_USERS\S-1-5-21-1986219432-401483032-693208647-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ History->CachePrefix:Visited:, Registry Hive: 64 bit Repaired
Registry change: HKEY_USERS\S-1-5-21-1986219432-401483032-693208647-1000\SOFTWARE\ MakeMKV->app_UpdateLastCheck:16906, Registry Hive: 64 bit Repaired
____________________________
Network Actions
Event: Symantec IDS signature detected on network traffic (Performed by c:\program files (x86)\makemkv\makemkvcon64.exe, PID:9524) No action taken
Event: Symantec IDS signature detected on network traffic (Performed by c:\program files (x86)\makemkv\makemkvcon64.exe, PID:8056) No action taken
____________________________
System Settings Actions
Event: Process start (Performed by c:\program files (x86)\makemkv\makemkvcon64.exe, PID:9524) No action taken
Event: Process start: c:\program files (x86)\makemkv\ makemkvcon64.exe, PID:9524 (Performed by c:\program files (x86)\makemkv\makemkvcon64.exe, PID:9524) No action taken
Event: Process start (Performed by c:\program files (x86)\makemkv\makemkvcon64.exe, PID:8056) No action taken
Event: Process start: c:\program files (x86)\makemkv\ makemkvcon64.exe, PID:8056 (Performed by c:\program files (x86)\makemkv\makemkvcon64.exe, PID:8056) No action taken
____________________________
File Thumbprint - SHA:
Not available
File Thumbprint - MD5:
Not available
Re: MakeMKV 1.9.10 identified as virus
Strangely, although NAV told you the risk was "very high", their website says different:
"SONAR.Heur.C!g17
Risk Level 1: Very Low"
And, like Avira's warning, it seems to be based on very broad criteria:
"SONAR.Heur.C!g17 is a heuristic detection for suspicious processes based on certain attributes and behaviors."
They MAY be looking at the fact that the makemkv.com server is in Russia, and MakeMKV checks for updates when it starts, and if an SVQ file is needed for a particular rip. There is not a whole lot that can be done about that.
I suggest submitting the file to Symantec for review.
MakeMKV Frequently Asked Questions
FAQ about BETA and PERMANENT keys.
How to aid in finding the answer to your problem: Activating Debug Logging