Bad Setup File? (Virus Detected)
Hopefully this is the right area to post this in, and I didn't see a direct email address to email.
I was attempting to update MakeMKV and Edge, Chrome, and FF all said it was infected with a virus. Thinking this was just a fluke I grabbed the file down on my Linux box and checked the hashes.
Listed SHA256:
99897048fe1aef6668f20d4ff326cad0ddf44f0a5a4c08d4760b25530b3e39d8 Setup_MakeMKV_v1.14.1.exe
Actual Downloaded SHA256:
ea974bdfac2d460cdefb3d98a176318b011eeb39b4eb4214078c3285657f3cb2 Setup_MakeMKV_v1.14.1.exe
I ran it through Virustotal as well and it came back with 0 hits (that's not definitive since zero-days can make it through) but a good indicator that it isn't malicious.
https://www.virustotal.com/#/file/ea974 ... /detection
Any information would be great as this has always been a great product / service you have provided.
Last edited by lordzero on Sat Nov 24, 2018 6:21 pm, edited 1 time in total.
Re: Bad Setup File?
The SHA256 for the file virustotal downloaded and tested matches what's posted on the website for the Windows executable:
99897048fe1aef6668f20d4ff326cad0ddf44f0a5a4c08d4760b25530b3e39d8
https://www.virustotal.com/#/url/ef6f9e ... /detection
They have zero of 70 tests showing a problem. Not sure how you would have gotten a file with a different hash... I'm assuming you downloaded from http://makemkv.com/download/, and not the non-secure URL. They should be the same, but the use of https removes much of the risk of a "man in the middle" substitution.
As always, if you have ANY suspicion, submit the file to your favorite antivirus company's site for them to verify. This is especially true if your vendor's AV pops up a "generic" warning.
The stored hash in your VirusTotal link is different, though, than the hash it got when it processed my request. Did you upload the file, or submit it as a URL?
MakeMKV Frequently Asked Questions
FAQ about BETA and PERMANENT keys.
How to aid in finding the answer to your problem: Activating Debug Logging
Re: Bad Setup File?
I have the same issue on Windows 7.
Microsoft Security Essentials claims to find "Trojan:Win32-Skeeyah.G" on Setup_MakeMKV_v1.14.1.exe.
Did a download to my Linux box, too, and it has the correct hash there; also, scanning it with ClamAV didn't find anything.
Copying this file to Windows (SSH), again, is showing an issue. The file seems to get deleted immediately, as I couldn't find it on my machine.
Re: Bad Setup File?
I pulled directly from the website. Windows browser requests all light up with it had a virus.
On my Linux box I grabbed it via wget
user@Earth:~# wget http://makemkv.com/download/Setup_MakeMKV_v1.14.1.exe
--2018-11-24 10:21:45-- http://makemkv.com/download/Setup_MakeMKV_v1.14.1.exe
Resolving makemkv.com (makemkv.com)... 104.24.105.123, 104.24.104.123, 2606:4700:30::6818:697b, ...
Connecting to makemkv.com (makemkv.com)|104.24.105.123|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11658752 (11M) [application/x-msdownload]
Saving to: ‘Setup_MakeMKV_v1.14.1.exe’
100%[==============================================================================>] 11,658,752 8.11MB/s in 1.4s
2018-11-24 10:21:47 (8.11 MB/s) - ‘Setup_MakeMKV_v1.14.1.exe’ saved [11658752/11658752]
Then ran sha256sum on it:
user@Earth:~# sha256sum Setup_MakeMKV_v1.14.1.exe
ea974bdfac2d460cdefb3d98a176318b011eeb39b4eb4214078c3285657f3cb2 Setup_MakeMKV_v1.14.1.exe
I agree that VT shows nothing malicious, but being in the field, this isn't 100%. There is a (small) chance I would argue that someone replaced the file if the SHAs aren't matching. Maybe a way to test this is to reupload 1.14.1 to the site and reverify the SHA.
Re: Bad Setup File?
Ohh and I uploaded the file to VT. So it did its own SHA calc.
Re: Bad Setup File?
Uploaded my file to VirusTotal, looks not so good to me:
https://www.virustotal.com/#/file/99897 ... /detection
Re: Bad Setup File? (Virus Detected)
This is very strange - when I have VirusTotal fetch the file from https://makemkv.com/download/Setup_MakeMKV_v1.14.1.exe, it finds nothing, and computes the SHA256 as matching the posted file. It says 0 of 70 tests found problems.
When I download the file myself, run sha256sum on it, I get the same hash. My up-to-date AVG says no problems with the file.
When I upload the file to VT, it reports the exact same hash, but now says 5 of 66 engines had an issue with the file.
I compared the copies I downloaded just now with the copy I downloaded on 11/10 (two weeks ago), and they are byte-for-byte identical.
sha256sum hash on all files is 99897048fe1aef6668f20d4ff326cad0ddf44f0a5a4c08d4760b25530b3e39d8.
Given that the threat Microsoft says it is protecting you from is over TWO YEARS old (Microsoft says 1 year, others say 2), it is doubly strange that so few virus detection engines seem to find it in the setup program; they all should, if it is really there.
Again, I suggest uploading the file to your favorite antivirus provider for a second opinion.
Re: Bad Setup File? (Virus Detected)
If you look deeply into the results of VirusTotal you may recognize that the "engines" there differ between "url" and "file".
So, e.g., "Microsoft" as an engine does not show up in "url".
It also says "5/66" not "0/70". That explains the different output, but of course not the info that Woodstock gave.
I also uploaded some of the old files, and they produce similar output:
- 1.14.0 https://www.virustotal.com/#/file/73ee0 ... /detection
- 1.12.2 https://www.virustotal.com/#/file/1b1e9 ... /detection
Re: Bad Setup File? (Virus Detected)
http://makemkv.com/download/Setup_MakeMKV_v1.14.1.exe (and https://...) set off my Win 10 machine too...
Re: Bad Setup File? (Virus Detected)
I have the same problem with version 1.14.1 on my Windows 10 computer - Windows being fully updated.
I use the Windows Defender as my anti virus programme, and the Setup file for the new version 1.14.1 is immediately recognized as the Win32/Skeeyah.G virus. The installation of the programme is finished instantly, and the whole programme is removed from my PC.
After a short time in agony I downloaded the previous version 1.14.0 and saw that this version causes no problem at all. Hence I am still a happy user of the MakeMKV programme.
I suspect that somewhere in the programming code of the new version some string is hidden, which Defender mistakes for the virus??
Re: Bad Setup File? (Virus Detected)
blufoot wrote: Sun Nov 25, 2018 12:46 am
http://makemkv.com/download/Setup_MakeMKV_v1.14.1.exe (and https://...) set off my Win 10 machine too...

I used this link just now and installed fine. I use Eset 32 and nothing popped up. For the fun of it, I am running a full virus scan on my computer and so far 0 threats. Wonder what this is all about.
Re: Bad Setup File? (Virus Detected)
Well, the paranoid side of me (and well, being in the industry) would think that one option is that the download site was compromised. This could be solved by reuploading the file to the server (and fixing however they got onto the server).
The other option is that there is some kind of dynamic coding going on that is making the virus detection engines go a bit crazy.
Re: Bad Setup File? (Virus Detected)
And it is quite important to be paranoid today... I'm in the industry, too, and get paid to be paranoid.
What concerns me is that multiple people have reported downloading a file with a DIFFERENT hash than in the signed hash list on the site. I've pulled the file multiple times (both HTTP and HTTPS), on multiple days, first on 11/10, most recently 11/24, and two different versions of sha256sum always give the published hash code; why do some others get a different hash?
Could it be that Windows Defender is modifying the EXE on download so that it has a different hash?
Re: Bad Setup File? (Virus Detected)
I'm sure it's possible, though unlikely. It would have to be polymorphic code for something to be like that.
mike admin
Re: Bad Setup File? (Virus Detected)
blufoot wrote: Sun Nov 25, 2018 12:46 am
http://makemkv.com/download/Setup_MakeMKV_v1.14.1.exe (and https://...) set off my Win 10 machine too...

Did you check the SHA256 hash of the file with http://www.makemkv.com/download/makemkv-sha-1.14.1.txt ? Do you know if antivirus tags a specific file or the whole installer?
p.s. There are no viruses/trojans in MakeMKV...
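
The hash check asked about above, written out as an added example; it is not part of the original thread and not MakeMKV's own tooling. It assumes the published list uses sha256sum-style lines ("<64 hex digits>  <file name>"); the function names and the sample file Setup_Example.exe are hypothetical and constructed for the demonstration.

```shell
#!/bin/sh
# Added example: compare a downloaded file with its entry in a published
# SHA-256 list. Assumes sha256sum-style list lines: "<64 hex>  <name>".

# Print the hash listed for a file name (prints nothing if it is not listed).
listed_hash() {
    # $1 = hash list file, $2 = file name to look up
    awk -v name="$2" '
        { sub(/\r$/, "") }                     # tolerate CRLF list files
        $1 ~ /^[0-9A-Fa-f]+$/ && length($1) == 64 {
            f = $2; sub(/^\*/, "", f)          # "*name" marks binary mode
            if (f == name) { print tolower($1); exit }
        }' "$1"
}

# Return 0 on match, 1 on mismatch, 2 if the file name is not in the list.
verify_download() {
    # $1 = downloaded file, $2 = published hash list
    want=$(listed_hash "$2" "$(basename "$1")")
    if [ -z "$want" ]; then
        echo "NOT LISTED: $(basename "$1")"
        return 2
    fi
    got=$(sha256sum "$1" | awk '{ print tolower($1) }')
    if [ "$got" = "$want" ]; then
        echo "OK: $got"
        return 0
    fi
    # Report both values so they can be pasted into a bug report.
    echo "MISMATCH: listed $want"
    echo "          actual $got"
    return 1
}

# Constructed sample data: a stand-in installer and a one-line hash list.
demo() {
    dir=$(mktemp -d)
    printf 'constructed installer bytes\n' > "$dir/Setup_Example.exe"
    (cd "$dir" && sha256sum Setup_Example.exe > list.txt)
    first=0; second=0
    verify_download "$dir/Setup_Example.exe" "$dir/list.txt" || first=$?
    printf 'x' >> "$dir/Setup_Example.exe"     # alter the local copy
    verify_download "$dir/Setup_Example.exe" "$dir/list.txt" || second=$?
    rm -rf "$dir"
    echo "$first $second"                      # exit statuses of both checks
}

demo
```

A match only shows the local copy equals what the list describes; the list itself has to come from a trusted channel (HTTPS or a verified signature) for that to mean anything.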