Virus in v1.15 Setup file

Cyberweaver · Post by **Cyberweaver** » Wed Mar 04, 2020 10:48 am

Hi,

Bitdefender just detected Gen:Variant.Razy.539717 in file: mmnsis.dll during setup execution. Is this real or false positive?

Post by **mike admin** » Wed Mar 04, 2020 10:52 am

Nah, we don't ship viruses...

Virustotal:
https://www.virustotal.com/gui/file/890 ... /detection

1.15.0 hash sums

Code: Select all

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

890314d866d52779532b46ed4cf21489bb47f49e6056154524a5e923b85af4c9  Setup_MakeMKV_v1.15.0.exe
442d67d5368390263c30fca2d980ebfffb716be227b9f056b69961d2b11b26ff  makemkv-bin-1.15.0.tar.gz
a9213fa7cbf2bf2f03d90cd350ad53aa82394bc3991c440e9e369e4169f3ed06  makemkv-oss-1.15.0.tar.gz
ad4323d5141a82f11b36f1ad3f54b0f201eedfbd4597ee604fed4b616f2d06b0  makemkv_v1.15.0_osx.dmg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iHUEAREIAB0WIQQuzyMwXx/AsyABZzOU4wg6GAQmlwUCXl9efwAKCRCU4wg6GAQm
l2D8AP91bXRnc5YeaWQ+DlR3DVoEV2h485Gh9eTBFp/Xd2O+wwD/XpX4Pgxsdvqo
a68DumjodayHZqAhjq7yb1KDchhQrCs=
=h3Oh
-----END PGP SIGNATURE-----

Darsarin · Post by **Darsarin** » Wed Mar 04, 2020 4:12 pm

Yeah I got the same message from Bitdefender.

The file C:\Users\*****\AppData\Local\Temp\nsnBCF5.tmp\mmnsis.dll is infected with Gen:Variant.Razy.5397

Woodstock · Post by **Woodstock** » Wed Mar 04, 2020 4:47 pm

As always, when faced with your preferred antivirus software claiming to have found a virus, you should submit the file/URL to your vendor for them to verify it.

Ravik · Post by **Ravik** » Wed Mar 04, 2020 6:57 pm

Submitted file to BitDefender for review. Lets hope they straighten that out.

Mrdeadworry · Post by **Mrdeadworry** » Wed Mar 04, 2020 7:25 pm

The file check-sums do not match with the one you supplied above. I also use Bitdefender and it is showing the same infection.

SamuriHL · Post by **SamuriHL** » Wed Mar 04, 2020 9:00 pm

i checked the sha256 hash of my downloaded windows exe and it matches what Mike posted.

Woodstock · Post by **Woodstock** » Wed Mar 04, 2020 9:03 pm

Are sure? I downloaded the 1.15.0 setup file, then uploaded it to virustotal, and VT gave back a hash code of 890314d866d52779532b46ed4cf21489bb47f49e6056154524a5e923b85af4c9 . This hash code matches what Mike posted above and on the website.

If you're running your own hash, make SURE you are using SHA-256, or you'll get different a different hash.

mkvfanclub · Post by **mkvfanclub** » Thu Mar 05, 2020 3:21 am

VirusTotal is reporting that uninst.exe (in the MakeMKV program folder) is a virus.

14/71 engines detected a virus in uninst.exe.

https://www.virustotal.com/gui/file/9b6 ... /detection

Woodstock · Post by **Woodstock** » Thu Mar 05, 2020 5:09 am

I just ran a test and AVG reports uninst.exe as "Win32:Malware-gen" and moves it to quarantine.

When I ask google what "Win32:Malware-gen" actually is, I get a lot of hits... Many of them for files installed as part of Windows 10 Updates, as well as .NET updates.

MalwareBytes says:

Win32:Malware-gen is a heuristic detection designed to generically detect a Trojan Horse. Due to the generic nature of this threat, we are unable to provide specific information on what it does.

So, I guess the best bet is to submit the file to your favorite AV vendor, and ask them to look at this file SPECIFICALLY, and not "heuristically".

Post by **mike admin** » Thu Mar 05, 2020 12:24 pm

mkvfanclub wrote: ↑
Thu Mar 05, 2020 3:21 am
14/71 engines detected a virus in uninst.exe.
https://www.virustotal.com/gui/file/9b6 ... /detection

Interesting...
MakeMKV uses NSIS ( https://nsis.sourceforge.io/Main_Page ) installer engine. The uninstall.exe is a standard NSIS uninstaller stub ( specifically from version 2.51 ) with embedded uninstall script file. Yet, for some reason, the raw stub from NSIS distribution comes clean ( https://www.virustotal.com/gui/file/bca ... /detection ) and the same stub customized with makemkv uninstaller script hits malware warning. You can compare uninstall.exe and the "lzma_solid" stub from NSIS package (v2.51) - they are identical byte-by-byte, except for the script data payload. Please see the detail page in virustotal, specifically it lists hashes of all code and data segments in both files - they are identical
https://www.virustotal.com/gui/file/bca ... 94/details - raw nsis stub
https://www.virustotal.com/gui/file/9b6 ... 52/details - uninst.exe

p.s. There is no virus in uninstall.exe or anywhere else in MakeMKV.

IMissBigMacs2020 · Post by **IMissBigMacs2020** » Mon Apr 27, 2020 8:44 pm

I'm getting the same today as OP when installing 1.15.1.

SHA 256: E219FF9FDF45A71CEB3AA55615648B43D8EFA64B098459D9CEC9741DE11DD966 downloaded from the MakeMKV site. Will submit to Bitdefender again.

IMissBigMacs2020 · Post by **IMissBigMacs2020** » Sat May 02, 2020 8:23 pm

Update, submitted the other day to Bitdefender and it's no longer being detected (yay!) but suspect it will get detected again next version.

www.makemkv.com

MakeMKV support forum

Virus in v1.15 Setup file

Virus in v1.15 Setup file

Re: Virus in v1.15 Setup file

Re: Virus in v1.15 Setup file

Re: Virus in v1.15 Setup file

Re: Virus in v1.15 Setup file

Re: Virus in v1.15 Setup file

Re: Virus in v1.15 Setup file

Re: Virus in v1.15 Setup file

Re: Virus in v1.15 Setup file

Re: Virus in v1.15 Setup file

Re: Virus in v1.15 Setup file

Re: Virus in v1.15 Setup file

Re: Virus in v1.15 Setup file