MKVToolNix – Matroska tools for Linux/Unix and Windows

Allegedly a backdoor in my Windows installer for v2.4.1

Dear mkvtoolnix users,

I've received several reports from users that the Windows installer for 2.4.1 supposedly contains a backdoor, as reported by Kaspersky Anti Virus and other scanners that use Kaspersky's engine. Here's what I have to say about that after a careful investigation:

One user wrote via email:

> I downloaded the mkvtoolnix 2.4.1 (Windows installer) from your site (
> http://www.bunkus.org/videotools/mkvtoolnix/downloads.html#windows ->
> http://www.bunkus.org/videotools/mkvtoolnix/windows/mkvtoolnix-unicode-2.4.1-setup.exe)
> and I got a warning from Kaspersky Antivirus, saying that the file is
> infected by a backdoor.

That's a false positive. I've already received several warnings from other users and scanned said file with various scanners -- no infections found (only by those who use Kaspersky's scan engine).

I'm also building the programs and installer on a Linux machine; there's no Windows involved during the build.

Additionally, I've scanned my only Windows desktop that I have here with two virus scanners (one of them is constantly running anyway); again, no infections found. I'm taking anti virus security very seriously.

Nevertheless, I've now provided a new installer in which not even Kaspersky finds anything:

mkvtoolnix-unicode-2.4.1-build20081207-44-setup.exe (Link removed, see below)

That file is exactly 4115100 bytes big. Its MD5 checksum is 118ff4027534058302d7006db6371c11, its SHA1 checksum is b4a9ec6a4a474cfc1bfa20755da548da63aa4580.

Regards,
Mosu
On 08 Dec 2008.


Update on 11 Dec 2008

Kaspersky now also reports mkvtoolnix-unicode-2.4.1-build20081207-44-setup.exe to contain a backdoor. I'm still convinced this is a false positive. I've nevertheless updated the installer I'm using (NSIS) and created a new build that's not yet listed as a false positive:

mkvtoolnix-unicode-2.4.1-build20081211-45-setup.exe

Size in bytes: 4117079
MD5 checksum: 2e7c76d3b57420e211fb85f3a89f1b4a
SHA1 checksum: af0405912cb592f3c1cd2fc70a641ce9eb9af90d

You can see the result of the online scan from today at www.virustotal.com.
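The following is an added example, not part of the original post: one way to check a downloaded copy of the 11 Dec 2008 build against the size, MD5 and SHA1 values published above. The function names and the command-line handling are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import sys

# Values published on this page for the build of 11 Dec 2008.
PUBLISHED = {
    "name": "mkvtoolnix-unicode-2.4.1-build20081211-45-setup.exe",
    "size": 4117079,
    "md5": "2e7c76d3b57420e211fb85f3a89f1b4a",
    "sha1": "af0405912cb592f3c1cd2fc70a641ce9eb9af90d",
}


def file_digests(path, chunk_size=1 << 20):
    """Stream the file once and return (size, md5_hex, sha1_hex)."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            md5.update(chunk)
            sha1.update(chunk)
    return size, md5.hexdigest(), sha1.hexdigest()


def verify(path, expected):
    """Return a list of mismatch descriptions; an empty list means all match."""
    size, md5_hex, sha1_hex = file_digests(path)
    problems = []
    if size != expected["size"]:
        problems.append(f"size: got {size}, expected {expected['size']}")
    for label, got in (("md5", md5_hex), ("sha1", sha1_hex)):
        # Published checksums may be pasted in upper case or with whitespace.
        want = expected[label].strip().lower()
        if not hmac.compare_digest(got, want):
            problems.append(f"{label}: got {got}, expected {want}")
    return problems


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else PUBLISHED["name"]
    if not os.path.isfile(target):
        sys.exit(f"{target}: file not found")
    issues = verify(target, PUBLISHED)
    for line in issues:
        print("MISMATCH", line)
    print("FAILED" if issues else "OK: size, MD5 and SHA1 match")
    sys.exit(1 if issues else 0)
```

A match shows that the file is byte-for-byte the one these values were computed from; it says nothing about how any particular scanner will classify it.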


Update on 14 Dec 2008

I've received a reply from Kaspersky. They confirm that the original mkvtoolnix-unicode-2.4.1-setup.exe I've sent them was a false positive.

© 2002 - 2015 Moritz Bunkus