[solved] Windows Defender killed DirectShow dll (1 Viewer)

[Eaglehawk]

I'm pretty sure it's a false positive:

TrojanSpy:Win32/Skeeyah.A!rfn

C:\Program Files (x86)\Team MediaPortal\MP2-Client\Plugins\VideoPlayers\DirectShowWrapper.dll

 

[HTPCSourcer]

I'm pretty sure it's a false positive:
C:\Program Files (x86)\Team MediaPortal\MP2-Client\Plugins\VideoPlayers\DirectShowWrapper.dll

Well, I am not.

I don't get an an alert here when explicitely testing the file with Defender. The file on my system is version 2.16.4.7790 with a size of 257 kB

 

[Eaglehawk]

Yep, same version. Size is 263,680 bytes.

Definition 1.223.788.0 still claiming it's infected.

Here's the report on my file:

https://www.virustotal.com/en/file/...5829b4821c23702e1a0257e2463319d7b8c/analysis/

 

[HTPCSourcer]

OK, the latest available definitions (from today) trigger the same alert here. I did update this morning when the new definitions were not yet available.

47 of 56 online scanners have no issue with it, the others suspect some keylogging elements. I believe that you can safely ignore the alert.

 

[Eaglehawk]

I agree, let's hope it doesn't kill too many MP2 installs

 

[JohnHind]

I'm seeing this too - reluctant to just take a majority verdict of virus scanners particularly when reputible ones like Kaspersky are reporting it - maybe the others are just slower to update? Could MediaPortal team scan a known good version to confirm this is false positive? Maybe also publish a checksum so we can be sure this is not a targeted attack with someone slipping in a "ringer" file?

 

[Eaglehawk]

Some hash information...

http://www.isthisfilesafe.com/sha1/4C1F36D0454FA3C9CD464C4BA94BD6DFF88667CD_details.aspx

 

[JohnHind]

@Eaglehawk - That is the hash of the file that EMSIsoft say is infected! I meant the hash of the file that MediaPortal team officially distribute and stand by as safe. If it is a false positive, the file will be the same, but if it is a ringer someone else has infiltrated after instalation, then it would be different and probably the same as the one EMSIsoft tested. However, for the record my copy of the file matches the EMSIsoft report.

 

[HTPCSourcer]

@morpheus_xx ,

I don't think that we have changed the file since we released Spring 16.

Any comments?

 

[TiVo]

I installed MP 2 for the first time from the official download over the last week.
One as client / server to a 64 bit Windows 10 (upgrade from 7).
One as a client to a 64 bit Windows 10 (upgrade from 7).
One as a client to a 64 bit Windows 10 new purchase OEM.

All three had Windows Defender quarantine C:\Program Files (x86)\Team MediaPortal\MP2-Client\Plugins\VideoPlayers\DirectShowWrapper.dll as above.