this post was submitted on 28 Sep 2023
60 points (94.1% liked)

I just tried opening a video I had gotten from Pahe many years ago, from an external USB drive, and have now gotten a Windows Security warning, 'Do you want to open this file?' (see top part of attached image)

I moved the file to another folder and renamed it from the original title (it was an episode of 'The Blacklist') to 'Movie.mkv' and still get the warning. All files in the folder (22 of them) give this warning, plus some other videos I got from Pahe in the past. Clicking the checkbox 'always ask before opening this file' does not keep other files in the same folder from also showing the warning. I tried changing the default video player to PotPlayer, same warning comes up.

The only thing I can think of is that in the metadata of the file (bottom part of image), under 'Encoded By', it shows a URL, 'pahe (DOT) in and pahe (DOT) li'

Is there any way this could actually be a security issue? If not, is there a way to 'green light' my MKV files on my local drives?

Thanks in advance

top 26 comments
[–] aeronmelon@lemm.ee 28 points 1 year ago (2 children)

.mkv files are just containers with a bunch of separate files inside. You can theoretically hide any kind of file inside, including an executable, so it might just be a blanket warning.

[–] sebinspace@lemmy.world 9 points 1 year ago (2 children)

Hence the name “matryoshka”

[–] Kelo@lemmy.world 1 points 1 year ago

Oh, wow. TIL

[–] AnUnusualRelic@lemmy.world 1 points 1 year ago

That's the case for a lot of media and generic data formats.

[–] dingus@lemmy.ml 20 points 1 year ago* (last edited 1 year ago) (1 children)

What's the actual warning? Is it the one about "do you really trust this file you found online?" or is it Windows Defender saying it's infected?

It could potentially recognize from the metadata that the files were downloaded from the internet, but I'm not sure why it would do it to just a video file.

I tend to get warnings for things I install from the internet, not just video files I've downloaded.

[–] phx@lemmy.ca 12 points 1 year ago (1 children)

It could also be an actual infected file that wasn't caught by AV before, but is with updated signatures. That or the current signatures could have a false positive. It happens.

[–] dingus@lemmy.ml 11 points 1 year ago

Exactly, which is why the type of warning they're getting matters.

[–] Overboard8171@startrek.website 10 points 1 year ago (2 children)

Has any of you considered pirated files might be marked someday for automatic deletion? Until that happens, Windows Defender tries scaring you into not using them.

[–] kryllic@programming.dev 5 points 1 year ago

I would just love to see the fallout if Microsoft did this, just arbitrarily remove content it deems to not be suitable for its users. More Linux converts for sure

[–] verdantbanana@lemmy.world 0 points 1 year ago (1 children)

we are already here

pirated hogwarts legacy will have the main exe automatically deleted by defender upon execution

Yah but that's not new, AV never liked the packers. The difference here is the silent deletion :(

[–] GoldCross@lemmy.dbzer0.com 10 points 1 year ago (1 children)

I used MKVToolNix to check out the video file. Inside the MKV container appears to be: an H264 video file, an AAC audio file, 3x VobSubs, chaptering info, and 'global tags'. If I uncheck the 'Global Tags' entry and save the rest as a new MKV, the video opens in Windows 10 without any warning message from Windows Security.

I don't see anything in the properties data for 'global tags' that looks suspicious, or even has any entries at all (such as for timestamps, video properties, color information, color mastering meta information, etc.). I don't know WHY having a 'global tags' "thing" in the MKV is causing the security warning.

Unless there's a way to have Windows 'ignore' the 'global tags' part of an MKV, I guess I will just re-multiplex the videos with that part removed.

(Sorry it took so long to reply, I didn't have my lemmy password saved to my online password manager and had to wait until I got back to my media PC to update the posts)

Thanks for the replies

[–] Onihikage@beehaw.org 3 points 1 year ago (1 children)

I suspect what you really did by removing the global tags was change the file's hash to something brand new so it was no longer on Defender's list of suspicious files. Try removing different aspects of the MKV or add a random text file as an extra subtitle and see if any of those MKVs are also flagged; they probably won't be.

[–] IverCoder@lemm.ee 2 points 1 year ago

If it's this, it's likely that the MKV file OP had just happened to hash-collide with a different known malware and caused Defender to recognize it.

[–] db2@sopuli.xyz 8 points 1 year ago

Try removing or overwriting that tag, see if it fixes it.

[–] Moonrise2473@feddit.it 8 points 1 year ago (1 children)
[–] Automated_Handprint@lemmy.dbzer0.com 2 points 1 year ago* (last edited 1 year ago)

This is it. I remember watching a video about this a while ago but can't find it. It has nothing to do with pahe or mkv

[–] 01189998819991197253@infosec.pub 7 points 1 year ago (1 children)

Upload it to VirusTotal and let their meta engine scan it.

[–] GoldCross@lemmy.dbzer0.com 5 points 1 year ago (1 children)

Thx for the suggestion, I forgot about doing that. However, VirusTotal shows a 0 / 59 for any threats.

If VirusTotal says it is not infected, I would say the likelihood of it being infected is very very low.

[–] HumanPerson@sh.itjust.works 3 points 1 year ago

This is something Windows is known to do. I don’t use Windows and don’t know how to disable it other than installing Linux, but it is definitely safe.

[–] taaz@biglemmowski.win 3 points 1 year ago

Scan it with a different AV, like MBAM for example, and if it also detects, try googling the name of the detected malware.

[–] GoldCross@lemmy.dbzer0.com 2 points 1 year ago

This is what VLC shows in media information for the file

[–] GoldCross@lemmy.dbzer0.com 2 points 1 year ago (1 children)

I thought I embedded the warning message in the first post, trying again here

[–] skullgiver@popplesburger.hilciferous.nl 7 points 1 year ago* (last edited 1 year ago)

I've never seen an MKV file carry the Mark of the Web before.

Are you sure that's just a video file, and not a shady combination of an executable and an MKV? It's not exactly hard to give an executable the Windows icon for an MKV file and call it Movie.mkv.exe (or mask the executable nature in some other way).

There are also various known exploits for (old versions of) media players that may trigger security warnings for all kinds of files, although Windows will usually quarantine those rather than prompt you like this.
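
The checks raised in the comment above (is the file really Matroska, does its name end in an executable extension, does it carry a Mark of the Web), as an added example that is not part of the thread or any poster's code. All function names are hypothetical; the `Zone.Identifier` read only succeeds on Windows with NTFS and returns `None` elsewhere.

```python
import os

EBML_MAGIC = b"\x1a\x45\xdf\xa3"  # first four bytes of every Matroska/WebM file
PE_MAGIC = b"MZ"                   # DOS/PE executable header
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".lnk", ".js", ".vbs"}
# Constructed sample of a Zone.Identifier stream (ZoneId 3 = Internet zone)
SAMPLE_ZONE = "[ZoneTransfer]\r\nZoneId=3\r\n"

def sniff_container(path):
    """Classify a file by its leading bytes, ignoring its name and icon."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head == EBML_MAGIC:
        return "matroska"
    if head[:2] == PE_MAGIC:
        return "pe-executable"
    return "unknown"

def parse_zone_identifier(text):
    """Parse the INI-style text of a Zone.Identifier stream into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def read_motw(path):
    """Return Zone.Identifier fields, or None if the stream is absent."""
    try:
        with open(path + ":Zone.Identifier", "r", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None

def triage(path):
    """Collect findings worth checking before opening a supposed video."""
    findings = []
    kind = sniff_container(path)
    if kind != "matroska":
        findings.append(f"content is {kind}, not Matroska")
    if os.path.splitext(path.lower())[1] in EXEC_EXTS:
        findings.append("final extension is executable")
    motw = read_motw(path)
    if motw and motw.get("ZoneId") in {"3", "4"}:
        findings.append("Mark of the Web: ZoneId=" + motw["ZoneId"])
    return findings
```

An empty list from `triage` means the file starts with the EBML header, has a non-executable final extension, and has no Internet or Restricted zone marker; it says nothing about the container's contents.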