Resolve 18.0.1 - Windows Defender A/V Claims Infection


lanstar

  • Posts: 4
  • Joined: Sat Aug 13, 2022 2:44 pm
  • Real Name: Timothy Pearson

Resolve 18.0.1 - Windows Defender A/V Claims Infection

Posted: Sat Aug 13, 2022 2:55 pm

Hi all,

Just downloaded the 18.0.1 update to Resolve Studio. When unzipping the installer on a Windows 10 machine with Windows Defender Antivirus real-time scanning turned on, Windows Defender issues an alert that the installer is infected with something called a "ravadon.e" trojan.

I did not launch the installer after receiving this warning.

Since the Defender virus definition files change all the time, I wanted you to know this came from version 1.373.277.0 of Defender - updated on 8/13/2022 at 8:47AM Central Daylight Time in the USA.

Has anyone else seen this? Did some sort of malware actually creep into this release? How should Resolve Studio customers proceed?

Thanks!

Tim

lkupersmith

  • Posts: 5
  • Joined: Sat Dec 19, 2020 10:31 pm
  • Real Name: Lee Kupersmith

Windows Defender warns of virus in 18.0.1

Posted: Sat Aug 13, 2022 9:07 pm

I wanted to update my Resolve Studio 17 to 18 today and while unzipping the download file, I get a warning from Defender about DaVinci_Resolve_Studio_18.0.1_Windows.exe being infected with Trojan:Win32/Ravadon.E

Malwarebytes (Free) doesn't see anything but I'm still hesitant to install. The file is too large to scan online with VirusTotal.

Just looking for assurances that this is a known false positive.

Charles Bennett

  • Posts: 6283
  • Joined: Sat Nov 05, 2016 11:55 am
  • Location: United Kingdom

Re: Windows Defender warns of virus in 18.0.1

Posted: Sun Aug 14, 2022 9:24 am

If you downloaded from the Blackmagic Support page then there is no problem. I use Windows Defender and get no such warning about Resolve.
Resolve Studio 19.0b1 build 20
Dell XPS 8700 i7-4790, 24GB RAM, 2 x Evo 860 SSDs, GTX1060/6GB (551.86 Studio Driver), Win10 Home (22H2), Speed Editor, Faderport mk1, Eizo ColorEdge CS230 + BenQ GW2270 + Samsung SA200, Canon C100mk2, Zoom H2n.

SkierEvans

  • Posts: 989
  • Joined: Wed Jan 24, 2018 9:59 pm
  • Location: Ottawa, Ontario
  • Real Name: Ron Evans

Re: Resolve 18.0.1 - Windows Defender A/V Claims Infection

Posted: Sun Aug 14, 2022 12:28 pm

I only have Defender on my PC editor and did not have this problem. How did you download the update? From the BM site or from within Resolve?
Threadripper 1920, Gigabyte X399 DESIGNARE EX, 32G RAM, Gigabyte 4070Ti 12G, ASUS PB328Q, IP4K, WIN10 Pro 22H2, Speed Editor

Resolve Studio 18, EDIUS 9WG,EDIUS X WG, Vegas 18

Studio Max M1 24 core GPU, 32G, 1T drive. iPad Pro 12.9` M2 16G, 1T

Leslie Wand

  • Posts: 723
  • Joined: Wed Jul 24, 2013 5:56 am
  • Location: rural nsw, australia

Re: Resolve 18.0.1 - Windows Defender A/V Claims Infection

Posted: Sun Aug 14, 2022 12:45 pm

+1 skierevans.

where did you get the download from?
www.lesliewand.com.au
amd5 5800x / 32gb ram / rtx 3050 8gb / win 10 pro
sony ex3, sony a6400

Leslie Wand

  • Posts: 723
  • Joined: Wed Jul 24, 2013 5:56 am
  • Location: rural nsw, australia

Re: Windows Defender warns of virus in 18.0.1

Posted: Sun Aug 14, 2022 12:46 pm

+1 charles

Jim Simon

  • Posts: 30295
  • Joined: Fri Dec 23, 2016 1:47 am

Re: Windows Defender warns of virus in 18.0.1

Posted: Sun Aug 14, 2022 1:55 pm

Same as Charles for me.
My Biases:

You NEED training.
You NEED a desktop.
You NEED a calibrated (non-computer) display.

Jim Simon

  • Posts: 30295
  • Joined: Fri Dec 23, 2016 1:47 am

Re: Resolve 18.0.1 - Windows Defender A/V Claims Infection

Posted: Sun Aug 14, 2022 1:56 pm

That's not normal, Tim.

lanstar

  • Posts: 4
  • Joined: Sat Aug 13, 2022 2:44 pm
  • Real Name: Timothy Pearson

Re: Resolve 18.0.1 - Windows Defender A/V Claims Infection

Posted: Sun Aug 14, 2022 2:33 pm

SkierEvans wrote: I only have Defender on my PC editor and did not have this problem. How did you download the update? From the BM site or from within Resolve?


Sorry, I should have included the source. The .zip came from clicking the "download" button on the update notice that comes up within Resolve when a new version is available. So it should have been the official Blackmagic .zip.

I think it's quite likely that this is a "false positive" - but was afraid to proceed with the install until I'd made an attempt to confirm.

There are thousands of Windows 10 machines with Defender out there running Resolve Studio... and of those thousands, some hundreds to thousands have likely downloaded this 18.0.1 update; of those who have downloaded the update, at least a good percentage of them will have up-to-date virus definition files installed for Defender. So if this is a real issue, several more people besides just me should be experiencing it.

I'll hold off another few days. If I don't hear any me-too's here in the forum about others with this issue, I'll feel a lot more confident.

Charles Bennett

  • Posts: 6283
  • Joined: Sat Nov 05, 2016 11:55 am
  • Location: United Kingdom

Re: Resolve 18.0.1 - Windows Defender A/V Claims Infection

Posted: Sun Aug 14, 2022 3:42 pm

I, too, use only Defender and never see this warning. This is the only place where you should be downloading from, BMD's own Support page.
Attachment: Resolve Downloads.jpg

lkupersmith

  • Posts: 5
  • Joined: Sat Dec 19, 2020 10:31 pm
  • Real Name: Lee Kupersmith

Re: Resolve 18.0.1 - Windows Defender A/V Claims Infection

Posted: Sun Aug 14, 2022 4:16 pm

I got the exact virus warning, also from Windows Defender upon unzipping the downloaded file.

Originally, I downloaded via the popup in Resolve offering an update. Then after getting the warning, I downloaded again through the link on the BMD website. Same error.
I'm afraid to run the installation file until I can download a "clean" file.

lkupersmith

  • Posts: 5
  • Joined: Sat Dec 19, 2020 10:31 pm
  • Real Name: Lee Kupersmith

Re: Windows Defender warns of virus in 18.0.1

Posted: Sun Aug 14, 2022 4:17 pm

I've moved my replies to a similar thread at viewforum.php?f=21

Nick2021

  • Posts: 760
  • Joined: Thu May 13, 2021 3:19 am
  • Real Name: Nick Zentena

Re: Resolve 18.0.1 - Windows Defender A/V Claims Infection

Posted: Sun Aug 14, 2022 5:32 pm

lanstar wrote: Hi all,

"ravadon.e" trojan.



If you google that all I see is various references to the Nvidia gaming drivers.

Charles Bennett

  • Posts: 6283
  • Joined: Sat Nov 05, 2016 11:55 am
  • Location: United Kingdom

Re: Resolve 18.0.1 - Windows Defender A/V Claims Infection

Posted: Sun Aug 14, 2022 9:02 pm

You should try the Nvidia Studio driver. Also only download Nvidia drivers from nvidia.com. Not had any problems with Defender warnings doing this.

Charles Bennett

  • Posts: 6283
  • Joined: Sat Nov 05, 2016 11:55 am
  • Location: United Kingdom

Re: Resolve 18.0.1 - Windows Defender A/V Claims Infection

Posted: Mon Aug 15, 2022 10:15 am

You might need to consider if that trojan is already lurking on your computer and not actually part of the Resolve download.

eli_singer

  • Posts: 43
  • Joined: Fri Nov 06, 2015 1:59 am

Re: Resolve 18.0.1 - Windows Defender A/V Claims Infection

Posted: Mon Aug 15, 2022 11:59 am

I too get this same warning, and also got the file via the update tool inside Resolve.
Any response from BMD on this? Seems like a problem beyond 1 user according to this thread...

Eli

lanstar

  • Posts: 4
  • Joined: Sat Aug 13, 2022 2:44 pm
  • Real Name: Timothy Pearson

Re: Resolve 18.0.1 - Windows Defender A/V Claims Infection

Posted: Mon Aug 15, 2022 1:10 pm

I, too, would feel better were there some sort of input from BMD developers.

Some have commented about the infection we're all detecting being related to nVidia drivers on our machines. I would reiterate that the warning appears when doing nothing more than unzipping the Resolve installer.... the unzip utility is just reading the .zip, uncompressing the contents, and writing the uncompressed .exe installer. Defender is doing nothing more than watching what the unzip utility is writing to disk. It sees a pattern match and issues an alert.

It's also nearly certain that Resolve contains libraries of code copied in from nVidia repositories to assist BMD programmers in accessing the GPU and other features of those graphics card models.... without having to code all the low-level stuff. So an nVidia related trojan could have crept in to the latest nVidia-provided developer library that BMD incorporated (quite innocently and with good intentions) into this release. Nothing to do with the nVidia drivers on the client machine(s).... Nothing intentional on anyone's part... but stuff like that happens sometimes.

Can anyone bump this anomaly "upstairs" to the developers and see what they say?

Thanks!

Tim

Charles Bennett

  • Posts: 6283
  • Joined: Sat Nov 05, 2016 11:55 am
  • Location: United Kingdom

Re: Resolve 18.0.1 - Windows Defender A/V Claims Infection

Posted: Mon Aug 15, 2022 4:53 pm

What app did you use to extract (unzip) the files? I use the one built into Windows.
Attachment: File extraction.jpg

I have not had this problem with the 18.0.1 Studio version nor the download of the latest Studio driver from Nvidia.
The one thing I don't do is use the update notifications from BMD.

UPDATE
I have literally just done a test by downloading Studio 18.0.1 and unzipping it. No trojan detected by Defender. So as I said the trojan may already be on your computer. I would give it a scan if I were you.

eli_singer

  • Posts: 43
  • Joined: Fri Nov 06, 2015 1:59 am

Re: Resolve 18.0.1 - Windows Defender A/V Claims Infection

Posted: Mon Aug 15, 2022 5:05 pm

This is happening to too many people to think they all got a Trojan horse anyway, especially since this is linked directly to an installation file from BMD.
So this needs to be addressed on another level.

Eli

Charles Bennett

  • Posts: 6283
  • Joined: Sat Nov 05, 2016 11:55 am
  • Location: United Kingdom

Re: Resolve 18.0.1 - Windows Defender A/V Claims Infection

Posted: Mon Aug 15, 2022 5:14 pm

Well, I've just downloaded the free version of 18.0.1 and unzipped that. Still no trojan warning. So I cannot reproduce this problem with my system.

lanstar

  • Posts: 4
  • Joined: Sat Aug 13, 2022 2:44 pm
  • Real Name: Timothy Pearson

Re: Resolve 18.0.1 - Windows Defender A/V Claims Infection

Posted: Mon Aug 15, 2022 6:21 pm

Charles Bennett wrote: What app did you use to extract (unzip) the files? I use the one built into Windows.


I use the same.

Charles Bennett wrote: I have not had this problem with the 18.0.1 Studio version nor the download of the latest Studio driver from Nvidia.

I've not had any issues/reports from the latest nVidia studio driver either. However, there's no telling what nVidia developer kit version might be embedded in Resolve. That's a different thing than the drivers and is downloaded and used by folks who develop software to work with nVidia products.

Charles Bennett wrote: The one thing I don't do is use the update notifications from BMD.

I downloaded both and ran CRC checks on the exe's. The .zips downloaded using each method have the same CRC - meaning they are bit-for-bit identical.

Charles Bennett wrote: UPDATE
I have literally just done a test by downloading Studio 18.0.1 and unzipping it. No trojan detected by Defender.


The Defender version that's giving the warning is v1.373.277.0 of Defender. Perhaps your version is different (newer or older)? I keep looking for new updates for Defender but haven't had Windows Update offer to download one yet. I'll keep trying that too.

Charles Bennett wrote: So as I said the trojan may already be on your computer. I would give it a scan if I were you.


I've done that and my system is clean. However, we already know the (potentially false positive) "infection" is in the Resolve installer .exe... that's because Defender reported the Davinci Resolve installer .exe that was being extracted as the infected file... I can make the warning from Defender appear over and over, just by attempting to re-extract this file from the .zip (where the virus signature is masked because the data in the .zip is compressed).

This is a real puzzler... there are some (perhaps only a few) who are having this issue and others (perhaps many) who can't reproduce the issue.. the version of Defender mentioned above (1.373.277.0) could likely be a critical requirement. I'll keep looking for both defender updates and for newer versions of the installer .zip (different CRC and/or time/date stamp) than the one I have now.

Thanks!

Tim

RCModelReviews

  • Posts: 1234
  • Joined: Wed Jun 06, 2018 1:39 am
  • Real Name: Bruce Simpson

Re: Resolve 18.0.1 - Windows Defender A/V Claims Infection

Posted: Mon Aug 15, 2022 6:36 pm

It is not unheard of for Windows Defender and other AV software to give false-flags. This usually happens because, simply by coincidence, there's a sequence of bytes in the code that just happens to match the fingerprint that the AV software is using to identify malware.

BMD should be onto this ASAP because until we've confirmed it is just a false-flag then you'll still be taking a risk if you want to put this code onto your system.
Resolve 18.1 Studio, Fusion 9 Studio
CPU: i7 8700, OS: Windows 10 32GB RAM, GPU: RTX3060
I'm refugee from Sony Vegas slicing video for my YouTube channels.

lkupersmith

  • Posts: 5
  • Joined: Sat Dec 19, 2020 10:31 pm
  • Real Name: Lee Kupersmith

Re: Resolve 18.0.1 - Windows Defender A/V Claims Infection

Posted: Mon Aug 15, 2022 7:17 pm

I'm running Defender v1.373.421.0 on Windows 10 with nVidia Studio Driver 511.65

If I unzip the download file using 7-Zip v22.01 I get the warning during the extraction.
If I unzip the file using Windows 10 Explorer, I do not get a warning.

If I scan the .exe after it is extracted using either 7-Zip or Explorer, I do not get a warning.

If I extract any other .zip file using 7-Zip, I do not get a warning, so I do not think it is a 7-Zip problem.
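
An added example (not part of any poster's message, and not Blackmagic's or Microsoft's own tooling): a PowerShell triage of the checks described in the two posts above, comparing the two downloads by SHA-256 rather than CRC, checking the extracted installer's Authenticode signature, recording the Defender definition version, and scanning the .exe on demand. The function name and all paths are hypothetical; it assumes Windows 10 with the built-in Defender cmdlets and an elevated session.

```powershell
# Added example. Get-InstallerTriage and every path below are hypothetical.
function Get-InstallerTriage {
    param(
        [Parameter(Mandatory)] [string] $ZipFromUpdater,  # .zip fetched via the in-app update notice
        [Parameter(Mandatory)] [string] $ZipFromWebsite,  # .zip fetched from the vendor support page
        [Parameter(Mandatory)] [string] $ExtractedExe     # installer .exe extracted from either .zip
    )
    $exe = (Resolve-Path -LiteralPath $ExtractedExe).Path

    # 1. SHA-256 rather than CRC: a CRC detects accidental corruption only,
    #    while a cryptographic hash also rules out deliberate modification.
    $h1 = (Get-FileHash -LiteralPath $ZipFromUpdater -Algorithm SHA256).Hash
    $h2 = (Get-FileHash -LiteralPath $ZipFromWebsite -Algorithm SHA256).Hash

    # 2. Authenticode status of the extracted installer (Valid, NotSigned, HashMismatch, ...).
    $sig = Get-AuthenticodeSignature -LiteralPath $exe

    # 3. Definition version in use, so reports from different machines can be compared.
    $mp = Get-MpComputerStatus

    # 4. On-demand scan of the file at rest, separate from the real-time alert
    #    raised while the archive tool was writing it.
    Start-MpScan -ScanType CustomScan -ScanPath $exe

    # 5. Detections Defender has recorded against this path.
    $hits = @(Get-MpThreatDetection |
              Where-Object { $_.Resources -match [regex]::Escape($exe) })

    [pscustomobject]@{
        ZipsIdentical      = ($h1 -eq $h2)
        ZipSha256          = $h1
        SignatureStatus    = $sig.Status
        Signer             = $sig.SignerCertificate.Subject
        DefenderDefinition = $mp.AntivirusSignatureVersion
        DetectionsForExe   = $hits.Count
        ThreatIds          = $hits.ThreatID
    }
}

# Placeholder paths: substitute the real download and extraction locations.
Get-InstallerTriage -ZipFromUpdater 'C:\Temp\updater\installer.zip' `
                    -ZipFromWebsite 'C:\Temp\website\installer.zip' `
                    -ExtractedExe   'C:\Temp\extracted\installer.exe'
```

Matching hashes show that both download routes delivered the same file, not that the file is clean; the signature status and the definition version are what let a report be compared across machines.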

SkierEvans

  • Posts: 989
  • Joined: Wed Jan 24, 2018 9:59 pm
  • Location: Ottawa, Ontario
  • Real Name: Ron Evans

Re: Resolve 18.0.1 - Windows Defender A/V Claims Infection

Posted: Mon Aug 15, 2022 7:31 pm

My Threadripper is Win 10 Pro 21H2 with Defender 1.373.421.0. Second PC is 4790K with Win10 Home 21H2, same version numbers as Threadripper. I do not have 7 Zip installed on any PC so extraction was Windows. Download was with Chrome in both cases. Seems like 7 Zip is involved in some way.

Jim Simon

  • Posts: 30295
  • Joined: Fri Dec 23, 2016 1:47 am

Re: Resolve 18.0.1 - Windows Defender A/V Claims Infection

Posted: Mon Aug 15, 2022 8:23 pm

SkierEvans wrote: Seems like 7 Zip is involved in some way.
That's what I use. Never had any warnings about Resolve.