Malwarebytes flags RawTherapee as Ransomware

I am not sure if anyone else uses Malware Bytes but it suddenly started flagging Raw Therapee as ransomware and uninstalls it from your system. Not sure if this is an issue with the coding of Raw Therapee or with Malware Byte’s definitions but thought people here would like to know.

You should manually add the RT installer and installed folder and exe files to your anti-virus’ exclusion list.

Not much we can do about that.

Sounds suspicious

Avast has recently eaten away two RT dev installers from my laptop. (Without notification, being in “gaming” mode, to avoid advertisements.)

There is also the evil SmartScreen Win10 feature, getting less controllable with every OS update. It looks that installing “unknown” programs will become more complicated in the future. On Windows.

Not really, since modern anti virus is all heuristics and signatures, and given the fact that it’s in the anti virus’ best interest to be over aggressive and show the user the value.


All your raws are belong to us.

I hash and scan all official uploads using 60 antivirus programs before uploading them. Basically if your antivirus complains, get a better antivirus. There is also the possibility that your computer is infected and it infected the RT installer when you downloaded it.

1 Like

@chgruver @pittendrigh Well, the good thing about open source software is that things are usually very transparent, so any foul play would be found out very quickly. Of course, that becomes increasingly difficult to determine as the project grows in complexity. As long as you grab RT from trusted sources, you should be fine.

For the dev builds you can find here:

  • malwarebyte on my machine
  • systematic scan with windows defender
  • gpg signature
  • upload on google drive (with scan made by google)

from time to time use of google virustotal.

@Morgan_Hardwood do you have a bash script to send file and receive results from virustotal?

@gaaned92 I don’t use bash for that.

Ok I accept that explanation. I am a big fan of RawTherapee. It took me a long time to give up UFRAW and switch. My photographs have now, suddenly taken a big leap forward.

I also had the same today withRawtherapee 5.8 and Avast.

It said that rawtherapee tries to modify a File called “pictures”, whose path i unfortunately can’t remember, but it was somewhere in C/users/userName/…
That seems to be the reason why Avast was alerted by RawTherapee. I don’t know wha RawTherapee does there, and why. Maybe it’s just accidentally trying to get write access for something where it only needs read access? I’d be curious what it does there.

That’s the default user picture folder. If you open an image from this folder in RawTherapee, it will try to write a pp3 file for this image into the same folder.

Makes sense. But I never use this folder, and the complaint from Avast came when RT 5.8 was started the first time, before I had the chance to make it do anything. Maybe it’s writing something there as part of thumbnail generation?

Also strange that I think that Avast was complaining about a file called “pictures”, not a folder. But that might just be a confusion on Avast’s side.

1 Like