Subscriber Discussion

Hikvision HD-TVI DVR Exported Video Infected?

Avatar
Jon Dillabaugh
Jun 17, 2016
Pro Focus LLC

We are evaluating a Hikvision DS-7208HGHI-SH TVI DVR firmware v. 3.1.10 and after exporting some clips via USB drive, the contents that it adds was as follows:

When I attempt to open PLAYER.EXE, my Malwarebytes quarantines the file immediately.

Anyone else have this issue? I can play the file using VLC without issues.

(1)
(1)
(1)
JH
John Honovich
Jun 17, 2016
IPVM

It could be a false positive from Malwarebytes. I am not sure how to verify it one way or the other.

I forwarded this to Hikvision. Recently, they have not been responding to our technical requests but I am hoping they take this report seriously.

U
Undisclosed #1
Jun 19, 2016
IPVMU Certified

I forwarded this to Hikvision. Recently, they have not been responding to our technical requests.

They don't support third party malware.

(1)
(1)
(2)
(6)
JD
Jason Dziegiel
Jun 17, 2016
IPVMU Certified

You could go to VirusTotal and upload the player and it will check various different antivirus programs.

May be a false positive but this would be a good way to know for sure.

(3)
Avatar
Jon Dillabaugh
Jun 17, 2016
Pro Focus LLC

7/55 sounds like it is a false positive?

U
Undisclosed #1
Jun 17, 2016
IPVMU Certified

The critical piece of information is *how* was this flagged? Generally there are two type of detection, signature based and heuristic based.

If its signature based, which means that an exact portion of the bytecode of player.exe matches a known virus then 99% it is likely to be an actual virus.

If its a heuristc one, then the conclusions are 'soft' and based on general criteria that may be too broadly applied.

Also, you must keep in mind that a lot of these av products share the same heuristic program, so what loks like 7 matches may really be 1 or 2 unique engines.

Do you have this screen?

You could try disabling heuristics and see if it still gets flagged or not.

Avatar
Luis Carmona
Jun 17, 2016
Geutebruck USA • IPVMU Certified

I agree it could be a false positive, but how many times has this been reported with other brands?

(hehe)

UM
Undisclosed Manufacturer #2
Jun 17, 2016

I once wrote a simple Windows program in C++ that did nothing more than pop up an empty window. In fact it was unmodified code from Microsoft's Visual Studio MFC wizard. So I knew for a fact that it contained no viruses (I had the full source code and compiled it myself.) I submitted it for Virus scanning to virustotal.com and it scanned it with about 40 or so different virus scanners and from memory, two of them came back positive - which of course was wrong. So false positives are perhaps more common than you think.

Avatar
Jon Dillabaugh
Jun 17, 2016
Pro Focus LLC

Did you get your version of VS from Baidu Yunpan?

UM
Undisclosed Manufacturer #2
Jun 18, 2016

I got it from Microsoft MSDN downloads, all clean and paid for. I have just been trying to repeat it, but I can't, this time no false positives, but when I tried it over a year or two ago, I swear it had a couple of false hits.

But, I just uploaded another application I had written and just compiled from source code, and I did get 1 out of 55 false hits, however that application been put through a packer (UPX), so that might be why.

U
Undisclosed #1
Jun 18, 2016
IPVMU Certified

I once wrote a simple Windows program in C++ that did nothing more than pop up an empty window.

Suspicious, don't you think?

UM
Undisclosed Manufacturer #2
Jun 18, 2016

That a couple of obscure AV scanners out of about 50 gave false positives? Is it really that Suspicious? It is possible I had ran them through the UPX packer and just don't remember, but I don't think i did.

U
Undisclosed #1
Jun 18, 2016
IPVMU Certified

That a couple of obscure AV scanners out of about 50 gave false positives? Is it really that Suspicious?

No, it's not.

What I said was suspicious was your program that did nothing but pop-up an empty window. Gen 1 algorithms were infamous for triggering on the specious:

Heuristics on the other hand is a very different ball game and this is how most false positives are generated. In the early days of heuristics, these detections were triggered because something was exhibiting behavior similar to that of known malware, or not typical of the file type it was supposed to be. Unfortunately, in order to wring the last drop of nonsense out of claims by vendors to protect against everything, heuristic detection rules have been expanded to include such bizarre incidences as the host website not having much traffic. Quite obviously, most software from new developers will fall into this category and so be automatically flagged as dangerous. - Gizmo's

UM
Undisclosed Manufacturer #2
Jun 18, 2016

I figure that if it really deserved to be categorized as suspicious, it would have been the more reputable scanners that would have flagged it. And I doubt any of them would have been so sophisticated that they could know that the program only popped up a window. More likely, they just weren't very good.

U
Undisclosed #1
Jun 18, 2016
IPVMU Certified

First, let me make clear when I said:

Suspicious, don't you think?

I was being facetious. I didn't believe it suspicious, but a its just the sort of thing that a fledgling AV heuristic might erroneously find suspicious.

And I doubt any of them would have been so sophisticated that they could know that the program only popped up a window. More likely, they just weren't very good.

More likely both sophisticated (or trying to be) AND not very good.

Why? Because unsophisticated AV relies only on matching exact signatures, i.e. strings of bytecode, against known threats. It couldn't get much simpler.

Sure a developer *could* mess this up, but in your case there were two programs that reported it. Moreover, as you admit yourself, the code consisted of little more than stock MS libraries that would be present on 90% of all target machines, as well as the test machines of the the developers tested.

Also, for the last 10 years, AV programs even cheap ones, have had rudimentary heuristics built-in.

Are they sophisticated enough to know your program just puts up a blank window, with no input, and the code dead ends? This is what Symantec says about heuristics in general:

...the dynamic heuristic scanner uses CPU emulation to gather its information. After some initial sanity checks, the dynamic heuristic scanner loads the suspect executable file into a virtual computer and emulates its execution. The program being emulated has no idea it is running inside of a simulated computer; it believes it’s running on a real system. As the program runs within the virtual computer, it exhibits behaviors that are cataloged by the dynamic scanner.

The problem with this approach is that virus writers know about heuristics, so they intentionally write code that tries to obscure what it normally does, usually by not activating anything hinky unless it knows it's really 'in the Wild'. Instead it just acts like a simple program doing nothing.

Like your real program does.

Also, btw, this Trojan.agent.ply of Jon's is also a heuristic match. You can tell by the description. If it were an exact signature match it would tell you the full description of the "known" virus.

Instead, it is just telling us that there is a behavior that looks suspicious. But it's just a guess.

UM
Undisclosed Manufacturer #2
Jun 18, 2016

I don't disagree with any of that, but I will say I am not convinced enough regarding the state of the art of "heuristic scanners using CPU emulation..." or similar methods to hand any money over to AV companies for those features. These days I prefer to rely on safe browsing habits instead, and the default products built into Windows 10. Why? because in the last few years, they only ever give me false positives (although they may be still be worth buying for their firewalls and other utilities)

Incidentally, one problem that is quite annoying for developers is adding license protection code and making that code hard to reverse engineer (for example code virtualization techniques). Annoyingly, malware writers use these same tools/products to make it hard to reverse engineer and extract their code, so AV products have a tendency to flag any application containing some of these license protection products as suspicious. Only way seems to be to submit your application to the virus vendors for the purpose of creating white lists - although I have not tried this.

MI
Matt Ion
Jun 19, 2016

FWIW, I've had a few different police departments report that 3xLogic's Vigil DV Player gave them a virus warning, but it's never been consistent, and I've never been able to gather enough examples to tell if it was related to the version of DV Player, or the specific scanner they were using (none have ever been willing or able to disclose that information).

Either way, it's always been a false positive.

I suspect with the Vigil player it may be related to the fact it installs a third-party codec... maybe the same problem with the HIK player?

(1)
Avatar
Jon Dillabaugh
Jul 05, 2016
Pro Focus LLC

Hikvision has reached out to me to confirm this was a false positive. They asked that I followed up to mention this.

(1)
MI
Matt Ion
Jul 06, 2016

They're learning :)

UM
Undisclosed Manufacturer #3
Jul 06, 2016

What do you mean they are learning? I think they've always known what answer to give to help make a sale.

U
Undisclosed #4
Jul 06, 2016

Now we just have to hope they don't become self-aware.....

New discussion

Ask questions and get answers to your physical security questions from IPVM team members and fellow subscribers.

Newest discussions