Blue Iris Update Helper (BiUpdateHelper)

DarkHelmet

Getting the hang of it
Joined
Feb 26, 2017
Messages
167
Reaction score
66
Thanks, but I think my issue is different. BIUH is connecting to BI fine. Registry backups and perf data are also working. Just the updates are not being found, as per my edit to my post above.
 

Tinbum

Pulling my weight
Joined
Sep 5, 2017
Messages
446
Reaction score
126
Location
UK
Thanks, but I think my issue is different. BIT is connecting to BI fine. Registry backups and perf data are also working. Just the updates are not being found, as per my edit to my post above.
BIT or Blueirisupdatehelper?
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,666
Reaction score
14,006
Location
USA
My Blue Iris DB is also in C:\BlueIris\db yet my update files go to ProgramData\Blue Iris\temp.

I guess someone needs to ask Ken how BI decides where to save update files.
 

NielK

Getting the hang of it
Joined
Jan 2, 2018
Messages
44
Reaction score
77
Location
UK
Hi there

Thank you for creating and sharing BI Updater. I've just tried to install version 1.7.3 but BitDefender doesn't seem to like it:

The file C:\Users\nielk\Downloads\BiUpdateHelper_1.7.3\BiUpdateHelper.exe is infected with
Gen:Variant.MSILPerseus.213972 and was moved to quarantine. It is recommended that you run a
System Scan to make sure your system is clean.
It's entirely possible that BitDefender is generating a false alarm, so I thought I'd see what VirusTotal made of it. 57 of the 72 AV engines called by VirusTotal were happy with BiUpdateHelper.exe but 15 reported it as malware, most commonly as a variant of the MSILPerseus trojan. (I've attached a snapshot of the virustotal.com report.)

No accusations: just don't want the program to be unfairly slighted.
 


bp2008

@NielK I am 99% certain that is a false positive; however, it is interesting that so many AV engines would decide the same thing. Perhaps they share components of their detection engines.
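An added example, not part of the thread and not code from BiUpdateHelper: a triage helper that groups the engines flagging a file by the family name they report, so the raw count ("15 of 72") can be read as a number of distinct labels. The engine names and most labels are constructed; the data shape follows VirusTotal's per-engine results (engine name mapped to `category` and `result`).

```python
import re
from collections import defaultdict

# Constructed sample. Engine names are placeholders; two labels are the
# ones quoted in this thread, the others are made up for illustration.
SAMPLE = {
    "EngineA": {"category": "malicious", "result": "Gen:Variant.MSILPerseus.213972"},
    "EngineB": {"category": "malicious", "result": "Gen:Variant.MSILPerseus.213972"},
    "EngineC": {"category": "malicious", "result": "Gen:Variant.MSILPerseus.213972 (B)"},
    "EngineD": {"category": "malicious", "result": "Trojan.MSILPerseus.D343D4"},
    "EngineE": {"category": "malicious", "result": "Trojan:Win32/Masson.A!rfn"},
    "EngineF": {"category": "undetected", "result": None},
    "EngineG": {"category": "undetected", "result": None},
}

# Tokens that name a detection type or platform rather than a family.
GENERIC = {"generic", "variant", "trojan", "heur", "malware", "agent"}

def family_token(label):
    """Return the first token that is not generic, short, or a variant id."""
    for tok in re.split(r"[^A-Za-z0-9]+", label):
        low = tok.lower()
        if len(low) < 4 or low in GENERIC:
            continue
        if re.search(r"\d", low):  # ids and platforms: 213972, D343D4, win32
            continue
        return low
    return "unclassified"

def cluster_detections(results):
    """Group engines that flagged the file by the family name they reported."""
    clusters = defaultdict(list)
    for engine, verdict in results.items():
        if verdict["category"] in ("malicious", "suspicious"):
            clusters[family_token(verdict["result"] or "")].append(engine)
    return {fam: sorted(engines) for fam, engines in clusters.items()}

def summarize(results):
    """Raw detection count next to the number of distinct family labels."""
    clusters = cluster_detections(results)
    flagged = sum(len(engines) for engines in clusters.values())
    return {"engines": len(results), "flagged": flagged,
            "distinct_labels": len(clusters), "clusters": clusters}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Several engines sharing one label shows that they agree on a name, not why they agree; the grouping is a starting point for triage, not a verdict.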
 

bp2008

It is probably due to the utility I use to embed all the DLL files into the exe. I've tested 3 different release zips and they all get a mix of detections. I am going to try not embedding the DLLs and see if anything on virustotal still complains about a release.
 

bp2008

I've investigated thoroughly. First I removed the DLL embedder, zipped a release candidate, and submitted to virustotal. Still detected same as before, so the cause wasn't the DLL embedder. Then I submitted all the DLLs and even the 7za.exe to virustotal and all came back clean. Only BiUpdateHelper.exe returned detections. So I proceeded to remove code from BiUpdateHelper and keep resubmitting to virustotal with a little less code in it each time. I needed to remove nearly everything before the detections went away.

1585838939420.png

This is good, because it indicates nothing is hijacking the programs I compile. The AV engines are simply false alarming based on heuristics. E.g. "this program is doing way too much registry access for its size", or something like that. I build enough programs that this isn't the first time AV engines have thrown up false positives on something I built. Usually the detections go away after some time (weeks / months).

So I decided to restore all the code and try removing bits and pieces again to see if I could identify one piece that was causing the false alarms. Most of the AV detections went away after removing all the performance data collection. This doesn't really surprise me, because in the course of performance data collection, lots of registry stuff gets done, web requests are made, and lots of details about the computer hardware are read. Even with this gone though, one more pesky AV engine thinks it found something.

1585839246767.png

I don't know what this last one is complaining about because I ended my investigation here. I can't start removing entire program features just to satisfy the fleeting whims of AV engines. We'll just have to live with the detections until they go away on their own.
 

NielK

@bp2008 Thank you for looking into this. It will now be much less of a leap of faith to add the program to Bitdefender's exception list.
 

DarkHelmet

Oh, so the temp folder can be set in Settings > Other > Temp path. Can BIUH pull this path? If not, I can just set the temp to one of the two places BIUH currently looks.
 

NielK

I have v1.8.0.0 running happily on Windows 10 Pro v1909 (18363.836).
 

bp2008

@gyrex

Thanks. I've gotten it running again. No idea what was wrong, but mono-service was unable to run it as a service anymore since about 2 days ago. No error log at all that I could find. So now it is running as a command line app ... in the background. I hate Linux.
 

DCee

n3wb
Joined
Apr 24, 2015
Messages
8
Reaction score
8
Hi, tried installing BIUpdateHelper 1.8 on Windows 2016 today and Windows Defender detected @Trojan:Win32/Masson.A!rfn
Anyone else seen this?
 


bp2008

There hasn't been a release since before the last wave of false positive virus detections (see just a few posts above in this thread). It is a false positive.
 

bp2008

Lots of different parts unfortunately. I tried stripping out functionality once, where I'd delete something, rebuild, and resubmit to virustotal. Sometimes the number of detections would go down. Sometimes not. I had to remove nearly everything to get the scan to report completely clean. lol.

The update helper app must look like a virus because it is so small and it reads a lot of system information from the registry and monitors some system processes and things like that.
 

looney2ns

IPCT Contributor
Joined
Sep 25, 2016
Messages
15,521
Reaction score
22,657
Location
Evansville, In. USA
I've managed to get rid of all the false positive virus detections on virustotal.com by reorganizing the internal structure of the program a bit, and un-embedding the dll files from the main executable.

BiUpdateHelper Version 1.10 should no longer trigger virus detection engines.
Thanks for all of your work that you do.
 