Blue Iris Update Helper (BiUpdateHelper)

Thanks, but I think my issue is different. BIUH is connecting to BI fine. Registry backups and perf data are also working. Just the updates are not being found, as per my edit to my post above.
 
My Blue Iris DB is also in C:\BlueIris\db yet my update files go to ProgramData\Blue Iris\temp.

I guess someone needs to ask Ken how BI decides where to save update files.
 
Hi there

Thank you for creating and sharing BI Updater. I've just tried to install version 1.7.3 but BitDefender doesn't seem to like it:

The file C:\Users\nielk\Downloads\BiUpdateHelper_1.7.3\BiUpdateHelper.exe is infected with
Gen:Variant.MSILPerseus.213972 and was moved to quarantine. It is recommended that you run a
System Scan to make sure your system is clean.

It's entirely possible that BitDefender is generating a false alarm, so I thought I'd see what VirusTotal made of it. 57 of the 72 AV engines called by VirusTotal were happy with BiUpdateHelper.exe, but 15 reported it as malware, most commonly as a variant of the MSILPerseus trojan. (I've attached a snapshot of the virustotal.com report.)

No accusations: just don't want the program to be unfairly slighted.
 
Attachment: 2020-04-02.png (VirusTotal report screenshot)
@NielK I am 99% certain that is a false positive, however it is interesting that so many AV engines would decide the same thing. Perhaps they share components of their detection engines.
 
It is probably due to the utility I use to embed all the DLL files into the exe. I've tested 3 different release zips and they all get a mix of detections. I am going to try not embedding the DLLs and see if anything on virustotal still complains about a release.
 
I've investigated thoroughly. First I removed the DLL embedder, zipped a release candidate, and submitted to virustotal. Still detected same as before, so the cause wasn't the DLL embedder. Then I submitted all the DLLs and even the 7za.exe to virustotal and all came back clean. Only BiUpdateHelper.exe returned detections. So I proceeded to remove code from BiUpdateHelper and keep resubmitting to virustotal with a little less code in it each time. I needed to remove nearly everything before the detections went away.

[attached image: 1585838939420.png]

This is good, because it indicates nothing is hijacking the programs I compile. The AV engines are simply false alarming based on heuristics. E.g. "this program is doing way too much registry access for its size", or something like that. I build enough programs that this isn't the first time AV engines have thrown up false positives on something I built. Usually the detections go away after some time (weeks / months).

So I decided to restore all the code and try removing bits and pieces again to see if I could identify one piece that was causing the false alarms. Most of the AV detections went away after removing all the performance data collection. This doesn't really surprise me, because in the course of performance data collection, lots of registry stuff gets done, web requests are made, and lots of details about the computer hardware are read. Even with this gone, though, one more pesky AV engine thinks it found something.

[attached image: 1585839246767.png]

I don't know what this last one is complaining about because I ended my investigation here. I can't start removing entire program features just to satisfy the fleeting whims of AV engines. We'll just have to live with the detections until they go away on their own.
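The triage described in the posts above, as an added example that is not part of BiUpdateHelper or of any poster's code: before deciding a flagged build is a heuristic false positive (or adding it to an AV exclusion list), hash the artifact so it can be looked up on VirusTotal by SHA-256 instead of being uploaded, then count how many scanning engines actually flagged it and whether their labels are generic/heuristic signatures (Gen:Variant..., !rfn, ML.*) or agree on a concrete named family. The report below is a constructed sample whose shape only loosely follows VirusTotal's v3 `last_analysis_results` map; the engine names, verdicts, the `GENERIC_LABEL` patterns and the thresholds in `consistent_with_heuristic_fp` are assumptions chosen for illustration, not a vendor taxonomy. Nothing in the block touches the network.

```python
"""Triage a VirusTotal-style report for a freshly built release binary.

Added example (not BiUpdateHelper code). Hash the artifact so it can be
looked up by SHA-256 rather than uploaded, then summarize which engines
flag it and whether the labels are generic/heuristic or name a concrete
family. Nothing here touches the network; the report is a constructed
sample whose shape loosely follows the VirusTotal v3
"attributes.last_analysis_results" map (engine -> {category, result}).
"""
import hashlib
import re
from collections import Counter

# Constructed stand-in for the release executable (not a real PE file).
SAMPLE_BINARY = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"constructed-release-bytes"

# Constructed report: engine names and verdicts are made up for illustration.
# The three labels reuse strings quoted in the thread above.
SAMPLE_REPORT = {
    "EngineA": {"category": "malicious", "result": "Gen:Variant.MSILPerseus.213972"},
    "EngineB": {"category": "malicious", "result": "Trojan:Win32/Masson.A!rfn"},
    "EngineC": {"category": "suspicious", "result": "ML.Attribute.HighConfidence"},
    **{f"Engine{c}": {"category": "undetected", "result": None} for c in "DEFGHIJK"},
    "EngineL": {"category": "type-unsupported", "result": None},  # did not scan
}

# Engines that actually rendered a verdict; unsupported/timeout entries are
# left out of the denominator so "x of y engines" is not inflated.
VOTING = {"malicious", "suspicious", "harmless", "undetected"}
FLAGGING = {"malicious", "suspicious"}

# Markers of heuristic / machine-learning / generic-variant signatures, as
# opposed to a signature for a specific named family. Assumption: this list
# is a rule of thumb, not an official vendor taxonomy.
GENERIC_LABEL = re.compile(
    r"(^Gen:|Variant|Generic|Heur|Suspicious|!rfn|!ml|\bML\.|\bAI:)", re.IGNORECASE
)


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the artifact; query VirusTotal by this instead of uploading."""
    return hashlib.sha256(data).hexdigest()


def normalize_label(label: str) -> str:
    """Strip vendor decoration so one family under slightly different names
    is counted once: 'Gen:Variant.X.123' -> 'X', 'Trojan:Win32/Y.A!rfn' -> 'Y.A'."""
    label = re.sub(r"^(Gen:|Trojan:|Win32/|MSIL/|Variant\.)+", "", label)
    return re.sub(r"(!\w+|\.\d+)$", "", label)


def summarize(results: dict) -> dict:
    """Count voting engines, flagging engines, generic labels and families."""
    voting = {e: r for e, r in results.items() if r["category"] in VOTING}
    flagged = {e: r["result"] for e, r in voting.items() if r["category"] in FLAGGING}
    labels = [lab for lab in flagged.values() if lab]
    generic = [lab for lab in labels if GENERIC_LABEL.search(lab)]
    return {
        "engines": len(voting),
        "flagged": len(flagged),
        "ratio": len(flagged) / len(voting) if voting else 0.0,
        "generic": len(generic),
        "families": Counter(normalize_label(lab) for lab in labels),
        "flagged_by": flagged,
    }


def consistent_with_heuristic_fp(summary: dict, max_ratio=0.3, min_generic=0.66) -> bool:
    """Rule of thumb (an assumption, not a VirusTotal rule): a minority of
    engines flagging, mostly with generic/heuristic labels and no agreement
    on one family, is the pattern of heuristics tripping on a small binary
    that reads a lot of registry and hardware data, not of a confirmed
    infection. True means "worth investigating as a false positive", not
    "clean"."""
    if summary["flagged"] == 0:
        return False  # nothing to explain
    generic_fraction = summary["generic"] / summary["flagged"]
    top_family = max(summary["families"].values(), default=0)
    return (
        summary["ratio"] <= max_ratio
        and generic_fraction >= min_generic
        and top_family / summary["flagged"] < 0.5
    )


if __name__ == "__main__":
    print("sha256:", sha256_hex(SAMPLE_BINARY))
    s = summarize(SAMPLE_REPORT)
    print(f"{s['flagged']} of {s['engines']} engines flagged; "
          f"{s['generic']} generic labels; families: {dict(s['families'])}")
    for engine, label in s["flagged_by"].items():
        print(f"  {engine:<8} {label}")
    print("consistent with heuristic false positive:", consistent_with_heuristic_fp(s))
```

The denominator deliberately excludes engines whose category is `type-unsupported` (or timeouts), which is why the sample reports 3 of 11 rather than 3 of 12. Even when the rule of thumb returns True, the practitioner's next step is the one the post above took: rebuild with features removed and resubmit, rather than whitelisting on the strength of a ratio alone.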
 
@bp2008 Thank you for looking into this. It will now be much less of a leap of faith to add the program to Bitdefender's exception list.
 
Oh, so the temp folder can be set in Settings > Other > Temp path. Can BIUH pull this path? If not, I can just set the temp to one of the two places BIUH currently looks.
 
@gyrex

Thanks. I've gotten it running again. No idea what was wrong, but mono-service was unable to run it as a service anymore since about 2 days ago. No error log at all that I could find. So now it is running as a command line app ... in the background. I hate linux.
 
Hi, tried installing BIUpdateHelper 1.8 on Windows 2016 today and Windows Defender detected Trojan:Win32/Masson.A!rfn.
Anyone else seen this?
 
Attachment: Capture.PNG (Windows Defender detection screenshot)
There hasn't been a release since before the last wave of false positive virus detections (see just a few posts above in this thread). It is a false positive.
 
Lots of different parts unfortunately. I tried stripping out functionality once, where I'd delete something, rebuild, and resubmit to virustotal. Sometimes the number of detections would go down. Sometimes not. I had to remove nearly everything to get the scan to report completely clean. lol.

The update helper app must look like a virus because it is so small and it reads a lot of system information from the registry and monitors some system processes and things like that.
 
I've managed to get rid of all the false positive virus detections on virustotal.com by reorganizing the internal structure of the program a bit, and un-embedding the dll files from the main executable.

BiUpdateHelper Version 1.10 should no longer trigger virus detection engines.
 
Thanks for all of your work that you do.