Trojan False Positive on CMS software (Sofia/34567/Top-210 cameras)

[cybermaus]

FYI

Yesterday MalwareBytes MBAM suddenly pointed to my CMS camera management software as a Trojan. Specifically file HW_H265Decoder.DLL was seen as Throjan.Tracur

Not having done any updates in a while, and this folder not being a typical target for dynamic infection, I suspected (hoped for) a false positive and reported to Malwarebytes.

Just now they confirmed it was a false positive, and they will fix it.
So if you have the same, don't worry.

 

[nayr]

its not a false positive; the malware is present on the cameras firmware.. this has been well documented.

you should be worrying.

 

[cybermaus]

Yeah, so what you are saying is that because it is know that some IoT firmware do have known malware in their firmware, a message of my PC software must be true. Even if professional experts have double checked and confirmed this specific file good?

You are either a fear-mongerer, or very badly understand how software works.


Anyway, to restate: I am not saying there are no virusses or trojans anyware on camera's. They do exist.
I am saying that the specific recent MalwareByte report on windows32 PC file HW_H265Decoder.DLL is false. Confirmed by MalwareByte support themselves after uploading and inspecting the file.

 

[nayr]

no what im saying is I have that same camera sitting in my junk bin and it came loaded with real malware that was loaded externally from a hidden iframe.. it didnt have actual malware on it but it did try to load an external page to infect me in the background.. it was not a false positive.

weather or not this malware is real; this specific camera has a history of shipping w/malware infected firmware.. so just dismissing it as a false positive is unwise on many levels.

 

[hmjgriffon]

If it's running Chinese firmware the malware is built in complete with back doors lol.

Sent from my Nexus 6P using Tapatalk

 

[alastairstevenson]

MalwareByte report on windows32 PC file HW_H265Decoder.DLL is false

If you want a second opinion - or actually maybe 30 or so of them - chuck the file at virustotal and see what it makes of it.
VirusTotal - Free Online Virus, Malware and URL Scanner

 

[cybermaus]

That at least is a sensible suggestion:

Results:
Antivirus scan for 08566bfb2a71f9d75937ea57c3756597d6ff29dc9a2819bbec6fd0c1dd83ea43 at 2017-02-03 16:24:48 UTC - VirusTotal

Not sure of that link remains visible, but as a summery:
55 scans report the file as good, only 1 (MalwareBytes) report it as bad.

To restate: This report was about the CMS software, not the camera.
BTW: my camera's are completely blocked from the internet, can only reach the CMS

 

[alastairstevenson]

Well that's a clear enough result, nails it. Especially as they now have Malwarebytes in the pool.