Updated detected with Virus
Posted: Wed Oct 23, 2019 8:28 am
by doverton
Hi,
I don't know if BI has a virus, but when I downloaded the latest update Microsoft (built in AV product) told me it had the Trojan:JS/Denali.A!ml.
The further details provided were:
containerfile: \\<removed>\update32.exe
file: \\<removed>update32.exe->(CABSfx)->ui3.zip->applet/loginScripts.js
webfile: \\<removed>update32.exe|
https://blueirissoftware.com/50/update3 ... 1865602996
Can I have it confirmed that the update file is safe to use?
thanks
Re: Updated detected with Virus
Posted: Wed Oct 23, 2019 3:16 pm
by MikeBwca
details details details
1. Where did you get the update? Via the BI update button, or, manual download?
2. What AV are you using?
Re: Updated detected with Virus
Posted: Wed Oct 23, 2019 4:15 pm
by TimG
Hi doverton,
Please also send an email to support, as this is mainly a user to user forum, with a bit of assistance from support! It IS the official BI forum though.
We ALL need to know if there is an issue with updates, so please let us know what you find.
Re: Updated detected with Virus
Posted: Wed Oct 23, 2019 11:40 pm
by doverton
Hi,
I e-mailed support at the same time I posted to the forum, but I've not had a response, so I can't say what a formal response is.
I got the update file by downloading manually, however the update inside the product also got the same reaction from Microsoft Defender, the AV product that flagged the file loginscript.js when I tried to install the update.
I'll see if I can get another AV product to scan the file.
thanks
Re: Updated detected with Virus
Posted: Fri Oct 25, 2019 8:18 am
by doverton
Hi,
the response I got from support was as follows:
Hello David
The EXE files are passing here. Latest virus definitions.
The .JS is a script file used by the UI3 browser interface. This also does not trigger Windows Defender here. Next steps:
You can install UI3 directly from the developer, you don't have to use the version in Blue Iris, although it should be the same:
https://github.com/bp2008/ui3
I will have a closer look at that .JS file, but I'm certain it's not being used maliciously, and this is a false positive.
Thanks
Ken
Upon further investigation I found the following:
1) The file on GitHub (loginscript.js) is identical text to the one provided by Blue Iris.
2) There is a difference in whether the file uses LF or CRLF (Unix vs Dos) text file difference
3) If I take the GitHub file and reformat it to include CRLF, the file fails MS anti-virus tests
4) The GitHub file has not changed in a year, so I agree, this is possibly a false positive.
I'll let you know what else I can find.
thanks
David
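The comparison described in the post above (same text, different LF/CRLF line endings) can be checked mechanically. This is an added example, not part of the original thread or of Blue Iris or UI3; the function names and the sample bytes are constructed for illustration.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalize_eol(data: bytes) -> bytes:
    """Map CRLF and lone CR to LF so only real content differences remain."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


def eol_counts(data: bytes) -> dict:
    """Count each line-ending style; a CRLF pair is not also counted as LF or CR."""
    crlf = data.count(b"\r\n")
    return {"CRLF": crlf,
            "LF": data.count(b"\n") - crlf,
            "CR": data.count(b"\r") - crlf}


def compare_copies(upstream: bytes, shipped: bytes) -> dict:
    """Classify how a shipped file relates to the upstream copy."""
    if upstream == shipped:
        verdict = "identical"
    elif normalize_eol(upstream) == normalize_eol(shipped):
        verdict = "line-endings-only"
    else:
        verdict = "content-differs"
    return {
        "verdict": verdict,
        "upstream_raw_sha256": sha256_hex(upstream),
        "shipped_raw_sha256": sha256_hex(shipped),
        "upstream_eol": eol_counts(upstream),
        "shipped_eol": eol_counts(shipped),
    }


# Constructed sample data standing in for the two copies of the script.
SAMPLE_UPSTREAM = b"function login() {\n  return true;\n}\n"
SAMPLE_SHIPPED = SAMPLE_UPSTREAM.replace(b"\n", b"\r\n")   # same text, CRLF
SAMPLE_MODIFIED = SAMPLE_SHIPPED + b"// extra line\r\n"     # real content change

if __name__ == "__main__":
    for name, blob in (("shipped", SAMPLE_SHIPPED), ("modified", SAMPLE_MODIFIED)):
        result = compare_copies(SAMPLE_UPSTREAM, blob)
        print(name, result["verdict"], result["shipped_eol"])
```

A "line-endings-only" verdict shows that the shipped file carries the same text as the upstream copy; the raw hashes still differ, which is why a hash-only comparison of the two files would report a mismatch.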
Re: Updated detected with Virus
Posted: Fri Oct 25, 2019 8:50 am
by kayfersmum
I have also been receiving these messages when trying to download the update. Happened again this morning. Will email support.
Oh, and my hard disk filled up again today
Re: Updated detected with Virus
Posted: Fri Oct 25, 2019 9:14 am
by TimG
Somewhat troubling this one. I have sent a message to support to see if they can check
Re: Updated detected with Virus
Posted: Fri Oct 25, 2019 6:01 pm
by doverton
Hi,
I opened two cases with Microsoft today to get this checked out. The files have been determined by Microsoft as false positives. The confirmation of this can be seen at the locations below. Initially the files were being detected as having Trojan code, but once they had been processed they were marked as Malware free:
October 25, 2019 ba256513-6954-4bf4-bf36-4d23f10b12ca update32.exe Completed
https://www.microsoft.com/en-us/wdsi/su ... 23f10b12ca
October 25, 2019 b424f610-8424-44fe-82d1-54b344386a91 loginscripts.js Completed
https://www.microsoft.com/en-us/wdsi/su ... b344386a91
The comment from Microsoft after my submissions was as follows:
We have removed the detection. Please follow the steps below to clear cached detection and obtain the latest malware definitions.
1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
2. Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"
3. Run "MpCmdRun.exe -SignatureUpdate"
I found that the 1st command would not work without first disabling the real time engine in Windows Defender.
I hope that helps anyone else who is having this challenge.
David
Re: Updated detected with Virus
Posted: Fri Oct 25, 2019 8:31 pm
by kayfersmum
Here’s the response I received from Ken. Very prompt, I’m the slow one today! I haven’t attempted it again since
There is a .JS (Javascript) file used by UI3 (the browser interface) which apparently is being caught as a false-positive.
This may also have been impacted by the expired code-signing certificate. That was corrected with 5.0.5.2.
Please attempt to install the update once again and it is safe to override the .JS file warning.
Thanks
Ken
Re: Updated detected with Virus
Posted: Sat Oct 26, 2019 8:58 am
by TimG
Good work everybody
It's BI update time in Robin Hood land. 5.0.5.2 installed with no warnings. Malwarebytes didn't raise any issues.
Make sure you have unticked "Automatic download and install"