
Virus detected in DJI Assistant 2 For Mavic 2.0.6

I downloaded and installed DJI Assistant 2 For Mavic 2.0.6 for Windows 10 from the official website (Mavic 2 - Specifications, FAQs, Videos, Tutorials, Manuals - DJI)

Bitdefender (Bitdefender - Cybersecurity Solutions for Business and Personal Use) detected Gen:Trojan.Heur.PM.2 in Viewer.exe:


I realize this is probably a false positive and I've seen other threads about viruses detected (albeit in older versions of the software), but I thought it would be prudent to at least mention what I found.

Also hoping someone from DJI can confirm things are OK and perhaps contact Bitdefender to get rid of the false positive for other folks who might see it like me.

Thanks!
 
Always good to be prudent. I applaud your actions to clarify the issue, especially since, as you point out, it is a common type issue. I will admit that I have never gotten a malware warning on my Mac running Kaspersky for any DJI software.
 
Feeding the file viewer.exe to an online virus checking tool, more engines report this file as suspicious/infected:
 
"Heur", short for "Heuristic", means the scanner is detecting something that *might* be malware because it shares some common traits with known malware. Bkav's result also implies that the executable is packed with an executable compressor. This was a common false positive when executable compressors first really hit the malware scene, with UPX being a perfectly legitimate tool that was often used by malware authors.

I'm guessing something similar is going on here; DJI is using an executable code compression tool that is also used by a lot of malware authors, but the executable itself is almost certainly totally benign. To FP on just the use of a code compressor is pretty poor for an AV these days so I would expect there's something else getting flagged as well - a shared code library perhaps? Either way, this can usually be avoided by signing the code and, where necessary, working with the AV vendor to get a whitelist.

If you want to verify your file against mine, I have v2.0.6 installed and my files (DJIServiceCore.exe also FPs with BitDefender frequently) have the following checksums (link to a guide & tools if you're not familiar with this):

md5sum:
407e8f0b202153f6566beb438e293f29 DJIServiceCore.exe
5cf96aac6a4f1cc25bcb297c1dbd31d8 Viewer.exe

sha1sum:
b50c306921ea7481e763f4a15dc162e07495e68c DJIServiceCore.exe
542b167db516b065dd46abedd3dc5c520b64690a Viewer.exe

sha256sum:
073c0005e23b6e6cc5096150ca3785a30ad145b2c68ab6b7d74ba89127f80adc DJIServiceCore.exe
fc01df52e8ef6721cdb667b8255d1a88015e70fc605ea4d5be1e1b43c5cced2c Viewer.exe
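
To check local files against a listing like the one above, this added example (not part of the original post) parses the `<digest> <filename>` lines, picks the algorithm from the digest length, and reports per file whether every listed digest matches. The script and its function names are illustrative; a match shows only that the two copies are byte-identical.

```python
import hashlib
import hmac
import re
from pathlib import Path

# Hex digest length -> hashlib algorithm, as in an md5sum/sha1sum/sha256sum listing.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256"}
LINE = re.compile(r"^([0-9a-fA-F]{32,64})\s+\*?(.+?)\s*$")

def parse_listing(text):
    """Return [(algo, digest, filename)]; headers such as 'md5sum:' are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and len(m.group(1)) in ALGO_BY_HEXLEN:
            digest = m.group(1).lower()
            entries.append((ALGO_BY_HEXLEN[len(digest)], digest, m.group(2)))
    return entries

def file_digest(path, algo):
    """Hash the file in 1 MiB chunks so large files are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def verify(listing_text, directory):
    """Per file: 'match' only if every listed digest matches, else 'MISMATCH'/'missing'.
    'weak' stays True when no SHA-256 was checked (MD5/SHA-1 alone are collision-prone)."""
    report = {}
    for algo, expected, name in parse_listing(listing_text):
        path = Path(directory) / Path(name).name  # never follow paths from the listing
        entry = report.setdefault(name, {"status": "match", "weak": True})
        if not path.is_file():
            entry["status"] = "missing"
            continue
        if not hmac.compare_digest(file_digest(path, algo), expected):
            entry["status"] = "MISMATCH"
        if algo == "sha256":
            entry["weak"] = False
    return report

if __name__ == "__main__":
    import sys  # usage: python verify_listing.py listing.txt <install directory>
    for name, r in verify(Path(sys.argv[1]).read_text(), sys.argv[2]).items():
        print(f"{r['status']:8} {'(weak digests only) ' if r['weak'] else ''}{name}")
```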
 
With a company as big as DJI, you would think that they would have worked through this problem, corrected it so nothing gets triggered on our defenseless PCs, and come up with a solution. Remember when the US Army freaked out when they thought DJI was spying?
 
I have the same checksums as you do, so I'm going to go ahead and add the files to Bitdefender's exception list. Thank you!

And thanks everyone who replied in this thread. Lots of helpful info for me. I'm brand new to this community, but already I can see it's a very supportive and friendly place. Thank you so much. :)
 
Shame DJI never addressed this issue. This goes back to DJI Assistant 2 File Infected: tofstarter.exe ? . Each version has some file that seems to trigger it.
Macs and iOS don’t do this and my Kaspersky doesn’t warn me. My Apple devices do warn that all the DJI software is unsigned. It’s a platform specific problem. I agree that they should warn the user.
 
Check it with Malwarebytes, if it doesn't pick up anything you should be good.

Not at all. All virus checkers are about 90-95% effective. They all cover a slightly different 90% and it depends when they are updated. No one virus checker can be 100%.
 
INFECTED OR NOT GREAT TO SEE PEOPLE LIKE YOURSELF ARE HELPING. THANKS!!!!!
 
Doesn't a "virus checker" only work if it is a known virus? I updated but am grounding my new Mavic Pro until I get confirmation. Glad I still have my first Mavic available....
 
In some cases, but most modern AVs long since gave up on trying to have code signatures for each and every virus when it became clear that virus writers had figured out how to write code that modified itself on the fly to avoid detection. The current heuristic approach is to look for patterns of behaviour and other common factors (like use of code compressors, obfuscation techniques, and other fingerprints), score each hit, and if you exceed a certain threshold, classify as malicious. This is fine, but it relies on having a sufficiently accurate set of score weightings and corpus of known good/bad samples to avoid false positives. Some AV systems are better at this than others, and some applications are more prone to false positives than others; bring two of these together, e.g. BitDefender and DJI Assistant, and you get a false alarm like we're almost certainly seeing here.
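
The score-and-threshold approach described above, together with the packer remark earlier in the thread, as an added example that is not from the thread or from any AV vendor: it reads three traits from a PE file (UPX-style section names, high-entropy sections, absence of a certificate table) and sums weights against a threshold. The weights, threshold, entropy cutoff and function names are illustrative assumptions.

```python
import math
import struct
from collections import Counter

# Assumed weights and threshold for illustration; real engines tune these on large corpora.
WEIGHTS = {"packer_section_name": 2, "high_entropy_section": 2, "unsigned": 2}
THRESHOLD = 5

def entropy(data):
    """Shannon entropy in bits per byte (0.0 to 8.0); compressed data sits near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_traits(blob):
    """Extract the traits named in WEIGHTS from a PE image held in memory."""
    if blob[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", blob, 0x3C)[0]          # e_lfanew
    if blob[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", blob, pe + 6)
    opt = pe + 24
    magic = struct.unpack_from("<H", blob, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+
    traits = set()
    # Data directory 4 is the certificate table. Size 0 means no embedded signature;
    # this checks presence only and does not validate the signature.
    if dirs + 40 > opt + opt_size or struct.unpack_from("<I", blob, dirs + 36)[0] == 0:
        traits.add("unsigned")
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name = blob[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + 16)
        if name.startswith(b"UPX"):
            traits.add("packer_section_name")
        if raw_size and entropy(blob[raw_ptr:raw_ptr + raw_size]) > 7.0:
            traits.add("high_entropy_section")
    return traits

def classify(blob):
    """Return (score, flagged, traits): flagged when the summed weights reach THRESHOLD."""
    traits = pe_traits(blob)
    score = sum(WEIGHTS[t] for t in traits)
    return score, score >= THRESHOLD, sorted(traits)

if __name__ == "__main__":
    import sys  # usage: python heur_score.py Viewer.exe
    print(classify(open(sys.argv[1], "rb").read()))
```

With these assumed weights a packed, unsigned binary scores 6 and is flagged, while the same binary carrying a certificate table scores 4 and is not, which is the effect of code signing that the earlier post describes.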
 
Doesn't a "virus checker" only work if it is a known virus?

Yes. This is why they are only 90-95% effective. Also you have to make sure you update them regularly. It takes time (days/weeks) for a virus to get picked up, a unique signature worked out and then distributed to the AV programs. Not all viruses are discovered the day/week they are first let loose.

I updated but am grounding my new Mavic Pro until I get confirmation. Glad I still have my first Mavic available....

Sensible precaution. However it does depend on what the RTOS is in the drone. If your virus checker is on a PC and you have scanned the firmware and it reports a virus, all it is reporting is a signature. That is a sequence of binary in bytes. If the drone uses a different processor to an X86 CPU (most do) or a different OS/RTOS then it is a false positive as a Windows/X86 virus is not going to run on a Cortex M3.

Any virus aimed at the drone firmware is "highly unlikely" to trigger a PC anti virus program.

I quite often get "viruses" flagged in files on my archive files. These are PDFs, EXEs and ZIP files that have not been accessed in 10 years..... at least 9 & 1/2 years before the virus indicated was born. I know it is possible to insert a virus into an old file and not touch the date stamps but this is highly unlikely; also the archive is on a system not running Windows.

I would think it is "unlikely" there is a virus in the DJI firmware but "unlikely" is not "100% certain"
 

No one said it was 100%, I personally think Malwarebytes is more effective than BitDefender. But I'm not gonna get all pedantic about it.
 
You said "Check it with Malwarebytes, if it doesn't pick up anything you should be good." Which isn't entirely accurate.

Just out of curiosity why is Malwarebytes better than BitDefender? I would be interested in the testing that led you to that conclusion.

If you are not going to get pedantic about it then say nothing.
Being pedantic is the whole point of AV software, software testing in general and avionic software in particular.
 

10 Years repairing computers leads me to this opinion...

Here you go I fixed it for you:
Check it with Malwarebytes, if it doesn't pick up anything you may be good, if not try it with the 1000+ other Anti-Virus software and it also may be good, or maybe not - who knows (bangs head against the wall)

Failing this get a Mac!

Glad I got that off my chest! (not 100% glad)
 
10 Years repairing computers leads me to this opinion...

35 years embedded/critical systems SW including for Avionics led me to my opinion.
I assume your degree is in computer science then?


Here you go I fixed it for you:
Check it with Malwarebytes, if it doesn't pick up anything you may be good, if not try it with the 1000+ other Anti-Virus software and it also may be good, or maybe not - who knows (bangs head against the wall)

Which was not what you said to start with and also does not fix the problem
WHAT IS THE OS AND CPU IN THE DRONE?

Failing this get a Mac!

What difference will that make? We use MAC, PC, Unix and Linux here along with several SIL3 RTOS


Glad I got that off my chest! (not 100% glad)
Glad to help.
 

Sorry, I must've missed the part where I asked for your credentials.

As far as I'm aware, OP was simply stating what he had found, I offered a little bit of advice based on my opinion.

Now if he had wanted a lesson in Software Engineering or the ins and outs of current Anti-Virus technology, then he'd most likely post on a forum that specialises as such, however since this is a drone forum it's probably safe to say he wasn't expecting that.

But thanks for the unnecessary lesson all the same... yawn
