
Virus detected in DJI Assistant 2 For Mavic 2.0.6

Sorry, I must've missed the part where I asked for your credentials.

As far as I'm aware, OP was simply stating what he had found, I offered a little bit of advice based on my opinion.

Now if he had wanted a lesson in Software Engineering or the ins and outs of current Anti-Virus technology, then he'd most likely post on a forum that specialises as such, however since this is a drone forum it's probably safe to say he wasn't expecting that.

But thanks for the unnecessary lesson all the same... yawn

You stated your opinion and credentials to explain why you were right.
I replied in similar fashion.
The lesson was necessary it seems.
Don't give opinions and advice when you are not qualified to do so nor get into a hissy fit when you are called on it.
 
You stated your opinion and credentials to explain why you were right.
I replied in similar fashion.
The lesson was necessary it seems.
Don't give opinions and advice when you are not qualified to do so nor get into a hissy fit when you are called on it.
Don’t understand why you are jumping on this dude. I don’t think that there are many here with your av credentials, but there are many here that can express an opinion based on their knowledge, hence the reason most people come here to read, ask questions, learn and help others in this hobby we all enjoy.
What, I’m sure, most of us don’t want to read, is opinionated individuals that like to pump themselves up with their own importance and bring others down.
I’m guessing here, that you don’t have significant education, masters degrees or long term experience in multirotors, but I don’t think anyone would begrudge you from having an opinion based on whatever experience you may have. (Except maybe yourself)
 
I downloaded and installed DJI Assistant 2 For Mavic 2.0.6 for Windows 10 from the official website (Mavic 2 - Specifications, FAQs, Videos, Tutorials, Manuals - DJI)

Bitdefender (Bitdefender - Cybersecurity Solutions for Business and Personal Use) detected Gen:Trojan.Heur.PM.2 in Viewer.exe:

View attachment 64767

I realize this is probably a false positive and I've seen other threads about viruses detected (albeit in older versions of the software,) but I thought it would be prudent to at least mention what I found.

Also hoping someone from DJI can confirm things are OK and perhaps contact Bitdefender to get rid of the false positive for other folks who might see it like me.

Thanks!

Based on my experience and what I’ve read here, I think you're OK mate.
 
WHAT IS THE OS AND CPU IN THE DRONE?

I think you've maybe misunderstood this aspect of the problem. Curiosity aside (wild guess: some form of RTOS, or possibly Linux/BSD, running on an ARM architecture), OP was talking about part of the DJI Assistant software installed locally on their PC, not a firmware blob that would be downloaded to the drone.

There are numerous instances of various executables and DLLs in the DJI Assistant installation triggering FPs in AV software, BitDefender being particularly common, although not the only one. That can be quite scary for a layperson (OP did at least realise it was probably an FP and was looking to confirm), so a high-level explanation of what's going on to calm nerves and verify whether there's actually a problem or not seems like a good idea to me.

Really, DJI needs to be a bit more proactive in fixing this. They're not a small company, it's a mostly solved problem, and their own forums contain multiple instances of people with the problem so they can hardly be unaware of the issue. I can understand the occasional unsigned executable slipping through to release, or an FP here and there, but this is a frequent enough occurrence it's now just making DJI look sloppy.
 
Yes. This is why they are only 90-95% effective. Also you have to make sure you update them regularly. It takes time (days/weeks) for a virus to get picked up, a unique signature worked out and then distributed to the AV programs. Not all viruses are discovered the day/week they are first let loose.

This is not correct. The majority of AV solutions these days (Particularly Symantec) claim to protect against zero day threats. That is undetected viruses that have no signature files.

They look for heuristic patterns and alert against them. They all now report lots of false positives.
 
I think you've maybe misunderstood this aspect of the problem. Curiosity aside (wild guess: some form of RTOS, or possibly Linux/BSD, running on an ARM architecture), OP was talking about part of the DJI Assistant software installed locally on their PC, not a firmware blob that would be downloaded to the drone.

There are numerous instances of various executables and DLLs in the DJI Assistant installation triggering FPs in AV software, BitDefender being particularly common, although not the only one. That can be quite scary for a layperson (OP did at least realise it was probably an FP and was looking to confirm), so a high-level explanation of what's going on to calm nerves and verify whether there's actually a problem or not seems like a good idea to me.

Really, DJI needs to be a bit more proactive in fixing this. They're not a small company, it's a mostly solved problem, and their own forums contain multiple instances of people with the problem so they can hardly be unaware of the issue. I can understand the occasional unsigned executable slipping through to release, or an FP here and there, but this is a frequent enough occurrence it's now just making DJI look sloppy.

Agree with your comments but I think you will find that it's not the DJI software that is unsigned, it is the Device Drivers they use. Getting WHQL compliance for drivers with Microsoft is a very complex operation with lots of testing and requires MS to cooperate. The priority for WHQL testing is volume based. Drone drivers would not be high on the priority list.
 
Agree with your comments but I think you will find that it's not the DJI software that is unsigned, it is the Device Drivers they use. Getting WHQL compliance for drivers with Microsoft is a very complex operation with lots of testing and requires MS to cooperate. The priority for WHQL testing is volume based. Drone drivers would not be high on the priority list.

It's a mix of both, AFAICT. Some releases of DJI Assistant seem to have properly signed .EXE binaries, others do not, and the actual drivers are even more hit and miss on being signed, although I'm not sure how many, if any, have been WHQL certified. As you say, MS certification is expensive and time consuming; even AMD video driver releases are non-WHQL more often than not.

What seems to generate the most problems with false positives though is the .EXEs in the main DJI installation folder, although I'd guess AV packages are also looking at linked files (.DLLs and .DRVs, etc.) and including them in the assessment. WHQL or not, I think DJI is big enough to at least get a certificate and sign all their binaries, which would fix some of the FPs, then could work with the AV vendors to try and minimise the rest. Being as niche as they are I doubt they'd get to 100%, but they could certainly make the situation better than it is at present.
 
There are a lot of anti-malware app's circulating now that also use the user-feedback to 'educate' their cloud servers as to the validity of a heuristic result. I see nothing but good in this post in that if it gives anybody the confidence to click the box on their antivirus to report that the DJI software is generating a false-positive - then it's that action that will contribute to the app' being left alone by the AV software houses that don't know it ...
Anybody who thinks it's up to DJI to get this software 'approved' with the anti-malware houses, just doesn't know how this all works ...
[and before you ask Mr @jagraphics - I've been working in IT for 35 years - and run an IT company ... AND - I also think Malwarebytes is one of the best too! ...]
 
Anybody who thinks it's up to DJI to get this software 'approved' with the anti-malware houses, just doesn't know how this all works ...

No, it's not up to DJI; it's up to *both* sides - application vendors and the AV vendors to resolve any repeated FP issues. Only the AV vendors can modify their detection routines/whitelisting, DJI certainly can't do that for them, but there are a lot of people producing code and AV vendors are almost certainly going to prioritise based on reports and other feedback. That feedback has got to come from DJI and from us, their users, and since we're pretty niche we might be quite some way down the list.

DJI's issue is that they are inconsistent in their executable signing, which means that AV vendors that might have whitelisted based on DJI's cert are still going to potentially FP when DJI fails to sign, assuming enough other heuristics trip. Just being more consistent on this and making sure they always sign before release would help reduce the FPs significantly, although probably not entirely. Monitoring their own forum for reports and contacting vendors of products that most often FP is absolutely something DJI can do. I've had to do that a few times at $dayjob, and most AV vendors I've dealt with are pretty helpful at telling you why you are getting misclassified and how to fix it if you provide samples. A consistent, valid, and current vendor cert is usually a pretty good first step.
 
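The signing inconsistency described in the post above can be checked on a local install. This is an added example, not part of the original thread and not DJI's or any AV vendor's tooling; it uses the built-in `Get-AuthenticodeSignature` and `Get-FileHash` cmdlets, and `$InstallDir` is a parameter you supply because the thread does not give the install path.

```powershell
# Added example: audit Authenticode signatures of the binaries in one install folder.
param(
    # Assumption: the folder where DJI Assistant 2 was installed (not stated in the thread).
    [Parameter(Mandatory)] [string] $InstallDir
)

$binaryExtensions = '.exe', '.dll', '.sys'

$report = Get-ChildItem -LiteralPath $InstallDir -Recurse -File |
    Where-Object { $_.Extension -in $binaryExtensions } |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            File        = $_.FullName
            Status      = $sig.Status    # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer      = if ($cert) { $cert.Subject }    else { $null }
            Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
            CertExpiry  = if ($cert) { $cert.NotAfter }   else { $null }
            Timestamped = [bool]$sig.TimeStamperCertificate
            # Hash to quote in a false-positive report or compare with a fresh download.
            SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }

# Inconsistent signing shows up as several groups here: a mix of statuses,
# or more than one signer subject within the same release.
$report | Group-Object Status, Signer |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize -Wrap

# NotSigned only says no signature is present. HashMismatch says the file
# changed after it was signed, so it needs a closer look than a plain FP.
$report | Where-Object Status -ne 'Valid' |
    Sort-Object Status, File |
    Format-Table Status, File, SHA256 -AutoSize -Wrap
```

A `Valid` status shows who signed the file and that it is unmodified since signing; it says nothing about whether a given AV product's heuristics will still flag it.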
Feeding the file viewer.exe to an online virus checking tool, more engines reporting this file as suspicious/infected:
View attachment 64768
From what I see here you have scanned and found "PUPs" Potentially Unwanted Programs that are already in quarantine. Empty your quarantine in each program and scan again. If you REALLY need to clean, start the computer in "Safe Mode" and run all of your antivirus / anti malware programs.
 
You said "

Which isn't entirely accurate.

Just out of curiosity why is Malwarebytes better than Bitdefender? I would be interested in the testing that led you to that conclusion.

If you are not going to get pedantic about it then say nothing.
Being pedantic is the whole point of AV Software, software testing in general and avionic software in particular.

AND don't forget PUPS (Potentially Unwanted Programs), kind of like Heuristics.
 
I downloaded and installed DJI Assistant 2 For Mavic 2.0.6 for Windows 10 from the official website (Mavic 2 - Specifications, FAQs, Videos, Tutorials, Manuals - DJI)

Bitdefender (Bitdefender - Cybersecurity Solutions for Business and Personal Use) detected Gen:Trojan.Heur.PM.2 in Viewer.exe:

View attachment 64767

I realize this is probably a false positive and I've seen other threads about viruses detected (albeit in older versions of the software,) but I thought it would be prudent to at least mention what I found.

Also hoping someone from DJI can confirm things are OK and perhaps contact Bitdefender to get rid of the false positive for other folks who might see it like me.

Thanks!

"Also hoping someone from DJI can confirm things are OK and perhaps contact Bitdefender to get rid of the false positive for other folks who might see it like me."

I hope you realize this forum does not have any DJI people here. You would have to post on a different forum or contact DJI directly.
 
No, it's not up to DJI; it's up to *both* sides - application vendors and the AV vendors to resolve any repeated FP issues. Only the AV vendors can modify their detection routines/whitelisting, DJI certainly can't do that for them, but there are a lot of people producing code and AV vendors are almost certainly going to prioritise based on reports and other feedback. That feedback has got to come from DJI and from us, their users, and since we're pretty niche we might be quite some way down the list.

DJI's issue is that they are inconsistent in their executable signing, which means that AV vendors that might have whitelisted based on DJI's cert are still going to potentially FP when DJI fails to sign, assuming enough other heuristics trip. Just being more consistent on this and making sure they always sign before release would help reduce the FPs significantly, although probably not entirely. Monitoring their own forum for reports and contacting vendors of products that most often FP is absolutely something DJI can do. I've had to do that a few times at $dayjob, and most AV vendors I've dealt with are pretty helpful at telling you why you are getting misclassified and how to fix it if you provide samples. A consistent, valid, and current vendor cert is usually a pretty good first step.

"No, it's not up to DJI; it's up to *both* sides"... WRONG... it's up to you to research and keep your computer clean.
 
