DepthAI installation on WIN10 triggers threat protection

I've seen the same issue, but on Windows 11. It's from the depthai-viewer tool, and I have posted about it quite a bit on this issue for its GitHub repo, as I just bought an OAK-D Lite and wanted to trace down whether this is a real issue or a false positive before I installed the tools myself to play around with.

Here's a quick summary of what I've found so far.

  • From running scans on VirusTotal, it seems to affect all versions of depthai-viewer from 0.1.5 through the latest (0.2.7).
  • VirusTotal only detects it on Windows builds.
  • Only 13 AV products are detecting it on VirusTotal, and I've been re-queuing the file to VirusTotal on a daily basis to see if that number changes. It has not.
  • The specific threat signature was only added to Microsoft Defender in November, and Microsoft has little detail on it right now, and I get almost no relevant hits for the signature name on google.

I've not posted this bit on the bug yet as I'm still working on this, but here's some info on what I've done in the past day or two:
Just today I've set up a Windows 11 VM and tried compiling the tool myself (by manually replicating the steps in the GitHub Actions definition file), which indeed triggered Windows Defender (meaning the exploit method is not the same as the previously mentioned ultralytics breach, which from what I can tell would only affect builds made on GitHub's pipeline, but that means nothing about what the actual exploit is). Interestingly enough, none of the intermediate compilation objects are setting off Windows Defender. If it did trigger on one of those, it would suggest that the issue is with a dependency. Since it did not, I'm back to square one of wondering exactly what is triggering this.

@erik Microsoft has a way for developers themselves to submit files for more in-depth analysis. I don't know what (if any) information they would share from that analysis, but it might be worth submitting it to them.
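A small script that automates the hash-and-lookup loop described above (hash the artifact, pull the existing VirusTotal report by hash, and diff which engines flag it from one day to the next). This is an added example, not code from the thread, from Luxonis, or from the depthai-viewer project. It assumes the VirusTotal v3 file-report endpoint (`GET /api/v3/files/{sha256}` with an `x-apikey` header) and an API key in the `VT_API_KEY` environment variable; it only looks up an existing report and never uploads the file. The sample report embedded below is constructed for illustration, and the engine names and signature strings in it are placeholders.

```python
"""Hash a local build artifact and summarize / diff its VirusTotal report.

Added example (not depthai-viewer code). Assumes the VirusTotal v3 REST API;
the SAMPLE_REPORT below is constructed and its engine names are placeholders.
"""
import hashlib
import json
import os
import sys
import urllib.request

VT_FILE_REPORT = "https://www.virustotal.com/api/v3/files/{sha256}"


def sha256_of_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 hex digest of a file, streamed so large wheels/exes fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def fetch_report(sha256: str, api_key: str) -> dict:
    """Look up an EXISTING report by hash (read-only; nothing is uploaded)."""
    req = urllib.request.Request(
        VT_FILE_REPORT.format(sha256=sha256), headers={"x-apikey": api_key}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_report(report: dict):
    """Return (flagged_count, engine_count, {engine: signature}) from a v3 file report.

    'malicious' and 'suspicious' verdicts both count as a flag; the signature
    string is what each vendor calls the detection (useful for searching later).
    """
    results = report["data"]["attributes"].get("last_analysis_results", {})
    flagged = {
        engine: r.get("result")
        for engine, r in results.items()
        if r.get("category") in ("malicious", "suspicious")
    }
    return len(flagged), len(results), flagged


def diff_flags(previous: dict, current: dict) -> dict:
    """Compare two {engine: signature} maps from different days.

    A growing 'added' set suggests vendors are corroborating each other; a
    growing 'removed' set suggests a signature is being retired (false positive).
    """
    return {
        "added": sorted(set(current) - set(previous)),
        "removed": sorted(set(previous) - set(current)),
        "renamed": sorted(e for e in set(previous) & set(current) if previous[e] != current[e]),
    }


# Constructed sample: four placeholder engines, two of which flag the file.
SAMPLE_REPORT = {
    "data": {
        "attributes": {
            "sha256": "0" * 64,
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Trojan:Win64/Constructed.A"},
                "EngineB": {"category": "undetected", "result": None},
                "EngineC": {"category": "suspicious", "result": "Heuristic.Constructed"},
                "EngineD": {"category": "undetected", "result": None},
            },
        }
    }
}


if __name__ == "__main__":
    # Usage: VT_API_KEY=... python vt_check.py <artifact> [previous_flags.json]
    if len(sys.argv) < 2:
        sys.exit("usage: vt_check.py <artifact> [previous_flags.json]")
    digest = sha256_of_file(sys.argv[1])
    report = fetch_report(digest, os.environ["VT_API_KEY"])
    count, total, flagged = summarize_report(report)
    print(f"{digest}: {count}/{total} engines flag it")
    for engine, sig in sorted(flagged.items()):
        print(f"  {engine}: {sig}")
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as f:
            print("diff vs previous run:", diff_flags(json.load(f), flagged))
    # Save today's flags so tomorrow's run can be diffed against them.
    with open("previous_flags.json", "w") as f:
        json.dump(flagged, f)
```

Running it once a day against the same wheel or executable and keeping the saved flag map gives the same signal the poster was collecting by re-queuing the file manually, but with the per-vendor signature names recorded, which is what you need when searching for vendor write-ups or filing a false-positive report.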

@marsfan thanks for the info, zrezke (developer of viewer) plans to update the viewer with newer rust version which apparently doesn't cause a warning.

@erik I saw that reply from him on the GitHub thread, which sounds like a great simple solution. I'm still spending some effort trying to trace down exactly what's causing the AV detection, because I'm not entirely sure why updating the Rust version would fix that.

I know he was planning to bump it to Rust 1.74. If he can, he should bump it to at least 1.77.2, because that version fixed a 10/10 CVE related to the potential for escaping and executing remote code.

a month later

Is there a workaround or a solution? We bought this camera and would like to test it, but our IT would not let me run it without some confirmation that it is indeed not a trojan.

    Yep - working on a big project using a ToF PoE sensor in a POC, and it's very frustrating that I can't install this at the moment. I also have no option to simply ignore it (and I don't think anyone should). Is there an ETA please?

    JFgarcia To be honest, I have found Luxonis customer support very bad; I've sent multiple questions and no one ever seems to reply. Honestly, I would have expected an issue like this, which effectively blocks the depthai viewer install for all Windows 10/11 users, to be a top priority…

      JFgarcia
      Should be fixed in the next release with updated rust toolchain. We are just making some final fixes. ETA this week.

      jjb2 "I have found Luxonis customer support very bad, sent multiple questions and no one ever seems to reply."

      Where was this sent?

      Thanks,
      Jaka

      Same issue… just got this device. I'm a novice, and if this issue just on install has been happening for over a month, I may need to consider returning it and getting something with better support :/

        Now, do we know what the exploit did?

        I had an old version of Depth viewer installed on my PC, and Windows Defender recently flagged some files from the Python package.

        Was this exploit used to mine crypto, similarly to ultralytics? Was it an infostealer?

        What do we actually know about its effects?

          Dams
          AFAIK we still have no clue. Microsoft hasn't put up any info regarding the detected threat, or whether it even is a threat. Anyway, the issue should now be resolved. Please ping me if this comes to be a problem again. I will notify here if I learn more about the exploit.

          Thanks,
          Jaka

            jakaskerl I tried on Win 10 as well as on Win 11, but I'm having the same issue on both… Have you got any solution for this problem?

              awabyounas
              The newest version should solve the problem. Make sure your viewer is v0.2.8. LMK if it still doesn't work despite using the newer version.

              Thanks,
              Jaka

              19 days later

              It looks like we have a little bit more info on the threat:

              https://threatlibrary.zscaler.com/?threatname=Bastdoor

              https://www.virusview.net/malware/Trojan/Win64/Bastdoor

              It looks like this trojan was also a keylogger and an infostealer.

              Now, as I am not a security guy, and I don't know these sources, I'm not sure how accurate this information is.

              I would still wait for the Microsoft report to be sure.

              Regardless, anyone that got infected really needs to change all of their passwords.

              9 days later

              By infected, do you mean run the program, or just an install?

              Antivirus blocked it, but it's on my PC - what happens?

                TheOracle
                If antivirus blocked it, it was put under quarantine or straight up deleted, so you should be fine.

                Thanks,
                Jaka