Netsurveillance: Web Plugin Upd [upd]

Executive Summary: Proceed with Caution

Current Status: The "NetSurveillance Web Plugin" is largely considered obsolete and potentially insecure by modern standards.

If you are looking for an update to view your older IP cameras on a modern browser, you will likely find that the update does not solve your problems. The technology relies on ActiveX or NPAPI, both of which have been disabled in Chrome, Edge, and Firefox for years.

1. Executive Summary

An unexpected update prompt labeled “Netsurveillance Web Plugin UPD” has appeared across several legacy video management systems (VMS) in the past 72 hours. While superficially resembling a routine codec or ActiveX update for IP camera viewers, deep packet inspection reveals anomalous behavior. This report outlines the findings of the “UPD” (suspected to stand for Universal Packet Dispatch, though the installer suggests Update) and recommends immediate containment. netsurveillance web plugin upd

3. The Anomaly: Why It’s Interesting

Standard web plugins for surveillance call home to a local NVR (Network Video Recorder) on ports 80, 443, or 554 (RTSP). The “UPD” variant does not.

Observed Behavior in a Sandbox Environment: Executive Summary: Proceed with Caution Current Status: The

• Outbound Traffic: Instead of connecting to the local camera subnet (192.168.x.x), the plugin establishes an encrypted WebSocket tunnel to a rotating set of IP addresses hosted on a bulletproof cloud provider.
• Persistence Mechanism: The plugin writes a scheduled task named "NetsurveillanceHeartbeat" that executes every 4 hours, even if the browser is closed.
• Payload Delivery: 12 hours post-installation, the plugin begins exfiltrating low-resolution thumbnail frames from the local surveillance archive—not live streams—to a remote server. This suggests the attacker is not interested in real-time viewing but in behavioral pattern analysis.

Advanced: Automating Netsurveillance Web Plugin Updates via GPO (For IT Admins)

If you manage 50+ client workstations, manual updates are impossible. Use Group Policy for silent updates:

1. Extract the MSI: Use Universal Extractor or run the installer with /extract.
2. Deploy via GPO: Assign the MSI to “Computer Configuration > Policies > Software Settings.”
3. Script cleanup: Use a startup script to delete old plugin GUIDs from HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall.
4. Whitelist URLs: Add your NVR IPs to the Internet Explorer Compatibility View List via GPO to force plugin mode.

Pro tip: Set the plugin update to run at login via schtasks /create with highest privileges. Outbound Traffic: Instead of connecting to the local

3.1 The ActiveX Standard

The NetSurveillance Plugin is almost exclusively built on ActiveX technology. This is a Microsoft framework that allows websites to run software on a user's computer.

• File Name: Typically named webrec.cab, NetSurveillance.ocx, or WebPlugin.exe.
• Browser Dependency: These plugins only function in Internet Explorer (IE) or "IE Mode" in Microsoft Edge. They will not work in Chrome, Firefox, or Safari because modern browsers have deprecated NPAPI/ActiveX support for security reasons.

3. Technical Architecture

Phase 6: Verification

1. Refresh the browser tab.
2. Click “Allow” when the browser asks for permission to run the plugin.
3. You should see live video within 5 seconds.

Installation experience

The typical download is an .exe file (often unsigned or with an expired certificate). You’ll need to:

1. Run as Administrator.
2. Close all browsers.
3. Restart your PC.
4. Configure IE security settings to enable unsigned ActiveX controls.
5. Add the NVR’s IP to Trusted Sites.

Even then, success is hit-or-miss.

Suggested alternatives (if possible)

• SmartPSS (Dahua’s desktop client) – No browser, no plugin issues.
• Upgrade NVR firmware – Newer firmware may offer HTML5/WebSocket streaming.
• Use a dedicated VMS – Blue Iris, Shinobi, or Frigate with RTSP.