Auto update for Channels DVR screwing up recordings, can it be disabled?

Chief · July 9, 2017, 4:22am

Is there a way to turn off auto updates for the Channels DVR server software for Mac? I’m getting tired of having failed recordings because the software decided to update itself. Since the code has changed the dvr service can’t connect to the internet when it restarts after the update - I have to authorize the new executable for security reasons. Since it can’t touch getchannels.com, I’m guessing to validate the account, the service never fully starts and recordings fail. Since we have no idea when these updates may pop in, this makes it impossible to trust the DVR to record scheduled shows.

This will also be the result if someone’s internet goes down and the server gets restarted, failed recordings - probably not a good thing to have your cord cutting solution rely upon connection to the internet to be usable. You might want to think about using some sort of license file or something instead of relying on internet connectivity.

I have no problem applying the updates when they come down, I just need to be the one driving the ship to avoid these problems.

Thanks,

Chief

tmm1 · July 9, 2017, 5:00am

There is currently no way to do this.

I’m not sure what you’re using to control network access, but one option is to whitelist the path to the DVR executable so it doesn’t need to be authorized every time.

This sounds like a bug… access to getchannels.com is not required for the DVR to function. The log might print some errors about this, but scheduled recordings should still proceed. The license details are cached on disk and valid for up to a week.

If your security software is throwing up a prompt to re-authorize when the network access is attempted, then it’s possible it’s causing the DVR to halt until you accept, which effectively breaks all DVR functions.

We explicitly designed and tested the DVR to make sure it continues to function without internet access. I just re-tested this case and it works as expected after a reboot.

TeddyR · July 9, 2017, 6:01am

I have seen a similar issues with three setups. The first was where the location had an inline proxy enabled with authorization required for internet access. They had routers with WCCP enabled to redirect traffic to local squid caches which in turn were configured to require password for any sites not on the whitelist. The second was a location that had a forcepoint appliance that did the same thing. The third (and easiest to fix) was a home router with “alternate” firmware that had a built-in proxy configured to authenticate. The admin on the second site allowed the whitelisting of traffic from the dvr (since it was used by the CFO …) but the first site refused. YMMV.

tmm1 · July 9, 2017, 6:40am

If you’re already mucking around with network ACLs, one way to disable auto-update is to disallow https traffic to channels-dvr.s3.amazonaws.com. Then when you want to manual update, you could allow traffic and click the “check for updates” button.

Keep in mind that your DVR or clients may stop working at any point if you don’t keep them reasonably up to date. We make big changes quickly and old versions of our software are unsupported.

Chief · July 9, 2017, 5:32pm

I use a few different solutions to lock down any executables that change w/o direct input from myself, with Sophos UTM between my internal and external networks. Whitelisting the path is a bad practice from a security standpoint and is not an option. When the executable changes, all network access for that file is halted - which, in this day and age of rampant malware/ransomware, is what I recommend for ALL systems. This is most likely what’s breaking the DVR functionality, as no network access is allowed until I authorize the changed code for the executable. I’m guessing that the only ppl seeing this problem are the ones who are acutely aware of the current security threats out there and lock down our systems accordingly. I’m glad to see that they traffic I saw reaching out for getchannels.com when the DVR app was updated and restarted wasn’t for licensing purposes, thanks for clearing that up.

I think it would be a great benefit for stability to add the ability to just notify when updates are available, and let the user choose when to apply them. For security reasons, I always avoid forced updates. For now, I’ll use your suggestion of blocking access to the update site, as failed recordings aren’t an option. I run daily maintenance on the server, so it’s not a problem to manually update.

All said, this is absolutely the best DVR solution I’ve found for anything (let alone the Mac) and I’ve tried a lot of them. I’m really impressed with the immediate access to dev’s we have here in the forums. As long as I can use the software securely, it’s hands-down the option for me. The apps are a little pricey, but that’s easy to accept with the level of support and frequent updates we see. Keep up the good work!

Thanks,

Chief

ImNotSerious · July 9, 2017, 8:28pm

I don’t use whitelisting at home, just at work, but most solutions provide hash,path, certificate whitelisting. Are the executables signed? Normal whitelisting software could just trust the Fancy Bits signing cert, and then updates would work fine.

tmm1 · July 9, 2017, 10:10pm

Yes all the executables are signed

Chief · July 9, 2017, 11:12pm

I prefer avoid whitelisting when I can, I like more granular control. One problem is that there’s a new directory created with each update of channels-dvr. I guess I could whitelist through the upper level dir recursively, but still a lot to go through for control that I would like to see baked into the software. The biggest problem for me is one of full control over what happens to your system, when updates happen, etc.

In any case, I’ve got it sorted now so it can’t update w/o action from me, and that’s what was required. I would just like to see a software switch and update notifications, rather than having to jump into the nuts and bolts of things. Time to get back to enjoying the DVR

Thanks,
Chief

djcastaldo · July 10, 2017, 9:22pm

if you are bored and can’t find any malware on your system, just install a ton of bloated ‘security’ software to slow down your system and make your apps nonfunctional. Then, at least you can spend your time trying to make things work the way they are supposed to.

Chief · July 10, 2017, 10:28pm

Or if you are bored you can go through forums and make comments that don’t add to the discussion - like we both now have done

djcastaldo · July 10, 2017, 11:00pm

I was just pointing out that putting a bunch of garbage software on your computer that breaks stuff and slows things down is probably not the best way to secure your system.

Here is a good security plan:
trust the computers on your lan
pay attention to the ports that you open to the outside world.
be wary of unsigned files and data from places like public newsgroups, email, torrents… in fact, don’t even use these.

keep your software up-to-date.
macOS has built-in malware definitions that update daily.

djcastaldo · July 10, 2017, 11:43pm

oh yeah, and backups. A good plan for backups / system snapshots can be a great tool. You can use a backup to replace stuff that may have been accidentally deleted or recover your important data in the case of hardware failure.