Confirm exact model/vendor → official support page.
Download only via HTTPS from vendor or verified mirror.
Verify checksum and digital signature.
Scan with VirusTotal and test in isolated environment.
Prefer HTML5/web-native clients over legacy plugins.
If your NVR is extremely old and unsupported, consider replacing it — the security risk of running an unpatched, plugin-dependent device on your network is significant.
Many modern browsers have dropped NPAPI and ActiveX support; vendors sometimes provide companion apps or new HTML5 players. If you find a "webplugin" package, investigate whether it's legacy and whether there's an HTML5 alternative.
If only an ActiveX/IE-only plugin exists, expect that you'll need Internet Explorer mode in Edge or a legacy browser; this increases exposure to vulnerabilities.
Check for required runtime dependencies (e.g., .NET, VC++ Redistributable) and whether the installer attempts to install additional software.