
Hi,

 

We've just had a spate of alerts via ESMC on the below file being detected as PUA which is our installer for ScreenConnect (Remote Control).

Name: Win32/RemoteAdmin.ConnectWiseControl.A
Uniform Resource Identifier (URI): file:///C:/Windows/Temp/ScreenConnect/20.11.1622.7619/ScreenConnect.ClientSetup.exe
Detection engine version: 22982 (20210317)
Current engine version: 22982 (20210317)

 

This is legit software and no evidence to suggest malicious so not sure if a bad module update? I do have that exact module and software on my own machine but ESET doesn't detect it. This was detected by idle state scanning our client and so far flagged up on about 20 machines in the past 1-2 hours.

 

Anyone aware of known issue here?

 

 

  • Administrators

Potentially unsafe applications (PUsA) are not malware. They are legitimate tools that can be misused in the wrong hands or that have been misused in attacks. The detection is disabled by default. If you use a particular PUsA for legitimate purposes, create a detection exception.


Thanks Marcos, any reason why this would have started detecting now? It was the idle state-scanning we have enabled on this particular client which has been running this afternoon and detecting. The file has been in place for weeks and months so bit strange for it to start now.


Ah OK, that explains why we are seeing that now.

If we do exclude it and the software is compromised then that could be a problem, as we won't get any alerts via ESMC possibly. Will need to look into that.

  • Most Valued Members
22 hours ago, speakerbox said:

Ah OK, that explains why we are seeing that now.

If we do exclude it and the software is compromised then that could be a problem, as we won't get any alerts via ESMC possibly. Will need to look into that.

I presume it is similar to the likes of TeamViewer and such, remote access programs, which means there is a risk for misuse i.e. a lot of remote access programs are used by cybercriminals in technician scams etc. 

I'd recommend if possible, to enable any kind of two step authentication if available. I've noticed when using secure browser, Eset will also warn you if someone is connected remotely.

  • 2 weeks later...
On 3/18/2021 at 10:38 AM, speakerbox said:

Thanks Marcos, any reason why this would have started detecting now? It was the idle state-scanning we have enabled on this particular client which has been running this afternoon and detecting. The file has been in place for weeks and months so bit strange for it to start now.

I am here cause we are having exact same thing, ours just started appearing lately too. Never used to.

13 hours ago, PMIadmin said:

I am here cause we are having exact same thing, ours just started appearing lately too. Never used to.

We've excluded the detection, bit of a pain having it alert 1000's of times a day over all our clients!

  • 1 month later...

Hi I'll be reviving this post for a few points if possible

 

1. how do you exclude it for Mac\Windows users?
2. how do you tell ESET to warn the user when they are being remotely connected? 

Thanks!

  • Administrators

1, Exclusions via the Detection panel in the ESET PROTECT console should work both for Windows and Mac.

2, You would have to create an "ask" rule for the inbound communication but it's probably not desired that the user would be able to block the connection.
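
Added example, not part of the thread and not ESET or ConnectWise code: one compensating check for the concern raised earlier that an excluded installer could be compromised without any alert. It compares every copy of the installer against a SHA-256 pinned per approved version; the function names, the `pinned` mapping and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Layout seen in the alert: .../ScreenConnect/<version>/ScreenConnect.ClientSetup.exe
INSTALLER_RE = re.compile(
    r"ScreenConnect[\\/](\d+(?:\.\d+){3})[\\/]ScreenConnect\.ClientSetup\.exe$", re.I)

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def audit_excluded_installers(root, pinned):
    """pinned maps version -> SHA-256 of the installer build you approved.
    Returns (path, version, status) for every copy found under root."""
    findings = []
    for p in sorted(Path(root).rglob("ScreenConnect.ClientSetup.exe")):
        m = INSTALLER_RE.search(str(p))
        version = m.group(1) if m else None
        if version is None:
            status = "unexpected-location"
        elif version not in pinned:
            status = "unapproved-version"
        elif sha256_file(p) != pinned[version].lower():
            status = "hash-mismatch"
        else:
            status = "ok"
        findings.append((str(p), version, status))
    return findings

def demo():
    """Constructed tree: an approved copy, a modified copy, and a stray copy."""
    good = b"constructed stand-in for the approved installer bytes"
    layout = {"hostA/ScreenConnect/20.11.1622.7619": good,
              "hostB/ScreenConnect/20.11.1622.7619": good + b" modified",
              "hostC/Downloads": good}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in layout.items():
            d = Path(tmp, rel)
            d.mkdir(parents=True)
            (d / "ScreenConnect.ClientSetup.exe").write_bytes(data)
        pinned = {"20.11.1622.7619": hashlib.sha256(good).hexdigest()}
        return [s for _, _, s in audit_excluded_installers(tmp, pinned)]

if __name__ == "__main__":
    print(demo())
```

Any status other than `ok` should be reported through a channel other than the antivirus console, since the exclusion is what silences the console alert.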
