Jump to content

Screenconnect False Positive?


Recommended Posts

Hi,

 

We've just had a spate of alerts via ESMC on the below file being detected as PUA which is our installer for ScreenConnect (Remote Control).

Name
Win32/RemoteAdmin.ConnectWiseControl.A
Uniform Resource Identifier (URI)
file:///C:/Windows/Temp/ScreenConnect/20.11.1622.7619/ScreenConnect.ClientSetup.exe
Detection engine version
22982 (20210317)
Current engine version
22982 (20210317)

 

This is legit software and no evidence to suggest malicious so not sure if a bad module update? I do have that exact module and software on my own machine but ESET doesn't detect it. This was detected by idle state scanning our client and so far flagged up on about 20 machines in the past 1-2 hours.

 

Anyone aware of known issue here?

 

 

Link to comment
Share on other sites

  • Administrators

Potentially unsafe applications (PUsA) are not malware. They are legitimate tools that can be misused in the wrong hands or that have been misused in attacks. The detection is disabled by default. If you use a particular PUsA for legitimate purposes, create a detection exception.

Link to comment
Share on other sites

Thanks Marcos, any reason why this would have started detecting now? It was the idle state-scanning we have enabled on this particular client which has been running this afternoon and detecting. The file has been in place for weeks and months so bit strange for it start now.

Link to comment
Share on other sites

Ah OK, that explains why we are seeing that now.

If we do exclude it and the software is comromised then that could be a problem, as we won't get any alerts via ESMC possibly. Will need to look into that.

Link to comment
Share on other sites

  • Most Valued Members
22 hours ago, speakerbox said:

Ah OK, that explains why we are seeing that now.

If we do exclude it and the software is comromised then that could be a problem, as we won't get any alerts via ESMC possibly. Will need to look into that.

I presume it is similar to the likes of TeamViewer and such, remote access programs, which means there is a risk for misuse i.e. a lot of remote access programs are used by cybercriminals in technician scams etc. 

I'd recommend if possible, to enable any kind of two step authentication if available. I've noticed when using secure browser, Eset will also warn you if someone is connect remotely 

Link to comment
Share on other sites

  • 2 weeks later...
On 3/18/2021 at 10:38 AM, speakerbox said:

Thanks Marcos, any reason why this would have started detecting now? It was the idle state-scanning we have enabled on this particular client which has been running this afternoon and detecting. The file has been in place for weeks and months so bit strange for it start now.

I am here cause we are having exact same thing, ours just stared appearing lately too. Never used too.

Link to comment
Share on other sites

13 hours ago, PMIadmin said:

I am here cause we are having exact same thing, ours just stared appearing lately too. Never used too.

We've excluded the detection, bit of a pain having it alert 1000's of times a day over all our clients!

Link to comment
Share on other sites

  • 1 month later...

Hi I'll be reviving this post for a few points if possible

 

1. how do you exclude it for Mac\Windows users?
2. how do you tell ESET to warn the user when they are being remotely connected? 

Thanks!

Link to comment
Share on other sites

  • Administrators

1, Exclusions via the Detection panel in the ESET PROTECT console should work both for Windows and Mac.

2, You would have to create an "ask" rule for the inbound communication but it's probably not desired that the user would be able to block the connection.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...