speakerbox, posted March 18, 2021:

Hi,

We've just had a spate of alerts via ESMC on the below file being detected as PUA, which is our installer for ScreenConnect (Remote Control).

Name: Win32/RemoteAdmin.ConnectWiseControl.A
Uniform Resource Identifier (URI): file:///C:/Windows/Temp/ScreenConnect/20.11.1622.7619/ScreenConnect.ClientSetup.exe
Detection engine version: 22982 (20210317)
Current engine version: 22982 (20210317)

This is legit software and no evidence to suggest malicious so not sure if a bad module update? I do have that exact module and software on my own machine but ESET doesn't detect it. This was detected by idle state scanning our client and so far flagged up on about 20 machines in the past 1-2 hours.

Anyone aware of known issue here?
Marcos (Administrators), posted March 18, 2021:

Potentially unsafe applications (PUsA) are not malware. They are legitimate tools that can be misused in the wrong hands or that have been misused in attacks. The detection is disabled by default. If you use a particular PUsA for legitimate purposes, create a detection exception.
speakerbox (Author), posted March 18, 2021:

Thanks Marcos, any reason why this would have started detecting now? It was the idle state-scanning we have enabled on this particular client which has been running this afternoon and detecting. The file has been in place for weeks and months so bit strange for it to start now.
Marcos (Administrators), posted March 18, 2021:

The detection was added yesterday.
speakerbox (Author), posted March 18, 2021:

Ah OK, that explains why we are seeing that now. If we do exclude it and the software is compromised then that could be a problem, as we won't get any alerts via ESMC possibly. Will need to look into that.
peteyt (Most Valued Members), posted March 19, 2021:

22 hours ago, speakerbox said:
> Ah OK, that explains why we are seeing that now. If we do exclude it and the software is compromised then that could be a problem, as we won't get any alerts via ESMC possibly. Will need to look into that.

I presume it is similar to the likes of TeamViewer and such, remote access programs, which means there is a risk for misuse, i.e. a lot of remote access programs are used by cybercriminals in technician scams etc. I'd recommend, if possible, to enable any kind of two step authentication if available. I've noticed when using secure browser, ESET will also warn you if someone is connected remotely.
PMIadmin, posted April 1, 2021:

On 3/18/2021 at 10:38 AM, speakerbox said:
> Thanks Marcos, any reason why this would have started detecting now? It was the idle state-scanning we have enabled on this particular client which has been running this afternoon and detecting. The file has been in place for weeks and months so bit strange for it to start now.

I am here because we are having the exact same thing, ours just started appearing lately too. Never used to.
speakerbox (Author), posted April 2, 2021:

13 hours ago, PMIadmin said:
> I am here because we are having the exact same thing, ours just started appearing lately too. Never used to.

We've excluded the detection, bit of a pain having it alert 1000's of times a day over all our clients!
avielc, posted May 27, 2021:

Hi

I'll be reviving this post for a few points if possible

1. How do you exclude it for Mac\Windows users?
2. How do you tell ESET to warn the user when they are being remotely connected?

Thanks!
Marcos (Administrators), posted May 27, 2021:

1. Exclusions via the Detection panel in the ESET PROTECT console should work both for Windows and Mac.
2. You would have to create an "ask" rule for the inbound communication but it's probably not desired that the user would be able to block the connection.