Andres96, posted May 27:

Hi forum,

Since last week, we're having the AnyDesk app detected as a potentially insecure application. I guess it's from the last ESET update. Is this true? We have AnyDesk installed on all our workers' laptops, so if it's a bad application we have to uninstall it from all endpoints and look for a new alternative.

Thanks!

Marcos (Administrators, Solution), posted May 27:

Most likely you have aggressive detection enabled. Since you use AnyDesk deliberately for legitimate purposes, please create a detection exclusion.

Nightowl (Most Valued Members), posted May 28:

Could it be the old versions of AnyDesk? Since AnyDesk got compromised a while ago, they were breached and their certificate was stolen, so they had to make a new one, so older versions have a certificate that was taken by hackers.

Laskmar, posted May 28:

Good day,

Dear @Marcos, creating an exclusion is not the proper approach. This was working without issue for the last 3 years. This indeed started to generate a warning on only one computer, mine, since last week; I have been checking the MD5, it seems legit, and I uninstalled/installed AnyDesk again. Today I started to see additional warnings on multiple computers of our network. Thus this should be addressed by AnyDesk - reputation / score system to be treated accordingly, not every single admin out there creating exclusions.

Thanks in advance.

Marcos (Administrators), posted May 28:

Creating detection exclusions for applications that are detected as potentially unsafe (PUsA) but were installed with administrators' knowledge is a standard approach to dealing with PUA and PUsA detections which are not enabled by default.

JamesR (ESET Staff), posted May 28:

The reason for the detection as PUsA is the common misuse of AnyDesk by threat actors (specifically ransomware gangs and their affiliates). It is not uncommon to see a threat actor place remote desktop management software in an attempt to place a backdoor that is not using any form of malware. Since AnyDesk is commonly seen as a popular choice by threat actors, we have an optional PUsA detection. PUsA detections are off by default, and it's likely that this option was enabled via Policy on your network. If you use any software which is detected as PUsA, you will need to create a detection exclusion for it.

Nightowl (Most Valued Members), posted May 29 (edited May 29 by Nightowl):

On 5/28/2024 at 9:21 AM, Nightowl said:

> Could it be the old versions of AnyDesk? Since AnyDesk got compromised a while ago, they were breached and their certificate was stolen, so they had to make a new one, so older versions have a certificate that was taken by hackers.

More about the breach: https://anydesk.com/en/public-statement

Quote:

> AnyDesk Incident Response 5-2-2024
>
> Following our public statement on 2 February 2024 about a cyber incident at AnyDesk https://anydesk.com/en/public-statement-2-2-2024, we can assure you that we immediately took all necessary steps to investigate and mitigate the incident and continue to cooperate with all relevant authorities.
>
> All AnyDesk versions obtained from our official sources are safe to use. However, we recommend using the latest versions 7.0.15 and 8.0.8.
>
> The forced password reset for our customer portal my.anydesk.com was done out of an abundance of caution. We have no evidence that any customer data has been exfiltrated. Again, we also have no evidence that any end-user devices have been affected by this incident.
>
> Transparency, company integrity and trust in our products is of paramount importance to us. However, it is the nature of a cyber incident that not all information can be made available at once. Therefore we have set up an FAQ section available at https://anydesk.com/en/faq-incident, which will be updated to address our customers' concerns and to correct any false information that may be circulating about the incident.
>
> You can reach us by email at hotline@anydesk.com or by phone at +852 3001 1452

So I also believe it's better to let ESET pick them up and remove them, unless needed, in which case they can be excluded.

Marcos (Administrators), posted May 31:

If you believe that TeamViewer or another remote admin tool has been actively misused in attacks, please contact samples[at]eset.com and we'll look into it.

smootarm, posted June 5:

In this case, I have updated the AnyDesk program to the latest version, but the ESET program detects it as before. I would like to know what to do in this case, to be safe. And if AnyDesk is excluded, will there be a risk?

Marcos (Administrators), posted June 5:

You can create a detection exclusion with the detection name via ESET PROTECT and ideally also with the path so that the tool cannot be run from a non-standard location, e.g. when dropped by an attacker for remote control.
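
Added example, not part of the thread and not ESET or AnyDesk tooling: a PowerShell inventory to run on an endpoint alongside the path-scoped exclusion described above. It lists every AnyDesk executable found, with its file version and Authenticode signer, and marks copies that sit outside the expected directory, are older than the builds AnyDesk recommends in the quoted statement (7.0.15 / 8.0.8), or lack a valid signature. The install directory, the search roots and the use of those versions as minimums are assumptions to adjust for your site.

```powershell
# Added example (not from the thread): inventory AnyDesk executables on one endpoint.
# Assumptions: 64-bit Windows, the install directory below, and treating the
# versions AnyDesk recommends (7.0.15 / 8.0.8) as the minimum acceptable builds.
$AllowedDirs = @("${env:ProgramFiles(x86)}\AnyDesk")      # assumed standard location
$MinVersions = @{ 7 = [version]'7.0.15'; 8 = [version]'8.0.8' }
$SearchRoots = @("$env:SystemDrive\Users", $env:ProgramData,
                 $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
               Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$report = Get-ChildItem -Path $SearchRoots -Filter 'AnyDesk*.exe' -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi  = $_.VersionInfo
        $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)
        $min = $MinVersions[$ver.Major]
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName

        # A copy outside the allowed directory would not match a path-scoped exclusion.
        $outside  = $AllowedDirs -notcontains $_.DirectoryName
        # Older than the recommended build of its major line, or an older major line.
        $outdated = if ($min) { $ver -lt $min } else { $ver.Major -lt 7 }
        $badSig   = $sig.Status -ne 'Valid'

        [pscustomobject]@{
            Review      = $outside -or $outdated -or $badSig
            Path        = $_.FullName
            Version     = $ver
            OutsidePath = $outside
            Outdated    = $outdated
            SigStatus   = $sig.Status
            # Signer details, for comparison with what the vendor publishes.
            Signer      = $sig.SignerCertificate.Subject
            Thumbprint  = $sig.SignerCertificate.Thumbprint
            CertFrom    = $sig.SignerCertificate.NotBefore
        }
    }

# Rows with Review = True come first.
$report | Sort-Object Review -Descending | Format-List
```

Run it from an elevated session so other users' profile folders are readable; unreadable folders are skipped silently.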