Jump to content

AnyDesk.C detected as Insecure App


Go to solution Solved by Marcos,

Recommended Posts

Hi forum

Since the last week, were having the AnyDesk app detected potentially insecure application. I guess its from the last ESET update.

Is this true? We have AnyDesk installed in all our workers laptops, so if its a bad application we have to uninstall from all endpoint and look for a new alternative

 

Thanks!

image.thumb.png.851eb8a7f7c01be2fdcd4ef369260b60.png

Link to comment
Share on other sites

  • Administrators
  • Solution

Most likely you have aggressive detection enabled. Since you use AnyDesk deliberately for legitimate purposes, please create a detection exclusion.

Link to comment
Share on other sites

  • Most Valued Members

Could it be the old versions of Anydesk? since Anydesk got compromised a while ago they were breached and their certificate was stolen so they had to make a new one , so older versions have a certificate that were taken by hackers.

Link to comment
Share on other sites

Good day, Dear @Marcos creating exclusion is not the proper approach. This was working without issue for last 3 years. This indeed started to generate warning only to one computer , mine since last week, been checking MD5 - seems legit and uninstalled/installed Anydesk again. Today started to see additional warnings to multiple computers of our network.

Thus this should be addressed by Anydesk - reputation / score system to be treated accordingly, not every single admin out there creating exclusions.

Thanks in advance..

Link to comment
Share on other sites

  • Administrators

Creating detection exclusions for applications that are detected as potentially unsafe (PUsA) but were installed with administrators' knowledge is a standard approach to dealing with PUA and PUsA detections which are not enabled by default.

Link to comment
Share on other sites

  • ESET Staff

The reason for the detection as PUsA is due to the common misuse of AnyDesk by threat actors (specifically Ransomware gangs and their affiliates).  It is not uncommon to see a threat actor place a remote desktop management software in an attempt to place a backdoor that is not using any form of malware.  Since AnyDesk is commonly seen as a popular choice by threat actors, we have an optional PUsA detection.  PUsA detections are off by default, and its likely that this option was enabled via Policy on your network.

If you use any software which is detected as PUsA, you will need to create a detection exclusion for it.

Link to comment
Share on other sites

  • Most Valued Members
Posted (edited)
On 5/28/2024 at 9:21 AM, Nightowl said:

Could it be the old versions of Anydesk? since Anydesk got compromised a while ago they were breached and their certificate was stolen so they had to make a new one , so older versions have a certificate that were taken by hackers.

More about the breach : https://anydesk.com/en/public-statement

 

Quote

 

AnyDesk Incident Response 5-2-2024

 

Following our public statement on 2 February 2024 about a cyber incident at AnyDesk https://anydesk.com/en/public-statement-2-2-2024, we can assure you that we immediately took all necessary steps to investigate and mitigate the incident and continue to cooperate with all relevant authorities. All AnyDesk versions obtained from our official sources are safe to use. However, we recommend using the latest versions 7.0.15 and 8.0.8. The forced password reset for our customer portal my.anydesk.com was done out of an abundance of caution. We have no evidence that any customer data has been exfiltrated. Again, we also have no evidence that any end-user devices have been affected by this incident.

Transparency, company integrity and trust in our products is of paramount importance to us. However, it is the nature of a cyber incident that not all information can be made available at once. Therefore we have set up an FAQ section available at https://anydesk.com/en/faq-incident, which will be updated to address our customers' concerns and to correct any false information that may be circulating about the incident.

You can reach us by email at hotline@anydesk.com or by phone at +852 3001 1452

 

So I also believe it's better to let ESET pick them up and remove them , unless needed which can be excluded.

Edited by Nightowl
Link to comment
Share on other sites

  • Administrators

If you believe that TeamViewer or another remote admin tool has been actively misused in attacks, please contact samples[at]eset.com and we'll look into it.

Link to comment
Share on other sites

In this case, I have updated the Anydesk program to the latest version, but the ESET program detects it as before. I would like to know what to do in this case. To be safe And if exclusion anydesk  will there be a risk?

Link to comment
Share on other sites

  • Administrators

You can create a detection exclusion with the detection name via ESET PROTECT and ideally also with the path so that the tool cannot be run from a non-standard location, e.g. when dropped by an attacker for remote control.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...