Jump to content

Screenconnect (Connect wise ) ESET Blockings


Go to solution Solved by Marcos,

Recommended Posts

Hi ESET Team, 

I would like to ask how to resolve  this case?

 

Action that we have taken

1. We've tried to exclude the application from detections engine, but it didn't work- since the screen connect automatically change the HASH - once you downloaded it

2. We've tried to make an exclusion  from submitted file using ESET protect and restore and exclude from quarantine- but since the hash automatically change once our client download the app.

3. we also tried to disable ssl - but there's no make any difference

4. We disable 'Potentially unsafe application and it worked - we tried some exclusion from console but it didn't work 

Again the hash has been changing once you downloaded it .

 

 

 

image.thumb.png.43b711e1d9af94d1d19b66c51ec8b660.png

 

Link to comment
Share on other sites

  • Administrators

You should create a detection exclusion based on the detection name instead of the hash of the file.

Link to comment
Share on other sites

Hi Marcos,

 

We Already tried that, but when we are tying that rule the DETECTION NAME is different :

 

Screenconnect.remote.A

Screenconnect.remote.C

 

ETC

And we tried the above action problem still exist.

 

Link to comment
Share on other sites

  • Administrators

You can create detection exclusions for both Screenconnect.Remote.A and Screenconnect.Remote.C if you don't want these detections to be reported / blocked.

Link to comment
Share on other sites

Hi Marcos, 

We've made a lot of exclusion, but since the screen connect - need to download whenever the client need the  support.

Once they open this site https://happen.screenconnect.com/  - from the end user they will received an email about the code

then the code should be input from screensconnect then it will give them the installer of screen connect so that the technician will be able to connect to the machine. 

 

We do a lot of exclusion but it didn't work, however I'm just checking from ESET Online help about Potentially unsafe application:

image.thumb.png.ca2a41cdaec0145f57360a624f98683c.png

Source : https://help.eset.com/glossary/en-US/unwanted_application.html#:~:text=A Potentially Unsafe Application is,unwanted app outweigh the risks.

I just want to make sure, if is that possible to turn off the PUA ? 

 

 

Link to comment
Share on other sites

  • Administrators

Potentially unwanted applications are different that potentially unsafe applications which ScreenConnect is. It's recommended to keep detection of potentially unsafe applications turned on and create detection exclusions for detected applications that you use deliberately.

Please provide logs collected with ESET Log Collector as you shouldn't need to create many exclusions and two for Screenconnect.Remote.A and Screenconnect.Remote.C should be enough if other variants are not detected.

Link to comment
Share on other sites

  • Administrators
  • Solution

As for the exclusions, the performance exclusion is wrong. Instead of the path to a file it contains the detection name. Remove it:

image.png

 

Files with the following hashes were detected:

0021EE9DA5C4D2A69850593ED0FAB773FBDA6AB8
AEB6ACDBDE76612B00F69DF586257E98B51097C5
F96F8CD602FDAF740C58FE70189412684BA4FD46
F8A7ED9826D13C83F3DDCB119714C9FA63FEB04C
6B2C27560050C0CA43C5BDE5EA53CB9CF6F65EA6

However, only these hash-based detection exclusions exist:

image.png

The file with hash F8A7ED9826D13C83F3DDCB119714C9FA63FEB04C was last detected on June 19 most likely before the hash was excluded.

Creating a detection exclusion with just the detection name like this should make the app undetected:

image.png

image.png

Link to comment
Share on other sites

  • Marcos changed the title to Screenconnect (Connect wise ) ESET Blockings

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...