Screenconnect (Connect wise ) ESET Blockings

[Microbe 6]

Hi ESET Team, 

I would like to ask how to resolve  this case?

 

Action that we have taken

1. We've tried to exclude the application from detections engine, but it didn't work- since the screen connect automatically change the HASH - once you downloaded it

2. We've tried to make an exclusion  from submitted file using ESET protect and restore and exclude from quarantine- but since the hash automatically change once our client download the app.

3. we also tried to disable ssl - but there's no make any difference

4. We disable 'Potentially unsafe application and it worked - we tried some exclusion from console but it didn't work 

Again the hash has been changing once you downloaded it .

 

 

 

 

[Marcos 5,274]

You should create a detection exclusion based on the detection name instead of the hash of the file.

[Microbe 6]

Hi Marcos,

 

We Already tried that, but when we are tying that rule the DETECTION NAME is different :

 

Screenconnect.remote.A

Screenconnect.remote.C

 

ETC

And we tried the above action problem still exist.

 

[Marcos 5,274]

You can create detection exclusions for both Screenconnect.Remote.A and Screenconnect.Remote.C if you don't want these detections to be reported / blocked.

[Microbe 6]

Hi Marcos, 

We've made a lot of exclusion, but since the screen connect - need to download whenever the client need the  support.

Once they open this site https://happen.screenconnect.com/  - from the end user they will received an email about the code

then the code should be input from screensconnect then it will give them the installer of screen connect so that the technician will be able to connect to the machine. 

 

We do a lot of exclusion but it didn't work, however I'm just checking from ESET Online help about Potentially unsafe application:

Source : https://help.eset.com/glossary/en-US/unwanted_application.html#:~:text=A Potentially Unsafe Application is,unwanted app outweigh the risks.

I just want to make sure, if is that possible to turn off the PUA ? 

 

 

[Marcos 5,274]

Potentially unwanted applications are different that potentially unsafe applications which ScreenConnect is. It's recommended to keep detection of potentially unsafe applications turned on and create detection exclusions for detected applications that you use deliberately.

Please provide logs collected with ESET Log Collector as you shouldn't need to create many exclusions and two for Screenconnect.Remote.A and Screenconnect.Remote.C should be enough if other variants are not detected.

[Microbe 6]

Thank you Marcos, 

Thank you for recommendation, sure we will collect the logs using ESET Log Collector and we will provide it to you.

 

Thanks, 

Gil

[Microbe 6]

Hi Marcos, 

 

We already collected the logs from of affected machine, see the attached file for your reference.

 

 

Thank you!

 

 

Cheers,

Microbe

AFFECTED DEVICE_SCREENCONNECT.zip

[itman 1,748]

FYI. I would be very careful in regards to overriding Eset detections in regards to ScreenConnect: https://forum.eset.com/topic/41729-screenconnect/?do=findComment&comment=187104 .

[Marcos 5,274]

As for the exclusions, the performance exclusion is wrong. Instead of the path to a file it contains the detection name. Remove it:

 

Files with the following hashes were detected:

0021EE9DA5C4D2A69850593ED0FAB773FBDA6AB8
AEB6ACDBDE76612B00F69DF586257E98B51097C5
F96F8CD602FDAF740C58FE70189412684BA4FD46
F8A7ED9826D13C83F3DDCB119714C9FA63FEB04C
6B2C27560050C0CA43C5BDE5EA53CB9CF6F65EA6

However, only these hash-based detection exclusions exist:

The file with hash F8A7ED9826D13C83F3DDCB119714C9FA63FEB04C was last detected on June 19 most likely before the hash was excluded.

Creating a detection exclusion with just the detection name like this should make the app undetected:

[Microbe 6]

Hi Marcos,

Thank you for your response and updates, we will follow your recommendation and inform you how we go.

 

Thank you !

 

Cheers, 

Microbe

[Microbe 6]

Problem has been resolved you can now closed this case