Microbe, posted July 8

Hi ESET Team,

I would like to ask how to resolve this case.

Actions that we have taken:

1. We've tried to exclude the application from the detection engine, but it didn't work, since ScreenConnect automatically changes the hash once you download it.
2. We've tried to make an exclusion from the submitted file using ESET PROTECT and to restore and exclude from quarantine, but the hash automatically changes once our client downloads the app.
3. We also tried to disable SSL, but it didn't make any difference.
4. We disabled "Potentially unsafe applications" and it worked. We tried some exclusions from the console, but they didn't work.

Again, the hash changes once you download it.

Marcos (Administrators), posted July 9

You should create a detection exclusion based on the detection name instead of the hash of the file.

Microbe (Author), posted July 9

Hi Marcos,

We already tried that, but when we are trying that rule the DETECTION NAME is different:

Screenconnect.remote.A
Screenconnect.remote.C
etc.

And we tried the above actions; the problem still exists.

Marcos (Administrators), posted July 10

You can create detection exclusions for both Screenconnect.Remote.A and Screenconnect.Remote.C if you don't want these detections to be reported / blocked.

Microbe (Author), posted July 11

Hi Marcos,

We've made a lot of exclusions, but ScreenConnect needs to be downloaded whenever the client needs support. Once they open this site, https://happen.screenconnect.com/, the end user will receive an email about the code, then the code should be entered in ScreenConnect, and it will then give them the ScreenConnect installer so that the technician will be able to connect to the machine.

We made a lot of exclusions but it didn't work. However, I'm just checking the ESET Online Help about potentially unsafe applications:

Source: https://help.eset.com/glossary/en-US/unwanted_application.html#:~:text=A Potentially Unsafe Application is,unwanted app outweigh the risks.

I just want to make sure: is it possible to turn off the PUA?

Marcos (Administrators), posted July 11

Potentially unwanted applications are different than potentially unsafe applications, which ScreenConnect is. It's recommended to keep detection of potentially unsafe applications turned on and create detection exclusions for detected applications that you use deliberately.

Please provide logs collected with ESET Log Collector, as you shouldn't need to create many exclusions, and two for Screenconnect.Remote.A and Screenconnect.Remote.C should be enough if other variants are not detected.

Microbe (Author), posted July 14

Thank you Marcos,

Thank you for the recommendation. Sure, we will collect the logs using ESET Log Collector and we will provide them to you.

Thanks,
Gil

Microbe (Author), posted July 17

Hi Marcos,

We already collected the logs from the affected machine; see the attached file for your reference.

Thank you!

Cheers,
Microbe

Attachment: AFFECTED DEVICE_SCREENCONNECT.zip

itman, posted July 17

FYI. I would be very careful in regards to overriding Eset detections in regards to ScreenConnect: https://forum.eset.com/topic/41729-screenconnect/?do=findComment&comment=187104

Marcos (Administrators), posted July 17, marked as Solution

As for the exclusions, the performance exclusion is wrong. Instead of the path to a file it contains the detection name. Remove it:

Files with the following hashes were detected:

0021EE9DA5C4D2A69850593ED0FAB773FBDA6AB8
AEB6ACDBDE76612B00F69DF586257E98B51097C5
F96F8CD602FDAF740C58FE70189412684BA4FD46
F8A7ED9826D13C83F3DDCB119714C9FA63FEB04C
6B2C27560050C0CA43C5BDE5EA53CB9CF6F65EA6

However, only these hash-based detection exclusions exist:

The file with hash F8A7ED9826D13C83F3DDCB119714C9FA63FEB04C was last detected on June 19 most likely before the hash was excluded.

Creating a detection exclusion with just the detection name like this should make the app undetected:

Microbe (Author), posted July 17

Hi Marcos,

Thank you for your response and updates. We will follow your recommendation and inform you how we go.

Thank you!

Cheers,
Microbe

Microbe (Author), posted July 22

Problem has been resolved; you can now close this case.

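Added illustration, not part of the thread and not ESET code: a small Python model of why the hash-based exclusions kept missing freshly downloaded installers while the two detection-name exclusions cover them. The record format, the placeholder hashes, the `Constructed.Other.X` name and the matching rule are assumptions made for the example; the product's own exclusion matching may differ.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Detection:
    sha1: str   # hash of the detected file
    name: str   # detection name reported for it

@dataclass(frozen=True)
class Exclusion:
    # Simplified model (assumption): a rule matches when every field it sets
    # equals the detection's field; a rule with no field set matches nothing.
    sha1: Optional[str] = None
    name: Optional[str] = None

    def matches(self, d: Detection) -> bool:
        if self.sha1 is None and self.name is None:
            return False
        if self.sha1 is not None and self.sha1.lower() != d.sha1.lower():
            return False
        return self.name is None or self.name == d.name

def audit(detections, exclusions):
    """Return (detections no rule covers, rules that matched nothing)."""
    uncovered = [d for d in detections if not any(e.matches(d) for e in exclusions)]
    stale = [e for e in exclusions if not any(e.matches(d) for d in detections)]
    return uncovered, stale

# Constructed sample data: placeholder hashes, one per fresh installer download.
H_OLD, H1, H2, H3, H4 = (f"{i:02x}" * 20 for i in range(1, 6))
DETECTIONS = [
    Detection(H1, "Screenconnect.Remote.A"),
    Detection(H2, "Screenconnect.Remote.A"),  # same app, new download, new hash
    Detection(H3, "Screenconnect.Remote.C"),
    Detection(H4, "Constructed.Other.X"),     # unrelated tool, made-up name
]
HASH_RULES = [Exclusion(sha1=H_OLD), Exclusion(sha1=H1)]
NAME_RULES = [Exclusion(name="Screenconnect.Remote.A"),
              Exclusion(name="Screenconnect.Remote.C")]

if __name__ == "__main__":
    for label, rules in (("hash rules", HASH_RULES), ("name rules", NAME_RULES)):
        uncovered, stale = audit(DETECTIONS, rules)
        print(label, "| still detected:", [d.name for d in uncovered],
              "| stale rules:", len(stale))
```

In this model the unrelated fourth detection is still reported under the name rules, which is what separates two named exclusions from switching the whole detection category off.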