ScreenConnect/Connectwise control client exe (marked as malicious)

Ambarishrh

I just upgraded my ConnectWise Control to the latest version this morning (19.0.23234.7027) and as usual tried to upgrade my client to the latest version. Our AV caught this exe and marked as PUP

On such cases, I generally add an exclusion, but just wanted to double check before I add the exclusions and did scan on virus total & hybrid-analysis with the following results:

Virus total

Hybrid-Analysis

I had a chat with Connectwise support and the agent mentioned that we have to disable AV or add exclusions, then I shared the above links and the next thing I could see is my next chats that had hybrid-analysis link and other messages has gone, giving me a message that I've been inactive for 5 minutes and session ended!

Anyone else got an alert from AV?

scottalanmiller

PUP doesn't mean malicious. Lots of remote access software gets marked as PUP. PUP is really an essentially meaningless category.

Ambarishrh

@scottalanmiller said in ScreenConnect/Connectwise control client exe (marked as malicious):

PUP doesn't mean malicious. Lots of remote access software gets marked as PUP. PUP is really an essentially meaningless category.

Agreed, we've been using screenconnect for almost 2 years now, never had the AV marking this as PUP/malicious. The support agent session and the reports from virus total/hybrid-analysis making me think twice about the client upgrade on machines

dbeato

@Ambarishrh said in ScreenConnect/Connectwise control client exe (marked as malicious):

@scottalanmiller said in ScreenConnect/Connectwise control client exe (marked as malicious):

PUP doesn't mean malicious. Lots of remote access software gets marked as PUP. PUP is really an essentially meaningless category.

Agreed, we've been using screenconnect for almost 2 years now, never had the AV marking this as PUP/malicious. The support agent session and the reports from virus total/hybrid-analysis making me think twice about the client upgrade on machines

It is probably a false positive, there have been some reported ransomware because of ConnectWise integration with Kaseya and Kaseya being the culprit. So Connectwise is not the isasue.

JaredBusch

@dbeato said in ScreenConnect/Connectwise control client exe (marked as malicious):

It is probably a false positive, there have been some reported ransomware because of ConnectWise integration with Kaseya and Kaseya being the culprit. So Connectwise is not the isasue.

ConnectWise had issues in the past also.

dbeato

@JaredBusch said in ScreenConnect/Connectwise control client exe (marked as malicious):

@dbeato said in ScreenConnect/Connectwise control client exe (marked as malicious):

It is probably a false positive, there have been some reported ransomware because of ConnectWise integration with Kaseya and Kaseya being the culprit. So Connectwise is not the isasue.

ConnectWise had issues in the past also.

Ah gotcha... I didn't know that part.

scottalanmiller

@Ambarishrh said in ScreenConnect/Connectwise control client exe (marked as malicious):

@scottalanmiller said in ScreenConnect/Connectwise control client exe (marked as malicious):

PUP doesn't mean malicious. Lots of remote access software gets marked as PUP. PUP is really an essentially meaningless category.

Agreed, we've been using screenconnect for almost 2 years now, never had the AV marking this as PUP/malicious. The support agent session and the reports from virus total/hybrid-analysis making me think twice about the client upgrade on machines

Should more make you question your AV, not ScreenConnect. That you know what SC is, there's zero reason for concern. PUP for known software is meaningless. However, the real reaction should be "why is my AV flagging something so well known and obvious?" This means that your AV is crying wolf on something really simple to have avoided.

wrx7m

Been running 19.x for a week and a half (maybe longer) and have not had any issues with Webroot.

Ambarishrh

@scottalanmiller said in ScreenConnect/Connectwise control client exe (marked as malicious):

@Ambarishrh said in ScreenConnect/Connectwise control client exe (marked as malicious):

@scottalanmiller said in ScreenConnect/Connectwise control client exe (marked as malicious):

PUP doesn't mean malicious. Lots of remote access software gets marked as PUP. PUP is really an essentially meaningless category.

Agreed, we've been using screenconnect for almost 2 years now, never had the AV marking this as PUP/malicious. The support agent session and the reports from virus total/hybrid-analysis making me think twice about the client upgrade on machines

Should more make you question your AV, not ScreenConnect. That you know what SC is, there's zero reason for concern. PUP for known software is meaningless. However, the real reaction should be "why is my AV flagging something so well known and obvious?" This means that your AV is crying wolf on something really simple to have avoided.

If it was just my AV I would just add exclusion and move forward, but as I mentioned, the combined result of virustotal, hybrid-analysis and response from connectwise support makes me nervous. I've contacted connectwise support again to see of they can provide some valid reasons or confirmation.

scottalanmiller

@Ambarishrh said in ScreenConnect/Connectwise control client exe (marked as malicious):

virustotal, hybrid-analysis

Never heard of these. But that they classify as PUP, that's a meaningless category that no matter how many things classify as never should amount to concern. If you feel concern that they listed as PUP, then you are misunderstanding the purpose of the tools using that classification. PUP is for things of no real concern, if it was a different category and you trusted the tools then you could justify concern. But PUP should never cause concern because if you trust the tools, PUP is their designation for not being concerned and if you don't trust the tools them nothing that they say should cause concern.

scottalanmiller

@Ambarishrh said in ScreenConnect/Connectwise control client exe (marked as malicious):

I've contacted connectwise support again to see of they can provide some valid reasons or confirmation.

This doesn't make sense. You are contacting the wrong party. ConnectWise has nothing to do with the situation here. And asking why someone else calls you PUP doesn't really mean anything, what would the question even be?

dbeato

@scottalanmiller said in ScreenConnect/Connectwise control client exe (marked as malicious):

@Ambarishrh said in ScreenConnect/Connectwise control client exe (marked as malicious):

virustotal, hybrid-analysis

Never heard of these. But that they classify as PUP, that's a meaningless category that no matter how many things classify as never should amount to concern. If you feel concern that they listed as PUP, then you are misunderstanding the purpose of the tools using that classification. PUP is for things of no real concern, if it was a different category and you trusted the tools then you could justify concern. But PUP should never cause concern because if you trust the tools, PUP is their designation for not being concerned and if you don't trust the tools them nothing that they say should cause concern.

You haven't heard of VirusTotal?

scottalanmiller

@Ambarishrh said in ScreenConnect/Connectwise control client exe (marked as malicious):

I had a chat with Connectwise support and the agent mentioned that we have to disable AV or add exclusions,

This cannot be cause for concern. This is correct, if you are using tools that marked them as PUP, and PUP causes you concern, then you must exclude them. Connectwise is 100% correct here. You should have zero concern based on any of the parties involved and there should be no possible questions to Connectwise, your question should be to your AV companies as to why they would make Connectwise as PUP when it is obviously inappropriate to do so.

scottalanmiller

@dbeato no, just an online file by file virus scanner?

scottalanmiller

PUP is an indicator for software that could be bad, but isn't. ALL remote access and monitoring can be used for malicious purposes. So it is often marked as PUP. Even if every tool ever made marked something as PUP, this would never give reason for concern unless you hadn't meant to install a remote access too. But you did, you knowingly installed ConnectWise, so you should be expecting PUP warnings from to time if you don't exclude it, just like all tools will do sometimes. Since you know that you installed it intentionally, you know that the PUP warning does not apply to you.

Ambarishrh

@scottalanmiller said in ScreenConnect/Connectwise control client exe (marked as malicious):

PUP is an indicator for software that could be bad, but isn't. ALL remote access and monitoring can be used for malicious purposes. So it is often marked as PUP. Even if every tool ever made marked something as PUP, this would never give reason for concern unless you hadn't meant to install a remote access too. But you did, you knowingly installed ConnectWise, so you should be expecting PUP warnings from to time if you don't exclude it, just like all tools will do sometimes. Since you know that you installed it intentionally, you know that the PUP warning does not apply to you.

We do get PUP alerts on our environment and most of them are ignored. In this case if you look at the results I shared, PUP is on just my AV, some others shows as Trojan

dbeato

@scottalanmiller said in ScreenConnect/Connectwise control client exe (marked as malicious):

@dbeato no, just an online file by file virus scanner?

No, (although it should be for another thread) it gives you information about the file, file hash. or URL in question. Example below is the Itarian Remote Control application Executable:

It compares the has of the file to multiple AV and Technology companies to see if the hash has been flagged as malicious or not or if it is questionable.

JaredBusch

@dbeato said in ScreenConnect/Connectwise control client exe (marked as malicious):

@scottalanmiller said in ScreenConnect/Connectwise control client exe (marked as malicious):

@dbeato no, just an online file by file virus scanner?

No, (although it should be for another thread) it gives you information about the file, file hash. or URL in question. Example below is the Itarian Remote Control application Executable:

It compares the has of the file to multiple AV and Technology companies to see if the hash has been flagged as malicious or not or if it is questionable.

How is that useful? The executable is rebuilt on every install for every group that it auto links to. that makes a hash useless.

scottalanmiller

@Ambarishrh said in ScreenConnect/Connectwise control client exe (marked as malicious):

We do get PUP alerts on our environment and most of them are ignored. In this case if you look at the results I shared, PUP is on just my AV, some others shows as Trojan

Then I'd be really wary of those. The problem is, what is a Trojan to one person is remote management to another. It's like a terrorist.... everyone's army is someone else's terrorist. It's all perspective.

scottalanmiller

@JaredBusch said in ScreenConnect/Connectwise control client exe (marked as malicious):

How is that useful? The executable is rebuilt on every install for every group that it auto links to. that makes a hash useless.

that's what I was expecting. If you deploy early, you get a new hash that no one has seen yet.