    ScreenConnect/Connectwise control client exe (marked as malicious)

    • Ambarishrh @scottalanmiller

      @scottalanmiller said in ScreenConnect/Connectwise control client exe (marked as malicious):

      PUP doesn't mean malicious. Lots of remote access software gets marked as PUP. PUP is really an essentially meaningless category.

      Agreed, we've been using screenconnect for almost 2 years now, never had the AV marking this as PUP/malicious. The support agent session and the reports from virus total/hybrid-analysis are making me think twice about the client upgrade on machines.

        • dbeato @Ambarishrh

        @Ambarishrh said in ScreenConnect/Connectwise control client exe (marked as malicious):

        @scottalanmiller said in ScreenConnect/Connectwise control client exe (marked as malicious):

        PUP doesn't mean malicious. Lots of remote access software gets marked as PUP. PUP is really an essentially meaningless category.

        Agreed, we've been using screenconnect for almost 2 years now, never had the AV marking this as PUP/malicious. The support agent session and the reports from virus total/hybrid-analysis are making me think twice about the client upgrade on machines.

        It is probably a false positive, there have been some reported ransomware because of ConnectWise integration with Kaseya and Kaseya being the culprit. So Connectwise is not the issue.

          • JaredBusch @dbeato

          @dbeato said in ScreenConnect/Connectwise control client exe (marked as malicious):

          It is probably a false positive, there have been some reported ransomware because of ConnectWise integration with Kaseya and Kaseya being the culprit. So Connectwise is not the issue.

          ConnectWise had issues in the past also.

            • dbeato @JaredBusch

            @JaredBusch said in ScreenConnect/Connectwise control client exe (marked as malicious):

            @dbeato said in ScreenConnect/Connectwise control client exe (marked as malicious):

            It is probably a false positive, there have been some reported ransomware because of ConnectWise integration with Kaseya and Kaseya being the culprit. So Connectwise is not the issue.

            ConnectWise had issues in the past also.

            Ah gotcha... I didn't know that part.

              • scottalanmiller @Ambarishrh

              @Ambarishrh said in ScreenConnect/Connectwise control client exe (marked as malicious):

              @scottalanmiller said in ScreenConnect/Connectwise control client exe (marked as malicious):

              PUP doesn't mean malicious. Lots of remote access software gets marked as PUP. PUP is really an essentially meaningless category.

              Agreed, we've been using screenconnect for almost 2 years now, never had the AV marking this as PUP/malicious. The support agent session and the reports from virus total/hybrid-analysis are making me think twice about the client upgrade on machines.

              Should more make you question your AV, not ScreenConnect. That you know what SC is, there's zero reason for concern. PUP for known software is meaningless. However, the real reaction should be "why is my AV flagging something so well known and obvious?" This means that your AV is crying wolf on something really simple to have avoided.

                • wrx7m

                Been running 19.x for a week and a half (maybe longer) and have not had any issues with Webroot.

                  • Ambarishrh @scottalanmiller

                  @scottalanmiller said in ScreenConnect/Connectwise control client exe (marked as malicious):

                  @Ambarishrh said in ScreenConnect/Connectwise control client exe (marked as malicious):

                  @scottalanmiller said in ScreenConnect/Connectwise control client exe (marked as malicious):

                  PUP doesn't mean malicious. Lots of remote access software gets marked as PUP. PUP is really an essentially meaningless category.

                  Agreed, we've been using screenconnect for almost 2 years now, never had the AV marking this as PUP/malicious. The support agent session and the reports from virus total/hybrid-analysis are making me think twice about the client upgrade on machines.

                  Should more make you question your AV, not ScreenConnect. That you know what SC is, there's zero reason for concern. PUP for known software is meaningless. However, the real reaction should be "why is my AV flagging something so well known and obvious?" This means that your AV is crying wolf on something really simple to have avoided.

                  If it was just my AV I would just add exclusion and move forward, but as I mentioned, the combined result of virustotal, hybrid-analysis and response from connectwise support makes me nervous. I've contacted connectwise support again to see if they can provide some valid reasons or confirmation.

                    • scottalanmiller @Ambarishrh

                    @Ambarishrh said in ScreenConnect/Connectwise control client exe (marked as malicious):

                    virustotal, hybrid-analysis

                    Never heard of these. But that they classify as PUP, that's a meaningless category that no matter how many things classify as never should amount to concern. If you feel concern that they listed as PUP, then you are misunderstanding the purpose of the tools using that classification. PUP is for things of no real concern, if it was a different category and you trusted the tools then you could justify concern. But PUP should never cause concern because if you trust the tools, PUP is their designation for not being concerned and if you don't trust the tools then nothing that they say should cause concern.

                      • scottalanmiller @Ambarishrh

                      @Ambarishrh said in ScreenConnect/Connectwise control client exe (marked as malicious):

                      I've contacted connectwise support again to see if they can provide some valid reasons or confirmation.

                      This doesn't make sense. You are contacting the wrong party. ConnectWise has nothing to do with the situation here. And asking why someone else calls you PUP doesn't really mean anything, what would the question even be?

                        • dbeato @scottalanmiller

                        @scottalanmiller said in ScreenConnect/Connectwise control client exe (marked as malicious):

                        @Ambarishrh said in ScreenConnect/Connectwise control client exe (marked as malicious):

                        virustotal, hybrid-analysis

                        Never heard of these. But that they classify as PUP, that's a meaningless category that no matter how many things classify as never should amount to concern. If you feel concern that they listed as PUP, then you are misunderstanding the purpose of the tools using that classification. PUP is for things of no real concern, if it was a different category and you trusted the tools then you could justify concern. But PUP should never cause concern because if you trust the tools, PUP is their designation for not being concerned and if you don't trust the tools then nothing that they say should cause concern.

                        You haven't heard of VirusTotal?
                        2019-04-22_2230.png

                          • scottalanmiller @Ambarishrh

                          @Ambarishrh said in ScreenConnect/Connectwise control client exe (marked as malicious):

                          I had a chat with Connectwise support and the agent mentioned that we have to disable AV or add exclusions,

                          This cannot be cause for concern. This is correct, if you are using tools that marked them as PUP, and PUP causes you concern, then you must exclude them. Connectwise is 100% correct here. You should have zero concern based on any of the parties involved and there should be no possible questions to Connectwise, your question should be to your AV companies as to why they would mark Connectwise as PUP when it is obviously inappropriate to do so.

                            • scottalanmiller @dbeato

                            @dbeato no, just an online file by file virus scanner?

                              • scottalanmiller

                              PUP is an indicator for software that could be bad, but isn't. ALL remote access and monitoring can be used for malicious purposes. So it is often marked as PUP. Even if every tool ever made marked something as PUP, this would never give reason for concern unless you hadn't meant to install a remote access tool. But you did, you knowingly installed ConnectWise, so you should be expecting PUP warnings from time to time if you don't exclude it, just like all tools will do sometimes. Since you know that you installed it intentionally, you know that the PUP warning does not apply to you.

                                • Ambarishrh @scottalanmiller

                                @scottalanmiller said in ScreenConnect/Connectwise control client exe (marked as malicious):

                                PUP is an indicator for software that could be bad, but isn't. ALL remote access and monitoring can be used for malicious purposes. So it is often marked as PUP. Even if every tool ever made marked something as PUP, this would never give reason for concern unless you hadn't meant to install a remote access tool. But you did, you knowingly installed ConnectWise, so you should be expecting PUP warnings from time to time if you don't exclude it, just like all tools will do sometimes. Since you know that you installed it intentionally, you know that the PUP warning does not apply to you.

                                We do get PUP alerts on our environment and most of them are ignored. In this case if you look at the results I shared, PUP is on just my AV, some others show as Trojan.

                                  • dbeato @scottalanmiller

                                  @scottalanmiller said in ScreenConnect/Connectwise control client exe (marked as malicious):

                                  @dbeato no, just an online file by file virus scanner?

                                  No, (although it should be for another thread) it gives you information about the file, file hash, or URL in question. Example below is the Itarian Remote Control application Executable:
                                  2019-04-23_0039.png

                                  It compares the hash of the file to multiple AV and Technology companies to see if the hash has been flagged as malicious or not or if it is questionable.

                                    • JaredBusch @dbeato

                                    @dbeato said in ScreenConnect/Connectwise control client exe (marked as malicious):

                                    @scottalanmiller said in ScreenConnect/Connectwise control client exe (marked as malicious):

                                    @dbeato no, just an online file by file virus scanner?

                                    No, (although it should be for another thread) it gives you information about the file, file hash, or URL in question. Example below is the Itarian Remote Control application Executable:
                                    2019-04-23_0039.png

                                    It compares the hash of the file to multiple AV and Technology companies to see if the hash has been flagged as malicious or not or if it is questionable.

                                    How is that useful? The executable is rebuilt on every install for every group that it auto links to. That makes a hash useless.

                                      • scottalanmiller @Ambarishrh

                                      @Ambarishrh said in ScreenConnect/Connectwise control client exe (marked as malicious):

                                      We do get PUP alerts on our environment and most of them are ignored. In this case if you look at the results I shared, PUP is on just my AV, some others show as Trojan.

                                      Then I'd be really wary of those. The problem is, what is a Trojan to one person is remote management to another. It's like a terrorist.... everyone's army is someone else's terrorist. It's all perspective.

                                        • scottalanmiller @JaredBusch

                                        @JaredBusch said in ScreenConnect/Connectwise control client exe (marked as malicious):

                                        How is that useful? The executable is rebuilt on every install for every group that it auto links to. That makes a hash useless.

                                        That's what I was expecting. If you deploy early, you get a new hash that no one has seen yet.

                                          • JaredBusch @scottalanmiller

                                          @scottalanmiller said in ScreenConnect/Connectwise control client exe (marked as malicious):

                                          @JaredBusch said in ScreenConnect/Connectwise control client exe (marked as malicious):

                                          How is that useful? The executable is rebuilt on every install for every group that it auto links to. That makes a hash useless.

                                          That's what I was expecting. If you deploy early, you get a new hash that no one has seen yet.

                                          You misunderstand. Every install will have a unique hash because the executable is BUILT by the system on the fly.

                                            • scottalanmiller @JaredBusch

                                            @JaredBusch said in ScreenConnect/Connectwise control client exe (marked as malicious):

                                            @scottalanmiller said in ScreenConnect/Connectwise control client exe (marked as malicious):

                                            @JaredBusch said in ScreenConnect/Connectwise control client exe (marked as malicious):

                                            How is that useful? The executable is rebuilt on every install for every group that it auto links to. That makes a hash useless.

                                            That's what I was expecting. If you deploy early, you get a new hash that no one has seen yet.

                                            You misunderstand. Every install will have a unique hash because the executable is BUILT by the system on the fly.

                                            Oh, right, duh. That too. That's way bigger as it is ONLY you ever submitting them.
