Currently, the unattended installer file will work forever. However, partner would like the unattended installer file to stop working after X days so that anyone who uses an older installer won't be able to randomly add it to any machines.
One thing you could do at the moment is set up filters on your session groups to check for a specific value in one of the custom properties, and then set that custom property to that value for any installers you make going forward (and on your existing sessions).
Of course, how practical this is might depend on how many session groups you have and how often you make new installers, so it's really just a workaround, but it's a way to limit where new sessions from old installers show up and make it more difficult to use them for phishing.
We have a former customer compromised by ransomware and had our ScreenConnect client install file uploaded/exfiltrated as part of the attack. We're concerned about how that file may now be used as part of a spear-phishing attack against us, or other associated security risks now that a ransomware gang has published our SC install file on their site for the public to see, download, and utilize. An expiring installer would be helpful for this type of situation.
Hi I wanted to follow up on this thread to see if this will be in production soon. We too have this issue of old installers being used to test access to our instance. Driving my InfoSec team crazy! Thanks
You must be new to Screenconnect....till security flaws hit at least 10 years old they stay on the TODO list.
2 years to go...
Hi I wanted to follow up on this thread to see if this will be in production soon. We too have this issue of old installers being used to test access to our instance. Driving my InfoSec team crazy! Thanks
Windows defender has started more agressive, and persistent .exe downloading of files of all ages and running them in AV VM sandboxes for amalysis.
It's now at a level of 20-40/week of fake agents and rising.
Please raise this in the consideration list. I'm also going to do some work to see if there are other risks from this asymmetrickey embedded in the .exe and msi installers.
If I had bad intentions, I'd extract this key, and create a script that would start generating agents. I wonder what would happen to Screenconnect with say, 2 million dummy agents (I bet it'll fall over well before that). Sounds like quite an effective way of killing every screenconnect server on the planet because there are no protections at this time.
Seeing repeated installers WITHOUT MY CONSENT is a security issue. This is a good idea to begin rectification. I would also like an option to request a code to run the physical EXE///MSI installer. That way virtual play labs and hackers can't consistently get as much success as they are currently. They told me it was a Antivirus that sent the file for a scan, which could happen. But in my case, the client that came back repeated, no longer existed, nor did the computer from which it originally was on. SOMEWHERE a hacker had old data. The expiration then in deed would help!
A bit late on my response, but the good news at least is that there is no way for the Guest client to gain access to the protected data of the server - so even with the agents popping up into the list, your data is safe. The Guest checks in and allows you access to that machine, but it's one way only. I definitely see how this situation could be an inconvenience and annoyance though!
Seeing repeated installers WITHOUT MY CONSENT is a security issue. This is a good idea to begin rectification. I would also like an option to request a code to run the physical EXE///MSI installer. That way virtual play labs and hackers can't consistently get as much success as they are currently. They told me it was a Antivirus that sent the file for a scan, which could happen. But in my case, the client that came back repeated, no longer existed, nor did the computer from which it originally was on. SOMEWHERE a hacker had old data. The expiration then in deed would help!
It would also be nice to be notified when a new session is created along with the originating public IP address.
Please add to to the list. I'm having some funny connections showing up:
Not sure if I should be worried, I'm told not to, but then others say I might have to.
Random machines show up in our instance.
This may be due to a published installer for my instance.
Want the ability to delete or disable previous installers.