Add improvements to .exe files in the C:\Program Files (x86)\ScreenConnect\Bin and C:\SystemTemp\ScreenConnect\XX.XX.XX.XXXX folders to prevent antivirus false positives.

Status: Pending Review

Antivirus solutions like SentinelOne and Defender are creating alerts/quarantines for randomized .EXE files in the C:\SystemTemp\ScreenConnect\25.4.25.9313 folder after upgrade and certificate setup. The ScreenConnect.ClientSetup.exe and ScreenConnect.Client.exe files in the C:\Program Files (x86)\ScreenConnect\Bin folder are also affected and are not signed by ConnectWise or by our own configured code signing certificate.

fineware sistemi

Same problem with SentinelOne

nathan levandowski

Same issue with CrowdStrike seeing randomly generated EXE names:

C:\Windows\SystemTemp\ScreenConnect\25.5.3.9371\GR4LipPSs0qK.exe

Brendon W

We use Sentinel and are experiencing the same problem.

Juergen Meier

Workaround for Microsoft Defender: Issue this PowerShell script (e.g. using the Command Toolbox extension) to add Defender AV exclusions for the ScreenConnect server:

# Folders that hold the ScreenConnect server binaries and the per-version client build output
$Exclusions=@("C:\Windows\SystemTemp\ScreenConnect\", "C:\Program Files (x86)\ScreenConnect\")
# Apply them as Defender path exclusions
Set-MpPreference -ExclusionPath $Exclusions

Use the PowerShell command "(Get-MpPreference).ExclusionPath" to verify the exclusions. Works on all Windows machines with Defender (10, 11, and Server 2019, 2022, 2025).
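An added example (not part of the thread or of ConnectWise's own tooling) that complements the workaround above: before or after applying the exclusions, it reports the Authenticode signature state and SHA-256 hash of every .exe under the two ScreenConnect folders, and checks whether the current Defender exclusion list already covers them. The folder paths are the ones named in this thread; the function names are my own and the version subfolder is assumed to vary per install.

```powershell
# Added example: audit ScreenConnect binaries and Defender exclusions (not from the thread).
# Paths are the two folders discussed in the thread; the version subfolder under SystemTemp
# is discovered with -Recurse rather than hard-coded, since it changes on every upgrade.

$ScreenConnectPaths = @(
    "C:\Program Files (x86)\ScreenConnect\Bin",
    "C:\Windows\SystemTemp\ScreenConnect"        # version subfolders (e.g. 25.x.x.xxxx) live under here
)

# 1. Report the Authenticode signature state of every .exe under the ScreenConnect folders.
#    Status 'Valid' means a trusted chain; 'NotSigned' matches what the original post describes.
#    The SHA-256 hash is what most AV vendors ask for in a false-positive report.
function Get-ScreenConnectSignatureReport {
    param([string[]]$Paths = $ScreenConnectPaths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -Path $p)) { continue }
        Get-ChildItem -Path $p -Filter *.exe -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File   = $_.FullName
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
                SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

# 2. Check whether the Defender exclusion list already covers each ScreenConnect folder.
#    Note: Set-MpPreference -ExclusionPath replaces the whole list, while
#    Add-MpPreference -ExclusionPath appends to it, so Add- keeps any existing entries.
function Test-ScreenConnectExclusions {
    param([string[]]$Paths = $ScreenConnectPaths)
    # Drop a null entry, which is what an empty exclusion list returns
    $current = @((Get-MpPreference).ExclusionPath | Where-Object { $_ })
    foreach ($p in $Paths) {
        $wanted  = $p.TrimEnd('\')
        $covered = $current | Where-Object {
            $wanted.StartsWith($_.TrimEnd('\'), [System.StringComparison]::OrdinalIgnoreCase)
        }
        [pscustomobject]@{ Path = $p; Excluded = [bool]$covered }
    }
}

Get-ScreenConnectSignatureReport | Format-Table -AutoSize
Test-ScreenConnectExclusions    | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the ScreenConnect server. The signature report gives you the file list, signer and hashes to hand to SentinelOne, CrowdStrike or Microsoft when filing a false-positive report, which is a narrower fix than excluding whole folders; the exclusion check confirms that the paths from the workaround actually took effect (and that they did not silently replace exclusions you already had, which is why the comment recommends Add-MpPreference for appending).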

Juergen Meier

A general comment from me:

ScreenConnect is a remote control and access software. That's what it is.

Malware scanners that utilize heuristics (or, in modern terms, "AI") to determine potential malware behavior will always generate "false positives" on software like the ScreenConnect agent, BECAUSE it is remote control and access software, and that's what these anti-malware products are supposed to find.

You can and probably should use your service contracts with your AV vendor to make them cooperate with ConnectWise and fix their products to properly identify and automatically whitelist *legitimate* remote control and access software, instead of generating false positives and blocking you.

Some AV vendors already do just that; that's why this only happens to some.