Screenconnect installer flagged by SentinelOne


The newest patch wouldn't even install because SentinelOne flagged it as malware. Good job Connectwise, you're driving customers away with remarkable speed.

john van laecke

We are experiencing the same thing on 20+ machines. Flags say leonem malware.

Logged a ticket and no response yet.

stephan

Same here. That's a real deal breaker.

Doug Terborg

We have managed to make exceptions in SentinelOne yesterday, however Windows Defender is now flagging ScreenConnect client files today, meaning it's likely that the installer could flag on client systems.

This is just as big a concern for us because we cannot easily make temporary exclusions and the pop-up messages that occur from Windows Defender will cause a client scare we do not wish to deal with. We have resolved this issue for now with our ScreenConnect server, but jumping from one crisis to another is getting old quickly.

mike duphily

Still seeing the installer being flagged this morning. Our ScreenConnect.ClientSetup.exe was removed by Defender and I'm wary of repairing it since our Access clients are still working on the old version, and the new version install may fail. Hopefully they can get this resolved with the AV vendors soon.

Doug Terborg
Quote from mike duphily

Still seeing the installer being flagged this morning. Our ScreenConnect.ClientSetup.exe was removed by Defender and I'm wary of repairing it since our Access clients are still working on the old version, and the new version install may fail. Hopefully they can get this resolved with the AV vendors soon.

Make a path exception for Defender for the following:

C:\Program Files (x86)\ScreenConnect\Bin

C:\Windows\SystemTemp\ScreenConnect (this is where the randomized .EXE files get placed during a deployment).

Then unquarantine the files from Defender. If you have any other endpoint protection products, either make an exclusion by file hash or the above folders, specifically on your on-prem ScreenConnect server.

This is important because the ScreenConnect.ClientSetup.exe is not signed by your code signing certificate until time of deployment from what I've found at least (at rest, this file is unsigned).

Once that's done, it should resolve the issue. Hope this helps. (Note: I am not associated with Connectwise in any way, these are just my own findings).

So far, I have not had an issue with deployment once this has occurred.
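The steps in the post above (Defender path exclusions on the on-prem server, restoring the quarantined files, hash-based exclusions for other endpoint products, and the observation that ScreenConnect.ClientSetup.exe is unsigned at rest), gathered into one script as an added example. This is not code from the thread or from ConnectWise. It assumes the two folder paths named in the post and the default location of ScreenConnect.ClientSetup.exe under Bin; it uses only built-in Defender cmdlets plus MpCmdRun.exe for the quarantine restore, and must run in an elevated PowerShell session on the ScreenConnect server.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread or ConnectWise): applies the Defender
# exclusions described in the post on an on-prem ScreenConnect server, restores
# quarantined ScreenConnect files, records hashes for other EDR exclusions and
# reports the Authenticode state of ScreenConnect.ClientSetup.exe.
# Paths are the ones named in the post; adjust if your install differs (assumption).

$ExclusionPaths = @(
    'C:\Program Files (x86)\ScreenConnect\Bin',
    'C:\Windows\SystemTemp\ScreenConnect'
)
$ClientSetup = 'C:\Program Files (x86)\ScreenConnect\Bin\ScreenConnect.ClientSetup.exe'
$MpCmdRun    = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

function Add-ScreenConnectDefenderExclusions {
    # Add each folder exclusion only if it is not already present, then verify.
    $current = (Get-MpPreference).ExclusionPath
    foreach ($p in $ExclusionPaths) {
        if ($current -notcontains $p) {
            Add-MpPreference -ExclusionPath $p
            Write-Host "Added exclusion: $p"
        } else {
            Write-Host "Exclusion already present: $p"
        }
    }
    # Return what Defender now reports so the operator can confirm it took.
    (Get-MpPreference).ExclusionPath | Where-Object { $ExclusionPaths -contains $_ }
}

function Restore-QuarantinedScreenConnectFiles {
    # Show what Defender detected under the ScreenConnect folders ...
    Get-MpThreatDetection |
        Where-Object { $_.Resources -match 'ScreenConnect' } |
        Select-Object InitialDetectionTime, ThreatID, Resources |
        Format-Table -AutoSize
    # ... then list the quarantine and restore ClientSetup.exe by path.
    # The Defender PowerShell module has no restore cmdlet; MpCmdRun.exe does this.
    & $MpCmdRun -Restore -ListAll
    & $MpCmdRun -Restore -FilePath $ClientSetup
}

function Get-ScreenConnectFileHashes {
    # SHA-256 of every executable under Bin, for hash-based exclusions in other
    # endpoint products that do not take folder exclusions.
    Get-ChildItem -Path $ExclusionPaths[0] -Filter '*.exe' -File |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path
}

function Test-ScreenConnectSignature {
    param([string]$Path = $ClientSetup)
    # Per the post, NotSigned is expected for the at-rest ClientSetup.exe on the
    # server; an installer generated for deployment should report Valid with your
    # code-signing certificate as the signer. Run this against a downloaded
    # installer to check that before trusting it to pass AV on client networks.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    }
}

Add-ScreenConnectDefenderExclusions
Restore-QuarantinedScreenConnectFiles
Get-ScreenConnectFileHashes
Test-ScreenConnectSignature
```

Folder exclusions are a blunt instrument: anything dropped into C:\Windows\SystemTemp\ScreenConnect is exempt from scanning, so keep the exclusion to the on-prem server only and prefer the hash list from Get-ScreenConnectFileHashes where your other tooling supports it.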

mike duphily
Quote from Doug Terborg

Make a path exception for Defender for the following:

C:\Program Files (x86)\ScreenConnect\Bin

C:\Windows\SystemTemp\ScreenConnect (this is where the randomized .EXE files get placed during a deployment).

Then unquarantine the files from Defender. If you have any other endpoint protection products, either make an exclusion by file hash or the above folders, specifically on your on-prem ScreenConnect server.

This is important because the ScreenConnect.ClientSetup.exe is not signed by your code signing certificate until time of deployment from what I've found at least (at rest, this file is unsigned).

Once that's done, it should resolve the issue. Hope this helps. (Note: I am not associated with Connectwise in any way, these are just my own findings).

So far, I have not had an issue with deployment once this has occurred.

Thanks, the issue we have is that there are many Access agents installed on networks where we don't control the AV setup, and we don't have the ability to set those exceptions ourselves.

Doug Terborg
Quote from mike duphily

Thanks, the issue we have is that there are many Access agents installed on networks where we don't control the AV setup, and we don't have the ability to set those exceptions ourselves.

Mike,

As far as I know, this only needs to be done on your on-prem ScreenConnect server. Any ScreenConnect installers pushed to your agents will be signed before it goes out. I tested this myself. So far in testing, we have not had any Windows Defender alerts on the signed installers that go out to the agents.

josh martin

The fact that the updater for the server-side software was flagged as malware is more than enough of a deal breaker. We've switched over to rustdesk and had no issues with S1 or WD even when we whacked together an msi to run scripts after installing the agent.

The sad part is there were so many opportunities for them to have handled this better, but every step and every patch has just been mismanaged so poorly that even if they were to release a new patch tomorrow that put everything back the way it was a few weeks ago, the trust is gone, and it's not coming back.
