topic Re: I need to allow UltraVNC on the endpoint client in Endpoint

I need to allow UltraVNC on the endpoint client

TimLofgren — Tue, 17 Mar 2020 17:51:18 GMT

Hello all,

I have searched quite a bit on this and have not found a way to allow Ultra VNC (winvnc.exe) on the client endpoint. The anti-malware keeps detecting it as a threat and removing it. I have already added it to exception lists in anti-malware and SandBlast policies in SmartEndpoint. I am not sure why it keeps removing it as it is in like 4 exception lists. Any help would be much appreciated.

Tim

Re: I need to allow UltraVNC on the endpoint client

PhoneBoy — Tue, 17 Mar 2020 20:09:27 GMT

What version of the Endpoint client?
What precise logs are showing when it is removed?

Re: I need to allow UltraVNC on the endpoint client

TimLofgren — Wed, 18 Mar 2020 14:32:09 GMT

Thanks for the reply. I found where I needed to add it. I had it in many exception lists but apparently I needed it also in the one that does the periodic scan. Once it was added to that one, it stopped deleting it. I appreciate the efforts. It just took longer than I expected to find the right place to add it, or it needed it in multiple places. but it is now working.

Tim

Re: I need to allow UltraVNC on the endpoint client

PhoneBoy — Wed, 18 Mar 2020 16:48:12 GMT

For the folks following along, can you detail where you added it?

Re: I need to allow UltraVNC on the endpoint client

TimLofgren — Wed, 18 Mar 2020 17:08:41 GMT

the last place I added the exclusion to was on SmartEndpoint in the Policy tab. under the Anti-Malware policy. Right click the Periodically scan local-hard drives only and select edit shared action. Click on the link at the bottom that says Configure files and folders exclusions. Click add and add the folder of where the executable is stored. But I also added it to many other areas first. I am not sure if it needs all of them or not but I will also list the other locations.

SmartEndpoint--->Policy--->Anti-Malware...right click Scan all files upon access and select edit shared action. Add the folder location with the Add button under the Processes to exclude from scan. I also added the specific process just as a precaution. I assume if just the folder is there it will still work.

SmartEndpoint--->Policy--->Sandblast Agent Threat Extraction, Emulation and Anti-Exploit...right click on Inspect all domains and files and add the folder location to the Exclusions list in that window.

SmartEndpoint--->Policy--->Sandblast Agent Anti-Ransomware, Behavioral Guard and Forensics...right click on Default File Quarantine Settings and add the file location into the Items excluded from quarantine list. I added the location and process.

I hope this helps someone. It was a pain trying to find any of this information anywhere. I basically just had to keep poking around in the policy until I found the locations. But I found them one at a time and not all at once so I am assuming all need to be in place in order for it to work.

Tim