topic Re: AnyDesk - on compliant DH version in Endpoint

AnyDesk - on compliant DH version

Mitja-S3NEXT — Fri, 04 Oct 2024 06:50:40 GMT

anydesk.exe

Suspicious Events:

User Execution: Malicious File: anydesk.exe; Subvert Trust Controls: Code Signing: anydesk.exe;

Incident Details:

anydesk.exe(ecae8b9c820ce255108f6050c26c37a1);

Client verasion : 88.60.0087

Will there be (planned) global solution (is a support ticket on this case already open?, I assume that many users/customers are facing the same problem) or do we have to put exclusions on every tenant of our customers?

Re: AnyDesk - on compliant DH version

RS_Daniel — Fri, 04 Oct 2024 15:02:30 GMT

Hi,

Yes, same question here. Anydesk is blocked/deleted with E2 engine.

Re: AnyDesk - on compliant DH version

the_rock — Fri, 04 Oct 2024 18:13:14 GMT

What did TAC say?

Andy

Re: AnyDesk - on compliant DH version

PhoneBoy — Fri, 04 Oct 2024 20:04:01 GMT

This is likely a false positive that should be reported to TAC.

Re: AnyDesk - on compliant DH version

PhoneBoy — Thu, 17 Oct 2024 17:35:57 GMT

To close the loop on this, it appears that AnyDesk is now treated as a Potentially Unwanted Application.
See: https://support.checkpoint.com/results/sk/sk182752

If AnyDesk is legitimately used in your environment, you will need to crate a local exception.

Re: AnyDesk - on compliant DH version

skandshus — Tue, 22 Oct 2024 20:42:13 GMT

Yep seeing same issue here..

Re: AnyDesk - on compliant DH version

skandshus — Tue, 22 Oct 2024 20:43:19 GMT

How are we able to push this as an MSP to all tenants?

Re: AnyDesk - on compliant DH version

PhoneBoy — Tue, 22 Oct 2024 20:48:23 GMT

https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Harmony-Endpoint-Admin-Guide/Topics-HEP/MSSP-View/MSSP_Global_Exclusions.htm?TocPath=Managed%20Security%20Service%20Providers%20%20(MSSP)%7CGlobal%20Exclusions%7C_____0#Global_Exclusions

Re: AnyDesk - on compliant DH version

skandshus — Tue, 22 Oct 2024 20:50:37 GMT

apparantly i still dont have access to all tenant's "smart exclusions"
do you know how i can activate that part?

Re: AnyDesk - on compliant DH version

MikeB — Tue, 22 Oct 2024 20:52:57 GMT

And what happened to the previous categorization "Riskware" for this type of software? The Antimalware policy had the possibility of not detecting it. does this no longer apply to E2?

Re: AnyDesk - on compliant DH version

skandshus — Tue, 22 Oct 2024 21:01:20 GMT

Im honestly unsure how checkpoint expect us to whitelist this

Everytime i right click in the eventlogs to automatically add it to global exclusion it just created a exclusion with a SHA1 value..
it does this everytime(with a different value)
So that exclusion isnt worth much

Re: AnyDesk - on compliant DH version

PhoneBoy — Tue, 22 Oct 2024 21:24:27 GMT

The certificate used to sign the application should be excluded from Forensics Monitoring.

Re: AnyDesk - on compliant DH version

skandshus — Tue, 22 Oct 2024 21:26:32 GMT

The certificate used for signing?? That’s a new one for me. Is there any examples somewhere perhaps?

Re: AnyDesk - on compliant DH version

PhoneBoy — Tue, 22 Oct 2024 21:47:05 GMT

Endpoint is not my strong suit 🙂
However, it appears this is where you set it for "legacy" exclusions (specifically for Forensics > Anti-Ransomware and Behavioral Guard): https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Harmony-Endpoint-Admin-Guide/Topics-Common-for-HEP-HB/Legacy-Exclusions.htm?tocpath=Configuring%20Endpoint%20Policy%7CConfiguring%20the%20Threat%20Prevention%20Policy%7CAdding%20Exclusions%20to%20Rules%7CLegacy%20Exclusions%7C_____2#Adding_Global_Exclusions_..29

Re: AnyDesk - on compliant DH version

skandshus — Wed, 23 Oct 2024 06:46:32 GMT

Would you expect that can work?

but how do i get the certificate when app is being blocked

Re: AnyDesk - on compliant DH version

Mitja-S3NEXT — Wed, 23 Oct 2024 12:06:17 GMT

Maybe a workaround, install anydesk and make an exception to the installed path "c:\Program files\AnyDesk......".
How do you install it when it is blocked? You can temporarly disable the protection with these settings on every client.

Re: AnyDesk - on compliant DH version

skandshus — Wed, 23 Oct 2024 12:36:45 GMT

yep i can disable security features. But.. that seems really out of boundary that its should even be considered just because you wanna install some software. Check Point should have a feaseable solution to installation/whitelisting software without having to disable security feature before installing 🙂

and if i need to "re-deploy" Anydesk to computer, i cant mass disable features on all endpoint og remotely re-enable again 🙂

Re: AnyDesk - on compliant DH version

PhoneBoy — Wed, 23 Oct 2024 12:41:37 GMT

According to the internal notes of the SK documenting AnyDesk as PUA, yes.
Suggest engaging with the TAC here.

Re: AnyDesk - on compliant DH version

Mitja-S3NEXT — Wed, 23 Oct 2024 12:48:38 GMT

I totally agree with you, that was the reason why I started this post in the first place.
Since no one provided a global solution, we had to this workarounds 😞

You can mass disable and reenable through Software Deployment- Policy - see screenshot

Re: AnyDesk - on compliant DH version

skandshus — Wed, 23 Oct 2024 15:01:44 GMT

auuuh that way of disabling 😮 . didnt that cause a lot of havoc ?

that way is literally uninstalling blades & then re-installing them afterwards 😮