Solved: Re: AnyDesk - on compliant DH version

Mitja-S3NEXT · ‎2024-10-03

anydesk.exe

Suspicious Events:

User Execution: Malicious File: anydesk.exe; Subvert Trust Controls: Code Signing: anydesk.exe;

Incident Details:

anydesk.exe(ecae8b9c820ce255108f6050c26c37a1);

Client verasion : 88.60.0087

Will there be (planned) global solution (is a support ticket on this case already open?, I assume that many users/customers are facing the same problem) or do we have to put exclusions on every tenant of our customers?

PhoneBoy

To close the loop on this, it appears that AnyDesk is now treated as a Potentially Unwanted Application.
See: https://support.checkpoint.com/results/sk/sk182752

If AnyDesk is legitimately used in your environment, you will need to crate a local exception.

View solution in original post

RS_Daniel · ‎2024-10-04

Hi,

Yes, same question here. Anydesk is blocked/deleted with E2 engine.

the_rock · ‎2024-10-04

What did TAC say?

Andy

PhoneBoy · ‎2024-10-04

This is likely a false positive that should be reported to TAC.

PhoneBoy

To close the loop on this, it appears that AnyDesk is now treated as a Potentially Unwanted Application.
See: https://support.checkpoint.com/results/sk/sk182752

If AnyDesk is legitimately used in your environment, you will need to crate a local exception.

skandshus

How are we able to push this as an MSP to all tenants?

PhoneBoy

https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Harmony-Endpoint-Admin-Guide/...

skandshus

apparantly i still dont have access to all tenant's "smart exclusions"
do you know how i can activate that part?

MikeB

And what happened to the previous categorization "Riskware" for this type of software? The Antimalware policy had the possibility of not detecting it. does this no longer apply to E2?

skandshus

Im honestly unsure how checkpoint expect us to whitelist this

Everytime i right click in the eventlogs to automatically add it to global exclusion it just created a exclusion with a SHA1 value..
it does this everytime(with a different value)
So that exclusion isnt worth much

PhoneBoy

The certificate used to sign the application should be excluded from Forensics Monitoring.

skandshus

The certificate used for signing?? That’s a new one for me. Is there any examples somewhere perhaps?

PhoneBoy

Endpoint is not my strong suit 🙂
However, it appears this is where you set it for "legacy" exclusions (specifically for Forensics > Anti-Ransomware and Behavioral Guard): https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Harmony-Endpoint-Admin-Guide/...

skandshus

Would you expect that can work?

but how do i get the certificate when app is being blocked

PhoneBoy

According to the internal notes of the SK documenting AnyDesk as PUA, yes.
Suggest engaging with the TAC here.

Mitja-S3NEXT

Maybe a workaround, install anydesk and make an exception to the installed path "c:\Program files\AnyDesk......".
How do you install it when it is blocked? You can temporarly disable the protection with these settings on every client.

skandshus

yep i can disable security features. But.. that seems really out of boundary that its should even be considered just because you wanna install some software. Check Point should have a feaseable solution to installation/whitelisting software without having to disable security feature before installing 🙂

and if i need to "re-deploy" Anydesk to computer, i cant mass disable features on all endpoint og remotely re-enable again 🙂

Mitja-S3NEXT

I totally agree with you, that was the reason why I started this post in the first place.
Since no one provided a global solution, we had to this workarounds 😞

You can mass disable and reenable through Software Deployment- Policy - see screenshot

skandshus

auuuh that way of disabling 😮 . didnt that cause a lot of havoc ?

that way is literally uninstalling blades & then re-installing them afterwards 😮

Mitja-S3NEXT

Indeed, it was not the optimal solution 😞 , but a quick resolution was necessary.

skandshus

Yep seeing same issue here..

Are you a member of CheckMates?

AnyDesk - on compliant DH version