Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Mitja-S3NEXT
Collaborator
Jump to solution

AnyDesk - on compliant DH version

anydesk.exe

 
Suspicious Events:
User Execution: Malicious File: anydesk.exe; Subvert Trust Controls: Code Signing: anydesk.exe;
Incident Details:
anydesk.exe(ecae8b9c820ce255108f6050c26c37a1);
 
Client verasion : 88.60.0087
 
Will there be (planned) global solution (is a support ticket on this case already open?, I assume that many users/customers are facing the same problem) or do we have to put exclusions on every tenant of our customers?
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

To close the loop on this, it appears that AnyDesk is now treated as a Potentially Unwanted Application.
See: https://support.checkpoint.com/results/sk/sk182752 

If AnyDesk is legitimately used in your environment, you will need to crate a local exception.

View solution in original post

24 Replies
RS_Daniel
Advisor

Hi,

Yes, same question here. Anydesk is blocked/deleted with E2 engine.

the_rock
Legend
Legend

What did TAC say?

Andy

0 Kudos
PhoneBoy
Admin
Admin

This is likely a false positive that should be reported to TAC.

0 Kudos
PhoneBoy
Admin
Admin

To close the loop on this, it appears that AnyDesk is now treated as a Potentially Unwanted Application.
See: https://support.checkpoint.com/results/sk/sk182752 

If AnyDesk is legitimately used in your environment, you will need to crate a local exception.

skandshus
Advisor
Advisor

How are we able to push this as an MSP to all tenants?

 

0 Kudos
skandshus
Advisor
Advisor

apparantly i still dont have access to all tenant's "smart exclusions"
do you know how i can activate that part?

0 Kudos
MikeB
Advisor

And what happened to the previous categorization "Riskware" for this type of software? The Antimalware policy had the possibility of not detecting it. does this no longer apply to E2?

 

image.png

skandshus
Advisor
Advisor

Im honestly unsure how checkpoint expect us to whitelist this

Everytime i right click in the eventlogs to automatically add it to global exclusion it just created a exclusion with a SHA1 value..
it does this everytime(with a different value)
So that exclusion isnt worth much

0 Kudos
PhoneBoy
Admin
Admin

The certificate used to sign the application should be excluded from Forensics Monitoring.

0 Kudos
skandshus
Advisor
Advisor

The certificate used for signing?? That’s a new one for me. Is there any examples somewhere perhaps?

0 Kudos
PhoneBoy
Admin
Admin

Endpoint is not my strong suit 🙂
However, it appears this is where you set it for "legacy" exclusions (specifically for Forensics > Anti-Ransomware and Behavioral Guard): https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Harmony-Endpoint-Admin-Guide/... 

0 Kudos
skandshus
Advisor
Advisor

Would you expect that can work?

but how do i get the certificate when app is being blocked

0 Kudos
PhoneBoy
Admin
Admin

According to the internal notes of the SK documenting AnyDesk as PUA, yes.
Suggest engaging with the TAC here.

0 Kudos
Mitja-S3NEXT
Collaborator

Maybe a workaround, install anydesk and make an exception to the installed path "c:\Program files\AnyDesk......".
How do you install it when it is blocked? You can temporarly disable the protection with these settings on every client.

 

 

0 Kudos
skandshus
Advisor
Advisor

yep i can disable security features. But.. that seems really out of boundary that its should even be considered just because you wanna install some software. Check Point should have a feaseable solution to installation/whitelisting software without having to disable security feature before installing 🙂

and if i need to "re-deploy" Anydesk to computer, i cant mass disable features on all endpoint og remotely re-enable again 🙂

Mitja-S3NEXT
Collaborator

I totally agree with you, that was the reason why I started this post in the first place.
Since no one provided a global solution, we had to this workarounds 😞

You can mass disable and reenable through Software Deployment- Policy - see screenshot

0 Kudos
skandshus
Advisor
Advisor

auuuh that way of disabling 😮 . didnt that cause a lot of havoc ?

that way is literally uninstalling blades & then re-installing them afterwards 😮

 

0 Kudos
Mitja-S3NEXT
Collaborator

Indeed, it was not the optimal solution 😞 , but a quick resolution was necessary.

0 Kudos
skandshus
Advisor
Advisor

have you checked your harmony endpoint reports?

all my harmony reports are screwed now, and data is now worthless. it still triggers detection's on anydesk and thereby making all my malware/infection reports useless because it keep triggering.

 
 

Skærmbillede 2024-11-06 201511.pngSkærmbillede 2024-11-06 201459.png

0 Kudos
Mitja-S3NEXT
Collaborator

Have you tryed this exception with certificate exeption.png?

 
 
 

 

0 Kudos
skandshus
Advisor
Advisor

Yes.. and it works,  but it still reports as detected none the less. It bypasses but it still does a detection and therefore killing my data/reporting.. are yours gone from the logs if you check?

0 Kudos
Mitja-S3NEXT
Collaborator
 

And here the exception with SMART exceptions

2024-11-18_19h19_54.png

0 Kudos
skandshus
Advisor
Advisor

Yep seeing same issue here..

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events