From: samples@eset.sk
Date: 15.04.21 15:29
Thank you for your submission.
The installer you provided us is a silent installer for a remote administrator application (RemoteUtilities) preconfigured to be accessed from ....
Please whitelist the installer you created inside your organization (by adding a detection exception).
Can you tell us: what if the same application was preconfigured to connect to a different server (maybe random, maybe belonging to your business competitor, maybe controlled by a malware operator)?
Would you allow it to run on your system?
Would you expect it to be detected?
Should your installer be executed on other (not related to rubicon.cz) computers?
We understand the detection may be a problem for legit users. But we can confirm: for us it is a rational decision to keep it.
It is because of the *high prevalence* of malicious MSI configurator outputs signed by RemoteUtilities in our telemetry.
It is only in RemoteUtilities' hands to change it.
As we wrote to them: "it is up to software vendors to identify possible issues, features, or combination of settings which make their application prone to such abuse.
And to discourage potential attacker from using legit software."
As you pasted their statement:
"Eset blocks them all just because someone somewhere used one of those files to 'social engineer' into someone's computer."
<- this is not true
"the file that they claimed was 'malicious' was actually a legit customized Host file (signed with our signature) only used for malicious purpose"
<- yet another confirmation of the high level of responsibility presented by RemoteUtilities
"Eset decided that if our legit file is used by a malware actor then the file was malicious. And by extension they decided that all other configured installers should also be malicious."
<- this is not true