On 1/18 at least half of my hosts were quarantined as a hack tool
Martin E,
User (Posts: 17)
Jan 21, 2025 11:16:10 pm EST
Support level: Pro
I have now lost access to 100+ hosts as Remote Utilities was identified as a hack tool and quarantined. I've been trying to figure out why my hosts were offline. I've been able to get in via a few remaining hosts and used a vnc tool to access the systems that I know to be online. Nothing remains of Remote Utilities but a few log files. Windows Defender, etc. have decided RU is a hack tool and removed it entirely.
Different host versions going back to 6.8.0.1 to the latest. Different operating systems, in different locations, using different ISPs.
Yes, I could have excluded RU from any AV access, but I naively assumed RU had been around long enough to not have this happen. Apparently, I'm wrong.
FYI, if you have hosts you know to be online but show offline, you may need to find another way in.

Conrad Sallian,
Support (Posts: 3099)
Jan 22, 2025 5:09:03 am EST
Hello Martin,
We are sorry to hear that that happened.
For modern antivirus software, longevity alone is no longer sufficient. They may blacklist a file that has been used by tens of thousands of paid customers and corporations—one whose digital signature hasn’t changed for years—based on a single incident or even a complaint from a victim who fell prey to a technical support scam where the software was used (pure social engineering).
The closest analogy would be confiscating kitchen knives from every household in the country simply because a single crime was committed using such a knife.
Martin E,
User (Posts: 17)
Jan 22, 2025 11:50:59 am EST
Support level: Pro
While you are correct, I used other well-known remote access tools for years before switching over to Remote Utilities without a single incident of AV conflict. Unfortunately, I'm now at a point that RU will cost me real money to travel to remote sites that have 100% offline hosts to re-establish connectivity.
As it stands this morning, I've lost over a third of my 800+ hosts. If I have to go through the effort to fix this, I'm also going through the effort to try to prevent this in the future.

Conrad Sallian,
Support (Posts: 3099)
Jan 22, 2025 12:04:42 pm EST
Hi Martin,
We completely understand your frustration. The current state of the "security" industry is indeed dismal. Security software providers often remain unaccountable for the damages they cause. Take this recent incident as an example.
David Silvera,
User (Posts: 24)
Jan 22, 2025 7:55:04 pm EST
Support level: Pro
This seriously seriously sucks! How can you delete a program that is genuinely being used in a corporation and fully remove it? I mean, it had to pass through installation, even marked as safe by the admin as he installed it.
Was this Windows Defender that did this? They need to take a less stern stance in regards to these programs. Even a warning instead of a delete would have been better. Not even quarantine??
If this happened to me with 800!!!! hosts, I would flip!
Feel your pain Martin.

Conrad Sallian,
Support (Posts: 3099)
Jan 23, 2025 5:13:36 am EST
Hi David,
Recently, Microsoft denied the inclusion of Remote Utilities in the MS Store, even though the previous version was accepted without any problems (both Viewer and Host). In their message, they referred to VirusTotal results as the basis for their decision. Apparently, if there is even a 1/70 detection ratio, they reject the submission—regardless of whether it’s a false positive or a warning like "potentially unwanted."
Even after ESET, whose PUP detection it was, directly confirmed via email that it wasn’t a malware detection, Microsoft didn’t revise their decision.
While we can't confirm this with absolute certainty, there are indications that Microsoft Defender and SmartScreen may rely on third-party detection data—such as VirusTotal results or sandbox analysis—to form their verdicts. This is concerning because VirusTotal was never intended for such purposes. It's an experimental platform, and its engines often operate in their most aggressive detection modes.
We always encourage users to immediately file a complaint with Microsoft whenever there’s even a single file detection or SmartScreen blocks a file download in Edge (as is currently the case with Agent). Edge provides a dedicated menu option for submitting such complaints. Without these complaints any antivirus detection system tends to retain false positive classifications unless explicitly brought to their attention.
Currently, our software adheres to every single CSA guideline—any analyst can easily verify this by examining the software. In our upcoming release, we will introduce features that could further address this situation. However, it seems that many antivirus engines disregard performing any thorough analysis.
It might be considered unethical to point this out, but I feel it’s important to mention. After the production systems(!) of one of our competitors—well-known remote access software—were breached a year ago and their digital signature was compromised, it took nearly a week for some antivirus software to start blocking files signed with that signature. During that time, it was unclear how many malware builds might have been signed with it and distributed.
Now compare this to every version of Remote Utilities being blocked by some well-known a/v programs immediately after release, despite being signed with a digital signature that has never been compromised, only for the detections to be removed later with apologies. 🤦
* Website time zone: America/New_York (UTC -5)