C2 Defender Alerts
Just a quick one, but are any of you suddenly (as of today) getting Defender blocking access to the Rutserver.exe and firing off a load of malicious C2 connections?
Thank you for your message.
We did receive one more report about this behavior from our user, however, it’s a false positive detection. Some security and endpoint protection products occasionally flag remote access software this way because it maintains a persistent connection for remote control functionality.
Adding Remote Utilities installation folders to the security software’s allowlist will prevent these alerts in the future. In order to do so, you can follow this guide
Let us know if you have more questions.
Since yesterday, we got alerts from Defender about 5 computers regarding this. It is not sufficient to create exceptions for the folders or processes. From what I understand, we have to whitelist the RU Central server IP addresses. Unfortunately I have not found any dynamic server address that can be used, so I added IP address indicators to allow the traffic. (Defender portal->Settings->Endpoints->Rules->Indicators->IP addresses.)
64.20.61.146
172.241.164.247
216.158.232.18
There can be more IP addresses in use that might show up later, and they can be found by using Advanced hunting with this query:
DeviceNetworkEvents
| where InitiatingProcessFileName == "rutserv.exe"
| where RemotePort in (5650,5651,5652,5653,5654,5655)
| summarize count() by RemoteIP
Adding IP address indicators to allow traffic will open up for all processes, so it probably should be used together with an endpoint firewall policy to only allow rutserv.exe to connect to these addresses and ports.
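The same comparison can be run offline against an exported DeviceNetworkEvents table, which is useful when reviewing the result of the hunting query above against the addresses that have been vetted so far. The following is an added example, not code from this thread or from Remote Utilities: it reproduces the query's filter-and-count step in Python and then goes one step further, listing every rutserv.exe connection whose remote address is not on the allowlist or whose port is outside 5650-5655, so that new relay addresses show up as review items rather than being silently counted. The event rows, the device names and the addresses 203.0.113.77 and 198.51.100.9 are constructed sample data; only the three allowlisted addresses and the port range come from the thread.

```python
"""Review rutserv.exe network events against a vetted relay allowlist.

Added example for illustration; the event rows below are constructed and do
not come from any real tenant. Column names follow the DeviceNetworkEvents
table used by the Advanced hunting query in the thread.
"""
from collections import Counter
from ipaddress import ip_address

# Relay addresses named in the thread as Remote Utilities servers.
KNOWN_RU_RELAYS = {"64.20.61.146", "172.241.164.247", "216.158.232.18"}

# Ports used by the Advanced hunting query (5650 to 5655 inclusive).
RU_PORTS = set(range(5650, 5656))

# Constructed sample rows. 203.0.113.77 and 198.51.100.9 are documentation
# addresses standing in for "an address we have not seen before".
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "InitiatingProcessFileName": "rutserv.exe",
     "RemoteIP": "172.241.164.247", "RemotePort": 5655},
    {"DeviceName": "ws01", "InitiatingProcessFileName": "rutserv.exe",
     "RemoteIP": "172.241.164.247", "RemotePort": 5655},
    {"DeviceName": "ws02", "InitiatingProcessFileName": "rutserv.exe",
     "RemoteIP": "64.20.61.146", "RemotePort": 5651},
    {"DeviceName": "ws03", "InitiatingProcessFileName": "rutserv.exe",
     "RemoteIP": "203.0.113.77", "RemotePort": 5652},   # not on the allowlist
    {"DeviceName": "ws03", "InitiatingProcessFileName": "rutserv.exe",
     "RemoteIP": "198.51.100.9", "RemotePort": 443},    # wrong port as well
    {"DeviceName": "ws04", "InitiatingProcessFileName": "chrome.exe",
     "RemoteIP": "203.0.113.77", "RemotePort": 443},    # other process, ignored
]


def validated_allowlist(entries):
    """Return the allowlist as a set of canonical IP strings.

    Rejects anything that is not a literal IP address, so that a hostname or a
    typo cannot end up as an indicator by accident.
    """
    return {str(ip_address(entry)) for entry in entries}


def summarize_by_remote_ip(events, process="rutserv.exe", ports=RU_PORTS):
    """Python equivalent of the thread's KQL: filter on process and port,
    then count rows per RemoteIP."""
    counts = Counter()
    for event in events:
        if (event["InitiatingProcessFileName"].lower() == process
                and event["RemotePort"] in ports):
            counts[event["RemoteIP"]] += 1
    return dict(counts)


def review_queue(events, allowlist=KNOWN_RU_RELAYS, ports=RU_PORTS,
                 process="rutserv.exe"):
    """List rutserv.exe connections that need a human look.

    A row is flagged when its remote address is not on the vetted allowlist,
    when its port is outside the expected relay range, or both. Returns a
    sorted, de-duplicated list of (device, ip, port, reason) tuples.
    """
    allowed = validated_allowlist(allowlist)
    findings = set()
    for event in events:
        if event["InitiatingProcessFileName"].lower() != process:
            continue
        reasons = []
        if event["RemoteIP"] not in allowed:
            reasons.append("relay not on allowlist")
        if event["RemotePort"] not in ports:
            reasons.append("unexpected port")
        if reasons:
            findings.add((event["DeviceName"], event["RemoteIP"],
                          event["RemotePort"], "; ".join(reasons)))
    return sorted(findings)


if __name__ == "__main__":
    for ip, n in sorted(summarize_by_remote_ip(SAMPLE_EVENTS).items()):
        print(f"{ip:<16} {n}")
    for device, ip, port, reason in review_queue(SAMPLE_EVENTS):
        print(f"REVIEW {device} -> {ip}:{port} ({reason})")
```

The summary mirrors what the hunting query returns, while the review queue is the step that answers the question in this thread: a new address appearing under rutserv.exe is not added to the allowlist automatically but surfaces as an item to confirm with the vendor first.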
Hey Christer,
Christer Jakobsen wrote:
Since yesterday, we got alerts from Defender about 5 computers regarding this. It is not sufficient to create exceptions for the folders or processes. From what I understand, we have to whitelist the RU Central server IP addresses. Unfortunately I have not found any dynamic server address that can be used, so I added IP address indicators to allow the traffic. (Defender portal->Settings->Endpoints->Rules->Indicators->IP addresses.)
64.20.61.146
172.241.164.247
216.158.232.18
There can be more IP addresses in use that might show up later, and they can be found by using Advanced hunting with this query:
DeviceNetworkEvents
| where InitiatingProcessFileName == "rutserv.exe"
| where RemotePort in (5650,5651,5652,5653,5654,5655)
| summarize count() by RemoteIP
Adding ip-address indicators to allow traffic will open up for all processes, so it probably should be used together with an endpoint firewall policy to only allow rutserv.exe to connect to these addresses and ports.
Thanks for your reply, I was going to do this (as it's not the software being blocked per se)
However, I was more inclined to check if 172.241.164.247 was an active RU IP and not some sort of middle botnet which has been hijacked.
Thanks for the help, I imagine that's what I'll do shortly
Thanks for the comment.
Josh D wrote:
Hey Christer,
Christer Jakobsen wrote:
Since yesterday, we got alerts from Defender about 5 computers regarding this. It is not sufficient to create exceptions for the folders or processes. From what I understand, we have to whitelist the RU Central server IP addresses. Unfortunately I have not found any dynamic server address that can be used, so I added IP address indicators to allow the traffic. (Defender portal->Settings->Endpoints->Rules->Indicators->IP addresses.)
64.20.61.146
172.241.164.247
216.158.232.18
There can be more IP addresses in use that might show up later, and they can be found by using Advanced hunting with this query:
DeviceNetworkEvents
| where InitiatingProcessFileName == "rutserv.exe"
| where RemotePort in (5650,5651,5652,5653,5654,5655)
| summarize count() by RemoteIP
Adding ip-address indicators to allow traffic will open up for all processes, so it probably should be used together with an endpoint firewall policy to only allow rutserv.exe to connect to these addresses and ports.
Thanks for your reply, I was going to do this (as it's not the software being blocked per se)
However, I was more inclined to check if 172.241.164.247 was an active RU IP and not some sort of middle botnet which has been hijacked.
Thanks for the help, I imagine that's what I'll do shortly
I don't know if it's possible to guarantee the IP addresses are actually official RU servers. It would be very helpful if they could provide an official list of addresses (or even better a dynamic address that they could update themselves).
Hello everyone,
Yes, it is our server at 172.241.164.247. RU uses end-to-end encryption, and the servers simply relay the encrypted traffic. They cannot inspect forwarded packets and do not store any data.
The reason for this alert is banal and very typical for the modern “security industry”. Apparently, someone was “hacked” using social engineering methods, which in this case simply means they voluntarily installed RU, gave their access credentials to a fraudster/attacker, and the attacker connected to their computer using RU. The victim then complained to their ISP, the ISP submitted an “abuse report” to the hosting provider Leaseweb, and that was enough for the IP address to be labeled as a “botnet server”, despite the fact that it is used by hundreds of thousands of perfectly legitimate connections.
Christer Jakobsen wrote:
I don't know if it's possible to guarantee the ip-addresses are actually official RU servers. I
It is possible. Just ask here and we will answer. However, we will not disclose our entire infrastructure because we do not want it to be DDoSed or otherwise targeted. That is quite understandable.
Do not hesitate to ask if you have any questions.
Thank you Conrad, that's perfect. Thank you for taking the time to reply :)
Conrad Sallian wrote:
Hello everyone,
Yes, it is our server at 172.241.164.247. RU uses end-to-end encryption, and the servers simply relay the encrypted traffic. They cannot inspect forwarded packets and do not store any data.
The reason for this alert is banal and very typical for the modern “security industry”. Apparently, someone was “hacked” using social engineering methods, which in this case simply means they voluntarily installed RU, gave their access credentials to a fraudster/attacker, and the attacker connected to their computer using RU. The victim then complained to their ISP, the ISP submitted an “abuse report” to the hosting provider Leaseweb, and that was enough for the IP address to be labeled as a “botnet server”, despite the fact that it is used by hundreds of thousands of perfectly legitimate connections.
Christer Jakobsen wrote:
I don't know if it's possible to guarantee the ip-addresses are actually official RU servers. I
It is possible. Just ask here and we will answer. However, we will not disclose our entire infrastructure because we do not want it to be DDoSed or otherwise targeted. That is quite understandable.
Do not hesitate to ask if you have any questions.