Bretislav Duda's community posts

Odesilatel: samples@eset.sk
Datum: 15.04.21 15:29

Thank you for your submission.

The installer you provided us is silent installer for remote administrator application (RemoteUtilities) preconfigured to be accessed from ....
Please whitelist installer you created inside your organization (by adding detection exception).

Can you tell us, what if same application was preconfigured to connect to different server (maybe random, maybe belonging to your business competitor, maybe controlled by malware operator)
Would you allow to run it on your system ?
Would you expect it will be detected ?
Should your installer be executed on other (not-related to rubicon.cz) computers?

We understand the detection may be a problem for legit users. But we can confirm - for us it is rational decision to keep it.
It is because of *high prevalence* of malicious MSI configurator outputs signed by RemoteUtilities in our telemetry.

It is only in RemoteUtilities hands to change it.
As we wrote to them: "it is up to software vendors to identify possible issues, features, or combination of settings which make their application prone to such abuse.
And to discourage potential attacker from using legit software."

As you paste their statement:
"Eset blocks them all just because someone somewhere used one of those file to 'social engineer' into someone's computer."
<- this is not true

"the file that they claimed was "malicious' was actually a legit customized Host file (signed with our signature) only used for malicious purpose"
<- yet another confirmation of high level of responsibility presented by RemoteUtilities

"Eset decided that if our legit file is used by a malware actor then the file was malicious. And by extension they decided that all other configured installers should also be malicuous."
<- this is not true

I don't think it will ever be fixed again. ESET refuses to solve this and RU does not want to generate a new hash. So the end, the search for another. Damage.

Any news?
New hash?

Hello,
any news?

There is a chance for a solution and further use?

v7.0.0.3 identical problem

It may be faster and easier to revoke the certificate and create new ones

NEVER ENDING STORY

Thank you for your submission.
It seems that you try to build an installer, which is signed by compromised RemoteUtilities digital certificate (already known from malware).
Please create unsigned installer and (if required) sign it with your own certificate.
Such installer is expected to be optionally detected as potentially unsafe application RemoteUtilities.

Regards,

ESET Malware Response Team

for the agent I only change the server and port
our server
and port 5656

for the host, an authorization password

Yes, I mean MSI online configurator

I wrote and telephoned ESET, waiting for a response

I ask again
Why wasn't version 7.0.0.0 a problem?
Why does the Russian version still have no problem?

Has nothing changed - digital signature?

Are you kidding?
When you use an agent for remote support of random clients and write to them that I'm downloading a virus ... HOW DO I LOOK LIKE? AS IDIOT?

Not to mention that it's your software, your reputation
You have to solve it with ESET

Why is your version 7.0.0.0 not detected, but 7.0.0.1 and 7.0.0.2 are?
Why is the Russian version not detected?

Why is the agent and guest not detected downloaded from you, but online customized from you = trojan?

ESET whitelist is NOT a solution!!!
Not for remote support !!!