Any idea why Windows Defender is seeing the Beta as a severe malware app with remote command execution?
Yeah, it's heuristics. The software (code) is new, so it'll take time for the antivirus companies to mark it as safe.
That's not how heuristics works. Heuristics looks at the construction of the code, such as the calls used and the jumps made, instead of using signatures. Heuristic scanning of code generally only reports a false positive if there is something seriously funky being done in the code, and rarely reports it as a known malicious piece of code - which is what happened here.
Now, admittedly, any app that allows remote access to a computer by definition has some "seriously funky code", but with it being recognised as a particular piece of malicious code, that's the issue.
And as to scanners not seeing it yet, therefore not building signatures in their databases, the app has been out for a week and I'm sure I'm not in the first handful of people who have downloaded it who are running Windows Defender - so that isn't really a valid reason for this detection.
Windows Defender is awful about this. I have custom programs that I run in a business. About once or twice a year, without any changes having been made to my software, Windows Defender calls them a virus and deletes them, can't reinstall because they are immediately flagged again. Wait a few days, install, and everything is good again... for 6-12 months. I've gotten where I always add exceptions now, because at any moment in the future, all of the computers I have my software installed on are going to delete it at the same time.
One more thing I've found: If you remotely update, and include a new password in the msi, and the previous version is 18.104.22.168, you cannot log in because the old settings are still on the client. Even if you go to the client, and uninstall first, the remote install still cannot be logged into with the simple password from the msi because the old settings are still in the registry. I found that if I delete HKEY_LOCAL_MACHINE\SOFTWARE\Usoris, then the remote installation will work properly after that. Perhaps the installer msi should check for that and remove it. I have reproduced this on several computers. I always have to delete HKEY_LOCAL_MACHINE\SOFTWARE\Usoris for the remote install to work properly.
You are correct, it goes back to the prefilled simple password instead of going back to the one time password. It's confusing because the simple password is saved with the address and it doesn't prompt for it initially because of that, but then it goes to it if the one time password is wrong or close to expiration.
I am using simple password + 2 factor authy. If I put a wrong one-time password in, it says the password is wrong, and then it goes to the simple password entry box, so if you then type in the correct one-time password, you are actually changing the simple password. Then, of course, it really doesn't work, you have to fix the simple password and then put in the one-time password. What makes it worse is that it won't accept a one-time password that is a few seconds away from expiration, so many times the one-time password is wrong. Most implementations will allow you to use a one-time password for a few more seconds so that you don't have to sit and wait for the next password to be generated if you are near the end of the 30 second window.
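The acceptance window discussed in the post above, as an added example that is not part of the thread and not the product's own code: a time-based one-time password check in the style of RFC 6238 that can accept the adjacent 30-second step while refusing to accept an already used code again. It assumes HMAC-SHA-1 and 6-digit codes; the names `totp`, `verify`, `drift` and `last_used` are hypothetical, and the secret is the published RFC 6238 test secret.

```python
import hashlib
import hmac
import struct

STEP = 30     # seconds each code is valid for (the 30 second window)
DIGITS = 6    # assumed code length
SECRET = b"12345678901234567890"  # RFC 6238 test secret, not a real key


def totp(secret: bytes, counter: int) -> str:
    """Code for one time-step counter (RFC 4226 truncation, HMAC-SHA-1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, code: str, now: float, last_used: int = -1, drift: int = 1):
    """Return the time-step counter that matched, or None.

    drift=0 accepts only the current step, so a code typed just before
    rollover fails. drift=1 also accepts the previous and next step.
    last_used is the counter of the last accepted code: steps at or
    below it are skipped, so widening the window does not allow replay.
    """
    current = int(now) // STEP
    for counter in range(current - drift, current + drift + 1):
        if counter <= last_used:
            continue
        expected = totp(secret, counter)
        # Constant-time comparison of the two codes.
        if hmac.compare_digest(expected.encode(), code.encode("utf-8")):
            return counter
    return None


if __name__ == "__main__":
    code = totp(SECRET, 59 // STEP)   # generated at t=59s, one second before rollover
    print("strict  :", verify(SECRET, code, now=61, drift=0))
    print("tolerant:", verify(SECRET, code, now=61, drift=1))
    print("replay  :", verify(SECRET, code, now=61, last_used=1, drift=1))
```

The caller stores the returned counter as `last_used` for that account after a successful login; each extra step of drift lengthens the time a captured code stays usable.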
When I create an MSI and tell it to auto-generate an ID and use the custom server, it seems that when the MSI is run, it grabs a default/public server ID. The ID on the client does not show on my ru server. If I go to the ID on the client and tell it to generate a new ID, then the new ID shows up on my server.
1. Do you use online or legacy option? 2. What is the type of installer that you choose (standard, one click or agent)? 3. Could you please send us the Host log? Feel free to send it to firstname.lastname@example.org as an attachment. This issue might also mean that the Host simply doesn't connect the first time for some reason, the log should reflect that.
Looking forward to your reply.
Okay, I think it just wasn't connecting yet, but later it did on further testing.
I have the RU Server installed. When I create an MSI and tell it to auto-generate an ID and use the custom server, it seems that when the MSI is run, it grabs a default/public server ID. The ID on the client does not show on my ru server. If I go to the ID on the client and tell it to generate a new ID, then the new ID shows up on my server.
Kim Dawson wrote: All day long, the pop up for this host comes up every few minutes to tell me it's online.
Yes, that. That's exactly what mine does. All day, computer online pop up, computer online pop up, computer online pop up. The PCs at the same location with the older version host/viewer do NOT have this issue. The new version simply isn't as stable as the old version.