
Update AV vendors with your latest signatures before releasing a build

MaxBlitzer, User (Posts: 23)

Oct 24, 2018 3:56:04 pm EDT

Conrad wrote:

Hello Max,

Just as I was writing this answer Microsoft informed us that they removed the detection and that one should update their definition files.

I perfectly understand what you say and agree completely. Unfortunately, there is little we can do because the antivirus software industry is in dismal state. How else can we characterize them if they cannot even distinguish a digitally signed file from an unsigned trojan-loaded one?

Just think about it - a file signed with an EV Code Signing Certificate coming from a legit developer gets detected as a trojan :) Well, of course not all a/v software is that bad though, but some are.

And there is this VirusTotal, which is another sad story. For almost three years we have been trying to convince them that not all antivirus software is created equal and that they should take a closer look at the quality of the a/v engines they use. Yet, they keep presenting their scan results alphabetically and in red type (even the relatively benign detections). So the never-responding-to-false-positive-requests Chinese antivirus by the name "AntiyAVL" (without VirusTotal you wouldn't even know that it exists) always ends up at the top of the list with its bold red warning that Remote Utilities is unsafe :)

Was the Microsoft response an automated one (I'm sure) or possibly a human? Could you ask them what impact an EV signed certificate has on AV scans? Because I don't see that as an automatic whitelist for AV vendors, just an additional safety check that the .exe you have is from the people you expected it from before executing it (ie, from Microsoft, not Micros0ft). If it was an automatic whitelist, then the cost of mass malware infections would be very cheap. Legit developers' signing certs get stolen all the time and we find out days, weeks or months later that something malicious got slipped in without anyone knowing. An AV vendor that trusted a file on EV alone would be Swiss cheese and not something people would really want to install.

But yeah, the big 6-10 vendors that will be installed by your customer base is main priority. I know from reading bleepingcomputer forums over the years, people tend to ignore the really obscure VirusTotal AV engines, but if one or more of the main vendors detects something, there is probably something to it.

Update AV vendors with your latest signatures before releasing a build

MaxBlitzer, User (Posts: 23)

Oct 24, 2018 2:55:26 pm EDT

Contacted by user today after their viewer got removed by Windows Defender. Didn't know why it happened, and told her to download the 6.9 and of course, "a window popped up saying “viewer6.9.msi contained a virus and was deleted” so the download didn’t complete."

Since this is the second time this happened for this user in just a few months, with the loss of productivity after this happens, I'm anticipating the conversation about switching to something else. Telling people to temporarily disable their antivirus is not a solution that works more than once.

I cannot think of any software I use that has this level of problems with AV software, so it sticks out as an outlier. I understand the predicament you are in, it's especially hard as you're in an industry where AV vendors have to distinguish between malicious RATs and intentional RATs, but it is a problem that is mainly yours to make any improvement on if there are false positives.

So what can be done about this situation?

First thought was that the signatures should automatically be made available to the Virus Total AV vendors before officially releasing the final builds and have a high or 100% vendor update confirmation. At the very least, the main ones, like Defender, Kaspersky, McAfee, ESET, etc. I think people can look at a Virus Total and ignore false detections when the main ones don't flag it and only the super obscure ones do. I know you can submit false positives to each vendor, not sure if you can pre-submit to prevent false positives. I assume so.

But yeah, getting on Defender blocklist is bad. Anything and everything to prevent this proactively in the future should be done.
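The reply above (major engines count, obscure-only detections usually don't, and an EV signature is an identity check rather than a whitelist) and this post's "ignore false detections when the main ones don't flag it" both describe the same triage rule. The following Python is an added illustration written for this page, not code from Remote Utilities or VirusTotal: it takes a dictionary of engine detections plus the file's signature status and returns a verdict with reasons. The engine names in the "major" tier are the ones named in the thread; the threshold of three obscure-only detections, the `Signature` record, the `triage` function and the sample inputs are all constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Verdict(IntEnum):
    CLEAN = 0
    LIKELY_FALSE_POSITIVE = 1
    REVIEW = 2
    LIKELY_MALICIOUS = 3


# Engines the thread treats as the ones the customer base actually runs;
# anything else is handled as an obscure engine. Assumed tiering.
MAJOR_ENGINES = {"Defender", "Kaspersky", "McAfee", "ESET"}
# Assumed: this many obscure-only detections still deserve a human look.
OBSCURE_REVIEW_THRESHOLD = 3


@dataclass(frozen=True)
class Signature:
    """Result of verifying the file's code signature (constructed record)."""
    valid: bool        # chain verifies and the file hash matches the signature
    signer: str        # subject name on the signing certificate
    ev: bool = False   # extended-validation certificate


def triage(detections: dict[str, str], signature: Signature | None,
           expected_signer: str) -> tuple[Verdict, list[str]]:
    """Combine engine detections with the signature identity check.

    detections maps engine name -> detection label; an empty dict means
    no engine flagged the file.
    """
    reasons: list[str] = []
    major = sorted(e for e in detections if e in MAJOR_ENGINES)
    obscure = sorted(e for e in detections if e not in MAJOR_ENGINES)

    if major:
        verdict = Verdict.LIKELY_MALICIOUS
        reasons.append(f"flagged by major engine(s): {', '.join(major)}")
    elif len(obscure) >= OBSCURE_REVIEW_THRESHOLD:
        verdict = Verdict.REVIEW
        reasons.append(f"{len(obscure)} obscure engines flagged it")
    elif obscure:
        verdict = Verdict.LIKELY_FALSE_POSITIVE
        reasons.append(f"only obscure engine(s) flagged it: {', '.join(obscure)}")
    else:
        verdict = Verdict.CLEAN
        reasons.append("no engine flagged it")

    # Identity check: the signature must verify AND name the publisher we
    # expected (Microsoft, not Micros0ft). A failure can only raise the
    # verdict; a pass never lowers it, because signing certificates get
    # stolen and a valid signature is not proof of a clean file.
    if signature is None or not signature.valid:
        verdict = max(verdict, Verdict.REVIEW)
        reasons.append("file is unsigned or the signature does not verify")
    elif signature.signer != expected_signer:
        verdict = max(verdict, Verdict.REVIEW)
        reasons.append(f"signed by {signature.signer!r}, expected {expected_signer!r}")
    else:
        tag = " (EV)" if signature.ev else ""
        reasons.append(f"signature verifies from {expected_signer!r}{tag}; not a whitelist")
    return verdict, reasons


if __name__ == "__main__":
    # Constructed sample: one obscure engine flags a correctly signed build.
    sig = Signature(valid=True, signer="Example Publisher", ev=True)
    verdict, why = triage({"AntiyAVL": "Trojan.Generic"}, sig, "Example Publisher")
    print(verdict.name)
    for line in why:
        print(" -", line)
```

A run on the sample input reports `LIKELY_FALSE_POSITIVE`, while the same detection list with `"Defender"` added becomes `LIKELY_MALICIOUS`, and a file with no detections but signed by a look-alike name is pushed to `REVIEW`.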

Will not install

MaxBlitzer, User (Posts: 23)

Oct 23, 2018 10:06:44 pm EDT

You need to go and manually remove remote utilities from registry. I've had to do that on a couple of boxes that refused uninstall and reinstall.  One instance was definitely some conflict with Intel security software. I think an OS upgrade can also result in broken installs due to installing in wrong registry location many versions back.

Detect and alert user about version mismatches

MaxBlitzer, User (Posts: 23)

Aug 21, 2018 7:10:08 pm EDT

Since Host and Viewer are not bundled together and if backward compatibility breaks or changes on every version, then it should be more obvious to the user when there is a version mismatch that would prevent connection.

The Viewer knows the version of itself. The Viewer knows the version of the host. Very easy to pop up and alert the user to the documentation about needing to upgrade Viewer first and that they are not compatible.

The typical user (*cough* *cough*, myself included here. Though in this case, I KNOW I've read that before, just forgot) doesn't read documentation until they run into a problem. Errors and messages help tell the user where they should look in the documentation. The pop up informs the user what the exact problem is and what to do about it. Problem solved in minutes.
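The check this post asks for, as an added example written for this page rather than Remote Utilities' own code: parse the two dotted version strings, compare them, and produce the message the user should see. The compatibility rule itself is an assumption drawn from the thread (a 6.8.0.1 Viewer could not talk to a 6.9.1.0 Host and worked after the Viewer was upgraded), so it requires the Viewer's major.minor series to be at least the Host's; the real rule may differ.

```python
from __future__ import annotations


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '6.9.1.0' into (6, 9, 1, 0); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def check_compatibility(viewer: str, host: str) -> tuple[bool, str]:
    """Return (compatible, message for the user).

    Assumed rule: the Viewer's major.minor must be >= the Host's major.minor.
    A malformed version is reported rather than silently treated as OK, so
    the user still gets a pointer to the documentation instead of a silent
    failed connection.
    """
    try:
        v, h = parse_version(viewer), parse_version(host)
    except ValueError as exc:
        return False, f"Cannot determine compatibility: {exc}. Check the documentation."

    if v[:2] >= h[:2]:
        return True, f"Viewer {viewer} can connect to Host {host}."
    wanted = ".".join(str(n) for n in h[:2])
    return False, (
        f"Viewer {viewer} is older than Host {host} and cannot connect to it. "
        f"Upgrade the Viewer to {wanted} or later first, then retry. "
        "See the documentation on Viewer/Host version compatibility."
    )


if __name__ == "__main__":
    # Constructed inputs mirroring the case reported in this thread.
    for viewer, host in [("6.8.0.1", "6.9.1.0"), ("6.9.1.0", "6.9.1.0"), ("6.9.beta", "6.9.1.0")]:
        ok, message = check_compatibility(viewer, host)
        print(("OK  " if ok else "STOP"), message)
```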

Norton always blocks

MaxBlitzer, User (Posts: 23)

Aug 21, 2018 1:58:01 pm EDT

Issue resolved.  Turned out it was the Viewer being 6.8.0.1 and the server host being 6.9.1.0.  I didn't realize 6.8.0.1 Viewer couldn't talk to 6.9.1.0 beta.  So just upgrading her Viewer to 6.9.1.0 made the connection work.

You might want to make that clear on the Beta release notes page that 6.8.0.1 viewers can't talk to the 6.9.1.0 hosts.

I also saw the check marks she was seeing. Doesn't look like my screen and I didn't take any screenshots. But it's not intuitive as to what the check marks mean, since it was green for the offline connection and red for the online connection.  Also, it frequently only showed the Internet-ID connection as online and the Direct connection Offline/unknown until double clicked and connected.

Norton always blocks

MaxBlitzer, User (Posts: 23)

Aug 21, 2018 5:18:38 am EDT

Conrad wrote:

However, I'm trying to remotely help someone over the phone, she says she disabled both and still same result, "double clicking or selecting Full Control doesn't connect to server or give any errors or popups".

The feedback is on the connection icon/icons in the address book. If connection isn't possible, the icons will be in offline state.

I haven't found I could trust or use the online/offline/unknown status as accurate.  I have always had older servers appear under Online but never be connectable anymore (less of or not much of an issue after 6.6).  Out of 4 online hosts, 3 have 'Last IP' and 'Version', the 4th didn't.  I connect to the 4th, it fails on first try but is successful after a 5 second retry. Not sure how it determines it's online but not getting Last IP and Version, I'd expect that to be part of your handshake or keepalives or whatever you're using.

Just now, if I try and connect to a powered off offline host, I get a pop up with 5 second count down 'unable to connect'.  Is that new or fairly recent?  

When I first set this up, I made two entries in the address book and sent it to her.  One was the remote machine using direct connection through router port forward, and the 2nd the same settings but using the Internet-ID (in case the router changed or something). When I initially set it up, I could often see one appear online and the other unknown, both online, or both unknown. But they both worked if double clicking. Now both appear for me under Online.

I just checked one of her text messages from first tries when Norton firewall was still enabled.

I do see the 'Direct Server' and 'Fallback Server' as you describe. However, Fallback has a red check mark and says online, Direct has green check mark and says unknown.

So before trying to connect, or perhaps describing after unsuccessfully double clicking (the text is written after she tried, so I think this is the state AFTER her attempt), the direct connection shows unknown and the Internet-ID connection showed Online.  

I don't know what she means by "check mark" (hmm, maybe she thought and meant check BOX). It's a little computer screen, obviously :P  But for me, green computer screen is what I see for Logged on, orange for Online, and black for Offline/Unknown.  

Hopefully I'll find out what exactly she was talking about in the morning.  She uninstalled Norton completely and still didn't have any success, but made it sound like maybe something changed in her last update:

Tried to take full control of each, it says `logging on` then the offline/unknown error comes up.

I'll try and clarify if she was always seeing "unable to connect" pop up like I do for an Offline host for real, or if she could see the address book connection change from Online to Offline/Unknown or what.  She is not a technical person and so some details could be (read: likely) mistaken.

But some additional diagnostics to help the user would be a welcome addition.  Thanks.

Norton always blocks

MaxBlitzer, User (Posts: 23)

Aug 20, 2018 3:26:52 pm EDT

Have you guys received any recent reports of this happening again? I've come across two users this week running Norton.  They cannot use the Viewer to connect outside their home to their office. I'd expect them to block the host, but the viewer?! Jeepers.

On one machine I had direct access to, I temporarily disabled Smart Filter and Auto Protect and was able to use the Viewer to connect to the Host.  However, I'm trying to remotely help someone over the phone, she says she disabled both and still same result, "double clicking or selecting Full Control doesn't connect to server or give any errors or popups".

So my first complaint is to Norton, for being $&#^$&#.

But it is kind of frustrating when you go to connect to a server and there is no error, no pop up, and it doesn't connect; the user is kind of left "what do I do now?"  Is there somewhere it clearly says something like "unable to connect to host" or anything? Need something the user can feed back to the tech or just to google the next steps.

Could there be a way to detect when the Viewer is being blocked from making any outbound connections?
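One way a client could answer the question this post ends on, as an added example written for this page and not Remote Utilities' own code: before reporting a silent failure, probe the target with a short TCP connect and classify the outcome, because a local security suite dropping outbound traffic usually looks like a timeout, while a wrong address or a host that is really off looks like a name failure or a refused connection. The `Outcome` labels, the user-facing texts and `open_local_listener` (used only to exercise the probe offline) are constructed; the host and port values are placeholders.

```python
from __future__ import annotations

import socket
from enum import Enum


class Outcome(Enum):
    REACHABLE = "reachable"
    REFUSED = "refused"          # host answered, nothing listening on that port
    TIMEOUT = "timeout"          # no answer at all: typical of a firewall drop
    NAME_FAILED = "name_failed"  # DNS could not resolve the name
    ERROR = "error"              # other OS error (e.g. network unreachable)


# Constructed, user-facing explanations; wording is an assumption.
EXPLANATION = {
    Outcome.REACHABLE: "The Host's port answers; the problem is past the network layer.",
    Outcome.REFUSED: "The machine answered but nothing is listening on that port: "
                     "check the Host is running and the port/forwarding settings.",
    Outcome.TIMEOUT: "No reply at all. A firewall or security suite on this PC, "
                     "the router, or the remote side is most likely dropping the "
                     "Viewer's outbound connection.",
    Outcome.NAME_FAILED: "The host name could not be resolved: check the address "
                         "book entry or DNS.",
    Outcome.ERROR: "The connection attempt failed with a system error.",
}


def probe(host: str, port: int, timeout: float = 3.0) -> tuple[Outcome, str]:
    """Attempt one TCP connect and classify why it did or did not succeed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            outcome = Outcome.REACHABLE
    except socket.gaierror:
        outcome = Outcome.NAME_FAILED
    except ConnectionRefusedError:
        outcome = Outcome.REFUSED
    except socket.timeout:              # TimeoutError on Python 3.10+
        outcome = Outcome.TIMEOUT
    except OSError as exc:
        return Outcome.ERROR, f"{EXPLANATION[Outcome.ERROR]} ({exc})"
    return outcome, EXPLANATION[outcome]


def open_local_listener() -> tuple[socket.socket, int]:
    """Helper for offline demonstration: a listener on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed demonstration against the local machine only.
    srv, port = open_local_listener()
    print(probe("127.0.0.1", port))   # listener up -> REACHABLE
    srv.close()
    print(probe("127.0.0.1", port))   # listener gone -> REFUSED
    print(probe("host.invalid", 5650))  # placeholder name -> NAME_FAILED
```

The diagnostic text is what the Viewer could show in place of a silent failure, and it is also what a non-technical user can read back to whoever is helping them over the phone.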

Version 6.9 Beta - main discussion

MaxBlitzer, User (Posts: 23)

Jul 07, 2018 5:54:35 am EDT

Conrad wrote:

Hi Max,

Yes, that. Though, I think you mean "local user" (person at the location of the PC) since I am the remote user (person at another location) and I can't click on it and its in the way.

Yes, this depends on where you are. But in our documentation and elsewhere on the site we use these terms in relation to where the tech/admin is located. So the admin is the local user whereas the user who is sitting at the computer to which the admin is connecting in is the remote user.

I guess unattended remote access isn't so much your target customer as remote technicians where this might make some sense.

With unattended access no remote user is present.

Correct. Two remote monitors and two local monitors, and I want to map each remote monitor to a specific local monitor. Since this is not a beta feature, I agree this isn't the place.

This thread can help.

Thanks.

Awesome! Thanks

Direct connect arbitration

MaxBlitzer, User (Posts: 23)

Jul 06, 2018 4:49:08 am EDT

Conrad wrote:

Hello Max,

Yeah, I don't think you understand what I mean, because businesses would definitely prefer to run traffic between their hosts directly and not through another server unless they had to. We'll just agree to disagree on that. Perhaps if I was unclear, all I really meant is that connections be made using direct connection, but without the user having to configure anything, it is handled automatically by the server. But I do believe you answered my question by not having any plans to implement such a feature. Fair enough.

Perhaps, cascade connection may qualify as such a feature.

Thanks.

Thanks, that would be very useful for places with more than one machine and I'll look at setting that up in one place.  But not so much when target computers are at different locations.

Version 6.9 Beta - main discussion

MaxBlitzer, User (Posts: 23)

Jul 06, 2018 4:37:23 am EDT

You probably mean the first connection warning. This warning is shown only once and will go away if either of the following is true:

- The remote user clicks on it
- You connect to that Host from a Viewer registered with a PRO or SITE license

Yes, that. Though, I think you mean "local user" (person at the location of the PC) since I am the remote user (person at another location) and I can't click on it and its in the way.  Since I would only ever be a STARTER, this is a showstopper for me.  Are you saying in that documentation that "remote user" is actually the person AT the keyboard???  I guess this is a perspective (from a technician point of view) issue, but generally the person AT the PC is local and the person NOT at the PC is remote (local user, remote technician).  I guess unattended remote access isn't so much your target customer as remote technicians where this might make some sense.


You might want to turn off the "Advanced mouse scroll " option in connection properties .

Thanks. So in the viewer, I click "Connection" and then "Properties". Nothing happens. But then I see you set your new default connection settings when editing the properties of an existing connection.  So if making multiple edits on multiple pages, and click "Set as default for new connections", some settings are ignored (ie, Names, ID's, ) and some are applied (tick box stuff)?  You might want to think about making a default connection settings page you can access from Connection->Properties that doesn't include connection specific properties.

Do you mean displaying them on two different local monitors? So you have two remote monitors and two local monitors, and you want to map each remote monitor to a specific local monitor. Is that the case?

Correct. Two remote monitors and two local monitors, and I want to map each remote monitor to a specific local monitor.  Since this is not a beta feature, I agree this isn't the place.