guitxo  
#1 Posted : Sunday, March 11, 2018 4:25:54 PM(UTC)
I keep seeing sessions I did not create. Is that normal?

Scott  
#2 Posted : Monday, March 12, 2018 11:02:43 AM(UTC)
So we've seen this issue come up a few times in the past, and previous investigations have concluded that it's likely an AV company executing a copy of your Access client installer within a virtual environment in order to test/profile it. See some other discussion here.

Either way, however, there's no security risk to you if someone installs your Access client onto their system; it would really just give you SYSTEM level access to their machine.
ScreenConnect Team
Linda L  
#3 Posted : Friday, March 30, 2018 7:36:20 PM(UTC)
So that's all fine and dandy that these "unknowns" pose no security risk. However, we purchased a set number of session connections. If I/we don't delete these "unknowns" from our Access List they could cause us to max out our session limit at some point in the future.

I have also had the same computers come back sometimes with the same IP and sometimes with a different one. This whole scenario is very annoying to say the least and we should not have to do this kind of housekeeping on a regular basis.

We have only been using CW for a few months and use it for customer support. While I like many features I am questioning our decision and whether or not we will renew due to this issue and several others I've encountered.

Linda L
shawnkhall  
#4 Posted : Friday, March 30, 2018 11:32:55 PM(UTC)
i've been using SC for several years and in that time i've had maybe 10 devices that showed up without my prior knowledge or contact. two were from random residential IP addresses in asia that smelled of hacking attempts. all the rest were from different "security" outfits that downloaded them to virtual machines to determine if they were malicious. for the most part it's unlikely to cause any problem.

having these people install SC should only impact the session limit if you actually have connections open to those unknown devices, which is quite unlikely since they finish their install/test/validation process in less than 15 minutes, then dump the VM so it'll never reconnect again. they're simple enough to remove from your device list (only 'end', don't bother to queue an 'uninstall' since they're most likely virtual machines), so while an annoyance, it isn't that big of a problem.

i would like to have an extension or something that required a pin or passcode before an access installer were allowed to be downloaded. this would greatly reduce these installs.
mih2  
#5 Posted : Saturday, March 31, 2018 2:24:44 AM(UTC)
Our client that got distributed to a few mystery machines was pulled from some machine(s) at a specific client. We do NOT allow the client to be downloaded (and assigned to a company) without logging in as a deployment user.

If it indeed is a security outfit that's doing this, it's either Webroot or Symantec (which were present on the machines at the client).
When the machines got this client install, they were unpatched, so could also be some hacker that got through initially, and is now installing it randomly on other hacked machines?
The machines are only active for a few hours before going dead, so I'm leaning towards the former.
shawnkhall  
#6 Posted : Saturday, March 31, 2018 7:24:18 PM(UTC)
it's actually more than that. most av services submit (upload) unknown applications to their scanners for detection. the IP addresses for the unknown installs on my instance resolved to symantec, kaspersky, and mcafee.
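
Added example, not part of the thread and not ConnectWise code: a triage pass over unknown Access sessions using the two signals posts #4 and #6 describe (lifetime under 15 minutes, source IP resolving to an AV vendor). The record fields, the `.example` vendor suffixes and the sample sessions are assumptions constructed for illustration; the PTR lookups are supplied as data so the script runs offline.

```python
from datetime import datetime, timedelta

# Placeholder suffixes (assumption): the thread names vendors, not host names.
VENDOR_SUFFIXES = ("symantec.example", "kaspersky.example", "mcafee.example")
SANDBOX_MAX_LIFETIME = timedelta(minutes=15)  # figure quoted in post #4

def vendor_of(ptr_name):
    """Return the vendor suffix a PTR name belongs to, matching whole labels."""
    host = ptr_name.rstrip(".").lower()
    for suffix in VENDOR_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None

def triage(s, inventory):
    """Classify a session: expected, likely-av-sandbox, or investigate."""
    if s["name"] in inventory:
        return "expected"
    # A PTR record is set by whoever controls the address block, so trust it
    # only when the name resolves back to the same IP (forward-confirmed).
    confirmed = s["ip"] in s["ptr_forward"]
    short_lived = s["last_seen"] - s["first_seen"] <= SANDBOX_MAX_LIFETIME
    if vendor_of(s["ptr"]) and confirmed and short_lived:
        return "likely-av-sandbox"
    return "investigate"

def rec(name, ip, ptr, ptr_forward, first, last):
    """Build one constructed session record; times are HH:MM on one day."""
    at = lambda hhmm: datetime.strptime("2018-03-30 " + hhmm, "%Y-%m-%d %H:%M")
    return {"name": name, "ip": ip, "ptr": ptr, "ptr_forward": ptr_forward,
            "first_seen": at(first), "last_seen": at(last)}

# Constructed sample data: documentation IP ranges and made-up host names.
INVENTORY = {"FRONTDESK-01"}
SESSIONS = [
    rec("FRONTDESK-01", "192.0.2.10", "", [], "09:00", "17:00"),
    rec("WIN-SBX01", "198.51.100.7", "scan7.symantec.example",
        ["198.51.100.7"], "10:00", "10:09"),
    rec("DESKTOP-A1", "203.0.113.44", "host44.dsl.isp.example",
        ["203.0.113.44"], "10:00", "13:00"),
    rec("WIN-SBX02", "203.0.113.90", "vm.notsymantec.example",
        ["203.0.113.90"], "11:00", "11:05"),
    rec("WIN-SBX03", "198.51.100.99", "scan.mcafee.example",
        ["192.0.2.200"], "12:00", "12:08"),
]

def report():
    """Map each session name to its triage verdict."""
    return {s["name"]: triage(s, INVENTORY) for s in SESSIONS}
```

Only WIN-SBX01 is cleared as a probable scanner; the look-alike suffix, the PTR that does not resolve back to the source IP, and the long-lived residential session all stay in the investigate pile.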