kpax  
#1 Posted : Friday, June 19, 2015 5:52:41 PM(UTC)

Hey Guys,

I have the software set up with an externally accessible portal. I have an installer build on the guest page behind a password prompt. In the last few days I have gotten a few PCs in my 'Access' section that are not within my org. They look spammy. See below:

UserPostedImage

UserPostedImage

My current build is; Your Version:5.2.8694.5556

The SC server is in the domain, should I move it off the domain?

Is this something I should be concerned about?

Is there any way I can have computers need to be approved before they show up in 'Access'?

Reid  
#2 Posted : Tuesday, June 30, 2015 2:12:15 PM(UTC)


Rank: Administration

Medals: Level 2: Lent a Helping Hand! 10 Thanks!

Joined: 4/22/2010(UTC)
Posts: 475
Location: NC

Was thanked: 17 time(s) in 15 post(s)
I would guess that someone got a hold of one of your Access installers and probably thought that that would give them access to someone else's machine (rather than the other way around). Probably not a huge concern but you could use the "RestrictToIPs" and "BlockIPs" keys in the ScreenConnect web.config file to limit access. (You could also do that via your router, if you wanted to block the IPs of the machines that appeared on your list of Access sessions.)

As far as having a "Needs Approval" list, depending upon how you are currently grouping your Access sessions, you could create an Access Session Group for machines that are not yet in other groups (i.e., new sessions that have not been grouped).

http://help.screenconnec.../Managing_session_groups

ScreenConnect Team
RalphA  
#3 Posted : Friday, July 10, 2015 6:52:17 PM(UTC)

I think I have figured out what these are.

Apparently the client installer's behavior is being analyzed by an AV vendor. To test this theory I built two installers, customizing them with different organizations. Of course these have different hashes (MD5, SHA, etc.). Then I uploaded both of them to virustotal.com. Within 10 minutes I had two phantom clients show up under the organizations I had created. Both of them were running under a Virtual Machine as in the original post above. One of them was even the same IP.

You can also expect to see this if Herd Protect is run. I ran that last night on a real client's computer and had a phantom on the same organization show up this morning. This caused alarm and I investigated.

Since every "customized" installer is a unique executable, it will have a new hash associated and the first time it gets scanned by an AV vendor for "behavior analysis", it's going to show up in your SC Host (assuming the AV vendor allows outbound connections in their "sandbox").

Cheers
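A "needs approval" triage pass over a session list, as an added example that is not from any poster in this thread and is not ScreenConnect code: it holds back sessions whose guest IP is outside the networks you expect, and marks the off-network virtual machines that match the sandbox pattern described above. The record fields (`name`, `guest_ip`, `is_vm`), the trusted networks and the sample rows are all assumptions constructed for illustration, not a ScreenConnect export format.

```python
import ipaddress

# Assumption: the networks your managed machines normally connect from.
TRUSTED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("203.0.113.0/24", "198.51.100.16/28")]

# Constructed sample rows; field names are hypothetical.
SESSIONS = [
    {"name": "FRONTDESK-01", "guest_ip": "203.0.113.20", "is_vm": False},
    {"name": "BUILD-VM",     "guest_ip": "198.51.100.18", "is_vm": True},
    {"name": "WIN-7PC",      "guest_ip": "192.0.2.77",    "is_vm": True},
    {"name": "LAPTOP-JS",    "guest_ip": "192.0.2.140",   "is_vm": False},
    {"name": "ADMIN-PC",     "guest_ip": "not-an-ip",     "is_vm": True},
]


def on_trusted_network(raw_ip, trusted=TRUSTED_NETWORKS):
    """True only if raw_ip parses and falls inside a trusted network."""
    try:
        ip = ipaddress.ip_address(raw_ip)
    except ValueError:
        return False  # garbage or missing address is never trusted
    return any(ip in net for net in trusted)


def triage(session):
    """Classify one session: approved, likely-sandbox or needs-review."""
    if on_trusted_network(session.get("guest_ip", "")):
        return "approved"  # an in-house VM on a known network is fine
    if session.get("is_vm"):
        # Off-network VM: the pattern seen after an installer is scanned.
        return "likely-sandbox"
    return "needs-review"  # physical machine from an unknown source


def build_queue(sessions):
    """Map session name to verdict so unapproved entries can be reviewed."""
    return {s["name"]: triage(s) for s in sessions}


if __name__ == "__main__":
    for name, verdict in build_queue(SESSIONS).items():
        print(f"{name:14} {verdict}")
```
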