Closed Ylianst closed 12 months ago
You can submit the agent for analysis here: https://www.microsoft.com/en-us/wdsi/filesubmission
Avast has been doing this the last month or so and I've been going back and forth with tech support about it ever since. My main issue is that I have exclusions in place on my Avast CloudCare installs (all of my customers are set up with Avast CloudCare) but CloudCare, randomly, will ignore the exclusions and end up deleting MeshAgent and/or the service from the devices I manage. In regards to the user consent/notification, please only make that optional. Almost 100% of the devices I manage I need unattended remote access to, as I manage these systems during off-business hours. What I don't understand is that many, many other remote tools work in completely unattended mode and don't get flagged like this, like Splashtop, AnyDesk, RemoteUtilities, etc. AnyDesk and RemoteUtilities both have free options as well, which means bad actors can use them just like they would MeshCentral. So something else is at play here and is not just because MeshCentral can be used by anyone. I'm guessing the other products may be paying the antivirus vendors to stay on their 'nice list'?
A while ago someone posted an email exchange with support from their AV vendor, I can't remember where, but it said something about how MeshCentral didn't have a dialog during installation time, advising the user that the software allows remote access to the system, with an OK / CANCEL button or something to that effect. Saying that's why it was flagged as potentially "unwanted" software, because there supposedly wasn't a warning about what type of software was being installed. So I worked on adding optional support to display a dialog box with custom text that can be configured, that by default can say something to that effect... I implemented it because someone asked about needing a legal/privacy disclosure/acknowledgement at installation time, so I made it so the server can specify the text, so it can be whatever you want.
Whether or not this will actually have any effect on AV detection as "unwanted" software, I have no idea, which is why I made it optional, and disabled by default.
I was hoping that change you made was going to resolve this. But it hasn't. The change is very nice and makes it look much more legitimate to my customers- so it is greatly appreciated. But the AV vendors (especially Avast) still keep flagging it as a virus. In the past they would remove it from the definition files when I'd report it. But now the best they will do is change the classification from being a straight out virus to just a PUP (Potentially Unwanted Program). It's pretty infuriating to be honest. As it creates a massive amount of work on my part to 'recover' the devices that have had MeshAgent removed by the antivirus. It just makes it worse when the product I resell and manage for all of my endpoints has exclusion policies that are meant to protect from this sort of thing- but those exclusions aren't always honored by the Avast client. I'm going on two weeks trying to get them to resolve that HUGE issue. I just now, hopefully, have them understanding how big a deal it is when exclusion policies are not being honored.
If I knew that signing my agent with a certificate and locking it to my server would actually solve this I'd absolutely do it. But I asked Avast about that and they said it wasn't due to the signing certificate. But that was also first level support so who knows what would happen in reality. I'd just hate to shell out the funds and time involved for nothing.
I've left a thread or two on the AVAST user forum (without being answered by Avast)- I don't mind so much that the software is flagged as Potentially unwanted, HOWEVER if I exclude it within Avast, I expect that Avast should acknowledge that and not flag it again, and again and again.
I've had the meshagent.exe flagged three times in one day, getting excluded EACH time. And each time, I need to add an exception, then install the agent again.
As discussed on Reddit here. Microsoft Security Essentials April 23, 2022 Definitions: 1.363.833.0 Flagging MeshAgent.exe
ProgramWin32/Uwamson.A!ml
Category: Potentially Unwanted Software
Description: This program has potentially unwanted behavior.
Recommended action: Remove this software immediately.
Items:
  file:C:\Program Files\Mesh Agent\MeshAgent.exe
  uninstall:HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Mesh Agent
  safeboot:HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\Mesh Agent
  service:Mesh Agent
  regkey:HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Mesh Agent
  regkey:HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\Mesh Agent
Arg. That is too bad, but not unexpected. People do bad things with the agent. I just published MeshCentral v1.0.12 with the Windows agents signed using a different self-signed root but that will probably not make a difference.
We may need to change strategy and release agents with more mandated user consent/control to solve this, but this will mean that there will no longer be a way to just remote into computers. MeshCentral Assistant is like this already.
Another solution may be for people to code-sign their own agent (this costs money however). We have a way to sign the agent and lock it to only connect to your server, video on this here.
Please don't force Consent. I manage a lot of systems that don't have users or after hours when users are not available. It would be so much better to point people at customizing the name of the agent and either installing the current certificate in each system or creating their own cert to sign it with. We install the current cert into the Windows system and customize the agent name and have not run into this problem yet. I'm working now on purchasing a code-signing cert specifically to work with this issue before I have it.
@Ylianst another solution might be to lock the agent to the server on install automatically for each new server install instance. Locking the agent is a good way to stop this issue for several reasons.
Just some food for thought.
The consent I was referring to was just at installation time. But either way, it's completely optional.
Oh, in that case that can definitely be set to mandatory (in my opinion anyway). I definitely want that new screen appearing for all of my installs.
You are a paying customer to Avast.
If their support will not assist you in a reasonable manner, cancel the account, let sales and support know the reason for cancelling the account and remove their software. Sometimes it takes financial consequences for vendors to take appropriate action.
@si458 can close
closing as agreed, all AV ones will point to a discussion going forward, methinks