Closed PathfinderNetworks closed 1 year ago
BTW, this is now for the 64bit version. Previously it was only the 32bit version they were flagging.
Arg! Thanks for the report. I just did the same and filed a false positive here.
sent some
Avast reported back that they have whitelisted MeshAgent again. Hopefully they are the only ones that were flagging it as malware this time.
I need to research this a bit more, I wonder how other RMMs deal with this.
I don't know about other RMMs specifically, but I know other software creators who submit their new files to VirusTotal and Jotti before releasing them publicly to see if any of the antivirus solutions available through them detect it, then they can preemptively submit false positive reports if a detection occurs.
I did not know about Jotti, thanks for the info. I do submit the MeshAgent.exe (32 and 64bit) to VirusTotal before publishing it and only publish clean versions. That does not help however as a month later the results look very different and the number of red marks only goes up. We almost need to release a new agent every 3 weeks.
It makes me wonder if there may be nefarious characters out there using MeshCentral more like malware to gain remote access to devices they shouldn't be? And if that might be why it's getting flagged as such? Not that any of us would have any power to prevent that - more thinking about why this might be happening?
Possible, but more likely the AV engines see these files on people's computers, automatically submit them as suspicious because they're unknown and/or because they do suspicious things, and the AV vendors add them to their databases. I guess the answer is probably to regularly (e.g. weekly) submit to VirusTotal/Jotti/etc. and see if it's time to submit another wave of false positive reports to the various AV vendors. Ugh.
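The weekly re-check suggested in the comment above, as an added example that is not part of the original thread or the MeshCentral project: it compares two saved VirusTotal API v3 file reports and lists which engines newly flag the binary, so false positive reports go only to those vendors. The report snippets and the `ExampleAV-*` engine names are constructed, and fetching the reports is left out.

```python
import json

# Constructed snippets shaped like a VirusTotal API v3 file report
# (data.attributes.last_analysis_results). Verdicts are made up, except the
# Avast label, which is the one quoted in this thread.
LAST_WEEK = json.loads("""{"data": {"attributes": {"last_analysis_results": {
  "Avast":       {"category": "undetected", "result": null},
  "ExampleAV-2": {"category": "malicious",  "result": "Generic.Suspicious"},
  "ExampleAV-3": {"category": "suspicious", "result": null},
  "ExampleAV-4": {"category": "undetected", "result": null}
}}}}""")

THIS_WEEK = json.loads("""{"data": {"attributes": {"last_analysis_results": {
  "Avast":       {"category": "malicious",  "result": "Win32:Malware-gen"},
  "ExampleAV-2": {"category": "undetected", "result": null},
  "ExampleAV-3": {"category": "suspicious", "result": null},
  "ExampleAV-4": {"category": "timeout",    "result": null}
}}}}""")

# Timeouts, failures and "undetected" are not detections.
FLAGGED = {"malicious", "suspicious"}


def detections(report):
    """Map engine name -> detection label for engines that flag the file."""
    results = report["data"]["attributes"]["last_analysis_results"]
    return {
        engine: verdict.get("result") or verdict["category"]
        for engine, verdict in results.items()
        if verdict.get("category") in FLAGGED
    }


def drift(baseline, current):
    """Compare two reports for the same file hash."""
    before, now = detections(baseline), detections(current)
    return {
        # Vendors that need a new false positive report.
        "new": {e: now[e] for e in sorted(now.keys() - before.keys())},
        # Vendors whose earlier detection has been withdrawn.
        "cleared": sorted(before.keys() - now.keys()),
        # Vendors where an earlier report is still outstanding.
        "still_flagged": sorted(before.keys() & now.keys()),
    }


if __name__ == "__main__":
    print(json.dumps(drift(LAST_WEEK, THIS_WEEK), indent=2))
```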
Actually, come to think of it, the version of the agent that usually gets downloaded includes a .msh file basically tacked on the end of it, right? Well, there was a report a while ago about someone having a couple of extra computers show up on their MeshCentral server. I bet you they were virtual machines set up as antivirus test computers that were checking to see what the MeshAgent installer did after the file was submitted (possibly automatically) to the vendor for analysis.
Sometimes if an application is reported to an antivirus company (scam, phishing etc...) and your application behaves in a similar way or does things differently than it did before, then it is triggered as a false positive.
There could also be a possibility of scammers using remote desktop software to perform their activity, and there are scam baiters who report the software used, but I hope MC is not one of them.
Or, last but not least, someone is having a laugh and reports it for no apparent reason but to have fun.
@si458 can close
Sadly this is always going to happen and there isn't much we can do. It now adds a certificate to the exes to hopefully help Windows find it legit, but even that's not always correct! One way around is to use your own code-sign certificate AND/OR allow the exe in the antivirus you use.
I just submitted a false positive report to Avast for this. Might be a good idea for others to report it as well.
I've started getting alerts from devices I manage with Avast CloudCare that it's detecting the MeshAgent Windows service as malware.
Threat Description: Win32:Malware-gen
Threat Severity: Infection
Threat Shield: Antivirus
Object Name: SVC: Mesh Agent > C:\Program Files\Mesh Agent\MeshAgent.exe
In my case I have rules in place for all of my Avast CloudCare endpoints to ignore everything for MeshCentral - so it hasn't acted on the 'infection'.