rustdesk / rustdesk-server-pro

Some scripts for RustDesk Server Pro are hosted here.

Custom Client detected as suspicious download / antivirus false positive #231

Open mlopiccolo-progres opened 2 months ago

mlopiccolo-progres commented 2 months ago

When our customers download our custom client, Chromium-based browsers often detect it as suspicious, and so do some antiviruses (right now we have tested Panda and AVG).

Is there a solution for this? It's annoying and not very professional to have this happen with our customers.

rustdesk commented 2 months ago

There is no solution for this; you have to report it yourself to each antivirus vendor.

mlopiccolo-progres commented 2 months ago

Why does this happen? Isn't the custom client using the same signature as the official one? Would it maybe help to call the executable the same as the official one?

rustdesk commented 2 months ago

I know you will ask this, because I thought like you before. But things are much more complicated than you imagine. Frankly, I know little either.

mlopiccolo-progres commented 2 months ago

Yeah, well, I know when it is about antiviruses, things are always complicated. Thank you for clarifying. Hope in the future there will be a solution. I will try to report the false positives to antivirus vendors.

AlvaroNieto commented 2 months ago

The server pro is compiling each build with its private key, branding, configs, etc... We guess the signature or hash of each build is different. Every zero trust antivirus is going to block the executable while they analyze it for the first time.

What we are doing is to run the new build, let the antivirus block it and wait a couple of hours till it's acknowledged as safe software. Then we "publish" the build.

It may not be the smoothest thing, but it works just fine. Since we only have two different antiviruses running between all our clients, it's not a big deal.

mlopiccolo-progres commented 2 months ago

The problem for us is that our customers might have any antivirus in existence since we don't always sell ours. Also the custom client is sometimes being detected as malicious even by old school signature-based endpoint antiviruses (and this is really weird, because uploading the file on VirusTotal, while I know it doesn't really mean anything, results as 99% clean with only one false positive).

I'm really curious to know how TeamViewer and AnyDesk pull this off without being detected as false positives.

dinger1986 commented 1 month ago

Because TeamViewer and AnyDesk don't use custom clients.

AVs work on zero trust or if they haven't seen an executable before they consider it dangerous.

mlopiccolo-progres commented 1 month ago

> Because TeamViewer and AnyDesk don't use custom clients.
>
> AVs work on zero trust or if they haven't seen an executable before they consider it dangerous.

I used to be a user of both TV and AD, and in their business plans they have the ability to generate pre-configured custom clients that are automatically connected to your account and have your company logo, etc... They never got caught by EPP or EDR. Aren't they the same thing?

dinger1986 commented 1 month ago

Ah yes, no idea

dinger1986 commented 1 month ago

Thinking about this some more, you said they were never, as in past tense; doesn't mean they aren't now. Remember, all remote control software is treated as greyware by AVs, so it could happen with any remote control software.

AlvaroNieto commented 2 weeks ago

FYI, as of version 1.3.7 of RustDesk Server Pro (and 1.2.5 client), new custom clients are not being flagged in the very first run (at least from my end).

mcloudeeds commented 2 weeks ago

Are not being flagged for which antivirus?

> From: AlvaroNieto
> Sent: Thursday, June 13, 2024 7:27 AM
> Subject: Re: [rustdesk/rustdesk-server-pro] Custom Client detected as suspicious download / antivirus false positive (Issue #231)
>
> FYI, as of version 1.3.7 of RustDesk Server Pro (and 1.2.5 client), new custom clients are not being flagged in the very first run (at least from my end).


AlvaroNieto commented 2 weeks ago

Bitdefender and another one I would rather not say. I have just run the custom client in VirusTotal and the result was 2 positives out of 74 antiviruses.