Nod32 and Dameware MRC

I've been receiving these alerts today from a very high percentage of the PCs on one of the networks I manage. We use Dameware to remotely manage the PCs. It seems odd that I would be receiving this message from nearly all of the machines all at once. Is anybody else having this problem?? Is this a legitimate infection that has spread, or a false positive??

 

Please send the file in an archive protected with the password "infected" and "False positive" in the subject to samples[at]eset.com. It may not be necessarily false positive as commercial tools for remote administration are detected as potentially unsafe applications.

 

We also have the same problem, using ESET NOD32 v3.0.669 Business Edition.

Gerrit

 

I've installed Dameware 6 on a computer running fully updated ESS and didn't get any warning during installation. Are you using the most current version 3378? If so, please submit the file as described in my previous post.

 

Hello Marcos,

It is not the installed software, which gives the problem/alert. It is the remote client, which is being installed on a client when Dameware Mini Remote Control is being used to manage a remote client. At that moment, DWRCS.exe is being installed on the client as a service.

The problem occurs on this client. The alert is also triggered on some clients where the service runs, when the service is updated and a restore point is created.

BTW, our version is indeed 3378.

Gerrit

 

Same problem here. Using V2.70.39 (we still have some NT machines)
Started with signature 3374 and still exists with 3379.
DWRCS.exe v. 5.0.1.1 and 5.5.0.0 are suspected.
The fact, that a remote control tool is suspicious is not the problem.
The problem is, that every way we tried to EXCLUDE the file in AMON is obviously ignored. Lower case/ capitals, short path, long file names, no help, the file is found and checked.
Any way around? The tool is definitley okay, only a little bit outdated. But that will never be changed just because of NOD32 not willing to live with Dameware 5.5

 

hi there,

just got the response that solution is about to come with one of the next updates - they're working on it, please hold on just a little

 

Replying to myself: fur us it seems solved with signature 3380..
Any other experiences?

greeting from germany
Armin

 

3380 seems to have fixed it for us as well. Thanks!!