VNC labelled as WIN32/RA

Discussion in 'NOD32 version 2 Forum' started by tdueck, Aug 1, 2007.

Thread Status:
Not open for further replies.
  1. tdueck

    tdueck Registered Member

    This morning quite a few of our systems are catching the VNC executables as possible variants of Win32/RA. Can anyone give me an update as to what the cause might be (I am assuming it's the result of an update yesterday) and if anyone else is having the same problem. Thanks.



    Operating memory - probably a variant of Win32/RA-based application

    C:\Program Files\RealVNC\VNC4\winvnc4.exe - probably a variant of Win32/RA-based application
    C:\Program Files\UltraVNC\vnchooks.dll - probably a variant of Win32/RA-based application
    C:\Program Files\UltraVNC\vncviewer.exe - probably a variant of Win32/RA-based application
    C:\Program Files\UltraVNC\winvnc.exe - probably a variant of Win32/RA-based application
     
  2. YeOldeStonecat

    YeOldeStonecat Registered Member

    What options under AMON are you running, as far as "Potential"...if you crank them up, it will detect some remote admin utilities.
     
  3. jftuga

    jftuga Registered Member

    I can confirm this with signature version 2430. I have sent in a bug report via their web page: http://www.eset.com/support/contact.php
    This is my first time getting a False Positive with NOD32.

    I also looked at:
    http://www.eset.com/support/updates.php
    but could not see anything related to Win32/RA.

    I hope this is fixed in 2431. This is a big problem for us as this is how we connect to our servers.

    If others are seeing this problem, please contact them. The more people that submit this problem, the quicker it will get fixed.

    -John
     
  4. jftuga

    jftuga Registered Member

    I just got a reply to my support ticket and this is what it said:

    The VNC false positive is a known issue with the most recent update and will be resolved shortly. If you wish, you can disable the detection of potentially unwanted/unsafe applications in AMON until the next update is released.


    Great news!
    -John
     
  5. Marcos

    Marcos Eset Staff Account

    It is NOT a false positive. Potentially unsafe applications cover mostly commercial applications for remote administration and VNC is actually such an application.
     
  6. Leer

    Leer Registered Member

    It IS a false positive to the vast majority of system admins. Almost everyone uses some form of a remote tool on the network. VNC being a popular choice.
     
  7. Banger696

    Banger696 Registered Member

    Agreed.
     
  8. Marcos

    Marcos Eset Staff Account

    Then I wonder why we and other AVs have a group of potentially unsafe applications if clients want to have every such application excluded; it simply doesn't make sense to have a group of apps that would cover nothing.
     
  9. YeOldeStonecat

    YeOldeStonecat Registered Member

    Years ago, but Remote Desktop has taken over.

    Also IMO you don't need to run PDA option on a server...you don't (or most of us know better) web surf on a server, you don't run e-mail clients on a server, a server is (or should be) behind a firewall....minimal exposure.
     
  10. ASpace

    ASpace Guest

    I fully agree with this. The default settings of AMON, EMON, DMON and IMON related to what to scan for are excellent :thumb:
     
  11. bsilva

    bsilva Registered Member

    I have to agree that this is a problem. I had to reinstall VNC on my workstations and servers. To me this is a fp but I can see Marcos' point also.
     
  12. Marcos

    Marcos Eset Staff Account

    We will remove the detection, but a much better solution would be to remove unwanted apps completely; otherwise this makes no sense. I can't understand why people want one particular RA tool to remain undetected but not the others. If you want to be protected against RA tools, then every such tool must be detected. Imagine that someone asked us to remove all other RA tools; then you would be under the false impression of being protected, but actually you wouldn't be, as PUA wouldn't cover a thing.

    What you should take into account:

    1. PUA cover commercial remote admin tools
    2. PUA are disabled in all modules by default
     
  13. Leer

    Leer Registered Member

    True, RDP has a big place on the network now and works very well. We still have a number of Win2K workstations and some servers, and VNC (flavours) works well when you want access to the console.
     
  14. jftuga

    jftuga Registered Member

    Marcos,

    One thing that I would like to point out is that this change in behavior was not mentioned in the changelog for v.2430:

    http://www.eset.com/support/updates.php

    If it was mentioned, it was not apparent. Do you agree with this?

    -John
     
  15. covaro

    covaro Registered Member

    If you look at the original post it says "probably a variant of" which means it was detected heuristically. So it wouldn't show up as a new definition in the list.

    -Cov
     
  16. Marcos

    Marcos Eset Staff Account

    These were not standard signatures, hence they did not appear in the list.
     
  17. Leer

    Leer Registered Member

    Just pointing out that VNC has been a popular choice for admins for a long time and for that reason was a surprise to see it detected. I can see scanning for BO2K, NC or sub7 “like programs” but wouldn’t expect to see what I believe to be a common RA tool on show.

    I can see the reasoning for detecting the RA applications (RDP, VNC, Citrix, NC…); it just appears not to be as simple as identifying all RA applications.

    What are Eset's plans for RA detection?

    It is an easy workaround, although it will take some time: we have disabled scanning of the VNC folder and will start reinstalling.
     
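    As an added example of the triage behind the workaround discussed in this thread (this is not code from any participant or from ESET): rather than excluding the whole VNC folder from scanning, which would also leave anything later dropped into that folder unscanned, keep an inventory of the sanctioned remote-admin binaries by path and SHA-256 and sort each scanner line into "expected" or "investigate". The log lines are the ones from the first post plus one constructed line for a stray copy of winvnc.exe; the inventory format, the hashes and the stand-in file contents are this example's assumptions, not anything from the page.

```python
"""Triage of NOD32-style "potentially unsafe application" hits on remote-
administration (RA) tools.  Added example for this thread; the inventory
format, hashing and sample bytes are assumptions of this example."""
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

HEURISTIC_PREFIX = "probably a variant of"   # wording NOD32 uses for non-signature hits
LINE_RE = re.compile(r"^(?P<object>.+?) - (?P<verdict>.+)$")


@dataclass
class Hit:
    obj: str         # file path, or "Operating memory"
    verdict: str     # detection text exactly as the scanner printed it
    heuristic: bool  # True for "probably a variant of ...", i.e. no named signature


def parse_line(line: str) -> Optional[Hit]:
    """Parse one scanner output line; returns None for lines that are not hits."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    verdict = m.group("verdict")
    return Hit(m.group("object"), verdict, verdict.startswith(HEURISTIC_PREFIX))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(log_text: str,
           inventory: Dict[str, str],
           read_file: Callable[[str], Optional[bytes]]) -> Dict[str, Tuple[str, str]]:
    """Map each detected object to (status, reason).

    inventory: lowercase path -> SHA-256 of the sanctioned binary at that path.
    read_file: returns the file's bytes, or None if unreadable (a real reader
               in production; the sample below uses a dict of constructed bytes).
    """
    decisions: Dict[str, Tuple[str, str]] = {}
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        if hit.obj.lower() == "operating memory":
            # No file to hash for a memory hit; the owning process must be identified.
            decisions[hit.obj] = ("investigate", "in-memory RA code, identify the owning process")
            continue
        expected = inventory.get(hit.obj.lower())
        if expected is None:
            # Same file name as a sanctioned tool is not enough: this path is unknown.
            decisions[hit.obj] = ("investigate", "RA-tool hit outside the sanctioned inventory")
            continue
        data = read_file(hit.obj)
        if data is None:
            decisions[hit.obj] = ("investigate", "sanctioned path but file unreadable or missing")
        elif sha256_hex(data) != expected:
            decisions[hit.obj] = ("investigate", "sanctioned path but hash differs from inventory")
        else:
            kind = "heuristic" if hit.heuristic else "signature"
            decisions[hit.obj] = ("expected", f"sanctioned RA tool, {kind} PUA hit")
    return decisions


# Constructed sample: the lines from the first post plus one constructed line
# for a copy of winvnc.exe in a temp directory that is not in the inventory.
SAMPLE_LOG = "\n".join([
    "Operating memory - probably a variant of Win32/RA-based application",
    r"C:\Program Files\RealVNC\VNC4\winvnc4.exe - probably a variant of Win32/RA-based application",
    r"C:\Program Files\UltraVNC\vnchooks.dll - probably a variant of Win32/RA-based application",
    r"C:\Program Files\UltraVNC\vncviewer.exe - probably a variant of Win32/RA-based application",
    r"C:\Program Files\UltraVNC\winvnc.exe - probably a variant of Win32/RA-based application",
    r"C:\Windows\Temp\winvnc.exe - probably a variant of Win32/RA-based application",
])

# Stand-in file contents (constructed bytes, not real binaries).  The inventory
# is built from the sanctioned installs; on the simulated disk vnchooks.dll has
# since been altered, so its hash no longer matches.
SANCTIONED_BYTES = {
    r"c:\program files\realvnc\vnc4\winvnc4.exe": b"MZ constructed winvnc4",
    r"c:\program files\ultravnc\vnchooks.dll":    b"MZ constructed vnchooks",
    r"c:\program files\ultravnc\vncviewer.exe":   b"MZ constructed vncviewer",
    r"c:\program files\ultravnc\winvnc.exe":      b"MZ constructed winvnc",
}
SAMPLE_INVENTORY = {path: sha256_hex(data) for path, data in SANCTIONED_BYTES.items()}
SIMULATED_DISK = dict(SANCTIONED_BYTES)
SIMULATED_DISK[r"c:\program files\ultravnc\vnchooks.dll"] = b"MZ constructed vnchooks TAMPERED"
SIMULATED_DISK[r"c:\windows\temp\winvnc.exe"] = b"MZ constructed winvnc"


def sample_triage() -> Dict[str, Tuple[str, str]]:
    """Run the triage over the constructed sample."""
    return triage(SAMPLE_LOG, SAMPLE_INVENTORY, lambda p: SIMULATED_DISK.get(p.lower()))
```

    Running `sample_triage()` marks the three untouched sanctioned binaries as expected heuristic PUA hits and flags the rest: the memory hit (no file to hash), the altered vnchooks.dll (hash mismatch) and the copy of winvnc.exe under C:\Windows\Temp (correct file name, unsanctioned location). That last case is exactly what a folder-level exclusion cannot distinguish, which is why the check keys on path plus hash rather than on the directory.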
  18. Leer

    Leer Registered Member

    I should add that I don't expect anyone to sneak onto my network and install Citrix before owning my network.
     
  19. Leer

    Leer Registered Member

    Why leave a hole on your network that is simple to plug if your servers can handle the added work? Terminal users often need web and email services running.

    Once a person is on your network it isn't all that hard to move around so we build with defense in depth in mind.
     
  20. YeOldeStonecat

    YeOldeStonecat Registered Member

    I don't see it as a "hole"...a company big enough for a Terminal Server will have a mail server such as Exchange, and XMON covers that. None that I support allow web surfing; most companies have Terminal Server profiles locked down...only the bare minimum of LOB software icons on the desktop (primary application)...no web surfing allowed.

    2K is past end of life from Microsoft; it shouldn't be there anymore.
     
  21. Leer

    Leer Registered Member

    Win2K licensing is EOL and extended support does die in 2010, so for companies that can afford it or require something newer, an upgrade is a must. If something is easy (in terms of time) to implement, why not utilize the solution?

    I guess I'm off topic now and will leave this thread.
     
  22. NOD32 user

    NOD32 user Registered Member

    I would prefer that all RA tools be detected in Potentially Unsafe Applications (since that is what the category is for, right?) but I note that the current Radmin seems to be going undetected also...

    Cheers :)
     