VNC labelled as WIN32/RA

Discussion in 'NOD32 version 2 Forum' started by tdueck, Aug 1, 2007.

Thread Status:
Not open for further replies.
  1. tdueck

    tdueck Registered Member

    Joined:
    May 9, 2006
    Posts:
    8
    This morning quite a few of our systems are catching the VNC executables as possible variants of Win32/RA. Can anyone give me an update as to what the cause might be (I am assuming it's the result of an update yesterday) and if anyone else is having the same problem. Thanks.



    Operating memory - probably a variant of Win32/RA-based application

    C:\Program Files\RealVNC\VNC4\winvnc4.exe - probably a variant of Win32/RA-based application
    C:\Program Files\UltraVNC\vnchooks.dll - probably a variant of Win32/RA-based application
    C:\Program Files\UltraVNC\vncviewer.exe - probably a variant of Win32/RA-based application
    C:\Program Files\UltraVNC\winvnc.exe - probably a variant of Win32/RA-based application
     
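A triage helper for alert lines in the format quoted above, added here as an example and not part of the original thread or of any ESET tool. It splits each AMON line into the scanned object and the verdict, notes whether the verdict was heuristic ("probably a variant of", the point raised later in the thread), and sorts file hits into those under an assumed allowlist of sanctioned remote-admin install directories versus those that sit anywhere else and deserve a look before any exclusion is written. The sample lines and the `APPROVED_TOOL_DIRS` list are constructed for the example.

```python
from pathlib import PureWindowsPath

# Constructed sample of NOD32 AMON alert lines in the format quoted in the
# first post; the last line is an added, made-up hit outside any install dir.
SAMPLE_ALERTS = r"""Operating memory - probably a variant of Win32/RA-based application
C:\Program Files\RealVNC\VNC4\winvnc4.exe - probably a variant of Win32/RA-based application
C:\Program Files\UltraVNC\vnchooks.dll - probably a variant of Win32/RA-based application
C:\Program Files\UltraVNC\vncviewer.exe - probably a variant of Win32/RA-based application
C:\Program Files\UltraVNC\winvnc.exe - probably a variant of Win32/RA-based application
C:\Users\jdoe\AppData\Local\Temp\rtool.exe - probably a variant of Win32/RA-based application
"""

# Assumed allowlist: where the sanctioned remote-admin tools are installed on
# these systems. A real deployment would take this from its software inventory.
APPROVED_TOOL_DIRS = [
    PureWindowsPath(r"C:\Program Files\RealVNC"),
    PureWindowsPath(r"C:\Program Files\UltraVNC"),
]

HEURISTIC_PREFIX = "probably a variant of "


def parse_alert(line):
    """Split '<object> - <verdict>' into its parts; None if the line is not an alert."""
    obj, sep, threat = line.rstrip().rpartition(" - ")
    if not sep:
        return None
    heuristic = threat.startswith(HEURISTIC_PREFIX)
    if heuristic:
        threat = threat[len(HEURISTIC_PREFIX):]
    return {"object": obj, "threat": threat, "heuristic": heuristic}


def classify(alert):
    """Bucket an alert by where the detected object lives."""
    obj = alert["object"]
    if obj == "Operating memory":
        # A running process; the accompanying file alerts tell you which one.
        return "memory"
    path = PureWindowsPath(obj)
    if any(path.is_relative_to(d) for d in APPROVED_TOOL_DIRS):
        # Sanctioned RA install: candidate for a narrow, per-directory exclusion.
        return "approved-tool"
    # RA-family hit outside every known install directory: look at it first.
    return "review"


def triage(text):
    """Return {bucket: [objects]} for every parseable alert line in text."""
    summary = {"memory": [], "approved-tool": [], "review": []}
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        summary[classify(alert)].append(alert["object"])
    return summary


if __name__ == "__main__":
    for bucket, objects in triage(SAMPLE_ALERTS).items():
        print(f"{bucket}: {len(objects)}")
        for o in objects:
            print("   ", o)
```

The "review" bucket is the one worth reading before turning the potentially unsafe application category off or excluding a whole folder: a sanctioned VNC under Program Files and a copy of the same binary dropped somewhere else produce the identical alert text.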
  2. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    What options under AMON are you running, as far as "Potential"...if you crank them up, it will detect some remote admin utilities.
     
  3. jftuga

    jftuga Registered Member

    Joined:
    Mar 9, 2007
    Posts:
    64
    Location:
    Athens, GA
    I can confirm this with signature version 2430. I have sent in a bug report via their web page: http://www.eset.com/support/contact.php
    This is my first time getting a False Positive with NOD32.

    I also looked at:
    http://www.eset.com/support/updates.php
    but could not see anything related to Win32/RA.

    I hope this is fixed in 2431. This is a big problem for us as this is how we connect to our servers.

    If others are seeing this problem, please contact them. The more people that submit this problem, the quicker it will get fixed.

    -John
     
  4. jftuga

    jftuga Registered Member

    Joined:
    Mar 9, 2007
    Posts:
    64
    Location:
    Athens, GA
    I just got a reply to my support ticket and this is what it said:

    The VNC false positive is a known issue with the most recent update and will be resolved shortly. If you wish, you can disable the detection of potentially unwanted/unsafe applications in AMON until the next update is released.


    Great news!
    -John
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    It is NOT a false positive. Potentially unsafe applications cover mostly commercial applications for remote administration and VNC is actually such an application.
     
  6. Leer

    Leer Registered Member

    Joined:
    May 14, 2007
    Posts:
    12
    It IS a false positive to the vast majority of system admins. Almost everyone uses some form of a remote tool on the network. VNC being a popular choice.
     
  7. Banger696

    Banger696 Registered Member

    Joined:
    Sep 6, 2006
    Posts:
    274
    Agreed.
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Then I wonder why we and other AVs have a group of potentially unsafe applications if the clients want to have every such application excluded; it simply doesn't make sense to have a group of apps that would cover nothing.
     
  9. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Years ago, but Remote Desktop has taken over.

    Also IMO you don't need to run PDA option on a server...you don't (or most of us know better) web surf on a server, you don't run e-mail clients on a server, a server is (or should be) behind a firewall....minimal exposure.
     
  10. ASpace

    ASpace Guest

    I fully agree with this. The default settings of AMON, EMON, DMON and IMON related to what to scan for are excellent :thumb:
     
  11. bsilva

    bsilva Registered Member

    Joined:
    Mar 24, 2004
    Posts:
    238
    Location:
    MA, USA
    I have to agree that this is a problem. I had to reinstall VNC on my workstations and servers. To me this is an FP, but I can see Marcos' point also.
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    We will remove detection, but a much better solution would be to remove the Unwanted apps group completely, otherwise this makes no sense. I can't understand why people want one particular RA tool to remain undetected but not the others. If you want to be protected against RA tools, then every such tool must be detected. Imagine that someone asked us to remove all other RA tools; then you would be under a false impression of being protected, but actually you wouldn't be, as PUA wouldn't cover a thing.

    What you should take into account:

    1. PUA cover commercial remote admin tools
    2. PUA are disabled in all modules by default
     
  13. Leer

    Leer Registered Member

    Joined:
    May 14, 2007
    Posts:
    12
    True, RDP has a big place on the network now and works very well. We still have a number of Win2K workstations and some servers, and VNC (flavours) works well when you want access to the console.
     
  14. jftuga

    jftuga Registered Member

    Joined:
    Mar 9, 2007
    Posts:
    64
    Location:
    Athens, GA
    Marcos,

    One thing that I would like to point out is that this change in behavior was not mentioned in the changelog for v.2430:

    http://www.eset.com/support/updates.php

    If it was mentioned, it was not apparent. Do you agree with this?

    -John
     
  15. covaro

    covaro Registered Member

    Joined:
    Jul 4, 2006
    Posts:
    149
    Location:
    Abingdon, MD, USA
    If you look at the original post it says "probably a variant of" which means it was detected heuristically. So it wouldn't show up as a new definition in the list.

    -Cov
     
  16. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    These were not standard signatures, hence they did not appear in the list.
     
  17. Leer

    Leer Registered Member

    Joined:
    May 14, 2007
    Posts:
    12
    Just pointing out that VNC has been a popular choice for admins for a long time, and for that reason it was a surprise to see it detected. I can see scanning for BO2K, NC or sub7 "like programs" but wouldn't expect to see what I believe to be a common RA tool on show.

    I can see the reasoning for detecting the RA applications (RDP, VNC, Citrix, NC…); it just appears not to be as simple as identifying all RA applications.

    What are Eset's plans for RA detection?

    It is an easy workaround, although it will take some time, we have disabled scanning of the VNC folder and will start reinstalling.
     
  18. Leer

    Leer Registered Member

    Joined:
    May 14, 2007
    Posts:
    12
    I should add that I don't expect anyone to sneak onto my network and install Citrix before owning my network.
     
  19. Leer

    Leer Registered Member

    Joined:
    May 14, 2007
    Posts:
    12
    Why leave a hole on your network that is simple to plug if your servers can handle the added work? Terminal users often need web and email services running.

    Once a person is on your network it isn't all that hard to move around so we build with defense in depth in mind.
     
  20. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    I don't see it as a "hole"...a company big enough for a Terminal Server will have a mail server such as Exchange..and XMON covers that. None that I support allow web surfing, most companies have Terminal Server profiles locked down...only the bare minimum of LOB software icons on the desktop (primary application)...no web surfing allowed.

    2K is past end of life from Microsoft..shouldn't be there anymore.
     
  21. Leer

    Leer Registered Member

    Joined:
    May 14, 2007
    Posts:
    12
    Win2K licensing is EOL and extended support does die in 2010, so for companies that can afford it or require something newer an upgrade is a must. If something is easy (in terms of time) to implement, why not utilize the solution?

    I guess I'm off topic now and will leave this thread.
     
  22. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    I would prefer that all RA tools be detected in Potentially Unsafe Applications (since that is what the category is for, right?) but I note that the current Radmin seems to be going undetected also...

    Cheers :)
     