
Custom Client detected as suspicious download / antivirus false positive

Open mlopiccolo-progres opened this issue 10 months ago • 13 comments

When our customers download our custom client, Chromium-based browsers often detect it as suspicious, and so do some antiviruses (right now we tested Panda and AVG).

Is there a solution for this? It's annoying and not very professional to have this happen with our customers.

mlopiccolo-progres avatar Apr 09 '24 13:04 mlopiccolo-progres

There is no solution for this; you have to report it yourself to each antivirus vendor.

rustdesk avatar Apr 09 '24 13:04 rustdesk

Why does this happen? Isn't the custom client using the same signature as the official one? Would it maybe help to call the executable the same as the official one?

mlopiccolo-progres avatar Apr 09 '24 13:04 mlopiccolo-progres

I know you will ask this, because I thought the same as you before. But things are much more complicated than you imagine. Frankly, I don't know much either.

rustdesk avatar Apr 10 '24 03:04 rustdesk

Yeah, well, I know when it is about antiviruses things are always complicated. Thank you for clarifying. Hope in the future there will be a solution. I will try to report the false positives to antivirus vendors.

mlopiccolo-progres avatar Apr 10 '24 06:04 mlopiccolo-progres

Server Pro compiles each build with its private key, branding, configs, etc. We guess the signature or hash of each build is different. Every zero-trust antivirus is going to block the executable while it analyzes it for the first time.

What we are doing is to run the new build, let the antivirus block it and wait a couple of hours until it's acknowledged as safe software. Then we "publish" the build.

It may not be the smoothest thing, but it works just fine. Since we only have two different antiviruses running across all our clients, it's not a big deal.

AlvaroNieto avatar Apr 11 '24 07:04 AlvaroNieto
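The point made just above, that each build carries a different hash, is worth making concrete, because it explains why reputation-based engines treat every custom client as a never-seen file: a code signature covers the image, so the moment a branding or config byte changes, both the file hash and the signed image hash change, and only the signer's identity stays constant. The following Python is an added example and not RustDesk or Server Pro code. It parses a PE's certificate table, computes the file SHA-256 and the Authenticode image hash (the hash a signature actually covers), and runs both over two constructed minimal PE32+ images that differ only in an embedded config string. The images, the config strings and the placeholder signature blob are constructed for the demonstration and are not runnable executables.

```python
"""Added example: inspect a Windows PE build for its file hash, its Authenticode
image hash and an embedded signature. Not RustDesk code; the sample images are
constructed in build_sample_pe() and are not runnable executables."""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data directory index of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode signatures are PKCS#7 SignedData


def _layout(data):
    """Locate the optional header; return (opt_off, dir_base, section_table_off, num_sections)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        dir_base = opt + 96           # PE32: data directories start at +96
    elif magic == 0x20B:
        dir_base = opt + 112          # PE32+: data directories start at +112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return opt, dir_base, opt + size_opt, num_sections


def _cert_table(data, dir_base):
    """(file offset, size) of the attribute certificate table, or (0, 0) if absent."""
    num_dirs = struct.unpack_from("<I", data, dir_base - 4)[0]   # NumberOfRvaAndSizes
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return 0, 0
    return struct.unpack_from("<II", data, dir_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8)


def authenticode_hash(data, algo="sha256"):
    """Image hash that an Authenticode signature covers: the whole file except the
    CheckSum field, the certificate-table directory entry and the certificate table."""
    opt, dir_base, sect_off, nsect = _layout(data)
    checksum_off = opt + 64
    sec_entry = dir_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    cert_off, cert_size = _cert_table(data, dir_base)
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    h = hashlib.new(algo)
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:sec_entry])
    h.update(data[sec_entry + 8:size_of_headers])
    hashed = size_of_headers
    sections = []
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_off + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):      # section data in file order
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    tail = bytearray(data[hashed:])                 # trailing data, minus the certificate table
    if cert_size and cert_off >= hashed:
        del tail[cert_off - hashed:cert_off - hashed + cert_size]
    h.update(bytes(tail))
    return h.hexdigest()


def inspect_pe(data):
    """Report what a hash-based reputation lookup and a signature check each see."""
    opt, dir_base, _, _ = _layout(data)
    cert_off, cert_size = _cert_table(data, dir_base)
    info = {"file_sha256": hashlib.sha256(data).hexdigest(),
            "authenticode_sha256": authenticode_hash(data),
            "signed": cert_size > 0, "cert_type": None, "cert_bytes": 0}
    if cert_size:   # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, bCertificate
        length, _revision, ctype = struct.unpack_from("<IHH", data, cert_off)
        info["cert_type"], info["cert_bytes"] = ctype, length - 8
    return info


def build_sample_pe(config, signature_blob=b""):
    """Constructed minimal PE32+ image: headers, one .rdata section holding a
    per-customer config string, and an optional WIN_CERTIFICATE with a placeholder blob."""
    ALIGN = 512
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)               # PE32+ magic
    struct.pack_into("<II", opt, 32, 0x1000, ALIGN)     # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 60, ALIGN)              # SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                # NumberOfRvaAndSizes
    cert = b""
    if signature_blob:
        blob = signature_blob.ljust(-(-len(signature_blob) // 8) * 8, b"\0")  # 8-byte padded
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        struct.pack_into("<II", opt, 112 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, 2 * ALIGN, len(cert))
    section = struct.pack("<8sIIIIIIHHI", b".rdata", ALIGN, 0x1000, ALIGN, ALIGN, 0, 0, 0, 0, 0x40000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(ALIGN, b"\0")
    return headers + config.ljust(ALIGN, b"\0")[:ALIGN] + cert


def compare_builds():
    """Two customer builds of one client, both carrying the same placeholder signature blob."""
    sig = b"\x30\x82placeholder-PKCS7"   # stands in for a real PKCS#7 SignedData structure
    a = inspect_pe(build_sample_pe(b"server=rs.customer-a.example;key=AAAA", sig))
    b = inspect_pe(build_sample_pe(b"server=rs.customer-b.example;key=BBBB", sig))
    return a, b


if __name__ == "__main__":
    for name, info in zip(("customer A", "customer B"), compare_builds()):
        print(name, info)
```

Against a real build, `inspect_pe(open(path, "rb").read())` tells you whether a certificate table is present at all and what the signed image hash is; it does not validate the PKCS#7 blob or the signer chain, which is what `signtool verify /pa` on Windows or `osslsigncode verify` elsewhere are for. The two constructed builds above come out with different file hashes and different Authenticode hashes even though their signature blob is identical, which is exactly the situation a hash-keyed reputation engine sees with per-customer clients.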

The problem for us is that our customers might have any antivirus in existence, since we don't always sell ours. Also, the custom client is sometimes detected as malicious even by old-school signature-based endpoint antiviruses (and this is really weird, because uploading the file to VirusTotal, while I know it doesn't really mean anything, comes back 99% clean with only one false positive).

I'm really curious to know how TeamViewer and AnyDesk pull this off without being detected as false positives.

mlopiccolo-progres avatar Apr 11 '24 07:04 mlopiccolo-progres

Because TeamViewer and Anydesk don't use custom clients.

AVs work on zero trust, or, if they haven't seen an executable before, they consider it dangerous.

dinger1986 avatar May 09 '24 19:05 dinger1986

Because TeamViewer and Anydesk don't use custom clients.

AVs work on zero trust, or, if they haven't seen an executable before, they consider it dangerous.

I used to be a user of both TV and AD, and in their business plans they have the ability to generate pre-configured custom clients that are automatically connected to your account and have your company logo, etc. They never got caught by EPP or EDR. Aren't they the same thing?

mlopiccolo-progres avatar May 10 '24 06:05 mlopiccolo-progres

Ah yes, no idea.

dinger1986 avatar May 10 '24 07:05 dinger1986

Thinking about this some more: you said they were never, as in past tense; that doesn't mean they aren't now. Remember all remote control software is treated as greyware by AVs, so it could happen with any remote control software.

dinger1986 avatar May 31 '24 14:05 dinger1986

FYI, as of version 1.3.7 of RustDesk Server Pro (and 1.2.5 client), new custom clients are not being flagged on the very first run (at least from my end).

AlvaroNieto avatar Jun 13 '24 11:06 AlvaroNieto

Are not being flagged for which antivirus?


mcloudeeds avatar Jun 13 '24 21:06 mcloudeeds

Bitdefender and another one I would rather not say. I have just run the custom client through VirusTotal and the result was 2 positives out of 74 antiviruses.

AlvaroNieto avatar Jun 14 '24 11:06 AlvaroNieto