Known issue

Quick Support SOS - Infected with DRep

FAB-ITRescue 2 years ago updated by Scott Linak 2 years ago 5

SC version:6.6.18120.6697


The SOS Deployer Extension is being blocked by Avast, which claims it is infected with DRep.

ConnectWise Control Version:
19.5
Server Affected:
Host Client Affected:
Guest Client Affected:

Avast DRep explanation

Avast DRep (DomainRep, aka Domain reputation) is a preventive detection of Avast antivirus that blocks downloads of EXE files (Windows executables) if all these conditions are met:

  1. The file is not prevalent enough, i.e. not enough Avast users launched the file yet,
  2. The domain is not prevalent enough, i.e. not enough Avast users downloaded (any) EXE files from the domain yet,
  3. The file is not digitally signed or Avast does not trust the signature.

Once any one of these conditions is no longer met, Avast will stop flagging the download.

Other antivirus software may also use DRep as a nickname for this type of threat. For example, AVG also uses "DRep" as the nickname for low "domain reputation" and blocks the download as a preventive measure.

https://www.starmessagesoftware.com/faq-page/what-is-avast-drep-infection

Thanks for the explanation, most helpful. Pity, I thought that was why all extensions were now required to be digitally signed & thus why we can't write our own anymore! My small business is never going to clear Avast's Domain Reputation criteria by usage alone - especially when they are blocking the downloads in the first place!


This certification/reputation issue needs to be addressed by certifying the extension itself rather than the server from where it is downloaded.


ESET was also producing false positives when using https://appesteem.com to verify the intent of "Useful" software. ESET's response was to direct the author of such utilities to "conform" to the requirements of the so-called gate-keepers. I respectfully suggest the same here.

Further, I've submitted the Quick Support SOS.exe to https://www.virustotal.com and this reports that 1/67 currently regard this as infected. But interestingly, when the details are interrogated, this exe is NOT signed and thus carries no 3rd party trusted certificate. Surely this would be a 1st step to preserving a hard-won reputation.

+1

Thank you for the submission. I've registered your request and we will be looking into signing the exe. Please feel free to submit any other feature requests, as we work on a V2 of the SOS deployer.
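
The "not signed" observation in the thread can be checked locally before and after a vendor starts signing a build. The following is an added example, not part of the original thread or ConnectWise's code: it reads a PE file's certificate table entry to tell whether an Authenticode signature is embedded at all. It does not validate the signature or say whether Avast trusts it; the function names and sample bytes are constructed for illustration.

```python
import struct
import sys

SECURITY_DIR = 4  # index of IMAGE_DIRECTORY_ENTRY_SECURITY in the data directories

def embedded_signature_info(pe: bytes):
    """Return (file_offset, size) of the PE certificate table, or None if unsigned."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 24  # 4-byte signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    count_off = opt + (92 if magic == 0x10B else 108)  # NumberOfRvaAndSizes
    (num_dirs,) = struct.unpack_from("<I", pe, count_off)
    if num_dirs <= SECURITY_DIR:
        return None
    # Unlike the other directories, this entry holds a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", pe, count_off + 4 + 8 * SECURITY_DIR)
    if offset == 0 or size == 0:
        return None  # no certificate table: the file carries no embedded signature
    if offset + size > len(pe):
        raise ValueError("certificate table points outside the file")
    return offset, size

def sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo; not a real executable."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    hdr_len = 0x40 + 24 + 112 + 16 * 8  # 328 bytes of headers
    sec = struct.pack("<II", hdr_len, 16) if signed else b"\0" * 8
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    dirs = b"\0" * 32 + sec + b"\0" * 88  # 16 directories, security is #4
    blob = b"\xAA" * 16 if signed else b""  # placeholder for a certificate blob
    return dos + b"PE\0\0" + b"\0" * 20 + opt + dirs + blob

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. the downloaded installer
        with open(path, "rb") as f:
            print(path, embedded_signature_info(f.read()))
```

A `None` result corresponds to the first half of condition 3 in the DRep explanation (the file is not digitally signed); a non-`None` result still needs a proper signature verification tool to confirm the chain and trust.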
