Under review

McAfee has started quarantining the standard ScreenConnect DLLs from a permanent install, knocking out most of my client PCs

tim 2 years ago updated by Caitlin M Barnes (Product Manager) 1 year ago 35

McAfee has started quarantining the standard ScreenConnect DLLs from a permanent install, knocking out most of my client PCs. This has been reported to McAfee some time ago, and I am chasing, but they do not seem to be "allowing" these.

This is happening with 6.9.21870.6964

Does this still happen with 19.0.23234.7027 or later?

ScreenConnect.ClientService.dll

ScreenConnect.Core.dll

ScreenConnect.Windows.dll

ScreenConnect.Client.dll

Most of my customers/client PCs use retail McAfee so they are completely UNABLE to 'exclude' these as apparently "McAfee knows best" for retail customers. At this rate I will not be able to renew as this will become unworkable. Others must be affected by this?

ConnectWise Control Version:
20.3

Answer

PINNED

Hi All, 

According to McAfee, they've whitelisted the DLL's in question. Please continue to use this thread if you find ongoing problems with McAfee and Control. Thanks!

Caitlin 

10 days and McAfee have still NOT resolved this problem.  They are quarantining all four of the ConnectWise Control "ScreenConnect….DLLs"

Has anyone else come across this? How can we increase awareness and PUT MORE PRESSURE on McAfee to fix this?

Thanks

Hi Tim, 

I'll be reaching out to McAfee again today to check on their progress. Can you please provide me with your specific product name, engine, and .DAT version so that I can let them know which specific products are impacted?

Thanks!

Hi Caitlin,


I've currently got 44 clients that have been impacted by this, that I'm no longer able to access. Various versions of McAfee involved, but the last two I was looking at were


McAfee Total Protection vs 16.0

Security Centre 17.8.131

VirusScan 22.3.143

Engine 3693.0


I've seen this on a few Live Safe versions too.


A senior McAfee technician is "supposed" to be phoning me this evening between 20:00-22:00BST but I'll see if they actually phone.


I will be stressing the importance of this and expecting an action plan and commitment to resolve.


If not then I will be recommending my clients "ditch" McAfee as this is destroying my business.


Please do and apply more pressure.


I'll provide another update ASAP

We are still experiencing issues with this issue on our end. Has there been any update on this situation? It is really impacting us being able to manage things remotely. 

Hi Alex, 

We've contacted McAfee and provided the necessary files. Currently, we're waiting to hear back from their virus research team. To expedite the request, McAfee suggests registering your own ticket with their support. 


- Caitlin 

Hi Caitlin,


I have spent the evening chasing McAfee again to find out what is happening.  It appears that they have done nothing.  My original submission was sent on the 18 April.  I have since contacted technical support 4 more times and submitted the DLLs for scanning another 3 times, including once to one of the tech support team. 

All they have done is send "one" summary email to a higher-level team. They haven't sent any follow-ups or anything.

I don't think they care at all.


They have just promised to send another escalation email (right now, but I am not holding my breath).   And have been promised another call in 30 minutes but I'm told they will not tell me what they have done so far (my bet is nothing) and they will not tell me when they will fix this...


Based on this call I will start to recommend to all 44 of my clients that currently use McAfee to remove it.  I'll probably recommend AVG although it is a bit more expensive


Caitlin … please help?

Thanks for the update, Tim! Very helpful. I'll attempt to get in contact with McAfee again today, though quite honestly we're at the mercy of their team. 

- Caitlin 

Chased McAfee again last night but there has been no further progress.  Apparently escalated on 30 April but I'm not overly confident, had to ask the question about six times before they acknowledged.  And then refused to comment any further.


I have noticed that this problem appears to ONLY occur in version 6.9 of the client. I have a couple of users who have McAfee anti-virus which I have not upgraded to the later version. And they do not seem to be affected by the quarantining problem.


So is there something in version 6.9 causing them some rogue signature at McAfee?

Does this problem/has anyone seen problems with the 2019 version release? Maybe that is the solution and perhaps "mark" 6.9 as a problem?

Still no update on this? We do not manage the McAfee for these clients but manage almost everything else. We are using TeamViewer as an alternative. Any progress yet?

We are also experiencing this issue. I have an open case with McAfee. Let me know if the SR Number would help you.

I have referred them to this thread to try and get a resolution.

McAfee have replied, saying they will not remove this listing from their general definitions.

Will there be an update to ConnectWise control to address this issue?

Hi Adam, 

Unfortunately, I was told today by McAfee that ConnectWise Control cannot whitelist our DLL's en masse with them -- they need specific support tickets from their customers. There will not be a change to our product to address this, as this is not a failure of our product, but of McAfee's filtering. 


Please continue to report all false positives to McAfee (or any AV vendor that incorrectly flags our .exe's or DLL's). 

I upgraded to the latest version and that seemed to solve it for a week or so.  As of today, McAfee has started quarantining ScreenConnect files again.


As a result I am moving my clients AWAY from McAfee to AVG.  More expensive but they are more helpful and do not stop me using Screen Connect.


It will be McAfee's loss...

That said, I will submit my case .. yet again.  It'll be the fourth time. They haven't replied to any of mine so far...


Hi Caitlin - Are you able to provide the SR# you have open with McAfee?

Hi Adam, 

Unfortunately, since ConnectWise Control isn't a customer of McAfee, we're not able to open support requests/tickets or even speak to a support technician. We've been submitting the affected files through McAfee's false positive process and have followed up on those results. I've reached out to members of the support team at McAfee through other means, but no word yet.

We have the same issue across numerous clients. We will need to dump McAfee or ConnectWise Control. The combination is simply impossible to manage. Even with manually entered exceptions, one of the scans in McAfee will still detect and delete the ScreenConnect files. They will not even be put in quarantine so they can be easily restored. Unbelievable arrogance on McAfee's part.

+1

McAfee have offered

https://www.mcafee.com/enterprise/en-us/threat-center/detection-dispute-form.html

as the method of disputing false PUP detection, and asked that someone from ConnectWise complete the form submission so they can investigate further.

We're still seeing this with numerous clients. I don't believe they are running the enterprise version of McAfee (one client essentially had a Windows 10 home computer that came with McAfee pre-installed and it wouldn't let them join a support session or meeting)...

Thanks Rob, 

We had a similar report from a partner in support chat this morning. I've reached back out to McAfee to double check that we've been whitelisted for all of their products. 

Hi there,

Our support teams are still having issues connecting to some customers with McAfee AV products, despite them having the PUP workaround in place to whitelist "ScreenConnect".

Is there any further news?

I don't know what to do next to move this forward, as we have no relationship with McAfee to escalate and I can't reproduce the issue on my equipment.

Any advice would be much appreciated.

Hi JRM, 

According to McAfee, we've been whitelisted by default in all of their products. In order to pursue additional investigation with McAfee, I'll need to provide them with screenshots or logs of reported issues. Do you have any evidence that I can submit to McAfee? Which products in particular were causing these problems? 

I'll do what I can to help!

Caitlin 

Hi Caitlin,

What address should I send the information to?

Thanks

JRM

Here's a screenshot showing it still marking them as viruses. Here's the version info for this client:

McAfee Agent
Version number: 5.0.5.658
Status: Managed
SuperAgent: Peer to Peer
Last security update check: 6/4/2019 6:12:51 AM
Last agent-to-server communication: 6/4/2019 5:57:54 AM
Agent to Server Communication Interval (every): 1 hour
Policy Enforcement Interval (every): 1 hour
Agent ID: {39bc6308-e454-11e6-0e14-c4346b935630}
ePO Server/Agent Handler

McAfee Endpoint Security
Version number: 10.5
For module and content information, view the About page
in the McAfee Endpoint Security Client

So something still isn't right. If I try to join a session, even after whitelisting ScreenConnect*.* and even individual files, the installer opens and then McAfee jumps over it saying virus detected and it was deleted (not even quarantined - meaning McAfee thinks it's a very bad virus and not even worthy of quarantining...)

Really frustrating to try to support these clients with this going on!

Thanks!

-rob

Thanks Rob, this is very helpful. I'll reach out to McAfee today with this information. They've been relatively quick with their responses lately, so I'll follow up when I know more. 

Hi Rob, 

McAfee double checked and confirmed that all of our DLL's have been whitelisted in McAfee EndPoint Security (see below screenshot from McAfee). 


If you continue to have problems, could you please provide the file names of those deleted? McAfee is resistant to whitelisting our entire application, so we need to continue sending in specific files for whitelisting. Thanks!

Still no luck. The file name is: ScreenConnect.WindowsClient.exe

And I did an update on the McAfee to make sure it has the most recent definitions...

Also, for some reason your posts to here aren't emailing me so that's why there's a delay in getting back to you...

This is happening when trying to join a support session and the user runs the downloaded program to join the session. It's happening on multiple windows machines at multiple client locations - only those with McAfee anti-virus. McAfee auto-deletes it (instead of quarantining it) and you get the above On-Access Scan screen.

Thanks!

-rob

Hi Rob, 

Just heard back from McAfee, all exe's should be whitelisted. In fact, I sent over all of our exes, msis, client files, dlls.. basically everything I could think of - over 40 files in all. According to their team, all of these should now be whitelisted. 

Please let me know if the problem persists!

Caitlin 

I don't know what to tell you but it's still deleting them. If I use the copy URL to download an access client or just try to join a support session I get this from McAfee when trying to run the program:

Is it perhaps just a certain version of the ConnectWise Control client that McAfee whitelisted and I need to match that one?

Thanks!

-rob

Here's my analysis when I was having this problem. I gave up waiting on a fix from McAfee and ConnectWise and ended up updating to 19.0 of Control which wasn't flagged as a PUP. Hope this helps.

https://www.virustotal.com/gui/file/9ba5eb1a5d76f5b5044f0a54f944a92c6cff32829e652d5a5cfd61708a535750/detection

Thanks Sean - that worked like a charm. I was on v6.9 and updating to v19.1 solved the problem. Computers with McAfee installed now will join sessions and install the access client once again. Appreciate the help from all here!

-rob

AVG detects 19.3.25391.7201...  we will have to go with TV soon

Hi BBQPM, 

Can you provide some additional information about what you're seeing with AVG? Which specific files are being flagged?