Sophos Central - False positive - Connectwise Screenconnect - a Thoma Bravo Company - Same as Sophos

Good morning (NZ Time)
We are an IT support business
We use ConnectWise's ScreenConnect product to remotely support all of our clients, and have done so for 6 years.

From Yesterday afternoon (NZ Time) our Sophos Central alerts are going off with the below.

Sophos Central Event Details for <customer name>
What happened: We attempted to restore a cleaned up application but failed.
Where it happened: <machine name>
Path: C:\Windows\Temp\ScreenConnect\22.9.10589.8370\ScreenConnect.ClientSetup.exe
What was detected: Generic ML PUA
User associated with device: <machine name>\<username>
How severe it is: Medium

Can you "globally" stop this nonsense please, or work with ConnectWise? It's part of the Thoma Bravo group, as is Sophos.

You don't need to troubleshoot MY control panel (as your support agents often want to do). This is a GLOBAL SOPHOS and Thoma Bravo issue.

I'm posting this in the forum as well as in a support ticket, as I find support tickets are slow due to timezones and the "follow the sun" system not really working.



[edited by: Gladys at 9:30 AM (GMT -8) on 1 Mar 2023]
  • Hi Dennis,

    Thanks for reaching out to the Sophos Community Forum. 

    If you wish to white-list the app locally on your environment, I suggest checking the "Details" button on the ML detection event that was generated. 

    To have this adjusted globally for the specific version of ScreenConnect you're using, you'll need to submit a sample of the detected file so that our ML engine can be updated. You can do this from the following webpage.
    Submit a Sample

    If you require immediate assistance after-hours, the best way to get support is to reach out using the regional contact numbers on the following page. If you have a business-critical issue, and your team is available 24/7 to continue working on the issue with us, our team will use the follow-the-sun process to assist you. 
    - support.sophos.com

    If you feel that you are not being assisted in a reasonable manner, or if there is an issue you wish to highlight to our management team regarding your experience in working with Sophos Support, you can always reach out to SupportEscalations@sophos.com as well. The case will be reviewed as a whole to ensure we're delivering a high-quality support experience. 

    I hope this gives you some insight into things and provides some possible avenues for you to reach out to us should any issues arise. 

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Thanks for the reply.
    - The sample is hard to provide, as Sophos deletes it.
    - Can I whitelist globally for all customers from Central, or do I have to go through them one by one?

  • If you currently have a Global Template applied with the "Allowed Applications" section controlled, it's possible to add an exclusion for the ML PUA type detections.

    You can add the exclusion via SHA256 value or Path.

    If you are not currently controlling the "Allowed Applications" section for your customers, I'd suggest checking within the tenant sites to ensure you won't be overwriting any configurations they already have applied. 

    Kushal Lakhan
    Team Lead, Global Community Support
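The two practical problems raised in the thread are that Sophos cleans the installer up before a sample or hash can be taken, and that the "Allowed Applications" exclusion accepts either a SHA256 or a path. The script below is an added example, not code from the thread or from Sophos or ConnectWise. It collects the SHA256 of the detected file from the path in the event (the version folder is widened to a wildcard, an assumption so it also covers later builds), and checks the Authenticode signature before recommending the hash for the exclusion. The signer match pattern ('Connectwise|ScreenConnect') is an assumption about the certificate subject on the installer and should be compared against what the command actually prints. A hash exclusion only ever covers this exact file; a path exclusion would cover anything written to that location later, which is why the hash is preferred here.

```powershell
# Added example (not from the thread): capture the SHA256 of the detected ScreenConnect
# client installer before it is cleaned up, and verify its Authenticode signature, so the
# hash added under Global Settings > Allowed Applications belongs to a genuinely signed
# ConnectWise binary rather than to whatever else ends up in the same folder.
# ASSUMPTION: the version folder is wildcarded so later client builds are picked up too.
$pattern = 'C:\Windows\Temp\ScreenConnect\*\ScreenConnect.ClientSetup.exe'

# ASSUMPTION: substring expected in the signing certificate subject; compare with the
# Signer column printed below before relying on it.
$expectedSigner = 'Connectwise|ScreenConnect'

$results = foreach ($file in Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue) {
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path      = $file.FullName
        Version   = $file.Directory.Name          # e.g. 22.9.10589.8370 from the event
        SHA256    = $hash
        SigStatus = $sig.Status                   # 'Valid' = signature and chain verified
        Signer    = $sig.SignerCertificate.Subject
    }
}

if (-not $results) {
    Write-Warning "No installer found under $pattern - Sophos may already have cleaned it up."
    Write-Warning "Run this on a machine before the detection fires, or copy the installer from the ScreenConnect server's client download, then re-run."
    return
}

foreach ($r in $results) {
    if ($r.SigStatus -eq 'Valid' -and $r.Signer -match $expectedSigner) {
        # This hash is what goes into the Allowed Applications exclusion.
        Write-Output "OK to allow by SHA256: $($r.SHA256)  (client $($r.Version))"
    } else {
        # Unsigned, tampered or unexpectedly signed: do not exclude it, investigate instead.
        Write-Warning "Do NOT whitelist $($r.Path): signature status '$($r.SigStatus)', signer '$($r.Signer)'"
    }
    $r   # emit the full record for the ticket / sample submission
}
```

Run it in an elevated PowerShell session on an affected endpoint; the printed record (path, version, SHA256, signature status, signer) is also the information Sophos asks for when submitting the sample, and the file can be copied away for that submission while it is still present.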