KoRi

RealVNC issue [In progress]


Hi!

 

We have a few computers which have RealVNC installed on them. In the event log, a new entry is created every 3 seconds: Information about detected object.

I don't want to disable this type of event logging, just the logging about this object. I put winvnc on the trusted list and the exception list, but it is still logging.

How can I end this?


The policy has been compressed for upload.

 

KSC 10.2.434, policy for KES 10 SP1 10.2.2.10535


kes10sp1.zip

Edited by KoRi


Hi,

 

Please check all checkboxes at VNC trusted application registry (for both files).

 

Please inform us about result.

 

Thank you!


You think on this?


Please translate the screenshot into English.

Thank you.


OK, so here it is, something like this:

Event name Information about detected object

Severity: Info

Application: Kaspersky Endpoint Security 10 Service Pack 1 for Windows

Version number: 10.2.2.10535

Task name: File AntiVirus

Computer: FKF-971502

Group: common

Time: 2015. October 29. 7:00:43

Virtual Server name:

Description: Event type: Information about detected object

Application\Name: Windows Explorer

Application\Path: c:\windows\

Application\PID: 760

User: FKF-971502\HeimA (Initiator)

Component: File AntiVirus

Result\Description: Észlelve

Result\Type: Legal software that can be used by criminals for damaging your computer or personal data

Result\Name: not-a-virus:RemoteAdmin.Win32.WinVNC.4

Result\Threat Level: Low

Result\Accuracy: Exactly

Object: C:\Program Files\realvnc\vnc4\winvnc4.exe

Object\Type: File

Object\Path: C:\Program Files\realvnc\vnc4\

Object\Name: winvnc4.exe

 

 

On KES 10 MR1 computers there is no such event entry.


Hi,

 

What version exactly are you talking about where the event is not getting reported? Is this getting reported only on version 10.2.2.10535? Do you experience any issue with this event happening, or is the event itself the only thing you are worried about?

 

Thank You!


The event itself is annoying: because of these many informational events, the other events are cleared from the server after about 3 days. I don't want to raise the events limit, just to stop logging such events.

There are 6 computers which have VNC installed; 5 of them are v10.2.2.10535, and they are all reporting VNC. The remaining one is v10.2.1.23 and is not reporting VNC.

There are 3 computers with UltraVNC installed; one of them is v10.2.2.10535 (reporting), two of them are v10.2.1.23, not reporting VNC.

So only v10.2.2.10535 is reporting. The policies have to be the same.

 


Hi,

 

Try to upgrade to 10.2.4.674 and reproduce the problem.

 

Thank you!


Hi!

 

I upgraded one computer to v10.2.4.674 and reporting continued. I was wrong before: v10.2.1.23 also creates reports; it was just switched off earlier.

 

Event name Information about detected object

Severity: Info

Application: Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 2 for Windows

Version number: 10.2.4.674

Task name: File Anti-Virus

Computer: HUHASUS

Group: szerverek

Time: 2016. június 13. 12:47:19

Virtual Server name:

Description: Event type: Information about detected object

Application\Name: Windows Explorer

Application\Path: c:\windows\

Application\Process ID: 2812

User: HUHASUS\Administrator (Initiator)

Component: File Anti-Virus

Result\Description: Detected

Result\Type: Legal software that can be used by criminals to damage your computer or personal data

Result\Name: not-a-virus:RemoteAdmin.Win32.WinVNC.4

Result\Threat level: Low

Result\Precision: Exactly

Object: C:\Program Files\realvnc\vnc4\winvnc4.exe

Object\Type: File

Object\Path: C:\Program Files\realvnc\vnc4\

Object\Name: winvnc4.exe

 


Hi,

 

Please collect traces and GSI logs in moment when problem is reproduced.

 

Thank you!


Hi,

 

Can you please use full path for winvnc.exe and check whether issue occurs?

 

BR


I don't get it. The computer I upgraded stopped reporting yesterday at about 3:25 am (see pic 1). I don't know what happened; no one touched it.

On the other hand, on another computer with v10.2.2.10355 mr1, I disabled the server policy just to check the local settings.

No matter how I configure Scan exclusions, the log rolls (see pic 2). I'm not even sure where I have to set it: Scan exclusions, or Trusted applications?

I even imported the other (now good) machine's exclusions and trusted applications list, but it is still detecting winvnc4.exe.

More interesting: on the computer that has magically been fixed, when I totally switch off exclusions and trust, it still does not log anything (see pic 3). Maybe it is defined somewhere else, or is the setting cached for a time?

 

 


Hello.

 

Earlier in the topic, you mentioned upgrading some hosts to 10.2.4.674. Please note that when performed on its own, it will make existing KES policies (10.2.2.10535) in KSC inapplicable: they also need to be converted. Could this have to do with the exclusions you configure?

Also, try adding WinVNC to Trusted applications with options "Do not scan application activity" and "Do not scan network activity".

 

Thank you.

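Added example, not part of the thread and not Kaspersky code: a small parser for the `Key: value` event records posted above that groups Info-level detections by computer, verdict and object and reports those repeating at short intervals, the pattern that pushes other events out of the server's event store. The field names, the WinVNC verdict and the object path come from the posted events; the host names, the second verdict, the ISO timestamps and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

VNC = r"C:\Program Files\realvnc\vnc4\winvnc4.exe"

def make_event(ts, computer, name, obj, severity="Info"):
    """Build one constructed record using the field names seen in the thread."""
    return (f"Severity: {severity}\nComputer: {computer}\nTime: {ts}\n"
            f"Result\\Name: {name}\nResult\\Threat level: Low\nObject: {obj}\n")

# Constructed sample: 7 repeats 3 s apart on HOST-A plus one unrelated event.
# ISO timestamps are an assumption; the thread's records use locale dates.
SAMPLE = "\n".join(
    [make_event(f"2016-06-13 12:47:{s:02d}", "HOST-A",
                "not-a-virus:RemoteAdmin.Win32.WinVNC.4", VNC)
     for s in range(1, 20, 3)]
    + [make_event("2016-06-13 12:50:00", "HOST-B", "EXAMPLE-VERDICT",
                  r"C:\temp\sample.bin", severity="Critical")])

def parse_events(text):
    """Split a 'Key: value' dump into one dict per blank-line-separated record."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events

def repeat_floods(events, min_count=5, max_gap_s=10):
    """Return (computer, verdict, object, count, median gap in s) per flood."""
    groups = defaultdict(list)
    for e in events:
        if e.get("Severity") == "Info" and "Time" in e:
            key = (e.get("Computer"), e.get("Result\\Name"),
                   e.get("Object", "").lower())  # Windows paths: ignore case
            groups[key].append(datetime.strptime(e["Time"], "%Y-%m-%d %H:%M:%S"))
    floods = []
    for (computer, verdict, obj), times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_count and gaps and median(gaps) <= max_gap_s:
            floods.append((computer, verdict, obj, len(times), median(gaps)))
    return sorted(floods, key=lambda f: -f[3])
```

The rows returned by `repeat_floods(parse_events(SAMPLE))` rank candidates for a narrowly scoped exclusion; the same verdict on a host where the remote administration tool is not sanctioned deserves investigation rather than suppression.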
