Microsoft Defender blocks Anydesk clients (since 28 February 2024)

Brief information for everyone: I have just heard from blog readers that the clients of the remote maintenance provider AnyDesk will probably be blocked by Microsoft Defender under Windows from today (28 February 2024). The whole thing is related to the hack of the provider AnyDesk, in which certificates may have been lost. Here is a brief overview of what you need to know so far.



Reader reports about blocked clients

Blog reader Peter H. from Germany contacted me yesterday via email and reported that Windows Defender was blocking AnyDesk clients with the latest signature update. His email states:

I would now like to share the following experience with you: since TODAY (i.e. since the latest Defender signature update), Defender has been blocking all downloads as well as the execution of Anydesk (currently v7.0.15) and classifies it as PUA.Win32.Softcnapp.

Defender blocks AnyDesk

Peter wrote that the signature visible in the screenshot below is used in Defender, so its signature files are up to date:

Defender Signature

German blog reader Harald has also posted a comment in my German blog, stating that "since today, Windows Defender has started to detect the latest AnyDesk clients with the latest signature and report them as potentially unwanted programs". Karsten has also reported this in the discussion area. I'll pull it out separately, as I delete the discussion entries sporadically.

The new AnyDesk clients are being blocked today by Microsoft Defender as an unwanted app.
'PUA:Win32/Softcnapp' is reported as the reason.

We are talking about the newly released clients that have been digitally signed with a new digital certificate from AnyDesk GmbH. Karsten also referred to the reddit.com post Anydesk custom client is blocked by Microsoft Defender, where another user confirms Defender's behavior.

Hello,



since this morning, Anydesk custom client, from my.anydesk 1 and 2 (.exe and .msi) is blocked by Defender.

Defender detected and terminated active 'PUA:Win32/Softcnapp' in process 'AnyDesk.exe' during a scheduled scan

Anybody have the same situation?

Within the thread, other users confirm the problem. One user doud_doud quotes an answer from AnyDesk support:

Sorry for this inconvenience. Our team is actively investigating the root cause of this issue.

The current solution, if nothing is configured and a false positive notification arises, would be to manually add an exception/rule for AnyDesk.

There is no risk in using AnyDesk. Therefore, you can download and install AnyDesk safely.

We appreciate your patience and understanding.

AnyDesk has now run into real problems, because the AnyDesk client is blocked as unwanted on many systems and moved to quarantine. The recommendation from support: define an exception for the client in Defender so that it is no longer blocked. The howler of the month is "There is no risk in using AnyDesk. Therefore, you can download and install AnyDesk safely.".
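If an exception is defined as recommended above, it should be tied to a verified binary rather than added blindly. The following PowerShell sketch is an added example, not code from AnyDesk, Microsoft or this blog; the install path, the signer substring and the thumbprint placeholder are assumptions to be replaced with values confirmed out of band.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumed values: install path, signer substring, thumbprint placeholder.
param(
    [string]$ClientPath         = 'C:\Program Files (x86)\AnyDesk\AnyDesk.exe', # assumed path
    [string]$ExpectedSigner     = 'AnyDesk',             # assumed substring of the certificate subject
    [string]$ExpectedThumbprint = '',                    # placeholder: obtain from the vendor, out of band
    [string]$ThreatName         = 'PUA:Win32/Softcnapp'  # detection name quoted in the post
)

# 1. Confirm that the detections on this host are the one discussed here, not something else.
$ids  = @(Get-MpThreat | Where-Object ThreatName -eq $ThreatName | ForEach-Object ThreatID)
$hits = @(Get-MpThreatDetection | Where-Object { $_.ThreatID -in $ids })
if (-not $hits) { Write-Warning "No '$ThreatName' detection recorded on this host." }
$hits | Select-Object InitialDetectionTime, ProcessName, Resources | Format-List

# 2. The file must be present and carry a valid Authenticode signature from the expected signer.
if (-not (Test-Path -LiteralPath $ClientPath -PathType Leaf)) {
    throw "Not found: $ClientPath (possibly quarantined)"
}
$sig  = Get-AuthenticodeSignature -LiteralPath $ClientPath
$cert = $sig.SignerCertificate
if ($sig.Status -ne 'Valid') { throw "Signature status is '$($sig.Status)'; no exclusion added." }
if ($cert.Subject -notlike "*$ExpectedSigner*") { throw "Unexpected signer: $($cert.Subject)" }
if ($ExpectedThumbprint -and $cert.Thumbprint -ne $ExpectedThumbprint) {
    throw "Thumbprint $($cert.Thumbprint) does not match the pinned value."
}

# 3. Record what is being trusted, then exclude this one file only,
#    not the install folder and not the process name.
[pscustomobject]@{
    Path       = $ClientPath
    SHA256     = (Get-FileHash -LiteralPath $ClientPath -Algorithm SHA256).Hash
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotBefore  = $cert.NotBefore
} | Format-List
Add-MpPreference -ExclusionPath $ClientPath

# 4. Show the resulting list; remove the entry again once the detection is withdrawn:
#    Remove-MpPreference -ExclusionPath $ClientPath
(Get-MpPreference).ExclusionPath
```

A path exclusion makes Defender skip whatever file sits at that path, so the signature check should be repeated after every client update.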

The background

The background to all this is probably that the provider AnyDesk was the victim of a cyberattack on its production systems in December 2023. However, the whole thing did not come to light until the beginning of February 2024 – possibly also due to the reporting here in the blog (see links at the end of the article).

AnyDesk could not rule out the possibility that the keys for the certificates used to digitally sign files had been lost. The old certificates were therefore revoked and the provider was busy providing new clients with updated digital signatures in February.

Perhaps something got into the binary files when "building the new clients", causing Defender to regard the whole thing as undesirable. We will have to wait and see whether AnyDesk can rectify the situation with Microsoft – if the AnyDesk client is still to be used at all.

Articles:
AnyDesk confirmed, they have been hacked in January 2024, Production systems affected – Part 1
AnyDesk hack undercover – more information and thoughts – Part 2
AnyDesk hack undercover – Suspicious cases and more – Part 3
AnyDesk hack undercover – Access data offered for sale – Part 4
AnyDesk hack – A review – Part 5
AnyDesk hack – Review of the German CERT BSI report – Part 6
AnyDesk hack – Notes on exchanging certificates for Customs clients 7.x – Part 7
AnyDesk hack – more details (FAQ from Feb. 5, 2024) – Part 8
AnyDesk hack already noticed on December 20, 2023? – Part 9
AnyDesk hack confirmed as of December 2023; old certificate recalled – Part 10
AnyDesk hack: Revoke chaos with old certificates? – Part 11
AnyDesk hack: Newly signed clients available; what are your experiences? – Part 12

Störung bei AnyDesk, jemand betroffen? (AnyDesk outage, anyone affected?)
AnyDesk: Be careful in using that remote support software

