{"id":33379,"date":"2024-02-29T00:01:06","date_gmt":"2024-02-28T23:01:06","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=33379"},"modified":"2024-02-28T18:49:06","modified_gmt":"2024-02-28T17:49:06","slug":"microsoft-defender-blocks-anydesk-clients-since-28-february-2024","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2024\/02\/29\/microsoft-defender-blocks-anydesk-clients-since-28-february-2024\/","title":{"rendered":"Microsoft Defender blocks Anydesk clients (since 28 February 2024)"},"content":{"rendered":"

\"Stop[German<\/a>]Brief information for everyone. I have just heard from blog readers that the clients of the remote maintenance provider AnyDesk will probably be blocked by Microsoft Defender under Windows from today (28 February 2024). The whole thing is related to the hack of the provider AnyDesk, in which certificates may have been lost. Here is a brief overview, what you need to know so far.<\/p>\n

<\/p>\n

Reader reports about blocked clients<\/h2>\n

\"\"Blog reader Peter H. from Germany contacted me yesterday via email and reported that Windows Defender was blocking AnyDesk clients with the latest signature update. His email states:<\/p>\n

Nun m\u00f6chte ich mit Dir folgende Erfahrung teilen: Seit HEUTE (bzw. letzten Defender Signatur Update) blockt Defender alle Downloads als auch die Ausf\u00fchrung von Anydesk (aktuell v7.0.15) und stuft diese als PUA.Win32.Softcnapp ein.<\/p><\/blockquote>\n

\"Defender<\/a>
\nDefender blocks AnyDesk, Click to zoom<\/a><\/p>\n

Peter wrote that the signature visible in the screenshot below is used in Defender, so its signature files are up to date:\"Defender<\/p>\n

German blog reader Harald has also posted a comment<\/a> in my German blog, stating that \"since today, Windows Defender has started to detect the latest AnyDesk clients with the latest signature and report them as potentially unwanted programs\". Karsten has also reported this in the discussion area. I'll pull it out separately, as I delete the discussion entries sporadically.<\/p>\n

The new anyDesk clients are being blocked today by Microsoft Defender as an unwanted app.
\n'PUA:Win32\/Softcnapp' is reported as the reason.<\/p><\/blockquote>\n

We are talking about the newly released clients that have been digitally signed with a new digital certificate from AnyDesk GmbH. Karsten also referred to the reddit.com post Anydesk custom client is blocked by Microsoft Defender<\/a>, where another user confirms the Defender's behavior.Hello,<\/p>\n

since this morning, Anydesk custom client, from my.anydesk 1 and 2 (.exe and .msi) is blocked by Defender.<\/p>\n

Defender detected and terminated active 'PUA:Win32\/Softcnapp' in process 'AnyDesk.exe' during a scheduled scan<\/p>\n

Anybody have the same situation ?<\/p><\/blockquote>\n

Within the thread, other users confirm the problem. One user doud_doud<\/em> quotes an answer from AnyDesk support:<\/p>\n

Sorry for this inconvenience. Our team is actively investigating the root cause of this issue.<\/p>\n

The current solution, if nothing is configured and a false positive notification arises, would be to manually add an exception\/rule for AnyDesk.<\/p>\n

There is no risk in using AnyDesk. Therefore, you can download and install AnyDesk safely.<\/p>\n

We appreciate your patience and understanding.<\/p><\/blockquote>\n

They have now run into real problems when the AnyDesk client is now blocked as unwanted on many systems and moved to quarantine. The recommendation: Define an exception for the client in Defender so that it is no longer blocked. The howler of the month is \"There is no risk in using AnyDesk. Therefore, you can download and install AnyDesk safely.\".<\/p>\n

The background<\/h2>\n

The background to all this is probably that the provider AnyDesk was the victim of a cyberattack on its production systems in December 2023. However, the whole thing did not come to light until the beginning of February 2024 – possibly also due to the reporting here in the blog (see links at the end of the article).<\/p>\n

AnyDesk could not rule out the possibility that the keys for the certificates used to digitally sign files had been lost. The old certificates were therefore revoked and the provider was busy providing new clients with updated digital signatures in February.<\/p>\n

Perhaps something got into the binary files when \"building the new clients\", causing Defender to regard the whole thing as undesirable. We will have to wait and see whether AnyDesk can rectify the situation with Microsoft – if the AnyDesk client is still to be used at all.<\/p>\n

Articles:<\/strong>
\nAnyDesk confirmed, they have been hacked in January 2024, Production systems affected<\/a>\u00a0\u2013 Part 1
\nAnyDesk hack undercover \u2013 more information and thoughts<\/a>\u00a0\u2013 Part 2
\nAnyDesk hack undercover \u2013 Suspicious cases and more<\/a>\u00a0\u2013 Part 3
\nAnyDesk hack undercover \u2013 Access data offered for sale<\/a>\u00a0\u2013 Part 4
\nAnyDesk hack \u2013 A review<\/a>\u00a0\u2013 Part 5
\nAnyDesk hack \u2013 Review of the German CERT BSI report<\/a>\u00a0\u2013 Part 6
\nAnyDesk hack \u2013 Notes on exchanging certificates for Customs clients 7.x<\/a>\u00a0\u2013 Part 7
\nAnyDesk hack \u2013 more details (FAQ from Feb. 5, 2024)<\/a>\u00a0\u2013 Part 8
\nAnyDesk hack already noticed on December 20, 2023?<\/a>\u00a0\u2013 Part 9
\nAnyDesk hack confirmed as of December 2023; old certificate recalled<\/a>\u00a0\u2013 Part 10
\nAnyDesk hack: Revoke chaos with old certificates?<\/a>\u00a0\u2013 Part 11
\nAnyDesk hack: Newly signed clients available; what are your experiences?<\/a>\u00a0\u2013 Part 12<\/p>\n

St\u00f6rung bei AnyDesk, jemand betroffen?<\/a>
\nAnyDesk: Be careful in using that remote support software<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

[German]Brief information for everyone. I have just heard from blog readers that the clients of the remote maintenance provider AnyDesk will probably be blocked by Microsoft Defender under Windows from today (28 February 2024). The whole thing is related to … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,1547,2],"tags":[773,1544,194],"class_list":["post-33379","post","type-post","status-publish","format-standard","hentry","category-security","category-software","category-windows","tag-defender","tag-software","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/33379","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=33379"}],"version-history":[{"count":1,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/33379\/revisions"}],"predecessor-version":[{"id":33380,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/33379\/revisions\/33380"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=33379"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=33379"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=33379"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}