
November 26th, 2018 13:00

Screenconnect update causes security event on all machines

Hi,


This is the second time this has happened for us. On the update of the client it sends a security event to all staff when it tries to install. We have the program whitelisted and it is the same name/location every time it updates.
Any idea how we can get this fixed?


December 1st, 2018 16:00

Hi hoelle512m08,

With applications that update frequently, their hash values for the application can change, which will result in the Advanced Threat Prevention application (both for Dell Endpoint Security Suite Enterprise and Dell Threat Defense) having to re-evaluate the files that were laid down. This can cause these dialogs that your users are seeing to prompt while the file is being analyzed.

There are a few ways we could tackle this to prevent the pop-ups for your end-users. 

White-list the application based on its signing certificate:
We have a how-to guide on finding the signing certificate used for the application, and how to use that certificate to white-list any application signed by it: https://www.dell.com/support/article/us/en/04/sln305778

Disable the pop-ups for the end users, or increase the threshold for when they appear:
For Dell Endpoint Security Suite Enterprise, there are two policies that can be changed that modify if users receive prompts, or the severity level of an event before a user receives the prompt. These policies are under Populations -> Enterprise (or Endpoint Group/Endpoint) -> Advanced Threat Prevention -> click "show advanced settings" at the bottom of the list -> "Suppress Popup Notifications" and "Minimum Popup Notification Level".

Checking the box next to "Suppress Popup Notifications" will remove the ability for pop-ups to be displayed to the end user. 

"Minimum Popup Notification Level" has multiple severity levels defined that modify what events cause a prompt to the user:

High

1) Protection status has changed. (Protected means that the Advanced Threat Prevention service is running and protecting the computer and needs no user or administrator interaction.)

2) A threat is detected and policy is not set to automatically address the threat.

Medium

1) Execution Control blocked a process from starting because it was detected as a threat.

2) A threat is detected that has an associated mitigation (for example, the threat was manually quarantined), so the process has been terminated.

3) A process was blocked or terminated due to a memory violation.

4) A memory violation was detected and no automatic mitigation policy is in effect for that violation type.

Low

1) A file that was identified as a threat has been added to the Global Safe List or deleted from the file system.

2) A threat has been detected and automatically quarantined.

3) A file has been identified as a threat but waived on the computer.

4) The status of a current threat has changed (for example, Threat to Quarantined, Quarantined to Waived, or Waived to Quarantined).

 

I hope those suggestions and options help. If these do not get you in the direction desired, I would suggest opening a Service Request with Dell ProSupport so we can find the best configuration for your environment.
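
An added example, not part of the reply above or of Dell's how-to guide: a PowerShell check that compares the SHA-256 hash and Authenticode signer of each binary in the pre-update and post-update copies of an application, showing which files a certificate-based white-list entry would still cover after the update. `$OldDir` and `$NewDir` are placeholders for your own copies of the two client versions, and comparing signers by certificate thumbprint is an assumption made here for illustration.

```powershell
# Added example: compare file hashes and Authenticode signers across two
# copies of an application (before and after an update).
# $OldDir and $NewDir are placeholders; point them at your own copies.
param(
    [Parameter(Mandatory)] [string] $OldDir,
    [Parameter(Mandatory)] [string] $NewDir
)

function Get-BinaryIdentity {
    param([string] $Dir)
    Get-ChildItem -Path $Dir -Recurse -File -Include *.exe, *.dll |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Name       = $_.Name
                Sha256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                SigStatus  = $sig.Status   # Valid, NotSigned, HashMismatch, ...
                Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
            }
        }
}

# Index the old version by file name (first match wins if a name repeats).
$old = Get-BinaryIdentity -Dir $OldDir | Group-Object Name -AsHashTable -AsString
$new = Get-BinaryIdentity -Dir $NewDir

$report = foreach ($n in $new) {
    $o = if ($old -and $old.ContainsKey($n.Name)) { $old[$n.Name][0] } else { $null }
    [pscustomobject]@{
        Name          = $n.Name
        HashChanged   = (-not $o) -or ($o.Sha256 -ne $n.Sha256)
        SignerChanged = (-not $o) -or ($o.Thumbprint -ne $n.Thumbprint)
        SigStatus     = $n.SigStatus
        Thumbprint    = $n.Thumbprint
    }
}
$report | Format-Table -AutoSize

# Files a certificate-based entry would NOT cover after the update:
# unsigned or invalidly signed binaries, and binaries whose signer changed
# (for example, after the vendor renews its code-signing certificate).
$report | Where-Object { $_.SigStatus -ne 'Valid' -or $_.SignerChanged } |
    Select-Object Name, SigStatus, Thumbprint
```

Rows with `HashChanged` true and `SignerChanged` false are the case the reply describes: a hash-based entry stops matching on update while the signing certificate stays the same. Any file listed by the final filter would still be re-evaluated under a certificate-based entry.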
