DamewareRE.exe and DamewareRemoteEverywhereAgent.exe being flagged by Symantec and Windows Defender

On either Thursday or Friday (June 11th and 12th), our team suddenly could no longer connect to end user systems using the applet - DamewareRE.exe. The applet is flagged by Symantec Endpoint Protection as WS.Reputation.1 and quarantined. The same for the desktop agent. Also, Microsoft Windows Defender SmartScreen (Win 10) is flagging it as well. I can duplicate this behavior on a personal machine with Norton Security and Windows 10 Home. Same behavior that suddenly started Thursday or Friday.

The DameWare executables generate different hashes. Our System Admin has concerns about flagging the application name as we don't want to let malicious applications through that may have the same name. 

Is anyone else experiencing this? How did you address it? We have a ticket (or two) open with SolarWinds but wanted to also see if anyone else is seeing this issue suddenly after this past Thursday or Friday.

Thanks,

  • Hi, we also experience this with Kaspersky AV and Check Point Sandblast Agent.

    This is because Dameware is a Remote Access Tool (RAT) classified as "riskware".

    Riskware is the name given to legitimate programs that can cause harm if they are used by malicious users to delete, block, modify or copy data, as well as to alter the performance of computers or networks.

    In our case we solved this by applying an exclusion to the specific protection that this software is triggering (not-a-virus: HEUR: RemoteAdmin.Win32.DameWare.gen). Sure you can find the right protection and exclude it.

  • Upon further investigation with SolarWinds, Symantec and Microsoft, it was determined that the root cause was due to SolarWinds' certificate issuers for DRE being switched from Symantec to another provider. We reached out to Symantec to have it whitelisted and now it is no longer being flagged. Microsoft's SmartScreen filter in Windows 10 started flagging it at the same time Symantec did. Per Microsoft, SmartScreen had to "learn" it again.

    At this time, neither our Symantec products nor the Microsoft SmartScreen filter is flagging it any longer. We were good to go once Symantec put the exception in their updates.
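
Added example, not part of any post in this thread: since the hashes differ between builds and a file-name exclusion is too broad, one way to scope an exception is to check the Authenticode signer of each executable, which is also where a change of certificate issuer becomes visible. The file paths and the expected publisher string below are assumptions to be replaced with your own values.

```powershell
# Added example: inspect the code-signing identity of the flagged executables
# before creating an exclusion. Paths and publisher string are placeholders.
param(
    [string[]]$Path = @(
        'C:\Path\To\DamewareRE.exe',                      # placeholder path
        'C:\Path\To\DamewareRemoteEverywhereAgent.exe'    # placeholder path
    ),
    [string]$ExpectedPublisher = 'SolarWinds'  # assumed substring of the signer subject
)

foreach ($file in $Path) {
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
        Write-Warning "Not found: $file"
        continue
    }

    $sig  = Get-AuthenticodeSignature -LiteralPath $file
    $cert = $sig.SignerCertificate   # $null when the file is unsigned
    $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash

    # Publisher check: the signature must validate against the local trust
    # store AND the signer subject must name the expected vendor. A matching
    # file name or a matching subject on an invalid signature is not enough.
    $publisherOk = ($sig.Status -eq 'Valid') -and $cert -and
                   ($cert.Subject -like "*$ExpectedPublisher*")

    [pscustomobject]@{
        File        = Split-Path -Leaf $file
        SHA256      = $hash                 # changes per build; recorded for the ticket only
        Status      = $sig.Status           # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Subject     = if ($cert) { $cert.Subject }    else { $null }
        Issuer      = if ($cert) { $cert.Issuer }     else { $null }  # shows a CA switch
        Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
        NotAfter    = if ($cert) { $cert.NotAfter }   else { $null }
        PublisherOk = [bool]$publisherOk
    }
}
```

Comparing the Issuer and Thumbprint of a build that was not flagged against one that is flagged shows whether the signing certificate changed, and the Subject gives the value to use for a publisher-scoped exception instead of a name or hash rule.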
