Auto Isolation for Rogue ScreenConnect
Brett Kelly
Huntress logs alerts to ScreenConnect instances.
Huntress has the capability to isolate a computer when a severe threat is detected.
Rogue ScreenConnect active sessions are a severe threat.
We can tell you for sure they are a severe threat by allow-listing the one and only host our clients are allowed to connect to.
Ergo, Huntress should auto-isolate a host when it connects to a known rogue ScreenConnect instance, and you don't have to worry about false positives because we have already told it exactly what it should do.
I have said this to every Huntress rep and they all seem puzzled. I don't understand why; all the pieces are already there. This would be a huge bonus for all of us and it seems trivial to implement.
Please consider fast tracking this.
Matt Buehlmann
I will just drop here that there is some risk for a benign true-positive if a 3rd party company (e.g., Application Specific Support) is using ScreenConnect to perform maintenance or troubleshooting activities, but agree the benefits of this feature would likely outweigh the potential inconvenience.
Maybe having the option to treat this as an escalation ("Endpoint Rogue Apps") similar to the way ITDR handles unexpected App Registrations would be a happy medium?
Kevin Walker
It would be good to be able to whitelist any known RMMs and have any unknown ones blocked pending investigation. ScreenConnect uses client IDs so it should be easy to identify any additional installs.
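The allow-list logic proposed in the original post and the client-ID idea above, as an added illustration that is not Huntress code or part of this thread: each ScreenConnect client install is identified by the ID in its service name, the relay host it connects to is read from the client command line, and the instance is classified as allowed, known rogue (isolate) or unknown (escalate for investigation). The inventory lines, the `h=` relay parameter and all host names are constructed assumptions for the example.

```python
import re

# Constructed sample process inventory, "<service name>|<command line>" (not real telemetry).
SAMPLE_INVENTORY = [
    r'ScreenConnect Client (0123456789abcdef)|"C:\Program Files (x86)\ScreenConnect Client (0123456789abcdef)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=support.example-msp.test&p=8041&k=KEY_PLACEHOLDER"',
    r'ScreenConnect Client (fedcba9876543210)|"C:\Program Files (x86)\ScreenConnect Client (fedcba9876543210)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.badactor.test&p=8041&k=KEY_PLACEHOLDER"',
    r'ScreenConnect Client (00aa11bb22cc33dd)|"C:\Program Files (x86)\ScreenConnect Client (00aa11bb22cc33dd)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=unknown-vendor.test&p=8041&k=KEY_PLACEHOLDER"',
    r'Spooler|C:\Windows\System32\spoolsv.exe',
]

# The one relay host our clients may connect to, and relay hosts already known to be rogue (both assumed).
ALLOWED_RELAY_HOSTS = {"support.example-msp.test"}
KNOWN_ROGUE_RELAY_HOSTS = {"relay.badactor.test"}

# Client ID as it appears in the per-install service name, e.g. "ScreenConnect Client (0123456789abcdef)".
SERVICE_RE = re.compile(r"ScreenConnect Client \(([0-9a-fA-F]+)\)")
# Relay host from the client's launch parameters (assumed to be carried in an "h=" query parameter).
HOST_RE = re.compile(r'[?&]h=([^&\s"]+)')


def parse_instance(line):
    """Return (client_id, relay_host) for a ScreenConnect client line, or None for anything else."""
    service, _, cmdline = line.partition("|")
    svc = SERVICE_RE.search(service)
    if not svc:
        return None
    host = HOST_RE.search(cmdline)
    return svc.group(1).lower(), host.group(1).lower() if host else None


def classify(relay_host, allowed=ALLOWED_RELAY_HOSTS, rogue=KNOWN_ROGUE_RELAY_HOSTS):
    """Map a relay host to the response a defender would want: allow, isolate, or escalate."""
    if relay_host in allowed:
        return "allowed"
    if relay_host in rogue:
        return "isolate"          # connects to a known rogue instance: auto-isolate
    return "escalate"             # unknown instance: block pending investigation


def triage(lines):
    """Classify every ScreenConnect install found in the inventory lines."""
    results = []
    for line in lines:
        parsed = parse_instance(line)
        if parsed:
            client_id, relay_host = parsed
            results.append((client_id, relay_host, classify(relay_host)))
    return results


if __name__ == "__main__":
    for client_id, relay_host, verdict in triage(SAMPLE_INVENTORY):
        print(f"{client_id}  {relay_host}  -> {verdict}")
```

A third-party support vendor's legitimate instance, as raised below, would land in the "escalate" bucket rather than being isolated outright, which is the middle ground the thread asks for.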
Darren Djernes
Or consider auto-isolate for any known rogue RMM or remote control software.