------------------------------
Syscom AS
------------------------------
Original Message:
Sent: 05-03-2021 10:51 AM
From: Colin McRae
Subject: False positives with SEP and Teamviewer?
Yeah I've been annoyed by this issue for well over a month, maybe two months. I manage a lot of SES customers and most of them are seeing "attacks" on port 5938 almost every day (seen via IPS reports). So far Symantec has not acknowledged the issue in a separate post I had made a while ago, they're busy with other stuff I suppose. Judging by Teamviewer's general behavior over the years I've been using it, I don't think they have a very solid product design that's impervious to compromise, so I would not be surprised to learn some day in the future that their product had been hacked or something, but having said that, there's currently no reason to think they're any real issue.
The problem lacks the regularity of a heartbeat, but happens often enough that I am very much confused by the pattern.
It's also not ok to just whitelist the exe file, that's lazy secops behavior and rules out real detections later. So on this one I would have to think Symantec needs to talk to TeamViewer and work this out, or just identify the false positive trigger and fix that if applicable.
Original Message:
Sent: 04-29-2021 01:59 PM
From: r m
Subject: False positives with SEP and Teamviewer?
I've got some machines with Teamviewer installed. I'm seeing a lot of outbound attacks in SEPM logs for network attack on some machines that have Teamviewer, and different versions of Teamviewer. It looks like Symantec is calling teamviewer_service.exe an outbound attack. I'm thinking it's some kind of heart beat/checkin thing that Teamviewer is doing, that machine reporting itself in with Teamviewer.
Is anyone seeing that? That is a false positive, correct? It's pretty consistent on machines with Teamviewer. I don't believe they all got compromised, and there are no other signs. My network attack alerts started blowing up yesterday morning.
------------------------------
rmo
------------------------------
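One way to triage these IPS events without whitelisting the executable outright, as an added example that is not part of this thread or of Symantec's tooling (the event field names, sample events and install path are assumptions):

```python
"""Triage helper for IPS 'outbound attack' events blamed on TeamViewer.

Added example, not SEPM tooling. Event dicts are constructed and the field
names are assumptions, not Symantec's export schema. An event is only a
false-positive *candidate* when it matches the exact pattern the thread
describes (teamviewer_service.exe, outbound, remote port 5938, from the
expected install directory); anything else from that executable is kept
for analyst review instead of being hidden by a blanket file whitelist.
"""
from collections import Counter

KNOWN_PROCESS = "teamviewer_service.exe"
KNOWN_PORT = 5938  # TeamViewer port reported in the thread
EXPECTED_DIR = r"c:\program files\teamviewer"  # assumed install location

SAMPLE_EVENTS = [  # constructed sample events, not real log data
    {"host": "ws01", "process": r"C:\Program Files\TeamViewer\teamviewer_service.exe",
     "direction": "outbound", "remote_port": 5938},
    {"host": "ws01", "process": r"C:\Program Files\TeamViewer\teamviewer_service.exe",
     "direction": "outbound", "remote_port": 5938},
    {"host": "ws02", "process": r"C:\Program Files\TeamViewer\teamviewer_service.exe",
     "direction": "outbound", "remote_port": 4444},  # unexpected port: review
    {"host": "ws03", "process": r"C:\Users\Public\teamviewer_service.exe",
     "direction": "outbound", "remote_port": 5938},  # unexpected path: review
    {"host": "ws04", "process": r"C:\Windows\System32\svchost.exe",
     "direction": "outbound", "remote_port": 5938},  # other process: unrelated
]


def classify(event):
    """Return 'candidate-fp', 'review' or 'unrelated' for one IPS event."""
    directory, _, name = event["process"].lower().rpartition("\\")
    if name != KNOWN_PROCESS:
        return "unrelated"
    if (directory == EXPECTED_DIR and event["direction"] == "outbound"
            and event["remote_port"] == KNOWN_PORT):
        return "candidate-fp"
    return "review"


def triage(events):
    """Count verdicts and return the events an analyst still has to examine."""
    verdicts = [(classify(e), e) for e in events]
    counts = Counter(v for v, _ in verdicts)
    return counts, [e for v, e in verdicts if v == "review"]


if __name__ == "__main__":
    counts, to_review = triage(SAMPLE_EVENTS)
    print(dict(counts), [e["host"] for e in to_review])
```

The candidate-fp bucket is what you would raise with the vendor as the suspected trigger, while the review bucket keeps the detections the poster above does not want to lose.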
I was wondering if TeamViewer uses certificate pinning so I tried to decrypt it. I've set a simple decrypt rule to decrypt everything from one IP going to the internet. But the rule doesn't seem to work for TeamViewer. All SSL sessions are decrypted but teamviewer-base isn't. I've also tried sharing a file over it and I didn't see it in the data log, and the application didn't change to teamviewer-sharing either. So I'm pretty sure TeamViewer didn't get decrypted while other SSL sessions did.
I'm trying to imagine a connection that is between a remote machine and my computer. The remote machine is sending the packets (and their header (for instance, destination IP, message body)) to me but it only knows my id number (which is given by my local teamviewer application).