------------------------------

Syscom AS

------------------------------


Original Message:

Sent: 05-03-2021 10:51 AM

From: Colin McRae

Subject: False positives with SEP and Teamviewer?


Yeah I've been annoyed by this issue for well over a month, maybe two months. I manage a lot of SES customers and most of them are seeing "attacks" on port 5938 almost every day (seen via IPS reports). So far Symantec has not acknowledged the issue in a separate post I had made a while ago, they're busy with other stuff I suppose. Judging by Teamviewer's general behavior over the years I've been using it, I don't think they have a very solid product design that's impervious to compromise, so I would not be surprised to learn some day in the future that their product had been hacked or something, but having said that, there's currently no reason to think they're any real issue.

The problem lacks the regularity of a heartbeat, but happens often enough that I am very much confused by the pattern.

It's also not ok to just whitelist the exe file, that's lazy secops behavior and rules out real detections later. So on this one I would have to think Symantec needs to talk to TeamViewer and work this out, or just identify the false positive trigger and fix that if applicable.

Original Message:

Sent: 04-29-2021 01:59 PM

From: r m

Subject: False positives with SEP and Teamviewer?


I've got some machines with Teamviewer installed. I'm seeing a lot of outbound attacks in SEPM logs for network attack on some machines that have Teamviewer, and different versions of Teamviewer. It looks like Symantec is calling teamviewer_service.exe an outbound attack. I'm thinking it's some kind of heart beat/checkin thing that Teamviewer is doing, that machine reporting itself in with Teamviewer.


Is anyone seeing that? That is a false positive, correct? It's pretty consistent on machines with Teamviewer. I don't believe they all got compromised, and there are no other signs. My network attacks alerts started blowing up yesterday morning.


------------------------------

rmo

------------------------------





To set up 2 factor authentication, log into teamviewer.com, and then hit the dropdown arrow on your username in the top right, and then hit "edit profile". The Two factor authentication setup (if it's not set up) will be the 4th option down on the "general" tab. You will need an app like the "google authenticator".

To set up a Whitelist, open the teamviewer program, and make sure you are logged in with your account, and then go to extras>options. In options, go to the "security" tab, and hit the "configure" button next to "black and whitelist". This will open a popup box. Tick the "allow access only for the following partners" mark, and then the "add" button. "add contacts" should be selected, and then double click on your own account. That will "add" you to the whitelist. Hit "okay", and your whitelist is set up. You can add others, but do this at your own risk.

Just wondering if any of you have experience customizing TeamViewer Host 9 for deployment?

I tried following these instructions: -teamviewer-host-to-be-deployable-via-managed-software-update-munki-on-mac-os-x/

Worth noting, when you download your custom-made TeamViewer module package, TeamViewer does NOT include your customizations in the package itself. The TeamViewer application has to be able to talk to teamviewer.com to download the customization files it needs. Why TeamViewer doesn't put these things in the package you download I really don't know ... Anyway, we ran into the problem where the VLAN we were using was preventing TeamViewer Host from accessing teamviewer.com, and rather than open up the whole website in our web filter, I just temporarily connected the computer to a different VLAN just to get the customization files. With those files downloaded, I then took the 2nd Composer snapshot.

I've tried deploying teamviewer on our macs using composer and it never seemed to work. It's been about a year since I tried last, but I think one of the issues was that it either didn't assign to our account, didn't keep our unattended password, or didn't show up in our list when logging into the Teamviewer clients.

SO! Today I said enough is enough. I'm tired of imaging our machines, logging in, opening a web browser, navigating to our custom PKG URL @ get.teamviewer.com/uniquepathhere, clicking through the installer, setting a passcode, etc. etc. just to get TeamViewer on our machines.

The real key here for me was getting the full download path to our custom module (the curl line of the script). If you go to your module's URL - get.teamviewer.com/customurlpathformodule - there is a link in the middle of the page that you can click in the event the PKG doesn't download automatically.

@dvasquez It looks like the /Library/Preferences PLIST (com.teamviewer.teamviewer10.plist) holds this information underneath the key of PermanentPassword, but all the sensitive information in this PLIST is encrypted. To automate or deploy this password you'd have to do some fancy stuff, but frankly I'm not sure this is possible.

I have installed Teamviewer QS in our Citrix environment. I launch it, then I can see the ID and password. If I try to connect to the Virtual Desktop through Teamviewer from a local client, it tries very fast and then closes the connection. I do not get any help in the event viewer on the server/local client.

I was wondering if TeamViewer uses certificate pinning so I tried to decrypt it. I've set a simple decrypt rule to decrypt everything from one IP going to internet. But the rule doesn't seem to work for TeamViewer. All SSL sessions are decrypted but teamviewer-base isn't. I've also tried sharing file over it and I didn't see it in data log, also application didn't change to teamviewer-sharing. So I'm pretty sure TeamViewer didn't get decrypted while other SSL sessions did.