Atera agent found malicious by Bitdefender


Comments

  • frank.pietersma
    frank.pietersma Member Posts: 78 ✭✭✭

    I've opened a support ticket with Bitdefender regarding this issue.
    I will copy and paste the email conversation here for you all to read.
    I am still awaiting an answer to my last remarks:

    Good day! Yesterday at all of our customers Bitdefender GravityZone flagged the Atera monitoring agent as malware, resulting in loss of all the installed Atera agents. Can you please inform me what the reason was for flagging the software as malware? What caused Bitdefender to flag it as malware?

    Hello Frank,
    Thank you for contacting our Enterprise Support Team.
    The Atera application was flagged as PUA (“Potentially Unwanted Application”) hence the detection. The issue was resolved with the latest update.
    Let us know if you encountered any other issues.

    Hi,
    Thanks for your update.
    Could you elaborate a little more?
    Why was it flagged as Potentially unwanted application?
    Was there a specific reason ?

    Hello Frank,
    The application was flagged because it can be used in certain ransomware attacks if the attacker has access to the machine in cause.
    Let me know if there is anything else I can help you with.

    Hi,
    OK, Still not the answer I’m looking for. I will explain a little further.
    We’ve spent 16 man hours of restoring functionality and getting our agents back up and running.

    Not to speak of all the other Atera customers. Some have hundreds of machines which all became unreachable. Some Atera customers must work multiple days to get it back online.
    We take this as a very serious problem.
    You can imagine that “The issue was resolved with the latest update” is not a very satisfactory answer.
    We buy Bitdefender through Atera so it’s even more strange that Bitdefender flags the software of their partner as malware.

    Was it flagged by mistake by Bitdefender?
    Was it because something changed in the Atera software?
    Why did it get flagged now and not before?
    Should we worry for the future?
    What is done to prevent this in the future?

    Hoping for an honest and a bit more extensive answer.

  • JefferyABull
    JefferyABull Member Posts: 4

    Hey all, I don't know if this will help or not, but I had a secondary program to get into my client's servers and then used the following script to run a bat file with the example they provided above. This saved me a ton of time. The computers had to be rebooted before I did this. For many of them I had to run a remote shutdown command from the server.

    REM Fill in the target computer name and an account with admin rights on it.
    SET RemComputer=???
    SET AUserName=???
    SET AUserPass=???

    REM Map the remote C$ admin share (uses the current session's credentials)
    REM and make sure C:\Install exists on the remote machine.
    net use y: \\%RemComputer%\c$
    y:
    if exist "Y:\install" (
    echo Continue
    ) else (
    md install
    )
    REM E: is the local drive holding aterafix.bat; copy it to the remote machine.
    e:
    copy e:\aterafix.bat y:\install\AteraFix.bat
    net use y: /delete

    REM Run the copied batch file on the remote machine as SYSTEM (-s), detached (-d).
    psexec -u %AUserName% -p %AUserPass% \\%RemComputer% -s -d cmd.exe /c "c:\Install\AteraFix.bat"

  • tommy
    tommy Member Posts: 4

    Just a quick update for all:

    Bitdefender has pushed the same update (7.9.7.336) multiple times over the past 10 hours, not sure why so many times even though it's marked as "Installed", but at this point it doesn't matter.

    If the workstation is updated with the latest version of BD, the next steps are to reboot the system and reinstall Atera - NOTE: DO NOT UNINSTALL the agent before reinstalling or it will create a new device.

    (if you're lucky enough and Restore from quarantine works for you, thank your lucky stars)

    So far that's the only way to restore Atera to life.

    I manage 160 workstations with the Atera / BD combo and this is an absolute nightmare (I don't even want to imagine what it's like for those with 1000's), it's not for one client or one site, computers are all over the place. As of now I've spent the past 8 hours reinstalling critical workstations with the help of remote users and other ways, not even a third of the way done and will most likely have to spend the weekend running between offices and locations to get everything back up.

    I have open tickets with both Atera and Bitdefender pursuing an actual fix.

    So far got nothing but copy-paste replies from both.

    This is absolutely ridiculous and unacceptable.

    @Atera, this is your mess, we buy BD through you. We are all looking to you for answers and, more importantly, a REAL solution and.. yes.. compensation for this. People are and will have to spend hours, days even to get back online.
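    The readiness check below is an added example, not something posted in this thread or published by Atera or Bitdefender. It covers the sequence tommy describes (confirm the Bitdefender update is in place, reboot, then reinstall over the existing agent rather than uninstalling it) by reporting, on one machine, the Bitdefender version from the Uninstall registry keys and the state of the AteraAgent service and binary, and returning a verdict. Identifying Bitdefender by a DisplayName containing "Bitdefender" is an assumption; the service name and install path are the ones quoted elsewhere in this thread. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not code from this thread, Atera or Bitdefender.
# Assumptions: Bitdefender is identified by a DisplayName containing
# "Bitdefender" under the Uninstall registry keys; the service name and
# install path are the ones quoted elsewhere in this thread. Run elevated.

$RequiredBdVersion = [version]'7.9.7.336'   # build tommy reports being pushed
$AteraServiceName  = 'AteraAgent'
$AteraAgentExe     = 'C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe'

function Get-BitdefenderVersion {
    # Check both the 64-bit and the 32-bit Uninstall hives; $null if absent.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Bitdefender*' -and $_.DisplayVersion } |
        Select-Object -First 1
    if ($entry) { return ($entry.DisplayVersion -as [version]) }
    return $null
}

function Get-AteraAgentState {
    # Service registration and on-disk binary, checked independently because the
    # quarantine may have removed one without the other.
    $svc = Get-Service -Name $AteraServiceName -ErrorAction SilentlyContinue
    $status = if ($svc) { $svc.Status.ToString() } else { 'Missing' }
    [pscustomobject]@{
        ServicePresent = [bool]$svc
        ServiceStatus  = $status
        BinaryPresent  = Test-Path -Path $AteraAgentExe
    }
}

function Test-RecoveryReadiness {
    param($BdVersion, $Agent)
    # Decide whether the reboot-and-reinstall step can go ahead on this host.
    if (-not $BdVersion) {
        return [pscustomobject]@{ Ready = $false; Reason = 'Bitdefender not found in the Uninstall registry' }
    }
    if ($BdVersion -lt $RequiredBdVersion) {
        return [pscustomobject]@{ Ready = $false; Reason = "Bitdefender $BdVersion is older than $RequiredBdVersion; wait for the update" }
    }
    if ($Agent.ServicePresent -and $Agent.ServiceStatus -eq 'Running' -and $Agent.BinaryPresent) {
        return [pscustomobject]@{ Ready = $false; Reason = 'Atera agent is already running; nothing to do' }
    }
    [pscustomobject]@{ Ready = $true; Reason = 'Reboot, then run the Atera installer over the existing install (do not uninstall first, or the console gets a duplicate device)' }
}

$bd      = Get-BitdefenderVersion
$agent   = Get-AteraAgentState
$verdict = Test-RecoveryReadiness -BdVersion $bd -Agent $agent

"Bitdefender version : $(if ($bd) { $bd } else { 'not found' })"
"Atera service       : $($agent.ServiceStatus)"
"Atera binary present: $($agent.BinaryPresent)"
"Ready to reinstall  : $($verdict.Ready) - $($verdict.Reason)"
```

    The three functions are separate so the same check can be pushed to many hosts through whatever remote channel is still working (Splashtop, RDP, a USB stick) and the output collected before anyone reboots a machine that is in fact already healthy.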

  • trevor.gibson
    trevor.gibson Member Posts: 1

    We have seen similar activity with PC Matic SuperShield blocking Atera. Are we all comfortable with whitelisting everything from Atera? Doesn't seem very secure if an RMM can't pass cybersecurity scans..

  • russell.hoover
    russell.hoover Member Posts: 3

    This is the script we have been using to manually uninstall Atera on endpoints that would not respond to a recover, repair, reinstall or uninstall. After running the script, reboot, then fresh install Atera. It will install a duplicate in the console that needs to be deleted. We have run this on about 50 PCs that would not respond to anything we have performed. We, like everyone else, have spent a lot of man hours trying to figure this out, trying everything. Hope this helps someone.

    Open Notepad.
    Copy and paste the following into notepad.

    REM Uninstall the Atera agent MSI silently using its product code.
    msiexec /x {EFB51F01-9805-4293-BB16-6F17EF4CEDF2} /qn

    timeout /t 5 /nobreak >nul

    REM Stop and remove the agent service in case the MSI uninstall did not.
    sc stop AteraAgent > nul 2> nul
    sc delete AteraAgent > nul 2> nul

    REM Clear the per-user tray icon and its registry key.
    taskkill /f /im TicketingTray.exe > nul 2> nul
    REG DELETE "HKEY_CURRENT_USER\Software\ATERA Networks" /f > nul 2> nul
    RMDIR /S /Q "%userprofile%\appdata\local\temp\TrayIconCaching" > nul 2> nul

    REM Kill every agent helper process (taskkill /im needs the full image name, including .exe).
    taskkill /f /im AteraAgent.exe > nul 2> nul
    taskkill /f /im TicketingTray.exe > nul 2> nul
    taskkill /f /im AgentPackageMonitoring.exe > nul 2> nul
    taskkill /f /im AgentPackageInformation.exe > nul 2> nul
    taskkill /f /im AgentPackageRunCommandInteractive.exe > nul 2> nul
    taskkill /f /im AgentPackageEventViewer.exe > nul 2> nul
    taskkill /f /im AgentPackageSTRemote.exe > nul 2> nul
    taskkill /f /im AgentPackageInternalPoller.exe > nul 2> nul
    taskkill /f /im AgentPackageWindowsUpdate.exe > nul 2> nul
    taskkill /f /im AgentPackageSystemTools.exe > nul 2> nul
    taskkill /f /im AgentPackageHeartbeat.exe > nul 2> nul
    taskkill /f /im AgentPackageUpgradeAgent.exe > nul 2> nul
    taskkill /f /im AgentPackageProgramManagement.exe > nul 2> nul
    taskkill /f /im AgentPackageRegistryExplorer.exe > nul 2> nul

    timeout /t 4 /nobreak >nul

    REM Remove leftover registry keys (the Installer\Products entries are the agent's MSI product records).
    REG DELETE "HKEY_CURRENT_USER\Software\ATERA Networks" /f > nul 2> nul
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\ATERA Networks" /f > nul 2> nul
    REG DELETE "HKEY_CLASSES_ROOT\Installer\Products\4758948C95C1B194AB15204D95B42292" /f > nul 2> nul
    REG DELETE "HKEY_CLASSES_ROOT\Installer\Products\10F15BFE50893924BB61F671FEC4DE2F" /f > nul 2> nul

    REM Remove leftover program files.
    RMDIR /S /Q "C:\Program Files\ATERA Networks\AteraAgent" > nul 2> nul
    RMDIR /S /Q "C:\Program Files (x86)\ATERA Networks" > nul 2> nul

    Save as ateraremoval.bat and remember to change Save As Type to All Files.

    Right click on ateraremoval.bat and select run as administrator.

  • kspringer
    kspringer Member Posts: 1

    What are Atera and Bitdefender doing for us for this big hiccup... what about the teams who have over 1000 PCs... this is a nightmare

  • gwallace
    gwallace Member Posts: 8

    I would be interested to know how Atera's AI-powered IT could have prevented or resolved this :)

  • gwallace
    gwallace Member Posts: 8

    Did Bitdefender mark the Atera Agent as malicious just on Windows machines or did it affect agents on Mac and Linux machines as well?

  • beltane
    beltane Member Posts: 1

    How do we reboot the device without Atera running? After replacing the executable from the Quarantine, it's still not running. If the device has rebooted between detection and restoration, it removed the Service, but in any case, the service doesn't know it can run without a reboot. Which I cannot do.

    I primarily serve clients without servers, including one with over 60 machines spread across multiple locations and all located hour(s) away. Am I supposed to just wait for each user to reboot, since Atera has the on-machine Windows Updates disabled so the machine will never reboot itself?

  • JefferyABull
    JefferyABull Member Posts: 4

    Beltane, I have several clients without a server in their office and I have done two different things. 1. I used another remote access (GoToAssist) program to remotely run the bat file with their help. 2. I put the bat file on a flash drive and went over and ran it on each of their computers.

    Sorry!

  • frank.pietersma
    frank.pietersma Member Posts: 78 ✭✭✭

    @beltane The Atera agent is down but you can still connect to the machine with Splashtop.
    Just open the agent and click Connect. It should work. For us this was the life saver!

  • JefferyABull
    JefferyABull Member Posts: 4

    That didn't work for me. I was just glad I had never gotten rid of GoToAssist. It would act like it was going to connect and then it asked me to make sure the network is available and the Splashtop streamer is running. Every one of them.

  • tommy
    tommy Member Posts: 4

    I experienced the same thing with Splashtop, even asked me for credentials a few times, but never connected.

    Luckily I have VPN+RDP to critical computers.

    Still waiting to hear from Atera how they plan on compensating us. So far, except for one copy-paste reply yesterday morning I have yet to hear anything.

  • luis
    luis Member Posts: 5

    Atera support understands this is a "frustrating matter" everyone. That fixes everything 🙃

  • frank.pietersma
    frank.pietersma Member Posts: 78 ✭✭✭

    Continued conversation with Bitdefender, FYI:

    Hello Frank,
    Thank you for your prompt reply!
    In regards to your inquiries, in order to clarify the exact situation, please find my answers below:

    • The detection was added for PUA (potentially unwanted application) by our security teams due to the risk the application presented for business products (it was considered that the tool may create unwanted effects)
    • For these kinds of detections, the application is first analyzed on our end and if the impact of the detection on the market is considered to be negative, it will be removed.
    • The main reason behind the detection is that the application could be used for attacks. The details on how the application can be used for attacks can not be provided due to security reasons. For more clarifications, please contact and further discuss with Atera, as they should have addressed this as well.
    • The situation will not resurface in the future. There are discussions held on our side with Atera to prevent such a situation being encountered in the future.

    Please let me know if the above information clarified your inquiry and if you require further assistance on this matter.

    Hi again,
    Still a couple of questions unanswered.
    From your answers I do not get the feeling Bitdefender is taking this as seriously as it should.
    This has cost us a LOT of work and money to recover from this.
    There hasn’t been any apology from Bitdefender for the mess it caused for Atera/ Bitdefender customers.

    “we have updated our definitions and how you recover is your problem, case closed.”

    My questions which I still like to be answered:

    1. We know that the application was flagged as dangerous because it could be used in attacks.
      Does this mean that monitoring software from all vendors is marked as malware? Meaning Kaseya, Datto, N-able, Ninja, Syncro, since they are alike programs, or is it only Atera? If possible, please explain.
    2. We are using Atera and Bitdefender for quite some time. Why does it get flagged now and not way before? Has something changed? Please explain this.
    3. Was this a mistake from Bitdefender?
    4. When the software is still 'dangerous', why does Bitdefender not flag it anymore?

  • kim
    kim Member Posts: 113 ✭✭✭

    My understanding is most RMMs are being flagged as potential exploits by Bitdefender. This is one main reason why I don’t like BitDefender. Yes it’s cheap, but their service is subpar in my opinion. For my clients I use SentinelOne as my EDR. I feel it works better for my customers and it actually whitelisted the Atera Agent as I told it to do.
    Bitdefender was great for a while until it wasn’t and I had to move on.

  • frank.pietersma
    frank.pietersma Member Posts: 78 ✭✭✭
    edited November 2023

    Bitdefender is considered as one of the big brands in the security industry. Just like Sentinel One or Avast, Sophos, Symantec and I can think of more. Comparing products based on personal preferences is not what we should be doing here. They are all good products. Whitelisting programs is not best practice. In this case Bitdefender has caused a lot of trouble for Atera customers. What has happened is just unbelievable. We should get to the bottom of it and prevent this from ever happening again. I've never seen this in my career. Note I'm not saying this cannot happen with other RMM tools because it can. We all, including Atera, should learn from it and improve. The concern is that it happened before in combination with Microsoft Defender. I just don't want to accept that this is it and be in the same boat again in a few months. And that's why we need answers and measures to prevent this in the future.

  • frank.pietersma
    frank.pietersma Member Posts: 78 ✭✭✭

    Last words of Bitdefender:

    Thank you for your patience and before anything else I would like to present our official apologies for any frustrations/issues caused by the situation you have encountered with our security solution blocking Atera files as being PUA.

    I can assure you that our team is aware of the gravity of this situation and we will do everything we can to avoid a similar case/situation resurfacing in the future.

    The detection in question occurred only for the business version of Atera as our antimalware laboratories concluded initially that it can be used with malicious/suspicious content. The tool itself (Atera) was used in a few attacks our team noticed (worldwide) and this is why the detection was added from our end.

    The file was marked as a PUA (potentially unwanted application) and not malware. Based on known cases, marking the Atera Agent as a PUA was deemed as a way of protecting our clients.

    We are trying to improve the detection and increase the accuracy so we can have a minimal impact on clients using Atera Agent in a legitimate way, as part of their business.

    The detection is no longer active and we are researching a way to add a protection layer that will have a smaller impact (ideally no impact) on legitimate users.

    Detection added:        Tue Oct 31 10:28:15 2023
    Cloud exception added:  Wed Nov  1 11:10:00 2023
    Detection removed:      Wed Nov  1 19:47:24 2023

    Once again we would like to apologize for this situation and assure you that our team is available 24/7 in case you encounter any other issues.

    Have a nice day!

  • frank.pietersma
    frank.pietersma Member Posts: 78 ✭✭✭
    edited November 2023

    And the final email from Bitdefender with a bit more in-depth answer:

    Hello Frank,

    We are reaching out to provide an update regarding the reported incident impacting our customers who have the Atera agent installed, detections for PUA enabled, and the action set for infected files on disinfect.

    On October 31, 2023, a detection for the Atera agent was added as a Potentially Unwanted Application (PUA) due to our internal research on the latest attacks.
    Atera was used in the past as part of known attacks. From our tests and analysis to see how Atera can be used maliciously, we discovered the following: 
    • Anyone can receive an MSI package using any email address (because there is no validation during their trial form).
    • The agent can be installed silently on the target (after the initial access is gained) to obtain full access to that endpoint.

    Based on our findings, we consider the Atera agent as a potential risk for businesses and marked it as PUA.
    • Additional information relating to Atera:
    https://www.mandiant.com/resources/blog/seo-poisoning-batloader-atera
    https://www.bleepingcomputer.com/news/security/how-conti-ransomware-hacked-and-encrypted-the-costa-rican-government/

    The detection was added on Tue. October 31 at 08:28:15 2023 GMT. The following day, Wed. November 1 at 09:10:00 2023 GMT, we added an exclusion, and later the same day, at 17:47:24 2023 GMT, the detection was disabled.

    To limit the impact reported by our customers in their infrastructure, the detection has been temporarily disabled. We still consider the Atera agent as a security risk for businesses, however our laboratories will further analyze and test how to best implement it to reduce the impact in cases of legitimate use.

    To restore the systems to the previous state, the customers need to reinstall the Atera agent.

    Should you have additional questions, please do not hesitate to contact us.

    Have a nice day!
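    Bitdefender's explanation above (the agent can be installed silently once initial access exists) points at what a defender can watch for on the endpoint itself: a successful MSI install and a new service registration both leave standard Windows events behind. The script below is an added example, not Bitdefender's or Atera's code and not something posted in this thread. It parses Windows Installer event 1033 (Application log, provider MsiInstaller, "installed the product") and Service Control Manager event 7045 (System log, "a service was installed") for Atera entries, so that an agent install that does not match your own deployment records stands out. The three sample event messages are constructed to match the shape Windows writes; the service name AteraAgent and the install path come from this thread.

```powershell
# Added example, not code from this thread, Atera or Bitdefender.
# Assumptions: MsiInstaller event 1033 and SCM event 7045 are the standard
# Windows events for "product installed" and "service installed"; the service
# name AteraAgent and the install path are the ones quoted in this thread.

function ConvertFrom-InstallEvent {
    param([int]$Id, [string]$Message, [datetime]$Time)
    # Pull the product/service name (and, for 7045, the binary path) out of the
    # event text. Returns $null for events that are not about the Atera agent.
    $name = $null
    $file = $null
    switch ($Id) {
        1033 {
            if ($Message -match 'Product Name:\s*(?<n>.+?)\.\s*Product Version') { $name = $Matches['n'] }
        }
        7045 {
            if ($Message -match 'Service Name:\s*(?<n>[^\r\n]+)')      { $name = $Matches['n'].Trim() }
            if ($Message -match 'Service File Name:\s*(?<f>[^\r\n]+)') { $file = $Matches['f'].Trim() }
        }
    }
    if (-not $name -or $name -notmatch 'Atera') { return $null }
    [pscustomobject]@{ Time = $Time; EventId = $Id; Name = $name; File = $file }
}

function Find-AteraInstallEvents {
    # Query the live event logs of this host for the last $Days days.
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    $filters = @(
        @{ LogName = 'Application'; ProviderName = 'MsiInstaller';            Id = 1033; StartTime = $since },
        @{ LogName = 'System';      ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $since }
    )
    foreach ($f in $filters) {
        $events = Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $hit = ConvertFrom-InstallEvent -Id $e.Id -Message $e.Message -Time $e.TimeCreated
            if ($hit) { $hit }
        }
    }
}

# Constructed sample messages in the shape Windows writes them, so the parser
# can be exercised without touching the live logs. Version and manufacturer
# strings are placeholders.
$samples = @(
    @{ Id = 1033; Time = [datetime]'2023-10-31T08:30:00'
       Message = 'Windows Installer installed the product. Product Name: AteraAgent. Product Version: 0.0.0.0. Product Language: 1033. Manufacturer: constructed. Installation success or error status: 0.' },
    @{ Id = 7045; Time = [datetime]'2023-10-31T08:30:05'
       Message = "A service was installed in the system.`r`n`r`nService Name:  AteraAgent`r`nService File Name:  ""C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe""`r`nService Type:  user mode service`r`nService Start Type:  auto start`r`nService Account:  LocalSystem" },
    @{ Id = 1033; Time = [datetime]'2023-10-31T09:00:00'
       Message = 'Windows Installer installed the product. Product Name: Unrelated Tool. Product Version: 0.0. Product Language: 1033. Manufacturer: constructed. Installation success or error status: 0.' }
)

$hits = foreach ($s in $samples) { ConvertFrom-InstallEvent @s }
$hits | Format-Table -AutoSize
# Two rows come back (1033 AteraAgent, 7045 AteraAgent); the unrelated product is dropped.

# On a real endpoint, compare the install times against your own deployment
# records; an Atera install you did not schedule is the case to investigate.
# Find-AteraInstallEvents -Days 30 | Format-Table -AutoSize
```

    Keeping the parser separate from the log query means the same matching logic can run over events forwarded to a central collector, which is where an MSP would want to see an unexpected RMM install across all customers rather than on one machine at a time.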

  • mbudke
    mbudke Member Posts: 131 ✭✭✭

    Thanks for sharing all the feedback @frank.pietersma

    @nina: Sounds like BitDefender is putting strong words in the direction of Atera, especially as you are partnering. Is this information also shared with Atera and do you take any actions?
    I understand this is not a security problem inside Atera, but Atera is misused for such threats, which if it goes more into the media will create potential questions at our customers we have to deal with.

    Example:

    • it goes wrongly into media that the Atera client could be an impacted software
    • customer with some IT knowledge open their control panel on the PC and see the Atera client
    • customer uninstalls / removes Atera by themselves
    • we have to re-install the client (new client ID) + explain to the customer that they are not impacted
    • if there is an uninstall protection this is great for us but could cause even more panic at the customer side

    As the first incident did appear in April 2023 I did raise it via support and was directly navigated to the security department which was handled pretty well! The result was that the incident at that time was down to a 3rd party software and not Atera and Atera was just the misused tool. I was pointed to the page https://www.atera.com/trust/

    With the recent incident with BitDefender I feel if this could come back again which is why I am asking.
    Maybe as a small countermeasure, would it be possible to rename the client when being installed on a computer? Of course threat actors can misuse this as well, but then it does not directly fall back to the same product name, which at least avoids the confusion.

  • luis
    luis Member Posts: 5

    Looking forward to an official reply from Atera regarding what is being done to avoid this from happening again. @nina

  • nina
    nina Internal Posts: 428 ✭✭✭✭✭

    We’d like to share some insights into the recent classification of the Atera agent by Bitdefender. Bitdefender recently categorized our agent as a ‘Potentially Unwanted Application’ (PUA). This occurred on October 31, 2023. This tag is applied to software that, while legitimate, has potential misuse scenarios in cyber incidents. We emphasize that Bitdefender does not deem the Atera agent as malicious.

    We acknowledge that this has presented challenges for some of our users. We have since discussed with Bitdefender, analyzed, and identified measures to enhance communication and minimize the risk of future disruptions.

    Your trust in Atera is paramount, and we are dedicated to ensuring the reliability and integrity of our services.

  • frank.pietersma
    frank.pietersma Member Posts: 78 ✭✭✭

    I do not entirely agree with Nina's latest comment. This is and remains disconcerting because it does not guarantee that this will not happen again. If not through Bitdefender, then through another security solution. I want to point out that earlier this year, the Atera agent was removed by Windows Defender. In my communication with Bitdefender, they emphasized that they still view the Atera agent as a security risk.

    Quote: "To limit the impact reported by our customers in their infrastructure, the detection has been temporarily disabled. We still consider the Atera agent as a security risk for businesses, however our laboratories will further analyze and test how to best implement it to reduce the impact in cases of legitimate use."

    I am far from reassured. Apparently, the real problem is not solved.
    Therefore, I would like to see concrete measures to prevent this. Assuring us taking this seriously is not enough.

  • kim
    kim Member Posts: 113 ✭✭✭

    Like with all things cyber security, it is not "if" it is "when". There will always be bad actors trying to infiltrate the system and I implore you to have the same scrutiny for the other RMMs, to include Microsoft's Intune, and others. Honestly, I am happy there is a response from Atera, because try to get that from any other environment solution. Atera cannot promise it's impenetrable, because if they did, I wouldn't trust it at all. Instead, I like how they say the different measures they have taken to remediate the issue and how they are trying to improve their fortification. If it was radio silence and they just existed to take the money and not answer their customers, like I have had that issue with other RMMs, then they would not have my business.