Bitdefender and Atera agent: the empire strikes back?

ona_from_conforma
ona_from_conforma Member Posts: 3

Hi all,

I was wondering whether anyone using Bitdefender's GravityZone in combination with Atera has encountered this issue. I've had a single agent receiving advanced threat control blocks for suspicious behavior, all commands executed by the SYSTEM user - sometimes from the Splashtop agent. The blocked commands basically are Windows Update commands, pushed through a configuration profile in Atera.

It's just the one agent so far, but I was brought back to late last year when Bitdefender quarantined Atera completely.

Are any of you seeing this behaviour pop up too?

The device in question was in dire need of updates and pending a name change, but Bitdefender keeps on blocking the commands. They seem to be pushed via the locally installed Splashtop agent.

A harmful process has been detected by Behavior Scan on the following endpoint in your network:

Computer Name: WS028
Computer IP: 192.168.x.y
Installed Agent: Bitdefender Endpoint Security Tools
Command Line: "C:\Windows\SysWOW64\cmd.exe" /c chcp 65001&&powershell.exe -Command "$Session = New-Object -ComObject Microsoft.Update.Session;$Searcher = $Session.CreateUpdateSearcher();$Res = $Searcher.search(\"IsInstalled = 0 And DeploymentAction=*\");$array = @();foreach($update in $Res.Updates) {$line = \"\" | select kbid, title, desc, updateId, category, severity, important, eulaAccepted, maxSize, minSize, type, releaseDate, rebootRequired;$line.title = $update.Title;$line.desc = $update.Description;$line.updateId = $update.Identity.UpdateID;$line.category = \"\";foreach($category in $update.Categories) { $line.category += \"$($category.CategoryID),\" };$line.kbid = $update.KBArticleIDs -join ' ';$line.severity = $update.MsrcSeverity;$line.important = $update.AutoSelectOnWebSites;$line.eulaAccepted = $update.EulaAccepted;$line.maxSize = $update.MaxDownloadSize;$line.minSize = $update.MinDownloadSize;$line.type = $update.Type;$line.releaseDate = $update.LastDeploymentChangeTime.toString(\"yyyy:MM:dd hh:mm:ss\");$line.rebootRequired = $update.RebootRequired;$array += $line;};ConvertTo-Json $array;"
Parent Process Path: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe
Parent PID: 13228
Exploit Type: ATC Application
Exploit Path: C:\Windows\SysWOW64\cmd.exe
Exploit Status: ATC/IDS Disinfected
Last Blocked: 28 May 2024 15:02:46
Logged User: SYSTEM
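The alert above is the kind of ATC event an admin ends up triaging by hand. As an added Python example (not from the post, Bitdefender or Atera), this parses the quoted alert fields and applies the two checks a defender wants here: is the parent process a known RMM binary, and is the command the Windows Update Agent COM query the post describes? The Splashtop path is the one from the alert; any further trusted parent path is an assumption you fill in for your own fleet.

```python
import re

# Constructed sample taken from the alert quoted in the post (command line shortened).
SAMPLE_ALERT = r"""Computer Name: WS028
Computer IP: 192.168.x.y
Command Line: "C:\Windows\SysWOW64\cmd.exe" /c chcp 65001&&powershell.exe -Command "$Session = New-Object -ComObject Microsoft.Update.Session;$Searcher = $Session.CreateUpdateSearcher();ConvertTo-Json $array;"
Parent Process Path: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe
Exploit Path: C:\Windows\SysWOW64\cmd.exe
Logged User: SYSTEM
"""

# Parent binaries allowed to spawn scripted update checks on this fleet. Only the
# Splashtop path is on the page; your own RMM agent path is an assumed, site-specific add.
TRUSTED_RMM_PARENTS = {
    r"c:\program files (x86)\splashtop\splashtop remote\server\sragent.exe",
}
# Windows Update Agent COM API calls that mark a benign update inventory query.
UPDATE_API_MARKERS = ("microsoft.update.session", "createupdatesearcher")
# The cmd.exe -> chcp 65001 && powershell.exe chain that ATC flagged in this alert.
CMD_TO_POWERSHELL = re.compile(r"chcp\s+65001\s*&&\s*powershell(\.exe)?", re.IGNORECASE)

def parse_alert(text):
    """Turn the 'Field: value' lines of a GravityZone ATC mail into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")  # first ': ' ends the field name
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def triage(fields, trusted_parents=TRUSTED_RMM_PARENTS):
    """Classify one ATC alert: RMM-driven update check, needs review, or escalate."""
    cmd = fields.get("Command Line", "")
    parent = fields.get("Parent Process Path", "").lower()
    result = {
        "endpoint": fields.get("Computer Name", "?"),
        "parent_trusted": parent in trusted_parents,
        "update_query": all(m in cmd.lower() for m in UPDATE_API_MARKERS),
        "cmd_to_powershell": bool(CMD_TO_POWERSHELL.search(cmd)),
    }
    if result["parent_trusted"] and result["update_query"]:
        # Known RMM parent running the Windows Update COM query: probable false positive.
        result["verdict"] = "likely_rmm_update_task"
    elif result["parent_trusted"]:
        result["verdict"] = "review"  # trusted parent, but not a command we recognise
    else:
        result["verdict"] = "escalate"  # unknown parent chaining cmd -> powershell as SYSTEM
    return result
```

Run `triage(parse_alert(SAMPLE_ALERT))` on the alert from the post and the verdict is `likely_rmm_update_task`; the same command from an unknown parent path is escalated instead.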

Comments

  • iectechbrian
    iectechbrian Member Posts: 157 ✭✭✭✭

    I don't use Bitdefender, but I am commenting to bump it up. Hopefully someone who knows will see this and know how to help.

    If not, try chatting in the Atera Agent with support. They have always been effective in helping me on problems I've had. Hopefully it'll be the same, or they will at least be able to get you in contact with someone at Bitdefender who can help!

  • ona_from_conforma
    ona_from_conforma Member Posts: 3

    I've deleted the Splashtop agent and that has stopped all notifications so far, so it seems as if some commands should have been run with the Atera Agent where the Splashtop agent suddenly started to be used for this. It's just weird that this happened with this specific device and not any others.

  • iectechbrian
    iectechbrian Member Posts: 157 ✭✭✭✭

    That is very odd for sure. Good thing there's an alternative to Splashtop.