Atera agent found malicious by Bitdefender

wfield
wfield Member Posts: 3
edited December 2023 in Remote Monitoring

We have lost most of our agents because Bitdefender sees Atera as malicious.

"A malware outbreak has been detected in your network! At least 41%(125)
from a total of 311 endpoints were found infected with
"Gen:Variant.Application.RemoteAtera.1"

Live chat has told me to exclude all Atera folders.

Anyone else with this issue?

Tagged:
«1

Comments

  • frank.pietersma
    frank.pietersma Member Posts: 78 ✭✭✭
    edited November 2023

    OMG this is bad. Same here!
    All our managed servers are unreachable. No way to access the servers anymore. How on earth is this possible! Support says to exclude Atera folders for now and there is no ETA when this if fixed.

  • JefferyABull
    JefferyABull Member Posts: 4

    Same issue here.

  • chansen
    chansen Member Posts: 7

    Same here, where else do we post this for more visibility ? Sending a tech to all these sites for reinstall/whitelisting would be costly. We are using the integration between these company's so this shouldn't be a surprise.

  • IvanWeaver_ITSLLC
    IvanWeaver_ITSLLC Member Posts: 3
    edited October 2023

    Same Issue here - fortunately we have a fall back option or would have been more than severely crippled.

    It happened just as I rolled out some security patches, so I thought they were to blame.

  • frank.pietersma
    frank.pietersma Member Posts: 78 ✭✭✭

    Excluded Atera agent and directories in bitdefender gravity zone policies.
    restored atera agent from bit defender quanrantine
    Rebooted servers.
    Atera agent still not working !!!
    Tried to reinstall agent and it failed
    Support said to wait for an email with an update.
    Frankly, I find that Atera is very relax knowing that this is happening. May we call it a major issue.
    All servers down and unreachable
    All SNMP devices monitored by server agent unreachable.

  • IvanWeaver_ITSLLC
    IvanWeaver_ITSLLC Member Posts: 3

    So, I published the Agent EXE as a false positive to BitDefender. They have responded saying that it malicious.

    I have responded to BDef requesting clarification of how its malicious (maybe ATERA doesnt know its infected) when they (Atera) are an integration partner.

  • IvanWeaver_ITSLLC
    IvanWeaver_ITSLLC Member Posts: 3

    further update from ATERA - They have opened a case with BitDefender to get to the bottom of it.

    as we've all done - Exceptions of Program Files folders under, additionally, the agent's working Temp folder and then we need to reinstall/reset the service.

    Additional Folder:
    > C:\Windows\Temp\AteraUpgradeAgentPackage

    -> cd "C:\Windows\Microsoft.NET\Framework\v4.0.30319"
    -> InstallUtil.exe "C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"
    ** Wait for the process to finish successfully, then run in CMD: **
    -> sc stop ateraagent && sc start ateraagent

  • nina
    nina Internal Posts: 428 ✭✭✭✭✭

    Hi all! Nina from Atera here. We have opened a case with Bitdefender and are speaking with them shortly. We will be sure to update you.

    In the interim, I have opened support tickets for each of you.

  • nina
    nina Internal Posts: 428 ✭✭✭✭✭

    Hi everyone! It is now resolved; it was an issue on Bitdefender's end. Thank you for bringing it to our attention.

  • billy
    billy Member Posts: 10

    so far still an issue.

    do you have remediation instructions.

    reinstall of atera fails to work

  • frank.pietersma
    frank.pietersma Member Posts: 78 ✭✭✭

    14:00 Update: We have just completed our work in getting the servers back online. It has cost us 6 hours of this work day (and a part of yesterday evening when we noticed it) to fix it.
    We are happy that the issue is resolved but a little more background info would be appreciated and is beneficial for understanding and essential for context and building consensus.

    This is the second time this happens. Earlier this year Atera was deleted by Windows defender.
    How is this even possible? What is causing Bitdefender to flag Atera as Malware? Has it something to do with the notorious: OpenHardwareMonitorLib.sys? Is Atera still using this?
    What has been done to prevent this in the future? Are there things we, the customers can do?

  • frank.pietersma
    frank.pietersma Member Posts: 78 ✭✭✭

    @billy For us this did the trick :

    1 Exclude Atera directories in BItdefender
    2 Exclude C:\Windows\Microsoft.NET\Framework\v4.0.30319 folder in Bitdefender
    3 Restore AteraAgent.exe from Bitdefender quarantine
    4. Reboot the device
    5. Open CMD as administrator and run these commands individually

    cd "C:\Windows\Microsoft.NET\Framework\v4.0.30319"
    InstallUtil.exe "C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"
    Manualy start the Atera agent service

  • billy
    billy Member Posts: 10

    @frank.pietersma thanks for this.

    just in process of doing this.

    it's frustrating that comms were poor. i'm sure there are some out there who have had everything deleted, was only 20 odd endpoints for me.

    "it's resolved" isn't an answer

  • luis
    luis Member Posts: 5
    edited November 2023

    Agreed, had this issue happen on my end. What are the Atera directories? Anyone have a link to those? I have a back end for some endpoints but need more clear instructions.

  • mbudke
    mbudke Member Posts: 132 ✭✭✭

    Was this incident caused by Atera or BitDefender?
    I mean if this was caused by BitDefender then maybe worth to let them answer the question(s).

    I am using different Antivirus products than BitDefender but quite interested in the outcome. I had no alarms on my site.

  • vin
    vin Member Posts: 1

    this is horrble….. nothing works…. resolved means nothing when 90% of my endpoints are STILL down 2:15 Eastern TIME. Be more clear, what is resolved??????

  • russell.hoover
    russell.hoover Member Posts: 3

    Hey Atera, What's the fix? Some of our systems come back online when we reinstall the agent others do not. We have found that we can remote into the workstations since it's using the Atera supplied remote even though the workstation is offline. We need some guidance here on what to do. We are having to touch every system again.

  • fabriciocomp
    fabriciocomp Member Posts: 1

    I reinstalled all my endpoints after they fixed the "issue."

  • austin
    austin Member Posts: 1

    Commenting here for further proof that this is affecting multiple people. BD Removed 50 Endpoints from our network. Has there been any update on an official solution, or do we have to do all the leg work and use the fix provided by @frank.pietersma?

  • frank.pietersma
    frank.pietersma Member Posts: 78 ✭✭✭
    edited November 2023

    Directories to exclude:

    C:\Program Files\ATERA Networks
    C:\Program Files (x86)\ATERA Networks
    C:\Windows\Microsoft.NET\Framework\v4.0.30319
    C:\Windows\Temp\AteraUpgradeAgentPackage

  • frank.pietersma
    frank.pietersma Member Posts: 78 ✭✭✭
    edited November 2023

    Bitdefender has released an signature update which will not flag Ateraagent.exe anymore as malware.
    So even without the exclusions it should work again! Still it will be a lot of work to get everything back online :-(
    We noticed during the process we could still connect to agents with Splashtop even though the agents seemed down in Atera. That saved us from a lot of traveling time to customers.

    Just to be on the safe side for now we will leave the exclusions in place.
    When using Gravity zone, under "policies" you can configure "Exclusion lists" Here you can specify the exclusions.
    These exclusion lists can then be added to the policies you've made for your customers so you only have to create the exclusions one time. In the policy you can select them under "Antimalware - Settings - Exclusions from configuration profiles"

  • tommy
    tommy Member Posts: 4

    So the only solution is to reinstall over 100 workstations ?! Not to even mention the ones that are remote headless stations that cannot be remotely accessed now! (Sure, some have RDP access and that works, but some rely on Atera alone)

    That's insane!

    Anyone come across a real solution ?

    And also, do we know the cause ? was / is this Atera's or BD's fault ?

  • luis
    luis Member Posts: 5

    Would like to hear back from Atera/BitDefender on this. We need to be able to re-deploy agents easier. I am getting some restoration failures when trying to restore from within BitDefender, which means having to do a re-install of almost all my agents

  • frank.pietersma
    frank.pietersma Member Posts: 78 ✭✭✭
    edited November 2023

    In Bitdefender Gravity Zone when restoring from quarantine the (same) files are listed twice ;-)
    you only have to restore the files which file path begins wit: C:\progra….etc
    The files listed as <System>=>c:\progra… you cannot and don't have to restore.
    We could restore all the files from bitdefender to all servers involved and therefore a reinstall of the agent was not necessary.

    Agree that we need to hear back from Atera and Bitdefender. Wonder if they can help in the process.
    Hopefully there is going to be an easier way to recover the agent but I fear the worst.
    Note that you can still connect with splashtop to the agents.

  • AElliott
    AElliott Member Posts: 12

    Creating AV exclusions is a huge no-no for us.

    What if the Atera agent IS now malicious, and was infected way up the distribution chain?

    As of 2100 EST, 11/1/23, some machines are allowing a reinstall, some it just disappears. (I do wish the Atera Agent installer had some useful information. Side note- can we make the warning go away upon installation? If we have to GPO-install this everywhere we're not going to have enough phone lines (or staff) to support the freak out.

  • tommy
    tommy Member Posts: 4

    11.2.23, 12:47 AM EST update:

    Bitdefender is updating to version 7.9.9.336 which allows Atera to install and actually work. BUT(!!!!)

    Restoring from the BD panel doesn't work and the only way to bring clients back up is by reinstalling Atera and rebooting the system.

    This is a MAJOR time consuming problem, server restarts have to be planned and getting remote users to install something (even something as simple as Atera) isn't easy.

    Over 100 computers showing Offline in Atera and saying its a big problem is putting it mildly, very mildly.

    Can either Atera or BD provide a way to restore the files properly ?

  • nina
    nina Internal Posts: 428 ✭✭✭✭✭

    Hi everyone! As I mentioned yesterday, we spoke with Bitdefender and it appears that Bitdefender recently updated their software which caused it to remove/flag Atera's Agent. Bitdefender has since updated their policy and will not flag Atera's Agent moving forward.

    In any event, we advise whitelisting the following paths:
    C:\Program Files\Atera Networks (or C:\Program Files (x86)\ATERA Networks for 32bit)
    C:\Windows\Temp\AteraUpgradeAgentPackage\


    In the event that Bitdefender removed your Atera Agent, to restore the Agent availability:

    1. Restore AteraAgent.exe from Bitdefender quarantine
    2. Reboot the device
    3. Open CMD as administrator and run these commands individually:

    cd "C:\Windows\Microsoft.NET\Framework\v4.0.30319"
    InstallUtil.exe "C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"

    Wait for the process to finish successfully. Run in CMD:

    sc stop ateraagent && sc start ateraagent

    The device should appear back online in the Atera console.

    In the future, all those who opened tickets with Support (support@atera.com) received a response on the actions to take to restore the Atera Agent. For future, we would recommend opening a support ticket (support@atera.com) and posting in the Community!

    Best,

    Nina

  • nina
    nina Internal Posts: 428 ✭✭✭✭✭

    Also, I opened tickets for everyone here with our Support Team, so no need to open another ticket! I want to make sure we get y'all up and running ASAP!

  • ona_from_conforma
    ona_from_conforma Member Posts: 3
    edited November 2023

    Just wanted to drop in to confirm that the issue can still crop up - I've had limited impact this morning (ticket raised via support@atera.com), so I'm hoping it stays at the four servers.

    When an agent gets reinstalled - will the previous agent need to be removed from the portal or will the historical data/logs transfer over to the new install?

    EDIT: the block happened yesterday before the root cause was identified (national holiday), the alert only popped up this morning in Atera.

  • russell.hoover
    russell.hoover Member Posts: 3

    We are having to run a manual script to remove Atera on some PCs, reboot, to get Atera to reinstall from the installer. What a mess.