Remote Utilities Blocked

Hello, this is my first post. I've sent a support ticket regarding Bitdefender blocking a Remote Desktop program that I use with my clients. This started at the beginning of Jan 2022, with new definition files I assume. The program is rutserv.exe, found in the following Windows location: C:\Program Files (x86)\Remote Utilities - Host

When I try to restore from quarantine, the folder location is denied and therefore I cannot add it as an Exception.

Has anyone else come across this issue or have any comments?

Thx

Tony

Comments

  • Started having the same issue. Saw that in the past Bitdefender and Remote Host did not get along. I have not had any problems until a couple of days ago, and now it is blocked. Tried to update to the new Remote Utilities and Bitdefender is blocking it. I need the remote software, so I'm going to uninstall Bitdefender and see how that does.

  • Hello,

    You can submit the files for analysis here: https://www.bitdefender.com/consumer/support/answer/29358/

    As a workaround in the meantime, if you trust the application, you can set an exception. Is the file detected by Bitdefender Shield or by Advanced Threat Defense? If it's detected by Bitdefender Shield, simply set an exception for the C:\Program Files (x86)\Remote Utilities - Host folder, then manually restore/reinstall the files, if restoring from quarantine directly to that location does not work.

    If the file is detected by Advanced Threat Defense, temporarily turn off Advanced Threat Defense, restart the computer, manually restore/reinstall the files, set an exception for the detected file(s) for the Advanced Threat Defense module, then turn the module back on.

    You can consult: https://www.bitdefender.com/consumer/support/answer/13427/ and https://www.bitdefender.com/consumer/support/answer/2393/ for more detailed instructions on how to set exceptions.

    I hope this helps.

    Stay safe.

  • David and Tony,

    Thank you for your support. Frankly speaking, we have no idea why BitDefender is so extremely hostile towards our software despite the fact that it's no more dangerous than any other similar software.

    Instead of just whitelisting our official builds - clean and digitally signed - they keep giving advice on how to add them to exceptions. But that doesn't work for remote access software due to its nature. Unattended remote machines may only be accessible remotely. If antivirus software, such as BitDefender - blocks or removes the remote component from the machine - the machine is no longer accessible. How can the user add the software to exceptions then if it's gone and there's no access to the machine?

    BitDefender,

    I would like to remind you - and any other antivirus software vendor for that matter - that your job is to protect your customers' machines against threats, not to dictate which software they (customers) are allowed to use on their own machines.

    However, you are doing exactly that - you decide for your customers what legitimate software they can or cannot use. You perfectly understand that your advice to fix the issue by adding the software to exceptions doesn't work in this case. This is totally unacceptable and shows the level of respect for your customers (which is clearly very low).

  • Also having problems with Bitdefender and remote utilities software. Tried the work around the bitdefender gave me and it did not work. Had to uninstall our paid version of bitdefender so that our employees could work from home. I have another trouble ticket to bitdefender but have not gotten any reply. - Bitdefender can reach me at [email protected]

  • Been using both BitDefender and Remote Utilities for many years now - despite having listed the RU program as an exception, I have recently completely lost access to a bunch of my clients and their systems when RU updated, resulting in a huge amount of wasted time as I have had to regain remote access to these systems.

    You would never do this to Teamviewer, Anydesk, Splashtop or whatever other remote control software... software that, I might add, my customers and I receive multiple calls a week from scammers trying to get us to install. I have never once had anybody attempting to scam myself or my clients using Remote Utilities.

    Please work with the Remote Utilities devs and get this sorted. Give them the same treatment you give to other remote management software and stop messing with my business.

    Cheers.

  • Installed the paid version of Bitdefender a couple of weeks back and now Remote Utilities won't work. Tried updating Remote Utilities to the current version but the install fails. The proposed workaround for installing fails due to folder permission issues. It's rather a huge mess now. Will need to uninstall everything and only use programs that are compatible with Remote Utilities.

  • Hello and thank you for sharing your observations with us.

    If adding the file to the exceptions list does not fix the issue, I would recommend submitting the Remote Utilities file here: https://www.bitdefender.com/consumer/support/answer/29358/

    This way, the Bitdefender Labs can have a closer look and come up with a fix as soon as possible.

    Best regards.

  • Yep, same problem. I use the Remote Utilities free license and they recently upgraded from v6 to v7, and all these v7 tools are being detected by Bitdefender.

    Note it's impossible to fix with exclusion because:

    You can white-list the URL to the download.
    But then Firefox (probably chrome too) downloads to a temp file which contains a random string in the path which BD flags. You can't categorically exclude this file.

    I had to turn off BD protection to get it to download.

    Then, for, say agent.exe, you can exclude the file.
    But agent.exe extracts itself to a random dir in TEMP, which, again, you can't categorically exclude.

    Plus, the last two times I had to restore a file from quarantine, BD kept a lock on the file so I got Access Denied trying to access it. Couldn't run, copy, rename, or change permissions on it even though I was the owner and had full permissions. I had to reboot to clear the lock.

    Please browse the Remote Utilities user forum: https://www.remoteutilities.com/support/forums/forum1/

    You'll see thousands of customers over the last 10 years using the program legitimately, and the software manufacturer diligently responding to user issues.

    THIS IS LEGITIMATE SOFTWARE!

  • Hello,

    Blocking has been lifted for now and the certificate whitelisted. This occurred due to a specific setup that Remote Utilities is using, which is different from Team Viewer, for example. As there are certain standards of compliance when it comes to security, if changes in the software are not made by the Remote Utilities developers, blocking may resume in the future.

    To avoid further blocking, the recommendation for Remote Utilities is to update their software so that it is visible and clear whenever a remote is in progress and to eliminate the possibility of being able to completely hide the UI / tray. So it's really up to them.

    Thank you all for your patience.

    Stay safe.

  • johnvk (edited February 2022)
    And yet, Remote Utilities 7.1.2.0 has an irremovable banner on the lower left that says remote control is in progress.

    Here's a link what it looks like and discussion: https://www.remoteutilities.com/support/forums/forum1/2147-free-license_-notification-near-the-system-tray-and-other-changes

    BD thanks for looking at this. We the user base really appreciate your time, attention and effort. You're making IT a better place.

  • "To avoid further blocking, the recommendation for Remote Utilities is to update their software so that it is visible and clear whenever a remote is in progress and to eliminate the possibility of being able to completely hide the UI / tray. So it's really up to them."

    I'm sorry what? In what world do you get to tell me what software with what features I can install on the machines I control?

    I don't care what you want to declare suspicious, in fact I like that you flag remote control programs as suspicious... I would ideally like to see every single one of them blocked unless I authorise it. What I don't like is that you did this to Remote Utilities after I whitelisted it. If I do not wish for a notice to be shown on machines I remote control then that's up to me, not you.

    Your role is not to tell me what I can and can't install. It's not to tell vendors I buy from to change their feature set. When I tell BitDefender "I approve of this software" it means I want it installed.

    When I do my due diligence and decide to trust a piece of software, I expect my security software to listen to me when I tell it that it's trusted and allow it to perform whatever actions it needs. If you can't manage that I will need to find a new security solution... which is a damn shame because otherwise I'm quite happy with your product.

    I'm a systems administrator. Let me do my damn job.

  • Hello @snknick,

    I believe there has been a misunderstanding here. We are not suggesting not to install the software, the recommendation is intended for the software creators. We flag remote control programs as suspicious, if a vulnerability is found. Our job is to ensure the highest standards of protection available. If we identify a weakness that can be exploited, we are going to shut that door.

    The assessment is based on facts and what the industry has experienced so far. Similar files from an older version of the Remote Utilities software were used in the BalkanRAT attack back in 2019. The tool was used to gain remote access to computers. The kit drops and uses "rfusclient.exe" and "rutserv.exe" to give the attacker remote access.

    We are glad to hear you are happy with our product and I am sorry if this has caused an inconvenience to you.

    Best wishes.

  • https://www.remoteutilities.com/support/forums/forum1/2147-free-license_-notification-near-the-system-tray-and-other-changes

  • @Alexandru_BD

    There's no misunderstanding, you're telling the software creators to change their software in ways that would be a major annoyance to the people who use it legitimately or otherwise you may block it again. The free versions of the software already have these restrictions, I pay for the professional edition because I use it professionally and have zero interest in those changes.

    By all means shut down whatever you like, but when I whitelist software, I really don't care what you think about it. I'm telling your software that I put it there, know what it does, and approve of its actions... so leave it alone. My job is to manage systems professionally, if I opt to install something that's my call. Not yours.

    And please... "this software was once used in an attack"? I guess you're going to start blocking ssh, python, java, netcat, and a bunch of other common utilities... right? I can start a reverse shell using any of those in seconds without anybody knowing so best stop that. Or I can just enable RDP or whatever else I feel like. The list of tools that provide undetectable remote access AFTER a successful exploit is endless.

    As I said. By all means, list this and every other remote access tool as a potential security threat. But once I have listed it as an intended installation, that needs to be the end of it.

  • Hello Alexandru,

    Perhaps, you are referring to Remote Utilities Host only having a persistent icon in the system tray area, and not a full-fledged notification message. There are two things to point out here:

    • The icon is always shown and cannot be hidden. When there's an active remote session, the icon turns red.
    • Starting version 7.1.1 a persistent banner is shown for free license users and trial users. This was introduced to make it harder for abuse actors to use the program out-of-the-box for their shady purposes.

    So what about other products?

    Take, for example, RealVNC. It allows "cloud" (firewall bypass) connection just like Remote Utilities does.

    With the default settings the RealVNC Server (the module that we call "Host" in Remote Utilities) indeed shows a message notifying the user about a connection. The message is only shown for a short time (so it can be overlooked easily, right). But that's not all.

    Actually, one can DISABLE the message in RealVNC Server settings. See the attached screenshot. So when the admin connects to the remote computer the next time, the message is gone. Only the icon in the system tray changes its color/state.

    So how could this possibly be? Did you have a chance to immediately notify RealVNC that their product might be blocked by BitDefender for not meeting your "highest standards of protection"? Isn't it a weakness that could be exploited, a door ajar that must be shut?




  • And by all means we can implement more windows, and warnings and all that stuff in Remote Utilities. For example, a message that can be shown for a while and then disappear with the ability to disable this message altogether. Perhaps even, that we will. But who says that this helps combat the abuse? Especially when social engineering is involved.

    What we are definitely going to get is more pissed-off customers on whom we have to put more restrictions. Sorry, but this path of blocking anything that might even remotely pose a threat is a short-sighted strategy.

  • Hi,

    I understand your concern and you do have a valid point. We've made a recommendation and only suggested to make the server's presence visible in one way or another, whenever a remote is active, to minimize the chances of the application being used for unwanted purposes.

    This being said, the block has already been lifted a couple of days ago and your program should resume function without any further interference from Bitdefender.

    Thank you for your understanding and cooperation.

    Stay safe.

  • Is Bitdefender deleting the termservice from the registry these days? I've had 3 clients all with missing Remote Desktop Services. If you go to regedit (HKLM\SYSTEM\CurrentControlSet\Services), the termserv folder is missing. I've reinstated it from a VM and uninstalled Bitdefender, but it's still not starting the service despite it being in the service list now. Anyone else with BD missing this reg key?

  • Hello @dbmqc,

    Not that I'm aware of. But I would recommend to ask our engineers, they will be able to shed some light on this.

    You can get in touch with our Technical Teams by choosing one of the contact methods available here:

    https://www.bitdefender.com/consumer/support/

    Best regards.

  • Flexx (Moderator)

    As far as the latest version of Remote Utilities is concerned, it is currently undetected by Bitdefender, but it may get detected again in the future since it is a PUA.

    https://www.virustotal.com/gui/file/d9ce81a643b852e7944b3fb49a69add91bcc735718195c6186a973152194085c?nocache=1

    The best thing will be to create an exclusion for now, until Bitdefender might recreate the detection for the sample in the near future.

    Regards

    OMEN Laptop 15-en1037AX (Bitdefender Total Security) & Samsung Galaxy S22 Ultra (Bitdefender Mobile Security)
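
Two replies in this thread bear on the same practical point: the BalkanRAT reply notes that an attacker's kit dropped files with the very same names, rfusclient.exe and rutserv.exe, and Flexx's reply above suggests creating an exclusion. An exclusion keyed only on the file name or the install folder would also cover a malicious copy, so a practitioner would want to allow exactly the build they verified, in the place the vendor installer writes it, and treat the same binary anywhere else, or with a bad signature, as a finding. The following is an added example written for this page; it is not code from Bitdefender, Remote Utilities or anyone in the thread. It works over a constructed inventory of file rows (path, SHA-256, Authenticode signer, signature validity) such as an EDR export or a PowerShell script using Get-FileHash and Get-AuthenticodeSignature would produce, so it runs offline. The install path and file names come from the thread; the publisher string "Remote Utilities LLC" is an assumption to be checked against a copy obtained from the vendor, and the approved hash is a stand-in computed from constructed bytes, not the hash of any real build.

```python
"""Allow-list triage for Remote Utilities binaries before excluding them from AV.

Added example, not vendor code. Verdict per row:
  ignore  - not one of the Remote Utilities binaries
  alert   - RU binary outside the install dir, or not validly signed by the vendor
  review  - vendor-signed but not a build you have approved (e.g. auto-updated)
  allow   - approved build, validly signed, in the expected location
"""
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# File names from the BalkanRAT reply; install path from the first post.
RU_BINARIES = {"rutserv.exe", "rfusclient.exe"}
EXPECTED_DIR = PureWindowsPath(r"C:\Program Files (x86)\Remote Utilities - Host")
# ASSUMPTION: publisher string on the vendor's signed builds. Read it from a copy
# you obtained from the vendor (Get-AuthenticodeSignature) before relying on it.
EXPECTED_SIGNER = "Remote Utilities LLC"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the bytes of the build you reviewed and approved.
# In practice, populate APPROVED_HASHES from Get-FileHash on that copy.
APPROVED_BUILD = b"constructed stand-in for the approved rutserv.exe build"
APPROVED_HASHES = {sha256_hex(APPROVED_BUILD)}


@dataclass(frozen=True)
class Row:
    host: str
    path: str
    sha256: str
    signer: str            # Authenticode signer subject, "" if unsigned
    signature_valid: bool  # False if unsigned or the signature does not verify


def classify(row: Row) -> Tuple[str, str]:
    """Return (verdict, reason) for one inventory row."""
    path = PureWindowsPath(row.path)  # case-insensitive comparisons, like NTFS
    if path.name.lower() not in RU_BINARIES:
        return "ignore", "not a Remote Utilities binary"
    # 1. Location: the installer writes under EXPECTED_DIR. The same file
    #    dropped anywhere else is what a kit reusing these binaries looks like.
    if EXPECTED_DIR not in path.parents:
        return "alert", f"{path.name} outside {EXPECTED_DIR}"
    # 2. Signature: the vendor ships signed builds; unsigned or re-signed is not theirs.
    if not row.signature_valid or row.signer != EXPECTED_SIGNER:
        return "alert", f"{path.name} not validly signed by {EXPECTED_SIGNER}"
    # 3. Hash: vendor-signed but not the build you looked at (e.g. a new version
    #    pulled in by auto-update). Worth a look, not an alarm.
    if row.sha256.lower() not in APPROVED_HASHES:
        return "review", f"{path.name} signed but hash not on the approved list"
    return "allow", "approved build in the expected location"


def triage(rows: List[Row]) -> Dict[str, Tuple[str, str]]:
    """Map host -> (verdict, reason) for every row in an inventory export."""
    return {row.host: classify(row) for row in rows}


# Constructed inventory rows (no real hosts or hashes).
INVENTORY = [
    Row("ws01", r"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe",
        sha256_hex(APPROVED_BUILD), EXPECTED_SIGNER, True),
    # Genuine, signed build, but sitting in a user-writable folder.
    Row("ws02", r"C:\Users\Public\Music\rutserv.exe",
        sha256_hex(APPROVED_BUILD), EXPECTED_SIGNER, True),
    # Vendor-signed newer build nobody has reviewed yet.
    Row("ws03", r"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe",
        sha256_hex(b"constructed: newer signed build"), EXPECTED_SIGNER, True),
    # Right place, but the file was modified and no longer verifies.
    Row("ws04", r"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe",
        sha256_hex(b"constructed: patched copy"), "", False),
    Row("ws05", r"C:\Windows\System32\notepad.exe",
        sha256_hex(b"constructed: unrelated binary"), "Microsoft Windows", True),
]

if __name__ == "__main__":
    for host, (verdict, reason) in triage(INVENTORY).items():
        print(f"{host:6} {verdict:7} {reason}")
```

The order of the checks matters: location and signature are hard requirements and produce an alert, while an unknown-but-vendor-signed hash is only queued for review, which is the case this thread is mostly about (a new version arriving and tripping the AV). The "allow" set is the only thing that should ever become an AV exception, and it is an exception for a specific file in a specific place, not for a file name.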