Will Code Signing Resolve Antivirus from Saying Agents are Trojans or Malware?

[dkleckner498]

Just recently within the last 4 days all my agents for workstations are now having tactical RMM agents as well as other components getting quarantined for Trojan:Win32/Sabsik.TE.A!ml or another Malware name. I tried going into Bitdefender and Windows Defender and excluding the files as mentioned in another discussion however it doesn't seem to do any change. I didn't have this problem before but now it has become an issue. Will Code Signing prevent this from happening or the agent being picked up as malicious? Would like to somehow test Code Signing but not sure what the best route for this is.

Thank you

Derrick

[dinger1986]

Code signing certainly works fine for me, there's afew who have suggested ways and better support on discord if you want to try without code signing.

There is no trial for code signing, essentially you are supporting an opensource project by sponsoring and getting code signing.

[dkleckner498]

What is the Discord Server for this?

[silversword411]

From: https://github.com/wh1te909/tacticalrmm

It's the Discord Chat: https://discord.gg/upGTkWp

[silversword411]

I never have problems with triggering a powershell install with code signed, but I usually install from my screenconnect commandline

[dkleckner498]

The problem is really two parts. One is which I can work around the agent installer, however that wasn't the issue I ran into when this all started. The problem is with agents that are already installed. All of a sudden out of the blue BitDefender and normal Windows Defender started flagging all of the .exe files such as Tactical RMM and Mesh and all as malware in the ATP. This caused the Services basically to stop and now because the files are gone it won't start the services so all of my agents that were online which seem to be only all workstations but about 20 of them are now offline. There was a small point where I tried using the Recovery Agent which brought it back online once but about 5 mins later it just did the same thing.

[silversword411]

Don't think they'll alert if you have exceptions setup properly

[dkleckner498]

Well positive side, I figured out what was triggering it. It seems that the built in script for disabling Fast Boot kept creating ps1 scripts and made the tacticalrmm.exe trigger false malware triggers that caused the Antivirus to think it was malware running in process. It then faulted to the path and ultimately put the tacticalrmm.exe into Quarantine. Was able to get a few back up and running but hopefully as I released remotely from Quarantine, a few reboots and they all should be back up.

[dkleckner498]

With this being said, this is probably an area for a feature request or an improvement that needs to be added. Requesting that any and all tasks/scripts that run be ran on a different Process / Executable that is not Tactical RMM. Maybe a run exe for Tactical RMM so that if something faults on a script that it doesnt tag the Agent that runs the services as an issue so that the agent service still has communication back to the console. Hopefully this makes sense.

[wh1te909]

all checks currently spawn a new process so that the main process can forcefully kill it if it times out otherwise main process can hang forever

[wh1te909]

everything else runs asynchronously in a new thread so the agent communication with console is always there and cannot be lost unless network connection drops