Curious if anyone else who uses Crowdstrike (or other anti-malware products) has seen this?
We just upgraded a PSA3000 to Connect Secure v9.1R16 (build 20059) and upgraded ESAP to v4.0.4. On our remote laptops we connect to the vpn using a web browser ("browser client") and that causes Pulse Secure Application Launcher (PSAL) to launch. Almost immediately the Crowdstrike agent on the remote laptop began to detect files as "malicious". This is during the portion where PSAL downloads the newer files from the Connect Secure appliance. Initially one file was detected and quarantined, so we added an exception and tried to connect again only to have two more files detected and quarantined. We have a ticket open with Pulse Secure tech support and waiting for their feedback.
In addition to Crowdstrike, at least one other anti-malware product also detects these files as malicious.
We didn't get any resolution from Pulse Secure tech support and ended up having to add exclusions in Crowdstrike for the file hashes. Also, we have upgraded to 9.1R16.1 and then 9.1R16.2 and each time have to re-add the exclusions for the new file hashes.
We did talk to someone from Ivanti back in August. I think he was a manager or a developer. He said that we are the only customer having the problem. Maybe you should open a ticket (you can reference our ticket 2022-0816-9805). He did say that developers would try to look into the issue further to figure out out why Crowdstrike is alerting.
Thanks for your feedback. We also had opened case to TAC support regarding this issue. Below is the feedback from support :
We had a detailed discussion internally with the management and the security team ( PSIRT ) regarding Crowd strike, below is the analysis and action plan,
> Our security team has confirmed that the malicious flag from Crowd-strike is a false positive.
- The operations from Pulse perspective are legitimate.
> Moving forward, we will continue to work with Crowd-strike to better ensure their AV is not flagging our software as malicious