
Crowdstrike detects Connect Secure 9.1R16 as malware

ohiovpnuser
Occasional Contributor

Curious if anyone else who uses Crowdstrike (or other anti-malware products) has seen this?

We just upgraded a PSA3000 to Connect Secure v9.1R16 (build 20059) and upgraded ESAP to v4.0.4. On our remote laptops we connect to the VPN using a web browser ("browser client") and that causes Pulse Secure Application Launcher (PSAL) to launch. Almost immediately the Crowdstrike agent on the remote laptop began to detect files as "malicious". This is during the portion where PSAL downloads the newer files from the Connect Secure appliance. Initially one file was detected and quarantined, so we added an exception and tried to connect again only to have two more files detected and quarantined. We have a ticket open with Pulse Secure tech support and are waiting for their feedback.

In addition to Crowdstrike, at least one other anti-malware product also detects these files as malicious.

PSSetupClientInstaller.exe
https://www.virustotal.com/gui/file/35ff83f6c044dfd621c0a0c95626d934b099e729bdd27f100f82f909fdef9a26...

PulseSetupXP.exe
https://www.virustotal.com/gui/file/c6cdaf0edb5f9d701372a8303cb118acce5bd07786acb7d390274a2f58f8281d...

dsHostChecker.EXE
https://www.virustotal.com/gui/file/63e351b089edf2288d6a3c56e176687eb4511cb6042566c3e4946a42f22978f0...

zanyterp
Moderator

Re: Crowdstrike detects Connect Secure 9.1R16 as malware

thank you for bringing that to our attention so we can investigate as well as sharing with the community so others are aware and can open cases as-needed
Azzim
New Contributor

Re: Crowdstrike detects Connect Secure 9.1R16 as malware

Any update on this issue? We are facing the same:

ESAP 4.0.7

R15.2

ohiovpnuser
Occasional Contributor

Re: Crowdstrike detects Connect Secure 9.1R16 as malware

@Azzim 

We didn't get any resolution from Pulse Secure tech support and ended up having to add exclusions in Crowdstrike for the file hashes.  Also, we have upgraded to 9.1R16.1 and then 9.1R16.2 and each time have to re-add the exclusions for the new file hashes.

We did talk to someone from Ivanti back in August. I think he was a manager or a developer. He said that we are the only customer having the problem. Maybe you should open a ticket (you can reference our ticket 2022-0816-9805). He did say that developers would try to look into the issue further to figure out why Crowdstrike is alerting.
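The post above describes the recurring chore behind a hash-based EDR exclusion: every 9.1R16.x upgrade ships new client binaries, so the old SHA-256 exclusions silently stop matching and have to be re-added. The script below is an added example, not code from the thread, from Ivanti/Pulse Secure or from CrowdStrike. It hashes whatever PSAL has staged on the endpoint, compares the result against the allowlist the exclusions were built from, and sorts each file into "still covered", "hash changed, re-add" or "never seen, triage". The three hashes in the allowlist are the ones from the VirusTotal links posted earlier in the thread (9.1R16, build 20059); the file contents written by `demo()` and the name `constructed-extra.dll` are constructed for the demo and are not real Pulse artifacts.

```python
"""Check which Connect Secure client files an EDR hash exclusion list still covers after an upgrade.

Added example for this thread; not code from Ivanti/Pulse Secure or CrowdStrike.
The three SHA-256 values below come from the VirusTotal links posted in the thread
(Connect Secure 9.1R16, build 20059). File contents and the extra DLL name are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# Allowlist the EDR exclusions were built from: the three files flagged in the thread.
KNOWN_9_1R16 = {
    "PSSetupClientInstaller.exe": "35ff83f6c044dfd621c0a0c95626d934b099e729bdd27f100f82f909fdef9a26",
    "PulseSetupXP.exe": "c6cdaf0edb5f9d701372a8303cb118acce5bd07786acb7d390274a2f58f8281d",
    "dsHostChecker.EXE": "63e351b089edf2288d6a3c56e176687eb4511cb6042566c3e4946a42f22978f0",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Stream the file so a large installer is not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(directory) -> dict:
    """Map file name -> SHA-256 for every regular file PSAL staged in `directory`."""
    return {p.name: sha256_file(p) for p in sorted(Path(directory).iterdir()) if p.is_file()}


def exclusion_drift(current: dict, allowlist: dict):
    """Split the staged files into three buckets relative to the exclusion allowlist.

    unchanged: same name and hash, the existing exclusion still applies
    changed:   same name, new hash, the exclusion must be re-added (the post-upgrade case)
    new:       a file name the allowlist has never seen; triage before excluding
    Names and hex digests are compared case-insensitively, as Windows compares file names.
    """
    allow = {name.lower(): digest.lower() for name, digest in allowlist.items()}
    unchanged, changed, new = {}, {}, {}
    for name, digest in current.items():
        expected = allow.get(name.lower())
        if expected is None:
            new[name] = digest.lower()
        elif expected == digest.lower():
            unchanged[name] = digest.lower()
        else:
            changed[name] = digest.lower()
    return unchanged, changed, new


def exclusion_report(unchanged, changed, new) -> list:
    """Plain-text lines for an EDR exclusion change request: re-adds first, then triage, then keeps."""
    lines = []
    for name, digest in sorted(changed.items()):
        lines.append(f"RE-ADD  {name}  {digest}")
    for name, digest in sorted(new.items()):
        lines.append(f"TRIAGE  {name}  {digest}")
    for name, digest in sorted(unchanged.items()):
        lines.append(f"KEEP    {name}  {digest}")
    return lines


def demo():
    """Constructed stand-in for the directory PSAL downloads to after an upgrade.

    The bytes are made up, not real Pulse binaries, so every file in the 9.1R16 allowlist
    comes back as `changed` and the constructed extra DLL comes back as `new`.
    """
    with tempfile.TemporaryDirectory() as tmp:
        staged = {
            "PSSetupClientInstaller.exe": b"constructed installer bytes, post-upgrade",
            "PulseSetupXP.exe": b"constructed PulseSetupXP bytes, post-upgrade",
            "dsHostChecker.EXE": b"constructed host checker bytes, post-upgrade",
            "constructed-extra.dll": b"constructed component never seen before",
        }
        for name, data in staged.items():
            (Path(tmp) / name).write_bytes(data)
        return exclusion_drift(inventory(tmp), KNOWN_9_1R16)


if __name__ == "__main__":
    for line in exclusion_report(*demo()):
        print(line)
```

Pointing `inventory()` at the real PSAL download directory and swapping `KNOWN_9_1R16` for the hash list currently loaded in the EDR console turns the demo into the check that tells you, before users start reconnecting, which exclusions an upgrade has just invalidated. Keeping one allowlist file per appliance build also leaves an audit trail of exactly which hashes were ever excluded and why.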

zanyterp
Moderator

Re: Crowdstrike detects Connect Secure 9.1R16 as malware

thank you for sharing, @ohiovpnuser
Azzim
New Contributor

Re: Crowdstrike detects Connect Secure 9.1R16 as malware

@ohiovpnuser 

Thanks for your feedback. We also had opened a case with TAC support regarding this issue. Below is the feedback from support:

We had a detailed discussion internally with the management and the security team (PSIRT) regarding CrowdStrike; below is the analysis and action plan:

> Our security team has confirmed that the malicious flag from CrowdStrike is a false positive.

- The operations from the Pulse perspective are legitimate.

> Moving forward, we will continue to work with CrowdStrike to better ensure their AV is not flagging our software as malicious