1 Reply Latest reply on Apr 6, 2017 6:21 AM by ddenning

    Tracking Rogue deployments in Shavlik

    KirloxChamplow Rookie

      Hi All,

      I just have a question. A few months back we got some rogue deployments to workstations from Shavlik; to make it interesting, a PDFCreator application was pushed with a bundle of PDF Architect. The problem is it's detecting on our endpoint solution as malware. Here are the logs below from our Endpoint Protection classifying it as an OpenCandy risk:

      Risk name: PUA.OpenCandy

      File path: c:\windows\propatches\patches\pdfcreator-1_7_3_setup.exe

      Event time: Mar 29, 2017 2:13:35 AM

      Database insert time: Mar 29, 2017 2:15:22 AM

      Is there a way we could track and stop this kind of push? Looking at our Shavlik console we don't have any scheduled tasks to run such updates.

        • 1. Re: Tracking Rogue deployments in Shavlik
          ddenning SupportEmployee

          Hi,

          Thank you for posting your question.

          Some open source products such as PDFCreator are bundled by the vendor to include installers for products such as OpenCandy, Google Toolbar, etc. While we use vendor switches in our deployment to disable such products from installing with the product you are deploying, the dormant product installer is still there, flagging a few select antivirus vendors. Unfortunately, there is no way we can remove these product installers, as all updates that we support are packaged by the vendor and we only use what the vendor gives us. However, you can rest assured that we use switches to disable the other installers and therefore there is no actual threat. If you do for some reason see those products being installed as well, please let us know and we will look at that.

          Thanks!

          David
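A small triage helper, added here as an example and not part of this thread or of the Shavlik product: it parses detection events in the format quoted in the question and separates a PUA hit on a vendor installer sitting in the deployment cache (the dormant bundled component David describes) from the same installer seen somewhere else, a non-PUA verdict in the cache, or a staged installer that is not on your list of known pushes. The staging directory and the first event come from the question; the approved-installer list and the second event are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input in the event format quoted in the question: the real
# event from the thread plus a hypothetical one for the same installer outside the cache.
SAMPLE_EVENTS = """\
Risk name: PUA.OpenCandy
File path: c:\\windows\\propatches\\patches\\pdfcreator-1_7_3_setup.exe
Event time: Mar 29, 2017 2:13:35 AM
Database insert time: Mar 29, 2017 2:15:22 AM

Risk name: PUA.OpenCandy
File path: c:\\users\\someuser\\downloads\\pdfcreator-1_7_3_setup.exe
Event time: Mar 29, 2017 9:02:11 AM
Database insert time: Mar 29, 2017 9:03:00 AM
"""

# Deployment cache named in the detection; installers pushed by the console land here.
STAGING_DIR = PureWindowsPath(r"c:\windows\propatches\patches")

# Assumed list of installer names your console is known to have pushed (maintain it
# from the console's deployment history; the entry here is a placeholder).
APPROVED_INSTALLERS = {"pdfcreator-1_7_3_setup.exe"}


def parse_events(text):
    """Split blank-line-separated 'Key: value' blocks into dicts keyed in lower case."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")   # first colon only; paths keep 'c:\'
            event[key.strip().lower()] = value.strip()
        events.append(event)
    return events


def triage(event, approved=APPROVED_INSTALLERS):
    """Decide whether a hit is the dormant bundled installer the vendor describes."""
    path = PureWindowsPath(event["file path"].lower())
    risk = event["risk name"]
    if STAGING_DIR not in path.parents:
        verdict = "investigate"   # same file outside the cache was not a console push
    elif not risk.upper().startswith("PUA."):
        verdict = "investigate"   # anything but a PUA verdict in the cache is unexpected
    elif path.name not in approved:
        verdict = "unapproved"    # staged by something other than a known deployment
    else:
        verdict = "expected"      # bundled, switch-disabled component of a known push
    return {"risk": risk, "file": path.name, "time": event["event time"], "verdict": verdict}
```

Feed it the export from your endpoint console and review the "unapproved" and "investigate" rows first; the "expected" rows are the case the vendor reply explains.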