Our SH server, hosted at DO for 7 years, just started having issues being blocked or identified as malicious by random ISPs or routers, like TP-Link and Nighthawk; Cisco and real enterprise equipment does not have issues nearly as much.
We found a random toolbox resource being marked as a virus by Windows and Webroot.
The server is not infected. We ran rkhunter and many other tools, including a 100% fresh, updated VM.
We deleted it, rebuilt a new VM, did all the updates, and put it on a new IP. We cleaned and scanned the backup, then rezipped it, removing all of the tools, and restored it.
Same issue. Different IP, different network, different ASN, different data center. Basically only the domain is the same, which is hosted at Cloudflare, and they confirmed they do not see anything on their end. It’s not proxied through them, as that did cause issues in the past.
So my next step would be to use a new domain as a test.
The weird thing is, if we use the VM we host SimpleHelp on, shut down SimpleHelp, and put up a temporary Apache page, it will pull up just fine on any network. I can traceroute to it until I have SH running. Once it’s running, the ISP will stop responding once it hits the server.
There’s a lot more back story on this. I’m willing to pay for an expert’s time to look into this with me via Zoom.
About half of our Remote Access clients do not work, most of which we control the firewall and antivirus for. So even after whitelisting SimpleHelp it still does not.
I have several screenshots and can take videos.
I’m really just at a loss. Almost 50% of our machines do not connect to the remote service agent. To make matters more complex, some computers on the same network with the same AV and AD policies connect just fine. Fully updated Windows.
Been using SH over 12 years and never had an issue like this.
I believe it was an issue with the URL being blacklisted for some reason. However, I ended up deleting the VM, moving to another DC, getting a new IP and a fresh OS, and then simply restoring the SimpleHelp backup.
It took about a week, but I’m no longer having any issues I know of. I will say the SH staff were very helpful and knowledgeable. They gave very detailed information on what to look for. While they are not always the fastest in getting back to tickets, I am very happy with their support team!
Just an FYI for those with similar “being blocked” issues:
Comcast/Xfinity Business Security Edge blocks SimpleHelp,
and unfortunately adding an ‘allow’ for your server IP in the Security Edge interface does nothing; the only way to resolve it is to turn off Security Edge [SE] via your Comcast account (business.comcast.com). And surprise, sometimes the service is in such a state of disarray that you can’t even turn it off and have to call Comcast Business support and have them turn it off for you. Note also that it will eventually turn itself back on and you have to rinse and repeat.
We also encountered the same issue on our end. Please note that we are not using Comcast. It appears that the SH executable has been flagged as malicious by some security vendors on VirusTotal.com. I would think that SimpleHelp support would have something to say on the matter.
Yes, we are still having the same issues. However, changing IPs and DNS did help the issue for some. I believe SimpleHelp is being flagged, and then the IP is going on some sort of blacklist.
We also noticed some, like UDP or TCP, even on the same WAN.
Also, a weird note: we have some clients with dual-WAN failover. Ones with ISP1 blocked, yet you can see the ISP2 route picked it up and it worked fine after some latency from failover.
Just some notes to help others with what we found.
Guys, this isn’t a matter of swapping out IPs, DNS, or even an ISP issue. Over the past two days, the situation has worsened significantly. The SimpleHelp executable, RemoteAccessWinLauncher.exe, with the hash 1d74b4bc9381eb7095a3a675b99c163a25dbad4b1c3a0ea695b647880adc3cbb, is now being flagged as malicious more widely. This is triggering alerts across several of our EDR/MDR partners and has become a major problem that urgently requires attention from SimpleHelp support. Unfortunately, support has been completely silent on this issue.
I’m unclear on the specific resolution—whether a new executable with a different hash needs to be published in a new release—but something must be done immediately. I believe this issue will continue to escalate if left unresolved.
This topic is getting a little confused. The main post was about the IP/hostname of someone’s SimpleHelp server being detected and blocked by Comcast’s Security Edge product (which is a big pain in the butt). But now people are talking about the executable that can be run on a computer and what uploading it to tools like virustotal.com shows.
For what it’s worth, we have not had any issues with Security Edge and our server (the majority of our clients have Comcast), and other than a short issue with Bitdefender, our executables on Windows have worked just fine with security solutions and we’ve not had an issue getting blocked.
How has the topic gotten confused? While it may have initially seemed like an issue related to a specific IP address or ISP, the underlying problem appears to be that SimpleHelp.exe is being flagged by multiple ISPs and EDR/MDR platforms as malicious or malware. These two issues are not necessarily mutually exclusive—they can be, and most likely are, connected. This has been corroborated by authoritative sources such as VirusTotal.
In our case, the problem became evident after upgrading to versions 5.5 and then 5.7. In early December, our SimpleHelp servers and clients were completely blocked. Initially, it seemed isolated to our ISP, but further investigation revealed the root cause was our MDR platform. They informed us that VirusTotal was flagging the executable file, and the hash for the file is consistently being identified as problematic.
We can agree to disagree, but you literally just described it as two separate issues.
The original issue on this thread is Josh_Barrett having issues where clients’ machines at a site would exhibit strange behaviors in connecting to the server (he mentions an example of half of them seeing the server and half not). He seems to have solved this issue by changing out the server and domain completely, though, and things were solved.
Then BobR comes on and mentions Security Edge from Comcast caused him similar issues and he had to have Comcast turn it off (good luck Bob, it will get turned on again automatically in the future and the issue will present itself again). So in his case it was a blacklisting of the DNS resolution to the server name that made it onto a blacklist by Security Edge; possibly related to Josh, but unsure.
Then you come on here and mention that you are having issues with the executables getting blocked by some security vendors. This is a 100% different issue; it’s an issue with an executable being detected as potentially malicious, and your issue is not about connection to the server, it’s the running of the executable.
Then Jerry and Nathan post agreeing and saying they are experiencing similar things as you.
I’m not saying your post isn’t valid, and I understand your pain, but I’m just pointing out that there are two different issues being discussed in this topic, and I wanted to make that clear to people who may stumble across the original issue and not realize that the current situation you are talking about has nothing to do with the original issue, and that the solution to this topic was already achieved. If this were a ticket I would split you, Jerry, and Nathan into a new one, as it’s not the same issue and doesn’t contribute to the original issue or the solution.
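The post above separates two problems: the server name/IP being blocked on the path (the original post's "Apache page loads, SimpleHelp does not" observation, and BobR's note that an IP allow entry in Security Edge changes nothing) versus the launcher executable being flagged on the endpoint. The script below is an added triage example written for this thread; it is not SimpleHelp's code and not code posted by anyone in the thread. It compares what the client's resolver returns for the server name against the A records you published yourself (for example from the Cloudflare DNS dashboard), then tries a TCP handshake to those addresses, and separately hashes a local copy of the launcher against a list of flagged SHA-256 values. The host name `remote.example.com`, port 443, the address `203.0.113.10` and the file path are placeholders; the only real value is the hash quoted earlier in the thread.

```python
"""Triage for "SimpleHelp is blocked": DNS filtering, path block, or a flagged executable?

Added example for this forum thread, not SimpleHelp's own code. Host name, port,
expected addresses and file path below are placeholders you must replace.
"""
import hashlib
import socket
import sys
from typing import Callable, Iterable, Set

Resolver = Callable[[str], Set[str]]
Connector = Callable[[str, int], bool]


def system_resolve(host: str) -> Set[str]:
    """IPv4 answers as seen through the client's own (possibly filtering) resolver."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()          # NXDOMAIN / SERVFAIL / refused
    return {info[4][0] for info in infos}


def tcp_connect(ip: str, port: int, timeout: float = 3.0) -> bool:
    """True only if a full TCP handshake to ip:port completes."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify(host: str, port: int, expected_ips: Iterable[str],
             resolve: Resolver = system_resolve,
             connect: Connector = tcp_connect) -> str:
    """Return one of: dns-blocked, dns-redirected, transport-blocked, reachable.

    `expected_ips` are the A records you published for `host`; if you recently
    moved the server, a "dns-redirected" verdict may also be a stale cached record.
    """
    seen = resolve(host)
    expected = set(expected_ips)
    if not seen:
        return "dns-blocked"       # resolver refuses to answer for the name
    if not seen <= expected:
        return "dns-redirected"    # answer points somewhere you never published (filter/sinkhole)
    if not any(connect(ip, port) for ip in seen):
        return "transport-blocked" # correct address, but the path drops the port
    return "reachable"             # server side is fine; look at the endpoint/AV instead


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large installers do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def executable_matches(path: str, flagged_hashes: Iterable[str]) -> bool:
    """True if the local file's SHA-256 is in the flagged list (case-insensitive hex)."""
    return sha256_file(path).lower() in {h.lower() for h in flagged_hashes}


if __name__ == "__main__":
    # Placeholders: your server name, port and the A records you published for it.
    print("server:", classify("remote.example.com", 443, {"203.0.113.10"}))
    # Hash quoted in this thread for RemoteAccessWinLauncher.exe; pass a local path as argv[1].
    FLAGGED = {"1d74b4bc9381eb7095a3a675b99c163a25dbad4b1c3a0ea695b647880adc3cbb"}
    if len(sys.argv) > 1:
        print("launcher matches flagged hash:", executable_matches(sys.argv[1], FLAGGED))
```

Reading the verdict: "dns-blocked" or "dns-redirected" means the client never learns the server's real address, so an allow entry keyed on the server IP cannot help, which is consistent with the Security Edge observation above. "transport-blocked" is the case to compare against the original post's Apache test on the same address. "reachable" means the server path is clean and the remaining suspect is the launcher on the endpoint, which is what the hash check is for.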
I believe these are related. In my mind, which is probably my first problem lol, so maybe not. I do see these as being related.
I would guess the reason for the IP/blocking issues is that the SimpleHelp agent/activity is being marked as malicious, causing the IP to get blacklisted/blocked as a false positive.
It’s hard to know for sure. All I care about is that both issues are related and users in the forum are submitting helpful content to solve the same problem and meet the same goal.
We have both Fios and Spectrum in our area, and we’ve seen this issue occur with both. It would be logical to think that if an .exe is being flagged as malicious on online platforms like VirusTotal, the ISPs would follow suit in their attempts to prevent the spread of what’s perceived as malicious activity. As a result, they are taking these precautions. It’s also highly likely that one or more SimpleHelp installations somewhere in the world have been compromised, using SimpleHelp as an attack vector, which is why the hash is being flagged as malicious. At this point, it’s likely become a domino effect and hence they are related.
One of the things you will see in VirusTotal is the IP addresses that are being associated with the SimpleHelp executable, which can turn into IP blacklisting. I, for one, would like to keep MY IP addresses off of those lists, and this is putting them at risk.