Insecure System findings may provide the following messages and remediation tips:
Riskware
Description: Legitimate programs that can cause damage if they are exploited. This encompasses all types of riskware.
Remediation tips: Track down the endpoint system by using the available details and uninstall the application.
Identified riskware (ver. 11-DEC-2024):
AbandonedBrowserExtensions-abandoned_chrome_browser_extensions AbandonedIPTv-abandoned_chinese_iptv_platform AbandonedIPTv-abandoned_live_tv_addon AbandonedIPTv-abandoned_m3u_plus AbandonedIPTv-abandoned_media_hub AbandonedIPTv-abandoned_myvst AbandonedIPTv-abandoned_swarmcast_media AbandonedVPNs-linkvpn AbandonedVPNs-vpnextensions Abandonware-ActivateTBKS Abandonware-ActivityMonitoring, InfoLeak Abandonware-DahuaWebPlugin Abandonware-SSuggest Abandonware-Supercat Abandonware-android_cube26 Abandonware-auto_words_with_friends_cheats Abandonware-blackmarket Abandonware-dinerware Abandonware-email-analytics Abandonware-go_contacts_pro Abandonware-imapp Abandonware-itiva_accelerator Abandonware-leagoo Abandonware-mal_prot_360 Abandonware-pdbarea Abandonware-rargiant Abandonware-ready_nas_photos Abandonware-showbox Abandonware_ADkmob Abandonware_Advertisingcrbt Abandonware_Alitv Abandonware_Auuempire Abandonware_CloudEngine Abandonware_Cocos2dSDK Abandonware_ColorOS Abandonware_CyberFlix Abandonware_Cybercloud Abandonware_Digwex Abandonware_Flyer Abandonware_Jpush_SDK, InfoLeak Abandonware_MarbleBlastUltra Abandonware_ModsHub Abandonware_Movies Abandonware_Mwanplay Abandonware_MySamsung-NA Abandonware_PhoneBoosterCleaner Abandonware_PpaCamPro Abandonware_RenrenSDK Abandonware_Sputnik, InfoSteal Abandonware_TVSurfMobile Abandonware_TlsVpn Abandonware_TopApps Abandonware_Wanhuatong Abandonware_ezvuu Abandonware_mibc, InfoLeak Abandonware_supersonicsdk BitcoinMiner-bitcoinminer Debugfirmware-pana_dl1_ota Debugfirmware-rooted_phone Debugfirmware-rooted_phone_multilaser Filesharing-abandoned_gnutella_domains LDAP-expired_ldap_domains Netbios-netbios NonStoreApps-non_store_android_Baicai NonStoreApps-non_store_android_airattack NonStoreApps-non_store_android_barometer NonStoreApps-non_store_android_booslink NonStoreApps-non_store_android_callerwork NonStoreApps-non_store_android_ilauncher NonStoreApps-non_store_android_mobogenie 
NonStoreApps-non_store_android_netflixmoddedapk NonStoreApps-non_store_android_snaptube NonStoreApps-non_store_android_thefreenote NonStoreApps-non_store_android_unblckd Proxyconfig-expired_proxy_domain RIskware_LtblSDK RemoteManagement-citrix_pna RemoteManagement-dratchet_av RemoteManagement-honeywell_hvac RemoteManagement-hp_smartprint RemoteManagement-mcafee_corpav RemoteManagement-mcafee_epolocy RemoteManagement-microsoft_sus RemoteManagement-ms_sccm RemoteManagement-mydlink RemoteManagement-symantec_epm RemoteManagement-symantec_patch_domain RemoteManagement-tr069CPE Riskware_LeBianSDK, InfoLeak Riskware_NetNetworkManagementHome Riskware_XToolApps, PUA TorTool TorrentTracker-torrent_tracker_expiredd.
NEUTRAL
Software versions that cannot be determined, or that are unsupported but still receive security fixes, are evaluated as “NEUTRAL.” These items do not affect the Insecure Systems grade but should still be resolved.
IPTV: Media Hub
Description: Endpoint is using an abandoned media hub, named “Media Hub.”
Remediation tips: Track down the IPTV system by using the available details and disable the insecure application. Samsung recommends transferring Media Hub accounts to M-GO.
WARN
App: Auto Words With Friends Cheats
Description: Android endpoint is using abandoned “Auto Words With Friends Cheats” software.
Remediation tips: Track down the endpoint system by using the available details and uninstall the application.
App: Go Contacts Pro
Description: Android endpoint is using abandoned “Go Contacts Pro” software.
Remediation tips: Track down the endpoint system by using the available details and uninstall the application.
App: Itiva Internet Accelerator
Description: Endpoint is using abandoned “Itiva Internet Accelerator” software.
Remediation tips: Track down the endpoint system by using the available details and uninstall the application.
File sharing: Gnutella
Description: Endpoint is reaching out to abandoned Gnutella peer-to-peer file sharing service domains.
Remediation tips: Track down the endpoint system by using the available details, disable network connectivity, and/or disable P2P BitTorrent applications.
File sharing: Tracker
Description: Endpoint is reaching out to torrent tracker domains for information about files to download via BitTorrent.
Remediation tips: Track down the endpoint system by using the available details, disable network connectivity, and/or disable P2P BitTorrent applications.
Remote management: HVAC controllers
Description: Honeywell HVAC industrial/residential controllers are contacting abandoned domains.
Remediation tips: Track down the endpoint system by using the available details, and then reinstall or remove the related insecure controller or device.
Remote management: McAfee Corporate AV
Description: Corporate endpoints are contacting abandoned domains from McAfee Enterprise Corporate AntiVirus.
Remediation tips: Track down the endpoint system by using the available details, and then reinstall or remove the related insecure application.
Remote management: Microsoft SCCM
Description: Devices are using Microsoft System Center Configuration Manager (SCCM) over abandoned domains.
Remediation tips: Ensure that the management service is not publicly visible from outside of the company's networks by blocking the port on company edge network infrastructure. Use a Virtual Private Network (VPN) if secure access to the resource is needed.
Remote management: Microsoft SUS
Description: Corporate endpoints are contacting abandoned domains for Microsoft Windows Server Update Services.
Remediation tips: Track down the endpoint system by using the available details, and then reinstall or remove the related insecure application.
Service: LDAP
Description: Endpoint is reaching out to unused LDAP servers via expired domain names.
Remediation tips: Track down the system accessing the LDAP service by using the available details, and then reconfigure or disable the destination access. Reevaluate your systems contacting remote services. For additional security, block the LDAP port on company edge network infrastructure or use LDAP over TLS/SSL (LDAPS).
BAD
App: ActivateTBKS
Description: This Android app, pre-installed in The Creative Life (TCL) devices, can steal device and user data. It can also silently install and uninstall Android Application Packages (APK).
Remediation tips: Track down the endpoint by using the available details and uninstall the application.
IPTV: Abandoned platform
Description: Endpoint is an abandoned China-based IPTV platform.
Remediation tips: Track down the IPTV system by using the available details and disable the insecure application.
IPTV: LiveTV add-on
Description: Endpoint is a software media center with an abandoned Live TV add-on.
Remediation tips: Track down the IPTV system by using the available details and disable the insecure application.
IPTV: Swarmcast
Description: Endpoint is using abandoned “Swarmcast” internet television services.
Remediation tips: Track down the IPTV system by using the available details and disable the insecure application.
Mobile debug firmware
Description: This mobile endpoint contains firmware with rootkit capabilities masked under a debug flag. It is sending out information about the device.
Remediation tips: Use the available details about the device to track down the source, and then update or disable access to personally identifiable information and confidential data on the device. Ensure the device receives a thorough security review.
Proxy auto-discovery configuration
Description: The communication was detected via sinkholing, meaning the endpoint contacted an abandoned or expired domain not owned by your company through the Web Proxy Auto-Discovery Protocol (WPAD). This indicates that proxy auto-discovery reached out externally, which allows malicious actors to eavesdrop on the communication. WPAD is otherwise safe to use on properly secured domains.
Remediation tips: Search the web traffic logs, locate the system using the proxy, and then disable or update the proxy auto-discovery configuration. See troubleshooting.
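One way to carry out the log search the remediation tip describes, as an added example that is not part of the original page: it scans web-proxy log lines for wpad.dat fetches whose host is outside the domains your company owns. The log format, the company domain corp.example, and the sample lines (including the expired `.test` hosts) are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (assumed format: time client method url status).
SAMPLE_LOG = """\
2024-12-11T08:01:02Z 10.20.30.41 GET http://wpad.corp.example/wpad.dat 200
2024-12-11T08:01:05Z 10.20.30.42 GET http://wpad.example-expired.test/wpad.dat 200
2024-12-11T08:01:07Z 10.20.30.43 GET http://www.example.org/index.html 200
2024-12-11T08:01:09Z 10.20.30.44 GET http://wpad.corp.example/wpad.dat 200
2024-12-11T08:01:11Z 10.20.30.45 GET http://wpad.oldbrand-expired.test/wpad.dat 404
"""

# Assumption: domains the company controls; a WPAD fetch anywhere else is suspect.
OWNED_DOMAINS = {"corp.example"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def is_owned(host, owned=OWNED_DOMAINS):
    """True if host is one of the owned domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in owned)


def find_external_wpad(log_text, owned=OWNED_DOMAINS):
    """Return (client_ip, host) for every wpad.dat fetch that left owned domains.

    Any status code counts: a 404 still proves the client asked an external
    host for its proxy configuration, which is the exposure the finding flags.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        _ts, client, _method, url, _status = m.groups()
        parsed = urlparse(url)
        if not parsed.path.lower().endswith("/wpad.dat"):
            continue
        host = parsed.hostname or ""
        if not is_owned(host, owned):
            hits.append((client, host))
    return hits


if __name__ == "__main__":
    for client, host in find_external_wpad(SAMPLE_LOG):
        print(f"external WPAD fetch: client {client} -> {host}")
```

The returned client addresses are the systems to track down and reconfigure; the internal wpad.corp.example fetches are ignored because they stay on an owned domain.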
Remote management: Citrix PN Agent
Description: Devices are using the Citrix Receiver PN Agent over abandoned domains.
Remediation tips: Track down the endpoint system by using the available details, and then reinstall or remove the related insecure application.
Remote management: McAfee ePolicy
Description: Corporate endpoints are contacting abandoned domains from McAfee ePolicy Orchestrator (McAfee ePO).
Remediation tips: Track down the endpoint system by using the available details, and then reinstall or remove the related insecure application.
Remote management: mydlink
Description: D-Link routers are using abandoned service domains from the “My DLink” portal.
Remediation tips: Track down the endpoint system by using the available details, and then reinstall or remove the related insecure application.
Remote management: Symantec EPM
Description: Corporate endpoints are contacting abandoned domains from Symantec Endpoint Protection Manager.
Remediation tips: Track down the endpoint system by using the available details, and then reinstall or remove the related insecure application.
Remote management: Symantec patches
Description: Corporate endpoints are contacting abandoned domains from the Symantec patch management solution (Altiris).
Remediation tips: Track down the endpoint system by using the available details, and then reinstall or remove the related insecure application.
Remote management: TR-069 CPE
Description: Customer-premises equipment (CPE) devices are using the TR-069 protocol for remote management on abandoned domain names.
Remediation tips: Track down the endpoint system by using the available details, and then reinstall or remove the related insecure application.
Service: SMB
Description: Endpoint is reaching out to a Windows NetBIOS network via an abandoned domain.
Remediation tips: Track down the system accessing the SMB service by using the available details, and then reconfigure or disable the destination access. Reevaluate your systems contacting remote services. For additional security, block the SMB ports on company edge network infrastructure. If NetBIOS connectivity is required, tunnel any connections through a secure Virtual Private Network (VPN) connection. Implement strong passwords and either strong password handling protocols or a key authentication system.
- December 11, 2024: Riskware and listed sub-categories.
- November 7, 2024: Linked the Proxy auto-discovery configuration finding to the instructions for identifying the system using a proxy.
- September 12, 2023: Published.