What is the "ScreenConnect Suspicious Domain" alert?

NAVIGATION  Alerts

SECURITY   Datto EDR or Datto AV subscription with administrator- or analyst-level platform access

IMPORTANT  Specific retention periods apply to all record types in Datto EDR and Datto AV. For more information, refer to Datto EDR and Datto AV data retention policies.

This article describes the ScreenConnect Suspicious Domain detection rule: what triggers it, how to investigate the alert, and how to respond when the connection turns out to be legitimate or malicious.

What is ScreenConnect?

ScreenConnect is a legitimate remote-support tool that gives support teams remote access to endpoints. That same capability makes it attractive to scammers: a user who is talked through installing a ScreenConnect client during a phishing call or from an e-mail link hands the caller a fully featured remote session. Datto EDR monitors ScreenConnect client sessions and raises this alert when the session connects to a server whose top-level domain (TLD) is considered suspicious.

How to respond to an alert

When the alert fires, start with the command line that launched the ScreenConnect client, since it names the server the session connects to. To locate it, refer to Working with the Alerts page and Using the Analyze page. Note the full server hostname as well as its TLD, and check whether that domain belongs to a ScreenConnect instance your administrators have approved. If the administrators do not recognize it, contact the computer owner and confirm how the session came about: who initiated it, whether the client was installed by IT or downloaded by the user, and what the session was for. Treat a session that began with an unsolicited phone call or an e-mail link as a likely scam until proven otherwise.

Protecting your users

Restrict where remote-access sessions can go: use domain filtering and geo-IP access lists so ScreenConnect clients can only reach servers your organization operates or has approved. Keep an inventory of approved remote control tools, audit endpoints for installations that are not on it, and treat an unexpected ScreenConnect client as something to investigate rather than ignore.

If the connection is safe

If the connection is confirmed safe, create a suppression rule from the alert. Include the command line as a match criterion and anchor it on the server hostname, which also pins the TLD; do not match on the TLD alone, since that would silence future connections to unrelated domains on the same TLD. Also consider matching the endpoint hostname, especially if ScreenConnect is not widely used or sanctioned in your company, so the suppression covers only the machine where the connection was verified.
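The triage and suppression steps above, as an added worked example in Python (not part of Datto's documentation or product): it pulls the server hostname out of a ScreenConnect-style client command line, classifies it against an approved-domain list and a suspicious-TLD list, and builds the match criteria for a suppression rule. The sample command lines, the GUIDs and key value in them, the TLD list, the approved domain `example.com`, the endpoint name and the `h=` host parameter are constructed assumptions about the client's argument format; always work from the actual command line shown in the alert.

```python
import re
from typing import Dict, Iterable, Optional
from urllib.parse import parse_qs

# Constructed sample command lines in the style of a ScreenConnect client launch.
# The "?key=value&..." argument and its "h=" (server host) parameter are an
# assumption about the client's argument format, not taken from the article.
SAMPLE_COMMAND_LINES = [
    # IT-deployed client talking to the organization's own instance (approved).
    r'"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f6)\ScreenConnect.ClientService.exe" '
    r'"?e=Access&y=Guest&h=support.example.com&p=443&s=00000000-0000-0000-0000-000000000001&k=CONSTRUCTED"',
    # User-downloaded installer pointing at a server on a suspicious TLD.
    r'"C:\Users\jdoe\Downloads\ScreenConnect.ClientSetup.exe" '
    r'"?e=Support&y=Guest&h=instance-remote-help.xyz&p=8041&s=00000000-0000-0000-0000-000000000002&k=CONSTRUCTED"',
    # Unknown but not obviously suspicious server: needs a human decision.
    r'"C:\Users\jdoe\Downloads\ScreenConnect.ClientSetup.exe" '
    r'"?e=Support&y=Guest&h=helpdesk-vendor.net&p=443&s=00000000-0000-0000-0000-000000000003&k=CONSTRUCTED"',
    # Service process launched without a configuration argument: nothing to classify.
    r'"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f6)\ScreenConnect.ClientService.exe"',
]

# Domains your administrators operate (assumed for the example).
APPROVED_DOMAINS = {"example.com"}

# TLDs to treat as suspicious (constructed starter list; tune it for your environment).
SUSPICIOUS_TLDS = {"xyz", "top", "club", "buzz", "icu", "cfd", "online", "site", "live", "work"}


def extract_relay_host(cmdline: str) -> Optional[str]:
    """Return the server host named in a ScreenConnect-style command line, or None."""
    # The configuration travels as one "?key=value&..." argument, quoted or not.
    m = re.search(r'\?([^"\s]+)', cmdline)
    if not m:
        return None
    params = parse_qs(m.group(1), keep_blank_values=True)
    hosts = params.get("h")
    if not hosts or not hosts[0]:
        return None
    # Normalize case and a trailing dot so allow-list comparisons are exact.
    return hosts[0].strip().lower().rstrip(".")


def tld_of(host: str) -> str:
    """Last DNS label of the host, e.g. 'xyz' for 'instance-remote-help.xyz'."""
    return host.rsplit(".", 1)[-1]


def is_approved(host: str, approved_domains: Iterable[str]) -> bool:
    """True when the host is an approved domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in approved_domains)


def triage(cmdline: str,
           approved_domains: Iterable[str] = APPROVED_DOMAINS,
           suspicious_tlds: Iterable[str] = SUSPICIOUS_TLDS) -> Dict[str, Optional[str]]:
    """Classify one alert's command line: approved, suspicious_tld, review or no_relay_host."""
    host = extract_relay_host(cmdline)
    if host is None:
        return {"host": None, "tld": None, "verdict": "no_relay_host"}
    tld = tld_of(host)
    if is_approved(host, approved_domains):          # allow-list wins over the TLD check
        verdict = "approved"
    elif tld in set(suspicious_tlds):
        verdict = "suspicious_tld"
    else:
        verdict = "review"                           # unknown domain: confirm with the owner
    return {"host": host, "tld": tld, "verdict": verdict}


def suppression_criteria(cmdline: str, endpoint_hostname: Optional[str] = None) -> Dict[str, str]:
    """Match criteria for a suppression rule once a connection has been confirmed safe.

    Anchors on the full server host (which carries the TLD) rather than on the TLD
    alone, so connections to other domains on the same TLD still alert, and
    optionally pins the rule to one endpoint. The dictionary keys are a generic
    representation, not Datto's suppression-rule schema.
    """
    host = extract_relay_host(cmdline)
    if host is None:
        raise ValueError("command line carries no server host; nothing to suppress on")
    criteria = {"command_line_contains": f"h={host}"}
    if endpoint_hostname:
        criteria["hostname"] = endpoint_hostname
    return criteria


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(triage(line))
    print(suppression_criteria(SAMPLE_COMMAND_LINES[2], endpoint_hostname="WS-JDOE-01"))
```

The allow-list is checked before the TLD list on purpose: an instance your administrators run on an unusual TLD should be approved explicitly rather than suppressed case by case, while anything unknown lands in "review" for the owner conversation described above.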

Stay vigilant, and keep your users secure!