Anydesk issue.


Hi everyone!
I have some issues with the AnyDesk application. It has an SSL issue because of decryption, I think.

I've added *.anydesk.com in 'SSL decryption exclusion', but it didn't work.

Maybe some of you have faced this kind of issue?

Thanks in advance!

anydesk.jpg

24 REPLIES

Hi

 

You mean inside IP address? But how did you manage to avoid decryption for only AnyDesk sides?

Hi,

I avoid decryption for the whole <private-ip-addr> category, as I couldn't make it work only for AnyDesk. As I said earlier, I tried many combinations.

Any update? Still not working for me.

 

Palo Alto has a predefined "SSL Decryption Exclusion" for "AnyNet Relay" and "AnyDesk Client", and I manually add "AnyNet Root CA", "*.net.anydesk.com", "net.anydesk.com".

 

Also try with Custom URL List...

Hello,

 

Any update? AnyDesk is not working for me either.

 

Regards,

Having the same issue. Pain in the ass!

OK got this working for now but not exactly the way I want. 

 

1) Tag

Nehmaan_2-1582713340970.png

 

2) Address Group

Nehmaan_1-1582713306695.png

 

3) SSL Decryption Policy

Nehmaan_3-1582713514583.png

 

4) Log Forwarding

Nehmaan_4-1582713614994.png

 

5) Built-in Actions

Nehmaan_5-1582713658530.png

 

6) Security Rule

Nehmaan_6-1582713791350.png

 

Hello, guys!

 

I met this issue and found out the root cause. Many of you know that desktop applications often check the certificate. AnyDesk does it. So we need to exclude it from SSL decryption, but here is the trick: *.anydesk.com works only for the AnyDesk website (the NGFW detects the web-browsing application, sees that the URL matches *.anydesk and excludes the session from decryption), but it doesn't work for the desktop application, and here is why:

I made a little investigation and found out that the application makes a DNS query for a random URL, generated upon installation. (I guess it's called DGA, but correct me if I'm wrong.)

 

Here is an example: 1.png

 

Then it establishes a TCP session to the IP that was previously taken from the DNS query, and that's all:

1 (1).png

So our exclusion rules will not work for the IP.

 

Solution:

 

1. Go to Monitor > Traffic and filter the logs by application "Anydesk".

2. Export the logs to CSV and open the file in Excel.

3. Find the Destination IP column, select all items and delete duplicates.

4. Copy this list to a *.txt file and create an EDL.

5. Use this EDL in the No-Decrypt policy.

6. PROFIT!

 

You can also go further. According to the WHOIS service, the backend IP addresses are located in different DCs all over the world. You can take the IPs you found in the logs, find the whole IP ranges in the WHOIS info and use these ranges in the EDL. But it doesn't seem safe to me, because many of the IPs in an IP range can be used by other applications, not AnyDesk, so this is a potential risk.
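Steps 2 to 4 of the solution above can be scripted instead of done in Excel. The following is an added example, not code from the original post: the CSV column names (`Destination address`, `Application`) are assumptions about the export, and the sample rows are constructed. It keeps a session count per IP so that rarely seen addresses can be reviewed before they are exempted from decryption.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample export; the column names are assumptions, adjust to your CSV.
SAMPLE_CSV = """Receive Time,Source address,Destination address,Application
2020/02/26 10:01:02,10.1.1.20,203.0.113.10,anydesk
2020/02/26 10:01:09,10.1.1.21,203.0.113.10,anydesk
2020/02/26 10:02:11,10.1.1.20,198.51.100.7,anydesk
2020/02/26 10:03:40,10.1.1.22,192.0.2.55,ssl
2020/02/26 10:04:05,10.1.1.23,10.9.9.9,anydesk
2020/02/26 10:05:00,10.1.1.20,not-an-ip,anydesk
"""

# RFC 1918 ranges: internal destinations do not belong in an external no-decrypt list.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_edl(csv_text, app="anydesk",
              ip_col="Destination address", app_col="Application"):
    """Return (sorted unique IPs, sessions per IP, skipped raw values)."""
    hits, skipped = Counter(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Keep only sessions the firewall identified as the target application.
        if (row.get(app_col) or "").strip().lower() != app:
            continue
        raw = (row.get(ip_col) or "").strip()
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            skipped.append(raw)          # malformed value, never write it to the EDL
            continue
        if ip.version == 4 and any(ip in net for net in INTERNAL):
            skipped.append(raw)          # internal address, review separately
            continue
        hits[str(ip)] += 1               # Counter de-duplicates and counts sessions
    ordered = sorted(hits, key=lambda s: (ipaddress.ip_address(s).version,
                                          int(ipaddress.ip_address(s))))
    return ordered, hits, skipped


if __name__ == "__main__":
    ips, hits, skipped = build_edl(SAMPLE_CSV)
    print("\n".join(ips))                # one IP per line: the EDL text file body
    for ip in ips:
        print(f"# {ip}: {hits[ip]} session(s)")
    print(f"# skipped: {skipped}")
```

Because the list is built from single observed addresses rather than WHOIS ranges, the no-decrypt scope stays limited to destinations the firewall actually classified as AnyDesk.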

Looks cool!

But I think 6 should be after 3. Because you use the security rule name in the filter in Log Forwarding settings

Yes, on the assumption that the security rule doesn't exist. It does in my case.

Hi @Ilya_Kuranov 

 

Could you please show me how to create a custom IPv4 EDL with MineMeld? Currently I have created and am using an Office365 IPv4 list, but I don't know how to create a custom IPv4 EDL from a text file as you mentioned.
