Bitdefender has been flagging Syncro as malicious and removing it

We’ve now had two separate instances of Bitdefender detecting Syncro.service.runner.exe as malicious. With all of the supply chain compromises (think about the recent 3CX disaster) we are very concerned about just adding this to the Bitdefender whitelist. What do you advise? Thank you for your time and attention.

Got this on 2 assets while harmless scripts were running. I think it might be related to 1.0.180.0 that just came out. Like you, I wouldn’t add anything RMM related to the allow list. Syncro still showed it had 1.0.179.0, but I was able to remote in and view that it had recently updated. For our two systems, it didn’t eat it, it just stopped the service, so we were able to restart it. I opened a ticket already.

We haven’t opened an official support ticket yet; I thought I’d reach out to the community first for a quicker response. Please keep us updated with what you find out in your ticket. Thank you!

Everyone should open a ticket; the more tickets they get, the more widespread it will show. Otherwise they could respond back and say no one else has reported it lol.

Have received several more since and confirmed they were on 1.0.180.0. I don’t have any way to restart the service in bulk, so this is going to suck…

Bump.

Happening across all my Bitdefender-enabled endpoints also.

I’ve confirmed that it has been hours since some of these events and the systems still show offline, but I can get in with BT and the service starts, so to compound this, the SyncroRecovery service is not functioning as it should.

Support responded back and they are working with BD. Sent them the BD logs.

Just saw this now - had about 50 notifications so far.

They aren’t doing anything @Jimmie … if they were they’d have already rolled back the offending application.

It’s a platitude at best, and at worst they are stalling to contact their lawyers in case it’s a real breach event.

Um, we are doing something… we’re in contact with BD, we shared logs that Jimmie and others sent our Product and Support teams, and BitDefender is investigating the cause.

Sorry, but why would you suggest anything else?

1 Like

Well if your product team was aware and they haven’t already rolled back, then I’d start by posting some job ads.

And I get that it sounds harsh Andy, but I have 600 or so email alerts from bitdefender that say it should have been escalated faster than it was. So, either your relationship with Bitdefender doesn’t provide you with enough clout to make things happen with them or your internal support channels don’t have enough escalation training.

If this was a real event and not a false positive, then every Syncro customer would be out of business tomorrow, and fending off legal claims and so would Syncro. 7 hours passed between first report and a notification being posted that it was a false positive.

Don’t be 3CX.

1 Like

You are making some very wild assumptions so I am going to ask you to please stop.

An issue was reported to us by multiple customers, and we are working with BitDefender to resolve it. We’ll update the status site once we have additional information to share.

I’m feeling particularly antagonistic due to my stress level from this event, but since it isn’t constructive to resolution I’ll hold my tongue for tonight.

1 Like

There are two sides to this.
Agree, wild assumptions are never helpful. But understandable when stress is high.
Thankfully our exposure to BD, while non-zero, is minimal.

However I’m again concerned at the comms from Syncro, the lack of testing, the lack of a rollback strategy and the lack of a public display of empathy for impacted MSPs.
If this was Webroot (and it could be in the future) I’d be stressed like @adam9 and others are.

Why isn’t there an email to all partners explaining there is a problem and what SyncroMSP is doing about it?
Why isn’t the agent version being rolled back?
Why doesn’t Syncro have multiple test VMs running with each of the major AV engines and the deployed Syncro agent versions installed?

SentinelOne is doing the same thing.

It was posted on their status page a few hours ago and since I’m subscribed to the page, I got an email notification. I recommend everyone subscribe since this is one of their primary ways of communicating status changes.

Honestly…in the flood of email I get, this was one I didn’t notice in my inbox. :shushing_face:
Clearly (for me at least) the system generated email didn’t stand out as a must read.
Perhaps something a little more obvious would be better, as this is fairly serious.

We have had notifications of problems in the Announce section of the forums as recently as May 11.

In any case, where is the proactive action to roll back the version… or perhaps there isn’t a way of doing this if the AV is stopping the agent from doing anything.
Hopefully the only fix isn’t a reinstall with a new version.

In my case, BD isn’t eating it, I just have to start the service again. I think it’s also preventing the recovery from restarting it too.