TDR does not like Zoho Assist and keeps containing computers
Has anyone else been experiencing issues with TDR and Zoho Assist unattended agent?
I have a client who has had two computers so far get contained because TDR flags Zoho Assist executables as threats. This problem started last July. One of the computers was a rarely-used training computer, so it being offline for months was not unusual. I repurposed it a month ago, and it would not connect, and that is when I found the Zoho Assist problem and added all of the exclusions below the one that happened today as noted below. The latest one was today and it was:
C:\Program Files (x86)\ZohoMeeting\UnAttended\ZohoMeeting\agent.exe
I already had the following in the exception list and I just added the one above to the list. I am tempted to just allow the whole "C:\Program Files (x86)\ZohoMeeting\UnAttended\ZohoMeeting" folder and subfolders to stop this false positive, but that's not the best solution.
C:\Program Files (x86)\ZohoMeeting\UnAttended\ZohoMeeting\Temp\ZA_Delta\agent_ui.exe
C:\Program Files (x86)\ZohoMeeting\UnAttended\ZohoMeeting\agent_ui.exe
C:\Program Files (x86)\ZohoMeeting\UnAttended\ZohoMeeting\ZMAgent.exe
C:\Program Files (x86)\ZohoMeeting\UnAttended\ZohoMeeting\ZohoURS.exe
C:\Program Files (x86)\ZohoMeeting\UnAttended\ZohoMeeting\ZohoURSService.exe
What is really strange is that there are three computers that have Zoho Assist on them, but only two that ever get contained.
No, but last week I had TDR killing OneDrive process as a threat.
I took a look around and I don't see any reported issues for ZOHO via TDR. There are a few cases where the HTTPS proxy picks it up as INVALID LINE FORMAT (because it's not actually HTTPS) -- in both cases making a packet filter to handle that traffic fixed it.
If you're running into a problem specific to TDR and ZOHO, I'd suggest opening a support case if you haven't done so already so that our team can help look into it, and look at your logs.
WatchGuard Customer Support