1.0.0 RC 18 upsets my host IDS.

Post by bstiff »

My company uses the Cisco Security Agent for Host Intrusion Detection. When I open an UltraVNC session (version 1.0.0 RC18), my host IDS alarms with the following message:

"The process "c:\program files\ultravnc\vncviewer.exe" is attempting to insert the code in "c:\program files\ultravnc\vncviewer.exe" into all running processes. This may be symtomatic of a trojan. To prevent further execution, choose "terminate""

If I say "don't terminate", the session runs fine.

Any guesses why my host IDS is seeing this activity?

Rudi De Vos
Admin & Developer

Post by Rudi De Vos »

The scroll_lock + special key trick.
If scroll lock is activated, special keys like (alt_tab) are sent to the server
instead of being handled as a local special key.
The only way you can capture those special keys is by inserting
a hook that captures keyboard input before it reaches any application.
If scroll_lock is active, the key is handled by the viewer; otherwise the key is sent to the normal application.

Please check the viewer.exe for any virus infection, but I'm
almost sure that the key hooking is causing the alarms to react.