Our software is dynamically compiled and signed for every different client installation, which makes it difficult to keep whitelisted with certain vendors as every package is different. It also collects a tremendous amount of data when users submit tickets about their system. This includes optional screenshots of the last 20 actions the user took before they hit the help button (to recreate the problem steps), as well as in-depth diagnostics about the network, hardware, and software at the moment the button was pressed. All of this looks extremely suspicious to most antiviruses. Having said that, most antiviruses will not flag us, and if you do find the software being flagged, we can provide you with instructions on how to exempt it from your AV policy.
We do create several registry keys during install, including services and keys to allow the software to run at startup.
We use the PowerShell -EncodedCommand feature to run the update scripts.
The PTTB.exe process injects code into the running shell32.dll thread. That shell32.dll thread runs inside explorer.exe, the only Windows process that can pin a shortcut to the taskbar (“PTTB” stands for “Pin To TaskBar”). Since shell32.dll is the only thing that is allowed to pin an item to the taskbar, we inject code into shell32.dll in-memory and execute it so that the request comes from that process. This is the only way to pin a shortcut to the taskbar in Windows 10 and 11.
That one shouldn’t be persistent; we think it’s just complaining that we run PowerShell with the “-ExecutionPolicy Bypass” flag so that the installer/updates still work when PowerShell is restricted.
This is just a process starting as the user “SYSTEM” to run the service.
Yes, the process that collects the screenshots needs to run when the user logs in.
Yes, we install a Windows service, like many applications.
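Before exempting launches like the ones described above, a reviewer will want to see what the encoded update script actually contains. The following Python is an added example, not the vendor's code: it decodes the -EncodedCommand payload (base64 of UTF-16LE text) and flags -ExecutionPolicy Bypass on constructed sample command lines shaped like Sysmon Event ID 1 records; the script names and paths in the samples are assumptions.

```python
import base64
import binascii

# Constructed sample process-creation command lines, shaped like the CommandLine
# field of Sysmon Event ID 1 or Security Event 4688. Script names and paths are
# assumptions for illustration, not values taken from any real installation.
SAMPLE_COMMAND_LINES = [
    "powershell.exe -ExecutionPolicy Bypass -EncodedCommand "
    + base64.b64encode('& "C:\\Program Files\\Vendor\\update.ps1"'.encode("utf-16-le")).decode(),
    "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1",
    "powershell.exe -ep bypass -enc " + base64.b64encode("Get-Service".encode("utf-16-le")).decode(),
]


def decode_encoded_command(blob: str):
    """-EncodedCommand carries base64 of a UTF-16LE string; return it, or None if malformed."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_command_line(cmd: str) -> dict:
    """Report -EncodedCommand (decoded) and -ExecutionPolicy Bypass for one command line.

    powershell.exe accepts any unambiguous prefix of a parameter name plus the
    documented aliases (-e / -ec for -EncodedCommand, -ep for -ExecutionPolicy),
    so a plain substring match for "-EncodedCommand" would miss many launches.
    """
    tokens = cmd.split()
    result = {"encoded_command": None, "execution_policy_bypass": False}
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith("-"):
            continue
        name = tok[1:].lower()
        nxt = tokens[i + 1]
        if name in ("e", "ec") or (len(name) >= 2 and "encodedcommand".startswith(name)):
            result["encoded_command"] = decode_encoded_command(nxt)
        elif name == "ep" or (len(name) >= 2 and "executionpolicy".startswith(name)):
            result["execution_policy_bypass"] = nxt.lower() == "bypass"
    return result


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(line[:60], "->", analyze_command_line(line))
```

Run against real telemetry, the decoded text is what should be compared to the vendor's published update script before any exclusion is written; a decoded payload that is itself a downloader or a second encoded stage is the case worth escalating.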
We have processes that need to run persistently.
We use keyboard and mouse inputs to build the slideshows but these are not “logged”, they are just used to know when to take a screenshot.
Yes, we use PyInstaller to package the Python scripts into executables: