Creating Custom Rules to Allow ConnectWise ScreenConnect Updates

8 min. read | Last update: 08.13.2025

To promote a smoother experience and help prevent ThreatLocker from flagging the ScreenConnect Windows installer as being from an “unidentified developer,” ThreatLocker recommends signing your ScreenConnect Certificate, running the ScreenConnect installer, and adding a few custom rules to the Application Files in your organization. 

The article below will detail these instructions. 

The expectation is that unique new installers and update files that do not match the Built-In will be added to your application. The core components of ScreenConnect will be permitted by the ThreatLocker ConnectWise ScreenConnect Built-In.

Installing the 'Certificate Signing' Extension 

ConnectWise provides an extension that allows administrators to sign the Windows access agent installers with their own trusted code-signing certificate or a generated self-signed certificate. To access this, navigate to the 'Extension Marketplace' and select the 'Administration' button at the bottom of the page. This button appears as a gear icon, as shown below. 

 

Within the 'Administration' page, select 'Extensions' from the list. Here, you can select the 'Browse Extension Marketplace' to navigate ConnectWise's extensions list. 

 

Selecting this button will open the 'Extension Marketplace'. From here, you can search for the extension's name, which is called 'Certificate Signing'. Select this extension and select 'Install' to install it. 

 

To access this extension, navigate to the 'Administration' page. It will now be an option within the 'Administration' page. 

 

 

Add a Self-Signed Certificate in ConnectWise ScreenConnect

Navigate to the 'Administration' page using the left-hand menu. 

 

Select 'Certificate Signing' from the list of pages in 'Administration'.

 

Within the 'Certificate Signing' page, select the 'Install Self-Signed Certificate' button at the top right corner of the screen. 

 

A pop-up titled 'Install Self-Signed Certificate' will appear. It will be pre-populated with a 'Subject', which appears as a string of numbers and letters. This does not have to be changed. Select 'Install Certificate'. 

 

For further questions regarding the 'Certificate Signing' extension, please refer to the following article from ConnectWise below: 

Once the certificate signing is complete, the installation files will contain your Self-Signed Certificate. 

 

Add a Custom Certificate in ConnectWise ScreenConnect

Navigate to the 'Administration' page using the left-hand side of the page. 

 

Select 'Certificate Signing' from the list of pages in 'Administration'.

 

From here, select the 'Install Custom Certificate' button, which appears in the top right-hand corner of the page. 

 

Selecting the 'Install Custom Certificate' button will open a pop-up window titled 'Install Custom Certificate'. Here, you will be asked to enter your Certificate Chain and your certificate's Private Key. Once you have filled out all this information, you can select the 'Install Certificate' button at the bottom of the pop-up window. 

 

Once the certificate signing is complete, the installation files will contain your Custom Certificate. 

Build a New Install

Note: This step is only needed for users who do not already have an installer. If you already have ScreenConnect installed in your environment, you can proceed to the section titled “Add Custom Rules”. 

Within your ConnectWise ScreenConnect portal, navigate to the 'Access' page, then select the 'Build +' button to build a new installer. 

  

In the 'Build Installer' menu, complete all of the information shown below. You can create a new Company or Site for your installer file here. Finally, select the Type of installer file you will be distributing. For this example, we will be selecting 'Copy URL'. 

 

Once the URL has been copied, this link can be distributed to users within your organization. The installer will begin downloading after you search for it. 

Note: Your machine needs to be in Secure Mode for the following steps. 

Once you have attempted to execute this application, navigate to your Unified Audit using the left-hand side of the portal. 

 

Locate the failed installer file execution log by searching in the Unified Audit around the timeframe that the file was executed, then select it. 

 

Selecting the Unified Audit log will open a side panel with more information regarding the log. In this side panel, you can choose 'Permit Application', which is found at the top of the page. 

 

The 'Permit Application' button opens a window of the same name. This displays all the information you would receive for a regular approval request. From here, you can select an existing application from your organization or create a new one, and then make a custom rule. 

  

The custom rule can be created using the 'File Hash or Custom Rules' portion of the page. To create the custom rule here for your ConnectWise ScreenConnect installer, select the 'Full Path' and 'Certificate SHA' options from the 'Conditions' dropdown. Ensure you insert wildcards where data might be more susceptible to change, such as in place of the username. 

 

Note: This is just an example of a custom rule. Other custom rules can also be created.

Once you have completed this information, select 'Approve' at the bottom of the page and deploy policies. 

Installing your Custom Certificate in Trusted Root Certification Authorities

Note: This is only necessary if your custom certificate was not already installed in Trusted Root Certification Authorities. This step must only be completed if you are using a custom certificate.

Once the ConnectWise ScreenConnect installer has been downloaded onto the machine, right-click the installation file and select 'Properties'. 

 

Within the 'Properties' pop-up, select 'Digital Signatures'. 

 

Select the signature, then select the 'Details' button. 

 

Selecting 'Details' will open a new window titled 'Digital Signature Details'. From here, select 'View Certificate'. 

 

Selecting this button will open a new window titled 'Certificate'. From here, select the 'Install Certificate' button. 

 

Now, the 'Certificate Import Wizard' will appear. From here, you can follow the steps to install the Certificate into Trusted Root Certification Authorities. On the first page, make sure that the radio button to the left of 'Local Machine' is selected, then choose the 'Next' button at the bottom.

 

A User Account Control (UAC) prompt window will open asking you to verify whether the "Windows host process (Rundll32)" is allowed to make changes to your device. Select 'Yes' to verify this.

 

Back in the 'Certificate Import Wizard' window, make sure that the radio button labeled 'Place all certificates in the following store' is selected. From here, you can select the browse button to the right of the 'Certificate Store' field. 

 

Once 'Browse' is selected, a pop-up titled 'Select Certificate Store' will open. From here, choose the option labeled 'Trusted Root Certification Authorities', then select 'OK'.

 

Select the 'Next' button when this is done. 

On the final page of the 'Certificate Import Wizard', you can verify if the information you entered is correct. Once done, select the 'Finish' button to complete the Certificate Import. 

 

If the changes were successful, the Certificate Import Wizard will send a message stating, 'The import was successful.' 

Once done, be sure to create a custom rule using the path and certificate of the installer file. 
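
Before building a rule on the installer's certificate, it helps to confirm from the command line which certificate actually signed the file and whether it is in the machine's Trusted Root store. The following PowerShell is an added example, not part of the original ThreatLocker or ConnectWise instructions; the installer path is a placeholder, and both hash forms are printed so you can compare against whichever value the portal displays.

```powershell
# Added example: inspect the signer of a downloaded installer before trusting it.
# $InstallerPath is a placeholder; point it at your own downloaded installer file.
param(
    [string]$InstallerPath = 'C:\Path\To\Your\ScreenConnectInstaller.exe'
)

function Get-InstallerSignerInfo {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    if (-not $cert) {
        # Unsigned file: there is no certificate to build a rule on.
        return [pscustomobject]@{ Path = $Path; Signed = $false; Status = $sig.Status }
    }

    # SHA-256 over the DER-encoded certificate, computed explicitly so it
    # works on Windows PowerShell 5.1 as well as PowerShell 7.
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = $sha256.ComputeHash($cert.RawData)
        $hash  = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $sha256.Dispose()
    }

    # Is this exact certificate present in the machine-wide Trusted Root store?
    $inRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint })

    [pscustomobject]@{
        Path               = $Path
        Signed             = $true
        Status             = $sig.Status       # 'Valid' only when the chain is trusted
        Subject            = $cert.Subject     # contains the CN= value
        Sha1Thumbprint     = $cert.Thumbprint
        Sha256             = $hash
        NotAfter           = $cert.NotAfter
        SelfSigned         = ($cert.Subject -eq $cert.Issuer)
        InLocalMachineRoot = $inRoot
    }
}

Get-InstallerSignerInfo -Path $InstallerPath | Format-List
```

A Status other than 'Valid' together with InLocalMachineRoot = False indicates the import described above has not been completed on that machine.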

Creating Custom Rules for the Installer 

Note: Multiple custom rules might be needed to permit all of your ConnectWise ScreenConnect files.

Your ConnectWise ScreenConnect policy can have custom rules applied to it to make it easier for the correct installer to be permitted on other machines in your environment. There are several methods you can use to create easy custom rules for your installer. To start, navigate to the Unified Audit and select the ConnectWise ScreenConnect Installer from your logs. Once this side panel is opened, select the 'Add To Application' button in the top right corner of the screen. 

 

When prompted, enter the Application Name in the available field, then select it. This will take you to the application you entered, allowing you to insert the necessary information for custom rule creation directly into the application files. 

 

 

You can also view previous application files that have been inserted here. Locate the Path, Process, and Certificate. Within the ThreatLocker Portal, you can find them in the application files tab in the Notes section. 

 

Custom Rule 1 – Account for Different Users

Under the File Rules section, select Full Path for Condition 1, then copy and paste the Process Path into the Full Path condition. Replace the area between c:\ and \screenconnect with a wildcard (highlighted in the example below) to account for multiple users and file locations. Next, select Certificate for Condition 2 and paste the certificate into the field. 

Select 'Add Rule'. 

 

Custom Rule 2 – Account for Multiple Install Files

Under the File Rules section, select Full Path for Condition 1, then copy and paste the Process Path into the Full Path condition. Replace the area between c:\ and \screenconnect with a wildcard to account for multiple users and file locations, and add a space, an open parenthesis, a wildcard, and a close parenthesis, that is " (*)" (highlighted in the example), after clientsetup and before .exe to account for multiple install files. Next, select Certificate for Condition 2 and paste the certificate into the field.

Select 'Add Rule'. 

 

Custom Rule 3 – Account for Future Updates (1 of 2)

Under the File Rules section, select Full Path for Condition 1 and copy and paste the Full Path into the Full Path condition. Replace the user’s name with a wildcard (*). 

Note: The GUID that is displayed after \screenconnect\ and before \setup.msi is a unique ID for each ScreenConnect Server. If your organization manages multiple ScreenConnect Servers, the most secure approach is to build a rule for each ScreenConnect Server.

Then, select Certificate for Condition 2 and paste the Certificate details (after cn=) in Value 2. 

Select 'Add Rule'. 

 

Custom Rule 4 – Account for Future Updates (2 of 2)

Under the File Rules section, select Full Path for Condition 1 and type c:\windows\installer\*.msi in Value 1. 

Then, select Certificate for Condition 2 and paste the Certificate details (after cn=) in Value 2. 

Select 'Add Rule'. 
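
The wildcard paths in Custom Rules 2 and 4 are broad on their own, so it is worth dry-running them against sample paths to see what the Certificate condition contributes. The PowerShell below is an added example, not ThreatLocker's matching engine: it assumes '*' behaves like a glob wildcard and that both conditions in a rule must match, and every path, file name and certificate subject in it is a constructed sample.

```powershell
# Added example: dry-run rule patterns against sample paths before deploying.
# Assumptions: '*' is a glob wildcard; Condition 1 AND Condition 2 must match.
# All paths and certificate subjects below are constructed samples.
$rules = @(
    @{ Name = 'Rule 2'; Path = 'c:\*\screenconnect.clientsetup (*).exe'; Cert = 'EXAMPLE-SUBJECT' }
    @{ Name = 'Rule 4'; Path = 'c:\windows\installer\*.msi';             Cert = 'EXAMPLE-SUBJECT' }
)

$samples = @(
    @{ Path = 'c:\users\alice\downloads\screenconnect.clientsetup (1).exe'; Cert = 'EXAMPLE-SUBJECT' }
    @{ Path = 'c:\users\bob\downloads\screenconnect.clientsetup (2).exe';   Cert = 'SOME-OTHER-SIGNER' }
    @{ Path = 'c:\windows\installer\1a2b3c.msi';                            Cert = 'EXAMPLE-SUBJECT' }
    @{ Path = 'c:\windows\installer\4d5e6f.msi';                            Cert = 'SOME-OTHER-SIGNER' }
)

function Test-RuleMatch {
    param($Rule, $File)

    # -like is case-insensitive and treats '*' as "any run of characters";
    # parentheses and backslashes are literal.
    $pathOk = $File.Path -like $Rule.Path
    $certOk = $File.Cert -eq $Rule.Cert

    [pscustomobject]@{
        Rule        = $Rule.Name
        File        = $File.Path
        Signer      = $File.Cert
        PathOnly    = $pathOk
        PathAndCert = ($pathOk -and $certOk)
    }
}

$results = foreach ($file in $samples) {
    foreach ($rule in $rules) { Test-RuleMatch -Rule $rule -File $file }
}

# Show only rows where the path pattern matched, so the effect of the
# Certificate condition is visible side by side.
$results | Where-Object PathOnly | Format-Table -AutoSize
```

Rows where PathOnly is True but PathAndCert is False are files the path pattern alone would have permitted, which is why each rule pairs Full Path with the Certificate condition.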

 

 
