TeamViewer Detection

by Dave Breslin
April 23, 2012

Locations

This template was designed to report hosts and network locations that have been observed using TeamViewer. The sample above was cut from one of two chapters in the template and points to the physical network locations where TeamViewer was observed in use. To see a full report use the download example link.

TeamViewer is one of the more interesting remote destop software packages in terms of tracking its use to enforce computer and network use policy. It can bypass traditional Internet perimeter firewalls, run without installation or administrator rights, has support for multiple operating systems, and can be used to transfer files. The Passive Vulnerability Scanner has multiple plugins dedicated to its detection through network monitoring. The plugins are grouped under the PVS “Policy” plugin family which can be used to detect, report and alert on exceptions to an organization's computer and network use policy.

The “Locations” chapter uses static asset list names that have been configured to map subnets to meaningful labels representing physical locations. The “Hosts” chapter simply lists all the hosts that have been observed using TeamViewer. The totals in both chapters refer to the number of detection plugins that were triggered at least once per host. If a host triggers the same plugin more than once the count for that host and plugin will remain at one.