Detects and removes AnyDesk binaries signed with the compromised February 2024 code-signing certificate on Windows endpoints
This Automox Worklet™ hunts for AnyDesk binaries on Windows endpoints that were signed with the code-signing certificate AnyDesk Software GmbH revoked after the February 2, 2024 production breach. The Worklet inspects the Windows Certificate Store across the LocalMachine and CurrentUser locations – including the My, Root, and TrustedPublisher store names – for any certificate whose serial number matches 0DBF152DEAF0B981A8A938D53F769DB8. A match means the compromised certificate is still present on that endpoint; a match in Root or TrustedPublisher means the endpoint still explicitly trusts it.
The Worklet then performs a recursive scan of the system drive for .exe, .msi, and .ps1 files and runs Get-AuthenticodeSignature against each one. Any file whose SignerCertificate.SerialNumber matches the compromised serial is logged with its full path. Matching on the signer's serial rather than on the signature Status is deliberate: the serial is read from the embedded signature and does not depend on a CRL or OCSP lookup succeeding from the endpoint. Because the scan walks every directory under SystemDrive, runtime depends on disk size and file count, and the endpoint may sit in a Pending Update or Refreshing state in the Automox console until the scan completes.
The Worklet ships with two parameters that gate its behavior. The serialNumberToFind parameter defaults to the AnyDesk compromised certificate serial and rarely needs to change. The removeExecutable parameter defaults to $false so the first run is reporting-only; set it to $true to force-delete each compromised binary after the Worklet stops the AnyDesk service and process. The Worklet does not uninstall AnyDesk itself – pair it with the catalog AnyDesk uninstall Worklet to fully clear the install before redeploying version 8.0.8 or later.
On February 2, 2024 AnyDesk disclosed that attackers had compromised its production environment and obtained the code-signing certificate used to sign earlier release binaries. AnyDesk's post-incident guidance directed customers to update to 8.0.8 (8.x line) or 7.0.15 (7.x line), and any AnyDesk executable carrying serial number 0DBF152DEAF0B981A8A938D53F769DB8 should now be treated as untrusted. The vendor revoked the certificate, but revocation only protects an endpoint when something on that endpoint re-verifies the file and the CRL or OCSP check succeeds; a binary that was installed before the revocation and is never re-checked keeps running. Until the binary is removed and a current build is in place, the endpoint runs a remote-access agent signed by a key the attacker holds, which an attacker could leverage for impersonation, lateral movement, or persistence.
After the February 2024 AnyDesk supply-chain compromise, AnyDesk revoked the code-signing certificate used on releases before 8.0.8 (and before 7.0.15 on the 7.x line). Any Windows host still running one of those builds carries a binary signed by a revoked certificate, which vulnerability scanners flag and incident responders treat as a compromise indicator. This Worklet detects such AnyDesk installations on every Windows host where AnyDesk was ever installed, including the long tail of contractor laptops and idle workstations that never check in to a vulnerability scanner, and, once removeExecutable is set to $true, removes the compromised binary during remediation.
Evaluation phase: The Worklet iterates the LocalMachine and CurrentUser certificate stores for the My, Root, and TrustedPublisher store names, opening each one read-only and filtering for SerialNumber 0DBF152DEAF0B981A8A938D53F769DB8. When a match is found, it writes Issuer, Subject, Serial Number, and Thumbprint to the Activity Log. It then runs Get-ChildItem -Path "${env:SystemDrive}\" -Recurse -Include *.exe, *.msi, *.ps1 and pipes each file through Get-AuthenticodeSignature, comparing SignerCertificate.SerialNumber to the target serial. The phase exits 80 the moment any compromised binary is found, which triggers remediation; if no match is found, it exits 0 and the endpoint is marked compliant.
Remediation phase: The same certificate-store and Authenticode scan runs again to collect a full list of compromised files into $matchingFiles. The Worklet then calls Stop-Service -Name AnyDesk -Force and Stop-Process -Name AnyDesk -Force to release file locks before any deletion attempt. With removeExecutable left at its default $false, the Worklet logs each path with a FOUND: prefix and exits without touching the file – an inventory pass. With removeExecutable set to $true, the Worklet calls Remove-Item -Force -Recurse against each path; a delete failure exits 16 with the offending path in the Activity Log so an admin can intervene.
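The two phases above, collapsed into one stand-alone PowerShell script as an added example; this is not the Worklet's own code. It reuses the store names, serial, exit codes and log strings the page describes, but the $ScanRoot parameter (so a test run can be pointed at a small directory instead of the whole system drive), the -ErrorAction handling, and the single-script layout are assumptions of this example.

```powershell
# Added example: certificate-store lookup and Authenticode scan by signer serial,
# followed by the page's stop/report/remove remediation. Not the Worklet's own code.
param(
    [string]$SerialNumberToFind = '0DBF152DEAF0B981A8A938D53F769DB8',
    [string]$ScanRoot = "${env:SystemDrive}\",   # assumption: narrow this for a dry run
    [bool]$RemoveExecutable = $false
)

function Find-CertificateBySerial {
    param([string]$Serial)
    $hits = @()
    foreach ($location in 'LocalMachine', 'CurrentUser') {
        foreach ($storeName in 'My', 'Root', 'TrustedPublisher') {
            $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, $location)
            try {
                $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
                foreach ($cert in $store.Certificates) {
                    if ($cert.SerialNumber -ieq $Serial) {
                        $hits += [pscustomobject]@{
                            Location = $location; Store = $storeName
                            Issuer = $cert.Issuer; Subject = $cert.Subject
                            SerialNumber = $cert.SerialNumber; Thumbprint = $cert.Thumbprint
                        }
                    }
                }
            } finally { $store.Close() }
        }
    }
    return $hits
}

function Find-SignedFileBySerial {
    param([string]$Serial, [string]$Root)
    # SilentlyContinue skips directories SYSTEM cannot enumerate instead of aborting the scan.
    Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.msi, *.ps1 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
            # Compare the signer serial, not $sig.Status: Status depends on a revocation
            # check that may fail offline, while the serial is read from the embedded signature.
            if ($sig -and $sig.SignerCertificate -and $sig.SignerCertificate.SerialNumber -ieq $Serial) {
                [pscustomobject]@{ Path = $_.FullName; Status = $sig.Status; Thumbprint = $sig.SignerCertificate.Thumbprint }
            }
        }
}

# Evaluation: certificate stores first, then the file scan.
$certHits = Find-CertificateBySerial -Serial $SerialNumberToFind
foreach ($c in $certHits) {
    Write-Output ("Certificate match: {0}\{1} Issuer={2} Subject={3} Serial={4} Thumbprint={5}" -f `
        $c.Location, $c.Store, $c.Issuer, $c.Subject, $c.SerialNumber, $c.Thumbprint)
}
if (-not $certHits) { Write-Output 'A certificate match was not found.' }

$fileHits = @(Find-SignedFileBySerial -Serial $SerialNumberToFind -Root $ScanRoot)
if ($fileHits.Count -eq 0) {
    Write-Output 'No matching signed executables found. Device is compliant.'
    exit 0
}

# Remediation: release file locks before any delete. The service or process may not
# exist on every host, so neither failure is fatal.
Stop-Service -Name AnyDesk -Force -ErrorAction SilentlyContinue
Stop-Process -Name AnyDesk -Force -ErrorAction SilentlyContinue

$deleteFailed = $false
foreach ($hit in $fileHits) {
    Write-Output ("FOUND: {0} (signature status {1})" -f $hit.Path, $hit.Status)
    if ($RemoveExecutable) {
        try { Remove-Item -LiteralPath $hit.Path -Force -ErrorAction Stop }
        catch {
            Write-Output ("DELETE FAILED: {0} - {1}" -f $hit.Path, $_.Exception.Message)
            $deleteFailed = $true
        }
    }
}
if ($deleteFailed) { exit 16 }          # an admin must intervene on the logged path
if (-not $RemoveExecutable) { exit 80 }  # inventory pass: report non-compliance, touch nothing
exit 0
```

For a first pass, run it with the defaults (reporting only) and a narrowed -ScanRoot such as the AnyDesk install directory; the FOUND: lines are what you review before flipping -RemoveExecutable to $true. The serial comparison is the load-bearing check: a host that cannot reach the CRL may still report the signature as Valid, so Status alone would miss the compromised binary.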
Windows workstation or server with PowerShell 5.1 or later and the Automox agent installed under SYSTEM
Administrative privileges to read every certificate store, walk the entire SystemDrive, and stop the AnyDesk service
AnyDesk installs signed with the revoked certificate are the in-scope risk. AnyDesk's post-incident guidance pointed customers on the 8.x line to update to 8.0.8 or later, and customers on the 7.x line to 7.0.15 or later. Confirm version with the AnyDesk uninstall key at HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk before and after remediation
serialNumberToFind parameter (default 0DBF152DEAF0B981A8A938D53F769DB8) – override only if hunting for a different compromised certificate
removeExecutable parameter (default $false) – flip to $true once a dry-run pass confirms the file list is correct
Extended runtime is expected: the recursive Get-ChildItem on SystemDrive walks every directory, so SSD-backed endpoints finish in minutes while spinning-disk workstations may run for an hour or longer
Pair with the AnyDesk uninstall catalog Worklet and the AnyDesk third-party patch policy to redeploy AnyDesk 8.0.8 or 7.0.15 (or later in either line) after cleanup
The Activity Log captures every certificate match, including Store, Location, Issuer, Subject, Serial Number, and Thumbprint, followed by a FOUND: line for each compromised binary on disk. Endpoints with no matches log "A certificate match was not found." and "No matching signed executables found. Device is compliant." and exit 0. Endpoints in scope exit 80 from evaluation and proceed to remediation, where Stop-Service and Stop-Process release the AnyDesk handle before any delete is attempted.
Validate after remediation by re-running the Worklet and confirming a clean exit 0 with no FOUND: entries. As a second check, open PowerShell on a sample endpoint and run Get-ItemProperty 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk' | Select-Object DisplayVersion to confirm AnyDesk is either absent or at 8.0.8 (8.x line) or 7.0.15 (7.x line) or later; note that Get-ItemProperty reads the key's values, whereas Get-ChildItem would only list subkeys. For a faster fleet-wide attestation, run Get-AuthenticodeSignature on a known AnyDesk path such as C:\Program Files (x86)\AnyDesk\AnyDesk.exe and confirm SignerCertificate.SerialNumber no longer matches 0DBF152DEAF0B981A8A938D53F769DB8. Once clean, push the current AnyDesk MSI through your patch policy or the AnyDesk install Worklet so remote support resumes against a trusted, signed build.
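The three post-remediation checks above, combined into one per-host attestation script as an added example (not from the page or from Automox). It reads DisplayVersion from the uninstall key the page names, picks the minimum fixed build by major version line, and re-checks the signer serial on the default install path. The $MinimumByLine table, the handling of major versions outside 7 and 8, and treating an unsigned file on the install path as non-compliant are assumptions of this example.

```powershell
# Added example: per-host attestation that AnyDesk is absent, or on a fixed build
# and no longer signed with the revoked certificate. Not the Worklet's own code.
$CompromisedSerial = '0DBF152DEAF0B981A8A938D53F769DB8'
$UninstallKey = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk'
$InstallPath = "${env:ProgramFiles(x86)}\AnyDesk\AnyDesk.exe"   # default path from the page
# Assumption: minimum fixed build per major line, from the vendor guidance quoted above.
$MinimumByLine = @{ 8 = [version]'8.0.8'; 7 = [version]'7.0.15' }

function Test-AnyDeskVersion {
    param([string]$DisplayVersion)
    # Absent is compliant (nothing installed); otherwise compare within the version's own line.
    if ([string]::IsNullOrWhiteSpace($DisplayVersion)) { return $true }
    $v = [version]$DisplayVersion
    if ($MinimumByLine.ContainsKey($v.Major)) { return $v -ge $MinimumByLine[$v.Major] }
    # Assumption: a major above 8 postdates the fixed builds; anything below 7 never got one.
    return $v.Major -gt 8
}

function Test-AnyDeskSigner {
    param([string]$Path, [string]$Serial)
    if (-not (Test-Path -LiteralPath $Path)) { return $true }   # nothing on disk to attest
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # An unsigned binary on the install path is not an acceptable end state after cleanup.
    if ($null -eq $sig.SignerCertificate) { return $false }
    return $sig.SignerCertificate.SerialNumber -ine $Serial
}

$installed = (Get-ItemProperty -Path $UninstallKey -ErrorAction SilentlyContinue).DisplayVersion
$versionOk = Test-AnyDeskVersion -DisplayVersion $installed
$signerOk  = Test-AnyDeskSigner -Path $InstallPath -Serial $CompromisedSerial

[pscustomobject]@{
    Host           = $env:COMPUTERNAME
    DisplayVersion = $installed
    VersionOk      = $versionOk
    SignerOk       = $signerOk
    Compliant      = ($versionOk -and $signerOk)
}
```

Run it as a one-off Worklet or through Invoke-Command against a sample of hosts and keep only rows where Compliant is $false. Both checks are needed: a host can report a fixed DisplayVersion while an older AnyDesk.exe is still on disk, and a host with no uninstall key can still carry a stray signed binary the version check never sees.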