TEAMVIEWER - TeamViewer Traffic

Method description

This method is designed to detect the TeamViewer application usage. The application is used for desktop sharing and may be potentially misused to exfiltrate sensitive data from the company environment. The method is capable of distinguishing whether the application was only launched or if the client is actively sharing its desktop (or is connecting to a remote desktop). This fact can be found in the event detail of the detected event.

This method consists of the following submethod:

• General: Reports the usage of the TeamViewer application.

Method configuration

It is recommended to apply this method only for the IP addresses from the monitored network. The right place for traffic monitoring is the central switch. To enhance the accuracy of the detection method, ensure you have the option Use autonomous system list enabled in Flowmon Configuration Center → FMC configuration → Autonomous systems. Also, note that the method provides less accurate results for devices that use both IPv4 and IPv6 protocols (dual stack) for communication on the Internet.

Method parameters

• Probability: The minimal probability that the device (identified by an IP address) is using the TeamViewer application. The default value is 50%.

Assigned filter

The filter is used for restricting source IP addresses.

Interpretation of results

This method detects devices that are using the TeamViewer application. This indicates the device can be under a remote control via TeamViewer service which may be used for legitimate purposes but also the sensitive data exfiltration.