It has been a tough week for MSPs who supply 3CX as part of their package offerings. And a lesson learnt to those who’s EDR tools flagged the compromise, and they decided to whitelist it as a false positive.
For those that don’t know, the issue started when a few MSPs posted on various forums that the latest 3CX app had been flagged as containing a threat actor. More of that can be read on the Huntress post: https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats
At our MSP, we immediately took appropriate action, blocking the reported malware websites via Cisco Umbrella. And to be fair to the Umbrella team, they put the block in place pretty quickly too. But we had a number of clients on the version affected, and we needed to get rid of is fast.
Well, here is a script to help you achieve such greatness.
DISCLAIMER! Running this code, you do so at YOUR OWN RISK. I have included a line that you can include to aim this at 1 tenant, or a tenant at a time, if you wish to do so.
This script will:
1. Use the GUID of each affected 3CX application.
2. Loop through each GUID and use msiexec to remove the application if present.
3. A reboot may be required to allow your RMM to then show it is no longer installed.
Who Are We?
Growth MSP is an MSP for MSPs. We are manage migration projects from start to finish, at a price that means we can all make money. We aim to take the stress away, whilst allowing you to not put off sales due to lack of capacity.
The Code
Note here that your RMM most likely run scripts as SYSTEM
Set-ExecutionPolicy Unrestricted -force
$guids = @(
"{BF60C539-8A02-409E-B67C-3256DC61A8AB}",
"{A89CE738-DAE1-4010-ADEC-AD38F1888199}",
"{110A3CCE-3D00-4E4A-8E61-EE5A4DFDA908}",
"{3D3B244E-7FB5-4747-BF11-64F34C128A8B}",
"{D5F28C48-46B5-42C7-BC6F-2E3E14D4088C}",
"{4BE10024-1B00-4837-99C2-CA630F1C3C75}",
"{C5F3A982-1C13-4E12-8519-83C9A1CA3FCD}",
)
foreach ($guid in $guids) {
$uninstallArgs = "/x $guid /qn /norestart"
Start-Process msiexec.exe -ArgumentList $uninstallArgs -Wait
}What Happens When You Run This Code?
Running this script will remove all 3CX applications from the device, pending reboot.
Want More Expert Tips Like This?
We’ve got dozens of tips and tricks like this to make your life as an MSP a little easier. We also offer expert mentorship, advice, and support for every aspect of an MSP’s business, including sales, marketing, support, and engineering. If you need help growing your MSP, please contact us today.
Related posts
Powershell – Create A Group Across All Delegate Tenants For Mailshots
A common issue amongst MSPs is the inability to mailshot all of your users in one go. As we know, these are forever changing, and would require constant updates.
Furthermore, some PSAs allow the syncing of tenants to their CRM to be able to log tickets against your users. But we do not want all of the service accounts and unlicensed users, right?
Read more
Change PST Limit to 100GB
Want an easy want to increase a PST limit to 100GB? Just use this script!
Microsoft Outlook will no longer work once a PST or OST hits its 50GB limit. Often, the cause of this is a large “Deleted Items” folder. Luckily, this can be easily fixed with a simple registry change.
Read more
