Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: ConnectWise ScreenConnect
Environment: Huntress Platform
Summary: When you review your Huntress Platform dashboard, you may notice a section called ScreenConnect Hosts. This article explains what this feature shows, why you might see ScreenConnect instances listed, and what the data means for your environment.
Key Takeaway
The ScreenConnect section in the Huntress portal is informational only and doesn’t, by itself, mean there’s an active incident. Our SOC monitors ScreenConnect-related activity in the background and investigates suspicious signals. If we see signs of suspicious or malicious use, we’ll notify you with a formal Incident Report or Escalation. Otherwise, no action is required on your end.
In this Article
- The ScreenConnect Hosts Feature
- Why Do I See ScreenConnect Instances Listed?
- First Seen and Last Seen
- Is This a Security Concern?
- Huntress SOC Monitoring
- Frequently Asked Questions
The ScreenConnect Hosts Feature
The ScreenConnect Hosts feature in the Huntress Platform provides a historical timeline of when the Huntress Agent observed a ScreenConnect client running on a host and connecting to a specific ScreenConnect server. This timeline is not a real-time inventory of what is currently installed on your endpoints.
In the Command Center, the ScreenConnect widget shows the count of ScreenConnect hosts observed in the past 30 days (based on the Last Seen timestamp). When you click through to the full ScreenConnect Hosts list, that view is initially filtered to the same 30-day window, but you can clear the filter to see older history. The underlying records themselves are retained as a timeline of past activity.
ScreenConnect Hosts summary page
When you click into the widget, you’ll see a table listing each observed ScreenConnect connection, including:
- The ScreenConnect host (server / domain) and port
- The First Seen and Last Seen timestamps
- The number of endpoints where that ScreenConnect host has been observed
This view helps you understand which ScreenConnect servers have talked to your endpoints and when.
ScreenConnect Hosts details page
From the summary list, you can click into a specific ScreenConnect host to see which endpoints were observed connecting to it and the related timing details. If an endpoint’s agent has been uninstalled, the ScreenConnect host entry may remain in the timeline, but that specific endpoint may no longer appear in the detail view.
Why Do I See ScreenConnect Instances Listed?
ScreenConnect instances in the Huntress Platform are listed when the Huntress Agent observes a ScreenConnect client process running on an endpoint and connecting to a ScreenConnect server. This is derived from process and event activity at the time it occurred, not from a periodic inventory scan of installed applications.
Key points:
- This view is historical. It shows when a ScreenConnect client was observed running and connecting, not what is currently installed or active on the endpoint.
- An entry in this list doesn’t, by itself, confirm that ScreenConnect is currently installed or still running on the endpoint.
- You can use this data to understand remote access activity over time, which can support both day-to-day operational awareness and deeper security investigations (for example, identifying unexpected ScreenConnect servers or one-off support sessions that don’t match your normal workflows).
First Seen and Last Seen
These timestamps help you track the history of remote access activity for each endpoint and ScreenConnect server combination.
First Seen
The date and time when the Huntress Agent first observed a ScreenConnect client connecting to a specific ScreenConnect server from an endpoint.
Last Seen
The most recent date and time that same ScreenConnect connection was observed from that endpoint.
Together, these fields let you answer questions like:
- When did this ScreenConnect server first appear in my environment?
- Has it been used recently, or was it a one-off historical connection?
Is This a Security Concern?
Not by itself. Many organizations use ConnectWise ScreenConnect for legitimate purposes. However, remote access tools are also a common way attackers gain or maintain access, so unexpected servers or suspicious timing are worth validating.
Use the timeline as follows:
- If you recognize the ScreenConnect server and the timing aligns with expected support or management activity, you can treat this as normal, informational context.
- If the server is unfamiliar or the timing doesn’t match your workflows, we recommend you confirm whether it’s authorized (for example: who owns the ScreenConnect server, why the endpoint connected, and which user or tool initiated it). Unexpected remote access can be a sign of unauthorized use, and may warrant deeper investigation.
The ScreenConnect Hosts view is informational and historical. It can help you spot unusual patterns or unknown ScreenConnect infrastructure, but it does not by itself confirm an active threat or assert that a given ScreenConnect server is authorized in your environment.
Huntress SOC Monitoring
Huntress’ Security Operations Center (SOC) continuously monitors protected endpoints and identities for suspicious remote access activity, including behavior involving ScreenConnect and other remote management tools.
The ScreenConnect Hosts view is designed primarily for visibility and auditing (for example, cataloging which ScreenConnect servers have connected to which hosts, and when). Separately, the Huntress Platform generates signals when it sees activity that may indicate misuse or malicious remote access. Our SOC analysts investigate these signals to determine whether they represent a real threat. If we identify suspicious or malicious ScreenConnect activity, we’ll notify you through an Incident Report or escalation. You shouldn’t rely on this timeline as your primary indicator of active threats.
In practice, you can use the ScreenConnect Hosts timeline for context, and treat Incident Reports and escalations as the primary signal for confirmed or strongly suspected malicious activity.
Frequently Asked Questions
What should I do if I suspect a rogue ScreenConnect instance?
- Isolate or otherwise protect the affected host per your incident response playbook.
- Review whether the ScreenConnect instance/server is expected (your own, a known vendor, etc.).
- If there’s an associated Huntress Incident Report, follow its remediation guidance and contact SOC Support (incidents@huntress.com) if you need help.
- If there’s no Incident Report but you still suspect malicious use, contact Huntress with context so SOC Support can review signals in detail.
Do I get an alert for every new ScreenConnect instance?
Huntress do not send alerts for every single ScreenConnect detection. The ScreenConnect Hosts view is informational/visibility-only. The SOC uses signals and threat hunts to decide when an instance or activity pattern is suspicious or malicious; only then will you receive an Incident Report or Escalation.
Does this mean ScreenConnect is currently installed on my endpoint?
Not necessarily. The ScreenConnect Hosts timeline shows when the Huntress Agent observed a ScreenConnect client process running and connecting to a server. It is not a current software inventory view.
Why does the dashboard widget show a number that doesn’t match what I see in the list?
The Command Center widget shows ScreenConnect hosts whose Last Seen is within the last 30 days. When you click into the list, it opens pre-filtered to that same 30-day Last Seen window. If you change or clear the filter, you’ll see more/older entries, so the list may show more items than the widget count.
Why do I see old or one-time connections?
The timeline is historical. If ScreenConnect was used once or later removed, the past connection event can still appear for reference.
Should I be concerned if I see a ScreenConnect server I don’t recognize?
If the server is unfamiliar, validate it on your side. Review your remote access policies and confirm whether the server and connections were authorized. Unexpected remote access can indicate unauthorized use.
Can I remove entries from the ScreenConnect Hosts timeline?
No. The timeline is a record of observed activity and cannot be edited or deleted from the Huntress portal UI.
Why do I sometimes see a ScreenConnect host but no endpoint listed when I click into it?
In some cases, Huntress may have historical data showing that a ScreenConnect host connected to an endpoint, but the underlying endpoint/agent record has since been uninstalled or removed. In those scenarios, the ScreenConnect host entry remains in the timeline, but the specific endpoint no longer appears in the detail view.
If I uninstall ScreenConnect, why is it still showing here?
Uninstalling ScreenConnect stops new events, but past events remain in the timeline. The widget will eventually drop it once its Last Seen is older than 30 days, but the underlying historical record will still exist (depending on filters).
How often is the ScreenConnect Hosts list updated?
New entries are created when our backend detects new ScreenConnect-related events (service installs, process events, etc.); this effectively happens as telemetry is processed, not in batches.
Need help?
If you have questions about the ScreenConnect Hosts feature or want help interpreting a specific connection, reach out to Huntress Product Support at support@huntress.com.