Best Of

Hi Tamas,

The F-Secure Labs Team will consider about using the remote FSDIAG feature after checking on the possible GDPR constrains of granting the access to the team.

For the meantime, please take note that for malware and false positive incidents, we do still require the file samples to be submitted at the first stage.

While FSDIAG may be useful at a later stage during an ongoing case investigation, FSDIAG doesn’t contain the actual detected samples that we require to fix a detection. In most cases it is often sufficient to submit the affected file samples without requiring an FSDIAG to resolve the case.

Thank You.

Hi NinjaLee,

You can create application control rule to block the installation with the below conditions under the Profile in PSB portal.

1. Event: Installer start

2. Action: Block
3. Target signer name: " "
4. Target has trusted signature: " "

Thank you.

Hi,

I downloaded the Teamviewer client v. 14 and could not immediately reproduce your problem. Would it be possible for you to submit the false positive file (the exe that gives you trouble) for our labs at https://www.f-secure.com/en/web/labs_global/submit-a-sample.

    Maaret

Hi Carlos2285

To block/disable mobile phone via Device Control from PSB web portal, you need to block the following device classes.

Please add a device access rule as below, and let me know if it works:

Display name: Mobile Phone storage
HardwareID: USB\Class_FF
Access level: Blocked

Repeat this rule with the below mentioned device classes to block all smart phones:

HardwareID: USB\Class_00
HardwareID: USB\Class_08
HardwareID: USB\Class_02
HardwareID: USB\Class_EF

Hi Tamas,

As MonikaL shared, obtaining the file samples during the first stage would be the most efficient way to resolve a false positive case.

The binaries are required for us to debug how the false positive may occur in a particular file and then apply the necesary fixes, while keeping the protection on a good level to still detect valid malware samples.

In some cases, the samples may be publicly available or already in our backend. I would recommend whenever possible to provide at least the file hash (SHA1) when filing a false positive case, so that we can check if the sample is already available to us.

The PSB Management API documentation contains some examples on how to generate a report containing the detection details (including SHA1) programmatically:
https://help.f-secure.com/product.html?business/psb-rest-api/1.0.0/en/concept_216D5455656A49A38AA049D6C7B37427-1.0.0-en

For cases where the sample is not available to us (e.g. internally-developed software), there's an easy-to-use F-Secure tool available that we recommend to both Home and Corporate users to utilize in order to safely retrieve the quarantined files before submission.

The tool would have to be executed at the endpoint where the samples were quarantined, and its usage instructions are described here:
https://community.f-secure.com/t5/Common-topics/How-do-I-collect-quarantined/ta-p/78104

As PSB currently doesn't feature remote sample submission capabilities, I hope you find the above information useful for the time being.