
FSCS DeepGuard ignores hashes

dmueller
dmueller Posts: 8 Security Scout

Hi there,

After deploying FSPM 13/FSC 13, all workstations experience DeepGuard warnings when opening executables which are allowed by PM. The hashes are correct but FSCS seems to ignore them:

Here are the most recent alerts (120) from Policy Manager:

Security alert: Malware blocked
From: XXXXXXXXXXXXXXX, 2017-11-03 10:52:34 +01:00
Details: Action by malware was blocked. Malware path: \xxx\xxxx\xxxxxx.exe File hash: 643a2495c509e842885091b918a74b772d64c336

This email was automatically generated by F-Secure Policy Manager. Please do not reply to this message.

FSPM

SHA-1 hash                                  Notes       Trusted   Enabled
643a2495c509e842885091b918a74b772d64c336    xxxxx.exe   Yes       Yes

Can you help us with that?

Regards,

Dirk

Comments

  • Vad
    Vad Posts: 1,069 Cybercrime Crusader

    Hello Dirk,

    Normally allowed applications should not be blocked in version 13.

    Please, contact support. We will need diagnostic information from affected client machine for investigation.

    Best regards,

    Vad

  • martini
    martini Posts: 2 Security Scout

    Hi Dirk,

    I have the same problem with DG and some more; look at my post one above yours...

    Kind regards,

    Martin

  • RmB
    RmB Posts: 23 Junior Protector

    Hi,

    Same problem here with DeepGuard.

  • etomcat
    etomcat Posts: 1,172 Firewall Master

    Hello,

    Submit a sample here so the virus lab crew can fix the false alarm centrally:

    https://www.f-secure.com/en/web/labs_global/submit-a-sample

    You will struggle forever with the problem if you don't do that.

    (Some apps modify themselves while running so the checksum changes. These are not possible to exclude statically via hash and the only fix is to modify the scan logic to avoid the false alarm in the first place.)

    Best Regards: Tamas Feher, Hungary.
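An added example, not code from this thread or from F-Secure: a small Python check of the kind an administrator can run to confirm that the SHA-1 in a Policy Manager exclusion row really matches the file on disk, and to see why etomcat's caveat about self-modifying programs holds. The row layout (hash, note, trusted, enabled) mirrors the table Dirk pasted; the allowlist rows, the sample file and its "self-modification" are all constructed here and are not real product data. The alert text in the original post shows a 40-character hex digest, which is why the check insists on SHA-1 length.

```python
"""Check Policy Manager-style SHA-1 exclusions against files on disk.

Constructed example: the allowlist rows and the sample file are created
here; nothing is read from a real Policy Manager installation.
"""
import hashlib
import os
import re
import tempfile

# A SHA-1 digest is exactly 40 hex characters; the alert in the thread has that shape.
SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")


def sha1_of_file(path, chunk_size=65536):
    """SHA-1 of the file's current bytes, read in chunks so large executables are fine."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def normalise_entry(hash_text):
    """Strip whitespace and lower-case a pasted hash; reject anything that is not
    SHA-1 (an MD5 or SHA-256 pasted by mistake can never match a SHA-1 exclusion)."""
    cleaned = hash_text.strip().lower()
    if not SHA1_HEX.match(cleaned):
        raise ValueError(f"not a SHA-1 hex digest: {hash_text!r}")
    return cleaned


def build_allowlist(rows):
    """rows are (sha1, note, trusted, enabled) tuples, the columns of the
    Policy Manager table. Only rows that are both trusted and enabled take effect."""
    allow = {}
    for sha1, note, trusted, enabled in rows:
        if trusted and enabled:
            allow[normalise_entry(sha1)] = note
    return allow


def is_allowed(path, allowlist):
    """True only if the bytes currently on disk hash to an active exclusion."""
    return sha1_of_file(path) in allowlist


def demo():
    """Allowlist a constructed file, then rewrite it in place the way a
    self-modifying program would, and show that the exclusion stops matching."""
    with tempfile.TemporaryDirectory() as tmp:
        exe = os.path.join(tmp, "sample.exe")  # constructed sample, not a real program
        with open(exe, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + b"constructed sample body")
        original = sha1_of_file(exe)
        allowlist = build_allowlist([
            # upper-case with trailing space, as a hash pasted from an alert might look
            (original.upper() + " ", "sample.exe", True, True),
            # a disabled row must not contribute an exclusion
            ("0" * 40, "disabled.exe", True, False),
        ])
        before = is_allowed(exe, allowlist)
        # Simulate the program patching its own image file at runtime.
        with open(exe, "ab") as f:
            f.write(b"\x01runtime-config")
        after = is_allowed(exe, allowlist)
        return {
            "before": before,
            "after": after,
            "original": original,
            "modified": sha1_of_file(exe),
        }


if __name__ == "__main__":
    result = demo()
    print(f"allowed before self-modification: {result['before']}  ({result['original']})")
    print(f"allowed after  self-modification: {result['after']}  ({result['modified']})")
```

To use it on a real machine, compare `sha1_of_file` for the flagged executable with the hash in the Policy Manager row and with the hash in the alert email: if all three agree and the alert still fires, the client is ignoring a correct exclusion (the situation this thread reports); if the on-disk hash differs from the row, the file changed after it was allowlisted and a static hash exclusion cannot cover it, which is the case etomcat describes.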

  • Vad
    Vad Posts: 1,069 Cybercrime Crusader

    Hello Dirk and RmB,

    Did you already happen to provide diagnostic information to support for investigation? As I already mentioned, unfortunately, we can't reproduce this problem, and need your help to continue.

    Best regards,

    Vad

  • dmueller
    dmueller Posts: 8 Security Scout

    Hey Vad,

    I did - support ticket is xxxxxx - I will provide fsdiag data asap.

    Dirk

  • dmueller
    dmueller Posts: 8 Security Scout

    Hey Vad,

    I just sent a sample and result of fsdiag.

    Dirk

  • RmB
    RmB Posts: 23 Junior Protector

    Hi!

    It seems that our problem is the well-known mictray64.exe file. The new updated file is already deployed to our environment and DeepGuard should ignore this file, because we excluded it already.

    I really don't get why we keep getting these error messages.

  • Vad
    Vad Posts: 1,069 Cybercrime Crusader

    Hello everybody,

    We now have a fix for the whitelisting issue. It will be delivered over the channel in one to two weeks.

    If you want to try/take it in use now, please, contact support.

    Best regards,

    Vad

  • RmB
    RmB Posts: 23 Junior Protector

    Hi Vad,

    Great to hear that a fix is coming. I'd like to try whitelisting before the official channel update. Can you help me?

  • dmueller
    dmueller Posts: 8 Security Scout

    Hey RmB,

    We just sent a sample via https://www.f-secure.com/en/web/labs_global/submit-a-sample. Once our binaries were checked we enabled DeepGuard again; since then everything works like a charm :)

    Dirk

  • Rob-K
    Rob-K Posts: 33 Junior Protector

    @Vad wrote:

    We now have a fix for the whitelisting issue. It will be delivered over the channel in one to two weeks.

    Hello Vad,

    What does "over the channel" mean? Will the fix be delivered as an automatic update via AUA, or will it be a hotfix which needs to be pushed via Policy Manager?

    Kind regards

    Robert

  • Vad
    Vad Posts: 1,069 Cybercrime Crusader

    Hello RmB,

    No, unfortunately I can't provide binaries in the community. Please, communicate with our support.

    Best regards,

    Vad

  • Vad
    Vad Posts: 1,069 Cybercrime Crusader

    Hello Robert,

    As automatic update via AUA.

    Best regards,

    Vad

This discussion has been closed.