FSCS DeepGuard ignores hashes

Hi there,

after deploying FSPM 13/FSC 13 all workstations experience deep guard warnings when opening executables which are allowed by PM. The hashes are correct but FSCS seems to ignore them:

Here are the most recent alerts (120) from Policy Manager:

Security alert: Malware blocked
From: XXXXXXXXXXXXXXX, 2017-11-03 10:52:34 +01:00
Details: Action by malware was blocked. Malware path: \xxx\xxxx\xxxxxx.exe File hash: 643a2495c509e842885091b918a74b772d64c336

This email was automatically generated by F-Secure Policy Manager. Please do not reply to this message.

FSPM

SHA-1-Hash Hinweise Vertrauenswürdig Aktiviert
643a2495c509e842885091b918a74b772d64c336 xxxxx.exe Ja Ja

Can you help us with that?

Regards,

Dirk

Find more posts tagged with

Comments

Hello Robert,

As automatic update via AUA.

Best regards,

Vad

Hello RmB,

No, unfortunately I can't provide binaries in the community. Please, communicate with our support.

Best regards,

Vad

@Vad wrote:
We now have a fix for the whitelisting issue. It will be delivered over the channel in one-two weeks.

Hello Vad,

what does "over the channel" mean? Will the fix be delivered as automatic update via AUA or will it be a hotfix, which needs to be pushed via Policy Manager?

Kind regards

Robert

Hey RmB,

we just sent a sample via https://www.f-secure.com/en/web/labs_global/submit-a-sample. Once our binaries were checked we enabled deep guard again - since then everything works like a charm:)

Dirk

Hi Vad

Great to hear that fix is coming. I'd like to try whitelisting before official channel udate. Can you help me?

Hello everybody,

We now have a fix for the whitelisting issue. It will be delivered over the channel in one-two weeks.

If you want to try/take it in use now, please, contact support.

Best regards,

Vad

Hi!

It seems, that our problem is well known mictray64.exe file. New updated file is already deployed to our enviroment and deepguard should ignore this file, because we excluded it already.

Really don't get it why we keep getting these error messages.

Hey Vad,

I just sent a sample and result of fsdiag.

Dirk

Hey Vad,

I did - support ticket is xxxxxx - I will provide fsdiag data asap.

Dirk

Hello Dirk and RmB,

Did you already happen to provide diagnostic information to support for investigation? As I already mentioned, unfortunately, we can't reproduce this problem, and need your help to continue.

Best regards,

Vad

Hello,

Submit sample here so virus lab crew can fix the false alarm centrally:

https://www.f-secure.com/en/web/labs_global/submit-a-sample

You will struggle for ever with the problem if you don't do that.

(Some apps modify themselves while running so the checksum changes. These are not possible to exclude statically via hash and the only fix is to modify the scan logic to avoid the false alarm in the first place.)

Best Regards: Tamas Feher, Hungary.

HI,

Same problem here with deepguard.

Hi Dirk,

I have the same problem with dg and some more, look at my post 1 over yours...

LG

Martin

Hello Dirk,

Normally allowed applications should not be blocked in version 13.

Please, contact support. We will need diagnostic information from affected client machine for investigation.

Best regards,

Vad

Quick Links