How to exclude a program in Deepguard?

Jaro
Jaro Posts: 21 Security Scout

Hi

We use Policy Manager 10 and CS 9.x versions.

F-Secure Client Security 9.x DeepGuard is suddenly detecting Dameware as a dangerous application. How can I exclude Dameware from DeepGuard scanning? I still want DeepGuard to be enabled.

Comments

  • Jouni
    Jouni Posts: 30 Threat Terminator

    Hi Jaro,

    As you are using Policy Manager, you can add the executable file's SHA-1 hash as trusted in Policy Manager's DeepGuard Applications table.

    This table can be found in Policy Manager Console in advanced mode:
    F-Secure DeepGuard -> Settings -> Applications

  • MJ-perComp
    MJ-perComp Posts: 669 Firewall Master

    Please also submit the file to analysis.f-secure.com

    After the FA has been fixed you may remove the exclusion again.

    BR

  • Jaro
    Jaro Posts: 21 Security Scout

    I did that a few years ago, but now it does not seem to work. Can I use the hash that is shown in the alert? This is just an example for aboapaivitys.exe:

    Application was blocked. This was determined to be a high-risk application by system control heuristics.

    Application path: \\?\c:\aboa\aboapaivitys.exe File hash: 91d3a2b45db6931a4e603dde11ef5484837ce475

  • MJ-perComp
    MJ-perComp Posts: 669 Firewall Master

    YES, use that hash!

    But I think that DG also obeys the realtime scanning excludes! At least with FSCS9.31...

    BR

  • etomcat
    etomcat Posts: 1,172 Firewall Master

    The problem with using a CRC/SHA-1/MD-5 checksum for exclusion is that the IBM-compatible PC is a "von Neumann" type platform, therefore self-modifying executable code is perfectly legal. One cannot legitimately expect that only malware will use self-modifying code, thus checksums start to change and become unusable.

    The best thing is to have the executable receive a digital signature from the software vendor and F-Secure virus lab will grant a generic exclusion for that crypto signature, if the vendor is truly reputable. (But maybe this reputation method may not work now, thanks to the guys who wrote Stuxnet/Duqu?)

  • MJ-perComp
    MJ-perComp Posts: 669 Firewall Master

    Signing software requires that the file that is signed does NOT change!
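
Added example, not part of the original thread and not F-Secure code: a Python check for the affected workstation that parses alert text in the format quoted above, hashes the file on disk, and reports whether the SHA-1 values already entered for that program no longer match it. The function names, result labels and the hand-copied list of trusted hashes are assumptions made for this example.

```python
import hashlib
import re
from pathlib import Path

# Field layout taken from the DeepGuard alert text quoted in the thread.
ALERT_RE = re.compile(
    r"Application path:\s*(?P<path>.+?)\s+File hash:\s*(?P<sha1>[0-9a-fA-F]{40})\b"
)

def parse_alert(text):
    """Return (path, sha1) from alert text; raise ValueError if absent."""
    m = ALERT_RE.search(text)
    if not m:
        raise ValueError("no 'Application path' / 'File hash' pair found")
    path = m.group("path")
    if path.startswith("\\\\?\\"):  # drop the Win32 long-path prefix \\?\
        path = path[4:]
    return path, m.group("sha1").lower()

def sha1_of_file(path, chunk=1 << 20):
    """SHA-1 of a file, read in chunks so large installers are fine."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_exclusion(alert_text, trusted_for_app, file_path=None):
    """Say why a hash exclusion does or does not cover the blocked file.

    trusted_for_app: SHA-1 values already entered for this program
    (assumption: copied by hand from the Applications table).
    file_path overrides the path in the alert, e.g. for a copied sample.
    """
    path, alert_hash = parse_alert(alert_text)
    trusted = {h.strip().lower() for h in trusted_for_app}
    target = Path(file_path or path)
    if not target.is_file():
        return "file-missing"
    if sha1_of_file(target) != alert_hash:
        return "file-changed-since-alert"   # use the newest alert instead
    if alert_hash in trusted:
        return "already-trusted"            # hash is in the list
    return "stale-exclusion" if trusted else "not-trusted"

if __name__ == "__main__":
    import sys
    # Usage: script.py <alert.txt> [known-sha1 ...]
    print(check_exclusion(Path(sys.argv[1]).read_text(), sys.argv[2:]))
```

A result of `stale-exclusion` means the program was trusted under an older hash and the binary has since changed, so the hash from the current alert has to be added.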

This discussion has been closed.