F-Secure PSB DataGuard not practically usable in low-tech environments, like public education?

etomcat

Dear Sirs,

I saw an apparent false blocking in FSAV PSB portal and reported it to the F-Secure Virus Lab as follows:

Ticket ID: xxxx

Date and time: 2019. feb. 22. 11:15:32

Customer: [a hungarian school]

Computer: [a desktop PC]

OS: Windows 10 64-bit, version 10.0.17763

User: [student's name]

Software: FSAV PSB Computer Protection Premium 19.1

Module: F-Secure DataGuard

File: C:\Windows\System32\PickerHost.exe

Target: C:\Users\Student\Pictures\f07_f4.jpg

Threat: reports.infections.types.ransomwareAccessControl

Action: Blocked

I asked the Lab to review the situation and make adjustments to the technology if necessary. I've just received this answer from them:

"With Access_Control_List and Discover_trusted_applications_automatically enabled in DataGuard, the feature does not trust by default:
C:\Windows\System32\svchost.exe
C:\Windows\System32\sihost.exe
C:\Windows\System32\PickerHost.exe

To workaround the issue, you can add the target path where the Windows process is working on, to the excluded folders in the Profile Editor at:
DataGuard > Manually defined folders > Excluded folders

Besides that, the application (for example, OneDrive, etc.) installed to the user directory is not trusted too. To workaround the issue, you can add the application path to the trusted applications in the Profile Editor at:
DataGuard > Access control list > Manually added trusted applications and folders"

I don't like this recommendation for a workaround. If the files in question are digitally signed and came from a reputable vendor (Microsoft) then why arent't they trusted automatically? I mean we cannot expect end-users like this primary school to have the skills for adding folder exclusions, etc. themselves and they don't have the money to employ security sysadmins.

The PSB system should work correctly by itself, because F-Secure is about automated solutions first and foremost, that's how and why it was sold to non-tech-savvy customers! I feel the technology should be tuned centrally by the vendor.

Thanks for your attention, Sincerely:
Tamas Feher, Hungary.

EDIT: Removed case number

Find more posts tagged with

Comments

etomcat

Dear F-Secure Virus Lab,

I would like to ask making "Dataguard" more intelligent, so that it does not need to rely on a myriad of manually configured exclusions to work properly.

Please observe the following incident, where PSB DG is apparently preventing the open-source Mozilla Thunderbird e-mail client from applying a hotfix on itself:

Date and time: 2019 August 09, 12:27:49

Customer: https://emea.psb.f-secure.com/#/c285931

Computer: https://emea.psb.f-secure.com/#/c285931/devices/computer/2431764

OS: Windows 10 64-bit, version 10.0.17134

Software: F-Secure PSB Computer Protection Premium client 19.5

Module: F-Secure DataGuard

File: C:\Users\telep\Desktop\PortOs\ThunderbirdPortable\App\Thunderbird\updater.exe

Target: C:\Users\telep\Desktop\PortOs\ThunderbirdPortable\App\Thunderbird\thunderbird.exe.update_in_progress.lock

Threat: Ransomware access control

Action: Blocked

I have reported that occurance or a very similar one in F-Secure Lab ticket xxxxxxx and received the usual response: "We would advise to add the application to the list of trusted applications under DataGuard".

I don't consider that a good workaround, as F-Secure protection now requires as much or more attention to work properly as it requires to be alert and not click "Open" or "Run" on ransomware threats.

What is the business case for antivirus protection then? Customers do expect automation and AI, since they have subscribed to the "cloud" based F-Secure PSB service taht promised them protection even without a sysadmin on hand.

Thanks for your kind attention, Sincerely:
Tamas Feher, Hungary.

EDIT: Removed Case number

etomcat

Dear Fedool,

I would like to ask for a review of F-secure Lab ticket xxxxxx, regarding Dataguard's blocking of Mozilla Thunderbird Updater. I got the usual answer from first-round lab support to manually add exclusions, but I feel Thunderbird is such a popular e-mail client that the issue should be fixed centrally by F-Secure.

Thanks in advance, Yours Sincerely:
Tamas Feher, Hungary.

etomcat

Dear Fedool,

I would like to ask for the review of another, curious and possibly false blocking action by F-Secure PSB DataGuard. (It happened recently in a special software and hardware environment, a hungarian school and dormitory for the deaf and hearing impaired youth.)

F-Secure Lab case number: xxxxx

Date and time: 2019. 04.23. 11:05:00

Customer: KzPTK Hallássérültek Óvodája, Általános Iskolája, Szakiskolája,
EGYMI és Kollégiuma
( https://emea.psb.f-secure.com/#/c282728 )

Computer: SZERETET-PC
( https://emea.psb.f-secure.com/#/c282728/devices/computer/2460239 )

OS: Windows 10 Professional 64-bit, version 10.0.17763

User: SZERETET-PC\Emőke

Software: F-Secure Computer Protection Premium 19.2

Module: DataGuard

File: C:\$Windows.~WS\Sources\SetupHost.exe

Target: C:\Users\Laci\Documents\Windows.iso

Threat: reports.infections.types.ransomwareAccessControl

Action: Blocked

Remote submission of FsDiag has been requested, unique ID:

xxxxx

I hope it would help fine-tuning F-Secure PSB Computer Protection.

Thanks in advance, Yours Sincerely:
Tamas Feher, 2F 2000 Kft., Hungary.

EDIT: Removed PII

etomcat

Dear Fedool,

I would like to ask for a review of the following, potentially Windows file related FSAV PSB CP security incident as spotted in a hungarian primary school:

Date and time: 03/25/2019 10:22:31 AM

Customer: https://emea.psb.f-secure.com/#/c282723

Computer:
https://emea.psb.f-secure.com/#/c282723/devices/computer/2603846

OS: Win10 Ent. 64-bit, version 10.0.17134

Software: F-Secure PSB Computer Protection Premium 19.2

Module: F-Secure DataGuard

File: C:\Windows\SysWOW64\dllhost.exe

Target: C:\Users\kri75\Pictures\Saját\2019. március 23 - Fotós tábor (török idők)\P90323-094531.jpg

Threat: reports.infections.types.ransomwareAccessControl

Action: Blocked

FSDIAG: remote creation has been requested, hope the local user will approve its submission. The related diagnostic ID is e166aec5-8d6f-4cee-9899-6f9d87030cb4.

Please see if the incident may have been a false blocking and whether the situation warrants a central exclusion?

Thanks in advance, Yours Sincerely:
Tamas Feher, 2F 2000 Kft., Budapest, Hungary.

etomcat

Dear Fedool,

Thanks for your quick action in the Windows Fax case!

I would like to ask for another lab-related intervention, however:

I use e-mails sent to "xxx@xxx.com" to submit false alarm reports. There I ususally quickly receive automatic answers with the ticket ID in them, but the human response with the re-evaluation verdict consistently takes a longer time to arrive, like 2-3 workdays.

It seems submitting malware detection cases via the webform on F-Secure's site results in a much quicker human response, often as soon as within 1-2 hours:
https://www.f-secure.com/en/web/labs_global/submit-a-sample

On the other hand, using the web form is difficult for me, since we need to keep track of what we submit (GDPR, etc.) That's easily achieved when using the e-mail venue, but the webform based method kinds of forgets the orignal submission, so when we recieve a response that doesn't show what the question I entered was, only the analyst's answer and verdict. That makes keeping track of submissions difficult.

Thus, I would like to ask that the above mentioned PARTNER sample submission e-mail address should be given at least equal priority in lab case processing, compared to the web-based submission method.

Thanks in advance, Yours Sincerely: Tamas Feher, Hungary.

EDIT: Removed Email address

fedool

Thank you for reporting this.

WFS.exe added to exclusions

etomcat

Dear Fedool,

Thanks for your quick response!

> Please add details here

The PSB SoP webportal reports the following incident:

Date and time: 03/18/2019 09:33:27 AM

Computer:
https://emea.psb.f-secure.com/#/c285931/devices/computer/2064347

OS: Win 8.1 Pro 64-bit, version 6.3.9600

Software: FSAV PSB Computer Protection Premium 19.2

Module: DataGuard

File: C:\Windows\System32\WFS.exe

Target: C:\Users\Ferencz Krisztina\Documents\Fax\Inbox\WelcomeFax.tif

Threat: reports.infections.types.ransomwareAccessControl

Action: Blocked

Thanks in advance, Yours Sincerely:
Tamas Feher, Hungary.

fedool

@etomcat wrote:
Dear Fedool,

I would like to ask if a DataGuard trust re-evaluation could also take place for the F-Secure lab ticket xxxx (theme: FSAV PSB CP19 blocks the operation of Windows 8 built-in fax).

Thanks in advance, Yours Sincerely:
Tamas Feher, Hungary.

I don't have access to this ticket so, most likely answer is "no". Please add details here

EDIT: Removed Case information (PII)

etomcat

Dear Fedool,

I would like to ask if a DataGuard trust re-evaluation could also take place for the F-Secure lab ticket xxxx (theme: FSAV PSB CP19 blocks the operation of Windows 8 built-in fax).

Thanks in advance, Yours Sincerely:
Tamas Feher, Hungary.

EDIT: Removed Case number

etomcat

Dear Fedool,

> We cannot add user paths to be trusted by everyone because they are in unprotected folder by default

I'd hope F-Secure could approach Microsoft Corp. with that problem and convince them to relocate the OneDrive program to a more systematic folder path, were Windows OS protections are available (so that 3rd party security software can better trust the cloud client).

Yours Sincerely: Tamas Feher, Hungary.

etomcat

Dear Fedool,

Thanks for your qick response!

I have posted a (tangentially related) new thread in the community's Partner forum section:

https://community.f-secure.com/t5/Exclusively-for/Need-quot-anti-flood-quot/td-p/115403

Yours Sincerely: Tamas Feher, Hungary.

fedool

We cannot add user paths to be trusted by everyone because they are in unprotected folder by default. Imagine that you don't have OneDrive - malware can then just create there folder with the same name and we will trust it.

But when admin configures this exclusion - she should know that OneDrive is installer to this location and can add it a bit more safely.

Yes, DeepGuard will detect and block all known injection attacks but promise ofa DataGuard feature is that it will protect your data no matter what, even if all other layers of protection are compromised or, for instance, there is no even persistent component on a system to detect. So, we need to be careful with exclusions there

etomcat

Dear Fedool,

Thanks for your quick response!

> OneDrive is installed in C:\Users\ and not protected - we cannot trust it by default ... I wonder if you could add it to the list of trusted apps yourself in profile?

But if it is too dangerous for F-Secure Corp. to trust, why should I add it as an exception and shift the responsibility upon me? (Note: I'm not the affected end user, I just see those events happening in the PSB SoP portal and the 650+ DataGuard blocking messages are flooding the malware detection list which summarizes a total of app. 5000 computers, thus making the recognition of e.g. false virus alarm occurances rather difficult among the noise.)

> malware can just inject there and do whatever it wants

I wonder if that should be prevented by DeepGuard? (F-Secure DeepGuard already injects a mini-DLL into processes, preventing other attacks.)

Best regards: Tamas Feher, Hungary.

fedool

OneDrive is installed in C:\Users\ and not protected - we cannot trust it by default.

Otherwise malware can just inject there and do whatever it wants.

I wonder if you could add it to the list of trusted apps yourself in profile?

etomcat

Dear Fedool,

Please also suggest a solution for "Onedrive.exe" related Dataguard events? One particular computer is spamming the PSB SoP portal with 655 (!) recent alerts for "reports.infections.types.ransomwareAccessControl" regarding Onedrive and .docx files, as seen here:

https://emea.psb.f-secure.com/#/c282728/devices/computer/2475086

The use of cloud is gaining importance and some kind of by default solution is needed.

Thanks in advance, Yours Sincerely: Tamas Feher, Hungary.

etomcat

Dear Fedool,

> we will add sihost.exe and PickerHost.exe to exclusions

Thank you for the response and the solution offered!

I would also like to ask if the Microsoft OneDrive online storage service agent's trust status could be revised as well, since the adoption of "cloud-based" solutions is accelerating?

I mean frequently recurring incidents like this, where e.g. a description of imaginary city sightseeing in ancient Rome isn't approved by F-Secure Dataguard:

Computer: https://emea.psb.f-secure.com/#/c282728/devices/computer/2475086

OS: Windows 10 64-bit, version 10.0.17134

Software: F-Secure PSB Computer Protection Premium 19.1

Module: DataGuard

Date and time: 2019.02.28. 10:04:51
File: C:\Users\user.name.HT\AppData\Local\Microsoft\OneDrive\OneDrive.exe
Target: C:\Users\user.name.HT\OneDrive\Dokumentumok\5.o töri\Városnézés az ókori Rómában.docx
Threat: reports.infections.types.ransomwareAccessControl
Action: Blocked

Date and time: 2019.02.11. 10:05:54
File: C:\Users\user.name.HT\AppData\Local\Microsoft\OneDrive\OneDrive.exe
Target: C:\Users\user.name.HT\OneDrive\Dokumentumok\5.o töri\Ókori Róma (Automatikusan mentett).doc
Threat: reports.infections.types.ransomwareAccessControl
Action: Blocked

Thanks in advance, Yours Sincerely:
Tamas Feher, 2F 2000 Kft., Hungary.

fedool

We have reviewed these apps and we will add sihost.exe and PickerHost.exe to exclusions.

Thank you

fedool

Hello,

Thank you for feedback.

Main point of dataguard protection is to protect your files. It's not about recognizing if the application which changes your file is trusteable or not. We know that some ransomwares inject into legit signed apps and do encryption of your files. If we would just trust everything what is correctly signed - we would not protect you from that.

But if we would not trust anything - it would create lot of false positives so we have a list of whitelisted apps. And PickerHost.exe is currently not there.

We will recheck again if we can trust PickerHost.exe