Dear F-Secure,
I would like to repeatedly request that PSB endpoints should report the SHA-1 checksum on every malware alert to the webportal. Currently only Deepguard module based detections provide a checksum in F-Secure alerts, but traditional virus detection module based alerts do not. Let me explain why that asymmetry is a serious problem:
- Sometimes I see alerts like these in the PSB portal and think they may be false alarms:
File: ...blahblah...\c-project\2\20190531\bin\Debug\20190531\2.exe
Hash: c6da49a63d096f2515f0a3ce920f5be0a6980ff7
Threat: Suspicious:W32/Malware!DeepGuard.n
Here I can use the Hash as a clue to start searching e.g. in VirusTotal webportal to find a sample that matches the SHA-1 value exactly. If I find one, I can report the case to F-Secure Virus Lab and they can fix the false malware detection. Thismethod works well.
- Sometimes I see alerts like these in the PSB portal and think they may be false alarms:
File: ...blahblah...\Browny02\Brother\BrStMonW.exe
Threat: Heuristic.HEUR/AGEN.1019626
Here I see no Hash value to start searching for, so I cannot find an exact sample match to report. Searching for the file name is not possible in Virustotal and even if I find a file with that name elsewhere, it is ususally a different minor version of the same software, so it cannot be used to reproduce the false malware alert event and I cannot report the case to F-Secure Virus Lab to have it fixed.
Due to the lack of hash info in so many malware alerts (many of them obvious false alerts on the fist sight), I often feel helpless, as I would like to have them fixed by the FSC virus lab but can't find a way to submit them in a usable manner.
Please consider if anything could be done to alleviate this siuation!
Thanks in advance, Yours Sincerely:
Tamas Feher, 2F 2000 Kft., Hungary.
EDIT: Title
