
Lack of SHA-1 checksum on certain malware alert in the webportal

etomcat
etomcat W/ Alumni Posts: 1,172 Firewall Master

Dear F-Secure,

I would like to repeatedly request that PSB endpoints should report the SHA-1 checksum on every malware alert to the webportal. Currently only DeepGuard module based detections provide a checksum in F-Secure alerts, but traditional virus detection module based alerts do not. Let me explain why that asymmetry is a serious problem:

- Sometimes I see alerts like these in the PSB portal and think they may be false alarms:

File: ...blahblah...\c-project\2\20190531\bin\Debug\20190531\2.exe
Hash: c6da49a63d096f2515f0a3ce920f5be0a6980ff7
Threat: Suspicious:W32/Malware!DeepGuard.n

Here I can use the Hash as a clue to start searching, e.g. in the VirusTotal webportal, to find a sample that matches the SHA-1 value exactly. If I find one, I can report the case to F-Secure Virus Lab and they can fix the false malware detection. This method works well.

- Sometimes I see alerts like these in the PSB portal and think they may be false alarms:

File: ...blahblah...\Browny02\Brother\BrStMonW.exe
Threat: Heuristic.HEUR/AGEN.1019626

Here I see no Hash value to start searching for, so I cannot find an exact sample match to report. Searching for the file name is not possible in VirusTotal, and even if I find a file with that name elsewhere, it is usually a different minor version of the same software, so it cannot be used to reproduce the false malware alert event and I cannot report the case to F-Secure Virus Lab to have it fixed.

Due to the lack of hash info in so many malware alerts (many of them obvious false alerts at first sight), I often feel helpless, as I would like to have them fixed by the FSC virus lab but can't find a way to submit them in a usable manner.

Please consider if anything could be done to alleviate this situation!

Thanks in advance, Yours Sincerely:
Tamas Feher, 2F 2000 Kft., Hungary.

EDIT: Title

Comments

  • Sandor
    Sandor W/ Alumni Posts: 3 Security Scout

    I ran into a similar problem. I translated a previously compiled program again with Delphi 10.1 and got the following error: Heuristic.HEUR / AGEN.1042929

    Sincerely: Sandor

  • etomcat
    etomcat W/ Alumni Posts: 1,172 Firewall Master

    Hello,

    > translated a previously compiled program again with Delphi 10.1 and got the following error: Heuristic.HEUR / AGEN.1042929

    Please do this:

    - Upload the affected program file to "www.virustotal.com" (that website is run by Google)

    - When you see the virus scanner detection results, there will be a "Details" tab

    - Tell us the "SHA-1" value written there, something similar to: e33a0247f0ed3635a12a4927a6380308e430fe04

    This allows us to report the false malware alarm for fixing.

    Best regards: Tamas Feher, 2F 2000 Kft., Budapest.
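A worked version of the hash-reporting workflow from the original post and the steps just above, added here as an example (it is not F-Secure's code nor the poster's): it parses alert text in the File/Hash/Threat shape quoted in the thread, keeps the portal hash where DeepGuard supplied one, and computes the SHA-1 locally where a heuristic alert omitted it. The alert text and paths are constructed samples; the flagged file must still be present on the endpoint (not yet quarantined) for the local hash to be computed.

```python
import hashlib
import re
from pathlib import Path

# Constructed sample in the shape of the portal alerts quoted in this thread;
# paths are hypothetical and the second alert has no Hash line (heuristic case).
SAMPLE_ALERTS = """\
File: C:\\work\\c-project\\2\\20190531\\bin\\Debug\\20190531\\2.exe
Hash: c6da49a63d096f2515f0a3ce920f5be0a6980ff7
Threat: Suspicious:W32/Malware!DeepGuard.n

File: C:\\Program Files\\Browny02\\Brother\\BrStMonW.exe
Threat: Heuristic.HEUR/AGEN.1019626
"""
FIELD_RE = re.compile(r"^(File|Hash|Threat):\s*(.*)$")

def parse_alerts(text: str) -> list:
    """One dict per alert (lower-case keys); alerts are separated by a blank line."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = (FIELD_RE.match(line.strip()) for line in block.splitlines())
        alerts.append({m.group(1).lower(): m.group(2).strip() for m in fields if m})
    return alerts

def sha1_of_file(path: Path) -> str:
    """Stream the file in 1 MiB chunks so large binaries are not read at once."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def complete_alert(alert: dict) -> dict:
    """Copy of the alert with 'hash' and 'hash_source' filled in.
    Portal hash present: keep it and, if the file is still on disk, check that it
    still matches (a rebuilt binary must not be reported under the old alert's hash).
    No portal hash: compute SHA-1 locally; file gone (quarantined/deleted): say so."""
    out = dict(alert)
    path = Path(out.get("file", ""))
    on_disk = path.is_file()
    if out.get("hash"):
        out["hash_source"] = "portal"
        out["disk_matches"] = (sha1_of_file(path) == out["hash"].lower()) if on_disk else None
    elif on_disk:
        out["hash"], out["hash_source"] = sha1_of_file(path), "computed"
    else:
        out["hash"], out["hash_source"] = None, "file not found"
    return out
```

The computed SHA-1 is what the virus lab needs in a ticket; a `disk_matches` of False means the file on disk is no longer the one that raised the alert, so its hash should not be attached to that alert.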

  • Sandor
    Sandor W/ Alumni Posts: 3 Security Scout

    Hi etomcat!

    SHA-1: fdeaf9713b68cd5e921a72b41fbe23550d0d6dd9

    Thanks and best regards,

    Sándor

  • etomcat
    etomcat W/ Alumni Posts: 1,172 Firewall Master

    Hello Sandor,

    This morning I've opened case ticket xxxxxxxx with the FSC virus analysis lab and am currently waiting for their response.

    Best regards: Tamas Feher.

    Edit: Removed case number

  • etomcat
    etomcat W/ Alumni Posts: 1,172 Firewall Master

    Hello Sandor,

    F-Secure virus lab sent the following ticket response on Friday morning:

    "Our analysis has found that the file you submitted is clean.
    We have identified the issue as a False Positive, which will be resolved automatically via F-Secure's Security Cloud.
    In the meantime, you may exclude this file from further scanning by using the following instructions:

    F-Secure Home Security products:

    https://community.f-secure.com/t5/F-Secure-SAFE/How-do-I-exclude-a-file-or/ta-p/56363

    F-Secure Business Security products:

    https://community.f-secure.com/t5/Business/Excluding-objects-from-Real-Time/ta-p/66013

    Best regards,
    F-Secure Customer Protection"

  • Sandor
    Sandor W/ Alumni Posts: 3 Security Scout

    Thanks,

    I think this error came out due to a platform problem; it is produced by Delphi Vcl.FileCtrl components, like FileListBox, DirectoryListBox, DriveComboBox, ...

    Regards,

    Sandor
