To stay updated on your favorite discussions, please create an account or log in. Then, click the Bookmark icon to subscribe and receive notifications.

Lack of SHA-1 checksum on certain malware alert in the webportal

etomcat
etomcat Posts: 1,172 Firewall Master

Dear F-Secure,

 

I would like to repeatedly request that PSB endpoints should report the SHA-1 checksum on every malware alert to the webportal. Currently only Deepguard module based detections provide a checksum in F-Secure alerts, but traditional virus detection module based alerts do not. Let me explain why that asymmetry is a serious problem:

 

- Sometimes I see alerts like these in the PSB portal and think they may be false alarms:

 

File: ...blahblah...\c-project\2\20190531\bin\Debug\20190531\2.exe
Hash: c6da49a63d096f2515f0a3ce920f5be0a6980ff7
Threat: Suspicious:W32/Malware!DeepGuard.n

 

Here I can use the Hash as a clue to start searching e.g. in VirusTotal webportal to find a sample that matches the SHA-1 value exactly. If I find one, I can report the case to F-Secure Virus Lab and they can fix the false malware detection. Thismethod works well.

 

- Sometimes I see alerts like these in the PSB portal and think they may be false alarms:

 

File: ...blahblah...\Browny02\Brother\BrStMonW.exe

Threat: Heuristic.HEUR/AGEN.1019626

 

Here I see no Hash value to start searching for, so I cannot find an exact sample match to report. Searching for the file name is not possible in Virustotal and even if I find a file with that name elsewhere, it is ususally a different minor version of the same software, so it cannot be used to reproduce the false malware alert event and I cannot report the case to F-Secure Virus Lab to have it fixed.

 

Due to the lack of hash info in so many malware alerts (many of them obvious false alerts on the fist sight), I often feel helpless, as I would like to have them fixed by the FSC virus lab but can't find a way to submit them in a usable manner.

 

Please consider if anything could be done to alleviate this siuation!

 

Thanks in advance, Yours Sincerely:
Tamas Feher, 2F 2000 Kft., Hungary.

 

EDIT: Title

Comments

  • Sandor
    Sandor Posts: 3 Security Scout

    I ran into a similar problem.. I translated a previously compiled program again with Delphi 10.1 and got the following error: Heuristic.HEUR / AGEN.1042929

    Sincerely: Sandor

  • etomcat
    etomcat Posts: 1,172 Firewall Master

    Hello,

     

    > translated a previously compiled program again with Delphi 10.1 and got the following error: Heuristic.HEUR / AGEN.1042929

     

    Please do this:

     

    - Upload the affected program file to "www.virustotal.com" (that website is run by Google)

     

    - When you see the virus scanner detection results, there will be a "Details" tab

     

    - Tell us the "SHA-1" value written there, something similar to: e33a0247f0ed3635a12a4927a6380308e430fe04

     

    This allows us to report the false malware alarm for fixing.

     

    Best regards: Tamas Feher, 2F 2000 Kft., Budapest.

  • Sandor
    Sandor Posts: 3 Security Scout

    Hi etomcat!

    SHA-1: fdeaf9713b68cd5e921a72b41fbe23550d0d6dd9

     

    Thanks and best regards,

    Sándor

  • etomcat
    etomcat Posts: 1,172 Firewall Master

    Hello Sandor

     

    This morning I've opened case ticket xxxxxxxx with the FSC virus analysis lab and currently waiting for their response.

     

    Best regards: Tamas Feher.

     

    Edit: Removed case number

  • etomcat
    etomcat Posts: 1,172 Firewall Master

    Hello Sandor,

    F-Secure viruslab sent the following ticket response on Friday morning:

     

    "Our analysis has found that the file you submitted is clean.
    We have identified the issue as a False Positive, which will be resolved automatically via F-Secure's Security Cloud.
    In the meantime, you may exclude this file from further scanning by using the following instructions:

     

    F-Secure Home Security products:

    https://community.f-secure.com/t5/F-Secure-SAFE/How-do-I-exclude-a-file-or/ta-p/56363

     

    F-Secure Business Security products:

    https://community.f-secure.com/t5/Business/Excluding-objects-from-Real-Time/ta-p/66013

     

    Best regards,
    F-Secure Customer Protection"

  • Sandor
    Sandor Posts: 3 Security Scout

    Thanks,

    I think that due to platform problem this error came out, it is produced by Delphi Vcl.FileCtrl Components, like FileListBox, DirectoryListBox, DriveComboBox, ...

    Regards,

    Sandor

This discussion has been closed.

Categories