
Self-false alarm in F-Secure PSB "Software Updater" subsystem hits new 32/64-bit versions of Firefox

etomcat
etomcat Posts: 1,172 Firewall Master

Dear Sirs,

 

I am seeing the below quoted, curious malware alerts in the F-Secure PSB EMEA "SoP" webportal. I have reported them to F-Secure Virus Lab as cases xxx and xxx and they are asking for samples in response. I find that request bizarre, considering that F-Secure Corp. itself is distributing these files on which the FSAV false alerts occur...

 

OS: Win 10 Pro 64-bit, version 10.0.17763

Software: F-Secure PSB Computer Protection client 19.3

File: C:\ProgramData\F-Secure\swup2\working\deployer\Patches\Firefox Setup 67.0.2_x86_HUN.exe

Hash: 011defa74d030fadcf7773134d984e8247c673f1

Threat: Suspicious:W32/Malware!DeepGuard.pg

Action: Blocked

 

***************************

 

OS: Win 10 Ent 64-bit, version 10.0.17134

Software: F-Secure PSB Computer Protection Client 19.3

File: C:\ProgramData\F-Secure\swup2\working\deployer\Patches\Firefox Setup 67.0.2_x64_HUN.exe

Hash: d2985a9181d31b3df4063292d89477216a0bf086

Threat: Suspicious:W32/Malware!DeepGuard.pg

Action: Blocked

 

Please review the situation if possible, because there is no way I could obtain binary file samples from those PSB endpoints: they are located in some Hungarian school in the countryside, but I don't even know where exactly geographically, I don't have remote desktop access to them, and FSAV PSB doesn't yet support remote sample submission.

 

Thanks in advance, Yours Sincerely:
Tamas Feher, 2F 2000 Kft., Hungary.

 

EDIT: Removed Case numbers

Comments

  • fedool
    fedool Posts: 162 Threat Terminator

    Hello,

     

    Thanks for reporting this. We will find the samples and send them to analysts.

     

    Note that F-Secure does not distribute these updates. We download them from vendor sites and have no way to verify whether they will be flagged as false positives before that happens. This is especially true for DeepGuard, which analyses events from the running application rather than just scanning the file.

    DeepGuard detections are often based on the rarity of files, and if you are the first one seeing this update, then it's rare and DeepGuard treats it as suspicious. I assume the signing for these updates has also somehow changed, so it's not trusted and the detection is triggered on system modification.

  • etomcat
    etomcat Posts: 1,172 Firewall Master

    Dear Fedool,

     

    Thanks for your super-quick response!

     

    > I assume signing for these updates is also somehow changed

     

    There was a minor scandal recently where one of Mozilla Firefox's certificates expired (it wasn't renewed in time) and all browser extensions were disabled as a result. They had to issue a new emergency cert because of it. The incident was discussed here:

     

    https://community.f-secure.com/t5/Business/Mozilla-org-s-big-mess-up-with/td-p/116847

     

    Yours Sincerely: Tamas Feher, Hungary.

This discussion has been closed.
