Protection for CVE-2021-40444

memika · 2021-09-08T10:11:50+00:00

There was an error rendering this rich post.

I would like to know the moment F-Secure Elements Endpoint Protection and Client Security has protection for CVE-2021-40444. Recommended registry changes have been set up using GPO, but it takes time and needs workstation reboot.Since F-Secure is installedhe default MS Defender is disabled, defender has protection for this.

Find more posts tagged with

Accepted answers

gancal

@JohnWick , thanks for raising it up and we definitely understand your concern regarding missing detection.

Rest assured, I can verify and confirm that the file you linked is currently detected by us as Malware.W97M/Dldr.Agent.vvwhk.

While VirusTotal is a good tool to get an indicator of the status of a sample, the way VirusTotal integrates scanning engine from different vendors does at times produce varying results. In F-Secure's case (and for most vendor), a static signature based scanner was implemented in their backend to scan for samples. The frequency of VirusTotal fetching our database update is dependent on their implementation and we have no control over that. This often times resulted in varying detection status from various vendors.

VirusTotal has also written a blog on why their site should not be used to compare vendor performance which you can find it here: https://support.virustotal.com/hc/en-us/articles/115002094589-Why-do-not-you-include-statistics-comparing-antivirus-performance-

I hope the above explains why our detection name is not appearing in VirusTotal's scan result. Feel free to let me know if you have more concerns.

Regards,

Calvin Gan

All comments

JohnWick

Ok, good. Thank you Calvin!

gancal

@JohnWick , thanks for raising it up and we definitely understand your concern regarding missing detection.

Rest assured, I can verify and confirm that the file you linked is currently detected by us as Malware.W97M/Dldr.Agent.vvwhk.

I hope the above explains why our detection name is not appearing in VirusTotal's scan result. Feel free to let me know if you have more concerns.

Regards,

Calvin Gan

memika

Microsoft updated the original artickle, so I just added more Group Policy Settings (Preferences, Registry) for the HKEY_CLASSES_ROOT part. I keep these applied until MS patch is applied, which might not catch next weeks patch tuesday, will see.

JohnWick

According to Virustotal F-Secure does not detect this: https://www.virustotal.com/gui/file/938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52/detection

This worries me a lot. Like really a lot.

gancal

Hi @memika ,

Good day to you and thanks for reaching out!

While specific information regarding the exploitation of CVE-2021-40444 is still being investigated, we have ascertained that our Capricorn engine in Endpoint Protection products is able to detect known malicious samples in-the-wild with the detection name Malware.W97M/Dldr.Donoff.xxxxx or Malware.W97M/Dldr.Agent.xxxxx. At the same time, our Security Cloud is able to detect these malicious samples as well if it is enabled. Detection name will end with !Online if it's detected through Security Cloud.

These detection should already prevent the malicious document files from being executed. Hope this clarifies your concern.

Regards,

Calvin Gan

Tactical Defense Unit

LomM

Bump.