
DeepGuard Issue (false positive)

zwp-secure
zwp-secure W/ Member Posts: 24 Cyber Knight

Hi there,

Since the update to WithSecure 16, DeepGuard sends strange alerts to our admins like this one:

Sicherheitsalarm: DeepGuard hat eine verdächtige Anwendung angehalten, die versucht hat, geschützte Dateien zu ändern.
Von: XXX,
2024-01-10 10:42:43 +01:00
Details: DeepGuard hat eine verdächtige Anwendung angehalten, die versucht hat, geschützte Dateien zu verändern.
Anwendungspfad: C:\Windows\System32\msiexec.exe
Datei-Hash: 32b8b2e3b3ecd8e194ace65a5e5052c326d7ccaa
Erkennung: Suspicious:W32/SuspiciousMsiPackage.A!DeepGuard
Seltenheit: Unknown
Reputation: Unknown
Prozess-ID: 19788
Benutzername: XXX

This happens every time someone executes a random software setup package directly from an SMB share. When the same package is executed from your local hard drive instead, the alarm does not appear. What could be the cause here?

Answers

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 525 Moderator

    Hi @zwp-secure

    Thank you for reaching out to WithSecure Community and sorry to hear that you are receiving the False Positive detection on SMB share.

    Can you please submit a sample of the file, and WSDiag logs, using the below link, so our detection team can investigate further?

    https://www.withsecure.com/en/submit-a-sample

  • zwp-secure
    zwp-secure W/ Member Posts: 24 Cyber Knight

    Hi,

    OK, I'll have to wait until it occurs again. Or maybe you fixed it in the meantime ;-)

  • zwp-secure
    zwp-secure W/ Member Posts: 24 Cyber Knight

    Occurred & then submitted the MSI file today!

  • zwp-secure
    zwp-secure W/ Member Posts: 24 Cyber Knight

    Happened again…

    Sicherheitsalarm: DeepGuard hat eine verdächtige Anwendung angehalten, die versucht hat, geschützte Dateien zu ändern.
    Von: XXX, 2024-02-07 10:21:12 +01:00
    Details: DeepGuard hat eine verdächtige Anwendung angehalten, die versucht hat, geschützte Dateien zu verändern.
    Anwendungspfad: C:\Windows\System32\msiexec.exe
    Datei-Hash: 32b8b2e3b3ecd8e194ace65a5e5052c326d7ccaa
    Erkennung: Suspicious:W32/SuspiciousMsiPackage.A!DeepGuard
    Seltenheit: Unknown
    Reputation: Unknown
    Prozess-ID: 12416
    Benutzername: XXX

  • zwp-secure
    zwp-secure W/ Member Posts: 24 Cyber Knight

    It turned out that it happens EVERY TIME you try to execute an MSI package from an SMB share. It's the msiexec.exe that is handled as a false positive.

    Still, when executing the same package from the local hard drive, everything runs fine.
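An added Python example, not from this thread or from WithSecure, that parses notifications in the format quoted above and flags the pattern this post describes: the same binary and detection name stopped repeatedly under different process IDs. The field names are the German labels from the quoted alerts; the sample input is constructed from the two notifications in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: the two DeepGuard notifications quoted in this thread, with the
# "Details:" and "Seltenheit:/Reputation:" lines dropped and "XXX" placeholders kept.
SAMPLE = """\
Sicherheitsalarm: DeepGuard hat eine verdächtige Anwendung angehalten, die versucht hat, geschützte Dateien zu ändern.
Von: XXX,
2024-01-10 10:42:43 +01:00
Anwendungspfad: C:\\Windows\\System32\\msiexec.exe
Datei-Hash: 32b8b2e3b3ecd8e194ace65a5e5052c326d7ccaa
Erkennung: Suspicious:W32/SuspiciousMsiPackage.A!DeepGuard
Prozess-ID: 19788
Benutzername: XXX
Sicherheitsalarm: DeepGuard hat eine verdächtige Anwendung angehalten, die versucht hat, geschützte Dateien zu ändern.
Von: XXX, 2024-02-07 10:21:12 +01:00
Anwendungspfad: C:\\Windows\\System32\\msiexec.exe
Datei-Hash: 32b8b2e3b3ecd8e194ace65a5e5052c326d7ccaa
Erkennung: Suspicious:W32/SuspiciousMsiPackage.A!DeepGuard
Prozess-ID: 12416
Benutzername: XXX
"""

# The timestamp may sit on its own line (first alert) or on the "Von:" line (second alert).
TIMESTAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{2}:\d{2}")
FIELD_RE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")

def parse_alerts(text):
    """Split notification text into one dict per alert; each alert starts at 'Sicherheitsalarm:'."""
    alerts, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Sicherheitsalarm:"):
            current = {}
            alerts.append(current)
        if current is None:
            continue  # ignore anything before the first alert header
        if ts := TIMESTAMP_RE.search(line):
            current["timestamp"] = ts.group(0)
        if m := FIELD_RE.match(line):
            current[m.group(1)] = m.group(2)
    return alerts

def recurring_detections(alerts):
    """Group by (application path, file hash, detection) and return the sorted timestamps of
    groups that fired under more than one process ID, i.e. a recurring stop of the same binary."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a.get("Anwendungspfad"), a.get("Datei-Hash"), a.get("Erkennung"))].append(a)
    return {k: sorted(a["timestamp"] for a in v)
            for k, v in groups.items() if len({a["Prozess-ID"] for a in v}) > 1}
```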

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 525 Moderator

    Hi @zwp-secure

    Sorry to hear you are still experiencing the false positive on SMB share, but not local drive.

    I checked with our detection team. Please submit a WSDiag log and case so they can investigate further as whitelisting will not work in this scenario.

  • zwp-secure
    zwp-secure W/ Member Posts: 24 Cyber Knight

    Hi James,

    Of the server or the client? Where should I upload it?

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 525 Moderator

    Hi @zwp-secure

    You may upload the logs from SMB server and affected client to our Submit-a-Sample.

  • zwp-secure
    zwp-secure W/ Member Posts: 24 Cyber Knight

    OK, I uploaded the client's file. As the server log is 350 MB, I uploaded it via FTP.

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 525 Moderator

    Hi @zwp-secure,

    Thanks for submitting the file.

    Our detection team shall continue all communication from your case # 051xxxx8