Unwanted "System modification attempt" when deploying software with SCCM
We are currently working on a Win7 image for our workstations, using SCCM to deploy software and manage the workstations. One of the testers is repeatedly getting the "System modification attempt" from Client Security 9.11 when he tries to install software.
I have excluded the path "*\\windows\\syswow64\\*" from the real time scanner, but still he gets the S.m.a. messages when installing programs and browser plugins. I have a feeling the exclusion is unnecessary, but they wanted the exclusion to try to avoid too many sysmod alerts.
One typical message when trying to install an advertised program says:
Windows Host Process (rundll32.exe)
Rating: Neutral
Location: C:\Windows\syswow62\rundll32.exe
Operation: Attempt to manipulate a protected process.
Target: C:\Program Files (x86)\F-Secure\common\fsm32.exe
When installing a program through Control Panel - Get Programs, he gets:
Windows Explorer
Rating: Neutral
What should be done?
o I Trust the program
o I do not trust...
Location: C:\Windows\explorer.exe
Operation: Attempt to manipulate a protected process.
Target: C:\Program Files (x86)\F-Secure\common\fsm32.exe
In the Management Console I have enabled DeepGuard with the setting "Ask When Case is Unclear" and I have also enabled "Use server queries to improve...". Advanced process monitoring is not enabled.
I could use the setting "Do not ask", but have been reluctant to do so. Is there another way around the problem except using "Do not ask"? If so, how? Any clues to how to get rid of (to us) false alarms without using the no questions asked alternative?
Thanks in advance!
Comments
-
Hello Popey ( did you eat a lot of spinach as a child?! )
I don't think that this alert is a false alert. I guess the rundll32.exe wants to write to the hard disk because of an install. If you enabled real-time scanning, the FSSM32.exe will scan every activity on your hard disk except in folders you exclude. The Windows Host Process is one of the "root" services from Windows, so many tasks will be started by this service.
You can try to add the desired installation folder to the exclude list. In our company I did the same for the Visual Studio compile folders.
Btw: I get the same error while installing / uninstalling software which puts files into the Windows folder.
If I get it right, you are developing self-made software for your testers. The "Use server queries to improve..." makes no sense for you in this case, because the F-Secure Server won't know the MD5 of your programmed tool. So the reference to the F-Secure Server won't help. As I said: we had a similar problem on our development machines.
I really think the exclusion of the installation folder will reduce the messages you get.
You can try this and report your experience...
Best regards from sunny Germany
-
@Gummibere: Sunny? Tell me where...
If you are developing your own software it should be signed. Please get in contact with support. They will give you advice on how to handle those. Manual exclusion should only ever be a temporary workaround!
BR
-
Thank you for the replies so far.
I probably should have been more clear in my first post. We see the SysModAttempt warnings when installing commercial software, not just self made software.
Here are three screenshots from three different programs:
Capture One - A RAW image converter / image editing software
Novell Client - Client for logging in to Novell Servers
Datastream - Excel add-in from Thompson Reuters (http://online.thomsonreuters.com/datastream)
These three are examples - DeepGuard alerts on more than these three, but those were the screenshots my colleague sent me to document the problem...
We DO get F-Secure false alarms on some of our own AutoIt scripts and when installing, amongst others, the fingerprint drivers for our Lenovo ThinkPads, but those are regular malicious code false alerts that we work on getting rid of using folder exclusions.
-
Hi,
Do you have the ORSP network in place when you start the installation? I.e. what does ORSPDiag.exe tell you about its current connection state?
BR
Matthias
-
Hi,
Has this problem been solved already?
We also use F-Secure Client Security 9.11 and have no problems with WinXP, but with one Win7 laptop. There we get the same error message when opening Windows Explorer. Strangely enough, this happens after the user logged in, but not on the next subsequent occasions. Still, it might happen that the error pops up again, yet this doesn't seem to be regular.
What can I do here?
Regards
Lars
-
Sorry if I cannot present a solution here, but in my experience the symptoms you see occur on Windows 7 64-bit only. That is why you do not see it with Windows XP.
My best guess is to go to "Settings > Computer > DeepGuard" and set the "Action: when a harmful program is found" to "Automatic".
Please do consider using the CS 9.20 version: http://www.f-secure.com/de/web/business_de/support/downloads/-/carousel/view/73
If the situation still exists or you need to know more detail, please open a support ticket @ F-Secure.