Disable scanning for "trojan.generic.xxx" in policy manager. Tons of false positive.

In tha last week we started getting tons of infection of "Trojan.Generic.11935054" for exe files.

ALL "infection" is totally wrong and false positive.

At the moment F-secure client security almost useless for us because it continues deleting files which are not infected at all.

So something seriously wrong with the latest virus definitions (when was introduced Trojan.Generic.11935054?!)

The big question is how can we configure the policy manager to not scan for any "generic" virus.

Find more posts tagged with

Comments

stmarti

Samples sent to hungarian office.

etomcat

Hello,

If you are a hungarian, false alarm file samples or undetected malware samples can also be sent to us, at: minta kukac 2f pont hu

(I don't think F-Secure's Virus Lab partner address accepts samples directly from end users. Maybe other national partners also have local sample collection addresses.)

Best Regards: Tamas Feher, 2F 2000, Hungary.

stmarti

DeepGuard not enabled and never was.

I've filled every field in the sample report form.

We still getting tons of false alerts and f-secure deleting legitimate exe files.

What is the f-secure lab email address?

etomcat

Hello,

If the generic alerts come from the Aquarius scan engine (old-school malware fingerprint database based detection technology) then I have no idea if they can be excluded. On the other hand, if these alerts come from the DeepGuard subsystem (Gemini engine?) within F-Secure, then maybe turning off the Deepguard Advanced mode (mini-DLL) scanning mode or even turning off the DeepGuard module entirely, could help as a temporary measure.

However, turning off DeepGuard entirely would cut the protection level by about 33% and especially hurt in protecting against newly emerging malware!

By the way, I usually try to avoid using the SAS website, because it works sluggishly and rather try to submit new, undetected malware samples or false virus alert files via e-mail attachment to F-Secure Lab.

Best Regards: Tamas Feher, 2F 2000, Hungary.

Ben

Hello Stmarti,

Did you fill the message field in English? This is a compulsory step to receive feedback.

Note: If you need to contact our Response Team, include your question or incident details in the "Message" field. Else, please leave it empty.

Also note that under certain circumstances submissions might be removed automatically from the list.

Are you still suffering of the false positives?

stmarti

I have registered on the sample analysis page, and uploaded two false positive.

No feedback, and my submission list is empty.

Is this service useable at all?

Ben

This detection seems to have been introduce on 14th of October.

You can always follow the virus definition release through the dbtracker page.

It is not possible to exclude a given definition on the customer side. You might want to report the false positive to our lab, providing the exe files and explaining that the problem might be with this specific generic detection.