PSB setup loads unsigned DLL

I recently installed a trial of F-Secure Protection Service for Business on a Windows 10 device configured with Windows Defender ATP.

The installation of PSB triggered an alert on Windows Defender ATP, which appears to result from an unsigned DLL:

Executable with original file name 'FSSETUP.EXE' (Sha1: 648a1257c56ef23a3589be7d0ac3e4bfb0a6de74) loaded DLL 'fsaua_i.dll' (Sha1: 5b36bd96a9ef3d3f2a462715a11e16f6ff070ddc) unsigned whereas it is generally signed by 'F-Secure Corporation'

I imagine that this is a false positive (threat-wise), since the installation executable was downloaded directly from F-Secure's server and the UAC prompt indicated a setup executable with a valid digital signature.

However, I am a little concerned to see that the "fsaua_i.dll" that was loaded onto this device appears to have never been seen before:

The DLL itself is named "fsaua_i.dll" and its SHA-1 fingerprint is "5b36bd96a9ef3d3f2a462715a11e16f6ff070ddc". According to WD ATP, the "worldwide prevalence" is 1 -- meaning that it's only ever been seen on this device. Further, the DLL was not signed, whereas it is normally signed by F-Secure.
The executable that loaded the DLL is "fssetup.exe" with a SHA-1 fingerprint of "648a1257c56ef23a3589be7d0ac3e4bfb0a6de74". Worldwide prevalence is ~81K, and it's signed by "INVALID: F-Secure Corporation" (issued by "INVALID: DigiCert EV Code Signing CA (SHA2)").

Any ideas about what might be going on here? The installation took place on April 22, 2017, if that helps.

Find more posts tagged with

Comments

Guilherme_S

Thanks guys for carefully looking into this. I've already submitted a False Positive report to Microsoft's Windows Defender ATP Team, and included the information regarding VirusTotal's records for those files. They're looking into it now, I'll report back when I hear from them.

antti-fsecure

Hi all,

We double-checked the binaries with our team, and we couldn't find any signing problems. Tamas' also provided an extensive study of the problem, which indicated no problems in signing. Let's hope this was indeed a false alarm.

A super-big thanks to Tamas for the great detective work. Highly appreciated.

Cheers,

- Antti, Senior Product Owner, PSB

Guilherme_S

Thanks Tamas. I'll report this to the Windows Defender ATP Team and report back when they figure out what happened.

etomcat

Hello,

I see no problems here:

> The DLL itself is named "fsaua_i.dll" and its SHA-1 fingerprint is "5b36bd96a9ef3d3f2a462715a11e16f6ff070ddc". According to WD ATP, the "worldwide prevalence" is 1 -- meaning that it's only ever been seen on this device. Further, the DLL was not signed

The VirusTotal website says that the file descibed by SHA1 = 5b36bd96a9ef3d3f2a462715a11e16f6ff070ddc is properly signed:

F-Secure Automatic Update Agent Installation Plug-In,

Signature verification: Signed file, verified signature,

Signing date 08:56AM 12/9/2016,

Signers: F-Secure Corporation / DigiCert EV Code Signing CA (SHA2) / DigiCert

Counter-signers: DigiCert Timestamp Responder / DigiCert Assured ID CA-1

See here for more:

https://virustotal.com/hu/file/cb896eedfe3cd9438820218310d384671104efd0adc2e1c3a87e700c23c5e143/analysis/

> The executable that loaded the DLL is "fssetup.exe" with a SHA-1 fingerprint of "648a1257c56ef23a3589be7d0ac3e4bfb0a6de74". Worldwide prevalence is ~81K, and it's signed by "INVALID: F-Secure Corporation" (issued by "INVALID

The VirusTotal website says that the file descibed by SHA1 = 648a1257c56ef23a3589be7d0ac3e4bfb0a6de74 is properly signed:

F-Secure Setup Core Engine
Signature verification: Signed file, verified signature
Signing date: 07:47AM 4/6/2016
Signers: F-Secure Corporation / DigiCert EV Code Signing CA (SHA2) / DigiCert
Counter signers: DigiCert Timestamp Responder / DigiCert Assured ID CA-1 / DigiCert

See here for more:

https://virustotal.com/hu/file/894525c5c0c43798d9ebf4cbbcd9207b36d003411f490d1765e6447e497e845b/analysis/

(Now, if the mentioned SHA1 values have been falsified for your connection on-the-fly, then you are being targeted by such huge powers-that-be that antivirus is the least of you concern. But I don't think paranoia is justified here. More likely the "Microsoft Enterprise Protection ATP" messed up. It is not recommeded to run two different protection suites on the same computer, because they often clash and cause problems.)

Best Regards: Tamas Feher, Hungary.

Laksh

Hi Guilherme_S,

I am checking on this with our team. I will keep you posted once I have any information on this.