DeepGuard Issue (false positive)

zwp-secure
zwp-secure Member Posts: 25 Contributor
edited October 2024 in Business Suite

Hi there,

since the update to WithSecure 16, DeepGuard sends strange alerts to our admins like this one:

Sicherheitsalarm: DeepGuard hat eine verdächtige Anwendung angehalten, die versucht hat, geschützte Dateien zu ändern.
Von: XXX,
2024-01-10 10:42:43 +01:00
Details: DeepGuard hat eine verdächtige Anwendung angehalten, die versucht hat, geschützte Dateien zu verändern.
Anwendungspfad: C:\Windows\System32\msiexec.exe
Datei-Hash: 32b8b2e3b3ecd8e194ace65a5e5052c326d7ccaa
Erkennung: Suspicious:W32/SuspiciousMsiPackage.A!DeepGuard
Seltenheit: Unknown
Reputation: Unknown
Prozess-ID: 19788
Benutzername: XXX

This happens every time someone executes a random software setup package directly from an SMB share. When the same package is executed from the local hard drive instead, the alarm does not appear. What could be the cause here?


Answers

  • JamesC
    JamesC Staff, Moderator Posts: 563 W/ Moderator

    Hi @zwp-secure

    Thank you for reaching out to the WithSecure Community and sorry to hear that you are receiving the false positive detection on an SMB share.

    Can you please submit a sample of the file and WSDiag logs using the link below, so our detection team can investigate further?

    Submit a sample

  • zwp-secure
    zwp-secure Member Posts: 25 Contributor

    Hi,

    OK, I'll have to wait until it occurs again. Or maybe you fixed it in the meantime ;-)

  • zwp-secure
    zwp-secure Member Posts: 25 Contributor

    Occurred & then submitted the msi file today!

  • zwp-secure
    zwp-secure Member Posts: 25 Contributor

    Happened again…

    Sicherheitsalarm: DeepGuard hat eine verdächtige Anwendung angehalten, die versucht hat, geschützte Dateien zu ändern.
    Von: XXX, 2024-02-07 10:21:12 +01:00
    Details: DeepGuard hat eine verdächtige Anwendung angehalten, die versucht hat, geschützte Dateien zu verändern.
    Anwendungspfad: C:\Windows\System32\msiexec.exe
    Datei-Hash: 32b8b2e3b3ecd8e194ace65a5e5052c326d7ccaa
    Erkennung: Suspicious:W32/SuspiciousMsiPackage.A!DeepGuard
    Seltenheit: Unknown
    Reputation: Unknown
    Prozess-ID: 12416
    Benutzername: XXX

  • zwp-secure
    zwp-secure Member Posts: 25 Contributor

    It turned out that it happens EVERY TIME you try to execute an msi package from an SMB share. It's the msiexec.exe that is handled as a false positive.

    Still, when executing the same package from the local hard drive, everything runs fine.

  • JamesC
    JamesC Staff, Moderator Posts: 563 W/ Moderator

    Hi @zwp-secure

    Sorry to hear you are still experiencing the false positive on an SMB share, but not on a local drive.

    I checked with our detection team. Please submit a WSDiag log and case so they can investigate further, as whitelisting will not work in this scenario.

  • zwp-secure
    zwp-secure Member Posts: 25 Contributor

    Hi James,

    Of the server or the client? Where should I upload it?

  • JamesC
    JamesC Staff, Moderator Posts: 563 W/ Moderator

    Hi @zwp-secure

    You may upload the logs from the SMB server and the affected client to our Submit-a-Sample.

  • zwp-secure
    zwp-secure Member Posts: 25 Contributor

    OK, I uploaded the client's file. As the server log is 350 MB, I uploaded it via FTP.

  • JamesC
    JamesC Staff, Moderator Posts: 563 W/ Moderator

    Hi @zwp-secure ,

    Thanks for submitting the file.

    Our detection team shall continue all communication from your case # 051xxxx8
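An added example (not code from the thread or from WithSecure): a small parser for the DeepGuard alert format quoted above that groups repeated hits on the same application path, file hash and detection name with Reputation "Unknown". That recurring pattern is what zwp-secure reports, and a grouped list like this is the kind of evidence worth attaching to the WSDiag submission instead of trying to silence the alerts locally. It assumes alerts arrive one "Label: value" per line with blank lines between alerts, as in the posts; the English field keys are my own naming.

```python
import re
from collections import defaultdict

# Constructed sample: the two alerts quoted in this thread, German labels kept verbatim.
SAMPLE_ALERTS = r"""
Sicherheitsalarm: DeepGuard hat eine verdächtige Anwendung angehalten, die versucht hat, geschützte Dateien zu ändern.
Von: XXX, 2024-01-10 10:42:43 +01:00
Anwendungspfad: C:\Windows\System32\msiexec.exe
Datei-Hash: 32b8b2e3b3ecd8e194ace65a5e5052c326d7ccaa
Erkennung: Suspicious:W32/SuspiciousMsiPackage.A!DeepGuard
Reputation: Unknown
Prozess-ID: 19788

Sicherheitsalarm: DeepGuard hat eine verdächtige Anwendung angehalten, die versucht hat, geschützte Dateien zu ändern.
Von: XXX, 2024-02-07 10:21:12 +01:00
Anwendungspfad: C:\Windows\System32\msiexec.exe
Datei-Hash: 32b8b2e3b3ecd8e194ace65a5e5052c326d7ccaa
Erkennung: Suspicious:W32/SuspiciousMsiPackage.A!DeepGuard
Reputation: Unknown
Prozess-ID: 12416
"""

FIELD_MAP = {  # German alert labels -> stable keys (my own names) so later logic is label-independent
    "Anwendungspfad": "app_path", "Datei-Hash": "file_hash", "Erkennung": "detection",
    "Seltenheit": "prevalence", "Reputation": "reputation", "Prozess-ID": "pid", "Benutzername": "user"}
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{2}:\d{2}")

def parse_alerts(text):
    """Split alert text on blank lines; map each 'Label: value' line to a dict entry."""
    alerts, cur = [], {}
    for line in map(str.strip, text.splitlines() + [""]):  # sentinel flushes the last alert
        if not line:
            if cur:
                alerts.append(cur)
            cur = {}
            continue
        label, sep, value = line.partition(":")
        if label == "Von":                # "Von: user, <timestamp>" carries the event time
            m = TS_RE.search(value)
            cur["timestamp"] = m.group(0) if m else None
        elif sep and label in FIELD_MAP:  # other labels (Sicherheitsalarm, Details) are ignored
            cur[FIELD_MAP[label]] = value.strip()
    return alerts

def recurring_unknown(alerts, min_hits=2):
    """Groups of (app_path, file_hash, detection) with Reputation Unknown seen >= min_hits times."""
    groups = defaultdict(list)
    for a in alerts:
        if a.get("reputation") == "Unknown":
            groups[(a["app_path"], a["file_hash"], a["detection"])].append(a["timestamp"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_hits}
```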

This discussion has been closed.
