PSB to remotely submit suspected false virus alert samples to the F-Secure lab

etomcat
etomcat W/ Alumni Posts: 1,172 Firewall Master

Dear Sirs,

Please implement the capability in FSAV PSB to remotely submit suspected false virus alert samples to the F-Secure lab!

I see a LOT of obvious-looking false alarms among Hungarian schools using monthly subscriptions of PSB Advanced. Apparently it affects in-house bred and specifically Hungarian software titles, but I don't have access to binary samples, because obtaining co-operation from the end users via mail and phone is difficult! On the other hand, the FSC lab answers they cannot deliver a definite judgement without the binaries.

I would like to have a button in our PSB SoP account, where I can tick a virus alert item and click "Submit object for second opinion" and the affected endpoint would just do the upload and the Lab's answer would arrive at the e-mail address belonging to the particular SoP login. Sounds so easy, why not implement it?

False alarm handling is the weak point of almost all anti-virus software brands, as the vendors like to pretend such a problem doesn't exist. But I feel it is key to the usability of PSB especially, where the cloud-managed endpoints can be anywhere geographically, so traditional methods of fetching samples via USB and so on are not practicable.

Currently the situation is, school people experiencing the false alarm are trying to re-download / re-run the file obsessive-compulsively a dozen times, then get fed up with lack of success and turn off or uninstall PSB and I can only observe that outcome via the webportal. Hungarian people are not very communicative and usually don't ask for help or don't even accept it. The ability to fix false alarms silently via tele-operation would be tremendously helpful!

Thanks for your kind attention, Yours Sincerely:

Tamas Feher, 2F 2000 Kft., Hungary.

 

Edit: title

Comments

  • AndyRD
    AndyRD W/ Alumni Posts: 16 Junior Protector

    Hi Tamas,

    I think there are actually two parts to your suggestion:

    1. Submit the samples automatically to Labs for analysis.

    This one I support, and I will investigate with the team what options we have.

    2. Report back to Administrator the analysis results.

    This one would need more analysis, to ensure that customer (end-user) privacy is preserved.

    I cannot commit to this feature being implemented, but it will definitely be considered by the team!

    Best Regards,

    Andy

     

  • etomcat
    etomcat W/ Alumni Posts: 1,172 Firewall Master

    Dear Andy,

    Remote sample submission is absolutely crucial for the FSAV PSB portal. Please implement it with priority! Don't try to convince yourself that false alarms are rare, because I see many of them in Hungarian schools, all kinds of in-house bred programs and commercial applications made by smaller software houses. I see them in the PSB portal and cannot do anything about them. F-Secure Lab cannot fix them through the Cloud only, they would need the samples.

    I cannot compel clueless or non-cooperative end users to collect the samples for me. I see a typical pattern where they try to download or run the file in question, which is always getting denied by the protection. Eventually the user and sysadmin are fed up and uninstall PSB from the endpoint. That is, F-Secure is destroying its own user base with its indifferent approach!

    Previously, there were promises of a "remote desktop" like functionality in future versions of PSB, but that feature was never realized. I could have used that feature to remotely connect and collect the suspected false alarm samples in a manual, work-intensive way.

    Since that option is not available, I need a button in the PSB portal that allows me to remotely upload the object/file of an endpoint malware alarm to the lab and get a second opinion.

    Thanks for your kind attention, Yours Sincerely:

    Tamas Feher, 2F 2000 Kft., Hungary.

  • etomcat
    etomcat W/ Alumni Posts: 1,172 Firewall Master

    Dear F-Secure Business Products Development,

    Please let me note again and again that the lack of remote sample submission support in the F-Secure PSB system causes a lot of problems for partners (SeP, SoP).

    It appears F-Secure virus protection has a big tendency to produce false alarms on binary code produced by school pupils as classwork or homework, while they learn how to program. This makes FSAV essentially unusable in the educational sphere!

    Please understand that we have no physical access to the local computers, usually there is no one that could be asked to collect the sample on-site, since schools are under-staffed and local competence is rare. The result is F-Secure PSB starts to get uninstalled from computers classroom by classroom, as it causes on-going problems and there is no simpler solution.

    If we had the option to click on virus alert items in the FSAV PSB webportal and choose "Submit this sample to lab for a second opinion" then all these problems could be solved quickly. F-Secure already had to abandon participation in comparative antivirus tests, due to failed grades stemming from too many false alarms, so why don't you do something about that problem? You can't train your scanning engines without having access to false alarm samples!

    Here are some very obvious false virus detection alerts, which are hitting an entire classroom's worth of computers in Hungary:

    Date and time: 2017.01.07. 10:06:06 CET
    Computer: Alpha
    File: C:\FPC\3.0.0\bin\i386-win32\ritkaszam.exe
    Threat: Gen:Variant.Razy.106642
    Action: Quarantined
    (Note: the file name "ritkaszam" means "rare number" in Hungarian and the folder "FPC" could refer to the "Free Pascal Compiler" programming language)

    Date and time: 2017.01.07. 9:57:49 CET
    Computer: Bravo
    File: C:\FPC\3.0.0\bin\i386-win32\versenycsakegy.exe
    Threat: Gen:Variant.Razy.106642
    Action: Quarantined
    (Note: file name "versenycsakegy" means "only one race" in Hungarian)

    Date and time: 2017.01.07. 11:08:21 CET
    Computer: Charlie
    File: C:\FPC\3.0.0\bin\i386-win32\piac.exe
    Threat: Gen:Variant.Razy.106642
    Action: Quarantined
    (Note: file name "piac" means "market" in Hungarian)

    Date: 2017.01.07.
    Time:  10:08:47 CET
    Computer: Delta
    Threat: Gen:Variant.Razy.106642
    Object: unparsed scan target (sic!)
    Action: Quarantined

    Please do something about the impossibility of treating false alarms!

    Thanks in advance, Yours Sincerely:

    Tamas Feher, Hungary.

This discussion has been closed.