PSB setup loads unsigned DLL

Guilherme_S
Guilherme_S W/ Alumni Posts: 3 Security Scout

I recently installed a trial of F-Secure Protection Service for Business on a Windows 10 device configured with Windows Defender ATP.

The installation of PSB triggered an alert on Windows Defender ATP, which appears to result from an unsigned DLL:

Executable with original file name 'FSSETUP.EXE' (Sha1: 648a1257c56ef23a3589be7d0ac3e4bfb0a6de74) loaded DLL 'fsaua_i.dll' (Sha1: 5b36bd96a9ef3d3f2a462715a11e16f6ff070ddc) unsigned whereas it is generally signed by 'F-Secure Corporation'

I imagine that this is a false positive (threat-wise), since the installation executable was downloaded directly from F-Secure's server and the UAC prompt indicated a setup executable with a valid digital signature.

However, I am a little concerned to see that the "fsaua_i.dll" that was loaded onto this device appears to have never been seen before:

  • The DLL itself is named "fsaua_i.dll" and its SHA-1 fingerprint is "5b36bd96a9ef3d3f2a462715a11e16f6ff070ddc". According to WD ATP, the "worldwide prevalence" is 1 -- meaning that it's only ever been seen on this device. Further, the DLL was not signed, whereas it is normally signed by F-Secure.
  • The executable that loaded the DLL is "fssetup.exe" with a SHA-1 fingerprint of "648a1257c56ef23a3589be7d0ac3e4bfb0a6de74". Worldwide prevalence is ~81K, and it's signed by "INVALID: F-Secure Corporation" (issued by "INVALID: DigiCert EV Code Signing CA (SHA2)").

Any ideas about what might be going on here? The installation took place on April 22, 2017, if that helps.
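For anyone triaging the same kind of alert, here is an added PowerShell example (not from this thread, F-Secure, or Microsoft) that reproduces the two checks WD ATP reported on: the DLL's SHA-1 and its Authenticode signature status. The file path is a placeholder you must replace, the expected publisher string is an assumption, and the reported SHA-1 is the value quoted in the alert above.

```powershell
# Added example: triage a DLL flagged as "loaded unsigned whereas it is generally signed".
# Assumptions: $DllPath is a placeholder path; $ExpectedPublisher is the CN you expect to
# see on the signing certificate; $ReportedSha1 is the hash quoted in the WD ATP alert.
param(
    [string]$DllPath           = 'C:\PLACEHOLDER\fsaua_i.dll',   # placeholder, not a real path
    [string]$ExpectedPublisher = 'F-Secure Corporation',           # assumed expected signer CN
    [string]$ReportedSha1      = '5b36bd96a9ef3d3f2a462715a11e16f6ff070ddc'  # from the alert
)

if (-not (Test-Path -LiteralPath $DllPath)) {
    throw "File not found: $DllPath"
}

# SHA-1 so the local file can be matched against the hash in the alert / VirusTotal.
$sha1 = (Get-FileHash -LiteralPath $DllPath -Algorithm SHA1).Hash.ToLower()

# Authenticode check. Status is 'Valid' only when the file carries (or is covered by a
# catalog) signature whose chain verifies; 'NotSigned' reproduces the alert's condition,
# while 'HashMismatch' means the file was changed after signing and deserves more scrutiny.
$sig    = Get-AuthenticodeSignature -LiteralPath $DllPath
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
$issuer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }  else { '<none>' }

[pscustomobject]@{
    File             = $DllPath
    Sha1             = $sha1
    HashMatchesAlert = ($sha1 -eq $ReportedSha1.ToLower())
    SignatureStatus  = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError ...
    StatusMessage    = $sig.StatusMessage
    Signer           = $signer
    Issuer           = $issuer
    PublisherMatch   = ($sig.Status -eq 'Valid' -and $signer -like "*CN=$ExpectedPublisher*")
}
```

Run it against the copy of the DLL the installer wrote (the path WD ATP shows for the load event); a SignatureStatus of NotSigned with HashMatchesAlert true confirms the alert describes the file on disk rather than a transient extraction artefact.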

Comments

  • Laksh
    Laksh W/ Alumni Posts: 237 Cybercrime Crusader

    Hi Guilherme_S,

    I am checking on this with our team. I will keep you posted once I have any information on this.

  • Guilherme_S
    Guilherme_S W/ Alumni Posts: 3 Security Scout

    Thanks Tamas. I'll report this to the Windows Defender ATP Team and report back when they figure out what happened.

  • antti-fsecure
    antti-fsecure W/ Alumni Posts: 8 W/ Former Staff

    Hi all,

    We double-checked the binaries with our team, and we couldn't find any signing problems. Tamas also provided an extensive study of the problem, which indicated no problems in signing. Let's hope this was indeed a false alarm.

    A super-big thanks to Tamas for the great detective work. Highly appreciated.

    Cheers,

    - Antti, Senior Product Owner, PSB

  • Guilherme_S
    Guilherme_S W/ Alumni Posts: 3 Security Scout

    Thanks guys for carefully looking into this. I've already submitted a False Positive report to Microsoft's Windows Defender ATP Team, and included the information regarding VirusTotal's records for those files. They're looking into it now, I'll report back when I hear from them.
