Issue:
After a real-time scanning operation, many different objects are detected as malicious. Some documents or files are blocked but not quarantined.
Action on malware detection is set to "decide automatically" and the custom action on infection for workstations is set to "quarantine automatically".
We have noticed that these files are nevertheless not quarantined. Here are some of the entries reported in removal.log:
09.04.2020 11:44:45 Malware.XF/Agent.A BEGIN
;
;Log created by USS version 5.8.317
;
09.04.2020 11:44:45 Malware.XF/Agent.A file "N:\NDATA\XX\xxxxx\applicationxxxx\clients\A\ACENT AG\xxxx\example PEK.xls" quarantined failed
09.04.2020 11:44:45 Malware.XF/Agent.A file "N:\NDATA\XX\Ixxxxx\applicationxxxx\clients\A\ACENT AG\xxxx\example PEK.xls" blocked success
09.04.2020 11:44:45 Malware.XF/Agent.A END
or
15.04.2019 01:03:52 Heuristic.HEUR/CVE-2017-0199 file "P:\Daten\XX\XX-xxxxxx\xxxxx\xxxxxx, example.doc" quarantined failed
15.04.2019 01:03:52 Heuristic.HEUR/CVE-2017-0199 file "P:\Daten\XX\XX-xxxxxx\xxxxx\xxxxxd, example.doc" disinfected failed
15.04.2019 01:03:52 Heuristic.HEUR/CVE-2017-0199 END
Resolution:
Old-style Microsoft Office OLE document files (.xls, .doc, etc.) are explicitly protected from deletion and quarantine in the legacy scanning platform (F-Secure Server Security 12.x and F-Secure Client Security 12.x). Those documents will always log as failing quarantine when detected on-access, even though the access itself is blocked.
The reliable way to remove those files is to run a manual scan with an explicit "delete" or "quarantine" action. This behavior is controlled by the "advanced action table" policy setting, but user/admin modifications of this setting are not possible in any supported product; for all practical purposes it is hard-coded.
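To find which on-access detections were only blocked and still need the manual scan, an administrator can parse removal.log for file-action lines. The following script is an added example, not part of this article or of any F-Secure tool; the log text it reads is a constructed sample in the same format as the entries above (the Trojan.Generic line and all paths are made up).

```python
import re
from collections import defaultdict

# Constructed sample in the removal.log format shown in the article (not real log data).
SAMPLE_LOG = """\
09.04.2020 11:44:45 Malware.XF/Agent.A BEGIN
;
;Log created by USS version 5.8.317
;
09.04.2020 11:44:45 Malware.XF/Agent.A file "N:\\NDATA\\clients\\example PEK.xls" quarantined failed
09.04.2020 11:44:45 Malware.XF/Agent.A file "N:\\NDATA\\clients\\example PEK.xls" blocked success
09.04.2020 11:44:45 Malware.XF/Agent.A END
15.04.2019 01:03:52 Heuristic.HEUR/CVE-2017-0199 file "P:\\Daten\\xx, example.doc" quarantined failed
15.04.2019 01:03:52 Heuristic.HEUR/CVE-2017-0199 file "P:\\Daten\\xx, example.doc" disinfected failed
15.04.2019 01:03:52 Heuristic.HEUR/CVE-2017-0199 END
15.04.2019 01:05:10 Trojan.Generic file "C:\\Users\\x\\dropper.exe" quarantined success
"""

# One file-action line: <dd.mm.yyyy hh:mm:ss> <detection> file "<path>" <action> <success|failed>
# BEGIN/END markers and ";" comment lines do not match and are skipped.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) (?P<det>\S+) '
    r'file "(?P<path>.+)" (?P<action>\w+) (?P<result>success|failed)$'
)

# Legacy OLE document extensions named in the article; extend with others as needed.
LEGACY_OLE_EXT = (".doc", ".xls")
REMOVAL_ACTIONS = ("quarantined", "deleted", "disinfected")


def parse_removal_log(text):
    """Yield (timestamp, detection, path, action, result) for each file-action line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts", "det", "path", "action", "result")


def unresolved_detections(text):
    """Map path -> detection name for files that were never successfully
    quarantined, deleted or disinfected (e.g. only 'blocked success')."""
    outcome = defaultdict(lambda: {"det": None, "removed": False})
    for _ts, det, path, action, result in parse_removal_log(text):
        entry = outcome[path]
        entry["det"] = det
        if action in REMOVAL_ACTIONS and result == "success":
            entry["removed"] = True
    return {p: e["det"] for p, e in outcome.items() if not e["removed"]}


def legacy_ole_candidates(text):
    """Subset of unresolved detections that are legacy OLE documents: the files
    the article says need a manual scan with an explicit quarantine/delete action."""
    return {p: d for p, d in unresolved_detections(text).items()
            if p.lower().endswith(LEGACY_OLE_EXT)}


if __name__ == "__main__":
    for path, det in legacy_ole_candidates(SAMPLE_LOG).items():
        print(f"{det}\t{path}")
```

Run it against a real removal.log by replacing SAMPLE_LOG with the file's contents; the output is the list of documents to target with the manual scan described below.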
How to manually scan using the F-Secure Policy Manager Web Console:
- Log in to the F-Secure Policy Manager Web Console
- From the standard view, click Manual scanning in the left menu
- Set "quarantine automatically" or "delete automatically" as the action on infection
- Distribute the policy
After the operation is completed, these files should be quarantined or deleted, depending on the option you have set.
If those files or documents are detected as false positives, please submit a sample to F-Secure for further analysis.
With the latest versions of the Ultralight scanning platform (F-Secure Server Security 14, F-Secure Client Security 13 and 14), document files are quarantined or deleted in the same way as other file types.
You can find the latest versions of F-Secure business products at: https://www.f-secure.com/en/business/support-and-downloads
Article no: 000011430