F-Secure Server Security 12 fails to quarantine Microsoft Document OLE files

@import "https://static.cloud.coveo.com/searchui/v2.6063/css/CoveoFullSearch.min.css"; header {margin:52px 0 0 0} #dropdownnavi {float:left; clear:both; width:100%;} header .row {width:100%} header .row:nth-child(1) {background-color:#0014a0} header .container, footer .container {max-width:1172px; margin: auto;} .top-header {height:53px;} .bottom-header {height:52px;} .Header-logo {width: 10%;float: left;} .Header-logo img {width: 105px; margin: 11px 8px 8px 16px;} .header-top-links {float: right; margin: 1px 15px 0 0;} .header-top-link, .header-bottom-item {cursor: pointer; display: inline-block; font-size: 14px; font-weight: 400; line-height: 52px; margin: 0 15px; position: relative; text-align: center; } .header-top-link, .header-bottom-item a {text-decoration:none;} .header-top-link {color: #fff; margin: 0 10px 0 12px;} .header-top-link.active {margin-right:12px} .header-top-link.active::after {width: calc(100% + 30px)!important} .header-top-link.active::after, .header-top-link:hover::after {background: #fff;} .header-bottom-link {color: #1e1e1e;} .header-bottom-item .header-bottom-link {margin:0 15px} #opensearch-icon:before {content:"\f220";font-family:fsg-icon;font-size:26px;color:#ffffff} #closesearch-icon:before {content:"\f130";font-family:fsg-icon;font-size:26px;color:#ffffff} #opensearch-icon, #closesearch-icon {font-style: normal;} #opensearch-icon:hover, #closesearch-icon:hover {cursor:pointer} #homeLink {margin-left:1px} .kb-lang-title {width:100%;text-align:center;font-weight:600;color:black; margin:0} .header-right {float: right; margin: 10px 48px 0 0; padding: 3px; height: 30px; border-radius: 3px;} #signin {margin-top:5px} #signin a {text-decoration: none; color:#1e1e1e; } .signin-icon {float: left; height: 20px; padding: 0 5px 20px 0;} #articleslink hr, #dashboardlink hr {margin:0} #articleslink .title {padding: 0;text-align: center; font-weight: 600;} #articleslink p, #dashboardlink p {padding:10px 0 10px 20px;} #articleslink p a, #dashboardlink p a {text-decoration: none; color:#1e1e1e;} #articleslink .draftslink:hover, #dashboardlink p:hover {padding: 10px 0 10px 20px;} .header-coveosearch {position: relative; margin-top: -53px;} .header-search {display:inline-block;padding:8px 0 0 0;} .searchboxtoggle {color:white;} .header-searchcontainer {float: right; margin:0 18px 0 0; height:52px} .search-icon {color:white;} .expand {display:inline-block;} .collapse {display:none;} .header-searchbox {height:52px;} .CoveoSearchbox {background: white!important;margin-top: 3px!important;} .CoveoSearchbox .magic-box .magic-box-input > input {font-family: 'FSSansWeb';font-size: 14px;} #kbsearch {display:block;margin: 0 0 0 auto; height:53px; box-sizing: border-box; border: 1px solid white; font-size: 14px; padding: 14px 0 10px 15px;} header-searchbox.active, #kbsearch:focus {width: 100%; transition: 1s ease-in-out;} #helpForumsLink #menu-dropdown.ontouch {display: block;left: 25px;position: absolute;top: 52px;} #FaqsLink #kb-menu-dropdown.ontouch {display: block;left:0;position: absolute;top: 52px;} #helpForumsLink #menu-dropdown.ontouch .depth-2-list.ontouch, #FaqsLink #kb-menu-dropdown.ontouch .depth-2-list.ontouch {border: 1px solid #c4c4c4;left: calc(100% + 0px);position: absolute;top:-1px;width: 100%;display:block;background:white} #helpForumsLink #menu-dropdown.ontouch .dropdown-1-title, #helpForumsLink #menu-dropdown.ontouch .dropdown-2-title, #helpForumsLink #menu-dropdown.ontouch .dropdown-3-title,#FaqsLink #kb-menu-dropdown.ontouch .dropdown-1-title, #FaqsLink #kb-menu-dropdown.ontouch .dropdown-2-title, #FaqsLink #kb-menu-dropdown.ontouch .dropdown-3-title {display: block;text-align: left;margin-left:25px} #helpForumsLink #menu-dropdown.ontouch a.dropdown-1-title,#helpForumsLink #menu-dropdown.ontouch a.dropdown-2-title,#helpForumsLink #menu-dropdown.ontouch a.dropdown-3-title,#FaqsLink #kb-menu-dropdown.ontouch a.dropdown-1-title,#FaqsLink #kb-menu-dropdown.ontouch a.dropdown-2-title,#FaqsLink #kb-menu-dropdown.ontouch a.dropdown-3-title {font-weight:500!important;color:#8a8a8a;font-style: italic} #helpForumsLink #menu-dropdown.ontouch .depth-2-list.ontouch .depth-2-item, #FaqsLink #menu-dropdown.ontouch .depth-2-list.ontouch .depth-2-item {border-top: 1px solid #c4c4c4;} #helpForumsLink #menu-dropdown.ontouch .depth-2-list.ontouch .depth-2-item:first-of-type {border-top:none;} #helpForumsLink #menu-dropdown.ontouch .depth-2-list.ontouch .depth-3-list.ontouch {left: calc(100% + 0px);position: absolute;top:-1px;border: 1px solid #c4c4c4;width: 100%;display: block;border-bottom: none;background:white} #signin .header-bottom-item.header-bottom-link {display:inline-block; margin-top: -16px;} #signin a:hover {color:#0014a0} .signin-icon:before {content:"\f258";font-family:fsg-icon;font-size:22px;color:#363636;position:absolute;margin:-10px 0 0 -20px} .Footer {background:#f6f6f6;color:#555a62;font-size:16px;line-height:1.5;padding:18px 0; border-top:1px solid #c4c4c4} .Footer .footer-logo-wrap .footer-logo {height: auto; max-height: 32px; width: auto; margin-top:20px} .Footer .col {padding:0 0 0 15px;width: 23%; font-size: 13px; display: inline-block; vertical-align: top;} .Footer .footer-links-wrap {border-bottom: 1px solid #c4c4c4;max-width: 1172px; margin: auto;} .Footer .footer-links-wrap .col:nth-child(2), .Footer .footer-links-wrap .col:nth-child(3), .Footer .footer-links-wrap .col:nth-child(4) {border-right:1px solid #c4c4c4} .Footer .col ul {list-style: none;} .Footer .col:nth-child(2) ul {padding: 0;} .Footer .col ul li a {color: #1e1e1e; text-decoration: none;} .footer-link-title {text-transform: uppercase; color: #1e1e1e;} .footer-link-subtitle {font-size:14px; color: #1e1e1e; max-width:95%} .footer-icon {float: left; height: 30px; padding: 0 10px 60px 0;} footer.Footer .row.footer-links-wrap .col.footer-links {border:none;margin-bottom:0} footer.Footer .row.footer-links-wrap .col.footer-links h3 {font-size:16px} footer.Footer .row.footer-links-wrap .col.footer-links ul {padding:0 0 15px 0;margin-left:0} footer.Footer .row.footer-links-wrap .col.footer-links .footer-link{color:black;font-size:14px} footer.Footer .row.bottom-row .col.col-copyRight * {color:black;font-weight:400} footer.Footer .row.footer-links-wrap .col.footer-links .footer-link:hover, footer.Footer .row.bottom-row .col.col-copyRight:hover {color:#0014a0;} footer.Footer .row.bottom-row {border-top:none} footer.Footer .row.bottom-row .col {width:48%} footer.Footer .row.footer-links-wrap:nth-of-type(3) {padding-top:10px} .col-copyRight a, .social-icons-wrap a {display:inline-block; padding:5px 0; text-decoration: none; color: #1e1e1e; } .social-icons-wrap {float:right} .Footer a:hover, .Footer .col ul li a:hover, footer.Footer .row.bottom-row .col.col-copyRight *:hover {color:#0014a0} footer.Footer .row.bottom-row {padding-top:5px;max-width: 1172px;margin: auto;} footer.Footer .row.bottom-row .col.col-copyRight * {font-weight:400} social-link:hover {cursor:pointer} social-link:hover svg {fill:#0014a0} .social-link.facebook:before {content:"\f226";font-family:fsg-icon;font-size:38px;padding:10px 0;color:#363636} .social-link.youtube:before {content:"\f231";font-family:fsg-icon;font-size:38px;padding:10px 0;color:#363636} .social-link.twitter:before {content:"\f22f";font-family:fsg-icon;font-size:38px;padding:10px 0;color:#363636} .social-link.linkedin:before {content:"\f22a";font-family:fsg-icon;font-size:38px;padding:10px 0;color:#363636} .social-link.facebook:hover::before,.social-link.youtube:hover::before,.social-link.twitter:hover::before, .social-link.linkedin:hover::before {color:#0f58dc} @media screen and (max-width:991px){ header {margin:0} header .row:nth-child(1) {height:64px} .Header-logo img {margin: 17px 8px 8px 16px;} .Hamburger-border {position: absolute; right: 60px; border-left: 1px solid #fff; height: 64px; width: 50px; top: 0; z-index: 20; border-right: 1px solid white; padding-right: 10px;} .Hamburger {display:block;position: absolute; top: 8px; left: calc(100% - 52px); z-index: 20;-webkit-box-align: center; -webkit-box-pack: center;-webkit-user-select: none; align-items: center; background: transparent; border: none; border-radius: 0;cursor: pointer;justify-content: center; outline: none;transition: .35s;} .Hamburger-menuXcross {height: 25px; padding: 0; width: 26px;} .Hamburger-menuLines {-o-transition: .35s;-webkit-transition: .35s; background-color: #fff; border-radius: 2px; display: inline-block; height: 2px; position: relative; transition: .35s; width: 26px;} .Hamburger-menuLines::before {top: 6px; } .Hamburger-menuLines::after {top: -6px;} .Hamburger-menuLines::after, .Hamburger-menuLines::before {-ms-transform-origin: 5.5px center;-o-transition: .35s;-webkit-transform-origin: 5.5px center;-webkit-transition: .35s;background-color: #fff;border-radius: 2px; content: ""; display: inline-block; height: 2px;left: 0;position: absolute;transform-origin: 5.5px center;transition: .35s;width: 26px;} .sr-only {position: absolute !important;width: 1px !important;height: 1px !important;padding: 0 !important;margin: -1px !important;overflow: hidden !important;clip: rect(0,0,0,0) !important;border: 0 !important;} .Hamburger-menuXcross.isToggled .Hamburger-menuLines::before {-webkit-transform: rotate(45deg); transform: rotate(45deg);} .Hamburger-menuXcross.isToggled .Hamburger-menuLines::after {-webkit-transform: rotate(-45deg);transform: rotate(-45deg);} .Hamburger-menuXcross.isToggled .Hamburger-menuLines::after, .Hamburger-menuXcross.isToggled .Hamburger-menuLines::before {-ms-transform-origin: 50% 50%;-webkit-transform-origin: 50% 50%;background-color: hsla(0,0%,100%,.6); left: 0;top: 0;transform-origin: 50% 50%;width: 26px;} .Hamburger-menuXcross.isToggled .Hamburger-menuLines {background: transparent;} .isToggled .Hamburger-menuLines {-webkit-transform: scaleX(1);transform: scaleX(1);} #signin {text-align:center; margin: auto; color:white} #signin a {text-decoration: none; color:white;} .header-top-links, .bottom-header {display: none} .header-coveosearch {margin-top:0} .header-searchcontainer {color: white; text-align: right; margin: 8px 18px 0 0;} .header-search { padding: 5px 0 0 0; width: 60px; margin: auto; display: block; position: absolute; right: 17px; top: 8px;} .searchboxtoggle {color:white} .header-searchbox {position: absolute; right: 60px; top: 0; height:65px; width:85%;z-index:30} .CoveoSearchInterface {margin-top:-3px} .CoveoSearchbox {margin-top:0;} .CoveoSearchInterface .CoveoSearchbox {margin-right:0;height:65px;} .CoveoSearchButton.coveo-accessible-button, .CoveoSearchbox .magic-box .magic-box-input > input {height:65px} #kbsearch {height:66px} .banner-middleContainer_f1l0wf96 {box-shadow: inset 0 10px 10px -10px #000;} #homeLink, #helpForumsLink, #FaqsLink, #userguidesLink, #supportLink, .header-right {width:100%; text-align: left; margin: 0; } #userguidesLink, #supportLink {border-top: 1px solid #dfdfdf;} #helpForumsLink, #FaqsLink {margin: 0 0 10px 25px;} .top-header-link {text-transform: uppercase; font-weight:700; color:#1e1e1e; font-size:14px; padding:15px 15px; line-height: 2em;} #dropdownnavi .top-header-link {margin: 3px 0 0 10px;} .header-bottom-link::after {background:none;} .header-bottom-item .header-bottom-link {margin:0 10px} .depth-1-list, .depth-2-list, .depth-3-list {list-style: none; margin: 0; padding:0 0 0 40px} .kb-lang-title {text-align:left;} #menu-dropdown {margin-top: -20px;} #kb-menu-dropdown .depth-2-list.open {padding-left:30px} .depth-1-list a, .depth-2-list a, .depth-3-list a {color:#1e1e1e} .smdropdown-alt {line-height: 0; margin:0; padding: 0 0 10px 0;} .smdropdown-link {color:#acacac!important; font-style: italic;} .depth-1-list, .depth-2-list, .depth-3-list {display: none; margin: -20px 0 0 0; padding: 0 0 0 15px;} .header-right {float: right;padding: 8px 0; height: 30px; border-radius: 0; box-shadow: 0 3px 5px #1e1e1e; background:#0014a0; text-align: right;} .signin-icon {display: none;} #signin .header-bottom-item.header-bottom-link {margin-top: -10px;} .open {display: block;} .Footer .col {display: block; width:96%; padding: 0 20px 15px 20px} .Footer .col.col-copyRight, .Footer .col.col-social {width:90%} footer .container {width:95%} .col.footer-logo-wrap {text-align: center;} .col-copyRight a {padding: 10px 0 0 20px;} .social-icons-wrap a {padding: 10px 0 0 0;} .Footer .footer-links-wrap {padding-bottom:none; border-bottom:none;} .Footer .footer-links-wrap .col:nth-child(2), .Footer .footer-links-wrap .col:nth-child(3), .Footer .footer-links-wrap .col:nth-child(4) {border-bottom:1px solid #c4c4c4; border-right:none} footer.Footer .row:nth-of-type(2).footer-links-wrap .col.footer-links:last-of-type {border-bottom:none} a.dropdown-1-title, a.dropdown-2-title, a.dropdown-3-title {color: #8a8a8a; font-style: italic;} .header-bottom-link:focus::after, .header-bottom-link:hover .smdropdown::after,.smdropdown::after,.depth-1-url::after,.depth-2-url::after {content:"\f1f5";font-family:fsg-icon;font-size:26px;color:#363636;position:absolute} .smdropdown.change::after,.depth-1-url.change::after,.depth-2-url.change::after {content:"\f131";} .footer-link-title {width:94%} .footer-link-title::after {content:"\f1f5";font-family:fsg-icon;font-size:26px;color:#363636;float:right!important} .footer-link-title.change::after {content:"\f131";} footer.Footer .row.footer-links-wrap .col.footer-links ul {display:none} footer.Footer .row.footer-links-wrap .col.footer-links ul.open {display:block; padding-bottom:30px} footer.Footer .row.footer-links-wrap:nth-of-type(3) {border-bottom:none} footer.Footer .row.footer-links-wrap .col.footer-links {border-bottom:1px solid #dfdfdf;} footer.Footer .row.footer-links-wrap .col.footer-links, footer.Footer .row.footer-links-wrap .col.footer-links:last-of-type {padding:10px 0 0 20px} footer.Footer .row.footer-links-wrap .col.footer-links .footerdropdown::hover {cursor:pointer!important} .row.bottom-row {display:flex;} .Footer .col.col-copyRight, .Footer .col.col-social {width:50%;padding:0} .social-icons-wrap {margin-top:-15px} } @media screen and (min-width:992px){ .Hamburger, .dropdownnavi .top-header-link, #userguidesLink, #supportLink, .smdropdown-alt {display: none;} .bottom-header {display: block;} .header-top-link::after {background: #fff;} header .row:nth-child(2) {background-color:white; box-shadow: 0 3px 5px rgba(0,0,0,0.1);} .depth-1-list, .depth-2-list, .depth-3-list {list-style: none; margin: 0; padding-left: 0; box-shadow: 0 4px 4px rgba(0,0,0,.1);} .depth-1-item, .depth-2-item, .depth-3-item {padding-left:15px; border-bottom:1px solid #dfdfdf; position: relative;} .depth-1-item a, .depth-2-item a, .depth-3-item a {color: #1e1e1e;} .header-bottom-link::after {background: #0014a0;} .header-top-link.active::after, .header-top-link:hover::after, .header-bottom-link.active::after, .header-bottom-link:hover::after {bottom: 0; content: ""; display: block; height: 5px; left: -15px; margin: auto; position: absolute; width: calc(100% + 35px);} .header-bottom-link.smdropdown:hover, .header-bottom-link.smdropdown.active {color:#0014a0} .header-searchbox {position:absolute;top:0;right:60px; margin:0; z-index: 200; } .header-searchbox.active {width:500px;transition: 1s ease-in-out;} #kbsearch {width:350px;} #menu-dropdown, #kb-menu-dropdown {position: absolute; z-index: 100; background: white; text-align: left; margin: 1px 0 0 -15px;} #menu-dropdown, #kb-menu-dropdown .depth-1-list {width:300px} #kb-menu-dropdown .depth-1-url {color:#8a8a8a} #kb-menu-dropdown .depth-2-list {width:350px!important} #profile-menu {position: absolute; z-index: 100; background: white; width: 350px; text-align: left; width:260px; margin: 0 0 0 -230px; border: 1px solid #c4c4c4; border-radius: 5px; box-shadow: 0 4px 4px rgba(0,0,0,.1);} #menu-dropdown, #menu-dropdown .depth-2-list, #menu-dropdown .depth-3-list, #kb-menu-dropdown, #kb-menu-dropdown .depth-2-list, #profile-menu {display:none;} #helpForumsLink:hover #menu-dropdown, #FaqsLink:hover #kb-menu-dropdown, #profiledropdown:hover #profile-menu {display: block;} #menu-dropdown .depth-1-item:hover .depth-2-list, #menu-dropdown .depth-2-item:hover .depth-3-list, #kb-menu-dropdown .depth-1-item:hover .depth-2-list { display: block; left: calc(100%); background: #fff; border: 1px solid #c4c4c4; position: absolute; top: 0; width: 100%;} #kb-menu-dropdown .depth-1-url {margin:0} #menu-dropdown .depth-1-item:nth-child(3) .depth-2-list, #menu-dropdown .depth-2-item:hover .depth-3-list {top:-1px} .depth-1-item:hover, .depth-2-item:hover, .depth-3-item:hover {pointer:cursor;background-color:#f8f8f8} #helpForumsLink .depth-1-item:hover .depth-1-url, .depth-2-item:hover .depth-2-url, .depth-3-item:hover .depth-3-url, #kb-menu-dropdown .depth-2-item:hover .depth-3-url {color:#0014a0} #FaqsLink .depth-1-item:hover, #FaqsLink .depth-1-item:hover .depth-1-url {cursor:default} .header-right {float: right; margin: 8px 15px 0 0; padding: 3px; height: 30px; border-radius: 3px;} #dropdownnavi {margin: -1px 0 0 -13px;width:50%} #dropdownnavi .top-header-link, .dropdown-1-title, .dropdown-2-title, .dropdown-3-title {display:none} .header-bottom-link.smdropdown {line-height:53px} #signin {display:flex; margin: 1px -12px 0 0} #signin .header-bottom-item.header-bottom-link {margin-top:-14px; height:54px} #signin span {margin-top: 3px;} .signin-icon {padding: 4px 0 20px 0;} .header-bottom-link.smdropdown:before {content:"\f1f5";font-family:fsg-icon;font-size:26px;float: right;} #helpForumsLink:hover .header-bottom-link.smdropdown::before, #FaqsLink:hover .header-bottom-link.smdropdown::before, .header-bottom-link.smdropdown:hover::before {content:"\f131";} .depth-1-item:before, #helpForumsLink .depth-2-item:before {content:"\f1f6";font-family:fsg-icon;font-size:26px;float: right;} .depth-1-item:hover::before, #helpForumsLink .depth-2-item:hover::before {content:"\f132";} }

F-Secure Server Security 12 fails to quarantine Microsoft Document OLE files - F-Secure Community

Issue:

After a Real-time scanning operation, there are many different objects detected as malicious. Some documents or files are blocked but not quarantined.
Action on malware detection is set to "decide automatically" and custom action on infection for workstations is set to "quarantine automatically".

We have noticed, that these files are however not quarantined. Here is some of the entries reported from removal.log:

09.04.2020 11:44:45 Malware.XF/Agent.A BEGIN
;
;Log created by USS version 5.8.317
;
09.04.2020 11:44:45 Malware.XF/Agent.A file "N:\NDATA\XX\xxxxx\applicationxxxx\clients\A\ACENT AG\xxxx\example PEK.xls" quarantined failed
09.04.2020 11:44:45 Malware.XF/Agent.A file "N:\NDATA\XX\Ixxxxx\applicationxxxx\clients\A\ACENT AG\xxxx\example PEK.xls" blocked success
09.04.2020 11:44:45 Malware.XF/Agent.A END
or
15.04.2019 01:03:52 Heuristic.HEUR/CVE-2017-0199 file "P:\Daten\XX\XX-xxxxxx\xxxxx\xxxxxx, example.doc" quarantined failed
15.04.2019 01:03:52 Heuristic.HEUR/CVE-2017-0199 file "P:\Daten\XX\XX-xxxxxx\xxxxx\xxxxxd, example.doc" disinfected failed
15.04.2019 01:03:52 Heuristic.HEUR/CVE-2017-0199 END

Resolution:

Old style Microsoft Document OLE files (.xls, .doc, etc.) are explicitly protected from deletion and quarantine in legacy scanning platform (F-Secure Server Security 12.x and F-Secure Client Security 12.x). Those documents will always log as failing quarantine if detected on-access.

The way to reliably remove those files is to do a manual scan with explicit "delete" or "quarantine" actions. This behavior is controlled by "advanced action table" policy setting, but user/admin modifications for this setting are not possible in any supported product; it's hard-coded for all practical purposes.

How to manually scan using the F-Secure Policy Manager Web Console:

Login to F-Secure Policy Manager Web Console
From the standard view, click on the Manual scanning from the left menu
Set " quarantine automatically" or " delete automatically" for action on infection
Distribute the policy

After the operation is completed, these files should be quarantined or deleted, depending on the option you have set.

In case those files, or documents are detected false, please submit a sample to F-Secure for further analyses.

With latest versions of the Ultralight scanning platform (F-Secure Server Security 14, F-Secure Client Security 13 and 14) document files are quarantined or deleted in the same way as other file types.
You can find the latest versions of F-Secure business products at: https://www.f-secure.com/en/business/support-and-downloads

Article no: 000011430