DEEPGUARD ALLOWS MALWARE

Good Day,

Wondering why DeepGuard does not block malware that has not been seen. F-Secure states that if a binary has 0 reputation and is completely new... that DeepGuard will block it from running.

Now, we have seen this in many occurrences. But there seems to be a lack in the consistency of DeepGuard keeping up to the task. Are there any answers as to why this happens from the F-Secure team? I believe we are not the only ones with this observation.

Thanks.

F-Secure quotes this here: https://www.youtube.com/watch?v=mu7wbJq9Ulo

Ukko

Comments

  • Ukko (Posts: 2,997, Superuser)

    Hello,

    Sorry for my reply. I'm only an F-Secure user (their home solutions). Just as my feedback or question - because a kind of 'related' experience was with my own feelings.

    But where was it stated that

    F-Secure states that if a binary has 0 reputation and is completely new... that DeepGuard will block it from running.

    ?

    For example, it should not work for safe/valid applications (with limitations probably). Sorry if the DeepGuard module under Business solutions has certain tweaks for such a view.

    Or if your words and the 'noted' statement are about only suspicious, malicious and harmful files:

    maybe it is possible to use F-Secure SAS:

    https://www.f-secure.com/en/web/labs_global/submit-a-sample#sample-file

    to transfer samples/examples to F-Secure Labs and ask them directly about the decision.

    Good to get official and proper responses from official F-Secure Staff.

    Thanks!

  • F-Secure states that all unknown malware should be blocked from starting by DeepGuard.

    You can see here: https://www.youtube.com/watch?v=mu7wbJq9Ulo

    Ukko
  • Ukko (Posts: 2,997, Superuser)

    I see.

    So, either there is something broken, or they thought about certain 'malicious software' as 'clean/valid software'. Was your experience about indeed harmful items (and with additional points like totally unseen previously)?

    For example, if it is known that "fully 'unknown' malicious/harmful software" is not detected by DeepGuard as such -> and this file is available to get -> good to transfer it to F-Secure Labs (as a good channel for receiving their feedback).

    I feel that DeepGuard (or other layers) is not able to handle things like using/exploiting the proper system's design and system's abilities OR official known valid software and tools. Which can be with a harmful result.

    Even based on the youtube video.. it comes with the next view:

    -> an unrated/unknown/unseen executable file is running;

    -> DeepGuard/F-Secure does find it suspicious (based on some checks like dynamic/static analysis or maybe a Security Cloud lookup and some network sandbox checks);

    -> DeepGuard blocks it.

    If it does not look like a 'suspicious' unknown executable: the file can be launched. For example, the youtube video may be with 'known' steps to put a backdoor into a system, but maybe not all of the steps (for such or a related 'backdoor') can be known to F-Secure (or it is not possible to detect it with the default configuration).

    Basically, good to receive a normal response from F-Secure Staff (or if examples are available -> good to ask F-Secure Labs directly). Currently, it is only possible to suspect that 'unknown malware' looked like 'goodware' for DeepGuard checks at launch (and to prevent 'false positive' detections - the executable is allowed).

    Thanks!

    Raido111
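As an added illustration of the launch-gate flow Ukko outlines (unknown file runs -> static/dynamic checks and a cloud reputation lookup -> block only if it looks suspicious), here is a small Python model written for this thread. It is not F-Secure's code and not how DeepGuard is actually implemented; every field name, score and threshold is an assumption, and the three sample files are constructed. The point it makes concrete is the one the thread circles around: zero reputation on its own is not a block criterion, because that would also block every freshly built legitimate binary, so an unknown file with no strong indicators is allowed and should instead be logged so a defender can hunt on it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed, simplified model of a reputation-plus-heuristics launch gate.
# NOT DeepGuard's real logic: fields, scores and thresholds are assumptions.

@dataclass
class FileFacts:
    path: str
    prevalence: int            # endpoints the cloud has seen this hash on (0 = never seen)
    first_seen_days: int       # days since the cloud first saw the hash (0 = brand new)
    signed_by_trusted: bool    # valid signature from a publisher on the trust list
    packed: bool               # high-entropy / packer-style sections
    suspicious_imports: List[str] = field(default_factory=list)
    persistence_write: bool = False  # autorun/Run-key write seen during pre-launch emulation

SUSPICIOUS_SCORE_THRESHOLD = 3   # assumed score at which an unknown file is blocked

def reputation_state(f: FileFacts) -> str:
    """Classify the cloud reputation of the file: known_good, unknown or seen."""
    if f.signed_by_trusted:
        return "known_good"
    if f.prevalence == 0 and f.first_seen_days == 0:
        return "unknown"
    return "seen"

def suspicion_score(f: FileFacts) -> Tuple[int, List[str]]:
    """Sum weighted static/emulation indicators and explain each one."""
    score, reasons = 0, []
    if f.packed:
        score += 1
        reasons.append("packed/high-entropy sections")
    if {"VirtualAllocEx", "WriteProcessMemory"} <= set(f.suspicious_imports):
        score += 2
        reasons.append("process-injection import pair")
    if f.persistence_write:
        score += 2
        reasons.append("persistence write observed in emulation")
    return score, reasons

def evaluate_launch(f: FileFacts) -> Tuple[str, List[str]]:
    """Return (verdict, reasons); verdicts are 'allow', 'allow_monitor' or 'block'."""
    rep = reputation_state(f)
    score, reasons = suspicion_score(f)
    if rep == "known_good":
        return "allow", ["trusted signer"] + reasons
    if rep == "unknown":
        if score >= SUSPICIOUS_SCORE_THRESHOLD:
            return "block", ["unknown + suspicious"] + reasons
        # The branch the thread complains about: zero reputation alone is not a block,
        # otherwise every freshly compiled legitimate tool would be stopped too.
        return "allow_monitor", ["unknown, no strong indicators; behaviour monitored"] + reasons
    # Seen before but unsigned: block only on stronger evidence than for a brand-new file.
    if score >= SUSPICIOUS_SCORE_THRESHOLD + 1:
        return "block", reasons
    return "allow", reasons

def audit_line(f: FileFacts) -> str:
    """One log line per launch decision; 'verdict=allow_monitor' is the hunt-worthy case."""
    verdict, reasons = evaluate_launch(f)
    return (f"launch_gate path={f.path} reputation={reputation_state(f)} "
            f"verdict={verdict} reasons={'; '.join(reasons)}")

# Constructed sample files (paths and values invented for the illustration).
SAMPLES = {
    "unknown_quiet": FileFacts("C:/Users/demo/Downloads/setup.exe", 0, 0, False, False),
    "unknown_noisy": FileFacts("C:/Users/demo/Downloads/update.exe", 0, 0, False, True,
                               ["VirtualAllocEx", "WriteProcessMemory"]),
    "signed_packed": FileFacts("C:/Program Files/Vendor/tool.exe", 12000, 400, True, True),
}

def run_samples() -> Dict[str, str]:
    """Evaluate every constructed sample and return name -> verdict."""
    return {name: evaluate_launch(f)[0] for name, f in SAMPLES.items()}

if __name__ == "__main__":
    for f in SAMPLES.values():
        print(audit_line(f))
```

Running it prints one audit line per sample: the quiet unknown file is allowed but flagged for monitoring, the unknown file with packing plus an injection import pair is blocked, and the signed vendor binary is allowed even though it is packed. In a real deployment the `allow_monitor` lines are the ones worth forwarding to the SIEM, since they are exactly the "unknown but not obviously bad" launches the thread is worried about.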
This discussion has been closed.