We use Policy Manager 10 and CS 9.x versions.
F-Secure Client Security 9.x DeepGuard is suddenly detecting Dameware as a dangerous application. How can I exclude Dameware from DeepGuard scanning? I still want DeepGuard to be enabled.
Hi Jaro,
As you are using Policy Manager, you can add the executable file's SHA-1 hash as trusted in Policy Manager's DeepGuard Applications table.
This table can be found in Policy Manager Console in advanced mode: F-Secure DeepGuard -> Settings -> Applications
Please also submit the file to analysis.f-secure.com
After the FA has been fixed you may remove the exclusion again.
I did that a few years ago, but now it does not seem to work. Can I use the hash that is shown in the alert? This is just an example for aboapaivitys.exe:
Application was blocked. This was determined to be a high-risk application by system control heuristics.
Application path: \\?\c:\aboa\aboapaivitys.exe File hash: 91d3a2b45db6931a4e603dde11ef5484837ce475
YES, use that hash!
But I think that DG also obeys the realtime scanning excludes! At least with FSCS9.31...
The problem with the use of a CRC/SHA-1/MD5 checksum for exclusion is that the IBM-compatible PC is a "von Neumann" type platform, therefore self-modifying executable code is perfectly legal. One cannot legitimately expect that only malware will use self-modifying code, thus the checksums start to change and become unusable.
The best thing is to have the executable receive a digital signature from the software vendor, and the F-Secure virus lab will grant a generic exclusion for that crypto signature, if the vendor is truly reputable. (But maybe this reputation method may not work now, thanks to the guys who wrote Stuxnet/Duqu?)
Signing software requires that the file that is signed does NOT change!
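Added example (not from any poster in this thread and not F-Secure code): before putting the SHA-1 from an alert into the trusted applications table, confirm that the file on disk still has that hash. It also shows why a hash exclusion stops matching once the file changes. The function names are hypothetical, the alert layout is assumed to be the one quoted above, and the sample file is constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Matches the alert layout quoted in this thread (path, then 40-hex-digit SHA-1).
ALERT_RE = re.compile(
    r"Application path:\s*(?P<path>.+?)\s*File hash:\s*(?P<sha1>[0-9a-fA-F]{40})\b",
    re.DOTALL,
)

def parse_alert(text):
    """Return (path, sha1) from a DeepGuard alert, or None if not found."""
    m = ALERT_RE.search(text)
    if not m:
        return None
    path = m.group("path")
    if path.startswith("\\\\?\\"):      # drop the \\?\ long-path prefix
        path = path[4:]
    return path, m.group("sha1").lower()

def sha1_of(path, chunk=1 << 16):
    """SHA-1 of a file, read in chunks so large executables are fine."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def hash_still_valid(alert_text, local_path=None):
    """True if the file on disk still has the hash the alert reported."""
    parsed = parse_alert(alert_text)
    if parsed is None:
        raise ValueError("no path/hash pair found in alert text")
    path, reported = parsed
    return sha1_of(local_path or path) == reported

def demo():
    """Constructed stand-in binary: matches first, mismatches after a change."""
    with tempfile.TemporaryDirectory() as d:
        exe = Path(d) / "sample.exe"
        exe.write_bytes(b"MZ" + b"\x00" * 64)          # constructed content
        alert = ("Application path: \\\\?\\c:\\demo\\sample.exe "
                 f"File hash: {sha1_of(exe)}")
        before = hash_still_valid(alert, exe)
        exe.write_bytes(b"MZ" + b"\x00" * 63 + b"\x01")  # simulate an update
        after = hash_still_valid(alert, exe)
        return before, after
```

A mismatch means the trusted entry would no longer cover the file, so the hash has to be collected again after every update of the application.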