DeepGuard false positive?!
Dear Sir or Madam!
I have the following problem:
First of all: I use Win 7 Ultimate 64-bit (current update level) and F-Secure Internet Security (subscription until 2020, current version). My computer runs all day; when not in use I put it into standby mode. I also use a VPN (Perfect Privacy). Yesterday evening, after waking it from standby, I immediately received the following message:
07.01.2019 19:29 Application blocked
Path: c:\windows\system32
File: cmd.exe
Reason: Trojan:W32/GenericSuspExecution.A!DeepGuard
In Application and File Control, "Blocked" tab:
07.01.2019 19:29 cmd.exe
Reason: Malware: c:\windows\system32\cmd.exe
Allow?! Delete?!
I then did the following:
- Manual scan (F-Secure): no error message / no findings
- Online scan (F-Secure): no error message / no findings
- HouseCall64 scan (Trend Micro): no error message / no findings
- cmd.exe file data: size 345,088 bytes, modified 21.11.2010 04:23. On another Win 7 system it shows: size 345,088, modified 20.11.2010 14:24. So they differ in the modification date, but I don't know whether that matters.
This leaves me with the following questions:
- Could this be a false positive from DeepGuard?
- If so, can I release cmd.exe again (Allow) in File and Application Control?
- If not, what further steps should I take? Could I, for example, replace the cmd.exe file with an original version, or is that not advisable?
I would be very grateful for any tips and advice.
Comments
-
Hello,
Sorry for my reply; I am only an F-Secure user (of their home solutions).
Just as a side note: one option is to contact their official support channels (chat or phone):
Other additions to this suggestion are:
- the ability to create an fsdiag and to collect the quarantined item:
- https://community.f-secure.com/t5/Common-topics/How-do-I-create-an-FSDIAG-file/ta-p/18190
- https://community.f-secure.com/t5/Common-topics/How-do-I-collect-quarantined/ta-p/78104
- https://community.f-secure.com/t5/Common-topics/Collecting-quarantined-files/ta-p/92151
- and then to use these (or in addition to the noted support channels):
- https://community.f-secure.com/t5/Common-topics/How-do-I-submit-a-large-FSDIAG/ta-p/77917
- https://community.f-secure.com/t5/Common-topics/How-can-I-submit-samples-to-F/ta-p/77674
- https://community.f-secure.com/t5/Common-topics/How-can-I-submit-large-samples/ta-p/77499
My own feelings are:
-> as part of ransomware protection (protected folders) or as part of generic DeepGuard functionality, it could well be a false positive detection.
-> but I suspect that the situation is not pinned to "cmd.exe" (the command line) directly.
Likely, something used cmd.exe to perform scripting or a certain task.
So DeepGuard detected a suspicious execution and blocked cmd.exe, but it is unclear what/who triggered cmd.exe.
It is possible that some scheduled task was configured to wake the machine, either as a one-time task or as a task that still remains.
Otherwise, it would be good to understand what the 'performed' (in fact, prevented) action was.
My own suggestion (in addition to trying the official support channels): double-check the Windows Event Log, where it may be possible to locate F-Secure events or even to check F-Secure's own log there (if available), in case such an entry holds more information (for example, the application which tried to use cmd.exe).
In addition, if you suspect that it is a fake/tricky cmd.exe file, you can restore it from quarantine and then transfer the file to F-Secure Labs (F-Secure SAS) or upload it to Virustotal.com (as a double check).
But I think that contacting the official support channel for a proper investigation, or double-checking the Windows Event Log (for more information), are the most useful and safe steps.
Thanks!
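The checks the reply above recommends (verify the cmd.exe file itself rather than trusting its modification date, look for scheduled tasks that wake the machine, and look in the Windows Event Log for what ran at 19:29), written out as a PowerShell triage script. This is an added example and is not code from the original post, the reply, or F-Secure. It assumes an elevated PowerShell on the affected Windows 7 machine, a reference SHA-256 that you compute yourself on a known-good machine with the same Windows patch level (the placeholder value below is not a real hash), and the block time taken from the DeepGuard alert; the F-Secure provider-name wildcard is an assumption, since the exact event provider name is not given anywhere on the page.

```powershell
# Added example for triaging the DeepGuard block on cmd.exe discussed in this thread.
# Not part of the original post or reply. Run in an elevated PowerShell on the affected PC.
# Assumptions (not from the page): $ReferenceHash is a SHA-256 you computed yourself on a
# known-good Windows 7 machine with the same patch level; $BlockTime comes from the alert.

$Target        = Join-Path $env:SystemRoot 'System32\cmd.exe'
$ReferenceHash = 'PUT-KNOWN-GOOD-SHA256-HERE'      # placeholder, not a real hash
$BlockTime     = Get-Date '2019-01-07 19:29'

# --- 1. Signature check -----------------------------------------------------
# cmd.exe has no embedded Authenticode signature; it is catalog-signed. Only
# PowerShell 5.1 and later resolves catalog signatures, so on an older build a
# 'NotSigned' result is inconclusive: use Sysinternals 'sigcheck -a -h cmd.exe'.
$sig = Get-AuthenticodeSignature -FilePath $Target
'Signature status : {0}' -f $sig.Status
if ($sig.SignerCertificate) { 'Signer           : {0}' -f $sig.SignerCertificate.Subject }

# --- 2. Hash comparison (a differing modification time proves nothing) -------
# .NET SHA-256 is used because Get-FileHash only exists from PowerShell 4.0.
$sha = New-Object System.Security.Cryptography.SHA256Managed
$fs  = [System.IO.File]::OpenRead($Target)
try     { $hash = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
finally { $fs.Close() }
'SHA-256          : {0}' -f $hash
'Matches reference: {0}' -f ($hash -ieq $ReferenceHash)

# --- 3. Scheduled tasks allowed to wake the machine (Task Scheduler COM API) --
function Get-WakeToRunTasks([object]$Folder) {
    foreach ($t in $Folder.GetTasks(1)) {              # 1 = TASK_ENUM_HIDDEN
        if ($t.Definition.Settings.WakeToRun) {
            New-Object PSObject -Property @{
                Path       = $t.Path
                LastRun    = $t.LastRunTime
                LastResult = '0x{0:x}' -f $t.LastTaskResult
                Actions    = ($t.Definition.Actions | ForEach-Object { "$($_.Path) $($_.Arguments)" }) -join '; '
            }
        }
    }
    foreach ($sub in $Folder.GetFolders(0)) { Get-WakeToRunTasks $sub }   # recurse into subfolders
}
$svc = New-Object -ComObject Schedule.Service
$svc.Connect()
Get-WakeToRunTasks $svc.GetFolder('\') | Format-Table Path, LastRun, LastResult, Actions -AutoSize

# --- 4. What ran around the time of the block? --------------------------------
# Security event 4688 only exists if 'Audit Process Creation' is enabled; on
# Windows 7 it records the creator's PID, not the parent image name.
$window = @{ StartTime = $BlockTime.AddMinutes(-5); EndTime = $BlockTime.AddMinutes(5) }
Get-WinEvent -FilterHashtable (@{ LogName = 'Security'; Id = 4688 } + $window) -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'cmd\.exe' } |
    Select-Object TimeCreated, Message | Format-List

# Application-log entries from F-Secure in the same window. The provider name
# is assumed to contain 'F-Secure'; adjust the wildcard if nothing is returned.
Get-WinEvent -FilterHashtable (@{ LogName = 'Application' } + $window) -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*F-Secure*' } |
    Select-Object TimeCreated, ProviderName, Id, Message | Format-List
```

A valid Microsoft signature plus a hash that matches the known-good copy rules out a tampered cmd.exe, which is what the modification-date comparison in the question cannot do; the remaining question is then which task or process invoked it, which steps 3 and 4 narrow down. If the scheduled task listing or the 4688 events name a launcher you do not recognise, that launcher, not cmd.exe, is the thing to submit to F-Secure Labs or VirusTotal.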