False positive detection in Capricorn engine

Jali Posts: 1,769 F-Secure Employee

Products affected: F-Secure Protection Service for Business Server Security, F-Secure Client Security (all old versions prior to 13.0), F-Secure Email and Server Security, F-Secure Server Security, F-Secure Protection Service for Business Workstation Security. 


Note also that this issue affects only products that are running on a 32-bit Windows platform.

Problem: We have a false positive detection in the Capricorn engine.  This is caused by USS which creates temporary files that are then detected by Capricorn. This happens during system scanning where USS iterates through the driver images.


Detection names are (examples):

  • Trojan.TR/Rootkit.Gen2 
  • Trojan.TR/Crypt.XPACK 
  • Trojan.TR/Patched.Gen
  • file_path:     %WINDOWS%\temp\uss27ad.tmp 
  • file_path:     %WINDOWS%\temp\ussb31a.tmp



Depending on the settings, restarting possibly removes the detected drivers and will render the computer in malfunction state.

Visible effects: If you reboot, the files are deleted. Reboot may result in a situation where the computer gets into malfunction state.

Solution: If your system has any of the above-mentioned false positive detections, ensure that you have the following update downloaded and installed (do not reboot the machine before):


Universal System Scanner 2019-02-05_02 (or newer)

Internal reference: TP-422