F-Secure PSB DataGuard not practically usable in low-tech environments, like public education?

Dear Sirs,

 

I saw an apparent false blocking in FSAV PSB portal and reported it to the F-Secure Virus Lab as follows:

 

Ticket ID: xxxx

Date and time: 2019. feb. 22. 11:15:32

Customer: [a hungarian school]

Computer: [a desktop PC]

OS: Windows 10 64-bit, version 10.0.17763

User: [student's name]

Software: FSAV PSB Computer Protection Premium 19.1

Module: F-Secure DataGuard

File: C:\Windows\System32\PickerHost.exe

Target: C:\Users\Student\Pictures\f07_f4.jpg

Threat: reports.infections.types.ransomwareAccessControl

Action: Blocked

 

I asked the Lab to review the situation and make adjustments to the technology if necessary. I've just received this answer from them:

 

"With Access_Control_List and Discover_trusted_applications_automatically enabled in DataGuard, the feature does not trust by default:
C:\Windows\System32\svchost.exe
C:\Windows\System32\sihost.exe
C:\Windows\System32\PickerHost.exe

 

To workaround the issue, you can add the target path where the Windows process is working on, to the excluded folders in the Profile Editor at:
DataGuard > Manually defined folders > Excluded folders

 

Besides that, the application (for example, OneDrive, etc.) installed to the user directory is not trusted too. To workaround the issue, you can add the application path to the trusted applications in the Profile Editor at:
DataGuard > Access control list > Manually added trusted applications and folders"

 

I don't like this recommendation for a workaround. If the files in question are digitally signed and came from a reputable vendor (Microsoft) then why arent't they trusted automatically? I mean we cannot expect end-users like this primary school to have the skills for adding folder exclusions, etc. themselves and they don't have the money to employ security sysadmins.

 

The PSB system should work correctly by itself, because F-Secure is about automated solutions first and foremost, that's how and why it was sold to non-tech-savvy customers! I feel the technology should be tuned centrally by the vendor.

 

Thanks for your attention, Sincerely:
Tamas Feher, Hungary.

 

EDIT: Removed case number

Best Answer

  • fedoolfedool Posts: 146 F-Secure Employee
    Accepted Answer

    We have reviewed these apps and we will add sihost.exe and PickerHost.exe to exclusions.

    Thank you

    etomcat

Comments

  • fedoolfedool Posts: 146 F-Secure Employee

    Hello,

     

    Thank you for feedback.

    Main point of dataguard protection is to protect your files. It's not about recognizing if the application which changes your file is trusteable or not. We know that some ransomwares inject into legit signed apps and do encryption of your files. If we would just trust everything what is correctly signed - we would not protect you from that.

    But if we would not trust anything - it would create lot of false positives so we have a list of whitelisted apps. And PickerHost.exe is currently not there.

    We will recheck again if we can trust PickerHost.exe

    etomcat
  • etomcatetomcat Posts: 1,318 Superuser

    Dear Fedool,

     

    > we will add sihost.exe and PickerHost.exe to exclusions

     

    Thank you for the response and the solution offered!

     

    I would also like to ask if the Microsoft OneDrive online storage service agent's trust status could be revised as well, since the adoption of "cloud-based" solutions is accelerating?

     

    I mean frequently recurring incidents like this, where e.g. a description of imaginary city sightseeing in ancient Rome isn't approved by F-Secure Dataguard:

     

    Computer: https://emea.psb.f-secure.com/#/c282728/devices/computer/2475086

    OS: Windows 10 64-bit, version 10.0.17134

    Software: F-Secure PSB Computer Protection Premium 19.1

    Module: DataGuard

     

    Date and time: 2019.02.28. 10:04:51
    File: C:\Users\user.name.HT\AppData\Local\Microsoft\OneDrive\OneDrive.exe
    Target: C:\Users\user.name.HT\OneDrive\Dokumentumok\5.o töri\Városnézés az ókori Rómában.docx
    Threat: reports.infections.types.ransomwareAccessControl
    Action: Blocked

     

    Date and time: 2019.02.11. 10:05:54
    File: C:\Users\user.name.HT\AppData\Local\Microsoft\OneDrive\OneDrive.exe
    Target: C:\Users\user.name.HT\OneDrive\Dokumentumok\5.o töri\Ókori Róma (Automatikusan mentett).doc
    Threat: reports.infections.types.ransomwareAccessControl
    Action: Blocked

     

    Thanks in advance, Yours Sincerely:
    Tamas Feher, 2F 2000 Kft., Hungary.

  • etomcatetomcat Posts: 1,318 Superuser

    Dear Fedool,

     

    Please also suggest a solution for "Onedrive.exe" related Dataguard events? One particular computer is spamming the PSB SoP portal with 655 (!) recent alerts for "reports.infections.types.ransomwareAccessControl" regarding Onedrive and .docx files, as seen here:

     

    https://emea.psb.f-secure.com/#/c282728/devices/computer/2475086

     

    The use of cloud is gaining importance and some kind of by default solution is needed.

     

    Thanks in advance, Yours Sincerely: Tamas Feher, Hungary.

     

     

  • fedoolfedool Posts: 146 F-Secure Employee

    OneDrive is installed in C:\Users\ and not protected - we cannot trust it by default.

    Otherwise malware can just inject there and do whatever it wants.

    I wonder if you could add it to the list of trusted apps yourself in profile?

  • etomcatetomcat Posts: 1,318 Superuser

    Dear Fedool,

     

    Thanks for your quick response!

     

    > OneDrive is installed in C:\Users\ and not protected - we cannot trust it by default ... I wonder if you could add it to the list of trusted apps yourself in profile?

     

    But if it is too dangerous for F-Secure Corp. to trust, why should I add it as an exception and shift the responsibility upon me? (Note: I'm not the affected end user, I just see those events happening in the PSB SoP portal and the 650+ DataGuard blocking messages are flooding the malware detection list which summarizes a total of app. 5000 computers, thus making the recognition of e.g. false virus alarm occurances rather difficult among the noise.)

    > malware can just inject there and do whatever it wants

     

    I wonder if that should be prevented by DeepGuard? (F-Secure DeepGuard already injects a mini-DLL into processes, preventing other attacks.)

     

    Best regards: Tamas Feher, Hungary.

  • fedoolfedool Posts: 146 F-Secure Employee

    We cannot add user paths to be trusted by everyone because they are in unprotected folder by default. Imagine that you don't have OneDrive - malware can then just create there folder with the same name and we will trust it.

    But when admin configures this exclusion - she should know that OneDrive is installer to this location and can add it a bit more safely.

     

    Yes, DeepGuard will detect and block all known injection attacks but promise ofa  DataGuard feature is that it will protect your data no matter what, even if all other layers of protection are compromised or, for instance, there is no even persistent component on a system to detect. So, we need to be careful with exclusions there

    etomcat
  • etomcatetomcat Posts: 1,318 Superuser

    Dear Fedool,

     

    Thanks for your qick response!

     

    I have posted a (tangentially related) new thread in the community's Partner forum section:

    https://community.f-secure.com/t5/Exclusively-for/Need-quot-anti-flood-quot/td-p/115403

     

    Yours Sincerely: Tamas Feher, Hungary.

  • etomcatetomcat Posts: 1,318 Superuser

    Dear Fedool,

     

    > We cannot add user paths to be trusted by everyone because they are in unprotected folder by default

     

    I'd hope F-Secure could approach Microsoft Corp. with that problem and convince them to relocate the OneDrive program to a more systematic folder path, were Windows OS protections are available (so that 3rd party security software can better trust the cloud client).

     

    Yours Sincerely: Tamas Feher, Hungary.

    fedool
  • etomcatetomcat Posts: 1,318 Superuser

    Dear Fedool,

     

    I would like to ask if a DataGuard trust re-evaluation could also take place for the F-Secure lab ticket xxxx (theme: FSAV PSB CP19 blocks the operation of Windows 8 built-in fax).

     

    Thanks in advance, Yours Sincerely:
    Tamas Feher, Hungary.

     

    EDIT: Removed Case number

  • fedoolfedool Posts: 146 F-Secure Employee

    @etomcat wrote:

    Dear Fedool,

     

    I would like to ask if a DataGuard trust re-evaluation could also take place for the F-Secure lab ticket xxxx (theme: FSAV PSB CP19 blocks the operation of Windows 8 built-in fax).

     

    Thanks in advance, Yours Sincerely:
    Tamas Feher, Hungary.


    I don't have access to this ticket so, most likely answer is "no". Please add details here

     

    EDIT: Removed Case information (PII)

  • etomcatetomcat Posts: 1,318 Superuser

    Dear Fedool,

     

    Thanks for your quick response!

     

    > Please add details here

     

    The PSB SoP webportal reports the following incident:

     

    Date and time: 03/18/2019 09:33:27 AM

     

    Computer:
    https://emea.psb.f-secure.com/#/c285931/devices/computer/2064347

     

    OS: Win 8.1 Pro 64-bit, version 6.3.9600

     

    Software: FSAV PSB Computer Protection Premium 19.2

     

    Module: DataGuard

     

    File: C:\Windows\System32\WFS.exe

     

    Target: C:\Users\Ferencz Krisztina\Documents\Fax\Inbox\WelcomeFax.tif

     

    Threat: reports.infections.types.ransomwareAccessControl

     

    Action: Blocked

     

    Thanks in advance, Yours Sincerely:
    Tamas Feher, Hungary.

  • fedoolfedool Posts: 146 F-Secure Employee

    Thank you for reporting this.

    WFS.exe added to exclusions

    etomcat
  • etomcatetomcat Posts: 1,318 Superuser

    Dear Fedool,

     

    Thanks for your quick action in the Windows Fax case!

     

    I would like to ask for another lab-related intervention, however:

     

    I use e-mails sent to "[email protected]" to submit false alarm reports. There I ususally quickly receive automatic answers with the ticket ID in them, but the human response with the re-evaluation verdict consistently takes a longer time to arrive, like 2-3 workdays.

     

    It seems submitting malware detection cases via the webform on F-Secure's site results in a much quicker human response, often as soon as within 1-2 hours:
    https://www.f-secure.com/en/web/labs_global/submit-a-sample

     

    On the other hand, using the web form is difficult for me, since we need to keep track of what we submit (GDPR, etc.) That's easily achieved when using the e-mail venue, but the webform based method kinds of forgets the orignal submission, so when we recieve a response that doesn't show what the question I entered was, only the analyst's answer and verdict. That makes keeping track of submissions difficult.

     

    Thus, I would like to ask that the above mentioned PARTNER sample submission e-mail address should be given at least equal priority in lab case processing, compared to the web-based submission method.

     

    Thanks in advance, Yours Sincerely: Tamas Feher, Hungary.

     

    EDIT: Removed Email address

  • etomcatetomcat Posts: 1,318 Superuser

    Dear Fedool,

     

    I would like to ask for a review of the following, potentially Windows file related FSAV PSB CP security incident as spotted in a hungarian primary school:

     

    Date and time: 03/25/2019 10:22:31 AM

     

    Customer: https://emea.psb.f-secure.com/#/c282723

     

    Computer:
    https://emea.psb.f-secure.com/#/c282723/devices/computer/2603846

     

    OS: Win10 Ent. 64-bit, version 10.0.17134

     

    Software: F-Secure PSB Computer Protection Premium 19.2

     

    Module: F-Secure DataGuard

     

    File: C:\Windows\SysWOW64\dllhost.exe

     

    Target: C:\Users\kri75\Pictures\Saját\2019. március 23 - Fotós tábor (török idők)\P90323-094531.jpg

     

    Threat: reports.infections.types.ransomwareAccessControl

     

    Action: Blocked

     

    FSDIAG: remote creation has been requested, hope the local user will approve its submission. The related diagnostic ID is e166aec5-8d6f-4cee-9899-6f9d87030cb4.

     

    Please see if the incident may have been a false blocking and whether the situation warrants a central exclusion?

     

    Thanks in advance, Yours Sincerely:
    Tamas Feher, 2F 2000 Kft., Budapest, Hungary.

  • etomcatetomcat Posts: 1,318 Superuser

    Dear Fedool,

     

    I would like to ask for the review of another, curious and possibly false blocking action by F-Secure PSB DataGuard. (It happened recently in a special software and hardware environment, a hungarian school and dormitory for the deaf and hearing impaired youth.)

     

    F-Secure Lab case number: xxxxx

     

    Date and time: 2019. 04.23. 11:05:00

    Customer: KzPTK Hallássérültek Óvodája, Általános Iskolája, Szakiskolája,
    EGYMI és Kollégiuma
    ( https://emea.psb.f-secure.com/#/c282728 )

    Computer: SZERETET-PC
    ( https://emea.psb.f-secure.com/#/c282728/devices/computer/2460239 )

    OS: Windows 10 Professional 64-bit, version 10.0.17763

    User: SZERETET-PC\Emőke

    Software: F-Secure Computer Protection Premium 19.2

    Module: DataGuard

    File: C:\$Windows.~WS\Sources\SetupHost.exe

    Target: C:\Users\Laci\Documents\Windows.iso

    Threat: reports.infections.types.ransomwareAccessControl

    Action: Blocked

     

    Remote submission of FsDiag has been requested, unique ID:

    xxxxx

     

    I hope it would help fine-tuning F-Secure PSB Computer Protection.

     

    Thanks in advance, Yours Sincerely:
    Tamas Feher, 2F 2000 Kft., Hungary.

     

    EDIT: Removed PII

  • etomcatetomcat Posts: 1,318 Superuser

    Dear Fedool,

     

    I would like to ask for a review of F-secure Lab ticket xxxxxx, regarding Dataguard's blocking of Mozilla Thunderbird Updater. I got the usual answer from first-round lab support to manually add exclusions, but I feel Thunderbird is such a popular e-mail client that the issue should be fixed centrally by F-Secure.

     

    Thanks in advance, Yours Sincerely:
    Tamas Feher, Hungary.

  • etomcatetomcat Posts: 1,318 Superuser

    Dear F-Secure Virus Lab,

     

    I would like to ask making "Dataguard" more intelligent, so that it does not need to rely on a myriad of manually configured exclusions to work properly.

     

    Please observe the following incident, where PSB DG is apparently preventing the open-source Mozilla Thunderbird e-mail client from applying a hotfix on itself:

     

    Date and time: 2019 August 09, 12:27:49

     

    Customer: https://emea.psb.f-secure.com/#/c285931

     

    Computer: https://emea.psb.f-secure.com/#/c285931/devices/computer/2431764

     

    OS: Windows 10 64-bit, version 10.0.17134

     

    Software: F-Secure PSB Computer Protection Premium client 19.5

     

    Module: F-Secure DataGuard

     

    File: C:\Users\telep\Desktop\PortOs\ThunderbirdPortable\App\Thunderbird\updater.exe

     

    Target: C:\Users\telep\Desktop\PortOs\ThunderbirdPortable\App\Thunderbird\thunderbird.exe.update_in_progress.lock

     

    Threat: Ransomware access control

     

    Action: Blocked

     

    I have reported that occurance or a very similar one in F-Secure Lab ticket xxxxxxx and received the usual response: "We would advise to add the application to the list of trusted applications under DataGuard".

     

    I don't consider that a good workaround, as F-Secure protection now requires as much or more attention to work properly as it requires to be alert and not click "Open" or "Run" on ransomware threats.

     

    What is the business case for antivirus protection then? Customers do expect automation and AI, since they have subscribed to the "cloud" based F-Secure PSB service taht promised them protection even without a sysadmin on hand.

     

    Thanks for your kind attention, Sincerely:
    Tamas Feher, Hungary.

     

    EDIT: Removed Case number

This discussion has been closed.