Lack of SHA-1 checksum on certain malware alert in the webportal

Dear F-Secure,

 

I would like to repeatedly request that PSB endpoints should report the SHA-1 checksum on every malware alert to the webportal. Currently only Deepguard module based detections provide a checksum in F-Secure alerts, but traditional virus detection module based alerts do not. Let me explain why that asymmetry is a serious problem:

 

- Sometimes I see alerts like these in the PSB portal and think they may be false alarms:

 

File: ...blahblah...\c-project\2\20190531\bin\Debug\20190531\2.exe
Hash: c6da49a63d096f2515f0a3ce920f5be0a6980ff7
Threat: Suspicious:W32/Malware!DeepGuard.n

 

Here I can use the Hash as a clue to start searching, e.g. in the VirusTotal web portal, to find a sample that matches the SHA-1 value exactly. If I find one, I can report the case to the F-Secure Virus Lab and they can fix the false malware detection. This method works well.

 

- Sometimes I see alerts like these in the PSB portal and think they may be false alarms:

 

File: ...blahblah...\Browny02\Brother\BrStMonW.exe

Threat: Heuristic.HEUR/AGEN.1019626

 

Here I see no Hash value to start searching for, so I cannot find an exact sample match to report. Searching for the file name is not possible in VirusTotal, and even if I find a file with that name elsewhere, it is usually a different minor version of the same software, so it cannot be used to reproduce the false malware alert event and I cannot report the case to the F-Secure Virus Lab to have it fixed.

 

Due to the lack of hash info in so many malware alerts (many of them obvious false alerts at first sight), I often feel helpless, as I would like to have them fixed by the FSC virus lab but can't find a way to submit them in a usable manner.

 

Please consider if anything could be done to alleviate this situation!

 

Thanks in advance, Yours Sincerely:
Tamas Feher, 2F 2000 Kft., Hungary.

 

EDIT: Title


Best Answer

  • AndyF-PM, Posts: 12, F-Secure Product Manager
    Accepted Answer

    Hi Tamas,

     

    Thanks for your post and request.

     

    We've looked into this, and we should be able to add more information such as the hash to the portal.

     

    I cannot give an exact timeline on this being available, but it's in our queue for implementation.

     

    Best Regards,

     

    Andy

     


Comments

  • I ran into a similar problem. I translated a previously compiled program again with Delphi 10.1 and got the following error: Heuristic.HEUR / AGEN.1042929

    Sincerely: Sandor

  • etomcat, Posts: 1,318, Superuser

    Hello,

     

    > translated a previously compiled program again with Delphi 10.1 and got the following error: Heuristic.HEUR / AGEN.1042929

     

    Please do this:

     

    - Upload the affected program file to "www.virustotal.com" (that website is run by Google)

     

    - When you see the virus scanner detection results, there will be a "Details" tab

     

    - Tell us the "SHA-1" value written there, something similar to: e33a0247f0ed3635a12a4927a6380308e430fe04

     

    This allows us to report the false malware alarm for fixing.

     

    Best regards: Tamas Feher, 2F 2000 Kft., Budapest.
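The lookup method described in the original post and in the three steps just above, as an added example that is not part of this thread or of any F-Secure tool: a small Python 3.9+ triage script that parses alert records in the File/Hash/Threat layout shown in the post, flags the ones that carry no hash, and, where the flagged file is still present on the endpoint, computes the SHA-1 (and SHA-256) locally so the exact sample can be searched on VirusTotal without first uploading it. The alert text and the stand-in file content are constructed for the example; the VirusTotal search URL layout and the resolve_path mapping from the portal's abbreviated path to a real path are assumptions.

```python
"""Alert triage helper. Added example; not code from the thread or from F-Secure."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample in the portal's layout, built from the two alerts quoted in
# the thread (paths abbreviated there; the second, traditional-scanner record
# carries no hash).
SAMPLE_ALERTS = r"""
File: ...blahblah...\c-project\2\20190531\bin\Debug\20190531\2.exe
Hash: c6da49a63d096f2515f0a3ce920f5be0a6980ff7
Threat: Suspicious:W32/Malware!DeepGuard.n

File: ...blahblah...\Browny02\Brother\BrStMonW.exe
Threat: Heuristic.HEUR/AGEN.1019626
""".strip()

HEX_SHA1 = re.compile(r"^[0-9a-fA-F]{40}$")
HEX_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")


@dataclass
class Alert:
    path: str
    threat: str
    sha1: Optional[str] = None
    sha256: Optional[str] = None

    @property
    def needs_hash(self) -> bool:
        return self.sha1 is None and self.sha256 is None


def parse_alerts(text: str) -> list:
    """Split blank-line separated records and read their 'Key: value' lines."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only, so 'C:\' survives
            if sep:
                fields[key.strip().lower()] = value.strip()
        if "file" not in fields or "threat" not in fields:
            continue  # not an alert record
        alert = Alert(path=fields["file"], threat=fields["threat"])
        digest = fields.get("hash", "")
        if HEX_SHA1.match(digest):
            alert.sha1 = digest.lower()
        elif HEX_SHA256.match(digest):
            alert.sha256 = digest.lower()
        alerts.append(alert)
    return alerts


def hash_file(path: str) -> dict:
    """SHA-1 and SHA-256 of a file, streamed so large binaries are not read into RAM."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return {"sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def virustotal_search_url(digest: str) -> str:
    # Assumed layout of a hash search in the VirusTotal web UI.
    return f"https://www.virustotal.com/gui/search/{digest}"


def triage(alerts: list, resolve_path: Callable[[str], str] = lambda p: p) -> list:
    """Return (path, threat, digest, status) per alert, hashing locally where possible.
    resolve_path maps the portal's (possibly abbreviated) path to a real path; the
    default assumes the portal path is usable as-is."""
    report = []
    for a in alerts:
        if not a.needs_hash:
            status = "hash from portal"
        else:
            local = resolve_path(a.path)
            if local and os.path.isfile(local):
                digests = hash_file(local)
                a.sha1, a.sha256 = digests["sha1"], digests["sha256"]
                status = "hash computed locally"
            else:
                status = "NO HASH: file not available, exact sample cannot be identified"
        report.append((a.path, a.threat, a.sha1 or a.sha256, status))
    return report


def demo() -> list:
    """Run the triage with a constructed stand-in (content b'abc') for the hashless file."""
    stand_in = os.path.join(tempfile.mkdtemp(), "BrStMonW.exe")
    with open(stand_in, "wb") as fh:
        fh.write(b"abc")  # constructed content, not the real Brother binary
    resolve = lambda p: stand_in if p.endswith("BrStMonW.exe") else p
    return triage(parse_alerts(SAMPLE_ALERTS), resolve)


if __name__ == "__main__":
    for path, threat, digest, status in demo():
        print(f"{threat}\n  {path}\n  {status}")
        if digest:
            print(f"  search: {virustotal_search_url(digest)}")
```

Hashing on the endpoint and searching VirusTotal by digest is the safer order of operations: the first alert in the thread is on a developer's own freshly built 2.exe, and uploading such internal binaries to a public service before knowing whether a sample is already there discloses them unnecessarily. A hash search only finds files someone has already submitted, so when the search is empty, uploading (or sending the sample to the vendor's lab directly) remains the fallback.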

  • Hi etomcat!

    SHA-1: fdeaf9713b68cd5e921a72b41fbe23550d0d6dd9

     

    Thanks and best regards,

    Sándor

  • etomcat, Posts: 1,318, Superuser

    Hello Sandor

     

    This morning I've opened case ticket xxxxxxxx with the FSC virus analysis lab and currently waiting for their response.

     

    Best regards: Tamas Feher.

     

    Edit: Removed case number

  • etomcat, Posts: 1,318, Superuser

    Hello Sandor,

    F-Secure viruslab sent the following ticket response on Friday morning:

     

    "Our analysis has found that the file you submitted is clean.
    We have identified the issue as a False Positive, which will be resolved automatically via F-Secure's Security Cloud.
    In the meantime, you may exclude this file from further scanning by using the following instructions:

     

    F-Secure Home Security products:

    https://community.f-secure.com/t5/F-Secure-SAFE/How-do-I-exclude-a-file-or/ta-p/56363

     

    F-Secure Business Security products:

    https://community.f-secure.com/t5/Business/Excluding-objects-from-Real-Time/ta-p/66013

     

    Best regards,
    F-Secure Customer Protection"

  • Thanks,

    I think this error came out due to a platform problem; it is produced by the Delphi Vcl.FileCtrl components, like FileListBox, DirectoryListBox, DriveComboBox, ...

    Regards,

    Sandor

This discussion has been closed.