Self-false alarm in F-Secure PSB "Software Updater" subsystem hits new 32/64-bit versions of Firefox
I am seeing the below quoted, curious malware alerts in the F-Secure PSB EMEA "SoP" webportal. I have reported them to F-Secure Virus Lab as cases xxx and xxx and they are asking for samples in response. I find that request bizarre, considering that F-Secure Corp. itself is distributing these files on which the FSAV false alerts occur...
OS: Win 10 Pro 64-bit, version 10.0.17763
Software: F-Secure PSB Computer Protection client 19.3
File: C:\ProgramData\F-Secure\swup2\working\deployer\Patches\Firefox Setup 67.0.2_x86_HUN.exe
OS: Win 10 Ent 64-bit, version 10.0.17134
Software: F-Secure PSB Computer Protection Client 19.3
File: C:\ProgramData\F-Secure\swup2\working\deployer\Patches\Firefox Setup 67.0.2_x64_HUN.exe
Please review the situation if possible, because there is no way I could obtain binary file samples from those PSB endpoints. They are located in some Hungarian school in the countryside, but I don't even know where exactly geographically, I don't have remote desktop to them, and FSAV PSB doesn't yet support remote sample submission.
Thanks in advance, Yours Sincerely:
Tamas Feher, 2F 2000 Kft., Hungary.
EDIT: Removed Case numbers
Thanks for reporting this. We will find the samples and send them to analysts.
Note that F-Secure does not distribute these updates. We download them from vendor sites and have no way to verify if they will be false-positived or not before that happens, especially for DeepGuard, which analyses events from a running application, not just scanning the file.
DeepGuard detections are often based on rarity of files, and if you are the first one seeing this update then it's rare and DeepGuard treats it as suspicious. I assume signing for these updates is also somehow changed so it's not trusted and detection is triggered on system modification.
Thanks for your super-quick response!
> I assume signing for these updates is also somehow changed
There was a minor scandal recently where one of Mozilla Firefox's certificates expired (wasn't renewed in time) and all browser extensions were disabled as a result. They had to issue a new emergency cert as a result. The incident was discussed here:
Yours Sincerely: Tamas Feher, Hungary.