F-Secure: left hand doesn't know what the right hand is doing? (PSB remote FSDIAG confusion)
A few months ago it became possible to initiate FSDIAG remote diagnostic collection for F-Secure PSB protected endpoint computers, through the PSB webportal account. As the admin assigns the task, a long unique FSDIAG identifier is displayed in the portal.
I have since experienced several cases, where I contact F-Secure Virus Lab to inquire about this or that particular PSB endpoint computer, which seems to have suffered a complicated infection incident. The FSC virus lab responds by asking for an FSDIAG result and I tell them the unique ID (in fact the unique ID was part of my original submission).
Yet they respond they have no access to FSDIAG and want me to submit the TAR.GZ or ZIP package as attachment. But I have no access to the FSDAIG result, in fact the very reason centrally-remotely initiated FSDIAG capability was introduced to PSB system to make effective support possible.
Please quickly sort out why one branch of F-Secure doesn't know about or doesn't know how to use a feature developed by another F-Secure branch and fix the problem.
Thanks in advance, Yours Sincerely: Tamas Feher, Hungary.
The F-Secure Labs Team will consider about using the remote FSDIAG feature after checking on the possible GDPR constrains of granting the access to the team.
For the meantime, please take note that for malware and false positive incidents, we do still require the file samples to be submitted at the first stage.
While FSDIAG may be useful at a later stage during an ongoing case investigation, FSDIAG doesn’t contain the actual detected samples that we require to fix a detection. In most cases it is often sufficient to submit the affected file samples without requiring an FSDIAG to resolve the case.
> In most cases it is often sufficient to submit the affected file samples
In most F-Secure PSB related false virus alert cases, it is simply impossible for us to obtain binary file samples!
The essence of PSB is that there is no IT Security infrastructure on-site: the customer has no competent person on location and we don't have remote desktop access to them and most often haven't ever been to the town the customer is located and have no contract or even contact with them (e.g. many dozens of primary and secondary schools in the countryside in our case). How I am supposed to provide the lab with binary samples then?
I have been begging F-Secure to implement remote sample submission capability in the PSB SoP / SeP webportal accounts, but they always blame some kind of a bureaucratic obstacle. Without that capability and considering the relatively frequent occurance of Capricorn and DeepGuard scan engine false malware alarms, it is difficult to operate PSB effectively. The pattern I see is that whenever a false alarm occurs, PSB tends to get locally uninstalled from the particular endpoint.
Thanks for your kind attention, Sincerely:
Tamas Feher, Hungary.0 Like
victor_js Posts: 7 F-Secure Employee
As MonikaL shared, obtaining the file samples during the first stage would be the most efficient way to resolve a false positive case.
The binaries are required for us to debug how the false positive may occur in a particular file and then apply the necesary fixes, while keeping the protection on a good level to still detect valid malware samples.
In some cases, the samples may be publicly available or already in our backend. I would recommend whenever possible to provide at least the file hash (SHA1) when filing a false positive case, so that we can check if the sample is already available to us.
The PSB Management API documentation contains some examples on how to generate a report containing the detection details (including SHA1) programmatically:
For cases where the sample is not available to us (e.g. internally-developed software), there's an easy-to-use F-Secure tool available that we recommend to both Home and Corporate users to utilize in order to safely retrieve the quarantined files before submission.
The tool would have to be executed at the endpoint where the samples were quarantined, and its usage instructions are described here:
As PSB currently doesn't feature remote sample submission capabilities, I hope you find the above information useful for the time being.7 2Like
Regarding the comment about sample submission from the PSB portal, this feature request has been added to the backlog (as a possible future feature under consideration) when you suggested it so it has not been ignored.