Got a blue screen and now I'm paranoid

Jrt_233
Jrt_233 Posts: 3 New Member


So I have a kind of weird question...

I have F-secure installed. I know that Windows Defender does not work with F-secure. But I did a full scan of my computer with Windows Defender because I got a blue screen earlier and wanted to do a scan with another program too just in case.

Background:

I was using Microsoft Edge (on a website that might have some suspicious ads, but I never clicked on anything and the page has always been safe when I don't click on any ads, and I have F-secure installed so I have never been worried). I had exited the "website with ads" and I was simply typing something into the Google search box when suddenly my PC's mouse stopped moving, the keyboard stopped working and my PC crashed to a blue screen and gave me some kind of memory error. It was maybe Memory Management or something else (I can't remember the exact one). I don't know if being on that one website could be connected to this blue screen or if it was simply an error out of nowhere (which my PC has never got before in the over 2 years I have had it).

If my PC is fine and nothing is wrong I'll still never visit any website with "too" many ads again, AV installed or not.



Windows Defender keeps telling me about PUA: Win32/NetFilter

Location:

containerfile: C:\Recovery\Customizations\usmt.ppkg

file: C:\Recovery\Customizations\usmt.ppkg->\ICB\MachineSpecific\File\C$\Program Files (x86)\ASUS\GameFirst IV\Driver\tdi\i386\netfilter2.sys

file: C:\Recovery\Customizations\usmt.ppkg->\ICB\MachineSpecific\File\C$\Windows\System32\drivers\netfilter2.sys

Now when I pressed delete it "spins around"/does the process for a long time, then it is gone and says that there are no current threats. When I restart my computer or do another scan with Windows Defender it gives the same PUA notification again.

F-secure scan does not find anything.

I can't find the folder where the supposed PUA is located.

(Also, does Malwarebytes work with F-secure installed?) I did a scan with it too and it at least didn't find anything either.

I would just want some clarification... is my PC safe? PUA is not a virus according to Microsoft support and it is not harmful (they told me this). Is this true? Do I not need to worry about this notification? I just cancelled the Windows Defender scan last time it saw the supposed PUA again. But I'm still worried if it still exists. Is there some kind of way to be sure that it no longer exists without needing to disable F-secure in order for Windows Defender to maybe work properly?

This is really confusing because, like I said earlier, I know that Windows Defender does not work with F-secure so I can't even see protection history and I don't know if the delete option got rid of the program or not. And like I said earlier F-secure never notified me about the/any PUAs.

I'm just really paranoid about this. Even if the other scans don't find anything and even if Windows Defender finds something, are my PC and accounts safe? I need to confirm this... otherwise I will not feel safe using my PC anymore. I don't want to reset my whole PC and I have a lot of important files but no backups.

Help is greatly appreciated!

My questions in short for clarification:

1. Windows Defender full scan keeps finding PUA but other AV scans don't. Does this mean that I'm safe?

2. Does Windows Defender do the "delete" option even with F-secure installed? And even if it does not, is the program still gone since F-secure has not notified me about it?

3. Is the notification fine to ignore since the other scans don't find it?

4. Is PUA really not harmful? It is not a virus? It won't do any damage to my PC or privacy?

5. Why can't I find the location where the program is located? (I'm not sure if I have hidden files shown or not... they should be but I'm not sure.)

Once again help and opinions/suggestions are greatly appreciated.

Accepted Answer

Answers

  • Ukko
    Ukko Posts: 3,241 Superuser

    Hello,

    Sorry for my reply. I am only an F-Secure user (their home solutions).

    I will try to suggest something about your worries. But it would also be nice to know which version of Windows you have. Is it Windows 10?

    I have F-secure installed. I know that Windows Defender does not work with F-secure.

    Yes, and actually with the latest versions - Windows Defender should be automatically disabled (turned off) when F-Secure AV/IS/SAFE is active.

    But, in addition to above, you can configure limited periodic scanning by Windows Defender. In a way, as a scanning system on demand (no real-time protection and limited possibilities). Perhaps, there is a reference to this feature: Enable the limited periodic Microsoft Defender Antivirus scanning feature - Windows security | Microsoft Docs

    This is, in a sense, a "designed" way to briefly scan the system with Windows Defender, even with an active F-Secure solution.

    In addition, Windows Security has a number of other options and functionality that work regardless of the AV solution used (and with Windows Defender off state). It is good to keep them on (although this can sometimes be inconvenient).

    I was using Microsoft Edge (on a website that might have some suspicious ads..

    Some (or all) Chromium-based (WebKit-, Blink-, Chrome-based) and some alternative browsers have built-in filtering for certain types of ads. This functionality can be found in the following place (Microsoft Edge Chromium): Settings logo (three dots, for example) -- Settings -- Cookies / Site permissions -- there can be different options including Pop-ups and redirects / Ads and so on. It is possible to turn it "off" (block). There may be fewer questionable advertisements as a result.

    You could also try to use something like Adblockers (however, good to choose only trusted ones and good ones - but it is tricky to find so). It can be like a browser addon / extension for browser. Although this will be an effective solution against "advertising", it quite often affects the speed of browsing and in some ways can lead to illogical situations.

    when suddenly my PC's mouse stopped moving, Keyboard stopped working and my PC crashed to a bluescreen and gave me some kind of memory error it was maybe Memory management or something else

    If there was no very long interval between freeze and crash (Blue Screen), then this may not be connected with something very dangerous. Instead, it could be just due to overheating of the system or too high (multi-threaded) load on one of the layers (network, for example). In principle, this can also include the hardware point. Anyway, you can only make sure that all the latest available system / third-party drivers are installed and that things like hard drives are functioning properly.

    Blue Screen situations usually create a dump file with additional information. So there is a conditional opportunity to find out the specific cause of the crash (and what was involved in it). But if the situation does not repeat itself, then you maybe can ignore this fact.

    Windows Defender keeps telling me about PUA: Win32/NetFilter

    However, this already sounds more suspicious.

    Their reference about: PUA:Win32/NetFilter threat description - Microsoft Security Intelligence

    In general, this could mean the presence of installed suspicious software or a browser extension (for example). It could also mean changes made in the system even when the suspicious software is already absent. So, it is good to check the list of installed applications in the system and browser addons for ones "unknown" to you.

    But based on your further information, perhaps, situation is not so critical.

    C:\Recovery\Customizations\usmt.ppkg

    Sounds like a Windows 'backup' place with an ability to recover your system to its initial state. For example, with all pre-installed applications on your PC. For instance, "ICB\MachineSpecific\File\C$\Program Files (x86)\ASUS\GameFirst IV\Driver\tdi\i386\netfilter2.sys"

    Sounds like a game directory. Probably, this file and other files (of the game) are a well-known trigger of detection by some security solutions. Maybe a false positive event. And this ".sys" (driver) just looks suspicious to them.

    When I restart my computer or do another scan with Windows Defender it gives the same PUA notification again

    Perhaps, this discussion can be useful about: Windows Defender Identifies The SAME PUP As A Threat Repeatedly - Microsoft Community

    Also does Malware bytes work with F-secure installed

    You can try to use it, but both solutions can be with limitations or interruptions. And this is not officially supported or recommended.

    Even if the other scans don't find anything and even if Windows Defender finds something are my PC and accounts safe?

    Based on provided paths to detected items - most likely - situation is normal.

    First, it still looks like a static threat. Secondly, it is PUA (that is, only potentially unwanted). You could read, for example, how F-Secure identifies Potentially Unwanted Applications: https://www.f-secure.com/v-descs/guides/classification_guide_pua.shtml

    All in all, Windows Defender cannot clean it because of the 'tricky' place of the detected item (inside a package under the "Recovery" part of the system partition). Probably, it is even a false positive detection (you can try to reach Microsoft Support and transfer the 'quarantined'/detected item information as a potential false positive detection). At least, because other security solutions did not find anything about it. However, I can recommend checking the F-Secure scanning settings (open the F-Secure main screen by clicking on the tray logo or double-clicking the desktop logo - "Settings" - allow changes by the related button - switch to the "Manual scanning" settings tab and choose the option to scan inside compressed files, and uncheck scanning only file types known to be dangerous).

    Windows Defender full scan keeps finding PUA but other AV scans don't. Does this mean that I'm safe?

    Likely yes. At least, based on provided information about detected items.

    Because it is located under the "C:\Recovery" folder. So, it is somewhat involved in the preset or 'initial' state of the system. For example, general information: https://en.wikipedia.org/wiki/Windows_Preinstallation_Environment#Windows_Recovery_Environment

    Then, it is in the "Customizations" subfolder. And the container is ".ppkg" (a general quote about it is the next one: "This package, "provisioning package (.ppkg)", stores updates and applications installed and even used by the Windows system since a factory installation"). Then it contains "ASUS\GameFirst IV". Perhaps, if your PC is powered by ASUS, then this game was preinstalled / packaged with the PC. And the game itself contains drivers for its work. Which look suspicious to Windows Defender. Others either do not scan this part of the system, or the files are considered safe (they ignore the false positive event). Anyway, the files are static (from this partition/directory/folder). So, not used.

    Because of the important / critical / restricted place of the detected items, maybe there is no way to safely delete it. Thus, Windows Defender detects it after each scan. However, I provided a URL to a discussion about another possibility above.

    It is also, probably, protected against manual access to it by user.

    4. Is PUA really not harmful? It is not a virus? It won't do any damage to my PC or privacy?

    No, it potentially can be harmful. Based on the certain PUA, the result can be different. This detection looks more like a false positive. Otherwise, it can be more like adware. However, this is just speculation without any additional information.

    Thanks! Sorry for the large reply and sorry if it is not about something helpful. You can ask additional things further.

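To make the point about the "tricky place" concrete: the two Defender locations in the question are not folder paths but a container path followed by a path inside the provisioning package. The PowerShell below is an added example, not code from this thread, F-Secure or Microsoft; it assumes the "container->member" layout shown in the post and that it is run from an elevated prompt, since C:\Recovery is a hidden system directory.

```powershell
# Added example: split a Defender "file:" location into the on-disk container and the
# member path inside it, then check what actually exists on disk.
function Split-DefenderLocation {
    param([Parameter(Mandatory)][string]$Location)
    # Drop the "containerfile:" / "file:" label Defender prints in its Location block
    $path  = $Location -replace '^(containerfile|file):\s*', ''
    $parts = $path -split '->', 2          # container path, then the path inside the package
    [pscustomobject]@{
        Container = $parts[0]
        Member    = if ($parts.Count -gt 1) { $parts[1] } else { $null }
    }
}

function Test-DefenderLocation {
    param([Parameter(Mandatory)][string]$Location)
    $loc = Split-DefenderLocation $Location
    # -Force is needed for hidden/system items; without elevation access is denied and
    # Test-Path simply reports $false, which is why Explorer never shows this folder.
    $exists = Test-Path -LiteralPath $loc.Container -PathType Leaf
    $attr   = if ($exists) { (Get-Item -LiteralPath $loc.Container -Force).Attributes } else { $null }
    [pscustomobject]@{
        Container        = $loc.Container
        ContainerExists  = $exists
        Attributes       = $attr
        Member           = $loc.Member
        MemberIsArchived = [bool]$loc.Member   # a .ppkg member never appears as a normal file or folder
    }
}

# Constructed sample input: the two locations quoted in the question
$sample = @(
    'file: C:\Recovery\Customizations\usmt.ppkg->\ICB\MachineSpecific\File\C$\Program Files (x86)\ASUS\GameFirst IV\Driver\tdi\i386\netfilter2.sys',
    'file: C:\Recovery\Customizations\usmt.ppkg->\ICB\MachineSpecific\File\C$\Windows\System32\drivers\netfilter2.sys'
)
$sample | ForEach-Object { Test-DefenderLocation $_ } | Format-List

# Is Defender's PUA detection enabled at all? 0 = disabled, 1 = enabled, 2 = audit mode.
# The cmdlet fails harmlessly when the Defender service is turned off by a third-party AV.
try   { "PUAProtection: $((Get-MpPreference -ErrorAction Stop).PUAProtection)" }
catch { Write-Warning "Defender cmdlets unavailable: $($_.Exception.Message)" }
```

If ContainerExists is true and MemberIsArchived is true, the detection refers to a file packed inside usmt.ppkg, so it will reappear on every full scan until the package itself is handled or the detection is excluded.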
  • Jrt_233
    Jrt_233 Posts: 3 New Member

    Thank you for the reply and sorry it took me so much time to reply.

    I have Windows 10.

    I also can't find this "recovery" folder. I have hidden files shown so maybe it truly is just some folder that the user can't directly access.

    Is it normal that F-secure and Windows Defender never gave me a notification about the PUA? I got the notification about it after doing a full scan with Windows Defender. F-secure scan or quick scan with Windows Defender found nothing.

    If F-secure never told me about the PUA was Windows Defender able to handle the PUA either quarantine or delete/block it even with F-secure enabled?


    I also had a notification about the netfilter2.sys (I'm not sure if it was the same one) but I managed to find that folder, under the ASUS Game First IV, and the file was no longer there. But I think that was different than this notification. I might remember wrong though.

    So basically my question is: can Windows Defender still quarantine or delete files even with F-secure, since F-secure never had a notification about detecting the PUA?

    Sorry for asking so many questions again but I just feel a bit paranoid since my PC usually never crashes and I haven't had many notifications from any AVs before.

  • Jrt_233
    Jrt_233 Posts: 3 New Member

    Thank you so much again for the reply and detailed answers to my questions. I think after hearing all of this I believe my PC is fine. I will check the Windows Defender PUA notification discussion and try it to get rid of the repeating notification. Thank you for your help.

  • Ukko
    Ukko Posts: 3,241 Superuser
    edited December 2020

    by the way,

    In any case, it is good to keep most of the important files in a backup. Another hard drive (removable) or something like this. There are many ways to make a backup with smooth flow, different designs and so. At least, to do so from time to time (better than not doing it at all).

    And general security point is to make sure that installed applications (software), browsers addons are known for you and with up-to-date state. And of course, stay vigilant while browsing.

    Other than that, strong/unique passwords (securely stored), configured security solution and occasional 'for sure' manual full scans.

    // Most often, some kind of impact requires launching a suspicious file. For example, attachment to an email. Or download. Good to avoid unnecessary ones. Furthermore, even for fraudulent schemes and some similar things, user's interaction is required. Try to keep control over the things.
