Files which are excluded and/or in an excluded folder get quarantined from time to time
Hi,
I am using F-Secure Anti-Virus 18.0 on Windows 10 #21H1.
I added an entire folder (D:\dev) to "Excluded" in "App and file control" window.
I even added an explicit file (D:\dev\myapp.exe) to that exclusion list:
windows.computer_security.internal.excluded_paths.5.path: "D:\\dev "
windows.computer_security.internal.excluded_paths.5.type: "file"
windows.computer_security.internal.excluded_paths.6.path: "D:\\dev\\myapp\\releases\\myapp.exe"
windows.computer_security.internal.excluded_paths.6.type: "file"
But still, from time to time (not always), after a reboot, that file gets quarantined:
2021-08-24 13:56:49.563 [1960.2fc4] I: LynxEngine::CustomScanFile: Cloud scanning success: \Device\HarddiskVolume8\dev\myapp\releases\myapp.exe (1328 ms), reason=fp ct=application/exe
2021-08-24 13:56:49.563 [1960.2fc4] I: UssPlugin::IsSystemWideInfection: Detected a possible infection, checking the system...
2021-08-24 13:56:50.669 [1960.2fc4] I: UssPlugin::IsSystemWideInfection: This seems to be an isolated issue, check took 1094 ms
2021-08-24 13:56:50.684 [1960.2fc4] I: ul::ScanningEnvironment::PostFileScan: Saved in quarantine, as object ID fb1f750
2021-08-24 13:56:50.684 [1960.2fc4] I: ul::ScanningEnvironment::PostFileScan: D:\dev\myapp\releases\myapp.exe : delete ok
2021-08-24 13:56:50.700 [1960.2fc4] I: fs::SPAPIClient::PropagateCustomEvent: alert: {"rl":"sp.evt.oas.alert","rv":{"aa":"dis,del,ren,quar","accesspid":9196,"act":"del","ar":"dis","engi":10020,"ifmly":"virus","iname":"Heuristic.HEUR/AGEN.1128017","obj":{"ref":"D:\\dev\\myapp\\releases\\myapp.exe","sha1":"30f914da778a20cd54b94986962d8e48efc3830a","tp":"fs"},"qrid":263321513,"termsess":0}}
The application uses Themida (h**ps://www.oreans.com/Themida.php) for DRM/code protection, which is maybe what triggers this.
Anyway, even if this were the worst possible malware, if I am storing it in an excluded location, F-Secure should honor this all the time.
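As an added example (not F-Secure's code and not the poster's), here is a small audit script that parses the two kinds of text shown above, the `excluded_paths` settings dump and the scan log, and checks every quarantine alert against the configured exclusions. It assumes only the formats visible in the post; the sample settings and log lines are constructed from the post (the folder entry is kept exactly as posted, trailing space included), the `\Device\HarddiskVolume8` to `D:` mapping is an assumption for this example, and the "exact" versus "lenient" comparison is the script's own way of surfacing exclusion entries that may not match the way the user intended, not a statement about how F-Secure itself matches paths.

```python
"""Audit F-Secure scan-log quarantine alerts against the configured exclusion list.

Added example for this thread, not F-Secure code. Formats are taken only from the
lines posted above; the sample data below is constructed from them.
"""
import json
import re

# Constructed sample: the exclusion entries as posted (entry 5 keeps its trailing space).
EXCLUSION_DUMP = r'''
windows.computer_security.internal.excluded_paths.5.path: "D:\\dev "
windows.computer_security.internal.excluded_paths.5.type: "file"
windows.computer_security.internal.excluded_paths.6.path: "D:\\dev\\myapp\\releases\\myapp.exe"
windows.computer_security.internal.excluded_paths.6.type: "file"
'''

# Constructed sample: three of the log lines from the post.
SCAN_LOG = r'''
2021-08-24 13:56:49.563 [1960.2fc4] I: LynxEngine::CustomScanFile: Cloud scanning success: \Device\HarddiskVolume8\dev\myapp\releases\myapp.exe (1328 ms), reason=fp ct=application/exe
2021-08-24 13:56:50.684 [1960.2fc4] I: ul::ScanningEnvironment::PostFileScan: Saved in quarantine, as object ID fb1f750
2021-08-24 13:56:50.700 [1960.2fc4] I: fs::SPAPIClient::PropagateCustomEvent: alert: {"rl":"sp.evt.oas.alert","rv":{"aa":"dis,del,ren,quar","accesspid":9196,"act":"del","ar":"dis","engi":10020,"ifmly":"virus","iname":"Heuristic.HEUR/AGEN.1128017","obj":{"ref":"D:\\dev\\myapp\\releases\\myapp.exe","sha1":"30f914da778a20cd54b94986962d8e48efc3830a","tp":"fs"},"qrid":263321513,"termsess":0}}
'''

# Assumption for this example: NT device path -> drive letter. On a real host take
# this from `mountvol` or QueryDosDevice instead of hard-coding it.
VOLUME_MAP = {r"\Device\HarddiskVolume8": "D:"}

EXCL_RE = re.compile(r'excluded_paths\.(\d+)\.(path|type):\s*("(?:[^"\\]|\\.)*")')
LOG_RE = re.compile(r'^(\S+ \S+) \[[^\]]+\] \w: (\S+): (.*)$')
CLOUD_RE = re.compile(r'Cloud scanning success: (\S+) \((\d+) ms\), reason=(\w+)')


def parse_exclusions(text):
    """Return {index: {"path": ..., "type": ...}}; values are JSON strings, so decode them."""
    entries = {}
    for idx, key, raw in EXCL_RE.findall(text):
        entries.setdefault(int(idx), {})[key] = json.loads(raw)
    return entries


def parse_log(text):
    """Split the scan log into (timestamp, component, message) tuples."""
    return [LOG_RE.match(line).groups() for line in text.splitlines() if LOG_RE.match(line)]


def device_to_drive(path):
    """Translate a \\Device\\HarddiskVolumeN\\... path to a drive-letter path."""
    for device, drive in VOLUME_MAP.items():
        if path.lower().startswith(device.lower()):
            return drive + path[len(device):]
    return path


def parse_events(text):
    """Extract cloud-scan results, quarantine saves and alert records from the log."""
    events = []
    for ts, component, msg in parse_log(text):
        m = CLOUD_RE.search(msg)
        if m:
            events.append({"ts": ts, "kind": "cloud_scan", "path": device_to_drive(m.group(1)),
                           "ms": int(m.group(2)), "reason": m.group(3)})
        elif msg.startswith("Saved in quarantine"):
            events.append({"ts": ts, "kind": "quarantine", "object_id": msg.rsplit(" ", 1)[1]})
        elif msg.startswith("alert: "):
            rv = json.loads(msg[len("alert: "):])["rv"]
            events.append({"ts": ts, "kind": "alert", "path": rv["obj"]["ref"],
                           "sha1": rv["obj"]["sha1"], "name": rv["iname"],
                           "action": rv["act"], "qrid": rv["qrid"]})
    return events


def _norm(p):
    return p.rstrip().casefold()


def matching_exclusions(path, exclusions, normalize):
    """Indices of entries that equal `path` or are a directory prefix of it.

    normalize=False compares the strings exactly as configured; normalize=True
    ignores trailing whitespace and case, so a stray space in an entry shows up
    as a difference between the two results.
    """
    f = _norm if normalize else (lambda p: p)
    target = f(path)
    hits = []
    for idx, entry in sorted(exclusions.items()):
        excl = f(entry["path"])
        if target == excl or target.startswith(excl.rstrip("\\") + "\\"):
            hits.append(idx)
    return hits


def audit(log_text, exclusion_text):
    """For each alert, list the exclusion entries that cover its path, exact and lenient."""
    exclusions = parse_exclusions(exclusion_text)
    report = []
    for ev in parse_events(log_text):
        if ev["kind"] != "alert":
            continue
        report.append({"ts": ev["ts"], "path": ev["path"], "sha1": ev["sha1"],
                       "detection": ev["name"],
                       "exact_match": matching_exclusions(ev["path"], exclusions, False),
                       "lenient_match": matching_exclusions(ev["path"], exclusions, True)})
    return report


if __name__ == "__main__":
    for ev in parse_events(SCAN_LOG):
        print(ev)
    for row in audit(SCAN_LOG, EXCLUSION_DUMP):
        print(row)
```

On the posted data the alert path is covered by entry 6 under exact comparison, while entry 5 only covers it once the trailing space is ignored; running the same audit over a longer log of the host (with the real volume mapping) gives a timeline of which alerts hit paths that an exclusion should have covered, which is the kind of evidence worth attaching when sending the case to the vendor.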
Answers
-
Hi @Norton
Thank you for reaching out to F-Secure Community.
I believe you have followed the instructions in the guide below to exclude the file and folder from future scanning, but F-Secure Anti-Virus still blocked the file.
Exclude files or folders from scanning
However, there are certain cases where, even if you have already added the file to the exclusion list, F-Secure Anti-Virus will still block it because the file behaves like a virus or other harmful application, as noted in the guide at the link below:
View excluded applications
Note: If the application behaves like a virus or other harmful application, it cannot be excluded.
In this case, what you can do is submit your sample file to our lab, and our team will check and verify the sample file:
-
My point is: the "Exclude" feature doesn't work. Even if this were the worst possible computer virus, F-Secure should never mess with that file, because the file is excluded and also stored in an excluded location.
It can't behave like a virus, because it's getting detected via a cloud mechanism (which you cannot turn off anymore) when it's not even running, which means some service like Windows Search must be accessing the folder, or Windows Explorer does, because that location is in my "Recent" list.
What I don't understand is the pattern: F-Secure usually goes crazy on system boot and quarantines that file. When I then wait some minutes and release the file from quarantine, everything is fine. Even executing or re-creating that file via Visual Studio (I am a developer and this is a development file which changes whenever I re-compile, which also makes it impossible to submit a sample) won't trigger F-Secure detection again until I reboot the system.
I have watched this for the past weeks!
Since this week (I don't know what has changed), F-Secure keeps re-detecting the file immediately after I release it from quarantine. This is also kind of funny, because the dialog in F-Secure warns me that if I continue, this harmful file won't be detected in the future anymore. To end the current detection loop I now have to stop F-Secure protection, release the file from quarantine, and then resume protection, until I reboot again.
I would really like to understand what is going on here in the first few minutes each day after booting the system. Why is F-Secure detecting the file in the first minutes but not later?
And that "Exclusion" feature definitely has some effect: when I remove the file and location from the exclusions, the file gets detected all the time. So it would also be interesting to know why the cloud scan on first boot seems to scan even excluded files/folders.
This is really annoying and will probably drive me away from F-Secure soon (which is sad, because I extended my license in February until 2023).