DeepGuard & application blocking
Hello
I run F-Secure SAFE 18.2 on Windows 10.
Yesterday I started up an app on my PC and a notification was immediately displayed saying that DeepGuard had blocked the application because it had "tried to change another application". The same notification popped up several times over the next minute or so. The app, however, continued to run perfectly (it's an app called 'Soundly', a sound effects library, which I know is perfectly harmless).
My question is - why did the app continue to run if F-Secure thought it had blocked it?
Accepted Answer
-
Hi @Peter_B
This is possibly because the app "Soundly" tries to re-execute the same process when it fails.
It seems like there is a false positive on our detection.
Kindly create a ticket using the below link with the detection name and the process that triggered the detection and let our lab team handle it.
Answers
-
Hi @Peter_B
DeepGuard makes sure that you use only safe applications. The safety of an application is verified from the trusted cloud service. If the safety of an application cannot be verified, DeepGuard starts to monitor the application behavior.
Potentially harmful system changes that DeepGuard detects include:
- System setting (Windows registry) changes
- Attempts to turn off important system programs
- Attempts to edit important system files
-
Hi Jaims.
That's all great, but my question was more specifically about how F-Secure deals with applications that attempt to keep re-starting themselves.
F-Secure SAFE has now blocked two applications on my machine (both false positives, and I've created support tickets for both) and in both cases the app continued to function perfectly, whilst F-Secure continued to display notifications every few seconds that it had blocked the app.
It's left me wondering how effective F-Secure would actually be in dealing with a piece of malware that also keeps re-starting itself?
-
Hello,
Sorry for the discussion.
whilst F-Secure continued to display notifications every few seconds that it had blocked the app.
Could you check your "Quarantine" - called as "File and App Control" - and its DeepGuard part. Is something listed there?
// If so - there is an option to exclude / allow (Allow applications that DeepGuard has blocked | SAFE | Latest | F-Secure User Guides)
I mean, is it really Soundly blocked? Or certain type of action / operation?
How DeepGuard toast / prompt looked like? And what is information in "Recent Events" list.
Perhaps, if Soundly tried to run some scripts -> that action is blocked. Or if tried to access one of "Protected Folders" (Ransomware Protection) -> that operation is blocked.
So, application itself still working and continued to function.. while certain activities were blocked / denied. And application tried to re-run them (or so).
Just as a random thoughts.. otherwise it is a too tricky and vulnerable design of DeepGuard.
Thanks!
-
Thanks Ukko.
Notifications started popping up as soon as I launched Soundly. I wasn't actively using Soundly, but, as you say, Soundly may well have been doing something in the background.
Notifications just said that DeepGuard had blocked an application. The Recent Events list had lots of identical entries saying that Soundly 'tried to change another application'.
Nothing in the Quarantine list.
I've added the Program Files folder that soundly.exe lives in, and this has stopped all notifications, so I don't have a problem using Soundly now.
Take your point that we don't know exactly what F-Secure was blocking. In fact, it would actually be more helpful if F-Secure gave more details other than 'tried to change another application' in the recent events list. Would help understand situations like this.
-
Hello,
Thanks for your feedback and response!
I will try to play with Soundly a bit later.. just to check if I could reproduce this (of course, if your submission to F-Secure Labs with no results yet).
One point about more information - could you try to open Windows "Event Viewer" (I do it, usually, by right click Windows (start) logo and then "Event Viewer" entry). This is kind of Windows journal. My experience is about F-Secure SAFE beta - but I suppose that stable with related design - and Event Viewer with custom place for other services.
With my system - it is the last 'entry' in menu list (Applications & Services Logs or so). There could be F-Secure Ultralight SDK directory. Most of events about detections can be there. So, try to check one of them (about Soundly block event) and see if something more visible there.
For example, if I will try to launch tricky .bat file - then toast and F-Secure Recent Events will be with the only generic wording about. Like "application blocked because tried to open malicious website or document" and exact blocked application / detection name.
In Windows Event Viewer - I can see "content" of .bat-file, hash, path to executable (cmd.exe), process ID and other internal technical data.
Thanks!
🚩 What Do You Think?
We’d love your thoughts on our fresh look! Quick survey, big impact!