How to turn off the "Restart Deletion Prompt"?

wajika
wajika Posts: 12 Observer
edited December 12 in Device Protection

Hi, I have a problem.
When F-S finds a suspicious file that is running, it prompts that the file has been blocked from running but that it needs to be restarted and deleted. I chose to postpone the restart and listed the file as allowable. After a while, F-S reminded me that I needed to make a restart choice. I even deleted the file, but F-S still kept reminding me to restart. I don't think there is a need to restart; this design is not smart enough, because the file no longer exists.
Also, why isn't there a setting that allows me to change the triggered action options?

Thanks for reading my question and look forward to your reply.

Answers

  • wajika
    wajika Posts: 12 Observer

    It's this picture

  • Ukko
    Ukko Posts: 3,768 Superuser

    Hello,

    Sorry for my comment. Just joining in in case an official answer appears here later.

    Except that the things mentioned might just not be the right design….

    it prompts that the file has been blocked from running but that it needs to be restarted and deleted. I chose to postpone the restart and listed the file as allowable. After a while, F-S reminded me that I needed to make a restart choice. I even deleted the file, but F-S still kept reminding me to restart. I don't think there is a need to restart; this design is not smart enough, because the file no longer exists.

    … Most likely, the process of cleaning (or deleting a file, or adding to quarantine) has already begun, and it involves more than just "deleting" the file, or just making sure that the file has "disappeared" from the system or is no longer detectable.

    Many threats will probably be destroyed on their own and without being added to the list of exceptions (or manual removal), but an attempt to remove / get rid of the threat (if it does not work without requiring a reboot) will still be made. It may be necessary to perform some operations after/during the reboot, perhaps to carry out additional checks or to do everything "safely".

    Maybe there is some manual way to reset the restart "trigger" but..

    Also, why isn't there a setting that allows me to change the triggered action options?

    As stated in the guide pages - "by default, the virus protection handles all harmful files automatically as soon as it finds them so that they can cause no harm." and "automatic scanning protects your computer in real time by removing harmful files from your computer before they can damage it." so in the best scenario "if automatic scanning finds any harmful content, it puts the file to quarantine before it can cause any harm.";

    I think that for "suspicious" types and PUA things there may be other options and it should be possible to choose / select an action-option. If DeepGuard (or similar functionality) strikes, then most likely the dangerous or suspicious action is blocked or the application itself is added to the blocking list (I don't know how often a restart might be required in such a situation).

    Therefore, in most situations, it happens with real malware, and any slowdowns or requests for action from the user are not very good for providing protection. In a sense, the user has authorized F-Secure to deal with malware and protect the system from malicious impact. Ask for the user's attention to perform some action only in the most critical situations (or depending on his decision / approval in the context of privacy, for example).

    In case of a false positive? I think that most often "removal" (without the possibility of reversing the action or "non-deletion") will be very rare, or will be more a type of "system infection" rather than a single-item detection.

    If it's about choosing in the settings what to do when this or that is detected, then by default the recommended one for the "given" type of threat is used. What reasons could there be to change them, to the extent of justifying the presence of such an option and its guaranteed operation with any value? And, at the same time, if we know that we don't want something to be deleted or detected, then it's easier to exclude it from real-time scanning in the settings.

    Perhaps for some reason such as this, there is no such setting in the UI.

    Thanks!

  • TVC15
    TVC15 Posts: 74 Active Engager
    edited December 12

    Excellent answer @Ukko. F-Secure had started the process of doing its job and was already keyed in on the suspicious file, and just needed to finish the process by doing a restart.

    I don't think it's a lack of F-Secure being smart, as even though the file was deleted/quarantined, who knows what could still be running or going on in the background, as that's how it found it: running in the background. I'd rather be safe than sorry and just let F-Secure do any house cleaning it needs to do, including by doing a restart.

    IMO, I would rather restore a file I know is safe from quarantine, and add it to Excluded files, even if it involved an initial restart, than ask, wish for F-Secure to circumvent a process it had already begun.

    Cheers :)

  • JOnes
    JOnes Posts: 709 Forum Champion

    We expect more from artificial intelligence in the future than in a long time for these malicious findings, and especially for their automagical intelligent processing.

  • wajika
    wajika Posts: 12 Observer

    I need to clarify: I'm sure this warning is a false positive. F-S is blocking my proxy software; this software is safe, I've been using it for years, and because I need it to proxy my traffic, it's been running.
    I don't think it's necessary to restart for a false positive. The point is that I've already excluded it, so why is it still in F-Secure's "cache"?

  • Ukko
    Ukko Posts: 3,768 Superuser
    edited December 12

    @TVC15 , thanks for your thoughts!

    But I think it must be noted that the situation raised is likely a little more specific.

    For example, as I understand it (I can't load / look at the added pictures right now, unfortunately; so just based on the description) - here the file or process was already running or "busy" (or something else) - F-Secure wanted to delete it or clear it or quarantine it, but could not (for some reason), so it "blocked" this item. And it requested a reboot to complete the cleaning (let's say). Or if it was blocked when trying to run, perhaps the item itself was detected somewhere in a critical place or the action was too strange. Or whatever the reason for being blocked but not processed without a restart/reboot.

    I mean, most likely it wasn't quarantined (and maybe wouldn't even be). But it was manually "allowed" (added to the exceptions), and then deleted by the user himself (while F-Secure was waiting for a reboot). Basically, a similar thing will often happen for regular malware (it self-destructs or was temporary, and so on), even in the midst of the counter-actions being taken. This does not negate the fact that a reboot is required not only for "direct removal" but for a whole series of measures or some simply basic practices (usually some "system" options are restored to default). Although I don't think that this restart was planning something very complicated.

    So, the remaining specific points are:

    — Sometimes there is no desire or opportunity to reboot. In such a situation, such a request, of course, would be annoyingly systematic, and I don't know what to recommend. I would try to reboot the system as quickly as possible. If it was known for certain that the file/item was safe or did not pose any threat or harm other than "static", or manual deletion was sufficient, then I would either ignore the request or look for a way to reset it manually.

    — Sometimes F-Secure may delete a file and there will be no way to get it back. I think that most often this will be for the concept of "system infections" (when multiple files are detected at once and combined into one group) or… by Scheduled scan - I think this type of scanning will ignore any exceptions/whitelists and all actions are automatic and maybe even without quarantine, right to deletion, especially if quarantining has failed. But I am not sure.

  • TVC15
    TVC15 Posts: 74 Active Engager
    edited December 12

    Nice reply. Sometimes there is more going on than I realize, as with @wajika follow up clarification post :)

  • Ukko
    Ukko Posts: 3,768 Superuser

    Unless there will be a proper response from F-Secure teams and official representatives, just to discuss a bit.

    I don't think it's necessary to restart for a false positive, the point is that I've already excluded it, why is it still in F-Secure's "cache"?

    Yes. If it is very undesirable to do this now (or how long can you postpone the request - for two hours? then again for two? until restart). It's unnecessary for a false positive in a sense of 'not in rush'.

    If there are no technical problems for restarting, then what problem do you see in order not to restart? In addition to some specific ones, something like those that would concern possible measures after a reboot - such as resetting the hosts file to a "normal" state, as an example?

    I think F-Secure kept this prompt because it is no longer pinned to an 'item' as to a single unit, but to something like an 'incident' in the system that needs to be sorted. The "original trigger" (if it was software, an .exe, a proxy file) might no longer be in the system even for any other reason. These are already post-measures, which... were forced to be applied for some reason.

    So, system needs to be cleaned. Or proceeding to deal with blocked detected item - which is… well… even if it is already gone - it was not the only point (probably) after the request has been generated.

    Or did you mean by 'cache': detections re-appearing for the same software? And 'cache' is not referring there for 'postponed' restart request?

    F-S is blocking my proxy software, this software is safe, I've been using it for years, because I need it to proxy my traffic, so it's been running.

    Can you look at recent events in Event history: was there any name of the detection/blocking written? (Right-click the F-Secure tray logo; the related entry is in the opened menu.) Was it trojan, hacktool, something else? Was it any specific action or maybe an 'exploit'-type move (it could be written like this or close to this)? Maybe something within the proxy was detected, but the proxy is claimed to be the 'source'?

    Is it detected as unwanted software or as malware? It should be 'visible' in the wording used.

    And the detection itself occurred during operation, and not during the launch of the executable file?

    Anyway, I have now tried to run some sorts of similar things, but have not been very successful in repeating 'prompt' so far. I'm trying with the beta version and there are relatively significant changes - so...

    // As I see your view is you want to tell to the 'restart prompt' something like "it was a false positive, relax, any action further is not needed ". To be honest, I don’t know if this is included in the design. I also think that without restarting, some collisions or conflicts may occur. I don't know exactly what the restart will do (what changes there will be).

    What is your main task now - not to reboot the system for the next couple of months, years? Or somehow avoid the possible actions of the removal process? If you just want to remove the reboot request or, let's say, somehow cancel the "started" measures, then if you, as a user, have administrator rights in the system, you can probably do something rudely. Somehow through the UI - unlikely.

    Thanks!

    // At least, your experience (yet) is not about constant reoccurrence of the 'detection' itself. As it was there (where many things remain unclear to me on the topic):

    • https://community.f-secure.com/en/discussion/123972/restart-required-restart-required-restart-required
    • https://community.f-secure.com/en/discussion/124717/how-to-stop-the-restart-function-after-blocking-a-malware

  • wajika
    wajika Posts: 12 Observer

    If there are no technical problems for restarting, then what problem do you see in order not to restart? In addition to some specific ones, something like those that would concern possible measures after a reboot - such as resetting the hosts file to a "normal" state, as an example?

    I figured it would be possible to add an ignore button, which means that the event could be skipped, which I used to have when I used Kaspersky. The biggest key point at the moment is that I don't have the freedom to make a choice (I can only restart or postpone).

    Or did you mean by 'cache': detections re-appearing for the same software? And 'cache' is not referring there for 'postponed' restart request?

    As I said, on other security software, if I choose to ignore it, I should be able to avoid a reboot (at least I won't be prompted to make a choice all the time), but as I understand it, once the F-S executes a command internally (restart), it will not be affected by external influences.

    can you look at recent events in Event history, was there any name of the detection/blocking written? (mouse-rightclick tray F-Secure logo; related entry in opened menu). Was it trojan; hacktool; something else. Was it any specific action or maybe 'exploit'-type move (it could be written like this or close to this). maybe something within proxy - detected - but proxy is claimed to be 'source'?

    I'm guessing that trying to empty the event clears the "cache", so all previous events have been deleted.

    Maybe my appeal is not expressed correctly, and the restart prompt can be kept, but in fact the result I want is "ignore the restart prompt", which can be satisfied with just one more button, which means I can say YES or NO to it, but now it keeps urging me to restart.

  • Ukko
    Ukko Posts: 3,768 Superuser

    Hello,

    Thanks for your response. Since I can't play around with a stable solution yet (I have beta installed) I can't tell you if there is any simple way to skip this prompt. and I don't remember any official opinions on this matter. Like completely undo the matter before restart (and so making 'restart requirement' gone too). I mean to do this by something without violence for application and system.

    Then, just general conversation below.

    I figured it would be possible to add an ignore button, which means that the event could be skipped, which I used to have when I used Kaspersky. The biggest key point at the moment is that I don't have the freedom to make a choice (I can only restart or postpone).

    So, reasonable.

    But if you are talking about the "ignore" button in the context of ignoring a detected threat, then this particular prompt is not about that. And the actual request about how to respond to the threat.. well.. either it was not there, or a default decision was made (failed due to an error or by design - and a restart was requested). So, you can only restart or postpone; and there is no way to make a choice like "cancel" the restart event; revert/deny disinfection process. Was it really possible to do something like this with other software? Like when the disinfection process itself already has asked to be restarted to complete? Is it something like a rollback of the decision / action taken completely (even before the whole rest of thing is applied)?

    It sounds cool, but somehow strange to implement. Such as, something like "We found malware, tried to fix it, maybe partially did it, now we need to reboot and maybe clean it up or take some measures. Although, if you want, you can press a button and we will turn everything back before even attempting to finalize it". I think that technically this is possible - but it's just a little illogical. I would expect something similar before making a decision on some action regarding the detected malware. But not after in case of failed/incomplete cleaning (and feelin' bad that there is a need to make restart).

    When there is already a reboot request here, canceling or rebooting are the two logical options. "Third" as to simply hide such a request (so as not to postpone every two hours) could be "appropriate" - but still would not cancel the process / event itself. If only there was a "fourth" option to cancel everything completely (but... there are too many additional details for this).

    I think that the whole difficulty here is in the type of "notifications" / "prompts" / "requests". For some of them, what you would like to see is done. Others simply aren't available in F-Secure for some situations. And the current one described is a relatively specific situation (it's not like a request for permission or something, but rather a notification of what will be done. And instead of doing it automatically, it gives the opportunity to postpone or do it right now. Something like notification about a restart requirement from Windows Updates; which can be 'unchecked' so as not to be shown though).

    So, this is a notification that a restart is already scheduled (and does not ask whether you want it or whether to somehow process the detected item, since it has already been autohandled). Let's look at this as if we were talking about real malware?! how should F-Secure software know that it is now truly a false positive... even if the user says / thinks so. Giving such an opportunity would not be very justified (I mean the opportunity to cancel "procedures" that would have been done due to a reboot).

    • Postpone option operates here as an act of good will.
    • The fact that some item was blocked and some measures were taken and for some reason a restart was required is something like a "limitation" of the current decision-making design for specific types of threats and situations.
    • There should not be a re-detection or requirement of a request because of an "item" which was excluded or removed. If it was excluded from a certain type of checking and another type of checking is not the source of the request.
    • A previously postponed prompt will appear again because it was postponed (and not 'removed' in some way). I am not sure if it is possible to 'drop' it easily (or skip it) - but maybe there is a way(?!). I do not want to mislead you.

    Maybe my appeal is not expressed correctly, and the restart prompt can be kept, but in fact the result I want is "ignore the restart prompt", which can be satisfied with just one more button, which means I can say YES or NO to it, but now it keeps urging me to restart.

    Just to clarify - the option to postpone a reminder about the need to restart for, say, some significant time (week, month, year) would be similar?

    If in your sentence, "YES" would mean "yes, restart now". And "NO" would mean "no, don't restart now". Does it mean, for example, "POSTPONE" (and checkbox "don't remind me again") will be the solution too?

    The prompt is not just about "do you want restart?"; the prompt is about "the restart is needed". The actual need is unclear.

    Maybe reminder is scheduled somewhere as a plain thing. But the planned action (maybe) is not. And in the context that most often (and in the best situation - always) such a request should only be about malware - and not a false positive - it is undesirable to cancel an action aimed at fixing the situation when triggered (because of this, there is probably no such "button" in the user interface).

    Thanks!

  • Ukko
    Ukko Posts: 3,768 Superuser

    Hello, @wajika ,

    just tried playing around with stable F-Secure solutions and got some ideas, just to give you a bit of hope for freedom and choice.

    Obviously, I cannot recommend any of these non-recommended actions. And I am also not sure about the actual result. And of course - if it is still relevant and desirable.

    What I tried is: to trigger a restart prompt by getting a detection for an already running application. So, the cleaning/quarantining did not work, the file itself was renamed and a reboot request appeared. I postponed it for five minutes and started trying something in between. Every five minutes I checked whether it worked or not, and then tried the next point.

    It's not a fact that all actions are required, but I will give the sequence that led to my not receiving the request within twenty minutes (but I didn't try longer). All actions (except for the last one - although it is partially too) require administrator rights in the system and require rudeness.

    — First of all, the Windows system registry has the following

    HKEY_LOCAL_MACHINE\SOFTWARE\F-Secure\NS\default\OneClient\Restart\Pending
    

    place, which could contain the pending restart event (as I suppose). For example, in my case there was a "Type" value of 'spyware'.

    I tried to delete it (only this Key/Value in the Pending 'folder'). Didn't help. I tried to delete its entire folder (Pending). Didn't help. I then tried to delete the "Restart" folder. Didn't help either. But I deleted the folders/values manually in the registry. So, just in case, I place it here.

    Note: you will not be able to delete the specified keys, values and paths in the registry unless you disable Tamper Protection in F-Secure Settings before proceeding.

    You can enable Tamper Protection afterwards.

    — I also decided to try to "turn off" all security features in F-Secure Settings (Settings - Help&Support tab - Turn off protection - Turn Off) and almost immediately turn them back on. Basically, my idea was to 'restart' services (like fshoster/fsulhoster, which can be restarted manually or via command prompt), but I decided to check it this way.

    — At this stage, I thought that probably the request itself or the entry in the registry was also saved in the cloud (as a fail-safe, backup). So I wanted to try messing around with the "C:\ProgramData\F-Secure" folders for some backup/cloud type things, but..

    Having received another reboot prompt (after the past five minutes), I decided to do the following:

    — Keeping the prompt window open, I launched Task Manager, saw that this process is called "Restart notification for user" (fs_restart_64.exe) and couldn't think of anything better than to right-click on this entry in Task Manager and "End task" - so, process killed, the prompt window disappeared. Twenty minutes passed and it didn't appear again.

    Basically, I did not try to do this before any other steps (but it would just be interesting what the result would be). Also, I think such a way of closing this prompt might be equal to "(X)" closing - which is not choosing "restart" or "postpone". And it is quite likely that such a decision/action will be treated as a delay up to a maximum of two hours. And then the prompt can be triggered again.

    But I don't have the opportunity to test this better and not reboot the system for two hours now.

    What I did after that was I tried to restart the system to make sure that the system is still bootable. Then I waited nearly ten minutes and there was no prompt.

    If you still need some kind of workaround, you can try something described above for free choice. But this is highly discouraged and, in particular, such actions can always damage something in the software or system.

    But as for how such a situation could be improved in a general sense, such a prompt should usually be to the point and aimed at getting rid of malware. So the current design is relatively correct after all. But maybe F-Secure Teams will come up with something someday to make it convenient for all users in all unforeseen situations.

    Thanks!

  • wajika
    wajika Posts: 12 Observer
    edited December 14

    Thank you @Ukko keep up the follow-up.

    I've been bogged down by a lot of things in the morning, and now I'm finally free, and I'll reply in order.

    Regarding the previous part you said

    When I used to use Kaspersky, it supported ignorance, which meant that even if a real threat was found, it would terminate it and tell me that I needed to restart to remove it completely, but if I chose to ignore it, it wouldn't always prompt me to make a choice.

    I'll interject a sentence that compared to Avast and the like, the interaction design aspect of F-S is really cumbersome, and you can feel it when you experience it for a while.

    If in your sentence, "YES" would mean "yes, restart now". And "NO" would mean "no, don't restart now". Does it mean, for example, "POSTPONE" (and checkbox "don't remind me again") will be the solution too?

    Yes, I don't want to be pushed to make a choice all the time.

    As for the other aspects you mentioned, I don't know how to reply, I guess how the F-S is designed must have its concerns, but from my point of view, I think it's too cumbersome.

    ————————————————————————-

    The following is the response to today's post.

    Thank you very much for the little experiment you did to solve this problem.

    I tested your steps and I found that the value of the local registry is different from what you said, my side is "virus".
    Also, I don't understand the meaning of the next steps.

    But you found this process, fs_restart_64.exe, which I think is important; based on my guess, this process reads the record somewhere in real time and pushes a restart "message".

    Now the process that pushed the restart message has been found, but I don't know where its records are kept. I don't think it should be kept in the cloud, there are so many F-S users, it's impossible to imagine how much cloud space is needed, which means a lot of cost.

  • wajika
    wajika Posts: 12 Observer

    I'm a little lost, I wrote a lot of content in order to reply to your previous message, but I forgot to upload the picture after submitting it, I revised it again, and then the reply was gone after submission.😟

  • Ukko
    Ukko Posts: 3,768 Superuser

    Hello,

    I'm a little lost, I wrote a lot of content in order to reply to your previous message, but I forgot to upload the picture after submitting it, I revised it again, and then the reply was gone after submission

    Well, I do see your current comment with pictures; I will try to keep it up with. I also almost finished writing the answer and accidentally deleted it (and the draft got lost). Now I'm rewriting it again. :)

    I tested your steps and I found that the value of the local registry is different from what you said, my side is "virus".

    So, reasonable. It reflects the detection in your system: the file which you considered to be safe.

    This simply reflects the following (as I understand it) - the type of reason why the restart is pending. So it could be a type of virus or spyware. Or malfunctioning, upgrade, whatever else. Everything that is included in the logic and that can request a restart and be a pending restart to complete something.

    In my case - it was indeed a spyware (PUA detection). So, if your detection was about names like virus, trojan, malware or something like this - then 'virus' is more suitable type of pending restart.

    Also, I don't understand the meaning of the next steps.

    This is partly because I explained poorly and was unable to convey the idea. On the other hand, this is because everything is very far from the intended design of use.

    My idea was as follows:

    • this key and value pair in the registry most likely reflects the reason itself and the knowledge that a restart is required. That's why it's called paths as Restart, Pending. Maybe.
    • I thought if we manually remove/delete it (as administrators) - then pending restart can be dropped.

    So, you can right-click on "Type" (which is about 'virus' value) and rudely select 'Delete'. The same can be done for the "Pending" folder and the "Restart" folder. I manually deleted one by one: the value inside the "Pending" folder, then the Pending folder itself, and then the "Restart" folder itself - since the prompt was still shown five minutes later after the postpone action.

    I think it is possible to delete only this entry: "Type" (virus). So that the Pending branch is empty, for example.

    You won't be able to delete these things in the registry without disabling the feature called Tamper Protection in the F-Secure settings (go to settings through the UI). You can then turn it back on.

    After I deleted them in the registry (not necessarily all three things), the request to reboot still appeared. I am more than sure that the basic settings, some things from the registry, statistics, and so on are saved in the cloud (or kind of) to provide fault tolerance. So I thought that either the reboot request was coming from there, or the settings were simply cached for now and the cloud's / local backup version was still used.

    So then my ideas were:

    • restart F-Secure services (I decided not to do this manually, but simply turn off all protection and turn it back on - I did this through the option in the settings with the appropriate name).
    • But when the reboot request appeared, I just opened Windows Task Manager (ctrl+alt+del), then saw this 'task', right-click -> End task. And that's it.

    I described everything else in the previous comment with slightly more detailed instructions/steps for each action.

    But you find fs_restart_64.exe

    As a real hack and violent way - you can just 'cut' this file from the F-Secure directory in Program Files - it is easily located and can be found quickly - and paste it somewhere (for later restore). Most likely there will be a 'fail/crash' while attempting to use it and so - no prompt request.

    However, this was my last resort opportunity, which I did not try, because I managed to sort it more smoothly (as I think) - but I am still not sure that it is a robust solution.

    Just to conclude, my ideas were (unrecommended and dangerous basically):

    — Manually delete in the Registry, in the Restart/Pending path, the "Type:virus" entry by right-click 'Delete' (beforehand, you need to disable Tamper Protection in F-Secure SETTINGS via the user interface).

    — Optionally, turn off all security features in F-Secure SETTINGS (in the Support tab, at the bottom) by using the related button. This is a kind of possibility to restart services in case something is cached/stored that way. Turn it back on almost immediately. The alternative way is to restart the F-Secure services manually - but you will need to know how to do this properly. I just don't recommend it.

    — When the restart prompt appears again, open Task Manager and kill this task, "Restart notification for user" (fs_restart_64.exe), in the Task Manager list by right-click "End task". You can use Task Manager not in the advanced/expanded view but in the minimized/short version. Like if it is the 'full' view - then click "less details" at the bottom and only a small number of active foreground processes are listed in front.

    — Check if the situation is sorted.

    Just keep in mind that this does not mean that during the next reboot (whenever that may be) some measures that were planned will not be taken, and also that it may not be possible to do this without any damage.

    Thanks!

  • Ukko
    Ukko Posts: 3,768 Superuser
    edited December 14

    So, @wajika

    I'll try to reduce this entire flow of information from me into something more understandable:

    FIRST POINT:

    is to try to understand where the 'flag' comes from (or where it is stored) indicating that a restart needs to be made.
    My assumption is that this registry tree is related:
    HKEY_LOCAL_MACHINE\SOFTWARE\F-Secure\NS\default\OneClient\Restart\Pending

    So, "Restart" is subkey of "OneClient" key; and "Pending" is subkey of "Restart" key.
    "Restart" and "Pending" are shown as 'folders'. So, the 'Pending' key (folder) has its data / value like "Type" with 'virus' in your case.

    It is possible to right-click "Type", and in the menu there should be an option to 'Delete' it (also, 'modify' and other options).

    By deleting it - I would think we would get rid of the reboot prompt. Since there will be nothing in the Pending restarts section.

    When I tested this, even after deleting the "Restart" and "Pending" keys (visible as folders) - which is most likely not required to delete at all, the request to reboot still appeared.
    Therefore, perhaps this action of deleting Type:Virus is not enough, but perhaps without it it will not be possible to do the rest.

    SIDENOTE: to remove these important things in the registry, you need to disable the Tamper Protection feature in the F-Secure settings (can be found in the UI). Otherwise - attempts to delete will fail. You can re-enable it after manipulating the registry is done.

    SECOND POINT:

    is to understand why after editing the registry, a reboot request is still created (a window appears with the "restart" or "postpone" buttons). I thought there were two explanations - either the settings are still taken from the backup (which can also be stored both locally and in the cloud) and that means we need to somehow update the cache or find out when it will no longer be relevant, or we need to restart the F-Secure services - so that the information is updated and reloaded.

    // later edit: what I mean is that obviously F-Secure shouldn't and won't trust such manual changes to registry values. It will use trusted ones. And trust the corrections that were made in acceptable ways. Or possible edits, even if the administrator did them, but there was no "possibility" for this. So, I don't know if this makes sense as such (I tried to delete it just in case). I think that specifically in this part, it can work.

    I tried turning off all security features and turning them on again. Something like restarting the protection. This can be done by using the corresponding feature, which is available in the F-Secure settings in the Support section (at the bottom of the Settings page), and there is a button somewhere at the bottom.

    THIRD POINT:

    It may be enough to do this (what I will describe now) without the things described above.

    When the reboot request appears - so, the window with the choice of decision (restart/postpone) will be visible. You will need to open the Task Manager (ctrl+alt+del or any other way) - there you will see a process called "Restart notification for user" (refers to fs_restart_64.exe). You can select it - right-click - click "end task" from the menu. In my situation, the window closed and did not appear again for twenty minutes.

    I admit the possibility that this method of closing (as well as something like hitting (X) in window) will simply push back the prompt to the default maximum of two hours. But I didn't have an opportunity to check this and wait two hours to see if the prompt would appear again.

    Therefore, if none of the described things would help, then probably (I would) only have to try to manually deal with the named fs_restart_64.exe (I would take it somewhere temporarily and then return it to the F-Secure folder);
    If that didn’t help, I don’t know.

    Clarification - all actions assume that you have administrator rights in the system.

    Thanks!
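A read-only way to check the state Ukko describes in the FIRST POINT, added here as an example (it is not code from this thread or from F-Secure): it reads the Pending key at the registry path quoted above, reports the "Type" value if one is present, and checks whether the fs_restart_64.exe reminder process is currently running. The key path, the value name and the process name are taken from the thread; the function name is my own. Nothing is deleted or modified, so it is safe to run while deciding whether to reboot.

```powershell
# Added example, not code from the thread or from F-Secure.
# Read-only check of the pending-restart state described in the post above.
# Assumed: the registry path and the value name "Type" quoted in the thread,
# and the process name fs_restart_64 of the "Restart notification for user" window.
$PendingKeyPath = 'HKLM:\SOFTWARE\F-Secure\NS\default\OneClient\Restart\Pending'

function Get-FsPendingRestartState {
    [CmdletBinding()]
    param(
        [string]$Path = $PendingKeyPath,
        [string]$ReminderProcess = 'fs_restart_64'
    )

    $result = [ordered]@{
        KeyPresent      = $false
        Type            = $null      # e.g. 'virus' or 'spyware' in the thread
        Values          = @()
        ReminderRunning = $false
        Error           = $null
    }

    try {
        if (Test-Path -LiteralPath $Path) {
            $key = Get-Item -LiteralPath $Path -ErrorAction Stop
            $result.KeyPresent = $true
            foreach ($name in $key.GetValueNames()) {
                $result.Values += [pscustomobject]@{ Name = $name; Data = $key.GetValue($name) }
                if ($name -eq 'Type') { $result.Type = [string]$key.GetValue($name) }
            }
        }
    } catch {
        # Reading may fail if the key is protected; report that instead of guessing.
        $result.Error = $_.Exception.Message
    }

    # Is the reminder window (fs_restart_64.exe) up right now?
    $proc = Get-Process -Name $ReminderProcess -ErrorAction SilentlyContinue
    $result.ReminderRunning = [bool]$proc

    return [pscustomobject]$result
}

$state = Get-FsPendingRestartState
$state | Format-List

if ($state.Type) {
    Write-Output "Pending restart flagged with Type '$($state.Type)': reboot when convenient (or run a Full Scan) rather than suppressing the prompt."
} elseif ($state.KeyPresent) {
    Write-Output "Pending key exists but has no Type value (the state reported in the thread after manual deletion)."
} elseif (-not $state.Error) {
    Write-Output "No pending-restart key present."
}
```

Run it from a normal PowerShell prompt; reading HKLM needs no elevation in the usual case, and because the script only reads, there is no reason to touch Tamper Protection. If the reminder is running while the key is empty, that matches what the thread reports: the prompt reschedules itself from its own postpone timer, not only from the registry value.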

  • wajika
    wajika Posts: 12 Observer

    So, you can right-click on "Type" (which is about 'virus' value) and rudely select 'Delete'. The same can be done for the "Pending" folder and the "Restart" folder. I manually deleted one by one: the value inside the "Pending" folder, then the Pending folder itself, and then the "Restart" folder itself - since the prompt was still shown five minutes later after the postpone action.

    I don't see where you say "Pending" folder and the "Restart" folder.

    I think it is possible to delete only this entry: "Type" (virus). So that the Pending branch is empty, for example.

    You won't be able to delete these things in the registry without disabling the feature called Tamper Protection in the F-Secure settings (go to settings through the UI). You can then turn it back on.

    After I deleted them in the registry (not necessarily all three things), the request to reboot still appeared. I am more than sure that the basic settings, some things from the registry, statistics, and so on are saved in the cloud (or kind of) to provide fault tolerance. So I thought that either the reboot request was coming from there, or the settings were simply cached for now and the cloud's / local backup version was still used.

    Do you mean that after deleting the registry and folder, F-S will still prompt a restart? Is it found in the wrong place? However, it is also possible that F-S is using cloud storage.

    as a real hack and violent way - you can just 'cut' this file from the F-Secure directory in Program Files - it is easily located and can be found briefly - and paste it somewhere (for later restore). Most likely there will be a 'fail/crash' while attempting to use it and so - no prompt request.

    If you are sure that it is the message prompted by this process, then you can indeed move it. But in general, it is not a formal operation.

  • Ukko
    Ukko Posts: 3,768 Superuser

    Sorry for my late reply.

    I don't see where you say "Pending" folder and the "Restart" folder.

    The correct name (as I think) is "key/subkey" ('Pending' registry key, 'Restart' registry key). It just has its style/logo as a folder / document case. That's why I called it that.

    So, as in your screenshot you can locate this path (via / in Windows Registry):

    HKEY_LOCAL_MACHINE\SOFTWARE\F-Secure\NS\default\OneClient\Restart\Pending

    Like 'Restart' is a subkey of OneClient; and 'Pending' is a subkey of the Restart registry key. They seem to be nested inside each other.

    The last one, the "Pending" registry key, has its extra data/value - which is visible as "Type" (name) and "virus" (value) in your case. So, I think it is enough to delete this "type:value" (it is possible to right-click "Type" and a menu should open with an option "Delete", 'rename' and other options). I don't think that the registry key "Pending" itself will create a reason for the prompt unless it has 'type:virus' (or 'type:spyware' or 'type:something') there. As a trigger/reminder.

    Do you mean that after deleting the registry and folder, F-S will still prompt a restart? Is it found in the wrong place? However, it is also possible that F-S is using cloud storage.

    Well, in my experience - after deleting the mentioned 'keys' in the Registry - I still experienced the restart prompt window after each postpone of five minutes.

    Like: I deleted only "Type" with value "spyware" (in my case). Waited five minutes - got prompt again. Postponed it (for five minutes).

    Deleted "Pending" key in Registry. After five minutes (in its scheduled) - I got prompt again.

    Deleted then "Restart" key in Registry and again got prompt after five minutes.

    So, just because 'hard' playing with the Registry did not help immediately, I tried playing further. In principle, I consider it normal that there is no way to manually tamper with the registry in a violent way and expect that F-Secure will pick up the changes as if nothing had happened (especially if this is not expected and is not intended to happen).

    If we assume that this particular change was acceptable (that is, F-Secure can accept it as "its own"), then this did not happen immediately due to local backup settings / similar things from the registry (which also could be paired with its cloud version of backup). So, it was probably used further. I don't know what changed the situation later. I thought that restarting the services would still be useful - since it would update the information for F-Secure, perhaps resetting the need to show a restart request. Despite the fact that I did not restart the services (hosters) directly, I tried to use the built-in feature to disable all protection - so, in the settings there is such a button as turning security features off. And immediately turned it back on. Since I assumed that in general some services would be restarted in this (normal) way already.

    However, I still saw the reboot request again. Then I decided to look at what this window (prompt) is called in Task Manager. I have already described this. I thought - let me right-click in the list of Task Manager processes on this task (process) and click "end task". The task is 'killed'. The window closed. (For the next twenty minutes) - there was no repeated request to reboot.

    If this was not a coincidence (and the request simply had to appear two hours later as the maximum postpone option that was chosen by such a rude closure) - then perhaps the situation has improved in a way you want it.

    If you are sure that it is the message prompted by this process, then you can indeed move it. But in general, it is not a formal operation.

    I am not sure, but this executable will create a window that is visible when a restart is requested, with "restart" or "postpone" buttons. Well, don't "create" actually... but let's say... be this window.

    In my understanding, if the "reboot request" says to this .exe 'let's show a notification', but this .exe does not exist in the expected place, then there will be no request. Most likely there will be an error window, or maybe just a crash in the background. However, yes... this is a very undesirable way to solve your situation. And I don't recommend it.

    If the previous steps had not helped me, then perhaps I would try this one just for fun (for myself). But I think the most normal thing is to simply not try to get rid of the reboot request, but to do it when asked. :)

    However, if there is a real need - I think playing around with registry keys (type:virus) and trying to restart F-Secure protection services (by turning them off and on again), with the further 'strange' action of killing the task of this restart-prompt window, is the only way now. Unless official F-Secure people can suggest something more proper.

    Thanks!

  • JOnes
    JOnes Posts: 709 Forum Champion

    A very detailed analysis of the process that hardly makes any plain consumer happier; it's best to wait for solutions to the root problem led by the product development team with the help of artificial intelligence. That automatic handling of malware has been a bit of a "weak link" also in F-Secure's products for years. The best thing is we have something better to wait for in the future, I presume..

  • Ukko
    Ukko Posts: 3,768 Superuser

    @JOnes true, but honestly I do not see a real problem here. Nevertheless surely the steps described will not make anyone happy (only as a last hope, subject to some dire need that is not entirely obvious).

    That automatic handling of malware has been a bit of a "weak link" also in f-Secure's products for years

    The discussion above (lately) was no longer about "automatic handling of malware" as such.

    In my opinion, automatic processing of malware, spyware, viruses, and unwanted applications is mostly very good; and its default decisions are rather logical and self-consistent. Especially with its still current F-Secure stable solution (Ultralight-based).

    I can't quite imagine how for any plain consumer it could be much better or radically different.

    Of course, things could be better. Like if, for example, all actions would be applied based on a specific threat down to the smallest detail. And not based on the threat type or generic detection type. But I don't know much about such examples (except for some exceptions / inclusions). And, in general, it would not always be very reliable.

    For the topic under discussion, perhaps the reboot request itself was not critical by its origin, but simply a safety net. Since it was created (likely) only because the "discovered" object was already running and, accordingly, read-only. For example, in my experience with detected spyware, the file was renamed (to .0xe to make it impossible to autorun again). Considering that once a detection has appeared, there is no obvious way to know that it is a false positive - almost the only option for a security solution is to require a reboot using all the comprehensive measures that are deemed necessary for further cleaning/fixing.

    What would a user do without automatic processing? But asked to decide manually… He would say - don't save me from malware? Or would he say - yes, save me? If the latter, then the reboot request would still appear. If the first, then in the case of a real threat, it is very dangerous.

    The very topic of discussion now is about the reboot request window/prompt. Which I also think is made quite pleasant for any plain consumer. There is a "restart" button and there is a "snooze" button for this reminder for some minutes/hours. If you postpone it, you will be reminded after the selected time.

    OP tried to get rid of it (for whatever reason) and thought that it is not good when it is impossible to 'ignore' this prompt (like it will always ask you to restart until you do this). In context - so that he is not reminded of the need to reboot. Well, I am not sure why; I also do not think that the detected item is indeed a false positive, but he already claimed that he deleted it. And then did not restart the system anyway. My advice would be to simply scan the system again (Full Scan). Or reboot on request.

    However, just trying to understand what's up with this reminder to reboot - I thought about the ideas expressed above. Which also shows how well things are now done in F-Secure (Ultralight-based).

    To be honest, I have already begun to better imagine how it works (especially regarding why the reminder appears and why it appeared without a key in the registry; and additionally why, if you postpone the reboot in the reminder and then do it manually without a request, it will work and will not create a new reminder) - and, so, some things in my other comments do not quite correctly convey the idea of the design. Robust and simple. Which, on the whole, I really liked and I think is well made for stable, bug-free software.

    Thanks and sorry for this reply.

    // I also want to add: how important it is to use a system using things like UAC for any rights elevation; as well as the correct use of the standard Windows account type for everyday use (and not Administrator-type). And how cool it was to implement the long-requested Tamper Protection feature, which is great in the current stable F-Secure solution.

  • JOnes
    JOnes Posts: 709 Forum Champion

    @Ukko In fact (IMO) these types of security analysis discussions (Windows registry hacks were very popular in the 1980s and 1990s, particularly among F-Prot users. 😀) should belong in forums other than those intended for consumer users, e.g. for FS-protection beta testers, and perhaps in the future they could actually be a completely separate part of the community as well (Feature Request).

  • wajika
    wajika Posts: 12 Observer

    Thanks @Ukko, every one of your replies is very detailed.

    Regarding the path to the registry, I always thought that there was only the concept of values and keys.

    I followed your steps to remove the "virus" value of the registry. I also clicked on the "Turn off protection" button, but I still get a restart prompt.

    I looked at the "Restart\Pending" path to the registry and it was already empty.

    ======================

    Again, I would like to say thank you for your patience and analysis; we spent too much time discussing this issue, but the product folks at F-S didn't have any feedback, so the more time we spend, the more time we waste.
    In addition, seeing your previous comments, I would like to say that you can try other software (Kaspersky, Avast and so on), their interactive processing design is more user-friendly (reducing a lot of operation steps).
    Their products have detailed plans when "viruses are found", "handed over to the user to deal with", and "next steps".
    Like I said before, we don't know what the F-S was designed for, maybe this simplification is what makes it special.

  • Ukko
    Ukko Posts: 3,768 Superuser

    I apologize for yet another spam/offtopic comment of mine, just to close the topic on my end as well. :)

    In fact (IMO) these types of security analyse discussions … should belong in forums other than those intended for consumer users..

    @JOnes yes, you are right.

    But I think it does no harm to anyone. The discussion in this topic is purely theoretical and almost fantasy. And, in general, I would not have started it if I had not thought that it was a good "fictional" showcasing of the good aspects of the F-Secure security mechanism and of good security practices in general. But your points are pretty much valid.

    However, the described things are even more "harmless" and more difficult to carry out without one's own desire or need (since in this specific situation they do not affect anything, and as such it is difficult to use them otherwise.. without one's own desire and only with a very powerful set of abilities) than the general workaround or troubleshooting tips usually suggested with the current Kyber (TLS 1.3 implementation) situation. Which is also quite harmless as a "hack" for the current day.

    So I don't think this is anything close to the old school hacks mentioned. :) But I don't know, because I am more familiar with the 2000s (if not talking about / counting "historical" familiarization).

    And, also, the general idea of bypassing the "restart prompt" is an unnecessary action. Indeed the request (notification/reminder) about the need to reboot appeared for something, and not just for fun. And taking into account the context of the original message of the topic, my opinion is that this is a good design; with a sufficient level of freedom and choice.

    I also clicked on the "Turn off protection" button, but 

    wajika, don't forget to turn it back on. There is no need to leave it disabled.

    and it was already empty.

    In case there is a desire to do a reboot, agreeing with the request to reboot (if it is still present), then you can return / add back this registry name/value to the keys in order to implement all the intended auto-cleaning measures (as I think) using a reboot. I just wrote to let you know that most likely there is such an option, to make things as they were before any of your attempts.

    I think that the reboot request appears because we are postponing it. Therefore this last state is remembered and postponed for the selected time. If we "postpone" again, then it reschedules itself again even without the 'key' in the registry. A way to do it differently: I described it earlier in the comments as well ('ending task/killing process' part). But I repeat where it all began - all this is very unsuitable and is not recommended.

    Thanks!

  • wajika
    wajika Posts: 12 Observer

    @Ukko

    I spent some more time testing in the afternoon, and although I tried again and again, I haven't come up with the right steps yet, but overall you're right.

    I also found an interesting thing when I was looking up the process, in fact, F-S has three ways to deal with ["quarantine", "delete", "exclude"], but it handles it automatically, if you can add ignore here, then everything that follows will not appear.
    In short, I don't make up my mind that the design of the F-S is right or wrong, but I think that making it more user-friendly is what a good product should have.

  • wajika
    wajika Posts: 12 Observer
    "C:\Program Files\F-Secure\TOTAL\ui_net6\fsactiononinfection.exe" /ElevateToExclude={"alert_type":"oas","available":["quarantine","delete","exclude"],"file_name":"Patch.exe","infection_type":"riskware","location":"C:\Users\Administrator\Desktop\Adobe.After.Effects.CC_2018_v15.0.1.73_Windows\Adobe After Effects CC 2018 v15.0.1.73 Windows\Patch","object_type":"file","read_only":false,"recommended":"quarantine","threat":"PotentiallyUnwanted:W32/App.caad125358!Online"}
    

    I attach the command line I found.
    Also, I'm guessing that the actual parent process of the action message prompt is "fshoster64.exe".
    In the afternoon, I collected a piece of process running data, and I originally intended to find out the specific source, but there was too much data and too much work, so I gave up.
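Added example (not code from this thread or from F-Secure) that parses the fsactioninfection-style command line wajika captured above. It splits off the executable and the /ElevateToExclude JSON argument and lists the threat name, the detection type, the file it concerns, the available actions and the recommended one, which is the information a defender wants from such a prompt without re-running anything. One caveat the captured line shows: the Windows path inside "location" is not backslash-escaped, so the function doubles lone backslashes before handing the text to the JSON parser. The function name is my own; the sample line is the one quoted in the post, and the meaning given for "oas" in the comment is my assumption.

```powershell
# Added example, not code from the thread or from F-Secure.
# Parses the fsactiononinfection.exe command line quoted in the post above.

# The command line exactly as captured in the thread (single-quoted here-string: nothing is escaped).
$SampleCommandLine = @'
"C:\Program Files\F-Secure\TOTAL\ui_net6\fsactiononinfection.exe" /ElevateToExclude={"alert_type":"oas","available":["quarantine","delete","exclude"],"file_name":"Patch.exe","infection_type":"riskware","location":"C:\Users\Administrator\Desktop\Adobe.After.Effects.CC_2018_v15.0.1.73_Windows\Adobe After Effects CC 2018 v15.0.1.73 Windows\Patch","object_type":"file","read_only":false,"recommended":"quarantine","threat":"PotentiallyUnwanted:W32/App.caad125358!Online"}
'@

function ConvertFrom-FsActionCommandLine {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$CommandLine)

    $line = $CommandLine.Trim()

    # Executable: the quoted first token, or everything up to the first space.
    if ($line.StartsWith('"')) {
        $end = $line.IndexOf('"', 1)
        $exe = $line.Substring(1, $end - 1)
    } else {
        $exe = ($line -split ' ', 2)[0]
    }

    $marker = '/ElevateToExclude='
    $at = $line.IndexOf($marker)
    if ($at -lt 0) { throw "No $marker argument in command line" }
    $json = $line.Substring($at + $marker.Length)

    # The path in "location" uses raw backslashes, which are not valid JSON escapes.
    # Double every backslash that does not already start a JSON escape. Case-sensitive
    # on purpose: "\U" (as in C:\Users) must be doubled, a real "\u" escape must be kept.
    $json = $json -creplace '\\(?!["\\/bfnrtu])', '\\'

    $alert = ConvertFrom-Json -InputObject $json

    [pscustomobject]@{
        Executable    = $exe
        AlertType     = $alert.alert_type      # 'oas' in the sample; assumed to mean on-access (real-time) scanning
        Threat        = $alert.threat
        InfectionType = $alert.infection_type
        ObjectType    = $alert.object_type
        File          = Join-Path $alert.location $alert.file_name
        ReadOnly      = [bool]$alert.read_only
        Available     = @($alert.available)
        Recommended   = $alert.recommended
    }
}

$parsed = ConvertFrom-FsActionCommandLine -CommandLine $SampleCommandLine
$parsed | Format-List
```

For the captured line this yields threat PotentiallyUnwanted:W32/App.caad125358!Online of type riskware, the three available actions quarantine, delete and exclude with quarantine recommended, and read_only false. The same function can be pointed at a command line taken from Task Manager's "Command line" column or from `Get-CimInstance Win32_Process`, which is also where the parent process wajika was looking for can be read off without collecting a full process trace.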

  • Ukko
    Ukko Posts: 3,768 Superuser

    Hello,

    in fact, F-S has three ways to deal with ["quarantine", "delete", "exclude"], but it handles it automatically, if you can add ignore here, then everything that follows will not appear.

    Well, only for certain situations and certain types.

    For example, if it is an 'archive' - then, the only way to deal with it is "skip".

    I think the three options given were the “available” options for that particular situation. And, basically, 'exclude' is a kind of 'ignore'.

    However, indeed most types of threats are handled automatically. To be honest, it is written somewhere in Help / how-to / online guide - how and which type is processed by default. I just can't find it for some reason.

    And most often (and almost exclusively) this only applies to detection by the real-time scanning module (automatic scanning). If you scan manually (context scan, Virus Scan or Full Virus Scan through the UI with the Scan Wizard window), then you will make the decision manually with the ability to "override" the default one (override what is in the list of available other options).

    Automatic scanning picks up directly only "active" threats or those that have been accessed. That is a critically important event. Therefore, action is required immediately. Some things are skipped for automatic scanning (most likely "archives" before unpacking or manipulating them). That is, both the load and the ability to react without 'reason' are reduced.

    "fshoster64.exe".

    is just one of the main / core services of F-Secure. So, as such, it will be the 'ruler'.

    But the window/prompt is shown by another executable/process (does not matter who triggered). As I understood it.

    Thanks again. Sorry for one more reply from me.

    I don't make up my mind that the design of the F-S is right or wrong, but I think that making it more user-friendly is what a good product should have.

    // yes… the only trouble is in the definition of "user-friendly". many will have different opinions. as well as there can be multiple approaches for a similar level of friendliness.

    If your only goal is for F-Secure to not process anything on its own by default and always ask for advice, approval or decision-making from the user, then you can probably create a new feature request there: Feature Requests — F-Secure Community

    Because I quickly couldn't find something similar. As for returning the option to decide on your own for detections by automatic scanning, I didn't see it. Or even some additions/improvements of the current real-time scanning view. Maybe I just overlooked it.

  • wajika
    wajika Posts: 12 Observer
    edited December 17

    Finally, I would like to describe the whole situation for future reference.
    I have this agent software called winxray running on my computer, and then I installed F-S TOTAL. After installing it, I didn't realize that F-S would identify it as a virus, but F-S prompted that a virus had appeared and had been dealt with, and because it was running, it prompted me to restart to solve it. Then I added winxray to the exclusion list and turned off the prompt, but F-S kept urging me to restart, and then this post appeared.

    This software is not a virus. I have submitted it to Avira (the engine used by F-S) several times as a false positive, but it has not been fixed.
    If anyone needs to verify, I've also uploaded the attachment, so it can be tested as well.
