F-Secure blocked Sage Business Desktop
My mum found that she could not get into Sage any more. When she tried to start it, a Windows error message was displayed saying that the sbddesktop.exe file was not accessible.
It had in fact been blocked by F-Secure DeepGuard:
F-Secure DeepGuard
Application was blocked. This was determined to be a high-risk application by system control heuristics.
Application path: \\?\c:\program files\common files\sage sbd\sbddesktop\v12\sbddesktop.exe
File hash: 36950ed19bb96d79bf61bddb3534b1ce1eca76b6
This appears to be the normal hash of sbddesktop.exe. Why was it blocked? I can't find the logs for F-Secure to see if I can gather any more information, but I have run fsdiag and collected the Zip file. Is there anything you can do to prevent this happening again, or to someone else?
There are also errors that may or may not be connected:
F-Secure Anti-Virus
An error occurred while scanning \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\COMMON FILES\SAGE SBD\SBDDESKTOP\V12\SAGE.SBD.PLATFORM.IDENTIFIERS.CLI.DLL.
And a similar error relating to a Thunderbird database file. Lastly, there was a single error message in the event log a few days ago from F-Secure saying that a system scan had finished and the system was infected, but no further details were provided in the event log message.
This is F-Secure AV 2014 on Windows 7.
Comments
-
Scan the exe file on https://www.virustotal.com and select "re-analyze". What detection ratio is shown?
VirusTotal scans with 50 different AV engines, F-Secure is one of them.
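Before uploading anything or filing a false-positive report, it is worth confirming that the file on disk is the same one the DeepGuard alert hashed (the 40 hex characters in the alert are the length of a SHA-1 digest). The script below is an added example, not from this thread or from F-Secure: it picks the hash algorithm from the digest length, hashes the file in chunks and compares case-insensitively. Because the real sbddesktop.exe is not available here, the `demo()` functions run the check against a constructed stand-in file; the alert hash constant is the one quoted in the original post.

```python
"""Added example: confirm the file on disk matches the hash in an AV alert."""
import hashlib
import os
import tempfile

# Hash quoted from the DeepGuard alert in the thread (40 hex chars -> SHA-1).
ALERT_HASH = "36950ed19bb96d79bf61bddb3534b1ce1eca76b6"

# Digest length in hex characters -> algorithm an AV alert most likely used.
_HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}


def guess_algorithm(hex_digest: str) -> str:
    """Return the hashlib algorithm name matching the digest's length."""
    length = len(hex_digest.strip())
    if length not in _HEX_LEN_TO_ALGO:
        raise ValueError(f"unrecognised digest length {length}")
    return _HEX_LEN_TO_ALGO[length]


def digest_bytes(data: bytes, algorithm: str) -> str:
    """Hex digest of an in-memory byte string (used for the constructed demo)."""
    return hashlib.new(algorithm, data).hexdigest()


def file_digest(path: str, algorithm: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries never have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_alert(path: str, alert_hash: str) -> dict:
    """Compare the on-disk file with the hash printed in the alert.

    A mismatch means the blocked file and the file you are about to submit
    (or look up by hash) are not the same object, so stop and find out why.
    """
    algorithm = guess_algorithm(alert_hash)
    computed = file_digest(path, algorithm)
    return {
        "algorithm": algorithm,
        "computed": computed,
        "match": computed == alert_hash.strip().lower(),
    }


def _write_stand_in(directory: str) -> str:
    """Create a constructed stand-in for sbddesktop.exe (not the real binary)."""
    path = os.path.join(directory, "sbddesktop.exe")
    with open(path, "wb") as fh:
        fh.write(b"MZ constructed stand-in, not the real Sage binary\n")
    return path


def demo_match() -> dict:
    """Check the stand-in against its own SHA-1, as if the alert had quoted it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = _write_stand_in(tmp)
        # In practice this value comes from the alert popup or event log entry.
        quoted = file_digest(path, "sha1").upper()
        return matches_alert(path, quoted)


def demo_mismatch() -> dict:
    """Check the stand-in against the thread's real alert hash: must not match."""
    with tempfile.TemporaryDirectory() as tmp:
        path = _write_stand_in(tmp)
        return matches_alert(path, ALERT_HASH)


if __name__ == "__main__":
    print("stand-in vs its own hash :", demo_match())
    print("stand-in vs thread hash  :", demo_mismatch())
```

If the computed digest matches the alert, the hash alone can be looked up on VirusTotal without uploading the binary; if it does not, the file was replaced or modified between the block and your check, which is itself worth knowing before labelling it a false positive.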
-
I uploaded the current file and received this message:
File already analysed
This file was last analysed by VirusTotal on 2013-10-21 11:48:59 UTC, it was first analysed by VirusTotal on 2013-09-26 20:54:10 UTC.
Detection ratio: 0/47
You can take a look at the last analysis or analyse it again now.
I clicked on the Reanalyze button and it came back as 0/49, still clean.
-
Good! It appears clean. You should submit it to F-Secure Labs as a "False positive": https://analysis.f-secure.com/portal/login.html
I wouldn't recommend turning DeepGuard off but you could try that if you want. And I'm not sure if excluding the file from scan would help, but you could give it a try.
About the other "errors", which sound a bit strange, I would do a scan with these to see if perhaps there's something wrong with the F-Secure scan:
-
Thanks, I submitted it as a false positive and got this response:
Subject: Re: SAS:62445 : False positive : [FS-T1047121]
Hello,
Thank you for your submission.
The false positive you experienced is caused by our proactive detection engine.
In case you got an alert popup, you might want to allow its execution manually. We also tried to reproduce the detection issue but it appears the file failed to execute properly as it is showing that the application configuration is incorrect.
However we will white-list the file and a database update will be released to resolve this issue. We apologize for any inconveniences that this false positive may have brought you. Should you have further questions, please do not hesitate to email us again.
I'm currently scanning the system with Safety Scanner and Malware Bytes as you suggested. The other errors that I found in the event log were:
11 2014-01-27 16:04:07+01:00 BIRTE-NEW BIRTE-NEW\User F-Secure Anti-Virus
An error occurred while scanning \DEVICE\HARDDISKVOLUME3\USERS\USER\APPDATA\LOCAL\TEMP\O3NRT3YC.PDF.PART.
6 2014-01-26 00:54:29+01:00 BIRTE-NEW BIRTE-NEW\User F-Secure Anti-Virus
Manual scanning was finished - workstation was found infected!
1 2014-01-21 18:26:27+01:00 BIRTE-NEW BIRTE-NEW\User F-Secure Anti-Virus
An error occurred while scanning \DEVICE\HARDDISKVOLUME3\USERS\USER\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\9JBSQFAG.DEFAULT\PREFS.JS.
-
Ok. Try launching the application once a day or so to see when the automatic database update has included it in the white-list.
What "An error occurred while scanning" means I don't know. If you didn't submit a Support Request after creating the FSDIAG file, I suggest you do that and attach the FSDIAG file so they can take a look at the log files and figure out what's causing these errors.
-
Thanks, I ran both scans and they detected a large number of objects which F-Secure had not detected, even in a full system scan. Unfortunately my mum removed them before I was able to submit them to F-Secure as malware samples.
Anyway I am rapidly losing confidence in F-Secure's protection, as this is the second time that the system has become infected despite running F-Secure and being up to date.
Thanks for the suggestions of the scanners!
-
To me it sounds as if the F-Secure Anti-Virus hasn't been working properly, which is unusual. If you send the FSDIAG to support hopefully you get an explanation for that. It would be valuable to know what was wrong. If you do that please keep us posted.
The Anti-Virus product is, when it's working properly, good protection. However, the "Internet Security" product also includes Online Safety, which has a couple more protection functions like Browsing Protection and Banking Protection, and is an overall better product. I assume most people get Internet Security or SAFE (which includes Internet Security), and not that many users get only the Anti-Virus.
For better protection with Anti-Virus I suggest you use https://search.f-secure.com/ as your search engine. It's a Google-powered search with F-Secure safety ratings, to prevent going to harmful web sites.
But Browsing Protection, which is part of Internet Security, offers better protection because it can block harmful sites no matter how you got there, compared to only checking links on the search results page.
So I advise your mum to get the Internet Security product instead. You could also take a look at awards for Internet Security