[FSIS 2014] question about DeepGuard

Alpengreis
Alpengreis Posts: 35 Explorer

Hi all,

If DeepGuard in F-Secure Internet Security 2014 "reacts" and asks about Internet access for a program, I noticed the following:

If you click the window away (click on "X"), which is not even necessary for programs without a GUI, DeepGuard does not ask again for this program and access is allowed. At least after a PC reboot, DeepGuard asks again.

I've read that (if not already automatically blocked or approved) DeepGuard will ask after the first program start. That it explicitly asks only on the first start (in a session), I think, is not really good. Would it not be better to ask each time thereafter, or at least, if access was not allowed or was blocked, to block temporarily?

While my firewall blocks everything that is not explicitly allowed, I still think that part of DeepGuard is not resolved well enough.

Or is that not (reasonably) feasible with DeepGuard?

Kind regards,
Alpengreis

Sorry for my English!

Comments

  • NikK
    NikK Posts: 903 Forum Champion

    I agree! I've made that mistake a couple of times myself, clicking the "X" thinking that DeepGuard will block it for now and not add it as blocked in the Monitored Applications list. I thought the "X" would block for now and then ask me next time instead. But it doesn't, at least not until reboot, as you say.

     

    Another annoying thing is that when DeepGuard asks you, it has the block radio button selected, so you definitely think that it will be blocked if you just close the window without making a decision.

     

    I don't know what F-Secure thinks, but I consider this a bug. And it might be a dangerous one if, let's say, you want to try a new program but when DeepGuard asks about it you feel unsure and change your mind. You might as well just close the window thinking it will be blocked, and you're in for a big surprise.

     

    I think you should post in the Idea Exchange. I've actually made a suggestion myself for improving DeepGuard related to connections; you can find it here. As it is now, when you allow a program in DeepGuard it automatically also allows the program to make connections. I don't like that, especially when you're trying out a new, unknown program. But still no response from F-Secure after over 3 months.

     

    I control all outbound connections too, partly because of DeepGuard's behavior. I use WFC for this and I guess there's a chance you do too? And WFC itself in fact matches this description of an "unknown" program that DeepGuard will ask about when it detects a connection.

     

    Can @Ben perhaps comment on this or forward to someone who can? Also I'd appreciate a comment on my idea suggestion for Deepguard.


  • Ukko
    Ukko Posts: 3,741 Superuser

    It's, of course, a shock when you first understand that the DeepGuard prompt can be closed just by Alt+F4 (or by clicking "close");

    For example, I was confused by that fact too when I understood it. But only about the fact that it is "so easy to close", and that afterwards it is "not allowed/not blocked" but network access is granted.

    ------

     

    But next, some points about "why it's not so hard":

     

    - I'm not sure, but we are talking about the alert/prompt about an attempted network connection ("ask me about attempts to connect to the network");

    That means the feature is optional;

    Some users can disable it, for example;

     

    - If we talk about all prompts, then it probably means totally malicious files. DeepGuard gives an alert only about "already blocked", and it does not matter how you close that alert (because it is a different alert/prompt). It is blocked (hmm, but I have not checked it, indeed).

     

    Same situation with "unknown" applications, but probably here there can be trouble. Just because it's the same as "just trying a network connection". But DeepGuard gives alerts for every connection attempt. There can be a maximum number of prompts (but not fewer than three, if it's not just one);

     

    Also, it does not always matter whether it repeats after a restart/reboot or not. DeepGuard will simply alert during a network connection attempt (probably just the first attempt or some of them). And the next launch will come with alerts again and again. Probably there can be trouble in DeepGuard's "memory".

     

    And here the next points:

     

     - That window (the DeepGuard alert) can be closed only by the user. As I understand (though previously I thought it was hard to encounter), that behavior can happen by mistake and confusion. It's not good, but DeepGuard can still give new alerts during other network connection attempts. Also, most of the same alerts are about "close to safe" programs. If you download a file and want to launch it, you can be prepared for such alerts.

    If that alert was created without you wanting it, it's already suspicious, and I'm not sure that in that situation you really need to click anything except "Block - OK";

     

    Also about "allowed" status: there can be trouble in that if it's allowed on "trying a network connection", it may be allowed for everything. I have not checked that, and just that can be trouble.

     

    But in fact it must be like "if a known/allowed application starts to do SO STRANGE and MALICIOUS actions, it gives a new alert with block information etc.". Probably it must work like that. That means DeepGuard checks/monitors applications, but if an application just "tries a network connection", why is it bad? I mean, if the prompt about the network connection attempt is closed, and then the application starts (?!) to do malicious things, that is already a new alert, and here you need to act without any mistake.

    But probably it's just either "already blocked, because malicious" or just "behavior: ask about a network connection attempt" (which will come each time if the user does not choose anything; not from continuous launching, but anyway, it just must come). Here probably all is good, except "some" points which are probably hard to realize in malicious programs.

     

    Also, it can be similar (and that, of course, is bad) that a user can allow a "known malicious" program too, but quarantine (for example) or some alerts can allow that "need" if the user wants this and ignores F-Secure's attention/alert/status information.

     

    -----

     

    Also about the window/prompt: some other behavior-HIPS/proactive products from other companies can be "gone around" just with other tricks which are not so hard to do (like "lock down the machine" during a potential alert, etc.);

     

    With DeepGuard alerts that all does not work, just because they are closed only by the user.

    But it of course means that the user must be careful with their actions.

    Possibly the DeepGuard alert gives a normal description of "what happened";

     

    It gives information about "temporarily blocked" during the network connection attempt. And it is indeed LIKE that. The connection is totally blocked.

     

    Here for the user there are just two questions: "allow it, because you know that application" or "block it forever, because you are not sure that it's safe, and the temporary block needs to be changed to permanent status";

     

    There is also information about rating/popularity status etc., which can help with that.

     

    Possibly it's not always hard to understand whether to allow or not.

     

    For example, most of the attempts are just a needed feature of the program, and without it you cannot work with the program. It means that if you are not sure it's safe, or you did not launch it, of course it needs to be blocked.

     

    If you try to launch it, and probably know that it can use a network connection, you need to allow that.

     

    Here other situations are bad, when you want an alert by DeepGuard but the situation comes without it.

     

    Sorry about a lot of text.

     

     

    In short:

     

     - totally malicious: blocked by DeepGuard by default; a closed window means still blocked (need to check, because I'm already not sure about that, but if it's not like that, it's very strange);

     

     - suspicious or close to that: gives normal information to choose what needs to be done, allow or not. You need to choose and click OK; Cancel here can mean "ask me later", and that new question can come "right now", or after some minutes, or with the next launch, or after a system restart; here the question is usually about a network connection with a detection name.

     

     - trying a network connection: probably most of those alerts are about safe programs. And if you decide to install or launch it, DeepGuard just asks one more time "are you sure" to use that program. And in some situations it's good. Because it's not always necessary to create a "collection" of a lot of programs in the system. But possibly, if you already launched it, you already "allow" potential network connection attempts. Just think again...

     

     - only the user can close the DeepGuard prompt. Other variants are hard to realize. Probably the user needs to be ready from time to time to work together with multi-layer protection (not just always automatic work). It's for the user.

     

     - if you did not launch anything but DeepGuard alerted about something, it's already suspicious. No matter what reason DeepGuard has for the alert, it potentially always needs to be blocked.

     

    If the user, in panic (and that can happen too), just closed (or randomly) the DeepGuard alert, in most suspicious/malicious situations DeepGuard or other layers will "right now" give yet another new alert.

    If the user doesn't want to allow it, he probably "stops", "reads", and "blocks it by choosing block and clicking OK".

     

    Also, that can be different.

     

    During "launch" DeepGuard can be just the first layer (except signature-based), and it can be trying to launch a dropper/downloader. If it downloads another malicious program: new alert, new block;

    Already here the user must be careful in actions and run a scan of the system.

     

    Anyway, if for a program during an alert the user closes it, and without status (allow or block in DeepGuard storage), DeepGuard re-alerts or re-checks etc. A new alert must come.

     

    But here there can be a situation: if during that re-checking the "unknown file" has already become a "known file" (in reputation or popularity status, for example), it can already "miss" the new alert.

    But that means the first alert was not about a critical malicious action, which probably is always just "blocked automatically" and the user just received information about it by a DeepGuard alert. Here it already does not matter how the user closes it (but here one can check too; I never tried that).

     

    I also created a private letter, to stop my answer growing.

     

    Sorry again.

  • Alpengreis
    Alpengreis Posts: 35 Explorer

    And if a program has no GUI, a second program start/try is enough (tested with a server app) and Internet access is open, WITHOUT the DeepGuard alarm window having to be closed first. That's not good!

    I also use WFC and can handle such things, but DeepGuard should be really DEEP and not just superficial.

  • Alpengreis
    Alpengreis Posts: 35 Explorer

    To explain the case with "no GUI" ...

     

    I had the following case:

     

    After the first start (in a session) of a program without a GUI (server app, initiated through a client device in the network), the DeepGuard alarm window appears and waits for user action. But for a second start/try through the client device, Internet access is open even with the waiting alarm window...

    Hopefully it's clear now; it's difficult for me to explain in English, sorry...

    Greetings,
    Alpengreis

     

  • Alpengreis
    Alpengreis Posts: 35 Explorer

    Hello F-Secure Team, can you react to this please?

  • NikK
    NikK Posts: 903 Forum Champion

    Still no response from FS I see.....

     

    This is not wanted behavior by DeepGuard. IMO it's a "bug" or perhaps multiple bugs. So at least a comment would be nice!

    Can @Chrissy or @AniaC please forward this to someone who can give us some answers? (I already tried Ben but no luck)

  • Hi NikK!

     

    Thanks for noticing! I've already escalated the thread and have it on my monitoring list. Should have a response soon :)

  • NikK
    NikK Posts: 903 Forum Champion

    Thanks Chrissy!

     

    In short:

    A program should only be allowed to run if you manually allow it.

    Closing a DeepGuard window without selecting allow or block should be treated as "Block it for now and ask later" (next time the program is launched).

  • Alpengreis
    Alpengreis Posts: 35 Explorer

    And note:

    When a server application without a GUI (started by a client device) was running here with me, it was not even necessary to close the DeepGuard window!

    It was just approved at a later connection attempt. When I came to the PC with the server app, the DeepGuard window was still present.

    Regards
    Alpengreis

     

    *****

    NEWS about "without GUI", after retesting...

     

    The case concerning "no GUI" I cannot repeat (no more?). I do not know how I had done it at that time. However: this does not change the case when the window is clicked away.
    *****

    NEWS about "without GUI", after retesting...

     

    Not sure, but I believe I also had the case again with a server app without a GUI: after restarting the client app and a new try to connect to the server app, the connection was possible, WITHOUT quitting the DeepGuard notification ("block or allow?") window first...

     

    PS: Would be good to hear some news about this theme from the F-Secure Team!

  • Alpengreis
    Alpengreis Posts: 35 Explorer

    Newest info about this:

     

    According to the German forum (URL http://community.f-secure.com/t5/Schutz/FSIS-2014-Frage-betreffend/td-p/46367/page/2) it SHOULD be fixed (not tested myself; I cannot test at the moment)...

  • NikK
    NikK Posts: 903 Forum Champion

    I did a test on a command-line utility I have that connects to the Internet. It was previously allowed, so I deleted it from the DeepGuard settings.

     

    When launched I got a DeepGuard prompt. The block option was pre-set. I clicked the red X in the top right to close the window. The DeepGuard prompt appeared again. I closed it. It reappeared a 3rd time. I closed it.

     

    After that, no more DeepGuard prompts. I checked the Monitored Applications and the program was not in the list. After a few more attempts (without additional DeepGuard prompts) the program was successful in both running and connecting to the Internet. This is bad because I never allowed it.

     

    Is this better than it was before when this thread was created? I don't think so

  • Alpengreis
    Alpengreis Posts: 35 Explorer

    Interesting! Thank you for your posting, NikK!

     

    And was this really an unknown program for DeepGuard? Because "known good programs" are added automatically to the allow list of DeepGuard, AFAIR...

     

    Kind regards,

    Alpengreis

     

    EDIT: Yes, you are right, it seems that it is NOT fixed! I tried with an unknown program: after clicking "X" the connection was possible (without an entry in DeepGuard)!

     

    So, please fix this F-Secure! Thank you!

     

    PS: FSIS 2015

  • Ukko
    Ukko Posts: 3,741 Superuser

    Hello,


    But closing the DeepGuard prompt by any button or ESC is not really the design.

     

    Potentially only a user is able to close the DeepGuard prompt. But he probably should not do this action. Just as he is also able to "allow". Or to disable protection features of F-Secure, etc.

     

    If there can be automatic software to "detect" and "close" a DeepGuard prompt, maybe it can be detected by F-Secure as malicious (and the sample should be known after some attempts to use it). But it can also come with the meaning of a "targeted attack". And probably here there can be steps for a targeted attack against F-Secure protection by other means that are not so hard (compared with trying to create logic to "detect/close" the DeepGuard prompt).

     

    -----

     

    Trouble can come in a situation when the DeepGuard prompt is created and the "launched" code goes on to "shut down" the user session. When you come back to the user session, DeepGuard is closed and the connection is created.

    But DeepGuard previously had protection against this kind of thing. Such as: "software" which goes through "specific" steps (such as "shut down the user session" some seconds after launch, which DeepGuard prevented) does not break the DeepGuard hook.

     

    But maybe now it's changed (?!), or just because there can be various meanings here and you are able to create something better and re-check it.

     

    -----

     

    And with another meaning: when the "user" closes the DeepGuard prompt (three times), the next launches will be undetected for some limited time (ten minutes?! or more, or otherwise as required). That is of course not nice, not good.

     

    But here are additional points:

    - it's network-based. Any trouble with DeepGuard's network operation, and the prompt may also not be created.

    - here it should be without problems when the network connection (here I mean the system's connection to the network) becomes stable just after the system starts. And here there can be issues if the network connection becomes good only after the launch of the system...

    DeepGuard also becomes ready to protect only some time after the "time point" when the network connection is established. Between these time points various not-nice actions can also happen.

  • NikK
    NikK Posts: 903 Forum Champion

    Yes, I'm sure. I did one more test, after a reboot, and DeepGuard prompted me 3 times. I clicked the X to close it every time. After the 3rd time the program was launched and successfully downloaded files from the Internet.

     

    I never allowed the program.

    It's not in the monitored applications list.

     

    If you close all DeepGuard prompts without allowing the program, then it's allowed to run anyway?! I don't get it. Could F-Secure please explain this!

  • Ukko
    Ukko Posts: 3,741 Superuser

    As an addition.

     

    Probably there can be a logic here. And here it would be nice to check the following:

     

    -> Prompt by DeepGuard when it's simply blocked by default (this can be for "network connection attempts" too). Without user decision variants.

    What will happen if you close this prompt? Potentially here it should be blocked status and without an "allow result" (after three reminders).

     

    -> Prompt by DeepGuard with user decision variants (where you are able to allow or block it).

    In my opinion, around the required points for choosing something and accepting the current decision.

     

    If you close it without a decision:

    If the DeepGuard prompt is not created, it is not able to create a prompt about "decision variants".

    If DeepGuard does not block the current sample automatically as "just block and enough", it is not able to block it silently after three reminders beforehand.

     

    -----------

    And as an addition about the behavior of "close".
    Probably here there can be a normal design, such as:

    During "close" the user thinks that it will be closed. Just as any pop-up should be visibly "available for close" by a specific icon or by ALT+F4. And after closing there should be a "closed" reaction.

    Just as "close" can be related to "cancel any actions". Skip or close, or ignore, or just close.

    And here the normal behavior for a "close" action is "close" semantics (that is, not choosing something where there can be any actions after decisions).

    And when "close" comes with any actions (such as an automatic decision or a trigger for something, which can come with any malicious ads), there can be more potential trouble for work or for "exploiting" the current behavior.


    Sorry for the new additional words. Anyway, here there should be, and could be, an interesting answer or explanation by the F-Secure (or DeepGuard) team.

  • Ville
    Ville Posts: 737 F-Secure Product Expert

    @NikK 

     

    Closing DeepGuard prompt without selecting Allow or Deny is interpreted as "I don't care" / "I have other stuff to do, leave me alone" kind of action. So DeepGuard uses automatic logic in this case. It is not the same as selecting Deny.

     

    Ville

    (F-Secure R&D)


  • NikK
    NikK Posts: 903 Forum Champion

    @Ville Thanks for explaining. The problem however is that no user can know this until they experience it themselves. It's good that it now takes 3 close attempts, but previously it required only one, and how would a user know that closing the window will allow the program to run...

     

    Personally I would prefer that the window can't be closed until I decide on one of the options. Then there would be no room for confusion, or even worse, a nasty infection because the program was allowed to run even without "explicit approval".

  • Alpengreis
    Alpengreis Posts: 35 Explorer

    From NikK:

    "It's good that it now takes 3 close attempts, but previously it required only one, ..."

     

    In MY test, after ONE click on "X", the 2nd connection attempt was allowed (without an entry in DeepGuard)!

     

    However, a click on "X" should at least have this logic: "I will not make a decision NOW, leave it blocked...".

     

    THEN two scenarios would be possible/sensible:

     

    a) leave it blocked temporarily, for example until the next boot or for a certain time period

     

    or

     

    b) each connection try opens a new DeepGuard dialog.

     

    THAT would be sensible IMHO.

     

    Greetings,

    Alpengreis
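The two behaviours argued over in this thread, modelled side by side as an added example. This is not F-Secure's code and not a description of how DeepGuard is implemented internally; the "three dismissals, then silently allowed for about fifteen minutes, with no Monitored Applications entry" rule is taken from what NikK and Ukko report observing, and the "dismiss means block now, ask again later" rule is scenario (a)/(b) above. The application name, the `hold_seconds` knob and the cooldown value are assumptions made for the simulation.

```python
"""Model of a behaviour-blocker prompt policy: fail-open vs fail-closed on dismissal.

Added example, not F-Secure's code. The numbers (3 dismissals, 15 minute cooldown)
are taken from the forum posters' observations, not from any published spec.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Answer(Enum):
    ALLOW = "allow"
    DENY = "deny"
    DISMISS = "dismiss"   # user closed the prompt with X / Alt+F4 / Esc, no decision


@dataclass
class Verdict:
    allowed: bool    # was this connection attempt let through?
    prompted: bool   # was the user shown a prompt for this attempt?
    reason: str


class FailOpenPolicy:
    """Reported behaviour: a dismissed prompt is 'I don't care'. After `max_dismissals`
    dismissals the program is silently allowed for `cooldown` seconds and never
    enters the persistent monitored-applications list."""

    def __init__(self, max_dismissals: int = 3, cooldown: float = 15 * 60):
        self.max_dismissals = max_dismissals
        self.cooldown = cooldown
        self.monitored: Dict[str, str] = {}          # explicit allow/deny, persistent
        self.dismissals: Dict[str, int] = {}
        self.auto_allow_until: Dict[str, float] = {}

    def connect(self, app: str, answer: Optional[Answer], now: float) -> Verdict:
        if app in self.monitored:
            return Verdict(self.monitored[app] == "allow", False, "explicit decision")
        if self.auto_allow_until.get(app, 0.0) > now:
            return Verdict(True, False, "auto-allowed after dismissals (fail open)")
        # A prompt is shown; `answer` is what the user did with it.
        if answer in (Answer.ALLOW, Answer.DENY):
            self.monitored[app] = answer.value
            return Verdict(answer is Answer.ALLOW, True, "user decided")
        self.dismissals[app] = self.dismissals.get(app, 0) + 1
        if self.dismissals[app] >= self.max_dismissals:
            self.auto_allow_until[app] = now + self.cooldown
            return Verdict(False, True, "dismiss limit reached: further attempts auto-allowed")
        return Verdict(False, True, "dismissed: blocked this attempt")


class FailClosedPolicy:
    """Requested behaviour: a dismissed prompt means 'no decision yet'. Block this
    attempt, store nothing permanent, and ask again on the next attempt; with
    `hold_seconds` > 0 stay silently blocked for that long before asking again."""

    def __init__(self, hold_seconds: float = 0.0):
        self.hold_seconds = hold_seconds     # assumption: scenario (a) timer, 0 = scenario (b)
        self.monitored: Dict[str, str] = {}
        self.hold_until: Dict[str, float] = {}

    def connect(self, app: str, answer: Optional[Answer], now: float) -> Verdict:
        if app in self.monitored:
            return Verdict(self.monitored[app] == "allow", False, "explicit decision")
        if self.hold_until.get(app, 0.0) > now:
            return Verdict(False, False, "temporarily blocked after dismissal")
        if answer in (Answer.ALLOW, Answer.DENY):
            self.monitored[app] = answer.value
            return Verdict(answer is Answer.ALLOW, True, "user decided")
        self.hold_until[app] = now + self.hold_seconds
        return Verdict(False, True, "dismissed: blocked, will ask again")


def simulate(policy, dismissals: int, attempts_after: int, step: float = 1.0) -> Tuple[int, int, bool]:
    """Dismiss `dismissals` prompts in a row, then make `attempts_after` more attempts
    one second apart, still closing any prompt that appears. Returns
    (attempts allowed, prompts shown, app present in monitored list)."""
    app = "unknown_tool.exe"   # constructed name for the simulation
    t, allowed, prompted = 0.0, 0, 0
    for _ in range(dismissals + attempts_after):
        v = policy.connect(app, Answer.DISMISS, t)
        allowed += int(v.allowed)
        prompted += int(v.prompted)
        t += step
    return allowed, prompted, app in policy.monitored


if __name__ == "__main__":
    print("fail open  :", simulate(FailOpenPolicy(), 3, 3))     # (3, 3, False)
    print("fail closed:", simulate(FailClosedPolicy(), 3, 3))   # (0, 6, False)
```

With the fail-open policy the three dismissals leave no trace in the monitored list, yet the next three attempts go through without a prompt, which is exactly the state NikK describes. The fail-closed policy never allows anything the user did not explicitly allow, and the only cost is repeated prompting.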

     

  • Ukko
    Ukko Posts: 3,741 Superuser

    Sorry again for my reply.

     

    Probably there is one behavior here (previously and now).

    As I understand it, "three attempts" is just a maximum (maybe), or just a limit for one application with one destination, but...

     

    Anyway, at the current time (for example, today I went to re-check it) it is also possible to close just one time. And there will be no new prompts by DeepGuard, which can be related to:

    -> type of application;

    -> how often the application tries to make a network connection;

    -> something else.


    But basically, in my experience, three attempts can be the "limit". In a specific situation, when an application becomes very, very, very suspicious for DeepGuard and creates a lot of network connection attempts per second (here there can be just prompts which were prevented at one time, about the first prompt. And during a DeepGuard prompt all other connections are paused, totally. So all the others go under the first one, if it is closed, because they were "hooked" and because no decision was chosen).

     

    ------------------

     

    Also today I re-checked it with FS Protection (?!) and here there was a funny situation. I got a DeepGuard prompt and decided to "close it" with the button. And there were no new prompts by DeepGuard (I did not check the application's connection), but it's logical, because the prompt was about a module which potentially creates a "ping" just once. But after that I found that the Notification history (Chronology) has a line about a "Blocked decision" for the current attempt. I did not go to check DeepGuard storage, and already after some minutes (and a lot of other prompts for other modules) I got another prompt about the current application/module (which was just a fresh prompt, as if "not blocked" before) and I allowed it (which created a situation where of course I was not able to check DeepGuard storage about the current point).

     

    So it means my close action by the close button was marked as "application was blocked/denied" in the chronology by F-Secure.

     

    --------------------

     

    With the logic about the "CLOSE" button, I still think that the "Close" button should "close". And "close" means cancel or ignore any decisions. Without anything else. I want to close it, not save it. Just cancel and close.

    I don't really love the logic in Windows/Internet Explorer, where you are able to change any settings and choose "Cancel", but it is already saved in real time, and it does not matter that you don't want to accept your changes (which can be random changes).

     

    But maybe here there can be an improvement.

     

    When choosing the "CANCEL" button or "ALT+F4", if possible, ADD something like:

     

    a new prompt/window: "ARE YOU SURE?! DO YOU WANT TO CLOSE THIS IMPORTANT PROMPT WITHOUT A DECISION!?" :)

     

    or something like that.

     

    and after that, "OK. But are you certain you want to do that?!" And after that yet another prompt: "OK. We understand your wishes. You want to close it without choosing a decision. Right?" ...

     

    Maybe that can be a better variant there, if it's not possible to create a feature for "one-time/temporary blocking of the connection" (and it would be the default choice also when you close by the "close" button).

     

    If there is, anyway, maybe "closing" the DeepGuard prompt comes with automatic logic around actions which can be important there (at the current time, I mean).

  • Ukko
    Ukko Posts: 3,741 Superuser

    Sorry again for a new reply.

     

    Just as an addition. Today I created a new experiment around DeepGuard (and the FS Protection version) for checking some of my previous words, so I just placed some points about it here (when the user for some reason decided to close DeepGuard, which certainly means an ignore-close where one needs to choose a decision variant):

     

    -> I got six prompts (by DeepGuard) for one application (and probably that's not a limit on the number of prompts),

    about different destinations (IPs), such as an application trying network connections to some destinations (various three addresses or optionally ports);

     

    -> But THREE (as probably the max limit) for one destination. That means three prompts about network connection attempts to one IP/port, and in between attempts to other addresses. And already after "three about one" (as the first destination) the application gets its connection (for the current IP), but DeepGuard still prompted about the others, but just six prompts (as the limit in this local situation).

     

    -> AND it looks like maybe there can be limits from the Security Cloud's work?! Such as it's not possible to create a lot of connections in a short time?! To prevent any "blocking" points by the system security mechanism (around TCP/IP, as an example, and applications which can be malicious).

     

    AND maybe there can be something around a cache anyway?!

     

    -> Because when six prompts have happened, the next launch already comes without a DeepGuard prompt (potentially for fifteen minutes?!).

    But re-copying the application to another folder (any) already creates a situation where DeepGuard is again able to prompt. Again six times with the current sample.

     

    -> And also each "close by close button" gets marked (in Notification history/Chronology) as "application was blocked by DeepGuard". And now I checked DeepGuard storage: in fact, it does not go into DeepGuard storage as a blocked application.

     

    -> Finally, after a lot of tries with that, I got a situation (already when I had blocked the application during the DeepGuard prompt) where trying to launch the application (which is marked as blocked in DeepGuard storage) came without a DeepGuard prompt about it (which should be there and was there some tries before). Just a system prompt about "not able to launch, because hooked around rights". That is, the prompt was not created, but all actions around it worked (Windows journal, Chronology list, Action, DeepGuard storage information refreshed).

     

    Sorry if this was without helpful or interesting information. Maybe I have already forgotten some things too.

  • Can I use NoVirusThanks EXE Radar Pro or VoodooShield with F-Secure IS?

    Do I need VS or ERP with F-Secure, or is it not necessary?

  • NikK
    NikK Posts: 903 Forum Champion

    There's a thread here: Security products that complement F-Secure AV/IS

    If you scroll down to @Blackcat's post you'll find EXE Radar Pro. But please read my post too.

     

    Don't know about Voodooshield but as a general advice try searching or asking at http://www.wilderssecurity.com/

    That's the number one site for security IMO. The users at that forum seem to keep track of everything. I've even seen my posts here quoted there many times (as an example of what they cover)

  • Alpengreis
    Alpengreis Posts: 35 Explorer

    F-Secure Team, what about this behaviour now?

This discussion has been closed.