Forum language: EN | FI
If I try to install Sumtra PDF, Deepguard complains that it is trying to change a process or something like that. Is there really something wrong with Sumatra PDF?
I believe the DeepGuard prompt you got is detecting System modification attempt. This is because DeepGuard is proactive behavioural analysis system and it will continues to monitor application process.
Applications are monitored for a number of suspicious actions, including (but not limited to):• Modifying the Windows registry• Editing files in certain critical system directories• Injecting code in another process’s space• Attempting to hide processes or replicate themselves
As legitimate programs will also perform such actions from time to time, DeepGuard does not red-flag a program on the basis of a single action but instead watches for multiple suspicious operations. Once a critical threshold of suspect actions is reached, DeepGuard will block the process from continuing.
Refer F-Secure DeepGuard Whitepaper for more details.
/some words added/
Probably it's can be situation, when installer trying to determinate all processes/kill process or refresh explorer.exe for launch services by current software. /but... also you should be able to see "more"-feature during DeepGuard prompt, where will be description for "which processes are changed" - it's can be just critical file/process/ - which can be addition for "other reasons".
If current file.. not really popular or known - it's can be like "totally suspicious actions" and detected by DeepGuard (that explanation for... situations... when not each installer will be with same prompt).
If you can to trust for current software and it's from trust-source. Probably here all OK
Also... you able to create a ticket for F-Secure SAS website (like sample submission) for checking "something wrong or not". Where will be answer about part - "safe or not"
Also installer and installed software - different things.
But also here can be "wrong" with meanings "not good realizations for installer-code".
Probably "Sumatra PDF" can be detected by virustotal with some companies (if be honestly - I never use that, but current software some kind of heard by somewhat reasons?!); And it's anyway... just installer can be with payload; So, virustotal can to give view about detection just for adware-category. It's not really close to "safe or not"; Payload can be different too.
Anyway here will be detection by DeepGuard about action... and probably on virustotal it's not visible (like other behavior-detections by some other companies);
Like PDF-viewer... time to time.... I can to use STDU Viewer (STD Utility) or some kind of "close to that name" - if it's need something "portable" or "fast to look" in some situations (where not able to do it with another steps).
Scanning the downloaded file with MBAM, F-Secure, and virustotal did not raise any red flags. It was only upon installation that Deepguard complained.
I sent F-Secure support a specific query.
One reason I was a little confused is that while I have run into things which Deepguard had never white-listed, e.g. Intel's Desktop Utilities, Sumatra PDF had not been flagged in the past by Deepguard. So did F-Secure accidentally add Sumatra PDF to the malware category or has someone hacked into that webpage and/or software?
Thanks to Ukko and Simon.
I guess it's possible that the program has changed or updated, and FS haven't added it to their whitelist yet. You did the right thing by contacting Support, but you might get a quicker response by Submitting it as a Sample to the labs.
@baroque-quest wrote: One reason I was a little confused is that while I have run into things which Deepguard had never white-listed, e.g. Intel's Desktop Utilities, Sumatra PDF had not been flagged in the past by Deepguard. So did F-Secure accidentally add Sumatra PDF to the malware category or has someone hacked into that webpage and/or software?
DeepGuard time to time also with changes. It's can be new logic, new databases or other.
It's can be... that previously not detected, but now with detection. Also it's can be different in various operation-systems and etc.
But about Sumatra PDF - does you mean just installer?! It's of course can be with various situations.
If certainly about Sumatra PDF executbable files... probably you can to check "digital certs" (signed or not). And it's like "checking" for "hacked" or not.
And of course... how it already was replied... any changes in software.. will be like new "reason" for DeepGuard be more targeted for that application.
@baroque-quest wrote:Scanning the downloaded file with MBAM, F-Secure, and virustotal did not raise any red flags. It was only upon installation that Deepguard complained.
Probably... I still think about that situation... like from first reply:
- We talk about Installer (potential can be malicious and it's not related with installed-software already);
- Installer can to use during installation "determination for all processes or kill processes";
Usually... it's need for "refresh" Explorer.exe or for simply.. refresh... during adding new services for system (services by new software);
Or other reasons.. if installer created not really nice.
- DeepGuard can to detect that. And it's will be like your description for situation.
But here need to look for "DeepGuard" prompt and addition ifnromation about "which processes" and etc.
Maybe it's indeed something malicious happened.
And it's action, which virustotal can not to show. Also like MBAM can not to detect - if F-Secure not detected it's by signature-based technologies.
Potentially here need to transfer certainly "installer"-file. for my opinion.
If I correctly understand situation.
Also.. can be important.. source of downloaded files.
Potentially installer can be with payloads... and already will be "adware"-detection;
First of randomly results by virustotal:
Here file detected as "adware" or potential unwanted application (F-Secure also detected it);
It's mean... current file from source, where installer or already software.. with payload.
It's mean - potentially your sample can be "new version" of something strange. But current one "example" - without valid signed certs.... and it's mean probably here just "trick".
Your file should be with signed certs (I think).
And probably here was just prompt by DeepGuard about "installer's actions", which probably indeed can be suspicious.
Ukko and Simon:
I completely forgot about certificates. Good point.
I always download directly from the source. I never use CNET or other secondary sources because I always wonder if they have added some adware or worse.
Sumatra PDF has always bothered me a little because it has ads which intentionally confuse users into downloading adware/malware (DOWNLOAD HERE!). I realize that websites for free products need useful ads, but I suspect that quite a few people who view his site fall victim to the fake downloads.
Support wrote back with: "I would suggest you to download Adobe Reader X to view your PDF files as the program is also free for download. Adobe is a trust able and reputable software manufacturer for a very long time."
I find this response to be slightly amusing for two reasons. First, if users are not sophisticated enough to un-select the "free" Chrome download, they will get more than they wanted, just as with Sumatra PDF's website. And second, Adobe Reader has been the subject of many security flaws over the past few years, the reason many of us looked at alternative viewers.
That said, I downloaded Adobe Reader for this new PC.
Foxit is a good reader, but be aware of the complaints for its recent versions regarding including "OpenCandy" in the installer:
"We sincerely apologize for this inconvenience. I'll forward your feedback and experience to our market development team for references and evaluating.PUP means Potentially Unwanted Products. The bundled third party software will not harm your system, but provide you with an offer of a third party product. And they are not mandatory to be installed. In the process of installing Foxit Reader, you shall have an Offer Screen which allows you to Accept or Reject the bundled tool, and you can un-check the option to choose not to install the recommended tool."
I prefer Foxit when copying text from PDFs. Other than that I use Adobe and Adobe is also my default PDF reader.
In both of these programs you can increase the security in its preferences.
For Adobe - enable protected mode and view for All Files http://helpx.adobe.com/en/reader/using/protected-mode-windows.html#main-pars_header_0
NikK wrote: "In both of these programs you can increase the security in its preferences."
Thanks, that is good to know.
The story regarding Foxit and Open Candy made me want to take a virtual shower. Yuk!