Disable scanning for "trojan.generic.xxx" in policy manager. Tons of false positive.

stmartistmarti Posts: 29 New Member

In tha last week we started getting tons of infection of "Trojan.Generic.11935054" for exe files.

ALL "infection" is totally wrong and false positive.

At the moment F-secure client security almost useless for us because it continues deleting files which are not infected at all.

 

So something seriously wrong with the latest virus definitions (when was introduced Trojan.Generic.11935054?!)

 

The big question is how can we configure the policy manager to not scan for any "generic" virus.

Comments

  • BenBen Posts: 2,641 F-Secure Product Expert

    This detection seems to have been introduce on 14th of October.

    You can always follow the virus definition release through the dbtracker page.

     

    It is not possible to exclude a given definition on the customer side. You might want to report the false positive to our lab, providing the exe files and explaining that the problem might be with this specific generic detection.

  • stmartistmarti Posts: 29 New Member

    I have registered on the sample analysis page, and uploaded two false positive.

    No feedback, and my submission list is empty.

     

    Is this service useable at all?

  • BenBen Posts: 2,641 F-Secure Product Expert

    Hello Stmarti,

     

    Did you fill the message field in English? This is a compulsory  step to receive feedback.

    If you need to contact our Response Team, include your question or incident details in the "Message" field. Else, please leave it empty.

     

    Also note that under certain circumstances submissions might be removed automatically  from the list.

     

    Are you still suffering of the false positives?

     

  • etomcatetomcat Posts: 1,319 Superuser

    Hello,

     

    If the generic alerts come from the Aquarius scan engine (old-school malware fingerprint database based detection technology) then I have no idea if they can be excluded. On the other hand, if these alerts come from the DeepGuard subsystem (Gemini engine?) within F-Secure, then maybe turning off the Deepguard Advanced mode (mini-DLL) scanning mode or even turning off the DeepGuard module entirely, could help as a temporary measure.

     

    However, turning off DeepGuard entirely would cut the protection level by about 33% and especially hurt in protecting against newly emerging malware!

     

    By the way, I usually try to avoid using the SAS website, because it works sluggishly and rather try to submit new, undetected malware samples or false virus alert files via e-mail attachment to F-Secure Lab.

     

    Best Regards: Tamas Feher, 2F 2000, Hungary.

  • stmartistmarti Posts: 29 New Member

    DeepGuard not enabled and never was.

    I've filled every field in the sample report form.

     

    We still getting tons of false alerts and f-secure deleting legitimate exe files.

     

    What is the f-secure lab email address?

  • etomcatetomcat Posts: 1,319 Superuser

    Hello,

     

    If you are a hungarian, false alarm file samples or undetected malware samples can also be sent to us, at: minta kukac 2f pont hu

     

    (I don't think F-Secure's Virus Lab partner address accepts samples directly from end users. Maybe other national partners also have local sample collection addresses.)

     

    Best Regards: Tamas Feher, 2F 2000, Hungary.

  • stmartistmarti Posts: 29 New Member

    Samples sent to hungarian office.

This discussion has been closed.