PSB setup loads unsigned DLL
I recently installed a trial of F-Secure Protection Service for Business on a Windows 10 device configured with Windows Defender ATP.
The installation of PSB triggered an alert on Windows Defender ATP, which appears to result from an unsigned DLL:
Executable with original file name 'FSSETUP.EXE' (Sha1: 648a1257c56ef23a3589be7d0ac3e4bfb0a6de74) loaded DLL 'fsaua_i.dll' (Sha1: 5b36bd96a9ef3d3f2a462715a11e16f6ff070ddc) unsigned whereas it is generally signed by 'F-Secure Corporation'
I imagine that this is a false positive (threat-wise), since the installation executable was downloaded directly from F-Secure's server and the UAC prompt indicated a setup executable with a valid digital signature.
However, I am a little concerned to see that the "fsaua_i.dll" that was loaded onto this device appears to have never been seen before:
- The DLL itself is named "fsaua_i.dll" and its SHA-1 fingerprint is "5b36bd96a9ef3d3f2a462715a11e16f6ff070ddc". According to WD ATP, the "worldwide prevalence" is 1 -- meaning that it's only ever been seen on this device. Further, the DLL was not signed, whereas it is normally signed by F-Secure.
- The executable that loaded the DLL is "fssetup.exe" with a SHA-1 fingerprint of "648a1257c56ef23a3589be7d0ac3e4bfb0a6de74". Worldwide prevalence is ~81K, and it's signed by "INVALID: F-Secure Corporation" (issued by "INVALID: DigiCert EV Code Signing CA (SHA2)").
Any ideas about what might be going on here? The installation took place on April 22, 2017, if that helps.