PSB setup loads unsigned DLL

I recently installed a trial of F-Secure Protection Service for Business on a Windows 10 device configured with Windows Defender ATP.


The installation of PSB triggered an alert on Windows Defender ATP, which appears to result from an unsigned DLL:


Executable with original file name 'FSSETUP.EXE' (Sha1: 648a1257c56ef23a3589be7d0ac3e4bfb0a6de74) loaded DLL 'fsaua_i.dll' (Sha1: 5b36bd96a9ef3d3f2a462715a11e16f6ff070ddc) unsigned whereas it is generally signed by 'F-Secure Corporation'


I imagine that this is a false positive (threat-wise), since the installation executable was downloaded directly from F-Secure's server and the UAC prompt indicated a setup executable with a valid digital signature.


However, I am a little concerned to see that the "fsaua_i.dll" that was loaded onto this device appears to have never been seen before:

  • The DLL itself is named "fsaua_i.dll" and its SHA-1 fingerprint is "5b36bd96a9ef3d3f2a462715a11e16f6ff070ddc". According to WD ATP, the "worldwide prevalence" is 1 -- meaning that it's only ever been seen on this device. Further, the DLL was not signed, whereas it is normally signed by F-Secure.
  • The executable that loaded the DLL is "fssetup.exe" with a SHA-1 fingerprint of "648a1257c56ef23a3589be7d0ac3e4bfb0a6de74". Worldwide prevalence is ~81K, and it's signed by "INVALID: F-Secure Corporation" (issued by "INVALID: DigiCert EV Code Signing CA (SHA2)").


Any ideas about what might be going on here? The installation took place on April 22, 2017, if that helps.
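The two things worth pinning down before filing the false-positive report are (a) whether the files on disk really carry the SHA-1 values the alert quotes and (b) what Windows itself says about their Authenticode status, independently of ATP. The script below is an added example written for this page, not code from the original post or from F-Secure; the file paths are assumptions (the installer is assumed to be in the Downloads folder, and the DLL is searched for under %TEMP% and Program Files, which is where setup executables typically extract their helper DLLs). It prints the SHA-1, compares it with the hashes from the alert, reports the signature status as Get-AuthenticodeSignature sees it, and, for a signed file, builds the certificate chain with .NET's X509Chain so that any "INVALID" verdict comes with the concrete chain-status flag behind it (untrusted root, revocation unavailable, expired, and so on).

```powershell
# Added example (not from the original thread): independently verify the
# hashes and Authenticode status of the two files named in the ATP alert.
# All paths below are assumptions; adjust them for the machine in question.

$expected = @{
    'fssetup.exe' = '648a1257c56ef23a3589be7d0ac3e4bfb0a6de74'   # from the alert
    'fsaua_i.dll' = '5b36bd96a9ef3d3f2a462715a11e16f6ff070ddc'   # from the alert
}

# Assumed locations: the downloaded installer plus every copy of the DLL the
# installer may have extracted. Setup helpers are usually dropped under %TEMP%.
$candidates = @("$env:USERPROFILE\Downloads\fssetup.exe")
$candidates += Get-ChildItem -Path $env:TEMP, $env:ProgramFiles, ${env:ProgramFiles(x86)} `
                   -Filter 'fsaua_i.dll' -Recurse -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty FullName

foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "not found: $path"; continue }

    $name = [IO.Path]::GetFileName($path).ToLower()
    $sha1 = (Get-FileHash -LiteralPath $path -Algorithm SHA1).Hash.ToLower()

    # Status is Valid, NotSigned, HashMismatch, UnknownError, ... On Windows 8+
    # this also recognises catalog-signed files, so an embedded-signature-only
    # tool reporting "unsigned" can be cross-checked here.
    $sig = Get-AuthenticodeSignature -LiteralPath $path

    $chainErrors = $null
    if ($sig.SignerCertificate) {
        # Build the chain the way the OS would; ChainStatus explains an invalid
        # verdict (e.g. UntrustedRoot, RevocationStatusUnknown, NotTimeValid).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $null = $chain.Build($sig.SignerCertificate)
        $chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }

    [pscustomobject]@{
        File        = $path
        SHA1        = $sha1
        MatchesAlert = ($expected[$name] -eq $sha1)
        SigStatus   = $sig.Status
        SigMessage  = $sig.StatusMessage
        Signer      = $sig.SignerCertificate.Subject
        Issuer      = $sig.SignerCertificate.Issuer
        Timestamped = [bool]$sig.TimeStamperCertificate
        ChainErrors = $chainErrors
    }
}
```

If the DLL shows `NotSigned` while `fssetup.exe` shows `Valid` with an empty `ChainErrors`, the ATP verdict on the DLL is at least accurate about the file on disk, and the question becomes why an unsigned copy exists; if `fssetup.exe` instead reports a chain error, the "INVALID" label in ATP most likely reflects the chain build on that device (missing intermediate, blocked revocation check) rather than the installer itself. Note that a SHA-1 match against the alert only confirms you are looking at the same file ATP saw; it says nothing about whether that file is legitimate.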

Accepted Answer

Comments

  • Laksh Posts: 4,444 Community Manager

    Hi Guilherme_S,


    I am checking on this with our team. I will keep you posted once I have any information on this.


  • Guilherme_S

    Thanks Tamas. I'll report this to the Windows Defender ATP Team and report back when they figure out what happened.

  • antti-fsecure Posts: 10 Former F-Secure Employee

    Hi all,


    We double-checked the binaries with our team, and we couldn't find any signing problems. Tamas also provided an extensive study of the problem, which indicated no problems in signing. Let's hope this was indeed a false alarm.


    A super-big thanks to Tamas for the great detective work. Highly appreciated.


    Cheers,

    - Antti, Senior Product Owner, PSB

  • Guilherme_S

    Thanks guys for carefully looking into this. I've already submitted a False Positive report to Microsoft's Windows Defender ATP Team, and included the information regarding VirusTotal's records for those files. They're looking into it now, I'll report back when I hear from them.

    etomcat
This discussion has been closed.