PSB setup loads unsigned DLL

I recently installed a trial of F-Secure Protection Service for Business on a Windows 10 device configured with Windows Defender ATP.

 

The installation of PSB triggered an alert on Windows Defender ATP, which appears to result from an unsigned DLL:

 

Executable with original file name 'FSSETUP.EXE' (Sha1: 648a1257c56ef23a3589be7d0ac3e4bfb0a6de74) loaded DLL 'fsaua_i.dll' (Sha1: 5b36bd96a9ef3d3f2a462715a11e16f6ff070ddc) unsigned whereas it is generally signed by 'F-Secure Corporation'

 

I imagine that this is a false positive (threat-wise), since the installation executable was downloaded directly from F-Secure's server and the UAC prompt indicated a setup executable with a valid digital signature.

 

However, I am a little concerned to see that the "fsaua_i.dll" that was loaded onto this device appears to have never been seen before:

  • The DLL itself is named "fsaua_i.dll" and its SHA-1 fingerprint is "5b36bd96a9ef3d3f2a462715a11e16f6ff070ddc". According to WD ATP, the "worldwide prevalence" is 1 -- meaning that it's only ever been seen on this device. Further, the DLL was not signed, whereas it is normally signed by F-Secure.
  • The executable that loaded the DLL is "fssetup.exe" with a SHA-1 fingerprint of "648a1257c56ef23a3589be7d0ac3e4bfb0a6de74". Worldwide prevalence is ~81K, and it's signed by "INVALID: F-Secure Corporation" (issued by "INVALID: DigiCert EV Code Signing CA (SHA2)").

 

Any ideas about what might be going on here? The installation took place on April 22, 2017, if that helps.

Best Answer

  • etomcat Posts: 1,318 Superuser
    Accepted Answer

    Hello,

     

    I see no problems here:

     

    > The DLL itself is named "fsaua_i.dll" and its SHA-1 fingerprint is "5b36bd96a9ef3d3f2a462715a11e16f6ff070ddc". According to WD ATP, the "worldwide prevalence" is 1 -- meaning that it's only ever been seen on this device. Further, the DLL was not signed

     

    The VirusTotal website says that the file described by SHA1 = 5b36bd96a9ef3d3f2a462715a11e16f6ff070ddc is properly signed:

     

    F-Secure Automatic Update Agent Installation Plug-In,
    Signature verification: Signed file, verified signature,
    Signing date 08:56AM 12/9/2016,
    Signers: F-Secure Corporation / DigiCert EV Code Signing CA (SHA2) / DigiCert
    Counter-signers: DigiCert Timestamp Responder / DigiCert Assured ID CA-1

     

    See here for more:

    https://virustotal.com/hu/file/cb896eedfe3cd9438820218310d384671104efd0adc2e1c3a87e700c23c5e143/analysis/

     

    > The executable that loaded the DLL is "fssetup.exe" with a SHA-1 fingerprint of "648a1257c56ef23a3589be7d0ac3e4bfb0a6de74". Worldwide prevalence is ~81K, and it's signed by "INVALID: F-Secure Corporation" (issued by "INVALID

     

    The VirusTotal website says that the file described by SHA1 = 648a1257c56ef23a3589be7d0ac3e4bfb0a6de74 is properly signed:

     

    F-Secure Setup Core Engine
    Signature verification: Signed file, verified signature
    Signing date: 07:47AM 4/6/2016
    Signers: F-Secure Corporation / DigiCert EV Code Signing CA (SHA2) / DigiCert
    Counter signers: DigiCert Timestamp Responder / DigiCert Assured ID CA-1 / DigiCert

     

    See here for more:

    https://virustotal.com/hu/file/894525c5c0c43798d9ebf4cbbcd9207b36d003411f490d1765e6447e497e845b/analysis/

     

    (Now, if the mentioned SHA1 values have been falsified for your connection on-the-fly, then you are being targeted by such huge powers-that-be that antivirus is the least of your concerns. But I don't think paranoia is justified here. More likely the "Microsoft Enterprise Protection ATP" messed up. It is not recommended to run two different protection suites on the same computer, because they often clash and cause problems.)

     

    Best Regards: Tamas Feher, Hungary.

    MJ-perCompLakshantti-fsecureGuilherme_S
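
A local cross-check of the two files named in the alert, as an added example that is not part of the original thread: it hashes each file on the affected device, compares the result with the SHA-1 from the alert, and reports what Windows itself says about the Authenticode signature. The function name `Test-AlertedBinary` and the file paths are assumptions (the thread does not say where the files were located); the SHA-1 values are the ones quoted in the question.

```powershell
# Added example (not from the thread): verify hash and signature locally
# instead of relying only on the alert text or a third-party lookup.
function Test-AlertedBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,          # location on the device (assumption)
        [Parameter(Mandatory)] [string] $ExpectedSha1   # SHA-1 as reported in the alert
    )

    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path

    # SignerCertificate / TimeStamperCertificate are $null for unsigned files,
    # so the corresponding properties below simply come back empty.
    [pscustomobject]@{
        Path          = $Path
        Sha1          = $hash
        Sha1Matches   = ($hash -eq $ExpectedSha1)   # -eq ignores case for strings
        Status        = $sig.Status                 # Valid, NotSigned, HashMismatch, NotTrusted, ...
        StatusMessage = $sig.StatusMessage
        Signer        = $sig.SignerCertificate.Subject
        Issuer        = $sig.SignerCertificate.Issuer
        SignerExpiry  = $sig.SignerCertificate.NotAfter
        TimeStamper   = $sig.TimeStamperCertificate.Subject
    }
}

# Hashes from the alert; paths are placeholders to be replaced with the real locations.
$alerted = @(
    @{ Path = 'C:\path\to\fssetup.exe'; Sha1 = '648a1257c56ef23a3589be7d0ac3e4bfb0a6de74' },
    @{ Path = 'C:\path\to\fsaua_i.dll'; Sha1 = '5b36bd96a9ef3d3f2a462715a11e16f6ff070ddc' }
)

foreach ($f in $alerted) {
    if (Test-Path -LiteralPath $f.Path) {
        Test-AlertedBinary -Path $f.Path -ExpectedSha1 $f.Sha1
    } else {
        Write-Warning "File not found: $($f.Path)"
    }
}
```

A `Sha1Matches` of `True` together with `Status` of `Valid` means the file on disk is the one the alert refers to and that Windows accepts its signature; any other combination is worth including in the false-positive report.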

Comments

  • Laksh Posts: 4,432 Community Manager

    Hi Guilherme_S,

     

    I am checking on this with our team. I will keep you posted once I have any information on this.

     

    Guilherme_S
  • Thanks Tamas. I'll report this to the Windows Defender ATP Team and report back when they figure out what happened.

  • Hi all,

     

    We double-checked the binaries with our team, and we couldn't find any signing problems. Tamas also provided an extensive study of the problem, which indicated no problems in signing. Let's hope this was indeed a false alarm.

     

    A super-big thanks to Tamas for the great detective work. Highly appreciated. 

     

     

    Cheers,

    - Antti, Senior Product Owner, PSB

    Guilherme_S
  • Thanks guys for carefully looking into this. I've already submitted a False Positive report to Microsoft's Windows Defender ATP Team, and included the information regarding VirusTotal's records for those files. They're looking into it now; I'll report back when I hear from them.

    etomcat
This discussion has been closed.