a Youtuber claimed ( 2months ago ) that F-Secure SAFE Bypassed!

Parham
Parham Posts: 103 Enthusiast

Hi.

 

someone just gave me this link: https://www.youtube.com/watch?v=5E4fuuzVa5g

what does F-Secure think about that?

Thank You!

Comments

  • Parham
    Parham Posts: 103 Enthusiast

    Hi again.

    dear @Laksh

     

    may i ask you please track down this case and let us know what F-Secure thinks about that?

    Bumped!

  • Hi Parham,

     

    I have already noted on this and checking internally. I will try to post once I have any update.

  • Hi Parham,

     

    Based on the video, could you confirm or ask the video author if the test was done on a closed network?

  • Parham
    Parham Posts: 103 Enthusiast

    Hi Laksh,

    i am afraid i have no idea and also i have no connection with the guy..

    isn't clear in mentioned video?

  • Ukko
    Ukko Posts: 3,741 Superuser

    Hello,

     

    Sorry for my reply (since I'm not a F-Secure staff or something around this).

    Just because there such delay with official response... but based on this situation (and mainly based on potential response) --> I also want to ask about some things (so... maybe if there planned any official responses - maybe it possible to merge with my 'additional' ask too?!);


     

    Spoiler

    Also - sorry for my own suggestions about this example (youtube-video);

    I watched  this video when topic is created (and did not re-watch it else one time.. so... it will be only about points which I remember);

    I able to think about next points:

     

    ---> I not sure about:

    - there is "bypass" or

    - "undetected malware/harmful items";

     

    Generally.. it can be with "one" meanings between this. But "undetected" malware can be with many other examples too; And quite likely that it available and possible with large count of examples;

     

    Probably "bypass" (with my opinion) also likely... if it required; As potential situation.

     

    ---> not clear about "re-ask from F-Secure" about closed network (basically - it clear, but... based on video... I able to think that F-Secure Labs with full abilities/configuration and infrastructure for repeating it with this certain view; and maybe it not really main concern);

     

    What I remember from video... and what kind of "bypass" probably there was:

     

    Since it more as "PoC"-video probably and some of results based on this 'status' (but most of steps can be with another view or 'style'; All of them can be more "tricky" or with larger impact);

     

    --> Firstly there "bypassed" mail-communication layer;

    User received "dangerous malicious mail-letter" under mail-client;

    So -> trick-letter already there; F-Secure do not prevent it by their antispam module (if there was setting configured and supported under mail-client); Potential 'service'-provider also do not filter it; User also decided to read such letter;

     

    I able to think about this with next points:

    - with fresh builds of F-Secure SAFE it more likely to meet; Since spam-filter is dropped (?) at all; :)

     

    - I able to think about it as "OK". Because if there "mail-client" in use.... communication should be under encryption (with certain secure channels); And antispam-module by F-Secure (or scanning such traffic) not useful or not possible to scan it. So... if there "not encrypted" or risky protocols "in use" - most likely there can be another threat-steps (than this ones.. where required next actions);

     

    - with web-mail-services... there usually "spam"-filter can be with high rate of detection; But there anyway required kind of "signature/rules/hash/certain detection";

     

    --> Then user decided to open link from letter. And there "bypassed" kind of web-browsing protection (Secondly);

    So -> certain URL is not blocked as harmful-rated (or suspicious-rated);

     

    I able to think about this with next points:

     

    - quite likely that there is can be 'unrated' malicious website/page/resource;

    - or exploiting certain service, project or hacked page;

    - another tricks (I able to think about some of them);

     

    --> So certain malicious webpage is opened (or even it was direct link for downloading);

    And user trigger download certain malicious file (by additional step or by opening webpage);

    Browser trigger "prompt" about it... and user do not save it (?!), but open/launch.

    Generally - I remember that there was scanning by Scan Wizard (but I already do not remember when... so maybe certain steps was with another view);

     

    With any of meanings certain .hta file is launched. And there "bypassed" file scanning layer (Thirdly).

    It did not trigger detection by scan or by DeepGuard;

     

    I able to think about it as:

     

    - there can be a lot of limitations; and also not clear many points; so - there can be many suggestions;

     

    - it also possible that F-Secure do not detect certain .hta-file based on points that this is not harmful 'content' or malicious-code. There can be only 'valid' usage of powershell (as example) commands and abilities; Where is detection can be reasonable only based on "signatures" (or some tricks, but with avoiding a lot of false positives);

    Since - it was probably available to re-check and understand certain payload... but I did not this. So, there not clear also what .hta-file did and used. 

    I able to think that powerful-abilities of .hta  (with using scripts and default system tools under html-application) can be enough for perform many troubles by using only valid things. And it can be enough for this things/actions - what will be there under video as result; So - if it like that - most likely for proper detection it -> there required signature/hash or certain view of this certain example;

     

    - maybe it was certain usage of "vulnerability" (unknown) under another software. As example, about this date... probably there was many known 'unknown' vulnerabilities and exploit-using by many malware (include things like Dridex);

    So additionally to F-Secure - there can be "bypassed" system layers (including things like UAC and other);

    Not sure about why DeepGuard do not detect it (maybe additionally to .hta-file launched by user and if there in use system tools by .hta or exploiting certain vulnerability.... maybe there also was just "valid" steps to perform this "bypass" - since there quite many designs to do so.... long time how); Or maybe DeepGuard was on weekends (did not re-check day/timestamp under video.........);

     

    More looks as there "undetected" malware.

    But maybe there "known" malware-example (or even... .hta-file which usually detected by F-Secure..   OR things under .hta-file usually detected by F-Secure) and with this certain specific view and kind of trick there possible to perform "bypass" and avoid/drop detection (even it should be there); Quite likely probably (if we talk about target-things);
    Or even exploiting some direct vulnerabilities under F-Secure SAFE; With such meanings - maybe they/he able to be part of https://www.f-secure.com/en/web/labs_global/vulnerability-reward-program ;

     

    Basically - it not clear about this point... does DeepGuard or F-Secure another scanning/detection layers have to handle this file/files (I able to think that F-Secure Labs clearly able to check it; Also since.. probably such 'design' there already not months... but more time?!); but anyway -> certain malicious file is launched by user, it execute something...  and F-Secure did not think about it as about malicious/harmful/suspicious activities (based on somewhat reasons);

     

    --> Then there was many other potential steps (which generally F-Secure also able to detect with some of meanings?!) - but I not sure.. that I remember all of them.

     

    But I able to think about certain point of this (except - there mostly was kind of "potential" valid looks for F-Secure SAFE... since most of actions... can be as part of valid process ---> but anyway strange that it was globally undetected - even it probably expected);

     

    With some of recent articles/blog-articles (?!) by F-Secure there was claimed that Mimikatz marked as harmful/malware; So - it should be detected.... but there it was "in use" - but not detected ?! Or it was with another usage this tool (?!); Or/And there required many limitations (like "only" cloud-detection; or only certain "certain"-engine detection or something else?!);

    Since -> even this recent articles by F-Secure noted this tool as malware -> before this "article" -> and about this certain situation from article... -> there was probably undetected example of this tool?! maybe modified or so?! at least... based on some of F-Secure meanings;

     

    Anyway -> based on previous steps (or another with such result) - most likely there available to perform many other troubles and activities (even if "this ones from video" will be detected);

    So, most likely that such situation quite likely.. and can be with different result. Even there probably was kind of limitation and certain meanings only; Also probably required additional steps by user;

     

    And generally... video probably mainly about potential steps... and they able to perform many of such situations (with another view with different status of abilities).


    But I want to ask some things: 

     

    {FIRST---> Does layer of DeepGuard as "Inform me when unknown application trying to create network connection" which was disabled under video (and this "option" also dropped with fresh F-Secure SAFE builds) was USEFUL against such situation?;

     

    Looks like that, at least, with some of steps... such option should work and inform user about with certain prompt. And as additional layer/prompt-view quite useful. Does it work there?!

    And if yes -> so.... why it was dropped (?!).... it was quite good optional "option";

     

    {SECOND---> This point... I asked some (?! or more) times under community... but response did not comes. So maybe - it not possible to answer. And I already not able to create proper words about... but in general...  does F-Secure able to do (or even... "something fresh") against using valid/good/known software/services/channels/tools/steps? Totally, globally and only valid.

     

    Since with my opinion (we able do not talk about only things like scripts or so)... there so many potential abilities and tricks about this... that I not sure.. that it do not used too much often. And... under some of latest articles.. your words usually about certain malware-file (and its design; and about strange points) - even... probably there quite many more interesting examples; And probably did not discuss... about all of other certain things (like "hacked"-vectors, another activities and 'tools' in use); Probably it anyway re-checked with proper view (because... I able to think that it can be quite useful);

     

    As my own opinion about this ask -> I able to think about potential "layers of protection" - but I not sure.... does it possible (or useful/or required) to add there; And... just interesting - does there any checks by F-Secure about it?

     

    Thanks!

     

    Sorry for my long^ opinion! Smiley SadSmiley Sad

     

    Also... sorry for my worst English. Not really nice days and I just do not able properly re-try fix worst points for more readable-view. Sorry (if anyone will be read this, of course....).

     

    Thanks!

  • betoche
    betoche Posts: 49 Observer

    Hello, dude.
    He is doing security consulting, and his videos are arranged so the software will be bypassed, he did it for Comodo, ERP,Sophos, etc... some one flagged him 3 times and ask details of the settings used, he didn't give. 
    His tests are total garbage! don't consider it a s bypass if you take a look at his page he has more than 20 videos about bypassing every software :)

    from what I know he is from Cylance(CIA!)
    everything, he does have no meaning... the tool he uses, can be blocked easily by F-secure.
     P.S:
    Even if we consider it as a bypass we all know not every software provides 100% detection and prevention rate there are bugs, Vulnerabilities,..etc so when a GRP of criminal focus on one product and decide to bypass it they will do it because everything arranged! but there are patch updates, etc
    Btw he tested the home version of f-secure which is a toy so we can't consider it as bypass even if he did (as  I said he is from Cylance)

This discussion has been closed.
Feedback on New Design