What is infectionalert.type.7

RobM
RobM Posts: 12
in F-Secure Elements Endpoint Protection

I've had a couple of notifications this morning of Type infectionalert.type.7. These appear to have been blocked but reference different executables. One has blocked chrome.exe an another was a system file called PickerHost.exe. I can't find any reference to this type of infection. What is infectionalert.type.7?

 

 

Like

Comments

  • fedool
    fedool Posts: 154 F-Secure Employee

    Hello,

     

    Where did you see that? On portal or on client?

    Can you post a screenshot so we can understand it better?

    Like
  • RobM
    RobM Posts: 12

    Here you go.

    F-Secure infectionalert.type.7.PNG

    Like
  • fedool
    fedool Posts: 154 F-Secure Employee

    Thank you for reporting it. We will fix it shortly - it's missing localization for detected ransomware threats

    Laksh
    1Like
  • RobM
    RobM Posts: 12

    Not sure what that means but okay.

    Like
  • TimoU
    TimoU Posts: 1

    I got one also abit differrent

     

    F-Secure Protection Service for Business has identified the following security incidents:

    Time|Account|Host|Infection|Action|Type|Infected Object|Infected Object SHA1

    Wed, 28 November 2018 09:23:48 UTC|Company XX|HOSTNAMEXX||Blocked|infectionalert.type.7|C:\Windows\System32\PickerHost.exe|

     

               

    28.11.2018
    11.23.48    		URHEILUHALLIT\userxx reports.infections.types.ransomwareAccessControlEstettyC:\Windows\System32\PickerHost.exe
    Like
  • fedool
    fedool Posts: 154 F-Secure Employee

    This means that PickerHost.exe tried to change a file in one of protected folders (open it for writing). It's used for file selection as far as I can see.

    It may not be a problem if users use PickerHost.exe to browse to the files and we block it's write access but file selection UI may still work by opening files without write access.

    If this happens often - you can add PickerHost.exe to the list of allowed programs in ransomware protection

    TimoU
    1Like
  • RobM
    RobM Posts: 12

    Well, I guess the question is, is there an infection or not? If not, why are you blocking a valid system file? It's not just this one -- I've had similar issues with other system files. If I simply allow them am I opening myself up to an infection? 

    Like
  • RobM
    RobM Posts: 12

    Here's another one today. Am I supposed to just allow all of these executables?  If these are not infections, they are a constant nuisance and obfuscate those potentially real infections. How am I supposed to discern?:

     

    F-Secure Protection Service for Business has identified the following security incidents: Time|Account|Host|Infection|Action|Type|Infected Object|Infected Object SHA1 Wed, 28 November 2018 16:44:29 UTC|Berge Ford-internal|FLT-9||Blocked|infectionalert.type.7|C:\Windows\SysWOW64\dllhost.exe| Wed, 28 November 2018 16:44:39 UTC|Berge Ford-internal|FLT-9||Blocked|infectionalert.type.7|C:\Windows\SysWOW64\dllhost.exe|

    Like
  • fedool
    fedool Posts: 154 F-Secure Employee

    It's how ransomware protection and access control works. They block access to protected folders for all apps except allowed ones. We have whitelisted some safe system files and they can write to protected folders too but we cannot whitelist files like dllhost.exe - they are legit system files but they can be used to host malicious dll, for instance, which would encrypt all your files.

     

    Like
  • RobM
    RobM Posts: 12

    So how do I determine which app is calling this process and allow this app?

    Like
  • RobM
    RobM Posts: 12

     Seems like you should be able to differentiate between legitimate and malicious behavior. For example, my users can't save attached images or scans to their own folders. That leaves me the choice of either unprotecting the folder or allowing the file which, as you have just observed, can run malicious code. 

    Lapcmac
    1Like
  • Lapcmac
    Lapcmac Posts: 1

    Same type of thing here. 2 hosts on a network I've been brought in to look after report in on c:\windows\system32\Sihost.exe and a DLL in C:\windows\syswow64

     

    Fsecure seems to detect and block, but doesn't seem to take the process any further, so some days I'll get a flurry of reports, on others, maybe I won't get any. What to do to take the cleaning process to actually rooting this thing out--if an infection-- or determining if it's safe and simply allowing it?

     

    Begin Paste--

    F-Secure Protection Service for Business has identified the following security incidents:
    Time|Account|Host|Infection|Action|Type|Infected Object|Infected Object SHA1
    Mon, 21 January 2019 16:50:33 UTC|Khorshidi Law Firm, APC|PC||Blocked|infectionalert.type.7|C:\Windows\System32\sihost.exe|

    --End Paste

     

    That's all for now. Thanks!

    Like
This discussion has been closed.

Categories