Question about F-Secure DeepGuard alert
Hello everybody,
Today, when I started my computer, I suddenly received a warning from F-Secure DeepGuard that it had "excluded an application" that would open a malicious website or program. This is a "setup.exe" file, see Figure No.1, but unfortunately no path is given as to where and which setup.exe should be executed.
In the quarantine, see Figure No.2, it does not say that the DeepGuard has blocked an application or has quarantined it.
The information is therefore questionable for me! I would like to know which setup.exe was blocked by DeepGuard. I am assuming that it was the Google Chrome browser updater.
Is there a log somewhere where the DeepGuard records what it has blocked in a log file? It is a shame that the logs that can be viewed do not provide any path information, that urgently needs to be improved!
Thank you for your help and efforts.
Accepted Answers
-
Dear @1lluminate ,
The safety of an application is verified from the trusted cloud service. If the safety of an application cannot be verified, DeepGuard starts to monitor the application behavior. DeepGuard blocks new and undiscovered Trojans, worms, exploits, and other harmful applications that try to make changes to your computer, and prevents suspicious applications from accessing the Internet.
In your case it was a file or a program that has triggered a DeepGuard heuristic detection because it performs (or contains instructions for) actions similar to known trojans.
Potentially harmful system changes that DeepGuard detects include:
- system setting (Windows registry) changes,
- attempts to turn off important system programs, for example, security programs like this product, and
- attempts to edit important system files.
The F-Secure security product will automatically block the file from running, however, if you suspect that a file is incorrectly detected (a False Positive), it will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also submit a sample of it for re-analysis.
First of all, please check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
-
Dear Lucaseuropa
My problem is, I don't know exactly which setup.exe was blocked. No path is given in the log file. So I can only guess. But the whole thing already unsettles me.
I then imported an older backup and didn't connect to the internet, because it didn't find anything. Only after connecting to the Internet did the notice come. But as you can see, no information has been created in the log file by the DeepGuard.
So I am completely clueless which setup.exe it can be. It's just a guess that it's an update process.
The message only appears once and then no more!
I have completely scanned my system with F-Secure, no find. Then with Kaspersky, no find and finally with Bitdefender, no find either. Windows Defender couldn't find anything either, not even in the offline scan. I will now scan the system with Desinfec't 2020/2021 right now.
GIs there really no created "DeepGuard.txt" or "DeepGuard.log" where the Deepguard lists everything that it has blocked? Because the information is not helpful, unfortunately!
Maybe you can give me a log file so I can see which file he has blocked.
Thanks for your time and efforts!
-
Dear @1lluminate ,
Try to run the support tool:
- Open the product from the Windows Start menu.
- On the Antivirus page, select Settings.
- Select Support.
- Select Edit settings.
- Select Run Support Tool.
- Select Run diagnostics on the Support Tool window.
When the tool has finished running, it saves the collected data to an archive on your desktop, please open it and look for a DeepGuard log under Fsdiag\f-secure\logs\system\HIPS\DeepGuard.log
-
Hey @1lluminate,
I've permitted myself to merge your new discussion with the current one, to have all of your replies in one topic, as it is easier to handle this more effectively.
I will consult this with my colleagues from the technical department first. Should I know anything more, I will reply in this discussion.
Thank you for the understanding.
-
Hi 1lluminate,
My name is Calvin from the Tactical Defense Unit in F-Secure. There is a likelihood that the detection you are seeing is a false positive based on your description. Can you submit the generated FSDIAG (or a fresh one) to us so that we can analyze it further and potentially locate the file causing the alert?
To run the support tool and generate FSDIAG:
- Open the product from the Windows Start menu.
- On the Antivirus page, select Settings.
- Select Support.
- Select Edit settings.
- Select Run Support Tool.
- Select Run diagnostics on the Support Tool window.
To submit the generated FSDIAG zip to us:
- Go to our Submit a Sample (SAS) page.
- Select the File Sample tab. Click Browse, and attach your FSDIAG.zip file.
- Tick the I want to give more details about this sample and to be notified of the analysis results box to add in more information and receive feedback on the submitted file.
- Type in the verification Captcha code.
- Click Submit.
- Our analyst would then get back to you through email upon investigating the logs.
Do let me know if you have issue submitting the zip file to us.
-Calvin Gan
![[Deleted User]](https://community.f-secure.com/applications/dashboard/design/images/defaulticon.png)
Answers
-
-
-
-
Hi,
It seems that you ran into an 'exploit', where an innocent bystander (setup.exe) is asked to perform some malicious action. DeepGuard detected the malicious action and blocked it, but it didn't see who did the request. Exploits can be 'fileless', so scanning your computer may not find anything.
-Cale
-
Hello,
@Cale that honestly makes me a little nervous.
Again a summary of what I did, I hope I don't annoy you, I'm just really interested in the topic:
As I wrote in the comments, I took an old backup from March 27th, 2021, there was no message from DeepGuard, but I was able to observe in a split second during the automatic update of the Microsft Edge browser that there is a connection and that " TEMP directory "a folder is created. This happens in a fraction of a second. Based on this, it must be updated with the Microsoft Edge Canary or Microsoft Edge Beta.
With my backups from April 1st, 2021 and April 13th, 2021, an alarm message from DeepGuard occurred, but cannot understand the file. The colleagues found out the path
C: \\ Users \\ 1lluminate \\ AppData \\ Local \\ Temp \\ EDGEMITMP_F87CD.tmp \\ setup.exe
After I used the old backup from 03/27/2021 as a basis and no more message appeared from DeepGuard and I started the system with Live Linux DVD from Heise-Security Desinfec't 2020/201 with Kaspersky, Sophos, Avast, Open Threat Scanner scanned nothing was found. Even a scan with the Windows Defender Online / Offline, Malwarebytes and Emsisoft Emergency Kit did not produce any message.
Now I'm standing there and of course I'm puzzled, it could have been a false positive message, as the DeepGuard has often declared legitimate new program versions as dangerous for me until it has probably stored it in the cloud as harmless.
Or, what you say happened, it could be an exploit, which DeepGuard then hopefully blocked and thus could not unfold in the system.
A fileless exploit is of course the worst-case scenario, but let's not paint the devil on the wall, I cannot detect any abnormalities in the network traffic, and all common anti-virus scanners say that the system is "clean".
Unfortunately I couldn't provide you with the file that was created.
How realistic is it that my backup from March 27th, 2021 was still "clean" because there was no message from DeepGuard? In contrast to the backups vim 01.04 / 13.04.2021 where the message came immediately when I ran the Edge update process?
What do you mean cale? You are the expert. What do you recommend me
Sorry for the long message :)
Best regards
-
Hello Calvin, unfortunately I have restored my system as I write with a backup and there is no more message from DeepGuard. Unfortunately I can no longer provide you with the FSDIAG zip where the alarm appeared. I'm so sorry, it would have been great if your team had a look at this again. But I deleted the backup due to a possible infestation and went back a long time in the backup chain to minimize the risk, because nothing is 100% safe :)
But no matter how you write, I assume a "false positive", because when the backup was imported, F-Secure Internet Security was already updated and I was only able to open the TEMP folder in a fraction of a second:
C: \\ Users \\ 1lluminate \\ AppData \\ Local \\ Temp \\ EDGEMITMP_F87CD.tmp
see again. However, with a different serial number, e.g. in my case _F094CD.tmp
There was also no message on 2 other computer systems that are up to date but not currently online.
I still believe it was Microsoft Edge's update routine
Thank you very much to you and @Lucaseuropa and @Cale for your time and efforts. You are great!
Since I use F-Secure on all my computers and also take part in the beta test, I hope that I continue to do well for you :)
All the best
-
@1lluminate, thank you for the response! As you've restored the system to a previous backup, please do let us know (with a new FSDIAG to Submit A Sample page) should you face the detection occurrence again.
Have a great day!
-Calvin Gan
