Protection for CVE-2021-40444

I would like to know the moment F-Secure Elements Endpoint Protection and Client Security has protection for CVE-2021-40444. Recommended registry changes have been set up using GPO, but it takes time and needs workstation reboot.Since F-Secure is installedhe default MS Defender is disabled, defender has protection for this.



  • LomMLomM Posts: 3 New Member


  • gancalgancal Posts: 29 F-Secure Product Expert

    Hi @memika ,

    Good day to you and thanks for reaching out!

    While specific information regarding the exploitation of CVE-2021-40444 is still being investigated, we have ascertained that our Capricorn engine in Endpoint Protection products is able to detect known malicious samples in-the-wild with the detection name Malware.W97M/Dldr.Donoff.xxxxx or Malware.W97M/Dldr.Agent.xxxxx. At the same time, our Security Cloud is able to detect these malicious samples as well if it is enabled. Detection name will end with !Online if it's detected through Security Cloud.

    These detection should already prevent the malicious document files from being executed. Hope this clarifies your concern.


    Calvin Gan

    Tactical Defense Unit

  • JohnWickJohnWick Posts: 22 New Member

    According to Virustotal F-Secure does not detect this:

    This worries me a lot. Like really a lot.

  • memikamemika Posts: 2 New Member

    Microsoft updated the original artickle, so I just added more Group Policy Settings (Preferences, Registry) for the HKEY_CLASSES_ROOT part. I keep these applied until MS patch is applied, which might not catch next weeks patch tuesday, will see.

  • gancalgancal Posts: 29 F-Secure Product Expert

    @JohnWick , thanks for raising it up and we definitely understand your concern regarding missing detection.

    Rest assured, I can verify and confirm that the file you linked is currently detected by us as Malware.W97M/Dldr.Agent.vvwhk.

    While VirusTotal is a good tool to get an indicator of the status of a sample, the way VirusTotal integrates scanning engine from different vendors does at times produce varying results. In F-Secure's case (and for most vendor), a static signature based scanner was implemented in their backend to scan for samples. The frequency of VirusTotal fetching our database update is dependent on their implementation and we have no control over that. This often times resulted in varying detection status from various vendors.

    VirusTotal has also written a blog on why their site should not be used to compare vendor performance which you can find it here:

    I hope the above explains why our detection name is not appearing in VirusTotal's scan result. Feel free to let me know if you have more concerns.


    Calvin Gan

  • JohnWickJohnWick Posts: 22 New Member

    Ok, good. Thank you Calvin!

Sign In or Register to comment.