DeepGuard Application Permissions question.

Hello everyone.

I have a small question about application permission settings.

Earlier today I downloaded a program called D-Fend Reloaded, which is a GUI frontend for DOSBox. When I tried to launch it, DeepGuard blocked it, telling me the file was suspicious.

So I submitted the file to F-Secure for analysis via https://analysis.f-secure.com. I received a fast response from a technician telling me the file was indeed clean and that an update would fix the suspicious detection. F-Secure support is quick to respond. :)

Now I know that you can allow software manually, so I tried allowing it, but it still gets blocked after doing that.


The question is: Is it not possible to run applications detected by DeepGuard even though you allow it? Or have I missed something in the settings?


First run of application before allowing it.

http://i.imgur.com/uB1RiBs.png

------------------------------------------------
Allowing application

http://i.imgur.com/OLGbT0x.png

http://i.imgur.com/x2mTzLR.png

------------------------------------------------
Application permissions

http://i.imgur.com/Yg8025d.png

------------------------------------------------
Trying to run the application after I allowed it.

http://i.imgur.com/6cF76Ck.png

http://i.imgur.com/WR263lY.png


View all screens here: http://imgur.com/a/gMqCz


I'm running Win7x64 with F-Secure Internet Security 2014 1.99 build 192

I can also provide FSDIAG file to the support team if they need it.

Answers

  • NikK Posts: 931

    Based on your screenshots it should work. The only reason I know that would cause DeepGuard to ask/block for an already allowed program is that the file has been modified, like for example when a program has been upgraded to a new version. I assume that is not the case here, so I have no idea. I recommend sending an FSDIAG.

     

    It says the reason DeepGuard asked is because it's a Rare Application, "not commonly used". That does not indicate a false blocking of the program, so I don't understand the reply you got "that an update would fix the suspicious detection". Maybe it was an automatic reply if it was fast ;)

    Note: Even if you allow it, DeepGuard will still continue to monitor it for "bad" behavior. Perhaps it detected something, but the reason even after you allowed it remained the same: Rare Application.

     

    Keep us posted.

  • Hello.

     

    About the "update that would fix the detection." DeepGuard detected the application as Suspicious:W32/Malware!DeepGuard.an but it's not visible in the screenshot as I did not press the details button.

    The F-Secure employee that responded told me it was a False Positive, so I don't think it was automated. ;)

     

    I will try to contact the support tomorrow and see if they can make things more clear.  :)

     

  • Ukko Posts: 2,960

    Hello,

     

    In my experience it was a different situation. I mean, allowing should work here.

     

    In your situation, did you try restarting the system?! Sorry, of course, about the question.

    Or was the DeepGuard entry certainly created in one place/moment?

     

    Also you can just wait... until an update comes for DeepGuard/Gemini or another component which carries updates for behaviour analysis.

    It can take some more time than just an answer.

    After that... the detection goes missing and you can already launch the application without alerts. Only if there is something new (if it's "trying a network connection" or similar) - if the detection is already not visible in the alert.

     

    It can be created... just because it happens with the "temp" directory each time. But it doesn't matter if it's an unpopular file... which has a specific setting. But it also must be "fixed" by allowing.

  • NikK Posts: 931

    Ok. Just tested on an exe file I coded myself (100% clean ;-) and it says Suspicious:W32/Malware!DeepGuard.r

    Mine ended with an .r and yours with .an so there is a difference, and perhaps what is required in your case as support says is an update.

    So I suggest you test again tomorrow before contacting support. Hopefully this update will have taken place and you won't have to contact them.

     

    BTW, I completely missed that your DeepGuard screenshot didn't have radio buttons for allow/block. This is how it should look for a "not commonly used" program that is not wrongly blocked:

    RareApplication.png

  • Hi everybody.

     

    Before I contacted the support, I tried to open the file one more time and still got blocked. The DeepGuard definitions had been updated, though I'm not sure if the detection for this software was included.

    This is how it looked today:

     

    20140226DeepGuard.png

    As you can see DeepGuard's rep says it's clean.

    And the update window:
    20140226Settings.png

     



    Will update when I make some progress.

    Quick edit: Just noticed that the detection now said Suspicious:W32/Malware!DeepGuard.n not .an

  • NikK Posts: 931

    According to DeepGuard Whitepaper it should work with whitelisting a blocked program: (so why doesn't it in this case?)

     

    Judgement on execution

    Based on the file’s reputation and behavior during emulation, DeepGuard makes one of four possible judgements:

    a) The file is malicious and blocked

    b) The user is given the option to allow or deny the launch

    c) The file is clean and allowed to execute

    d) The file’s status as clean or malicious is still unknown

    If the file is blocked from launching, a notification message is displayed (see Image 1, previous page) providing additional details and an option to whitelist the program, if so desired.

    If the status of the file is still unknown, DeepGuard allows the file to execute but continues to monitor it during the subsequent process monitoring stage.
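    The decision table quoted above, modelled as an added example that is not from the original thread or from F-Secure's code: a toy judge in Python whose whitelist is keyed on the file's content hash, which is the mechanism NikK describes earlier in the thread (an upgraded binary no longer matches its allow entry, so the prompt comes back). The reputation labels, the emulation behaviour names, and the rule that malicious emulation behaviour outranks the whitelist are assumptions made for the example.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    """The four outcomes listed in the quoted whitepaper passage."""
    BLOCKED = "malicious, blocked"
    ASK_USER = "user is offered allow/deny"
    CLEAN = "clean, allowed"
    UNKNOWN = "unknown, allowed but monitored"


# Assumed behaviour names for this toy model, not DeepGuard's real logic.
MALICIOUS_BEHAVIOURS = {"injects_into_process", "disables_security_software"}


class ExecutionJudge:
    """Combines a reputation label and emulation findings into a Verdict.

    The whitelist stores SHA-256 digests of file contents, so a rebuilt or
    upgraded binary is a different file and does not inherit its allow entry.
    """

    def __init__(self):
        self.allowed_hashes = set()

    @staticmethod
    def fingerprint(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def whitelist(self, data: bytes) -> str:
        """User pressed 'allow' on the prompt: remember this exact file."""
        digest = self.fingerprint(data)
        self.allowed_hashes.add(digest)
        return digest

    def judge(self, data: bytes, reputation: str, emulation_behaviours: set) -> Verdict:
        # Conclusively bad behaviour during emulation wins over everything,
        # including an earlier manual allow (assumption for this model).
        if emulation_behaviours & MALICIOUS_BEHAVIOURS:
            return Verdict.BLOCKED
        # An allowed file is launched without prompting, whatever its reputation.
        if self.fingerprint(data) in self.allowed_hashes:
            return Verdict.CLEAN
        if reputation == "known_bad":
            return Verdict.BLOCKED
        if reputation == "known_good":
            return Verdict.CLEAN
        if reputation == "rare":          # "not commonly used": ask the user
            return Verdict.ASK_USER
        return Verdict.UNKNOWN            # run it, keep monitoring the process


def walkthrough():
    """Constructed scenario: first run, allow, then an upgraded build."""
    judge = ExecutionJudge()
    build_1 = b"MZ\x90\x00constructed stand-in for a program image, version 1"
    first = judge.judge(build_1, "rare", set())       # prompt shown
    judge.whitelist(build_1)
    second = judge.judge(build_1, "rare", set())      # allowed silently
    build_2 = b"MZ\x90\x00constructed stand-in for a program image, version 2"
    third = judge.judge(build_2, "rare", set())       # new hash: prompt again
    return first, second, third


if __name__ == "__main__":
    for step, verdict in zip(("first run", "after allow", "after upgrade"), walkthrough()):
        print(f"{step:14s} -> {verdict.value}")
```

    The third verdict is the point of the model: the allow entry belongs to one set of bytes, so any change to the file (an upgrade, a repack, a rebuilt self-extractor) puts it back in front of the user. When an allowed program keeps prompting without having changed, as in this thread, hash-keyed whitelisting is not the explanation and the vendor's own diagnostics (the FSDIAG mentioned above) are the right next step.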

  • Twixer Posts: 6

    Hello everyone.

     

    Today I got contacted by the support regarding my issue. I sent the file for analysis again and I'll wait for the results.

    The problem with DeepGuard somehow solved itself. It no longer blocks the file when I allow it. I can't reproduce the behaviour it had before, so I guess I'll never know what went wrong.

     

    The good thing is that it seems to be working normally again.

    Thanks everyone for helping me in this issue. :)

     

     

  • NikK Posts: 931

    A possible explanation is that it perhaps required another definition update to work. Anyway, nice to hear it's ok now :)

  • Twixer Posts: 6

    Yeah, that seems like a good explanation to the whole issue. :)
