Protection malfunction - restart computer

Today for the first time I got that message when I started my computer. I checked common settings and noted that the Hydra and Aquarius updates were Not Installed. No errors in event logs. So I restarted. It took a long time before the shutdown part of the restart happened.

 

During boot and startup everything was extremely slow (I have pre-boot authentication) and when the desktop appeared I got a message about a new device installed?! Other than that everything seemed normal, except for errors in the event logs (see below).

I then did a cold boot to see if everything was normal, and it was.

 

Errors from event log before the cold boot, in chronological order:

  1. No scanner engines loaded and enabled. Virus protection is disabled.

  2. Intel(R) Management Engine Interface driver has failed to perform handshake with the Firmware.

  3. While validating that \Device\Serial0 was really a serial port, the contents of the divisor latch register was identical to the interrupt enable and the receive registers. The device is assumed not to be a serial port and will be deleted.

  4. The device driver for the Trusted Platform Module (TPM) encountered a non-recoverable error in the TPM hardware, which prevents TPM services (such as data encryption) from being used. For further help, please contact the computer manufacturer.

Was the F-Secure product the reason for this?

Should I be worried? Or maybe it was only a strange one time occurrence?! 

Best Answer

  • Ben Posts: 2,640
    Accepted Answer

    Hello NikK,

     

    Don't worry, we are reading your posts. For some issues, unfortunately, logs are necessary to investigate properly. We released yesterday a new version of one of our scanning components, but we haven't received any report of a problem with it so far.

     

    I would advise you to open a support ticket with an fsdiag so that we can investigate properly what happened.

Answers

  • Ukko Posts: 2,933

    Hello,

     

    If you have a reasons for overload during launch system.... probably it's can be "normal" (with meanings.. that close to safe), but in fact... of course... not normal :)

     

    For example, any my systems during overload at launch system (such as - various reasons, settings or backgrounds) can be with same view around F-Secure (such as... required for restart temporary; information about scan engines.. commonly can be too).

     

    Latest my experience with same view was about my try to use MBAM (latest version) and F-Secure (latest version as FS Protection), when MBAM was already installed during installation of F-Secure.

     

    So.. here without prompts about "conflicted software", but installation goes be slow - than should be.

    And first launch, of course, was with prompt about "something wrong with protection and required restart". It was able to repeat manually.. and if during first of minutes with that... goes to trying scan something... able to get information about "engines not loaded" (such as it also was prompted under installation end.. after restart... where needed else one restart by somewhat reason).

     

    Anyway.... my latest experience was with next background:

     

    -> MBAM with new versions.. without improving around performance. And it's still take too much.

    -> My system was with overload during launch MBAM/F-Secure at one time.... and if here will add something else.. for more powerful overload... will be same with your situation. In fact.. it's not really "overload" such as "not able to use system" - but take a lot of system resources and goes be "overload" around actions.

     

    -> Downloading updates for engines (and installing) take usually also a lot of resources. And maybe you get something same. Such as... reasons for overload and updates installing/downloading. Here happened too much long and detected as "something wrong with protection".

     

    Also.. usually I met same view about "troubles" during not stable network connection and after many days without updates (when F-Secure have to work with multi-steps around downloading updates). Or during upgrade for some browsers with Blink/Chromium-core (such as Google Chrome as best example).

    Or any other "overload" during scan some of files or executable-file analysis (such as time-out for that or related things) - but maybe it's already not likely with current versions of F-Secure.

     

    Sorry for my reply. Just I decided to add my descriptions/experience about same view of situation... when it was more safe... than something wrong around protection in fact.

  • Simon Posts: 2,571

    Hi Nik,

     

    Not sure if these are connected to your issue, but a couple of times this week on my Windows 7 machine, MBAM has crashed on startup, and needed to be restarted.  Other than that, my Windows 7 machine has been behaving nicely.

     

    My Windows 8.1 laptop, however, has stalled on the Shutdown screen a couple of times in the last week or so, and I have had to force a shutdown by holding down the power button. Really can't say if this is FS related, as I don't have any of the other symptoms you described, and the laptop seems to be otherwise running OK. No noticeable delays on startup, other than a Windows Update the other day.

  • NikK Posts: 931

    Thanks for the input guys! I've checked and nothing has been installed or updated except definitions for FS and MBAM. If it was some kind of overload or loading conflict, I wonder why it happened all of a sudden. Especially when I haven't experienced anything like this before.

     

    I hope to get a response from someone from F-Secure. But I have the feeling I won't get a response when I post about a more advanced and unusual issue that's not like an average common problem here. From last week I have 2 issues about DeepGuard and no response at all so far.

    I hope F-Secure reads this! 

  • Ukko Posts: 2,933

     

    Spoiler

    Hello,

     

    I think here can be various reasons... if it related with previous points.

    Such as.. time to time.. F-Secure create new updates, which required more steps and actions around memory or cache or drive usage. Such as.... remove previous signatures or re-place it..... with a lot of them; Or "long time" without updates before. Or... current new updates some kind of "large".

    Also during Network usage (if you have multi-devices) downloading/installing can be more slow... more hard. Slow-connection during check updates also can be a reason. And etc.

     

    Such as... my experience usually related with situations when:

     

    -> During situation before overload at launch system (downloading new updates/loading modules of F-Secure and MBAM as example from latest experience).... all can be normal, but any additional steps (such as.. can be common steps -> launch else one application, open browser, open text-document or other) create total overload with meanings "time-out" (maybe) and F-Secure (but Windows also should be with prompt) about something wrong.

     

    -> Anyway... here indeed should be answer by F-Secure. Just because... F-Secure team should be with better information about potential reasons of current one backgrounds.

     

    Also it's related with your topic about DeepGuard. Which indeed very interesting things (and I just can to think about it... same with private letter... as "unknown"-status also should be created.. and if unknown application with first date.... by FIRST user.. here required ten minutes for get it under cloud. Current time looks for me as "worst". So good if your topic will be with attention by F-Secure). Just because cloud-based things should be with more visible reasons of work (also when application sample needed... maybe good to prompt it.. or anyway.. will prompt about risks. But maybe not really likely.. that any malware can be with first launch under user's system.... or if can be.. maybe ten minutes not so bad).

     

    Sorry again for reply. I still not really understand.. if there available to use spoiler-tag. :(

     

     

     

  • NikK Posts: 931

    Thanks for the input. Regarding DeepGuard I've always got the prompt immediately when starting a new program version the first time, or when a new program version makes its first connection. So I wonder if something's changed in DeepGuard recently to cause this delay? If so, it's bad.

     

    Most of my programs I only use myself and never share them. So there should never be any info about them in the cloud, except perhaps info from my own PC. But not for a new program version that's launched for the first time. I think this is a good simulation of a new malware. A program that there's no info about anywhere on the Internet.

    Who wants a warning 10 minutes after it's started? It made lots of connections during these 10 minutes.

  • NikK Posts: 931

    Test of spoiler tag:

     

    Spoiler
    Text inside spoiler
    New line

     

    Something's changed with the Spoiler tag. If you press Enter for a new line it creates a new spoiler instead. Very annoying!

     

    Use Shift+Enter to get around it.

  • Ukko Posts: 2,933

     

    Spoiler

    Yes, it's looks strange. So.. just because.. very interesting any response by F-Secure.

     

    Just as it was with private letter. I can to think... just if "hash" of application (or application as reason) usually goes to cloud (if your machine, where it's created, with F-Secure installation) and it's already known for cloud as "unknown application". So during first launch - you get prompt.

     

    If information about "fresh" application does not goes to cloud yet.. so during first launch... DeepGuard not able to get anything about this application. And here have just one potential reason for block it (how I can to understand.. behavior of your applications) -> trying to network connection. But here addition "trying by unknown application".

    And maybe "unknown"-status should be accepted by cloud. If it's not "unknown" yet (sounds strange) - it's should to take time... for cloud-work about metadata/hash or other under cloud.. for create information "it's UNKNOWN" application and should be prevented network connection.

     

     

    And after that can be explanation:

     

    -> for one application/hash can be delay around minutes (ten?!). It's can be ... and related with my experience time to time (but not always. I also have experience when one application multi-detected each fresh launch). Such as... DeepGuard remember about user-action (block or allow) and work with that... during some time.... and does not matter.. if it was allow (randomly) or prompt was closed. Need time to re-check "decision".

     

    It's can be if fresh application goes to be "totally unknown" and cloud does not have anything about it (such as it not goes under scanning with F-Secure common scanners) and DeepGuard without any instructions as "unknown here application or not). So... it's ignored during launch.. and just with next re-check by DeepGuard... it goes already with instruction "hey.... here unknown application with trying to network connection - block it".

     

    -> maybe also can be... if cloud-cache... work worst. And after changes under your application... it save some other settings (name of file, directory, size or something same and etc. IP for connection and etc.);

    So... maybe DeepGuard and Cloud can to think "hmm... it's still known application and dropped/ignored any decisions" (related if... you have allowed status under DeepGuard storage, for example). Or it's already "automatically" allow (not likely). Or something like that... when cloud-cache break normal analysis. Not likely.. because ten minutes too much.

     

     

    -> also can be situation (related with many HIPS-solutions... and partly with DeepGuard) - Network connection. Such as system loaded without network connection.

    Or your application launched during start of system.... or after re-fresh for explorer.exe;

    Or after re-connection with network.

    Or simply.. if network connection not really stable. Such as ... any cloud-reputation based things and NHIPS not nice.. certainly with current point. Such as... modern time - modern design about network connection for users. But I think.. it's still not really "speedy and stable" around all users. And can be strange situations.

     

     

    -> About ten minutes... it's a lot of.. 

    But if we talk about "malicious"... ten minutes for first user with fresh sample. Maybe not so "slow".

    Because.. previously (more, than ten years ago and around this) it's can to take weeks/months :) for find/create and detect by signatures (such as... already a lot of users with dangerous-points).

     

    And it's better... than some of cloud-based realization (another companies), where need thousands of users with troubles by malicious application and just after that.... reputation/behavior-based things.. start be with prompts about "suspicious application".

     

    More worst.. if here will be same behavior about another kind of DeepGuard work.
    And sorry... if your situation already with another kind of prompts...  just because I think about prompt when DeepGuard created prompt about "Unknown application trying to create network connection" and with available-status for choose "Allow/Deny".

    And we not talk about "unknown rare application with trying to create network connection" with blocked as default (and potential "Gemini"-detection name or !Online-based).

     

     

     

  • NikK Posts: 931

    Thank you Ben :D

     

    I didn't notice the updated Scanner Manager before but now that you mention it that sounds very likely to be the reason to my problem. Yesterday I started my PC at 15:27, then a restart cause of the malfunction, and then a cold boot to see if everything was ok. I only noted the Not Installed ones for that day, but now I see that the Scanner Manager was the only successful one. After that was installed it failed to install Hydra and Aquarius and malfunctioned:

    [Image: FSupdates.png]

     

    The description for Event ID 103 from source FSecure-FSecure-F-Secure Anti-Virus cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    If the event originated on another computer, the display information had to be saved with the event.
    The following information was included with the event:
    1  2014-11-04  15:35:23+02:00  F-Secure Anti-Virus
    No scanner engines loaded and enabled. Virus protection is disabled.

     

    Update: From the F-Secure "Product Timeline" I see a log from 3 minutes earlier, 15:32, that "Your computer is not protected"

     

    I'm satisfied with that explanation and hope it was only a one time occurrence. If you haven't received any reports about it I guess I'm the first then ;)

     

    Please also try to take a look at my unanswered DeepGuard threads, thanks.

    http://community.f-secure.com/t5/Security/Deepguard-delay-in-detecting/td-p/62979

    http://community.f-secure.com/t5/Security/EMET-and-Deepguard-compatibility/td-p/62867

     

  • AniaC Posts: 275

    Hi @NikK, about the spoiler tag I wasn't able to reproduce this, but there obviously is a bug there.

    Which browser are you using? Have you had this issue for a long time?

     

     

  • AniaC Posts: 275

    Hi again, so now I know what the problem is (thanks @Ukko for clarification) - once you have clicked "spoiler", and written something there; and then you want to leave the spoiler tag - Enter doesn't do the trick. Instead, you have to click below the grey box to type normally (or use Shift+Enter).

     

    I'll let our software supplier know about this inconvenience. 

     

     

  • AniaC Posts: 275

    Hi, we've confirmed that the spoiler tag not working properly is a bug on the supplier's side; I'll let you know when we have the fix.

  • vito Posts: 1

    I have the same problem of the subject and I opened a ticket, but still nobody helped me.

    Can you help me? Thanks

  • Simon Posts: 2,571

    This is quite an old thread, and I think the original problem was solved.

     

    Perhaps it would be better if you started a new thread, giving some more details of your problem, including which version of F-Secure you are using, and which version of Windows, then maybe someone will be able to help you.

     

    By the way, you didn't say when you raised the support ticket, but in my experience, they can take 24-48 hours to be responded to, depending how busy the tech guys are.

  • Dillyd1 Posts: 1

    I have exactly the same issue, and restarting changes nothing?

  • emmanuelv Posts: 1

    You're not alone, I have exactly the same issue too :( On many clients, the latest aquarius update 2015-06-11_05 can't be installed, but I don't know if it's the source of the issue.

  • Jouni Posts: 135

    Hi all,

     

    We have had some reports of this problem during this week, and we are currently investigating the problem. However, in order to help us investigate this problem, I would suggest that you open a support request and provide fsdiag to us at:

    https://www.f-secure.com/en/web/home_global/support/support-request

     

    Here are the instructions to create fsdiag:

    https://www.f-secure.com/en/web/home_global/support/support-request#fsdiag

  • wzuur Posts: 2

    I have the exact same problem too. Restarting does nothing. I opened a ticket and no one has gotten back to me.

This discussion has been closed.