Hi there,
after deploying FSPM 13/FSC 13 all workstations experience deep guard warnings when opening executables which are allowed by PM. The hashes are correct but FSCS seems to ignore them:
Here are the most recent alerts (120) from Policy Manager:
Security alert: Malware blocked
From: XXXXXXXXXXXXXXX, 2017-11-03 10:52:34 +01:00
Details: Action by malware was blocked. Malware path: \xxx\xxxx\xxxxxx.exe File hash: 643a2495c509e842885091b918a74b772d64c336
This email was automatically generated by F-Secure Policy Manager. Please do not reply to this message.
FSPM
SHA-1-Hash Hinweise Vertrauenswürdig Aktiviert
643a2495c509e842885091b918a74b772d64c336 xxxxx.exe Ja Ja
Can you help us with that?
Regards,
Dirk
Hello Dirk,
Normally allowed applications should not be blocked in version 13.
Please, contact support. We will need diagnostic information from affected client machine for investigation.
Best regards,
Vad
Hi Dirk,
I have the same problem with dg and some more, look at my post 1 over yours...
LG
Martin
HI,
Same problem here with deepguard.
Hello,
Submit sample here so virus lab crew can fix the false alarm centrally:
https://www.f-secure.com/en/web/labs_global/submit-a-sample
You will struggle for ever with the problem if you don't do that.
(Some apps modify themselves while running so the checksum changes. These are not possible to exclude statically via hash and the only fix is to modify the scan logic to avoid the false alarm in the first place.)
Best Regards: Tamas Feher, Hungary.
Hello Dirk and RmB,
Did you already happen to provide diagnostic information to support for investigation? As I already mentioned, unfortunately, we can't reproduce this problem, and need your help to continue.
Best regards,
Vad
Hey Vad,
I did - support ticket is xxxxxx - I will provide fsdiag data asap.
Dirk
Hey Vad,
I just sent a sample and result of fsdiag.
Dirk
Hi!
It seems, that our problem is well known mictray64.exe file. New updated file is already deployed to our enviroment and deepguard should ignore this file, because we excluded it already.
Really don't get it why we keep getting these error messages.
Hello everybody,
We now have a fix for the whitelisting issue. It will be delivered over the channel in one-two weeks.
If you want to try/take it in use now, please, contact support.
Best regards,
Vad
This topic has been closed due to inactivity. If you would like to discuss this topic further, please start a new post.
You can reference this topic in your post by adding this link:
https://community.f-secure.com/t5/Business/FSCS-DeepGuard-ignores-hashes/td-p/101063
Visit the Community
Check our Forums or How-to & FAQs for advice or answers