Malicious code has been found in the MBR (Master Boot Record): how to proceed with further investigation
Collect the MBR log from the infected machine so that it can be investigated whether this is a valid infection or a false positive from the F-Secure product.
Log Collection Instructions:
1. Install Sector Inspector "secinspect.msi" on the infected machine and note the installation directory. Download link: https://www.microsoft.com/en-us/download/details.aspx?id=19470
2. Locate the installation directory: C:\Program Files\Windows Resource Kits\Tools or C:\Program Files (x86)\Windows Resource Kits\Tools
3. Execute "secinspect.exe" using cmd with the following argument:
   secinspect.exe > <log name>MBR.log
4. Collect the "<log name>MBR.log" file that was generated.
5. Once the log has been collected, you can uninstall the tool using the same installer file "secinspect.msi" and choosing the uninstall option.
Once "<log name>MBR.log" has been collected, submit it through the Submit a Sample service portal (https://www.f-secure.com/en/web/labs_global/submit-a-sample) for further investigation. Select "I want to give more details about this sample and to be notified of the analysis results". The malware team will investigate the log and give remediation instructions for further cleanup.
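The log collection steps above as a single PowerShell script. This is an added example, not F-Secure or Microsoft code; the log name, the %TEMP% output location, the administrator check and the SHA-256 of the log are assumptions made for illustration.

```powershell
# Added example: automates the secinspect.exe log collection steps from this article.
# Assumption: reading disk sectors normally needs an elevated (administrator) prompt.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'Not running elevated; secinspect.exe may be unable to read the disk.'
}

# The two installation directories named in the article.
$tool = @(
    'C:\Program Files\Windows Resource Kits\Tools',
    'C:\Program Files (x86)\Windows Resource Kits\Tools'
) | ForEach-Object { Join-Path $_ 'secinspect.exe' } |
    Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } |
    Select-Object -First 1
if (-not $tool) { throw 'secinspect.exe not found. Install secinspect.msi first.' }

# Hypothetical log name (computer name + timestamp), written to %TEMP%.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$logPath = Join-Path $env:TEMP ("{0}_{1}_MBR.log" -f $env:COMPUTERNAME, $stamp)

# Same effect as: secinspect.exe > <log name>MBR.log
$proc = Start-Process -FilePath $tool -RedirectStandardOutput $logPath `
    -NoNewWindow -Wait -PassThru

# An empty log gives the analysts nothing to examine, so stop before submitting it.
$log = Get-Item -LiteralPath $logPath
if ($log.Length -eq 0) { throw "secinspect.exe wrote no output to $logPath" }

# Record a hash so the submitted log can later be matched to this collection.
[pscustomobject]@{
    Log       = $log.FullName
    SizeBytes = $log.Length
    ExitCode  = $proc.ExitCode
    SHA256    = (Get-FileHash -LiteralPath $logPath -Algorithm SHA256).Hash
}
```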
Article no: 000006535
A customer's own (self-developed) file causes a false positive detection by F-Secure products.
To solve the issue, first sign the file with a digital signature certificate and then submit the file to F-Secure:
1. Open the Submit A Sample portal.
2. Click Choose File and select the file to be submitted.
3. Select "I want to give more details about this sample and to be notified of the analysis result".
4. Fill in the required details. Note: Select "False Positive" as the Sample Type and write "File whitelisting request" in the Subject field.
5. Click Submit sample file.
The submitted file will be subjected to a verification process. Once verified clean, the file will be added to the list and the database will be updated accordingly to prevent the file from causing new false positive detections.
Article no: 000005979
This article is applicable to the following F-Secure products: Client Security, Policy Manager, PSB Portal, and Computer Protection
Is there a way to prevent customers from copying data to USB storage devices with F-Secure Device control? Can we block all USB storage devices with Business Suite products?
You can limit or block access permissions for removable drives using Device control. Refer to the following links for instructions:
- Limiting access permissions for removable drives
- Blocking device access using predefined rules
- Getting Hardware ID for a device
Note: Device control can only be configured from Policy Manager or the PSB Portal (Profile editor). There is no local configuration user interface.
Article no: 000002202