Malicious code has been found in the MBR (Master Boot Record): how to proceed with further investigation.
Collect the MBR log from the infected machine so that it can be determined whether this is a valid infection or a false positive from the F-Secure product.
Log Collection Instructions:
1. Install Sector Inspector "secinspect.msi" on the infected machine and note the installation directory. Download link: https://www.microsoft.com/en-us/download/details.aspx?id=19470
2. Locate the installation directory: C:\Program Files\Windows Resource Kits\Tools or C:\Program Files (x86)\Windows Resource Kits\Tools
3. Execute "secinspect.exe" using cmd with the following argument:
   secinspect.exe > <log name>MBR.log
4. Collect the "<log name>MBR.log" that was generated.
5. Once the log has been collected, you can uninstall the tool using the same installer file "secinspect.msi" and choosing the uninstall option.
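The collection steps above as a PowerShell script, added here as an example and not part of the F-Secure article. The host-name log prefix, the %TEMP% output location and the elevation check are this example's assumptions; the SHA-256 is recorded so the submitted log can later be matched to the collected one.

```powershell
# Added example: run Sector Inspector and save "<log name>MBR.log".
$ErrorActionPreference = 'Stop'

# Installation directories named in the article.
$candidates = @(
    'C:\Program Files\Windows Resource Kits\Tools\secinspect.exe',
    'C:\Program Files (x86)\Windows Resource Kits\Tools\secinspect.exe'
)
$tool = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $tool) {
    throw 'secinspect.exe not found; install secinspect.msi first.'
}

# Assumption: reading raw disk sectors needs an elevated session, so warn if not elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$admin     = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($admin)) {
    Write-Warning 'Session is not elevated; the log may be incomplete.'
}

# "<log name>" is the host name here (this example's choice).
$logPath = Join-Path $env:TEMP ("{0}MBR.log" -f $env:COMPUTERNAME)

# Equivalent of: secinspect.exe > <log name>MBR.log
& $tool | Out-File -LiteralPath $logPath -Encoding ascii
if ($LASTEXITCODE -ne 0) {
    Write-Warning "secinspect.exe exited with code $LASTEXITCODE"
}

# An empty log is useless to the analyst; fail loudly instead of submitting it.
if ((Get-Item -LiteralPath $logPath).Length -eq 0) {
    throw "Log is empty: $logPath"
}

# Record the hash of the log before it leaves the machine.
Get-FileHash -LiteralPath $logPath -Algorithm SHA256 | Format-List Path, Hash
```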
Once "<log name>MBR.log" has been collected, please submit it through the Submit a Sample service portal (https://www.f-secure.com/en/web/labs_global/submit-a-sample) for further investigation. Select "I want to give more details about this sample and to be notified of the analysis results". The malware team will investigate the log and give remediation instructions for further cleanup.
Article no: 000006535
Web Content control is blocking pages by claiming they have been rated, for example, as adult material, even though the web page has nothing to do with that rating. How do I whitelist sites for PSB Computer Protection or Client Security? I want to access a site but Browsing Protection blocks it. What can I do?
You can report wrongly blocked pages and wrong web content categories to our labs. Check the box "I want to give more details about this sample and to be notified of the analysis results" and fill in the required information to get updates from labs as they check the link.
Series 14 and newer of Business Suite products as well as PSB Computer and Server Protection will show webpage categories on the block page, which can give you more detail on why a page is blocked.
To whitelist webpages in PSB settings profiles:
1. Log in to your PSB portal account.
2. Go to Profiles using the left-side menu.
3. Open the profile you want to modify.
4. Click on Browsing Protection from the left-side menu.
5. Scroll down to Sites.
6. Add the site you want to whitelist to the Allowed sites list.
7. Click Save and Publish in the bottom right.
To whitelist webpages using the Business Suite Policy Manager:
1. Log in to the Policy Manager Console.
2. Select the correct policy domain or host from the Domain tree on the left.
3. Go to Settings.
4. Select Advanced view from the selector in the top right.
5. Navigate to F-Secure Browsing Protection->Settings->Reputation Based Protection->Trusted Sites in the settings tree.
6. Click the Add button to the right of the sites list to add new entries.
7. Press Ctrl+D or the Distribute policies button in the top left to distribute the new settings.
Note that you might have to empty your web browser cache for the changes to take effect. This applies to both sets of instructions listed above and to when you receive a notification from the labs that they have updated a page rating.
Article no: 000004384
This article applies to the following F-Secure products: Computer Protection for Mac, Client Security for Mac, SAFE for Mac, SENSE Application for Mac
The F-Secure product is installed on a Mac computer, but the user interface shows that the computer is not protected and that real-time scanning is not activated.
After installation of the Mac product on macOS High Sierra, a red F-Secure (X) icon may appear when running real-time scanning. This is due to a new security feature, which has been introduced in macOS High Sierra (10.13) or higher. During first time installation, the security feature requires you to allow system software from F-Secure. Until the software is allowed, real-time scanning will fail.
Once the installation is complete, allow F-Secure software as follows:
1. Go to System Preferences > Security & Privacy, and select the General tab.
2. Click Allow.
Once this is done, the icon status changes to normal and the error message disappears.
Note: The steps described must be performed locally on the machine and not remotely.
Full instructions with pictures: https://community.f-secure.com/t5/Business/Issue-with-real-time-scanning/ta-p/100546
If the solution above does not work, try the following solutions one by one and verify whether real-time scanning can be enabled.
Solution 1:
1. Check in System Preferences > Security & Privacy > Privacy > Accessibility and remove or disable 3rd party accessibility software such as the Better Touch Tool or MagicPrefs.
2. Go to System Preferences > Security & Privacy.
3. Select the General tab.
4. Click the Allow button.
Solution 2:
1. Check in System Preferences > Keyboard > Shortcuts > Full keyboard access to enable full keyboard access.
2. Go to System Preferences > Security & Privacy, and select the General tab.
3. Use the Tab key to move the focus to the Allow button.
4. Press Spacebar on your keyboard while the Allow button is active.
Solution 3:
Add the F-Secure Team ID (6KALSAFZJC) to the list of approved kext developers by using the "spctl kext-consent" command in Recovery mode. Refer to the following page for more detailed information: https://developer.apple.com/library/content/technotes/tn2459/_index.html#//apple_ref/doc/uid/DTS40017658-CH1-TNTAG4
Article no: 000001668
A customer's own (self-developed) file causes a false positive detection by F-Secure products.
To solve the issue, first sign the file with the digital signature certificate and then submit the file to F-Secure:
1. Open the Submit A Sample portal.
2. Click Choose File and select the file to be submitted.
3. Select "I want to give more details about this sample and to be notified of the analysis result".
4. Fill in the required details. Note: Select "False Positive" as the Sample Type and write "File whitelisting request" in the Subject field.
5. Click Submit sample file.
The submitted file will be subjected to a verification process. Once verified clean, the file will be added to the list and the database will be updated accordingly to prevent the file from causing new false positive detections.
Article no: 000005979
How to install a Hotfix
There are several types of hotfixes: fsfix, jar, and zip.
FSFIX -> This is for Windows clients. This hotfix can be run on each Windows client.
JAR -> This is for Policy Manager deployment. You can deploy the hotfix automatically using Policy Manager.
ZIP -> This contains both FSFIX and JAR, or sometimes only one of those. Users need to extract this file.
Internet Explorer may change the file extension of an fsfix or jar file to ".zip". This is due to the security setting. When this happens, please change the file extension back to the original one.
[How to install]
Fsfix
1. Download the fsfix hotfix to the target machine.
2. Double-click the fsfix file.
3. A message is shown. Click "Yes" to proceed.
4. Wait until the installation finishes. A message window is shown when it is finished.
5. Click "OK" to finish the installation.
Jar
1. Open the Policy Manager console and select "Installation".
2. Click on "Installation package".
3. Click on "Import" and import the Jar file.
4. Click on "Close".
5. Select the target PC (or domain) and click on "Install package".
6. Select the package name and click on "OK".
7. Deploy the policy to the targets.
Sometimes, a reboot is recommended. Please reboot your PC, if needed. This message is shown based on your OS status even if the hotfix does not need an OS reboot.
Article no: 000014849