F-Secure Deepguard does not like Sumatra PDF

Champion

F-Secure Deepguard does not like Sumatra PDF

If I try to install Sumatra PDF, Deepguard complains that it is trying to change a process or something like that. Is there really something wrong with Sumatra PDF?

1 ACCEPTED SOLUTION

F-Secure Product Expert

Re: F-Secure Deepguard does not like Sumatra PDF

Hi baroque-quest,

 

I believe the DeepGuard prompt you got is detecting a system modification attempt. This is because DeepGuard is a proactive behavioural analysis system and it continues to monitor application processes.

 

Applications are monitored for a number of suspicious actions, including (but not limited to):
• Modifying the Windows registry
• Editing files in certain critical system directories
• Injecting code in another process’s space
• Attempting to hide processes or replicate themselves

 

As legitimate programs will also perform such actions from time to time, DeepGuard does not red-flag a program on the basis of a single action but instead watches for multiple suspicious operations. Once a critical threshold of suspect actions is reached, DeepGuard will block the process from continuing.

 

Refer to the F-Secure DeepGuard whitepaper for more details.

 

Thanks.

 

Best Regards,
Jayson

"A person who never made a mistake never tried anything new" -Albert Einstein


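The monitoring model described in the accepted answer, as an added Python example that is not F-Secure's code: a small simulation of threshold-based behavioural scoring over constructed process events. No single suspicious action blocks a process; several of them, taken together, do. The action names, weights, block threshold and the tab-separated event format are all assumptions made for this illustration; DeepGuard's real rules are not on this page.

```python
from dataclasses import dataclass, field

# Suspicious action classes from the reply above. The names, weights and threshold are
# constructed for this illustration; DeepGuard's real scoring is not public here.
SUSPICIOUS_ACTIONS = {
    "registry_write_run_key": 2,   # modifying the Windows registry (autostart entry)
    "write_system_dir": 2,         # editing files in a critical system directory
    "inject_remote_process": 3,    # injecting code into another process's space
    "hide_process": 3,             # attempting to hide a process
    "self_replicate": 3,           # copying its own image elsewhere
}
BLOCK_THRESHOLD = 5


@dataclass
class ProcessState:
    image: str
    score: int = 0
    actions: list = field(default_factory=list)
    blocked: bool = False


def parse_event(line: str):
    """Constructed event format: '<pid>\\t<image>\\t<action>\\t<target>'."""
    pid, image, action, target = line.rstrip("\n").split("\t")
    return int(pid), image, action, target


def evaluate(events, threshold: int = BLOCK_THRESHOLD):
    """Accumulate suspicion per process; a single action never blocks, several do.
    Once a process is blocked, its later events are ignored (it was stopped)."""
    states: dict[int, ProcessState] = {}
    for line in events:
        pid, image, action, target = parse_event(line)
        state = states.setdefault(pid, ProcessState(image))
        if state.blocked:
            continue
        weight = SUSPICIOUS_ACTIONS.get(action, 0)
        if weight == 0:
            continue                      # ordinary action such as a file read
        state.score += weight
        state.actions.append(f"{action} -> {target}")
        if state.score >= threshold:
            state.blocked = True
    return states


def prompt_text(state: ProcessState) -> str:
    """The 'more' detail a user wants on the prompt: which actions were actually seen."""
    verdict = "BLOCKED" if state.blocked else "allowed"
    return f"{state.image}: {verdict} (score {state.score})\n  " + "\n  ".join(state.actions)


# Constructed sample events: a plain installer and a process that crosses the threshold.
SAMPLE_EVENTS = [
    "1001\tsetup.exe\tread_file\tC:\\Users\\me\\Downloads\\setup.exe",
    "1001\tsetup.exe\twrite_user_dir\tC:\\Program Files\\Viewer\\viewer.exe",
    "1001\tsetup.exe\tregistry_write_run_key\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Viewer",
    "2002\tupdater.exe\twrite_system_dir\tC:\\Windows\\System32\\helper.dll",
    "2002\tupdater.exe\tinject_remote_process\texplorer.exe",
    "2002\tupdater.exe\thide_process\tupdater.exe",
]

if __name__ == "__main__":
    for state in evaluate(SAMPLE_EVENTS).values():
        print(prompt_text(state))
```

In the sample, the installer only writes one autostart key and stays below the threshold, while the second process crosses it on its second action and is blocked before its third; the prompt text lists exactly the actions that contributed, which is the information a user needs in order to judge whether an installer's behaviour was expected.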

Superuser

Re: F-Secure Deepguard does not like Sumatra PDF

Hello,

 /some words added/

Probably it can be a situation where the installer is trying to determine all processes / kill a process or refresh explorer.exe to launch services for the current software. But... you should also be able to see a "more" feature in the DeepGuard prompt, where there will be a description of "which processes are changed" - it can be just a critical file/process - which can be an addition to "other reasons".

If the current file is not really popular or known, it can look like "totally suspicious actions" and be detected by DeepGuard (that is the explanation for... situations... where not every installer gets the same prompt).

 

If you can trust the current software and it's from a trusted source, probably everything is OK here :)

 

Also... you are able to create a ticket on the F-Secure SAS website (like a sample submission) for checking "something wrong or not". There you will get an answer about the "safe or not" part :)

Also, the installer and the installed software are different things.

But also here it can be "wrong" in the sense of "not a good realization of the installer code".

 

 

Superuser

Re: F-Secure Deepguard does not like Sumatra PDF

Try scanning it with https://www.virustotal.com/. That will give you a good idea as to whether the file is safe or not. FS is probably just flagging it as it's an unknown process, but I believe there have been instances of malicious PDF files / applications, so it pays to be careful.
Superuser

Re: F-Secure Deepguard does not like Sumatra PDF

Probably "Sumatra PDF" can be detected by virustotal by some companies (to be honest - I never use it, but I have heard of the current software for some reason?!); And anyway... just the installer can come with a payload; So virustotal can give a view about detection just for the adware category. It's not really close to "safe or not"; the payload can be different too.

 

Anyway :) here there will be a detection by DeepGuard about an action... and probably on virustotal it's not visible (like other behaviour detections by some other companies);

 

As a PDF viewer... from time to time... I can use STDU Viewer (STD Utility) or something "close to that name" - if something "portable" or "fast to look" is needed in some situations (where it's not possible with other steps).

Champion

Re: F-Secure Deepguard does not like Sumatra PDF

Scanning the downloaded file with MBAM, F-Secure, and virustotal did not raise any red flags. It was only upon installation that Deepguard complained.

 

I sent F-Secure support a specific query.

 

One reason I was a little confused is that while I have run into things which Deepguard had never white-listed, e.g. Intel's Desktop Utilities, Sumatra PDF had not been flagged in the past by Deepguard. So did F-Secure accidentally add Sumatra PDF to the malware category or has someone hacked into that webpage and/or software?

 

Thanks to Ukko and Simon.

Superuser

Re: F-Secure Deepguard does not like Sumatra PDF

I guess it's possible that the program has changed or updated, and FS haven't added it to their whitelist yet. You did the right thing by contacting Support, but you might get a quicker response by submitting it as a sample to the labs.

Superuser

Re: F-Secure Deepguard does not like Sumatra PDF


@baroque-quest wrote:

 

One reason I was a little confused is that while I have run into things which Deepguard had never white-listed, e.g. Intel's Desktop Utilities, Sumatra PDF had not been flagged in the past by Deepguard. So did F-Secure accidentally add Sumatra PDF to the malware category or has someone hacked into that webpage and/or software?

 


 

DeepGuard also changes from time to time. It can be new logic, new databases or other things.

It can be... that previously it was not detected, but now there is a detection. Also it can differ across various operating systems, etc.

 

But about Sumatra PDF - do you mean just the installer?! It can of course involve various situations.

If it's specifically about the Sumatra PDF executable files... probably you can check the "digital certs" (signed or not). And that's like "checking" for "hacked" or not.

 

And of course... as was already replied... any changes in the software will be like a new "reason" for DeepGuard to be more targeted at that application.

 


@baroque-quest wrote:

Scanning the downloaded file with MBAM, F-Secure, and virustotal did not raise any red flags. It was only upon installation that Deepguard complained.

 



 

Probably... I still think about that situation... like in my first reply:

 

 - We are talking about the Installer (potentially it can be malicious and it's not related to the already installed software);

 

 - The installer can use during installation "determination of all processes or killing processes";

Usually... it's needed to "refresh" Explorer.exe or simply... to refresh... while adding new services to the system (services of the new software);

Or other reasons... if the installer is not created really nicely.

 

 - DeepGuard can detect that. And it will be like your description of the situation.

--------------------------------------------------------------------------------------------------------------

 

But here you need to look at the "DeepGuard" prompt and the additional information about "which processes" etc.

Maybe something malicious indeed happened.

And it's an action which virustotal can not show. Also MBAM can not detect it - if F-Secure did not detect it by signature-based technologies.

 

Potentially here you need to send specifically the "installer" file, in my opinion.

If I correctly understand the situation.

Superuser

Re: F-Secure Deepguard does not like Sumatra PDF

Also... the source of the downloaded files can be important.

Potentially the installer can come with payloads... and there will already be an "adware" detection;

 

First of the random results from virustotal:

https://www.virustotal.com/da/file/923a1c2671321add62822080b6ef8499190f988163a024159818df9d5bbaf0f5/...

 

Here the file is detected as "adware" or a potentially unwanted application (F-Secure also detected it);

It means... the current file is from a source where the installer or the software itself... comes with a payload.

 

It means - potentially your sample can be a "new version" of something strange. But the current "example" - without valid signed certs... and that means probably here it's just a "trick".

Your file should have signed certs (I think).

 

And probably here there was just a prompt by DeepGuard about the "installer's actions", which probably indeed can be suspicious.
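The two checks suggested in the replies above, whether the downloaded installer carries a digital signature at all and what its hash is for a VirusTotal lookup, as an added Python example that is neither F-Secure's nor Sumatra PDF's code. It reads the PE security data directory to see whether an Authenticode WIN_CERTIFICATE blob is attached and computes the file's SHA-256, which is the value VirusTotal reports can be searched by. The image built by `build_demo_pe` is a constructed header-only PE, not a real executable, and the certificate payload inside it is placeholder bytes. Presence of a blob is not validation: only a full chain check (for example Windows' own `Get-AuthenticodeSignature` cmdlet) tells you whether the signer is trusted and the signature still matches the file.

```python
import hashlib
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData
SECURITY_DIRECTORY_INDEX = 4              # IMAGE_DIRECTORY_ENTRY_SECURITY


def security_directory(pe: bytes):
    """Return (file_offset, size) of the Authenticode directory, or None if the PE has none."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:        # PE32: data directories start at offset 96 of the optional header
        dirs_at, count_at = opt + 96, opt + 92
    elif magic == 0x20B:      # PE32+: they start at offset 112
        dirs_at, count_at = opt + 112, opt + 108
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    count = struct.unpack_from("<I", pe, count_at)[0]
    if count <= SECURITY_DIRECTORY_INDEX:
        return None
    entry = dirs_at + 8 * SECURITY_DIRECTORY_INDEX
    if entry + 8 > opt + size_of_optional:
        return None           # header claims directories it does not actually contain
    offset, size = struct.unpack_from("<II", pe, entry)
    if offset == 0 or size == 0:
        return None
    return offset, size       # for this directory the "RVA" field is a raw file offset


def has_embedded_signature(pe: bytes) -> bool:
    """True if a WIN_CERTIFICATE of the Authenticode type is attached. Not a validity check."""
    loc = security_directory(pe)
    if loc is None:
        return False
    offset, size = loc
    if offset + 8 > len(pe):
        return False          # directory points past the end of the file
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, offset)
    return cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and length <= size


def sha256_hex(data: bytes) -> str:
    """Hash of the whole file as downloaded; this is what a VirusTotal report is keyed on."""
    return hashlib.sha256(data).hexdigest()


def build_demo_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image (headers only, not runnable) with an optional
    WIN_CERTIFICATE blob attached through the security directory. Demo data only."""
    cert = b""
    if signed:
        payload = b"\x30\x03\x02\x01\x01"      # placeholder DER bytes, not a real signature
        cert = struct.pack("<IHH", 8 + len(payload), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
    header_len = 64 + 24 + 112 + 16 * 8
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                       # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 112 + 16 * 8, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)  # 16 data directories
    dirs = bytearray(16 * 8)
    if signed:
        struct.pack_into("<II", dirs, 8 * SECURITY_DIRECTORY_INDEX, header_len, len(cert))
    return dos + coff + opt + bytes(dirs) + cert


if __name__ == "__main__":
    for label, image in (("signed", build_demo_pe(True)), ("unsigned", build_demo_pe(False))):
        print(label, "signature blob:", has_embedded_signature(image), "sha256:", sha256_hex(image))
```

To use it on a real download, read the installer with `open(path, "rb").read()` and pass the bytes to both functions. An installer with no blob at all is the quick red flag this thread is pointing at; one with a blob still needs the chain verified before "signed" means anything.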

Champion

Re: F-Secure Deepguard does not like Sumatra PDF

Ukko and Simon:

 

I completely forgot about certificates. Good point.

 

I always download directly from the source.  I never use CNET or other secondary sources because I always wonder if they have added some adware or worse.

 

Sumatra PDF has always bothered me a little because it has ads which intentionally confuse users into downloading adware/malware (DOWNLOAD HERE!).  I realize that websites for free products need useful ads, but I suspect that quite a few people who view his site fall victim to the fake downloads.

 

Support wrote back with: "I would suggest you to download Adobe Reader X to view your PDF files as the program is also free for download. Adobe is a trustable and reputable software manufacturer for a very long time."

 

I find this response to be slightly amusing for two reasons. First, if users are not sophisticated enough to un-select the "free" Chrome download, they will get more than they wanted, just as with Sumatra PDF's website. And second, Adobe Reader has been the subject of many security flaws over the past few years, the reason many of us looked at alternative viewers.

 

That said, I downloaded Adobe Reader for this new PC.

Superuser

Re: F-Secure Deepguard does not like Sumatra PDF

I've not used it myself but I've often heard recommendations for Foxit PDF reader. Might be worth a look?

http://www.foxitsoftware.com/Secure_PDF_Reader/

Personally, I've never had a problem with Adobe Reader, and they seem to patch any vulnerabilities pretty quickly, on the whole. I guess the golden rule is, only open PDF files from trusted sources. :)