[FSIS 2014] question about DeepGuard


Hi all,

If DeepGuard F-Secure Internet Security 2014 "reacts" and asks for Internet access of a program, I noticed the following:

If you click the windows away (click on "X")  - which is not even necessary for programs without GUI - DeepGuard does not ask then for this program and the access is allowed. At least after a PC reboot, DeepGuard asks again afterwards.

I've read that (if not already automatically blocked or approved) DeepGuard will ask after first program start. That explicitly when you first start is asked (in a session) then, I think that is not really good. Would it not be better to ask each time thereafter, or at least - if the access was not allowed resp. blocked - temporarily to block, right?

While my firewall blocks everything that is not explicitly allowed - I still think that part of DeepGuard is not resolved well enough.

Or is it not better (reasonable) feasible with DeepGuard?


Sorry for my English!

Re: [FSIS 2014] question about DeepGuard

I agree! I've made that mistake a couple of times myself, clicking the "X" thinking that Deepguard will block it for now and not add it as blocked in the Monitored Applications list. I thought the "X" would block for now and then ask me next time instead. But it doesn't, at least not until reboot as you say.


Another annoying thing is that when Deepguard asks you it has the block radio button selected, so you definitely think that it will be blocked if you just close the window without making a decision.


I don't know what F-Secure thinks but I consider this a bug. And it might be a dangerous one if let's say you want to try a new program but when Deepguard asks about it you feel unsure and change your mind. You might as well just close the window thinking it will be blocked, and you're in for a big surprise.


I think you should post in the Idea Exchange. I've actually made a suggestion myself of improving Deepguard related to connections, you can find it here. As it is now, when you allow a program in Deepguard it automatically also allows the program to make connections. I don't like that, especially when you're trying out a new unknown program. But still no response from F-Secure after over 3 months.


I control all outbound connections too, partly because of Deepguard's behavior. I use WFC for this and I guess there's a chance you do too? And WFC itself in fact matches this description of an "unknown" program that Deepguard will ask about when it detects a connection.


Can @Ben perhaps comment on this or forward to someone who can? Also I'd appreciate a comment on my idea suggestion for Deepguard.

Re: [FSIS 2014] question about DeepGuard

It's, of course, a shock.... when you are in first time understood that DeepGuard prompt can be closed just by Alt+F4 (or clicking to "close");

For example... I confused in that fact too, when understand that. But... just about fact that "so easy to close" and "not allowed/not blocked" after - but access to network connection.



But..... next points about "why it's not so hard":


- I not sure... but we talk about "alert/prompt" about trying to network connection (ask me about trying to network connection);

It's mean... that feature "optionally";

Some of users... can to disable it, for example;


- If we talk about all prompts... So it's mean - probably about totally malicious files... DeepGuard give alert just about "already blocked" - and not matter - how you close that alert (because it's another alert/prompt). It's blocked (hmm...but I not checked it... indeed).


Same situation with "unknown" applications, but.... probably here can be trouble. Just because - it's same with "just trying to network connection"; But...  DeepGuard give alerts for all try to connection. It's can be maximum-prompts (but not less than three - if it's not just one);


Also - it's not always matter - after restart/reboot repeat or not. Just DeepGuard will be alert during trying to network connection (probably just first try or some of them). And next launch - will be with alerts again and again. Probably it's can be trouble in DeepGuard "memory".


And here.... next points:


 - That window (DeepGuard alert) can be closed just by user. How I understand (but previously I thought that it's hard to meet) that behavior can be (by mistake and confused).  It's not good, but DeepGuard still can to give new alerts during other try to network connection. Also most part of same alerts about "close to safe" programs. If you download file and want to launch that - you can be prepared for same alerts.

If that alert created without your "wants"... it's already suspicious.. and not sure.. that in that situation... really need to click something... except "Block - OK";


Also about "allowed"-status..... just can be trouble... that if it's allowed by "trying to network connection" - it's can be allowed for all....  I not checking that... and just that can be trouble.


But in fact - it's must be like "if known/allowed application start to do SO STRANGE and MALICIOUS actions... it's give a new alert with block-information and etc.". Probably it's must be work like that. It's mean DeepGuard checking/monitoring applications... but if application do just "trying to network connection" - why it's bad? I mean - if during prompt about trying to network connection - it's closed.... than application start be (?!) do malicious - it's already new alert... and already here need to do without any mistake.

But probably.... it's just be or "already blocked - because malicious" or just "behavior ask about try to network connection" (which will be each time.. if user do not choose anything...  Not from continuous launch... but anyway - just and must will be); Here... probably all good... except "some" points about.... which probably hard to realization in malicious programs.


Also.... it's can be similar with (and that, of course, bad)... user can to allow "known malicious" program too... but quarantine (for example) or some alerts can to allow that "needs" - if user want this and ignore F-Secure attention/alert/status-information.




Also about window/prompt..... some of another behavior-hips/pro-active in another companies... can to "go around" just with another tricks... which not so hard to do (like if - "lock down machine" during potential alert - and etc.);


With DeepGuard alerts.. it all not worked... just because... - closed - just by user...

But it's of course... means that user must be careful with action-steps.

Possibly - DeepGuard alert give normal description for "which happened";


It's give information about "temporary blocked" during trying to network connection. And it's indeed LIKE that. Connection totally blocked.


here for user just two question - "allow it - because you know that application" or "block it forever - because you not sure.. that it's safe... and temporary blocked need to change for permanent status";


Also have information about rating/popular-status and etc. Which can to help in dreams about.


Possible... it's not always hard to understand - can to allow or not.


For example, most part of trying... it's just needful feature for program and without that - you can not to work with program. It's mean - if you not sure that it's can be safe or you not launch that - it's of course need to block.


If you will try to launch it... and probably know... that it's can to use network connection... you need to allow that.


Here.... bad other situations.. when you want alert by DeepGuard.... but situation without that.. 


Sorry about a lot of text.





 - totally malicious - blocked by DeepGuard as default - closed window means blocked still (need to check - because already I not sure in that - but... if it's not like that - it's so strange);


 - suspicious or close to that  - give normal information for choose.. which need to do - allow or not. Need to choose - and click OK;   Cancel here... can means.. that 'ask me later'   - and that new question can be or "right now" or after some minutes or with next launch.. or after restart system;  here question usually about network connection with detection-name.


 - trying to network connection - probably most part of that alerts... about safe programs. And if you decide to install or launch it....  DeepGuard just ask else one time "are you sure" to use that program. And in some situation - it's good. Because not always need to create in system "collection" of a lot programs. But.... possible... if you already launch it  - you already "allow" potential trying to network connection. Just think again...


 - closed DeepGuard prompt can just user. Other variants - hard to realization. Probably user need to ready time to time work together with multi-layer protection (not just always automatically-work). it's for user.


 - if you not launched anything.. but DeepGuard alerted about.... it's already suspicious - not matter.... which DeepGuard have a reason for alert - it's potential always need to block.


If user...in panic (and it's can be too) just closed (or randomly) DeepGuard alert.....   in most suspicious/malicious situations... DeepGuard or other layers... totally "right now" give else new alert.

If user... don't want to allow it.... he probably "stop" and "read" and "block it by - choose block - click OK".


Also.... that can be different.


During "launch" - DeepGuard can be just first layer (except signature-based).....  and it's can trying to launch dropper/downloader. If it's downloading another malicious program - new alert, new block;

Already here... user must to be careful in actions....  and create a scan for system.


Anyway - if for program during alert - user close that... and without status (allow or block in DeepGuard storage) - DeepGuard re-alerted... or re-checking.. and etc New alert must be.


But here can be situation - if during that re-checking.. "unknown file" already start be "known file" (in reputation or popular-status, for example) - and it's already can to "miss" new alert.

But it's mean - first alert was not about critical malicious action, which probably always just "blocked automatically" and user just received information about it by alert of DeepGuard. here already not matter... how user close that (but here can to check too.... - never try that)


I also.. create private letter..... for stopping increasing my answer.


Sorry again.


Re: [FSIS 2014] question about DeepGuard

And ... if a program has no GUI a second program start/try is enough (tested with a server app) and the Internet access is open - WITHOUT that the alarm window of DeepGuard must be closed first. That's not good!

I also use WFC and can handle such things, but DeepGuard should be really DEEP and not just superficial.


Re: [FSIS 2014] question about DeepGuard

To explain the case with "no GUI" ...


I had the following case:


After first start (in a session) of a program without GUI (server app, initiated through a client-device in the network), the DeepGuard alarm window appears and waits for user action. But for a second start/try through the client-device, the internet access is open even with the waiting alarm window ...

Hopefully it's clear now - it's difficult for me to explain in English, sorry ...




Re: [FSIS 2014] question about DeepGuard

Hello F-Secure Team, can you react to this please?


Re: [FSIS 2014] question about DeepGuard

Still no response from FS I see.....


This is not a wanted behavior by DeepGuard. IMO it's a "bug" or perhaps multiple bugs. So a comment at least would be nice!

Can @Chrissy or @AniaC please forward this to someone who can give us some answers? (I already tried Ben but no luck)


Re: [FSIS 2014] question about DeepGuard

Hi NikK!


Thanks for noticing!  I've already escalated the thread and have it on my monitoring list.  Should have a response soon :)

Re: [FSIS 2014] question about DeepGuard

Thanks Chrissy!


In short:

A program should only be allowed to run if you manually allow it

To close a DeepGuard window without selecting allow or block should be treated as "Block it for now and ask later" (next time the program is launched)
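
The fail-closed handling requested in this thread, sketched as an added example; it is not part of any post and is not F-Secure code. The class, method and program names are hypothetical and the event sequence is constructed. A connection is permitted only after an explicit, stored "allow"; an open prompt or a dismissed prompt both mean "deny", and a dismissed prompt is raised again at the next launch.

```python
from enum import Enum

class Choice(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    DISMISSED = "dismissed"  # prompt closed with "X" or Alt+F4

class ConnectionGate:
    """Hypothetical fail-closed prompt policy; not F-Secure code."""

    def __init__(self):
        self.rules = {}        # program -> Choice.ALLOW / Choice.BLOCK
        self.pending = set()   # prompt on screen, not yet answered
        self.deferred = set()  # prompt dismissed: deny until next launch
        self.prompts_shown = 0

    def on_launch(self, program):
        # A new launch lifts the temporary denial so the user is asked again.
        self.deferred.discard(program)

    def on_connect(self, program):
        """Return True only after an explicit, stored ALLOW."""
        if program in self.rules:
            return self.rules[program] is Choice.ALLOW
        if program not in self.pending and program not in self.deferred:
            self.pending.add(program)
            self.prompts_shown += 1
        return False  # undecided, pending or dismissed: deny

    def on_prompt_closed(self, program, choice):
        self.pending.discard(program)
        if choice is Choice.DISMISSED:
            self.deferred.add(program)  # block for now, ask at next launch
        else:
            self.rules[program] = choice  # persistent user decision

def replay():
    """Constructed event sequence for a GUI-less server app."""
    gate, app, seen = ConnectionGate(), "server.exe", []
    gate.on_launch(app)
    seen.append(gate.on_connect(app))   # first attempt: prompt opens, denied
    seen.append(gate.on_connect(app))   # second attempt, prompt still open
    gate.on_prompt_closed(app, Choice.DISMISSED)
    seen.append(gate.on_connect(app))   # after dismissal, same session
    gate.on_launch(app)
    seen.append(gate.on_connect(app))   # next launch: asked again, denied
    gate.on_prompt_closed(app, Choice.ALLOW)
    seen.append(gate.on_connect(app))   # explicit allow
    return seen, gate.prompts_shown
```
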


Re: [FSIS 2014] question about DeepGuard

And note:

When a server application without GUI (started by a client device) with me here, it was not even necessary to close the DeepGuard window!

It was just approved at a later connection attempt. When I came to the PC with the server app, the DeepGuard window was still present.




NEWS about without GUI - after retesting ...


The case concerning "no GUI" I can not repeat (no more?). I do not know how I had done it at that time. However: does not change the case when the window is clicked away.

NEWS about without GUI - after retesting ...


Not sure, but I believe I had also the case again with a server app without GUI: after restart the client app and new try to connect the server app, the connection was possible, WITHOUT quit the appguard notify ("block or allow?") window first ...


PS: Would be good to hear some news about this theme from the F-Secure Team!