[FSIS 2014] question about DeepGuard


Re: [FSIS 2014] question about DeepGuard

Newest info about this:


According to the German forum (URL http://community.f-secure.com/t5/Schutz/FSIS-2014-Frage-betreffend/td-p/46367/page/2) it SHOULD be fixed (not tested myself (can not test at the time)) ...


Re: [FSIS 2014] question about DeepGuard

I did a test on a command-line utility I have that connects to the Internet. It was previously allowed, so I deleted it from the DeepGuard settings.


When launched I got a DeepGuard prompt. The block option was pre-set. I clicked the red X in the top right to close the window. The DeepGuard prompt appeared again. I closed it. It re-appered a 3rd time. I closed it.


After that no more DeepGuard prompts. I checked the Monitored Applications and the program was not in the list. After a few more attempts(without additional DeepGuard prompts) the program was successful in both running and connecting to the Internet. This is bad because I never allowed it Smiley Mad


Is this better than it was before when this thread was created? I don't think so


Re: [FSIS 2014] question about DeepGuard

Interesting! Thank you for your posting, NikK!


And this was really a unknown program for DeepGuard? Because "known good programs" are added automatically to the allow list of DeepGuard AFAIR ...


Kind regards,



EDIT: Yes you have right, it's seems that is NOT fixed! I have tried with a unknown program - after click to "X" the connection was possible (without an entry in deepguard)!


So, please fix this F-Secure! Thank you!


PS: FSIS 2015


Re: [FSIS 2014] question about DeepGuard


But close DeepGuard prompt by any buttons or ESC... not really design.


Potentially just an user able to close DeepGuard prompt. But he probably should not to do this action. Such as... he also able to "allow". Or disable protection of F-Secure features and etc.


If there can be automatic software for "to detect" and "to close" certainly DeepGuard prompt.... maybe it's can be detected by F-Secure as malicious (and sample should be known after some tries to use this). But also.. it's can to be with meanings "targeted attack". And probably.... here can be not so hard (as trying to create logic for "detect/close" DeepGuard prompt) steps for target-attack against F-Secure protection by another steps.




Trouble can be with situation, when.... DeepGuard prompt created... and "launched" code.. goes to "shutdown" user session. When you back to user session... DeepGuard closed and connection created.

But DeepGuard.... previously was... with protection against this kind of meanings. Such as... "software", which goes to be with "specific" steps (such as "shutdown user session" after some seconds of launch and which prevented by DeepGuard) does not break DeepGuard hook.


But maybe now it's changed (?!)... or just because here can be various meanings and you able to create something more good.. and re-check it.




And with another meanings... when "user's" closing DeepGuard prompt (three times) - next launches will be undetected some limit of time (ten minutes?! or more... or other required)..... it's of course... not nice... not good.


But.... here another additional points:

- it's network-based. any trouble with network-work by DeepGuard.. and prompt can be not created also.

- here should be without meanings... when network connection (here I mean - system connection with network) goes to be stable.. just after launch of system. And here can be meanings.. if network connection goes be good.. after launch and system......

DeepGuard also be ready to protect just after some time... after "time-point", when network connection established. Between this time-points can be various not nice actions also.


Re: [FSIS 2014] question about DeepGuard

Yes, I'm sure. I did one more test, after a reboot, and DeepGuard prompted me 3 times. I clicked the X to close it every time. After the 3rd time the program was launched and successfully downloaded files from the Internet Smiley Sad


I never allowed the program

It's not in the monitored applications list


If you close all DeepGuard prompts without allowing the program, then it's allowed to run anyway?! I don't get it. Could F-Secure please explain this!


Re: [FSIS 2014] question about DeepGuard

Like addition.


Probably here can be a logic. And here nice to check next:


-> Prompt by DeepGuard, when it's simply blocked as default (can be for "network trying connection" too). Without user decision variants.

What will be if close this prompt. Potentially... here should be blocked status and without "allow result" (after three time reminders).


-> Prompt by DeepGuard with user decision variants (where able to allow or block it).

With my opinion around... related with required-points for choose something and accept current decision.


If you close it.... without decisions.

If DeepGuard prompt does not created. He not able to create prompt about "variants of decision".

If DeepGuard does not block current sample automatically as "just block and enough" - he not able to block it with silence-mode after three reminders before.



And like addition for behavior of "close".
Probably here can be normal design... such as....

During "close" user think... that it will be closed. Such as any pop-ups... should be visible "available for close" by specific picture or by ALT+F4. And after closing.. should be "closed" reaction.

Such as.. "close" can be related with "canceled about any actions". Skip or close... or ignore.. or just close.

And here normal behavior for "close"-action by "close meanings" (such as... not choose something, where can be any actions after decisions).

And during "close" with any actions... (such automatic decision or trigger for something.. which can be with any malicious ADs) can be more potential troubles for work or "exploiting" current behavior.

Sorry for new additin words. Smiley Sad  Anyway... here should be and can be interesting just answer or explanation by F-Secure (or DeepGuard) team.


Re: [FSIS 2014] question about DeepGuard



Closing DeepGuard prompt without selecting Allow or Deny is interpreted as "I don't care" / "I have other stuff to do, leave me alone" kind of action. So DeepGuard uses automatic logic in this case. It is not the same as selecting Deny.



(F-Secure R&D)



Re: [FSIS 2014] question about DeepGuard

@Ville Thanks for explaining. The problem however is that no user can know this until they experience it themselves. It's good that it now takes 3 close attempts, but previously it required only one, and how would a user know that closing the window will allow the program to run.....


Personally I would prefer that the window can't be closed until I decide on one of the options. Then there would be no room for confusion, or even worse, a nasty infection because the program was allowed to run even without "explicit approval".


Re: [FSIS 2014] question about DeepGuard

From NikK:

"It's good that it now takes 3 close attempts, but previously it required only one, ..."


In MY test, after ONE click on "X", the 2nd connection attempt was allowed (without an entry in DeepGuard)!


However, a click on "X" should be at least with this logic: "I will not make a decision NOW, let it blocked...".


THEN two scenarios would be possible/senseful:


a) let it blocked temporary, for ex until next boot or for a certain time period




b) each connection try opens a new DeepGuard dialog.


THAT would be senseful IMHO.






Re: [FSIS 2014] question about DeepGuard

Sorry again for my reply.


Probably here one behavior (previously and now).

How I can to understand...  "Three attempts" it's just maximum (maybe) or just a limit about one application as one destination, but....


Anyway.... on current time... (for example.. today I goes to re-check it) also able to close just one time. And will be without any new prompts by DeepGuard, which can be related with:

-> type of applications;

-> how often application trying to do network connection;

-> something else.

But basically with my experience.... just three attemps can be as "limit". During specific background, when application goes to very-very-very suspicious for DeepGuard and created a lot of trying of network connection per one second  (here can be just prompts, which was prevented with one time... about first one prompt. And during DeepGuard prompt all other connections paused.... totally. So.. all of other goes under first one... if it closed.. because was "hooked" and because without decision-choose).




Also today I re-check it with FS Protection (?!) and here was funny situation. I get DeepGuard prompt and decided to "close it" by button.  And without new prompts by DeepGuard (not checked... about application connection), but it's logical.. because prompt was about module.. which potentially just one time create "ping". But after that... I found that Notification history (Chronology) have string about "Blocked decision" for current try. Not goes to check DeepGuard storage.... and already after some minutes (and a lot of other prompts for another modules) re-get else one prompt about current application/module (which will be just fresh one prompt.. such as "not blocked" before) and I allow it (which create situation.. that of course.. I not able to check DeepGuard storage about current point).


So... it's mean my close action by close button was marked as "application was blocked/denied" under chronology for F-Secure. 




With logic about "CLOSE"-button.. I still think that "Close"-button should to "close". And "close" means cancel or ignore any decisions. Without something else. I want to close it.. not save it. just cancel and close.

I not really love... logic with Windows/Internet Explorer, when you able to re-change any settings and choose "Cancel", but it's already real-time saving.. and does not matter.. that you don't want to accept your changes (which can be random-changes).


But... maybe here can be improving.


During choose "CANCEL"-Button or "ALT+F4"... if it possible...  to ADD something about:




or something like that.


and after that... "OK. But are you certainly want to do that?!" And after that.. else one prompt "Ok. We understand your dreams. You want to close it without decision-choose. Right?"  ....


Maybe it's can be better variant there.... if it's not possible create feature about "one-time/temporary blocking connection" (and it will be with default choose also.. when you close by "close"-button).


If there anyway... maybe "close" DeepGuard-prompt goes be with automatic logic around actions, which can be there important (on current time... I mean).