DeepGuard BUG?


During testing, I found that when running the same executable malicious program, DeepGuard does not prevent it from running when it is on the Windows desktop or in any folder on any disk partition; for example, DeepGuard does not intercept the executable malicious program when it is in the D:\Test\virus folder or in the D:\virus folder. However, when the executable malicious program is located in the root directory of C:\, D:\ or E:\, DeepGuard successfully stops it from running. This is a serious mistake and I hope this error is fixed as soon as possible.

[Screenshot: the malicious program is on the desktop]
[Screenshot: the malicious program is located in the root directory of the C drive]
[Screenshot: the malicious program is located in the root directory of the D drive]
[Screenshot: the malicious program is located in the root directory of the E drive]

I am who I am, a different kind of firework
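The location-dependent test described in the post above, written out as a repeatable script. This is an added example, not code from the original poster or from F-Secure: it copies one sample file into each of the locations the poster names (desktop, drive roots, D:\Test\virus, D:\virus), launches it, and records whether the process started, its exit code, and whether the file is still on disk afterwards, so a bug report or beta-portal ticket can carry a table instead of screenshots. The drive letters and folder names are placeholders taken from the post; the timeout value and the CSV output path are assumptions. Run it only in an isolated test VM, and with a harmless stand-in file unless you deliberately intend to execute the real sample.

```powershell
# Added example (not from the original post or from F-Secure).
# Repeats the poster's test from several locations and records the outcome.
# Assumptions: $SamplePath is the file under test; $Locations are the
# placeholders from the post; writing into C:\ usually needs an elevated shell.
param(
    [Parameter(Mandatory = $true)][string]$SamplePath,
    [string[]]$Locations = @(
        [Environment]::GetFolderPath('Desktop'),
        'C:\', 'D:\', 'E:\',
        'D:\Test\virus', 'D:\virus'
    ),
    [int]$TimeoutSeconds = 10,
    [string]$ReportPath = (Join-Path $env:TEMP 'deepguard-location-test.csv')
)

$results = foreach ($dir in $Locations) {
    if (-not (Test-Path -LiteralPath $dir)) {
        [pscustomobject]@{ Location = $dir; Launched = $null; ExitCode = $null
                           FileRemains = $null; Note = 'directory missing, skipped' }
        continue
    }

    $target = Join-Path $dir (Split-Path $SamplePath -Leaf)
    $note = ''
    try {
        # Copy the same sample into the location under test.
        Copy-Item -LiteralPath $SamplePath -Destination $target -Force -ErrorAction Stop

        # Launch it; a blocked launch surfaces here as an exception,
        # a launch that is killed afterwards shows up in ExitCode/FileRemains.
        $proc = Start-Process -FilePath $target -PassThru -ErrorAction Stop
        $launched = $true
        if (-not $proc.WaitForExit($TimeoutSeconds * 1000)) {
            $proc.Kill()
            $proc.WaitForExit()
            $note = "still running after ${TimeoutSeconds}s, killed by the script"
        }
        $exit = $proc.ExitCode
    } catch {
        $launched = $false
        $exit = $null
        $note = $_.Exception.Message
    }

    [pscustomobject]@{
        Location    = $dir
        Launched    = $launched
        ExitCode    = $exit
        FileRemains = (Test-Path -LiteralPath $target)   # $false hints at quarantine/removal
        Note        = $note
    }
}

$results | Format-Table -AutoSize
$results | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
Write-Host "Report written to $ReportPath"
```

The point of recording Launched, ExitCode and FileRemains separately is that "blocked" can mean different things: the launch never happened, the process started and was terminated, or the file was quarantined. Attaching that CSV next to the fsdiag output gives the vendor something to correlate with its own logs.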

Re: DeepGuard BUG?

Hello,

 

If your experience is with the beta F-Secure solution (FS Protection), it is possible to create a report under the beta portal (beta.f-secure.com). It can be useful in the following ways:

-- you can also attach an "fsdiag" file (https://community.f-secure.com/t5/Common-topics/How-do-I-create-an-FSDIAG-file/ta-p/18190).

-- you can also attach the "malicious item" as an archive (https://community.f-secure.com/t5/Business/How-can-I-recover-quarantined/ta-p/75736).


But just as a discussion between users:

- is the item used actually malicious? Or is it something like a test / check file?

Is it known what the malicious payload / intention there is?

- did you try any other "suspicious" file? Does it work for any of them? If so, it sounds like it is not a mistake but something more like a trouble. By the way, there is an ongoing F-Secure Vulnerability Reward Program: https://www.f-secure.com/en/web/labs_global/vulnerability-reward-program

I think that such a "trouble" is suitable for this program (for any future findings of a related kind).

 

My own feeling (before any other checks or explanations) is that maybe the file is not suspicious enough for DeepGuard when it is located under the user's folders.

But launching "such a suspicious" file from the system (main) drive directory is a "higher" trigger, and the suspicion score jumps to a high enough level. As a result, the file is blocked in such attempts.

It is possible to check the situation further by trying to add "any user's folder" to the list of protected folders (Main user interface - Tools tab - App and File Control - Protected folders || Ransomware protection).

 

By the way, I am not sure about the exact detection meaning, but maybe the file is blocked as a "rare" application (or as part of ransomware protection). And there is a "Suspicious" remark. So maybe it is limited to "so-so" safe files. Thus, is it an exploit, or what is the malicious action there (if the subject of the file is known to you)?

 

Sorry for my English. 

 

Thanks!