FS Protection PC Release 210 says it blocks CuteWriter - really?

Smooth upgrade to rel 210, thank you.

 


Then out of the blue the event notification says that CuteWriter is blocked.


This detection from the F-Secure Security Cloud identifies a program that has behaviors or aspects which are considered undesirable, unwanted or risky, but do not meet the stricter definition of malware.

 

I can understand that the definitions in the cloud may have been updated to reflect new versions, but

1. This version of CuteWriter has been installed for two years

2. ULAV and Safe do not give notification (Have not tried IS yet)

3. What does it mean blocked? I can still use it as before without allowing.

Comments

  • Ukko
    Ukko Posts: 3,611 Superuser

    Hello,

     

    Sorry for my reply.

    Just as sidenote - there is F-Secure PUA Policy:
    https://www.f-secure.com/en/web/labs_global/potentially-unwanted-applications

    if noted application is not about such meanings - good option to transfer executable to F-Secure SAS as false-positive:

    https://www.f-secure.com/en/web/labs_global/inform-us

     

    I can understand that the definitions in the cloud may have been updated to reflect new versions, but
    1. This version of CuteWriter has been installed for two years
    2. ULAV and Safe do not give notification (Have not tried IS yet)
    3. What does it mean blocked? I can still use it as before without allowing.

    Concerned fresh versions can be indeed Security Cloud detection but as 'unknown' reputation or rare executable. Or brief reaction before signature (or so).

    But it is anyway still valid situation if any of versions are detected eventually. For example, fresh pattern or other triggers are added to Security Cloud. Then with 'next' launch or use such executable -> Security Cloud will trigger prompt that there is suspicious activities based on its own up-to-date database.

     

    Not sure why ULAV or SAFE do not give notifications... except potential situation that such detection is only with certain and specific background/step.

     

    For example, just because your words about:

    This detection from the F-Secure Security Cloud identifies a program that has behaviors or aspects which are considered undesirable, unwanted or risky, but do not meet the stricter definition of malware.

    Sounds that CuteWriter.exe is detected with "Reason:" like something.something.something!Online (for example).

     

    If so -> it may be false positive based on Security Cloud detection only and furthermore MAYBE can be during small timeframe. For example, when a lot of suspicious or real PUA were activated/used and Security Cloud start to trigger much more attention for anything close to such activities.

    For example, with my own experience was funny situations when after multiple detection for certain file/files per too much small timeframe (with practically one view) -> some of next detections comes from Security Cloud rather than offline(?!) signatures (as it was before).

    ----------------

    Most likely, blocked means "prevent detected actions/activities" during real-time action. One-time block.

    From F-Secure Online Help:

    As you are the best judge of whether you want to trust and use a 'potentially unwanted' or 'unwanted' application, you can choose how you want the product to handle it:
    ◾A potentially unwanted application - The product will display a warning notification message before the application is allowed to run normally. If you trust the application, you can allow the product to do so. You can also opt to have the product block the application.
    ◾An unwanted application - The product will block and quarantine the application. If you trust the application, you can exclude it from further scanning.

    Will CuteWriter.exe trigger such detection later? Or was it one-time only?

     

    With my own experience -> when some PUA is detected -> there is prompt with ability to allow/exclude it from further detections. But if I ignore such prompt -> it will not re-detect it too briefly or do not prevent to access/use. With manual scan it will detect it anyway (and maybe with certain ?! timeframe after or during certain step as first prompt).

     

    Thanks!

  • martink
    martink Posts: 427 Influencer

    OK, so the notification says potentially, but when you click for more information potentially is dropped.

     

    The thing is that I did not launch or use CuteWriter to get the notification and that it is not really blocked.

  • Ukko
    Ukko Posts: 3,611 Superuser

    @martink wrote:

    OK, so the notification says potentially, but when you click for more information potentially is dropped.

    The thing is that I did not launch or use CuteWriter to get the notification and that it is not really blocked.


    I think that it is possible to create report with beta-portal about concern (after creating fsdiag-file).

    Just like my own feelings -> maybe it was a reason for such notification (you did not launch/use CuteWriter - but ?! does it possible that it was under background or so?! and thus some potential activities).

    If not -> maybe there was access to such file/folder-destination and F-Secure detect it.

     

    And with 'block'-concern and PUA items -> it is unclear for me too.

    With my understanding -> notification (not quarantine or remove action) about blocking PUA is notification only. Then you are able to handle this item OR it will be allowed. Even first action may be is blocked indeed (since it can be anything which not affect further work). Or some limitations about it (where F-Secure do not able to understand user's decision properly -> or 'ignore' any decision).

    I did not able to re-check with my own experience (I did not manage to find proper CuteWriter with F-Secure detection). And my examples of PUA with multiple different detections for it (based on step when it is detected) -> so, partly it will break proper understanding only PUA handling functionality. 

     

    Also, about "Potentially"-wording. With my own experience -> some of prompts will call it also as 'malicious or harmful' with specific steps. For example, prompt about detecting PUA by real-time network scanning traffic will call it as 'virus'.

     

    Thanks!

  • yeoldfart
    yeoldfart Posts: 556 Superuser

    I suggest you file a bug report, don't forget to attach the report made by the dedicated tool.

  • Ukko
    Ukko Posts: 3,611 Superuser

    Hello,

     

    Just like quote from:

    https://www.f-secure.com/en/web/labs_global/potentially-unwanted-applications

     

    How F-Secure products handle PUAs and UAs
    
    Potentially Unwanted Applications:
    F-Secure products will display a warning notification message before the application or file is allowed to run normally.
    You can also opt to have the F-Secure product block a PUA.
    Unwanted Applications: F-Secure products will automatically block and quarantine the application or file. If you are certain you want to keep using the application or file, you can exclude it from further scanning by the product.

    Where potential statement is that 'PUA'-detection will trigger only 'a warning notification message' before further 'the application or file is allowed to run normally'.

    Even it is maybe called as blocked under prompt - but block should be by user's choice (?!). Though with my experience 'notification prompt' with ability to 'allow/exclude' from further scans or further 'notifications about' (rather than block PUA?! what is automatically in some situations with my own experience?!).

     

    Thanks!

This discussion has been closed.