F-Secure PSB DataGuard not practically usable in low-tech environments, like public education?

Superuser

F-Secure PSB DataGuard not practically usable in low-tech environments, like public education?

Dear Sirs,

I saw an apparent false blocking in the FSAV PSB portal and reported it to the F-Secure Virus Lab as follows:

Ticket ID: xxxx
Date and time: 2019. feb. 22. 11:15:32
Customer: [a Hungarian school]
Computer: [a desktop PC]
OS: Windows 10 64-bit, version 10.0.17763
User: [student's name]
Software: FSAV PSB Computer Protection Premium 19.1
Module: F-Secure DataGuard
File: C:\Windows\System32\PickerHost.exe
Target: C:\Users\Student\Pictures\f07_f4.jpg
Threat: reports.infections.types.ransomwareAccessControl
Action: Blocked

I asked the Lab to review the situation and make adjustments to the technology if necessary. I've just received this answer from them:

"With Access_Control_List and Discover_trusted_applications_automatically enabled in DataGuard, the feature does not trust by default:
C:\Windows\System32\svchost.exe
C:\Windows\System32\sihost.exe
C:\Windows\System32\PickerHost.exe

To work around the issue, you can add the target path the Windows process is working on to the excluded folders in the Profile Editor at:
DataGuard > Manually defined folders > Excluded folders

Besides that, an application installed to the user directory (for example, OneDrive, etc.) is not trusted either. To work around the issue, you can add the application path to the trusted applications in the Profile Editor at:
DataGuard > Access control list > Manually added trusted applications and folders"


I don't like this recommendation for a workaround. If the files in question are digitally signed and came from a reputable vendor (Microsoft), then why aren't they trusted automatically? I mean we cannot expect end users like this primary school to have the skills to add folder exclusions, etc. themselves, and they don't have the money to employ security sysadmins.

The PSB system should work correctly by itself, because F-Secure is about automated solutions first and foremost; that's how and why it was sold to non-tech-savvy customers! I feel the technology should be tuned centrally by the vendor.


Thanks for your attention, Sincerely:
Tamas Feher, Hungary.

EDIT: Removed case number

Accepted solution
F-Secure

Re: F-Secure PSB DataGuard not practically usable in low-tech environments, like public education?

We have reviewed these apps and we will add sihost.exe and PickerHost.exe to exclusions.

Thank you

F-Secure

Re: F-Secure PSB DataGuard not practically usable in low-tech environments, like public education?

Hello,

Thank you for feedback.

The main point of DataGuard protection is to protect your files. It's not about recognizing whether the application that changes your file is trustworthy or not. We know that some ransomware injects into legitimate signed apps and does the encryption of your files. If we just trusted everything that is correctly signed, we would not protect you from that.

But if we did not trust anything, it would create a lot of false positives, so we have a list of whitelisted apps. And PickerHost.exe is currently not there.

We will recheck again if we can trust PickerHost.exe

Superuser

Re: F-Secure PSB DataGuard not practically usable in low-tech environments, like public education?

Dear Fedool,

> we will add sihost.exe and PickerHost.exe to exclusions

Thank you for the response and the solution offered!

I would also like to ask if the Microsoft OneDrive online storage service agent's trust status could be revised as well, since the adoption of "cloud-based" solutions is accelerating?

I mean frequently recurring incidents like this one, where e.g. a description of an imaginary sightseeing tour of ancient Rome isn't approved by F-Secure DataGuard:

Computer: https://emea.psb.f-secure.com/#/c282728/devices/computer/2475086
OS: Windows 10 64-bit, version 10.0.17134
Software: F-Secure PSB Computer Protection Premium 19.1
Module: DataGuard

Date and time: 2019.02.28. 10:04:51
File: C:\Users\user.name.HT\AppData\Local\Microsoft\OneDrive\OneDrive.exe
Target: C:\Users\user.name.HT\OneDrive\Dokumentumok\5.o töri\Városnézés az ókori Rómában.docx
Threat: reports.infections.types.ransomwareAccessControl
Action: Blocked

Date and time: 2019.02.11. 10:05:54
File: C:\Users\user.name.HT\AppData\Local\Microsoft\OneDrive\OneDrive.exe
Target: C:\Users\user.name.HT\OneDrive\Dokumentumok\5.o töri\Ókori Róma (Automatikusan mentett).doc
Threat: reports.infections.types.ransomwareAccessControl
Action: Blocked

Thanks in advance, Yours Sincerely:
Tamas Feher, 2F 2000 Kft., Hungary.

Superuser

Re: F-Secure PSB DataGuard not practically usable in low-tech environments, like public education?

Dear Fedool,

Please also suggest a solution for "OneDrive.exe" related DataGuard events. One particular computer is spamming the PSB SoP portal with 655 (!) recent alerts for "reports.infections.types.ransomwareAccessControl" regarding OneDrive and .docx files, as seen here:

https://emea.psb.f-secure.com/#/c282728/devices/computer/2475086

The use of cloud is gaining importance and some kind of by-default solution is needed.

Thanks in advance, Yours Sincerely: Tamas Feher, Hungary.


F-Secure

Re: F-Secure PSB DataGuard not practically usable in low-tech environments, like public education?

OneDrive is installed in C:\Users\ and not protected - we cannot trust it by default.

Otherwise malware can just inject there and do whatever it wants.

I wonder if you could add it to the list of trusted apps yourself in profile?

Superuser

Re: F-Secure PSB DataGuard not practically usable in low-tech environments, like public education?

Dear Fedool,

Thanks for your quick response!

> OneDrive is installed in C:\Users\ and not protected - we cannot trust it by default ... I wonder if you could add it to the list of trusted apps yourself in profile?

But if it is too dangerous for F-Secure Corp. to trust, why should I add it as an exception and shift the responsibility onto me? (Note: I'm not the affected end user, I just see those events happening in the PSB SoP portal, and the 650+ DataGuard blocking messages are flooding the malware detection list, which summarizes a total of approx. 5000 computers, thus making the recognition of e.g. false virus alarm occurrences rather difficult among the noise.)

> malware can just inject there and do whatever it wants

I wonder if that should be prevented by DeepGuard? (F-Secure DeepGuard already injects a mini-DLL into processes, preventing other attacks.)

Best regards: Tamas Feher, Hungary.

F-Secure

Re: F-Secure PSB DataGuard not practically usable in low-tech environments, like public education?

We cannot add user paths to be trusted by everyone, because they are in an unprotected folder by default. Imagine that you don't have OneDrive: malware can then just create a folder there with the same name and we will trust it.

But when an admin configures this exclusion, she should know that OneDrive is installed in this location and can add it a bit more safely.

Yes, DeepGuard will detect and block all known injection attacks, but the promise of the DataGuard feature is that it will protect your data no matter what, even if all other layers of protection are compromised or, for instance, there is not even a persistent component on the system to detect. So we need to be careful with exclusions there.
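
The portal flood described earlier in this thread (hundreds of identical DataGuard blocks for one process) and the location argument in the reply above can be turned into a small triage step. The following Python script is an added example, not F-Secure's code and not taken from any post here: it parses portal-style "Field: value" alert records like the ones quoted in this thread, groups the blocked events by acting process, and classifies the process by where it lives, following the reasoning the replies give. A process under C:\Windows\System32 is treated as a case to report to the vendor, with the target-folder exclusion the Lab describes as the interim workaround; a process under C:\Users (such as OneDrive.exe) can only be trusted by an explicit admin decision via the trusted-applications list; and a Windows system binary name appearing outside the Windows tree is the lookalike case the reply warns about and is flagged rather than excluded. The sample records, the folder classes and the verdict labels are constructed for illustration and are not a portal export or an F-Secure policy.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Windows binaries this thread says DataGuard does not trust by default.
# The same file name *outside* the Windows tree is the lookalike case.
WINDOWS_BINARIES = {"svchost.exe", "sihost.exe", "pickerhost.exe"}

# Constructed sample records in the portal's "Field: value" layout.
# The last record is a deliberately fake "svchost.exe" in a user folder.
SAMPLE_ALERTS = """\
Date and time: 2019.02.28. 10:04:51
File: C:\\Users\\user.name.HT\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe
Target: C:\\Users\\user.name.HT\\OneDrive\\Dokumentumok\\lecke.docx
Threat: reports.infections.types.ransomwareAccessControl
Action: Blocked

Date and time: 2019.02.28. 10:05:12
File: C:\\Users\\user.name.HT\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe
Target: C:\\Users\\user.name.HT\\OneDrive\\Dokumentumok\\jegyzet.docx
Threat: reports.infections.types.ransomwareAccessControl
Action: Blocked

Date and time: 2019.02.22. 11:15:32
File: C:\\Windows\\System32\\PickerHost.exe
Target: C:\\Users\\Student\\Pictures\\f07_f4.jpg
Threat: reports.infections.types.ransomwareAccessControl
Action: Blocked

Date and time: 2019.02.22. 11:20:03
File: C:\\Users\\Student\\AppData\\Roaming\\updater\\svchost.exe
Target: C:\\Users\\Student\\Documents\\budget.xlsx
Threat: reports.infections.types.ransomwareAccessControl
Action: Blocked
"""


def parse_alerts(text):
    """Split blank-line separated 'Field: value' records into dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only; keeps "C:\..."
            if sep:
                rec[key.strip()] = value.strip()
        if "File" in rec and "Target" in rec:
            records.append(rec)
    return records


def location_class(exe_path):
    """Where does the acting process live? Writing under the Windows or
    Program Files trees needs admin rights; anything under C:\\Users is
    writable by the (possibly compromised) user account."""
    parts = [p.lower() for p in PureWindowsPath(exe_path).parts]
    if len(parts) >= 3 and parts[1] == "windows" and parts[2] in ("system32", "syswow64"):
        return "system"
    if len(parts) >= 2 and parts[1] in ("program files", "program files (x86)"):
        return "admin-installed"
    if len(parts) >= 2 and parts[1] == "users":
        return "user-writable"
    return "other"


def triage(records):
    """Aggregate blocked events per acting process and attach a verdict.
    Verdict labels are this example's own, not DataGuard terminology."""
    by_exe = defaultdict(list)
    for rec in records:
        by_exe[rec["File"]].append(rec)
    result = {}
    for exe, recs in by_exe.items():
        loc = location_class(exe)
        name = PureWindowsPath(exe).name.lower()
        targets = {r["Target"] for r in recs}
        if loc != "system" and name in WINDOWS_BINARIES:
            verdict, advice = "suspicious", (
                "Windows system binary name outside the Windows tree: "
                "investigate the host, do not add an exclusion")
        elif loc == "system":
            verdict, advice = "report", (
                "OS component missing from the vendor whitelist: report to the Lab; "
                "interim workaround is DataGuard > Manually defined folders > "
                "Excluded folders for the target folder(s)")
        elif loc == "user-writable":
            verdict, advice = "admin-decision", (
                "lives in a user-writable folder, so cannot be vendor-trusted by path; "
                "after confirming the binary on the host, add it under DataGuard > "
                "Access control list > Manually added trusted applications and folders")
        else:
            verdict, advice = "review", "admin-installed or unknown location: review first"
        result[exe] = {
            "events": len(recs),
            "location": loc,
            "target_folders": sorted({str(PureWindowsPath(t).parent) for t in targets}),
            "extensions": sorted({PureWindowsPath(t).suffix.lower() for t in targets}),
            "verdict": verdict,
            "advice": advice,
        }
    return result


if __name__ == "__main__":
    summary = triage(parse_alerts(SAMPLE_ALERTS))
    for exe, info in sorted(summary.items(), key=lambda kv: -kv[1]["events"]):
        print(f"{info['events']:4d}  {info['verdict']:14s} {exe}")
        print(f"      {info['advice']}")
```

Running it on a real portal export is a matter of replacing SAMPLE_ALERTS with the exported text; the grouping by process path is what collapses a 650-event flood into a handful of decisions, and the verdict column keeps the "OneDrive in %LOCALAPPDATA%" case visibly separate from a same-named binary dropped somewhere it does not belong.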

Superuser

Re: F-Secure PSB DataGuard not practically usable in low-tech environments, like public education?

Dear Fedool,

Thanks for your quick response!

I have posted a (tangentially related) new thread in the community's Partner forum section:

https://community.f-secure.com/t5/Exclusively-for/Need-quot-anti-flood-quot/td-p/115403

Yours Sincerely: Tamas Feher, Hungary.

Superuser

Re: F-Secure PSB DataGuard not practically usable in low-tech environments, like public education?

Dear Fedool,

> We cannot add user paths to be trusted by everyone because they are in unprotected folder by default

I'd hope F-Secure could approach Microsoft Corp. with that problem and convince them to relocate the OneDrive program to a more systematic folder path, where Windows OS protections are available (so that 3rd-party security software can better trust the cloud client).

Yours Sincerely: Tamas Feher, Hungary.