Lack of SHA-1 checksum on certain malware alert in the webportal

Superuser

Dear F-Secure,

 

I would like to repeatedly request that PSB endpoints should report the SHA-1 checksum on every malware alert to the webportal. Currently only Deepguard module based detections provide a checksum in F-Secure alerts, but traditional virus detection module based alerts do not. Let me explain why that asymmetry is a serious problem:

 

- Sometimes I see alerts like these in the PSB portal and think they may be false alarms:

 

File: ...blahblah...\c-project\2\20190531\bin\Debug\20190531\2.exe
Hash: c6da49a63d096f2515f0a3ce920f5be0a6980ff7
Threat: Suspicious:W32/Malware!DeepGuard.n

 

Here I can use the Hash as a clue to start searching e.g. in VirusTotal webportal to find a sample that matches the SHA-1 value exactly. If I find one, I can report the case to F-Secure Virus Lab and they can fix the false malware detection. This method works well.

 

- Sometimes I see alerts like these in the PSB portal and think they may be false alarms:

 

File: ...blahblah...\Browny02\Brother\BrStMonW.exe

Threat: Heuristic.HEUR/AGEN.1019626

 

Here I see no Hash value to start searching for, so I cannot find an exact sample match to report. Searching for the file name is not possible in VirusTotal and even if I find a file with that name elsewhere, it is usually a different minor version of the same software, so it cannot be used to reproduce the false malware alert event and I cannot report the case to F-Secure Virus Lab to have it fixed.

 

Due to the lack of hash info in so many malware alerts (many of them obvious false alerts at first sight), I often feel helpless, as I would like to have them fixed by the FSC virus lab but can't find a way to submit them in a usable manner.

 

Please consider if anything could be done to alleviate this situation!

 

Thanks in advance, Yours Sincerely:
Tamas Feher, 2F 2000 Kft., Hungary.

 

EDIT: Title
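
The triage gap described in the post above, as an added example that is not part of the original post and not F-Secure tooling: it parses alert text in the `File:` / `Hash:` / `Threat:` shape quoted above, lists the alerts that arrive without a usable SHA-1, and computes the SHA-1 of a local copy of a flagged file so the exact sample can be looked up or submitted. The function names and the pasted-text input format are assumptions.

```python
import hashlib
import re

# Constructed sample: the two alert shapes quoted in the post above.
SAMPLE_ALERTS = r"""File: ...blahblah...\c-project\2\20190531\bin\Debug\20190531\2.exe
Hash: c6da49a63d096f2515f0a3ce920f5be0a6980ff7
Threat: Suspicious:W32/Malware!DeepGuard.n

File: ...blahblah...\Browny02\Brother\BrStMonW.exe

Threat: Heuristic.HEUR/AGEN.1019626
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")  # 160-bit digest as 40 hex characters


def parse_alerts(text):
    """Split pasted alert text into dicts; each 'File:' line starts a new alert."""
    alerts, current = [], None
    for line in text.splitlines():
        # Split on the first colon only: threat names and paths contain colons.
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if not sep or key not in ("file", "hash", "threat"):
            continue
        if key == "file":
            current = {"file": value.strip(), "hash": None, "threat": None}
            alerts.append(current)
        elif current is not None:
            current[key] = value.strip()
    return alerts


def alerts_missing_hash(alerts):
    """Return alerts with no well-formed SHA-1, i.e. no exact sample to search for."""
    return [a for a in alerts
            if not (a["hash"] and SHA1_RE.match(a["hash"].lower()))]


def sha1_of_file(path, chunk_size=1 << 20):
    """SHA-1 of a file, read in chunks so large installers do not fill memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()
```

Running `sha1_of_file` on the copy of the flagged file taken from the affected endpoint gives the value that a file of the same name from elsewhere would not match if it is a different minor version.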

1 ACCEPTED SOLUTION

F-Secure Product Manager

Re: Lack of SHA-1 checksum on certain malware alert in the webportal

Hi Tamas,

 

Thanks for your post and request.

 

We've looked into this, and we should be able to add more information such as the hash to the portal.

 

I cannot give an exact timeline on this being available, but it's in our queue for implementation.

 

Best Regards,

 

Andy

 

Scholar

Re: Lack of SHA-1 checksum on certain malware alert in the webportal

I ran into a similar problem. I translated a previously compiled program again with Delphi 10.1 and got the following error: Heuristic.HEUR / AGEN.1042929

Sincerely: Sandor

Superuser

Re: Lack of SHA-1 checksum on certain malware alert in the webportal

Hello,

 

> translated a previously compiled program again with Delphi 10.1 and got the following error: Heuristic.HEUR / AGEN.1042929

 

Please do this:

 

- Upload the affected program file to "www.virustotal.com" (that website is run by Google)

 

- When you see the virus scanner detection results, there will be a "Details" tab

 

- Tell us the "SHA-1" value written there, something similar to: e33a0247f0ed3635a12a4927a6380308e430fe04

 

This allows us to report the false malware alarm for fixing.

 

Best regards: Tamas Feher, 2F 2000 Kft., Budapest.

Scholar

Re: Lack of SHA-1 checksum on certain malware alert in the webportal

Hi etomcat!

SHA-1: fdeaf9713b68cd5e921a72b41fbe23550d0d6dd9

 

Thanks and best regards,

Sándor

Superuser

Re: Lack of SHA-1 checksum on certain malware alert in the webportal

Hello Sandor

 

This morning I've opened case ticket xxxxxxxx with the FSC virus analysis lab and am currently waiting for their response.

 

Best regards: Tamas Feher.

 

Edit: Removed case number

Superuser

Re: Lack of SHA-1 checksum on certain malware alert in the webportal

Hello Sandor,

F-Secure viruslab sent the following ticket response on Friday morning:

 

"Our analysis has found that the file you submitted is clean.
We have identified the issue as a False Positive, which will be resolved automatically via F-Secure's Security Cloud.
In the meantime, you may exclude this file from further scanning by using the following instructions:

 

F-Secure Home Security products:

https://community.f-secure.com/t5/F-Secure-SAFE/How-do-I-exclude-a-file-or/ta-p/56363

 

F-Secure Business Security products:

https://community.f-secure.com/t5/Business/Excluding-objects-from-Real-Time/ta-p/66013

 

Best regards,
F-Secure Customer Protection"

Scholar

Re: Lack of SHA-1 checksum on certain malware alert in the webportal

Thanks,

I think that this error came out due to a platform problem; it is produced by Delphi Vcl.FileCtrl components, like FileListBox, DirectoryListBox, DriveComboBox, ...

Regards,

Sandor