Self-false alarm in F-Secure PSB "Software Updater" subsystem hits new 32/64-bit versions of Firefox browser.

Superuser

Dear Sirs,

I am seeing the curious malware alerts quoted below in the F-Secure PSB EMEA "SoP" web portal. I have reported them to F-Secure Virus Lab as cases xxx and xxx, and they are asking for samples in response. I find that request bizarre, considering that F-Secure Corp. itself is distributing these files on which the FSAV false alerts occur...

OS: Win 10 Pro 64-bit, version 10.0.17763

Software: F-Secure PSB Computer Protection client 19.3

File: C:\ProgramData\F-Secure\swup2\working\deployer\Patches\Firefox Setup 67.0.2_x86_HUN.exe

Hash: 011defa74d030fadcf7773134d984e8247c673f1

Threat: Suspicious:W32/Malware!DeepGuard.pg

Action: Blocked

***************************

OS: Win 10 Ent 64-bit, version 10.0.17134

Software: F-Secure PSB Computer Protection Client 19.3

File: C:\ProgramData\F-Secure\swup2\working\deployer\Patches\Firefox Setup 67.0.2_x64_HUN.exe

Hash: d2985a9181d31b3df4063292d89477216a0bf086

Threat: Suspicious:W32/Malware!DeepGuard.pg

Action: Blocked

Please review the situation if possible, because there is no way I could obtain binary file samples from those PSB endpoints: they are located in some Hungarian school in the countryside, but I don't even know where exactly geographically, I don't have remote desktop to them, and FSAV PSB doesn't yet support remote sample submission.

Thanks in advance, Yours Sincerely:
Tamas Feher, 2F 2000 Kft., Hungary.

EDIT: Removed Case numbers

F-Secure

Re: Self-false alarm in F-Secure PSB "Software Updater" subsystem hits new 32/64-bit versions of Firefox browser.

Hello,

Thanks for reporting this. We will find the samples and send them to analysts.

Note that F-Secure does not distribute these updates. We download them from vendor sites and have no way to verify if they will be false positived or not before that happens. Especially for DeepGuard, which analyses events from the running application, not just scanning the file.

DeepGuard detections are often based on the rarity of files, and if you are the first one seeing this update then it's rare and DeepGuard treats it as suspicious. I assume signing for these updates is also somehow changed so it's not trusted and detection is triggered on system modification.

Superuser

Re: Self-false alarm in F-Secure PSB "Software Updater" subsystem hits new 32/64-bit versions of Firefox browser.

Dear Fedool,

Thanks for your super-quick response!

> I assume signing for these updates is also somehow changed

There was a minor scandal recently where one of Mozilla Firefox's certificates expired (wasn't renewed in time) and all browser extensions were disabled as a result. They had to issue a new emergency cert as a result. The incident was discussed here:

https://community.f-secure.com/t5/Business/Mozilla-org-s-big-mess-up-with/td-p/116847

Yours Sincerely: Tamas Feher, Hungary.

F-Secure

Re: Self-false alarm in F-Secure PSB "Software Updater" subsystem hits new 32/64-bit versions of Firefox browser.

This issue was fixed yesterday.

Like I assumed, Firefox changed its signing certificate and this new update just started deploying lately.
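
For triaging an alert like the ones in this thread on an endpoint you can reach, the following is an added example (not part of the thread and not F-Secure tooling). It compares the file's digest with the hash in the alert and reports the Authenticode signer, so a changed signing certificate can be confirmed by comparing thumbprints with an older installer. It assumes the 40-hex-digit hashes in the alerts are SHA-1; the function name `Get-InstallerTriage` is hypothetical.

```powershell
# Added example (not from the thread). Assumption: the alert's 40-hex-digit
# "Hash" values are SHA-1 digests of the blocked file.
param(
    [string]$Path = 'C:\ProgramData\F-Secure\swup2\working\deployer\Patches\Firefox Setup 67.0.2_x64_HUN.exe',
    [string]$ReportedHash = 'd2985a9181d31b3df4063292d89477216a0bf086'
)

function Get-InstallerTriage {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ReportedHash
    )

    # A blocked file may already have been removed or quarantined.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $sha1 = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate      # $null when the file is unsigned
    $tsa  = $sig.TimeStamperCertificate # $null when there is no timestamp

    [pscustomobject]@{
        File             = [System.IO.Path]::GetFileName($Path)
        Sha1             = $sha1.ToLowerInvariant()
        # -ieq: case-insensitive comparison of the two hex strings
        MatchesAlert     = $sha1 -ieq $ReportedHash.Trim()
        # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        SignatureStatus  = $sig.Status
        StatusMessage    = $sig.StatusMessage
        SignerSubject    = if ($cert) { $cert.Subject }    else { $null }
        SignerIssuer     = if ($cert) { $cert.Issuer }     else { $null }
        SignerThumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        SignerNotBefore  = if ($cert) { $cert.NotBefore }  else { $null }
        SignerNotAfter   = if ($cert) { $cert.NotAfter }   else { $null }
        Timestamped      = [bool]$tsa
    }
}

Get-InstallerTriage -Path $Path -ReportedHash $ReportedHash | Format-List
```

Running the same function against the previously deployed installer and comparing `SignerThumbprint` and `SignerNotBefore` shows whether the vendor switched certificates between releases.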