As MonikaL shared, obtaining the file samples during the first stage would be the most efficient way to resolve a false positive case.
The binaries are required for us to debug how the false positive may occur in a particular file and then apply the necessary fixes, while keeping the protection at a good level to still detect valid malware samples.
In some cases, the samples may be publicly available or already in our backend. I would recommend whenever possible to provide at least the file hash (SHA1) when filing a false positive case, so that we can check if the sample is already available to us. The PSB Management API documentation contains some examples on how to generate a report containing the detection details (including SHA1) programmatically: https://help.f-secure.com/product.html?business/psb-rest-api/1.0.0/en/concept_216D5455656A49A38AA049D6C7B37427-1.0.0-en
For cases where the sample is not available to us (e.g. internally-developed software), there's an easy-to-use F-Secure tool available that we recommend both Home and Corporate users utilize in order to safely retrieve the quarantined files before submission.
The tool would have to be executed at the endpoint where the samples were quarantined, and its usage instructions are described here: https://community.f-secure.com/t5/Common-topics/How-do-I-collect-quarantined/ta-p/78104
As PSB currently doesn't feature remote sample submission capabilities, I hope you find the above information useful for the time being.
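An added example to go with the advice above about including the SHA1 in a false positive case. This is not F-Secure's quarantine collection tool and not the report sample from the PSB API documentation; it is a small stand-alone Python script (hashlib only, no network) that hashes the retrieved files in chunks and prints a JSON report you can paste into the ticket. The file paths and the sample bytes in the test are constructed for illustration.

```python
"""Hash report for files being attached to a false positive submission.

Added example, independent of F-Secure tooling: computes SHA1 (what the
Labs ask for) and SHA256 of each file without loading it fully into memory.
"""
import hashlib
import json
import os
import sys

CHUNK = 1024 * 1024  # read files in 1 MiB chunks


def hash_chunks(chunks) -> dict:
    """Feed an iterable of byte chunks through SHA1 and SHA256.

    Returns hex digests and the total byte count.
    """
    h_sha1 = hashlib.sha1()
    h_sha256 = hashlib.sha256()
    size = 0
    for chunk in chunks:
        h_sha1.update(chunk)
        h_sha256.update(chunk)
        size += len(chunk)
    return {
        "sha1": h_sha1.hexdigest(),
        "sha256": h_sha256.hexdigest(),
        "size": size,
    }


def hash_bytes(data: bytes) -> dict:
    """Convenience wrapper for an in-memory blob (e.g. a test sample)."""
    return hash_chunks([data])


def hash_file(path: str) -> dict:
    """Hash one file on disk in chunks and record its absolute path."""
    with open(path, "rb") as fh:
        entry = hash_chunks(iter(lambda: fh.read(CHUNK), b""))
    entry["path"] = os.path.abspath(path)
    return entry


def build_report(paths) -> list:
    """Hash every readable file; unreadable ones are recorded, not fatal."""
    report = []
    for path in paths:
        try:
            report.append(hash_file(path))
        except OSError as exc:
            report.append({"path": os.path.abspath(path), "error": str(exc)})
    return report


def report_json(paths) -> str:
    """JSON text suitable for pasting into a false positive case."""
    return json.dumps(build_report(paths), indent=2, sort_keys=True)


if __name__ == "__main__":
    # Usage: python hash_report.py <file-or-directory> ...
    targets = []
    for arg in sys.argv[1:]:
        if os.path.isdir(arg):
            for root, _dirs, files in os.walk(arg):
                targets.extend(os.path.join(root, f) for f in files)
        else:
            targets.append(arg)
    print(report_json(targets))
```

Run it against the folder produced by the quarantine collection tool, then attach both the archive and the printed JSON to the case; the SHA1 lets the analyst check the backend before opening the archive at all.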
First of all, thank you for sharing your concerns with us regarding these threats targeting Brazil.
I'd like to share that the eight Virustotal samples mentioned in your post are at this moment already detected by signatures.
As has been shared in this thread, Virustotal can be useful to get a quick assessment on a sample, and it should be noted that many of the protection layers available in F-Secure products won't be visible in Virustotal results, including Deepguard, Security Cloud, etc. I'd recommend having a look at the latest edition of our Deepguard whitepaper to gain some insights on F-Secure's multi-layered security approach: https://www.f-secure.com/documents/996508/1030745/deepguard_whitepaper.pdf
To better address your concerns regarding Brazil-specific malware, we have already discovered some points where we need to make improvements, and the protection coverage should gradually improve over the following weeks. If you have additional samples that are missed, we would appreciate it if you can continue submitting them through our SAS portal. Finally, we would like to thank you once again for helping us improve our protection and products.
Dear hyvokar,

My name is Victor, from the Anti-Malware Unit here in F-Secure. I'm glad you have reached us regarding these URL false positives, and I'm sure we'll be able to reach a satisfactory solution.

I'm sorry to see that these false positives are a cause of frustration, so the first thing I've done is revise the 4 URLs submitted above and correct their content ratings (3 of them were incorrectly classified as Adult content, while the other one was due to a heuristic phishing rule), so you should be able to access them again.

To answer your question about what we are doing to prevent these false positives, I've been personally working closely with other members from the Labs for the past few months on reducing the amount of false positives, which should be reduced compared to earlier this year. There's still much work to be done, as the issue is technically complex to resolve, so what we can do for the time being is continue collecting your valuable feedback on sites that are blocked, so that we can work out the best way to address each one of them.

I've seen you opened a case with us back in July, so what I can recommend to make a more efficient use of your time would be to create a new case through the link below (once), and then keep on communicating with our analysts directly via email through that same ticket when you spot a new blocked site. It could also be helpful to submit a few problematic URLs in a batch inside a text file, so that all can be handled as one submission.

https://www.f-secure.com/en/web/labs_global/submit-a-sample

Would that be agreeable with you?