- Apr 1, 2019
- 2,882
I had run a scan about 40 minutes earlier…late cloud response? That’d be a pretty big delay.
Anybody seen a block like this before?
- Thread starter blackice
- Start date
Please provide comments and solutions that are helpful to the author of this topic.
- Jul 27, 2015
- 5,458
Agree, so it raise a few extra questions. One can perhaps track something from their official database that might help:
F-Secure Latest Database Updates for F-Secure Capricorn
That was a bit weird. Capricorn is the Avira engine and I see that todays date for some reason is missing out several versions. 1-6 is not there. It starts with " 2023-01-19_07 ".
- Apr 1, 2019
- 2,882
I know ESET does some file system scanning when the system is idle. I wonder if F-Secure does something similar? I didn’t think it would be going through secondary drives.I ignored something like this earlier today, but since you posted... I got a warning from ESET that it detected a variant of win32.exe (IIRC) in E:\\kerish.rar file that I was holding AND that ESET could not clean. That file was just in miscellaneous storage and of no use to me, so I just deleted /wiped it. I did not manually scan E;\\ I did pause long enough to scratch my head but then got busy with something else. Curious!!??
- Apr 1, 2019
- 2,882
It’s really funny. I’m actually suppressing the urge to reinstall windows and wipe the game drive and starting from scratch so I just don’t have to bother with it. If I didn’t have kids to pick up from school and dinner to cook them I probably would have.Glad to see you stay curious, instead of as some simply un-install the AV no matter what brand/vendor and gets satisfied because now the new AV don't warn for infections!
Since you already submitted this, you will sooner or later get an answer, but personal I wonder not on exact what gets blocked because I have no doubt it's legit, but the warning message mention parts I can't see been said/asked in this thread.
F: , is that a external drive or USB?
Yes, it was Deepguard that flagged it. Did you view recent events? Deepguard would not have flagged it unless it was trying to run.
- Apr 1, 2019
- 2,882
There’s no blocks in the Deepguard list. The only thing logged is what I posted showing a block with an Avira signature.
- Apr 1, 2019
- 2,882
I'm not expecting a quick reply from F-Secure as I submitted as sample over a week ago for their opinion and still haven't heard back. So it could be a while. I'm thinking the signatures messed up some sort of suppression of that old Burnout Paradise detection. But, we will see.
In the meantime:
Kaspersky Threat Intelligence: Clean (and documented that it is the game file from 2018)
VT: Still Clean
Second Opinion:
ESET Online Scanner: No detection on full system scan and scan of File
Hitman Pro: No detection on system scan
Norton Power Eraser: No detection on full system scan and scan of File
Malwarebytes: No detection on full system scan and scan of File
EEK: No detection on full system scan and scan of File
File submitted to multiple vendors for analysis, as well as the only other new exe I've run in the last few months.
In the meantime:
Kaspersky Threat Intelligence: Clean (and documented that it is the game file from 2018)
VT: Still Clean
Second Opinion:
ESET Online Scanner: No detection on full system scan and scan of File
Hitman Pro: No detection on system scan
Norton Power Eraser: No detection on full system scan and scan of File
Malwarebytes: No detection on full system scan and scan of File
EEK: No detection on full system scan and scan of File
File submitted to multiple vendors for analysis, as well as the only other new exe I've run in the last few months.
- Jul 27, 2015
- 5,458
Yeah I was thinking the same because their official support for home users only works during the weeks ( business hours ), weekends are closed. But I can advice you to try call them next week if you haven't heard anything back. It's a good option that normally works and personal I enjoy it when I can speak in my native language, even if English works.
- Nov 21, 2022
- 248
sometimes it is not as simple as submitting a sample for analysis and a verdict
this case of burnoutpr.exe requires event trace logs to be submitted so that developer can identify the triggering event
the issue is not a signature (false positive) problem, if it was, then you would see brunoutpr.exe detected in virus total
the problem is a detection one, which is not a black-and-white one based on signature alone
it could be a bug in the security software
- Apr 1, 2019
- 2,882
Yep, which is why I contacted F-Secure with screenshots as well as the file and a description of the event.
I'm not the type of person to blow off a detection. Like I said, usually I'd just wipe the C: and the drive with the detection and start from scratch. But I'm waiting to see what they say.
- May 10, 2019
- 2,289
Exactly. That was the case for Kerish Doctor. The detection was not based on signature but rather on behaviour analysis.
Since F-Secure uses Avira SDK including cloud access if I am not mistaken, it seems F-Secure consulted the cloud for it detected some sort of suspicious activity. Thus, it makes sense to send logs to support so that they can determine the reason of detection and whether it is a FP or not.
- Jul 27, 2015
- 5,458
Did you send them the FSDIAG file? It's what F-Secure even have available local but called support tool. Start that will after a few minutes create a archive that is very important for the support as it automatic gives them a more fair chance.
- May 10, 2019
- 2,289
Good practice. Whenever sth is detected on my devices, I contact support and provide them with everything they request and then restore a clean system image.
I would not anything frim running all these second-opinion scanners as the detection was not based on signatures. The same goes for VT. The only thing that can sort this out is F-Secure support with the logs so that they can trace what exactly happened.
- Apr 1, 2019
- 2,882
I'm not sure about that. There's no blocks in Deepguard, so either the detection is a hiccup or the block didn't work properly.
The second opinion scanners could pick up if something else was running that is acting maliciously and just happened to trigger F-Secure when accessing the file in question (which I'm certain is clean). What I'm not sure about is what accessed the file and caused the detection in the first place.
I just did run it right before you asked, wish I had sent it with the submission. I have it ready to go when I hear from them.
- Apr 16, 2017
- 3,137
fwiw, I have telephoned FS support, 2 times, and quickly answered and very knowledgeable.
- Nov 21, 2022
- 248
the kind of issue you are seeing is probably outside the scope of he fsdiag collection utility
typically to troubleshoot this kind of item on windows involves event trace log (threre are different kinds on windows) or even developer custom kernel tracing
event trace logging is similar to a procmon trace (capture) and is not performed by a utility like fsdiag
- Apr 1, 2019
- 2,882
I did a chat with them and they said it was in the queue with the malware analysts. So I guess I’ll wait and see.
- Apr 1, 2019
- 2,882
Gotta love MalwareTips. Responses range from ‘shrug’ just a FP to OMG YOU COULD HAVE THE MOST DANGEROUS MALWARE EVER! I can wipe the drives at any time.
- May 10, 2019
- 2,289
Since you provided support with everything they need, then I believe it is time to restore a system image or do a clean install to be in the safe side, at last this is what I would do.
- Nov 21, 2022
- 248
the probability is high that it is not malware
the probability is high that it is a fs bug
upload the burnoutpf.exe to hybrid-analysis.com for malware sandbox analysis?
Similar threads
