F-Secure 18.2 released

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
F-Secure has three main issues.

1) F-Secure's cache for unsigned files needs to be improved. I mean after every signature update, unsigned apps take longer to load with higher than average CPU and disk usage. The apps will launch immediately on subsequent runs till the next signature update.

2) Another issue is, it slows down copying speed horrendously with high disk usage. The worst I have seen TBH. Open task manager and copy something like your browser's profile which contains a lot of small files, e.g. Edge/Firefox, and you will see.

3) The age-old issue of F-Secure that most regular users will probably be aware of, and that is, sometimes its on-demand scanner can't remove detected malware. You will have to manually delete the file. It happens a lot with Java malware and even some packed EXE files.

I hope they work on this. Otherwise, everything else is pretty good. The RAM usage is close to Bitdefender's level, but I don't think anyone should bother about the RAM usage.

Edit: 4) Sometimes F-Secure's DeepGuard blocks games without providing any notification. So it becomes hard to realize why the particular game or even an app is not working. Putting into exclusions solves it. I contacted F-Secure about this, and their response kind of meant they can't/won't fix the issue.
 

Virtuoso

Level 3
Well-known
Feb 21, 2022
109
> F-Secure has three main issues.
>
> 1) F-Secure's cache for unsigned files needs to be improved. I mean after every signature update, unsigned apps take longer to load with higher than average CPU and disk usage. The apps will launch immediately on subsequent runs till the next signature update.
>
> 2) Another issue is, it slows down copying speed horrendously with high disk usage. The worst I have seen TBH. Open task manager and copy something like your browser's profile which contains a lot of small files, e.g. Edge/Firefox, and you will see.
>
> 3) The age-old issue of F-Secure that most regular users will probably be aware of, and that is, sometimes its on-demand scanner can't remove detected malware. You will have to manually delete the file. It happens a lot with Java malware and even some packed EXE files.
>
> I hope they work on this. Otherwise, everything else is pretty good. The RAM usage is close to Bitdefender's level, but I don't think anyone should bother about the RAM usage.

These are good suggestions. Please report these on the F-Secure community forum; they seem to respond well there by reporting the issues to the R&D team: F-Secure SAFE

I was using Bitdefender till last week and the RAM usage is significantly less; especially at idle, F-Secure is in the range of 50-70 MB RAM.
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
> These are good suggestions. Please report these on the F-Secure community forum; they seem to respond well there by reporting the issues to the R&D team: F-Secure SAFE
>
> I was using Bitdefender till last week and the RAM usage is significantly less; especially at idle, F-Secure is in the range of 50-70 MB RAM.

Good suggestion.
For me, the RAM usage is always over 300 MB. Sometimes even 400. It depends on the RAM you have on your system. I have 16 GB, with most of it unused most of the time. So I don't usually mind the RAM usage.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
784
> F-Secure has three main issues.
>
> 1) F-Secure's cache for unsigned files needs to be improved. I mean after every signature update, unsigned apps take longer to load with higher than average CPU and disk usage. The apps will launch immediately on subsequent runs till the next signature update.

This was made worse in one of the recent SAFE updates that added more cloud reputation lookup points when running trusted binaries. It seems like it is a measure to protect against LOLBin attacks where people ask a trusted process like 7Zip to execute something malicious. I think they really need an offline reputation database as well for common whitelisted items and maybe not invalidate it on every signature update.

> 2) Another issue is, it slows down copying speed horrendously with high disk usage. The worst I have seen TBH. Open task manager and copy something like your browser's profile which contains a lot of small files, e.g. Edge/Firefox, and you will see.
>
> 3) The age-old issue of F-Secure that most regular users will probably be aware of, and that is, sometimes its on-demand scanner can't remove detected malware. You will have to manually delete the file. It happens a lot with Java malware and even some packed EXE files.

Yeah they really don’t care about disinfection and handling archives even.

> I hope they work on this. Otherwise, everything else is pretty good. The RAM usage is close to Bitdefender's level, but I don't think anyone should bother about the RAM usage.
> Edit: 4) Sometimes F-Secure's DeepGuard blocks games without providing any notification. So it becomes hard to realize why the particular game or even an app is not working. Putting into exclusions solves it. I contacted F-Secure about this, and their response kind of meant they can't/won't fix the issue.

Ah yes. DeepGuard works by injecting into the process to inspect its actions. Emsisoft’s works the same way but has a huge whitelist of hashes they don’t inject into. This will break a lot of games that have anti-cheats which think that injected code = a cheat. So yeah technically speaking DeepGuard isn’t blocking the game, it’s more just breaking the game due to its actions.

Games are always touchy subjects in this regard. Most anti-cheats are basically benevolent rootkits and a lot of game engines just flat out execute unsigned Lua and C# scripts in the game data, which could easily be used to compromise a machine.

I’ll add a (5) weakness in that F-Secure is systemically weak against scriptors across the board. Half the fault is Avira is really bad at statically detecting JS/VBS/BAT malware, but their other engines are supposed to be helping here but they are still behind. DeepGuard can intercept some of these attacks via AMSI but that should be the last line of defense. They really need to add another engine that has strong performance against scriptors.
 

JB007

Level 26
Verified
Top Poster
Well-known
May 19, 2016
1,580
> I’ll add a (5) weakness in that F-Secure is systemically weak against scriptors across the board. Half the fault is Avira is really bad at statically detecting JS/VBS/BAT malware, but their other engines are supposed to be helping here but they are still behind. DeepGuard can intercept some of these attacks via AMSI but that should be the last line of defense. They really need to add another engine that has strong performance against scriptors.

And what are the best AVs against scriptors?
 

Shadowra

Level 36
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,586
> I’ll add a (5) weakness in that F-Secure is systemically weak against scriptors across the board. Half the fault is Avira is really bad at statically detecting JS/VBS/BAT malware, but their other engines are supposed to be helping here but they are still behind. DeepGuard can intercept some of these attacks via AMSI but that should be the last line of defense. They really need to add another engine that has strong performance against scriptors.

This is not wrong, although I have noticed a small evolution in Avira.
On the other hand, DeepGuard is very effective against script attacks.
But I must say that it is not the only one (yesterday I managed to infect my virtual machine with a VBS script with Norton)
 

Anthony Qian

Level 10
Verified
Well-known
Apr 17, 2021
453
> F-Secure has three main issues.
>
> 1) F-Secure's cache for unsigned files needs to be improved. I mean after every signature update, unsigned apps take longer to load with higher than average CPU and disk usage. The apps will launch immediately on subsequent runs till the next signature update.
>
> 2) Another issue is, it slows down copying speed horrendously with high disk usage. The worst I have seen TBH. Open task manager and copy something like your browser's profile which contains a lot of small files, e.g. Edge/Firefox, and you will see.
>
> 3) The age-old issue of F-Secure that most regular users will probably be aware of, and that is, sometimes its on-demand scanner can't remove detected malware. You will have to manually delete the file. It happens a lot with Java malware and even some packed EXE files.
>
> I hope they work on this. Otherwise, everything else is pretty good. The RAM usage is close to Bitdefender's level, but I don't think anyone should bother about the RAM usage.
> Edit: 4) Sometimes F-Secure's DeepGuard blocks games without providing any notification. So it becomes hard to realize why the particular game or even an app is not working. Putting into exclusions solves it. I contacted F-Secure about this, and their response kind of meant they can't/won't fix the issue.

Yes. F-Secure is bad at repairing threats. It cannot remove malicious code/part within a detected object.

DeepGuard is somewhat likely to incorrectly block safe apps that are not so common among F-Secure users.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
784
> And what are the best AVs against scriptors?

In my experience, Kaspersky and ESET. ESET of course has to because it has almost zero behavior blocker / runtime blocking support. But both of them seem pretty consistent at detecting common script malware via signatures.

For example, this is a VBS sample from Cape Sandbox yesterday: VirusTotal

Kaspersky posts a heuristic generic detection, ESET has a precise signature detection. F-Secure/Avira both do not (and this has been confirmed locally too as of 5 minutes ago).

I then trivially did a few things -- changed everything to lowercase (since VBS is not case sensitive), renamed the randomly named functions to Func1, Func2, Variable1, Variable2, etc: VirusTotal

A few engines lost detection but MS/ESET/Kaspersky get it still heuristically.

> This is not wrong, although I have noticed a small evolution in Avira.
> On the other hand, DeepGuard is very effective against script attacks.
> But I must say that it is not the only one (yesterday I managed to infect my virtual machine with a VBS script with Norton)

Yeah DeepGuard is definitely effective against supported script attacks. In particular VBS via WSH and PowerShell both get aggressively monitored and there are many great DeepGuard detections of that. But many engines do not get monitored by DeepGuard -- for example, BAT, Python, Lua, JS via a Chromium V8 interpreter, etc.... those are all completely not monitored.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
784
I should add a disclaimer that detecting script malware via signatures tends to be hard to do (I mean, it's theoretically impossible, it's the Halting Problem). I've analyzed in the past when ESET got mad at me and wrote a signature for one of my test scripts: Malware Analysis - "pyrate", Behavior Blocker Bypass POC #3

With that said, I'm sure signatures they write for real malware are much higher quality but there are no limits to how many ways you can represent the same code in a text file and make it hard for a static scanner to catch it.

My issue here is that I've found in my experience that F-Secure and Avira have almost 0 detection of JS/VBS/BAT malware, even popular samples where very similar samples get uploaded to Cape Sandbox daily. DeepGuard saves the day for some kinds of scripts, but I really want to see better performance here, whether it's DeepGuard catching all scripting runtimes, or a static scanner that is as effective as Kaspersky at script detection.
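
Added example, not part of the thread or of any vendor's engine: a sketch of why the lowercasing and renaming described in the posts above defeats an exact-match signature, and how a scanner can fingerprint a canonical form instead. The VBS snippets are constructed and benign, and the `KEYWORDS` set and function names are assumptions made for this illustration.

```python
import hashlib
import re

# Reserved words and host objects left untouched. Assumption: a small subset
# that covers the samples below; a real normalizer needs the full VBScript list.
KEYWORDS = {"dim", "set", "function", "sub", "end", "if", "then", "else",
            "for", "each", "in", "next", "call", "wscript", "echo", "createobject"}

TOKEN = re.compile(r'''
    (?P<str>"(?:[^"]|"")*")        # string literal ("" is an escaped quote)
  | (?P<comment>'[^\n]*)           # comment runs to end of line
  | (?P<ident>[a-z_][a-z0-9_]*)    # keyword or identifier
  | (?P<other>\S)                  # operators, digits, punctuation
''', re.VERBOSE)

def normalize(script: str) -> str:
    """Lowercase, drop comments/whitespace, rename identifiers by first use."""
    names, out = {}, []
    for m in TOKEN.finditer(script.lower()):   # VBS is case-insensitive
        kind, text = m.lastgroup, m.group()
        if kind == "comment":
            continue
        if kind == "ident" and text not in KEYWORDS:
            text = names.setdefault(text, f"id{len(names)}")
        out.append(text)
    return " ".join(out)

def raw_hash(script: str) -> str:
    return hashlib.sha256(script.encode()).hexdigest()

def fingerprint(script: str) -> str:
    return raw_hash(normalize(script))

# Constructed, harmless samples: same logic, different case and names.
ORIGINAL = """Dim qXzPl
Function KjWqa(RtYuo)
    ' build greeting
    KjWqa = "Hello, " & RtYuo
End Function
qXzPl = KjWqa("world")
WScript.Echo qXzPl
"""
VARIANT = """dim variable1
function func1(variable2)
    func1 = "hello, " & variable2
end function
variable1 = func1("world")
wscript.echo variable1
"""

if __name__ == "__main__":
    print("raw hashes equal:  ", raw_hash(ORIGINAL) == raw_hash(VARIANT))
    print("fingerprints equal:", fingerprint(ORIGINAL) == fingerprint(VARIANT))
```

Lowercasing string literals trades some precision for robustness, and this canonical form only covers case, comment, whitespace and identifier changes; other rewrites of the same logic still need heuristic or behavioral detection.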
 

JB007

Level 26
Verified
Top Poster
Well-known
May 19, 2016
1,580
> In my experience, Kaspersky and ESET. ESET of course has to because it has almost zero behavior blocker / runtime blocking support. But both of them seem pretty consistent at detecting common script malware via signatures.
>
> For example, this is a VBS sample from Cape Sandbox yesterday: VirusTotal
>
> Kaspersky posts a heuristic generic detection, ESET has a precise signature detection. F-Secure/Avira both do not (and this has been confirmed locally too as of 5 minutes ago).
>
> I then trivially did a few things -- changed everything to lowercase (since VBS is not case sensitive), renamed the randomly named functions to Func1, Func2, Variable1, Variable2, etc: VirusTotal
>
> A few engines lost detection but MS/ESET/Kaspersky get it still heuristically.

Thanks @MacDefender
McAfee also detects this sample.
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,867
> Ah yes. DeepGuard works by injecting into the process to inspect its actions. Emsisoft’s works the same way but has a huge whitelist of hashes they don’t inject into. This will break a lot of games that have anti-cheats which think that injected code = a cheat. So yeah technically speaking DeepGuard isn’t blocking the game, it’s more just breaking the game due to its actions.
>
> Games are always touchy subjects in this regard. Most anti-cheats are basically benevolent rootkits and a lot of game engines just flat out execute unsigned Lua and C# scripts in the game data, which could easily be used to compromise a machine.

I’m glad I came across this. I was considering giving F-Secure a shot on my gaming rig, but this sounds like a pain. If Bitdefender didn’t have huge updates hitting my NVMe I’d still be using that. Overall Defender or ESET still seem the least problematic for a gaming rig, I’ll keep my eye on F-Secure.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
784
> I’m glad I came across this. I was considering giving F-Secure a shot on my gaming rig, but this sounds like a pain. If Bitdefender didn’t have huge updates hitting my NVMe I’d still be using that. Overall Defender or ESET still seem the least problematic for a gaming rig, I’ll keep my eye on F-Secure.

I mean, they do have a whitelist mechanism for known problematic games but they need to update it every time certain games get patched. I play a lot of Steam and MS store games and only rarely get hit by this. It might not be worth ruling out F-Secure simply for this reason.
 

Sorrento

Level 11
Verified
Top Poster
Well-known
Dec 7, 2021
541
I've recently copied over 100 GIG+ of data with F-Secure running with no apparent slowdowns at all, I wonder if users who have this issue have a conflict - I can't speak for disinfection as not tried malware & don't seem to acquire it - Though on a personal basis I wouldn't trust any AV to ever clean an infected system (of mine) I'd image back or worst case scenario reinstall - This might not apply to other users.
 

SearchLight

Level 13
Verified
Top Poster
Well-known
Jul 3, 2017
626
Based on what everyone seems to be saying here in this most recent posting, F-Secure is buggy, and does not offer good protection in certain scenarios.

If this be the situation, then F-Secure would not be recommended as an effective security solution.

However, elsewhere in this forum others seem to disagree, and think it is effective. Anyone else feel this way?
 

superleeds27

Level 7
Verified
Apr 5, 2017
309
> Based on what everyone seems to be saying here in this most recent posting, F-Secure is buggy, and does not offer good protection in certain scenarios.
>
> If this be the situation, then F-Secure would not be recommended as an effective security solution.
>
> However, elsewhere in this forum others seem to disagree, and think it is effective. Anyone else feel this way?

Yep. Can get a bit confusing at times on here! Makes deciding just as hard!
 

SearchLight

Level 13
Verified
Top Poster
Well-known
Jul 3, 2017
626
I offer the posting above for comparison purposes regarding the effectiveness of F-Secure.
 
