User Feedback F-Secure Quick Review

[MacDefender]

Nice review! Your experience matches mine with F-Secure.... In terms of its strengths, it's very good at executable and most PowerShell malware, including custom attacks (true zero days). It's pretty weak against batch, Python, and JS scripting, and Java can be very hit or miss (it strongly relies on Avira's cloud scanning which is decent at analyzing Java exploits but if Avira says it's okay, DeepGuard doesn't seem to offer much protection).

As you noted, cleaning is not F-Secure's strong suit. It often leaves things dangling, like startup entries resulting in a block every reboot. I would not suggest F-Secure as a way to clean up an already infected system, it's best for avoiding infection in the first place.

But yeah overall, it's so lightweight and has such a simple installation/uninstallation process that it's a no brainer alternative for something like Windows Defender -- it offers great protection and gets out of your way.

 

[McMcbrad]

Nice review! Your experience matches mine with F-Secure.... In terms of its strengths, it's very good at executable and most PowerShell malware, including custom attacks (true zero days). It's pretty weak against batch, Python, and JS scripting, and Java can be very hit or miss (it strongly relies on Avira's cloud scanning which is decent at analyzing Java exploits but if Avira says it's okay, DeepGuard doesn't seem to offer much protection).

As you noted, cleaning is not F-Secure's strong suit. It often leaves things dangling, like startup entries resulting in a block every reboot. I would not suggest F-Secure as a way to clean up an already infected system, it's best for avoiding infection in the first place.

But yeah overall, it's so lightweight and has such a simple installation/uninstallation process that it's a no brainer alternative for something like Windows Defender -- it offers great protection and gets out of your way.

Unfortunately, some infection vectors seem to have been overlooked totally by F-Secure. They are probably minor and won't affect many users, but still can't be ignored.

 

[MacDefender]

Unfortunately, some infection vectors seem to have been overlooked totally by F-Secure. They are probably minor and won't affect many users, but still can't be ignored.

Hopefully they improve this. AMSI was a recent addition as was more trigger points for DeepGuard inspection. I think they need to come up with a solution to deal with scriptors as one of their highest priorities. Full blown suites also tend to do better with secondary payload blocking at the networking level but F-Secure is also limited in that manner.

 

[McMcbrad]

Hopefully they improve this. AMSI was a recent addition as was more trigger points for DeepGuard inspection. I think they need to come up with a solution to deal with scriptors as one of their highest priorities. Full blown suites also tend to do better with secondary payload blocking at the networking level but F-Secure is also limited in that manner.

I understood from the UI that network protection works for all processes (and due to the fact that it works in browsers even without the extension), but it looks like it works only in-browser? Am I right?

By reading the help files, it looks like it works only on browser level. The review has been updated to reflect that and the overall rating has been decreased from 5 stars to 4.

 

[Gandalf_The_Grey]

This is what happens if the tool is used:
View attachment 249843
This is from the SRP Log:
Access to C:\Users\***\Desktop\FedEx_AWB_1988380371_NOV. 22_2020.jar has been restricted by your Administrator by the default software restriction policy level.

Great, thanks
Can you to try the same with @NoVirusThanks SysHardener with the default settings (Apply Selected)?
Still curious about the result...

 

[McMcbrad]

Great, thanks
Can you to try the same with @NoVirusThanks SysHardener with the default settings (Apply Selected)?
Still curious about the result...

This tool doesn't stop this particular infection.

 

[Gandalf_The_Grey]

This tool doesn't stop this particular infection.

Thanks for testing. That means that Simple Windows Hardening from @Andy Ful would be a great companion for F-Secure Safe.

 

[McMcbrad]

Thanks for testing. That means that Simple Windows Hardening from @Andy Ful would be a great companion for F-Secure Safe.

Simple Windows Hardening from @Andy Ful is a lot easier to deploy/deactivate and more effective than the NoVirusThanks hardener (in this particular test). It also didn't require a reboot, but only log-off. Overall it was a better experience.

 

[MacDefender]

I understood from the UI that network protection works for all processes (and due to the fact that it works in browsers even without the extension), but it looks like it works only in-browser? Am I right?

By reading the help files, it looks like it works only on browser level. The review has been updated to reflect that and the overall rating has been decreased from 5 stars to 4.

Yeah that's my understanding too -- it seems like it's mainly a browser-only feature. I have tried using the shell and Python scripts to download even simple things like EICAR and it doesn't trip. This isn't like ESET's network filter which is an always-on AV that scans all network traffic.

 

[McMcbrad]

Yeah that's my understanding too -- it seems like it's mainly a browser-only feature. I have tried using the shell and Python scripts to download even simple things like EICAR and it doesn't trip. This isn't like ESET's network filter which is an always-on AV that scans all network traffic.

And it isn't like Avast/AVG either. They block connections in all apps and once you download malware, in 2-3 minutes the link is blacklisted.
I was browsing some pages about STOP/DJVU ransomware with Eset before and it found malware in my browser cache (it recognised the ransomware note). Next day these webpages were blocked, due to the malware discovered (unfortunately this is more of an FP, but shows their reaction).

 

[SeriousHoax]

Excellent review Thanks for testing and more so for going in depth with the removal ability as it was something I requested the other day.
I found two bugs in F-Secure last week and just now reported to them. Hope it gets even better over time

 

[KonradPL]

Nice review thanks
Off topic
Guys how about Norton 360 in overall protection and scriptors?
Few years ago i had F-Secure Safe and i liked it

 

[McMcbrad]

Off topic
Guys how about Norton 360 in overall protection and scriptors?
Few years ago i had F-Secure Safe and i liked it

Norton 360 didn't do great on my last test and that wasn't too long ago. It missed pretty much everything I downloaded.
I can retest it soon, but it will be only a very quick one, as I have no interest in this product.

 

[MacDefender]

And it isn't like Avast/AVG either. They block connections in all apps and once you download malware, in 2-3 minutes the link is blacklisted.
I was browsing some pages about STOP/DJVU ransomware with Eset before and it found malware in my browser cache (it recognised the ransomware note). Next day these webpages were blocked, due to the malware discovered (unfortunately this is more of an FP, but shows their reaction).

Yeah Kaspersky does a good job with that too. But again, F-Secure is really privacy sensitive and arguably, phoning home with links you visit in realtime is not very privacy-friendly. That's always a difficult tradeoff.

 

[McMcbrad]

Yeah Kaspersky does a good job with that too. But again, F-Secure is really privacy sensitive and arguably, phoning home with links you visit in realtime is not very privacy-friendly. That's always a difficult tradeoff.

Well they do in the browser, where all user data is, but they don't do in apps (connecting mainly their official domains). It doesn't look like privacy is the reason behind it.

 

[MacDefender]

Norton 360 didn't do great on my last test and that wasn't too long ago. It missed pretty much everything I downloaded.
I can retest it soon, but it will be only a very quick one, as I have no interest in this product.

I find their signatures to be pretty okay, though there's recently more reliance on the generic AdvML.* detections, which are a mixed bag. Back in an enterprise setting I had a lot of trouble with PowerShell logon scripts being incorrectly detected as malware. SONAR's reputation database is pretty decent but SONAR's behavior blocker is not very good frankly. It's gotten a lot better at ransomware with the new "data protector" feature (which is basically specialized protection against certain folders and file extensions), but for how much that product reports back to Norton, it's nowhere near as effective as Kaspersky System Watcher.

 

[MacDefender]

Well they do in the browser, where all user data is, but they don't do in apps (connecting mainly their official domains). It doesn't look like privacy is the reason behind it.

I packet dumped it and it did not phone home per URL. It seems like it uses a Google Safe Browsing style design where it downloads a pack of reputation data covering many sites, triggered by visiting one. And it definitely has no feature where it reports malicious infected URLs back to their servers, which is pretty popular in a lot of AV products.

 

[McMcbrad]

I find their signatures to be pretty okay, though there's recently more reliance on the generic AdvML.* detections, which are a mixed bag. Back in an enterprise setting I had a lot of trouble with PowerShell logon scripts being incorrectly detected as malware. SONAR's reputation database is pretty decent but SONAR's behavior blocker is not very good frankly. It's gotten a lot better at ransomware with the new "data protector" feature (which is basically specialized protection against certain folders and file extensions), but for how much that product reports back to Norton, it's nowhere near as effective as Kaspersky System Watcher.

I was told by Tim Lopez, who was Norton Support and Community Manager before, that Data Protector is discontinued... And frankly I didn't see that feature on my last test. Norton centres everything around the Norton Insight reputation system and a code injector would easily bypass their Data Protector, even it it was present.
SONAR is not really a true behavioural blocker, it's also built around the Insight system mainly. It works great on *.exe files, where reputation can be applied, but it typically fails on everything else.
The way Norton reports data back is a total nonsense. It collects data, it waits for your system to be idle (on, but without using keyboard and mouse) and then it kicks in. Norton then has a very slow reaction time.
The ADVML heuristic is great, but again, mainly on *.exe files.

As for F-Secure, they could use the same data they use to block malicious URLs in browser to block them in other apps.

 

[MacDefender]

I was told by Tim Lopez, who was Norton Support and Community Manager before, that Data Protector is discontinued... And frankly I didn't see that feature on my last test. Norton centres everything around the Norton Insight reputation system and a code injector would easily bypass their Data Protector, even it it was present.
SONAR is not really a true behavioural blocker, it's also built around the Insight system mainly. It works great on *.exe files, where reputation can be applied, but it typically fails on everything else.
The way Norton reports data back is a total nonsense. It collects data, it waits for your system to be idle (on, but without using keyboard and mouse) and then it kicks in. Norton then has a very slow reaction time.
The ADVML heuristic is great, but again, mainly on *.exe files.

Wow. SONAR did really poorly on basically all of my simulated ransomware tests except when Data Protector was active. Oh well, Norton is one of those products, they've gone through a lot of ups and downs in terms of being so-so, being amazing again, and then back to so-so.

 

[KonradPL]

Norton 360 didn't do great on my last test and that wasn't too long ago. It missed pretty much everything I downloaded.
I can retest it soon, but it will be only a very quick one, as I have no interest in this product.

How about McAfee with scriptors? I seen a goo opinii about this product