F-Secure Safe - June 2021 Report

harlan4096

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,634
F-Secure Safe - June 2021 Report
Due to the small number of samples used in this tests, you should take results with a grain of salt. We encourage you to compare these results with others and take informed decisions on what security products to use.
__

C: Clean / P: Protected / P - NC: Protected - Not Clean / I: Infected / E: Encrypted

* Dynamic BB Bonus Test (Resident Protection Disabled)
* Partially Blocked
BSR: Before System Reboot

ASR: After System Reboot

June
2021​
Samples
Pack​
Static
Detection​
Dynamic
Detection​
Total
Detection​
System Files
Encrypted​
2nd Opinion
Scanners​
System
Final Status​
Thread
Link​
02/06/2021
6
4 / 6
1 / 2
5 / 6
No
C: WV HMP I: NPE
P - NC
03/06/2021
1
1 / 1
1 / 1*
1 / 1
1 / 1*
No
No
*
C
C
P*
04/06/2021
2
1 / 2
0 / 1
0 / 1*
1 / 2
0 / 1*
No
No
*
C: HMP I: WV NPE
I
I*
06/06/2021
2
1 / 2
1 / 2
1 / 1*
2 / 2
1 / 1*
No
No
*
C
P
P*
07/06/2021
1
0 / 1
1 / 1
1 / 1
No
C: HMP NPE I: WV
P - NC
09/06/2021
4
2 / 4
1 + 1* / 2
3 + 1*/ 4
No
C: HMP I: WV NPE
P - NC
12/06/2021
2
1 / 2
1 / 1
1 / 1*
2 / 2
1 / 1*
No
No
*
C
P
P*
14/06/2021
2
1 / 2
1 / 1
1 / 1*
2 / 2
1 / 1*
No
No
*
C
P
P
*
15/06/2021
5
3 / 5
1 + 1* / 2
4 + 1* / 5
No
C: HMP
I: WV NPE
BSR: I
ASR: I
17/06/2021
2
1 / 2
1 / 1
1 / 1*
2 / 2
1 / 1*
No
No
*
C: HMP I: WV NPE
P - NC
P*
18/06/2021
1
1 / 1
1 / 1*
1 / 1
1 / 1*
No
No*
C
C
P*
20/06/2021
1
0 / 1
1 / 1
1 / 1
No
C
P
21/06/2021
3
3 / 3
3 / 3
3 / 3*
3 / 3
3 / 3*
No
No
*
C
C
C*
23/06/2021
3
2 / 3
1 / 1
1 / 2*
3 / 3
1 / 2*
No
No*
C
C*
P
I*
25/06/2021
2
0 / 2
0 / 2
0 / 2
No
C
P
26/06/2021
2
1 / 2
1* / 1
0 / 1*
1 + 1* / 2
0 / 1*
No
No
*
C: WV HMP I: NPE
C*
I
P - NC*
28/06/2021
2
2 / 2
2 / 2
1 / 2*
2 / 2
1 / 2*
No
No
*
C
C
C
P*
30/06/2021
5
3 / 5
0 / 2
2 / 3*
3 / 5
2 / 3*
No
No
*
C
I*

P
I*
/06/2021
-
/
/
/*
/
/*
No
Yes
C: WV HMP NPE
I: WV HMP NPE
C
P - NC
I
Post#​
/06/2021
-
/
/
/*
/
/*
No
Yes
C: WV HMP NPE
I: WV HMP NPE
C
P - NC
I
Post#​
 
Last edited:

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
Excited to see F-Secure tested again. Last time around it was pretty darn good against everything except scriptors. I am suspecting it'll be the same this time around, as I don't see anything different in version 18 in that regard. The DeepGuard whitepaper was updated slightly but has almost no new information (just a design language change to match their latest endpoint security related whitepapers)
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,456
Stable version 17.8 that was released June last year 2020, was for sure the biggest change " under the hood ". It's beta phase took 8 months to complete. With version 18 and now with the new released Beta 18.1, it's obvious what they concentrate on.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
Stable version 17.8 that was released June last year 2020, was for sure the biggest change " under the hood ". It's beta phase took 8 months to complete. With version 18 and now with the new released Beta 18.1, it's obvious what they concentrate on.
Oh right, 17.8 was a significant change. If I recall correctly, it added AMSI and along the same lines, said that it added more trigger points where DeepGuard and F-Secure Cloud would take a look at the reputation of things being launched.

The 18.0/18.1 releases seem to be mostly facelifts. Not really judging that -- using Qt instead of native UI libraries isn't great (it makes the UI consume a lot more RAM and disk space than needed), but I don't think it'll have much of a protection benefit. But of course I don't see any other products actively tested in the Hub that measures Avira / Avira Cloud so it could be good to see how it's doing.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,456
Oh right, 17.8 was a significant change. If I recall correctly, it added AMSI and along the same lines, said that it added more trigger points where DeepGuard and F-Secure Cloud would take a look at the reputation of things being launched.
True.
For Windows users, any malicious software that uses obfuscation and evasion techniques on Windows 10's built-in scripting hosts is automatically inspected at a much deeper level than ever before, providing additional levels of protection.
That, I got a small feeling will show itself. Especially with several script samples, but not all and not always on static. I don't want to say too much until the test is actually completed, but from many previous internal tests I noted a big change on how script samples been handled. The part I personal don't like, but also fully understand is that it for sure works with it's own cloud service and also with AMSI, the final verdict can take up to 1 minute. Easy tested by simply extract for example a .vbs sample and just wait. 1 minute give or take, can of course be debated about, and I know I am a bit picky.

The 18.0/18.1 releases seem to be mostly facelifts. Not really judging that -- using Qt instead of native UI libraries isn't great (it makes the UI consume a lot more RAM and disk space than needed), but I don't think it'll have much of a protection benefit.
They are about to get rid of Qt.
Qt library is removed from the product, including ICU library and OpenSSL. This changed also the UI paradigm: with old UI, it was always running in memory, consuming memory and a bit of CPU even if user did not want to view the UI. It also needed to be loaded into memory after restart, affecting computer performance in restart. The new .NET based UI works so that UI is loaded into memory only when user opens it, resulting in less resource usage when app is protecting in the background.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
First result looked pretty good!

So in terms of signatures:
  • Trojan:W32/....!Online: F-Secure Online (their own cloud)
  • Worm:VBS/...: In-house engine (not sure which)
  • HEUR/APC: Avira Cloud
  • Exploit.EXP:/OfcKit: Avira Signatures

So half of the detections are from F-Secure's in-house engines and plus a DeepGuard hit, it once against shows that F-Secure brings a lot more to the table than just the Avira engine.

The dynamic DeepGuard hit is because it tried to drop an AutoRun, which DeepGuard is extremely sensitive against. You can see Dr. Web missed an AutoRun in the same sample pack.

And not sure if the last miss was just good at waiting longer for a trigger, but it didn't seem to do anything harmful and all that was left was a DLL with an incorrect extension (probably staged secondary payload from one of the tests). F-Secure doesn't care about that file extension and it's not going to execute until it's renamed as a DLL anyway.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
So far the trends look similar to before, though it seems like there’s more signature hits from their in house engines and less reliance on Avira and APC.

Seems like DeepGuard’s one miss to AutoRuns involved a chain of a script calling MSBuild. Unfortunately I’ve also found DeepGuard to be pretty blind to abused legitimate apps (whether it’s MSBuild or 7Zip), something Kaspersky System Watch is a bit smarter about.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,456
This time F-Secure managed to escape any encryptions and that's of course always important. Personal after this test, and even if F-Secure did well, I would say that DeepGuard needs to be tweaked for a better protection for autoruns keys. It's something it struggles with from time to time. Other major vendors got the exact same issue. It's a pattern that's pretty easy to trace and extra much thanks to statistical reports like this.

Big thanks @harlan4096 for another great test. (y)
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top