New Update FS Protection PC 18.4 releases (beta)

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
The Avira engine would be Capricorn? And from what I researched, the others would be these:
- Hydra: script-based (heuristic) AV engine.
- Virgo: certificate whitelisting engine.
- Lynx: cloud scanning (sandbox) engine.
This is correct. The primary third-party engine is Capricorn (Avira) and it does most of the heavy lifting for on-demand scans. Note that their in-house engines are really good at Office97 macro viruses and they tend to mop up most of those kinds of threats that Avira misses.

Also worth noting, DeepGuard (behavior blocker and memory scanner) is in-house and is one of the best dynamic protectors in the business. And FSO (F-Secure Online's cloud) is pretty powerful too; it's a hash-based cloud scanner. It is pretty effective against zero-days, but recently it's been clouded (no pun intended) by them auto-blacklisting all Abuse.ch and auto-sandbox-analysis (like JoeSandbox) samples.
 

likeastar20

Level 8
Verified
Mar 24, 2016
374
This is correct. The primary third-party engine is Capricorn (Avira) and it does most of the heavy lifting for on-demand scans. Note that their in-house engines are really good at Office97 macro viruses and they tend to mop up most of those kinds of threats that Avira misses.

Also worth noting, DeepGuard (behavior blocker and memory scanner) is in-house and is one of the best dynamic protectors in the business. And FSO (F-Secure Online's cloud) is pretty powerful too; it's a hash-based cloud scanner. It is pretty effective against zero-days, but recently it's been clouded (no pun intended) by them auto-blacklisting all Abuse.ch and auto-sandbox-analysis (like JoeSandbox) samples.
DeepGuard doesn't have a rollback feature, like the one in Kaspersky's System Watcher. Do you think it is a must-have?
 

Anthony Qian

Level 10
Verified
Well-known
Apr 17, 2021
450
This is correct. The primary third-party engine is Capricorn (Avira) and it does most of the heavy lifting for on-demand scans. Note that their in-house engines are really good at Office97 macro viruses and they tend to mop up most of those kinds of threats that Avira misses.

Also worth noting, DeepGuard (behavior blocker and memory scanner) is in-house and is one of the best dynamic protectors in the business. And FSO (F-Secure Online's cloud) is pretty powerful too; it's a hash-based cloud scanner. It is pretty effective against zero-days, but recently it's been clouded (no pun intended) by them auto-blacklisting all Abuse.ch and auto-sandbox-analysis (like JoeSandbox) samples.
They monitor PE samples on Abuse.ch.
 

Anthony Qian

Level 10
Verified
Well-known
Apr 17, 2021
450
Thanks for making it clear. Not a fan of this shortcut approach from a reputable company.
Yeah. They block PE samples on Abuse.ch in a timely manner. Last time, someone uploaded a sample to Abuse.ch, which was later found to be a false positive of Kaspersky. This sample was detected by F-Secure within several minutes of submission to Abuse.ch. As for script samples like JS, VBS, etc., F-Secure’s cloud won’t block them automatically.

In contrast, F-Secure takes several days (typically 5 days) to process my manual sample submissions, which is disappointing.
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
661
In contrast, F-Secure takes several days (typically 5 days) to process my manual sample submissions, which is disappointing.
It is a good sign that manual sample submissions are not processed fully automatically. There is a human looking into them to make sure you get the correct analysis result. This takes time, and it will vary with current workload, urgency and your status as a customer. Generally, false positives on system and production components are more urgent than false negative submissions. Business customers with thousands of licenses are more urgent than customers who use the product for their two home computers.

In contrast, blocklisting samples is done automatically and needs to be done fast for protection. Your manually submitted samples might still be put to automatic processing but maybe for whatever reason they are not flagged as malware in the processing backend and the final verdict from a human analyst definitely takes more time.

Antivirus companies use different sources of sample streams that they process daily and it is possible that the samples submitted to abuse.ch get a higher priority than some other sample sources. E.g., if the ratio of malware samples is especially high there, it makes sense to assign a high prio to that.
But I am sure the samples are not blocklisted without any other checks behind that. That would be too risky for any antivirus company.
 

Anthony Qian

Level 10
Verified
Well-known
Apr 17, 2021
450
It is a good sign that manual sample submissions are not processed fully automatically. There is a human looking into them to make sure you get the correct analysis result. This takes time, and it will vary with current workload, urgency and your status as a customer. Generally, false positives on system and production components are more urgent than false negative submissions. Business customers with thousands of licenses are more urgent than customers who use the product for their two home computers.

In contrast, blocklisting samples is done automatically and needs to be done fast for protection. Your manually submitted samples might still be put to automatic processing but maybe for whatever reason they are not flagged as malware in the processing backend and the final verdict from a human analyst definitely takes more time.

Antivirus companies use different sources of sample streams that they process daily and it is possible that the samples submitted to abuse.ch get a higher priority than some other sample sources. E.g., if the ratio of malware samples is especially high there, it makes sense to assign a high prio to that.
But I am sure the samples are not blocklisted without any other checks behind that. That would be too risky for any antivirus company.
1. Kaspersky, ESET, and Bitdefender also have malware submissions processed by virus experts. But they can typically respond within hours. IMO, manual virus analysis does not equal long (>24 hrs) processing time.

2. According to my observations of the detection names, I noticed that almost all of the submitted malware samples were detected by the Avira engine (TR/[Family].xxxxx) in the end.
Our analysis indicates that the file you submitted is malicious and is detected as TR/Injector.tyhad by our products with the latest updates.
(I received the above reply after I requested F-Secure to update their DeepGuard/Heuristic detection system to tackle Magniber ransomware. As shown in the reply, F-Secure just asks Avira to add the corresponding detection, which cannot detect future variants of this ransomware. Avira's engine is really bad at detecting Magniber, btw.)
Our analysis indicates that the file you submitted is malicious and will be detected as TR/BAT.Agent.Y by our products with the latest updates.
We have submitted the file to the detection team for evaluation, and one of the files (htmllayout.dll) is deemed to be malicious. The file will now be detected with detection "TR/Redcap.7b7cf0" from the Capricorn engine.
I expected to see that F-Secure’s engine could detect these samples. However, it seems that F-Secure, after receiving sample submissions, first submits these samples to Avira for analysis, which results in a long processing time.

3. FP (safe apps incorrectly blocked by DeepGuard) submissions also take a long time for F-Secure to resolve.

4. @struppigel, I know you are a researcher of G-Data and maybe not so familiar with F-Secure's sample submission and processing. I encourage you and other interested MT members to submit a sample/website to F-Secure via Submit a sample | F-Secure, using your private email. ;)
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
DeepGuard doesn't have a rollback feature, like the one in Kaspersky's System Watcher. Do you think it is a must-have?

I find DeepGuard tends to declare something suspicious often times before even one file gets encrypted. If it's a good exploit, maybe some files.

I feel less comfortable with the System Watching approach of "hey go do your thing, I'll roll things back later" if anything. The more time you let malware run, the more things it can do which you'll either fail to roll back or can't roll back. For example, there's no rolling back of extortionware when it steals your files before encrypting them.

Again, DeepGuard tends to be sensitive and prone to false positives if you routinely deal with unknown PE files. KSW is much less prone to false positives. It is also an extremely extremely effective behavior blocker. Not giving a preference.

That's way too inconclusive an assessment, and more so when the Hub results show the opposite. The last sample is a perfect example.

They monitor PE samples on Abuse.ch.

Yeah. They block PE samples on Abuse.ch in a timely manner. Last time, someone uploaded a sample to Abuse.ch, which was later found to be a false positive of Kaspersky. This sample was detected by F-Secure within several minutes of submission to Abuse.ch. As for script samples like JS, VBS, etc., F-Secure’s cloud won’t block them automatically.

In contrast, F-Secure takes several days (typically 5 days) to process my manual sample submissions, which is disappointing.

(addressing these together): @upnorth I definitely admit this is purely a guess as an observer and an observation from 1-2 months ago, as I haven't recently been able to keep up with trends. I also am fairly confident of this pattern when it comes to PE malware on abuse.ch in particular. Some of the blacklisted samples I've looked at on abch were legit software that happened to trigger a sandbox heuristic and if there was any human inspection of the sandbox result, it would not have been marked as malware.

Personally, I think this technique is pretty effective against zero-days, my concern is mostly it biases some casual malware testing results. Of course the experts don't just get samples from Abuse.ch but a lot of the Youtube videos I'm watching, the samples do appear to basically be scraped from a public sandbox. It could make the results seem misleadingly good.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,458
Of course the experts don't just get samples from Abuse.ch
Correct, and also 100% for sure not all and everything, as that is too far-fetched. For any malware tester or researcher, that specific part should be obvious.
Antivirus companies use different sources of sample streams that they process daily



a lot of the Youtube videos I'm watching, the samples do appear to basically be scraped from a public sandbox. It could make the results seem misleadingly good.
Making assessments solely from YouTube videos is not recommended. Ransomware videos are one great example that sadly, time and time again, never show their viewers how much actual damage was done. Too easy to include, but I guess the knowledge is lacking or it's ignored. Sample information (extremely important for any malware test or report) also isn't included and is impossible to track, etc. But I'm gonna stop there, as otherwise it's too easy to sidetrack and get off-topic with a YT/video debate that suits better in another thread.
 

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,668
I definitely admit this is purely a guess as an observer and an observation from 1-2 months ago, as I haven't recently been able to keep up with trends. I also am fairly confident of this pattern when it comes to PE malware on abuse.ch in particular. Some of the blacklisted samples I've looked at on abch were legit software that happened to trigger a sandbox heuristic and if there was any human inspection of the sandbox result, it would not have been marked as malware.
This behavior hasn't changed yet. I checked about 1 week ago. If anyone wants to ignore this fact, then that's their decision.
 

Anthony Qian

Level 10
Verified
Well-known
Apr 17, 2021
450
This behavior hasn't changed yet. I checked about 1 week ago. If anyone wants to ignore this fact, then that's their decision.
There is nothing wrong with choosing Abuse.ch as one of the malware sources. Just admit it. Even F-Secure itself uses the ".abch" suffix to show the source.

But worryingly, the sample quality on MB is not very good now. Corrupted samples and benign samples are mixed with malicious samples.
 

Anthony Qian

Level 10
Verified
Well-known
Apr 17, 2021
450
@upnorth, @struppigel, @MacDefender, @SeriousHoax, @Shadowra :

Just came across a clean sample on abuse.ch (MalwareBazaar) today: MalwareBazaar | Browse malware samples (VT link: VirusTotal).

This sample has a legitimate digital signature and is marked as "Clean/Not malicious" by Kaspersky and Microsoft.

Upon further investigation, according to the Any.run report, this sample is downloaded from the official Lenovo site (https://download.lenovo.com/pccbbs/mobiles/n32pg02w_v2_version.exe), so it is 100% safe to use!

However, this sample is detected by F-Secure as "Trojan:W32/Generic.abch!fsmind", as shown in the attached screenshot.


Therefore, I think F-Secure does not perform a thorough sandbox analysis and just blocks almost all PE samples on MB/Abuse.ch.
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
661
I am not sure what we are currently discussing or why.

There is a difference between saying

all abuse.ch samples get blocklisted by F-Secure
vs
many abuse.ch samples get blocklisted by F-Secure

It was the former that I responded to and it had been stated by MacDefender but is now removed/corrected.

Regarding the response times of F-Secure @Anthony Qian

I have no idea how other companies do the sample processing. I can only tell you my perspective and that is: depending on the file, it might either take 10 minutes, 2 days or 2 weeks to properly analyse it. That highly depends on what the sample looks like.

That means response times that are below 24 hours are not always possible while also providing a proper analysis. They are only possible if done with shortcuts. E.g. someone may respond on the same day with an initial verdict and only correct it later if it turns out to be a different one. Or the analysis is done sloppily, which can happen if there is a response time limit imposed on the analyst. Or it was not handled by an analyst at all.

first submits these samples to Avira for analysis, which results in a long processing time.
That is certainly a contributor to longer response times.
 

Anthony Qian

Level 10
Verified
Well-known
Apr 17, 2021
450
I am not sure what we are currently discussing or why.

There is a difference between saying


vs


It was the former that I responded to.

Regarding the response times of F-Secure @Anthony Qian

I have no idea how other companies do the sample processing. I can only tell you my perspective and that is: depending on the file, it might either take 10 minutes, 2 days or 2 weeks to properly analyse it. That highly depends on what the sample looks like.

That means response times that are below 24 hours are not always possible while also providing a proper analysis. They are only possible if done with shortcuts. E.g. someone may respond on the same day with an initial verdict and only correct it later if it turns out to be a different one. Or the analysis is done sloppily, which can happen if there is a response time limit imposed on the analyst. Or it was not handled by an analyst at all.


That is certainly a contributor to longer response times.
I noticed that you said:
But I am sure the samples are not blocklisted without any other checks behind that.
But based on the above example, it seems that F-Secure did not perform adequate double checks before blocking samples on Abuse.ch via their Security Cloud. :(

As for the processing time, actually, I've submitted ~20 ITW samples to F-Secure this year, and they always took a fairly long time (1 week) to process my submission. Btw, I submitted these samples to other vendors like ESET and Kaspersky, too. But they were able to reply to my submission in a timely manner, with a final verdict given by a human analyst. Bitdefender is more "diligent" because they can always respond within hours. :ROFLMAO:
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
I don’t remember if I made the erroneous statement but in my opinion it looks like any sample uploaded to Abuse.ch, as long as it has some set of sandbox identified suspicious behaviors, would get the “!abch” cloud signatures. Then, even a tiny modification to change the hash would cause the sample to go undetected again.

I like the idea of getting on top of zero days, BUT this seems ripe for abuse to introduce false positives simply by uploading to MalwareBazaar. Between that and biased positive results…. Those are my big worries about this approach. A targeted malware actor on your organization will NEVER start with a sample that has a known hash on public sandboxes.
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
661
I noticed that you said:
"But I am sure the samples are not blocklisted without any other checks behind that."
But based on the above example, it seems that F-Secure did not perform adequate double checks before blocking samples on Abuse.ch via their Security Cloud. :(
How does this refute my statement :)
I mean it exactly the way I wrote it. I did not say the checks are always sufficient (having no FPs is impossible). It was a reply towards "all samples are blocklisted"

Edit:
As for the processing time, actually, I've submitted ~20 ITW samples to F-Secure this year, and they always took a fairly long time (1 week) to process my submission. Btw, I submitted these samples to other vendors like ESET and Kaspersky, too. But they were able to reply to my submission in a timely manner, with a final verdict given by a human analyst. Bitdefender is more "diligent" because they can always respond within hours.
You are repeating your experiences and I feel tempted to repeat my explanations. But I already explained it as good as I can. So I will stop here before it creates a discussion circle. ;)
 

Anthony Qian

Level 10
Verified
Well-known
Apr 17, 2021
450
How does this refute my statement :)
I mean it exactly the way I wrote it. I did not say the checks are always sufficient (having no FPs is impossible). It was a reply towards "all samples are blocklisted"
I said almost all samples. Not all samples.

Moreover, flagging legitimate Lenovo software as malicious is quite astonishing. A very simple check would prevent this FP issue from happening. I can't imagine how an anti-virus software could generate such false positives.
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
661
I said almost all samples. Not all samples.

I know. That's why I wonder why you feel the need to discuss this with me.
It was MacDefender who said it, but corrected it later.

Moreover, flagging legitimate Lenovo software as malicious is quite astonishing. A very simple check would prevent this FP issue from happening. I can't imagine how an anti-virus software could generate such false positives.
That is a complex topic, because what would this simple check look like? If you are interested to learn more about FPs in antivirus software, you will find some answers here: The real reason why malware detection is hard—and underestimated
 
