Q&A Is F-Secure sleeping again?

Status
Not open for further replies.

marcopaone

Level 5
Verified
Jul 15, 2016
232
Hi!

On VirusTotal Avira detects the ransomware as JAVA/SMSSend.zgxoh. But why not F-Secure?
EDIT:
I tried to open it and anyway F-Secure does not block it.
Result: system is infected and files are encrypted.

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,442
Good question. I mean it! Maybe, because many AVs/tools have problems with script files, as can be seen here:


That's the exact same sample btw and would be interesting to know with a dynamic test/scan. It's also a possible POC sample so that can very well be a reason. Maybe it needs to be submitted?
 

marcopaone

Level 5
Verified
Jul 15, 2016
232
Good question. I mean it! Maybe, because many AVs/tools have problems with script files, as can be seen here:


That's the exact same sample btw and would be interesting to know with a dynamic test/scan. It's also a possible POC sample so that can very well be a reason. Maybe it needs to be submitted?
Also, I tried to open it and anyway F-Secure does not block it.
System is infected and files are encrypted.
 

Nightwalker

Level 22
Verified
Trusted
Content Creator
May 26, 2014
1,158
F-Secure Capricorn engine (Avira) may have a small delay in updates compared to Avira's proprietary solutions, but it isn't anything significant; just today 15 updates were released for it, so we can assume that the detection was included in a database update after you tested.

Anyway, F-Secure DeepGuard should protect the machine in those situations, but unfortunately it didn't happen.

F-Secure Latest Database Updates for F-Secure Capricorn (f-secure.com)
 

MacDefender

Level 14
Verified
Oct 13, 2019
685
If this is bypassing CFA it must be using some sort of special technique to encrypt. CFA is very protective and doesn’t have much of a whitelist, it also causes a lot of false positives.
That’s probably part of why DeepGuard was defeated.
It might be worth trying some of the other strong behavior blockers like Kaspersky or Emsisoft.
 