upnorth

Moderator
Verified
Staff member
Malware Hunter
It's apparently detected also on VT. My best guess is that DeepGuard doesn't find the actual file malicious when it's executed. Best advice is to send this to their support and ask them to check.

Update :

In this case F-Secure doesn't clean/delete the file after the static scan. Normally it does that automatically for most malicious files without any interaction, but it does work when quarantining the file.

I found the file on AnyRun, so I fixed the submission and am just waiting for a reply. I'll update here when I get the answer back.

upnorth

Moderator
Verified
Staff member
Malware Hunter
I just got a reply from the support saying the file is found to be malicious and immediately blocked via their Security Cloud. 🤷‍♂️

@marcopaone, test first to manually update the AV, unless it has already done that itself. Now again try to execute/run that file and let us know what happened. If it doesn't work we probably need this tested and fully confirmed also with the stable version.
 

marcopaone

Level 4
Verified
I just got a reply from the support saying the file is found to be malicious and immediately blocked via their Security Cloud. 🤷‍♂️

@marcopaone, test first to manually update the AV, unless it has already done that itself. Now again try to execute/run that file and let us know what happened. If it doesn't work we probably need this tested and fully confirmed also with the stable version.
Same result as before.
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
This is serious: an AV detecting a malicious file but allowing the user to execute it without warnings will result in infected computers.

Try contacting them again and explain the severity of this bug.
Yes, and no. I think one should remember the first initial report and what version it was found in.
Edit: I'm using the beta version.
And what are Beta versions normally known for?
This 100% for sure now also needs a full confirmation on the stable version. Now if it's the exact same issue, then I would not hesitate for a second to report this again to the official support, and as I still have the support case number, that can easily be re-opened.

@marcopaone, I do hope you also reported this in the Beta channel on F-Secure's forum, as I know their official developers do visit those threads, so this "bug" would more than likely get fixed much faster if they also saw it than with us slowly turning the wheels here.
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Huge thanks @harlan4096 for the assist and checking with a test on the latest stable version.

This gets a Protected, but not Clean, verdict as the msi file leaves a changed registry key. The file auto-terminates without any other trace on the system. No outbound connections. SOS (second opinion scan) after reboot was also done and found nothing.

I'm sending this to F-Secure's support, and as before will update here as soon as I get a reply.
 

MacDefender

Level 11
Verified
Yeah, yikes, this definitely sounds like a bug, where execution-based scanning is somehow ignoring MSIs. I'm guessing at some point after the malicious MSI drops its payload onto the system it'll get detected, but given how bad F-Secure is at cleanup, it needs to be blocked before it actually gets a chance to run.

Hopefully F-Secure takes the bug report seriously. I've gotten some fairly fast responses filing bugs in their beta programs.