Solved No database updates over the weekend? (Solved)

Status
Not open for further replies.

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
MNielsen's persistence paid off from using the F-Secure Community forums for an official response. (y)

Hello @MNielsen

Thank you for your post.

On March 23rd, we received a number of reports of increased false positive detections in the format of HEUR/AGEN.13* after a Capricorn database update. We have since rolled back the update with Capricorn database version 2023-03-24_11 and are continuing work this week on a permanent solution to decrease the false positive rate before resuming publishing.

In the meantime, our Security Cloud combined with Hydra and DeepGuard engines continues to protect our users as normal.


If you need any help or have any questions, please don't hesitate to reach out to us. We're here to help!

Thank you for choosing F-Secure ID Protection and have a fantastic day!

Man, I just renewed. Only to consider going back to MS Defender if this is how it’s going to be.
As quoted above, users remain protected.
 

Anthony Qian

Level 9
Thread author
Verified
Well-known
Apr 17, 2021
448
Good to know.

HEUR/AGEN.13* is an offline/local heuristic detection from Avira engine.

Maybe it's time for F-Secure to say goodbye to the Avira engine, as it does not provide adequate protection against script malware and copies ESET and Kaspersky's detection names.
 
Last edited by a moderator:

Trident

Level 27
Verified
Top Poster
Well-known
Feb 7, 2023
1,628
Good to know.

HEUR/AGEN.13* is an offline/local heuristic detection from Avira engine.

Maybe it's time for F-Secure to say goodbye to the Avira engine, as it does not provide adequate protection against script malware and copies ESET and Kaspersky's detection names.
Send an email to them and offer to evaluate the Avira engine, in case they are not capable of doing so. Maybe they will switch to Sophos or Bitdefender. Because they are not detecting your scripts.
This is the second time now you mention this name copying, what evidence do you have to support that they copy someone?
Last time you accused McAfee.
 

Jonny Quest

Level 15
Verified
Top Poster
Well-known
Mar 2, 2023
726
Hasn't that been an issue over the years for F-Secure though, a higher number of FPs? At least when I use to track it and they were part of AV-Comparatives Real-World Protection charts. Are they no longer a part of AV-Comparatives testing, as this one was from 2020? Real-World Protection Test July-October 2020

f secure.jpg
 
  • Like
Reactions: Trident

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,730
Funny enough they just got back to me on a false positive from over a month ago. Where Avira’s sigs flagged need burnout paradise remaster as malicious. It’s a problem from 3 years ago, that STILL happens and they suppress it.
 
Last edited:
  • Like
Reactions: Trident and roger_m

Anthony Qian

Level 9
Thread author
Verified
Well-known
Apr 17, 2021
448
Send an email to them and offer to evaluate the Avira engine, in case they are not capable of doing so. Maybe they will switch to Sophos or Bitdefender. Because they are not detecting your scripts.
This is the second time now you mention this name copying, what evidence do you have to support that they copy someone?
Last time you accused McAfee.
There are many evidences to support my viewpoint.

1. Just received a reply from F-Secure about my submission. In this email, the analyst said the sample was detected as TR/Agentb.ezxim, which is an Avira detection name. "Agent" is a common term in detection name, widely used by many vendors, so it's nothing special. But "Agentb" is not common; in fact, it's Kaspersky's unique detection name for generic threats.

2. VirusTotal
This sample is detected by Kaspersky as HEUR:Trojan-Spy.Win32.Xegumumune.gen. The term "Xegumumune" seems quite special and is used by Kaspersky to describe malicious software programs that have the functionality of a keylogger (Kaspersky Threats — Xegumumune). Avira also detects it as TR/Spy.Xegumumune.liurq, which seems to copy K's detection name.

3. VirusTotal
This sample is a fake Telegram installer. At first, ESET detected it as "A Variant Of Win32/Adware.Smartspace.A" because of the adware component (VirusTotal) inside the MSI installer, which is not accurate as this sample is actually trojan. At that time, Avira could not detect this sample. I submitted this sample to Avira support for manual analysis, and a representative replied:
The file sent to us could be allocated to the following malware family:

- Adware/Smartspace.A

The detection of the malware sample will be available with the next upcoming (x)VDF update.
Lol. Avira still think it's just an adware and copied ESET's detection name.

4. VirusTotal
This sample is a skidware ransomware. Kaspersky first detected it as Trojan.Win32.DelShad.ldf, then Avira detected it as TR/DelShad.woltr. As far as I know, DelShad is also a unique term used by Kaspersky engine.

I've seen a lot of Avira's detection name that are similar to ESET's or K's, including: TR/Agent_AGen (_AGen suffix is unique to ESET to indicate automatically-generated detection), and TR/PDF.Alien.xxxxx (Alien is unique to K.).
 
Last edited:
  • Like
Reactions: roger_m

Trident

Level 27
Verified
Top Poster
Well-known
Feb 7, 2023
1,628
There are many evidences to support my viewpoint.
You’ve found evidence to support Copy Gate/CopyRa Antivirus and you don’t like this behaviour as it reveals a lower level of professionalism. Can’t blame you, I also like everything properly attributed and named (which today is diminishing unfortunately unless you are talking about genome analysis add-on in business product).

There is a belief within the antimalware industry that Eset and Kaspersky signatures are the most accurate and it’s not impossible for some vendors to copy from VT (which has many use cases across the whole industry).

For you it is a hobby to install antivirus software and then download various nasties to test it, so you’ve managed to learn the xegumumune and AGen detections meaning. The Avira researchers however, are not there to study Eset and Kaspersky naming, they are a relatively small team and they have a lot to deal with.

If you are not thrilled about the Avira professionalism then why did you deploy (and most probably purchase as well) a product that according to your earlier post, is heavily reliant on the Avira engine? Why did you not go for a product with a well-maintained proprietary one?
 
  • Like
Reactions: roger_m

Anthony Qian

Level 9
Thread author
Verified
Well-known
Apr 17, 2021
448
If you are not thrilled about the Avira professionalism then why did you deploy (and most probably purchase as well) a product that according to your earlier post, is heavily reliant on the Avira engine? Why did you not go for a product with a well-maintained proprietary one?
Well, I believe one must try something before commenting on it.

I've been an Avira user since high school. At that time, Avira stood out in the industry thanks to its APC system, which is super effective against new PE malware. However, Avira did not improve its ability to detect script/non-PE malware, making it obsolete in today's threat landscape.

In addition, I evaluate anti-virus software with an objective and fair attitude. I will not avoid talking about the flaws of this antivirus software just because I bought it.
 
  • Like
Reactions: roger_m

Trident

Level 27
Verified
Top Poster
Well-known
Feb 7, 2023
1,628
Well, I believe one must try something before commenting on it.

I've been an Avira user since high school. At that time, Avira stood out in the industry thanks to its APC system, which is super effective against new PE malware. However, Avira did not improve its ability to detect script/non-PE malware, making it obsolete in today's threat landscape.

In addition, I evaluate anti-virus software with an objective and fair attitude. I will not avoid talking about the flaws of this antivirus software just because I bought it
Without a doubt one must try before they comment. Even better, try before you buy.

Although this thread is not about Avira (though talking about F-Secure indirectly involves Avira to some extent) for me Avira never stood out with anything, apart from slow scanning, low detection rate on non-pe, atrocious UI designed in the early 90s, Luke FileWalker and using the PC built-in beeper years ago.

I am not sure how it’s doing with scripts today, having the Bullguard sentry now built-in and I am also not confident the Avira engine will be offered for an extremely long period of time in the future. F-Secure published an article stating that they are ready to switch engines at any time.

The previous time we spoke on the McAfee thread you were evaluating the products by downloading drivers from Chinese forums, I hope it’s not what you do in all evaluations.
 

M4RT1NE2

Level 14
Verified
Top Poster
Well-known
Mar 19, 2022
650
Without a doubt one must try before they comment. Even better, try before you buy.

Although this thread is not about Avira (though talking about F-Secure indirectly involves Avira to some extent) for me Avira never stood out with anything, apart from slow scanning, low detection rate on non-pe, atrocious UI designed in the early 90s, Luke FileWalker and using the PC built-in beeper years ago.

I am not sure how it’s doing with scripts today, having the Bullguard sentry now built-in and I am also not confident the Avira engine will be offered for an extremely long period of time in the future. F-Secure published an article stating that they are ready to switch engines at any time.

The previous time we spoke on the McAfee thread you were evaluating the products by downloading drivers from Chinese forums, I hope it’s not what you do in all evaluations.

Without getting away from the subject - Avira once saved my 'ass' :). Then it stayed on the PC for a long time until it got bloated
 

a090

Level 2
Mar 26, 2023
67
I am not sure how it’s doing with scripts today, having the Bullguard sentry now built-in and I am also not confident the Avira engine will be offered for an extremely long period of time in the future. F-Secure published an article stating that they are ready to switch engines at any time.

Have a link for this F-Secure article?

I checked their Blog as well as their Help / Support site articles and couldn’t find anything. I’m interested in reading what they said about potentially switching from the Avira engine, mainly because I just switched to F-Secure earlier this week as the AV on my new workstation.
 

Trident

Level 27
Verified
Top Poster
Well-known
Feb 7, 2023
1,628
Have a link for this F-Secure article?

I checked their Blog as well as their Help / Support site articles and couldn’t find anything. I’m interested in reading what they said about potentially switching from the Avira engine, mainly because I just switched to F-Secure earlier this week as the AV on my new workstation.

Enjoy 😀
 

a090

Level 2
Mar 26, 2023
67

Enjoy 😀

Appreciate the link! Apparently I need to improve my reading focus because this is one of the articles I saw. But I competely missed this line:

“We are in full control of our capabilities and can switch engines and vendors if we deem that necessary…”

Thanks for linking it and forcing me to take another look. And just between you and me, I’m hoping F-Secure switches to the ESET engine. I can only imagine how much of a match made in heaven it would be when combined with DeepGuard. With some compatibility tuning, I think the new F-Secure line would be nearly unbeatable.

Also, the ESET engine doesn’t struggle in deleting malicious files, archived or not. Avira engine apparently does, which is why F-Secure’s DeepGuard detects malware that the engine cannot remove at times. A switch to the ESET engine would solve this problem too.
 

Trident

Level 27
Verified
Top Poster
Well-known
Feb 7, 2023
1,628
Also, the ESET engine doesn’t struggle in deleting malicious files, archived or not. Avira engine apparently does, which is why F-Secure’s DeepGuard detects malware that the engine cannot remove at times. A switch to the ESET engine would solve this problem too.
I am not even sure if Eset offers any technology for OEMs. I remember there was a router using the Eset engine, but I am not aware if they still offer that.

Poor remediation capacity can’t be attributed to the Avira engine entirely, there is no guarantee that remediation is performed by that engine. The Avira engine might be calling a proprietary engine/service from F-Secure to do the removal (specially considering that the graph is not maintained by Avira) and since I don’t have F-Secure installed (neither I ever will) I am unable to investigate.
Hence, it’s not guaranteed that changing engines will improve the situation.

Checks are necessary and not jumping into quick conclusions/assumptions.
 
Last edited:

a090

Level 2
Mar 26, 2023
67
I am not even sure if Eset offers any technology for OEMs. I remember there was a router using the Eset engine, but I am not aware if they still offer that.

Poor remediation capacity can’t be attributed to the Avira engine entirely, there is no guarantee that remediation is performed by that engine. The Avira engine might be calling a proprietary engine/service from F-Secure to do the removal (specially considering that the graph is not maintained by Avira) and since I don’t have F-Secure installed (neither I ever will) I am unable to investigate.
Hence, it’s not guaranteed that changing engines will improve the situation.

Checks are necessary and not jumping into quick conclusions/assumptions.

Touché. I can’t argue with this. Point well made, and well taken. Although I still believe the F-Secure product line can only benefit from switching to the ESET engine. I don’t think anybody but Kaspersky comes close to having such accurate and timely sigs. And you’re correct on mentioning ESET may not offer their engine to OEMs. I believe I read somewhere Google Chrome’s malicious download blocking engine was using ESET tech, but cannot confirm. And even if true, you would likely need to enable the most intrusive options in Chrome to get that protection.

Furthermore, a deal with Google for the most popular browser in the world is an entirely different matter than offering that deal to a direct competitor in the European market. I can see a scenario where Chrome gets the engine but F-Secure is turned down.

A man can only dream…

One thing is for certain. I’ll be sticking with these Finns for as long as they keep the product clean, lean, and mean. It’s a breath of fresh air from the rest of the bloatware on the market (bloatware for me, maybe not for others).

Edit: Linked added for the relationship between Chrome and ESET. It’s real. And the tech is called “Google Chrome Cleanup, powered by ESET.”
 
Last edited:

Trident

Level 27
Verified
Top Poster
Well-known
Feb 7, 2023
1,628
I’ll be sticking with these Finns for as long as they keep the product clean, lean, and mean
With such an extreme list of requirements and in-depth analysis, in the end you have chosen mediocrity and assumptions based on geographical region over anything else. But that’s how it always works when someone is overthinking.

Btw there is no guarantee that the “clean” and “lean” product is not more resource-heavy than others who are “bloated”. Again, assumptions with no checks and investigation.

Enjoy the Finns. I personally wouldn’t install F-Secure even if they were the last one remaining.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
With such an extreme list of requirements and in-depth analysis, in the end you have chosen mediocrity and assumptions based on geographical region over anything else. But that’s how it always works when someone is overthinking.

Btw there is no guarantee that the “clean” and “lean” product is not more resource-heavy than others who are “bloated”. Again, assumptions with no checks and investigation.

Enjoy the Finns. I personally wouldn’t install F-Secure even if they were the last one remaining.
Why do you not recommend F-Secure and what do you recommend?
 

Shadowra

Level 33
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,245
I've noticed that some publishers are copying the names of detections.
I don't understand how you can shoot F-Secure on sight and not see the others.

For example, I see FortiNet / FortiClient copying Eset's detection names very often.
The same with Webroot, which copies everyone (Microsoft, Bitdefender, Avast! etc)

As for the updates that are not available on weekends, this is a problem. But I think that the editor will rather rely on the updates in "streaming" on their Cloud.
To explain, in one of my tests, I had used a sample of the RedLine stealer. I was very surprised to see a DeepGuard detection with an Avira detection! (TR/Kryptik).
I don't think this lack of updates should affect F-Secure users. F-Secure has its Cloud and DeepGuard that can defend itself.

Where I agree with many users is the poverty of the Avira engine on script attacks. And I could see using Norton's anti-malware engine rather than another one. Even if Avira still has its detections.

NB : For @Anthony Qian , Nano also copied Eset in one of your VT :p

NANO-Antivirus Trojan.Win32.GenCBL.jplpxz

GenCBL => Eset
 

Trident

Level 27
Verified
Top Poster
Well-known
Feb 7, 2023
1,628
I don't understand how you can shoot F-Secure on sight and not see the others.
He can’t be shooting F-Secure, as the copying is done by Avira.
The Avira engine is, has been and up until Gen Digital pulls the plug on it (which is coming sooner rather than later) will be a mediocre and ancient affair, relying on signatures and heuristics. Apart from F-Secure, it’s mostly third-tier products utilising the Avira engine and some border very closely with fake AVs (TotalAV being a good example).

And I could see using Norton's anti-malware engine rather than another one. Even if Avira still has its detections.
Avira unfortunately hasn’t borrowed one bit from the Norton/Symantec engine which is highly praised across the whole industry and on many, many, many tests. The licenses are split between Broadcom Symantec and Norton and Broadcom will not allow this engine to be used by Avira anytime soon.

I am not sure where the belief that Norton’s engine is poor comes from, but anyone making these claims is lying.

@Gandalf_The_Grey on Friday I will reply to your question in a video.
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top