No database updates over the weekend? (Solved)

Status
Not open for further replies.

Anthony Qian

Level 10
Thread author
Verified
Well-known
Apr 17, 2021
450
I've noticed that some publishers are copying the names of detections.
I don't understand how you can shoot F-Secure on sight and not see the others.

For example, I see FortiNet / FortiClient copying Eset's detection names very often.
The same with Webroot, which copies everyone (Microsoft, Bitdefender, Avast! etc)

As for the updates that are not available on weekends, this is a problem. But I think that the editor will rather rely on the updates in "streaming" on their Cloud.
To explain, in one of my tests, I had used a sample of the RedLine stealer. I was very surprised to see a DeepGuard detection with an Avira detection! (TR/Kryptik).
I don't think this lack of updates should affect F-Secure users. F-Secure has its Cloud and DeepGuard that can defend itself.

Where I agree with many users is the poverty of the Avira engine on script attacks. And I could see using Norton's anti-malware engine rather than another one. Even if Avira still has its detections.

NB : For @Anthony Qian , Nano also copied Eset in one of your VT :p



GenCBL => Eset
GenCBL = Generic certificate blacklist, which is unique to ESET. :) Nano is a very small company so it's possible but I still don’t like this behavior.

In terms of detection name sharing, I think it’s acceptable to share/copy the detection name of a type of popular malware, for example, Wannacry, WannaRen, etc., while creating your own detection algorithm (for example, ESET copied Kaspersky’s detection name for the Pinduoduo backdoor trojan [link: Google suspends top Chinese shopping app Pinduoduo]. Kaspersky first named this threat [link: VirusTotal] as Pinduo, and ESET used this detection name.) I personally think it’s unacceptable to simply copy other vendors’ “unique” generic detection name, for example GenCBL, Agentb, Agent_AGen, etc., and not make the copied detection generic (I’ve seen Avira copy ESET’s Win32/Agent_AGen.xx as TR/Agent_AGen.xxxxx. ESET can detect multiple similar samples using this detection name, but Avira cannot).

FortiClient seems to have formal tech cooperation with ESET and shares some detections, because I've seen FortiClient and ESET can detect multiple samples belonging to the same threat family with the same detection name.
 

Trident

Level 30
Verified
Top Poster
Well-known
Feb 7, 2023
1,937
which is unique to ESET
The name yes, the method not really.

FortiClient
Fortinet copies not just Eset and there is no evidence of cooperation between the two. Detection names are not in any way protected under any applicable law and no one can prevent this from happening in any way. Again, if someone doesn’t like poor copycats, there are plenty of vendors who actually have the power to maintain their engine under their naming policies. Avira, Nano (struggling not to laugh just pronouncing that) and Fortinet are not on this list.
 

a090

Level 2
Mar 26, 2023
67
With such an extreme list of requirements and in-depth analysis, in the end you have chosen mediocrity and assumptions based on geographical region over anything else. But that’s how it always works when someone is overthinking.

Btw there is no guarantee that the “clean” and “lean” product is not more resource-heavy than others who are “bloated”. Again, assumptions with no checks and investigation.

Enjoy the Finns. I personally wouldn’t install F-Secure even if they were the last one remaining.

Ha. Maybe true, maybe not. At the end of the day, the mediocre product is the one that doesn’t fit your needs. Some people want an AV bundled with a VPN, registry cleaner, temp-file remover, all manner of browser extensions, and so on. Some people are cool with a product MITM their connections and installing their own hypervisors. Some others could not care less about their AVs siphoning off their data to sell to others. Some are cool with their AV bundling a cryptominer onto their system. Some don’t care their AV website still thinks we’re living in 2022. And some don’t worry about geographic region, geopolitics, “eyes” (5 & 14), etc. And the list goes on.

My response to this: More power to those people. May the Almighty bless you and keep you happy. But those things are issues for me. Some major, some minor.

And so those things invalidate 90% of the AV market for me. No problem, easier to pick from a smaller list. The next thing I look at is protection offered and in what way(s). And there some products rely on signatures too much. Others on their BB and heuristics. Still others on their web blocking.

And this is where we part ways yet again because I need something well-rounded. And F-Secure fits that bill, especially when it comes to how invasive it is on a system (not invasive), BB and heuristics (DeepGuard FTW), engine (Avira engine needs improvement but isn’t horrendous like others I won’t mention), and so on. It’s a middle-of-the-road product with good support. They respond fast and with respect. They still keep their public support forum active. And a plethora of other minute things that I care about.

So, all that being said, I chose the best product on the market. For me. Not for you; it’s a mediocre product for you, and that’s fine.

C’est la vie; to each their own.
 

Digmor Crusher

Level 24
Verified
Top Poster
Well-known
Jan 27, 2018
1,314
GenCBL = Generic certificate blacklist, which is unique to ESET. :) Nano is a very small company so it's possible but I still don’t like this behavior.

In terms of detection name sharing, I think it’s acceptable to share/copy the detection name of a type of popular malware, for example, Wannacry, WannaRen, etc., while creating your own detection algorithm (for example, ESET copied Kaspersky’s detection name for the Pinduoduo backdoor trojan [link: Google suspends top Chinese shopping app Pinduoduo]. Kaspersky first named this threat [link: VirusTotal] as Pinduo, and ESET used this detection name.) I personally think it’s unacceptable to simply copy other vendors’ “unique” generic detection name, for example GenCBL, Agentb, Agent_AGen, etc., and not make the copied detection generic (I’ve seen Avira copy ESET’s Win32/Agent_AGen.xx as TR/Agent_AGen.xxxxx. ESET can detect multiple similar samples using this detection name, but Avira cannot).

FortiClient seems to have formal tech cooperation with ESET and shares some detections, because I've seen FortiClient and ESET can detect multiple samples belonging to the same threat family with the same detection name.
Wouldn't it be nice if they all used the same naming system? We all know that ain't going to happen.
 

Anthony Qian

Level 10
Thread author
Verified
Well-known
Apr 17, 2021
450
Wouldn't it be nice if they all used the same naming system? We all know that ain't going to happen.
Actually, almost all vendors follow industrial standards for malware naming. Therefore, although it looks different, the detection names of different vendors usually include platforms, types, malware families and numbers/letters to indicate different variants.

However, as I stated before, the detection techniques employed by different vendors differ, resulting in some special/unique terms used in detection name (ESET’s GenCBL, _AGen, and GenKryptik; Avira’s Redcap, and AGEN; Bitdefender’s Fragtor, and so on)
 

Trident

Level 30
Verified
Top Poster
Well-known
Feb 7, 2023
1,937
Wouldn't it be nice if they all used the same naming system? We all know that ain't going to happen.
Some vendors work under the CARO naming standard but still malware naming is a mess.

All further amplified by generic/heuristic/ml detection which today are a vast bulk. Only platforms like Intezer or business products with genome analysis can provide accurate detection.
 

Zartarra

Level 7
Verified
Well-known
May 9, 2019
318
MNielsen's persistence paid off from using the F-Secure Community forums for an official response. (y)




As quoted above, users remain protected.
Again no updates through the weekend.

 

SeriousHoax

Level 48
Verified
Top Poster
Well-known
Mar 16, 2019
3,711
This again? Could this mean the previous false positive excuse was a lie? 🤔 The supposed false positive heuristic was from Avira but Avira never stopped updating their signatures.
F-Secure needs to come clean and explain what's actually going on.
 

Trident

Level 30
Verified
Top Poster
Well-known
Feb 7, 2023
1,937
This again? Could this mean the previous false positive excuse was a lie? 🤔 The supposed false positive heuristic was from Avira but Avira never stopped updating their signatures.
F-Secure needs to come clean and explain what's actually going on.
Not trying to be critical or anything but Avira VDF history:
02/04 - 1364 detections
02/04 - 1635 detections added
02/04 - 683 detections added
02/04 - 355 detections added
02/04 - 547 detections added
02/04 - 621 detections added
02/04 - 674 detections added
02/04 - 1226 detections added
02/04 - 1314 detections added
Total VDF detections for 02/04 = 8419

01/04 - 963 detections added
01/04 - 1377 detections added
01/04 - 764 detections added
01/04 - 292 detections added
01/04 - 734 detections added
01/04 - 5000 detections added
Total VDF detections added 01/04 = 9130

There is one missing from the 31 as well, as according to the tracker 7 updates were delivered and Avira released 8.
31/03 - 932 detections added

Total missing from F-Secure 18 481.
I’ve checked all updates released on 31/03 and there are no heur detections added whatsoever. It all seems like very precise signatures aiming to block one or more variant of threats, but nothing looks like a generic, let alone heuristic detection.

I am not convinced that it is a false positive.

The F-Secure Ultra Light architecture may block these threats without the Avira engine being updated.
 

robboman

Level 2
Verified
Jul 11, 2018
64
It's not clear to me if F-Secure has access to the Avira cloud. If they do, then as long as you have an internet connection, protection should remain at the same level even without signature updates over the weekend. If F-Secure has no access to the Avira cloud, then a whole weekend without signature updates for the Avira engine seems problematic.
 

Trident

Level 30
Verified
Top Poster
Well-known
Feb 7, 2023
1,937
It's not clear to me if F-Secure has access to the Avira cloud. If they do, then as long as you have an internet connection, protection should remain at the same level even without signature updates over the weekend. If F-Secure has no access to the Avira cloud, then a whole weekend without signature updates for the Avira engine seems problematic.
From an F-Secure whitepaper:

Lightweight products rely mainly on F-Secure Mind™ for malware analysis. Mind, which is the Security Cloud's sample analysis service, works in conjunction with the reputation service Karma. If the reputation of a file is previously unknown, the client may be asked to upload the sample-related metadata to the Security Cloud for analysis. The results of the analysis may cause the sample to be flagged as suspicious and to be uploaded for further processing. Once the potentially heavy analysis, including the behavioral analysis, is done, every Security Cloud client subsequently benefits from the analysis and avoids waiting for the results.
We understand that users are very sensitive to any kind of negative effects protection has on their devices. This is why mobile protection needs to be battery-efficient without sacrificing the quality of protection. The Security Cloud can operate as the sole engine for lightweight products that only requires users to give their consent when uploading certain files for analysis. Only a fraction of the files from users are uploaded, as in most cases the safety of the file can be analyzed with existing data.


This behavior is resource-saving and optimal for mobile devices.

They claim even without Avira they can still do the job. But the Avira engine provides broader coverage, for example it detects phishing via HTML and PDF analysis as well. Avira is one of the vendors that add everything under the SAVAPI.

The thing is, every time there are no updates, the explanation on the forum is different. Once it is a storage issue, another time it is “no updates are needed”, the third time it is a false positive. I checked the release notes of both the SAVAPI and VDF, and no heuristic detections were added either to the database on the 23rd and 24th or to the SAVAPI engine, which was last updated in December.
 

Anthony Qian

Level 10
Thread author
Verified
Well-known
Apr 17, 2021
450
It's not clear to me if F-Secure has access to the Avira cloud. If they do, then as long as you have an internet connection, protection should remain at the same level even without signature updates over the weekend. If F-Secure has no access to the Avira cloud, then a whole weekend without signature updates for the Avira engine seems problematic.
Most cloud-based detection from APC (Avira Protection Cloud) can be triggered by F-Secure; however, I did notice that some APC detections won’t be triggered by F-Secure, especially new threats.
 

Gandalf_The_Grey

Level 79
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,839
FS Protection Release 19.1 beta 2 (5.2.597) did receive updates during the weekend:
2023-04-01 17:25:12.155 [1150.15c8] I: Downloaded capricorn-win64/1680360531 - 'F-Secure Capricorn Engine (64-bit) 2023-04-01_06', unpacked size 253586706 bytes (93771 bytes downloaded)
2023-04-01 17:25:37.486 [1150.1c20] I: Installation of 'F-Secure Capricorn Engine (64-bit) 2023-04-01_06': Success
2023-04-01 19:42:21.065 [1150.15c8] I: Checking for updates from https://guts2tp.sp.f-secure.com
2023-04-01 19:42:27.759 [1150.15c8] I: Downloaded capricorn-win64/1680368308 - 'F-Secure Capricorn Engine (64-bit) 2023-04-01_08', unpacked size 253598483 bytes (59474 bytes downloaded)
2023-04-01 19:43:09.655 [1150.1c20] I: Installation of 'F-Secure Capricorn Engine (64-bit) 2023-04-01_08': Success
2023-04-01 21:08:02.243 [1150.15c8] I: Checking for updates from https://guts2tp.sp.f-secure.com
2023-04-01 21:08:10.725 [1150.15c8] I: Downloaded capricorn-win64/1680374473 - 'F-Secure Capricorn Engine (64-bit) 2023-04-01_09', unpacked size 253616404 bytes (65639 bytes downloaded)
2023-04-01 21:08:57.495 [1150.1c20] I: Installation of 'F-Secure Capricorn Engine (64-bit) 2023-04-01_09': Success
2023-04-01 22:16:22.074 [1150.15c8] I: Checking for updates from https://guts2tp.sp.f-secure.com
2023-04-01 22:16:30.375 [1150.15c8] I: Downloaded capricorn-win64/1680375508 - 'F-Secure Capricorn Engine (64-bit) 2023-04-01_10', unpacked size 253616403 bytes (44115 bytes downloaded)
2023-04-01 22:17:16.220 [1150.1c20] I: Installation of 'F-Secure Capricorn Engine (64-bit) 2023-04-01_10': Success

2023-04-02 09:34:02.031 [1168.15b4] I: Checking for updates from https://guts2tp.sp.f-secure.com
2023-04-02 09:34:05.791 [1168.15b4] I: Downloaded capricorn-win64/1680415721 - 'F-Secure Capricorn Engine (64-bit) 2023-04-02_04', unpacked size 253686552 bytes (126519 bytes downloaded)
2023-04-02 09:34:31.039 [1168.148c] I: Installation of 'F-Secure Capricorn Engine (64-bit) 2023-04-02_04': Success
2023-04-02 10:40:31.121 [1168.15b4] I: Checking for updates from https://guts2tp.sp.f-secure.com
2023-04-02 10:40:39.435 [1168.15b4] I: Downloaded capricorn-win64/1680422477 - 'F-Secure Capricorn Engine (64-bit) 2023-04-02_05', unpacked size 253696281 bytes (57374 bytes downloaded)
2023-04-02 10:41:25.160 [1168.148c] I: Installation of 'F-Secure Capricorn Engine (64-bit) 2023-04-02_05': Success
2023-04-02 13:22:59.938 [1168.15b4] I: Checking for updates from https://guts2tp.sp.f-secure.com
2023-04-02 13:23:06.186 [1168.15b4] I: Downloaded capricorn-win64/1680431814 - 'F-Secure Capricorn Engine (64-bit) 2023-04-02_08', unpacked size 253705498 bytes (57029 bytes downloaded)
2023-04-02 13:23:52.809 [1168.148c] I: Installation of 'F-Secure Capricorn Engine (64-bit) 2023-04-02_08': Success
2023-04-02 14:54:24.725 [1168.15b4] I: Checking for updates from https://guts2tp.sp.f-secure.com
2023-04-02 14:54:32.422 [1168.15b4] I: Downloaded capricorn-win64/1680437514 - 'F-Secure Capricorn Engine (64-bit) 2023-04-02_09', unpacked size 253713691 bytes (55942 bytes downloaded)
2023-04-02 14:55:18.972 [1168.148c] I: Installation of 'F-Secure Capricorn Engine (64-bit) 2023-04-02_09': Success
2023-04-02 16:14:13.311 [1168.15b4] I: Checking for updates from https://guts2tp.sp.f-secure.com
2023-04-02 16:14:20.105 [1168.15b4] I: Downloaded capricorn-win64/1680439582 - 'F-Secure Capricorn Engine (64-bit) 2023-04-02_10', unpacked size 253713690 bytes (44112 bytes downloaded)
2023-04-02 16:15:06.469 [1168.148c] I: Installation of 'F-Secure Capricorn Engine (64-bit) 2023-04-02_10': Success
2023-04-02 17:43:43.985 [1168.15b4] I: Checking for updates from https://guts2tp.sp.f-secure.com
2023-04-02 17:43:52.007 [1168.15b4] I: Downloaded capricorn-win64/1680445726 - 'F-Secure Capricorn Engine (64-bit) 2023-04-02_12', unpacked size 253723932 bytes (58009 bytes downloaded)
2023-04-02 17:44:38.594 [1168.148c] I: Installation of 'F-Secure Capricorn Engine (64-bit) 2023-04-02_12': Success
2023-04-02 19:28:54.829 [1168.15b4] I: Checking for updates from https://guts2tp.sp.f-secure.com
2023-04-02 19:29:01.710 [1168.15b4] I: Downloaded capricorn-win64/1680453529 - 'F-Secure Capricorn Engine (64-bit) 2023-04-02_14', unpacked size 253735197 bytes (58898 bytes downloaded)
2023-04-02 19:29:44.957 [1168.148c] I: Installation of 'F-Secure Capricorn Engine (64-bit) 2023-04-02_14': Success
2023-04-02 21:52:56.131 [1048.14d4] I: Checking for updates from https://guts2tp.sp.f-secure.com
2023-04-02 21:53:04.853 [1048.14d4] I: Downloaded capricorn-win64/1680463599 - 'F-Secure Capricorn Engine (64-bit) 2023-04-02_16', unpacked size 253753630 bytes (66187 bytes downloaded)
2023-04-02 21:53:50.999 [1048.1b74] I: Installation of 'F-Secure Capricorn Engine (64-bit) 2023-04-02_16': Success
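
Added example (not part of the original post, and not F-Secure's own tooling): a log of this format can be checked for stretches with no successful engine install, which is the question the thread keeps coming back to. The function names, the 12-hour threshold and the constructed "Failed" line are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines in the format of the log quoted above. The final
# "Failed" status is an assumed value; the thread only shows "Success".
SAMPLE_LOG = """\
2023-04-01 22:16:30.375 [1150.15c8] I: Downloaded capricorn-win64/1680375508 - 'F-Secure Capricorn Engine (64-bit) 2023-04-01_10', unpacked size 253616403 bytes (44115 bytes downloaded)
2023-04-01 22:17:16.220 [1150.1c20] I: Installation of 'F-Secure Capricorn Engine (64-bit) 2023-04-01_10': Success
2023-04-02 09:34:02.031 [1168.15b4] I: Checking for updates from https://guts2tp.sp.f-secure.com
2023-04-02 09:34:31.039 [1168.148c] I: Installation of 'F-Secure Capricorn Engine (64-bit) 2023-04-02_04': Success
2023-04-02 10:41:25.160 [1168.148c] I: Installation of 'F-Secure Capricorn Engine (64-bit) 2023-04-02_05': Failed
"""

# Timestamp, [pid.tid], level letter, then the installation result message.
INSTALL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\[[0-9a-f]+\.[0-9a-f]+\] [A-Z]: "
    r"Installation of '(?P<name>[^']+)': (?P<status>\w+)$"
)


def successful_installs(log_text, component="Capricorn Engine"):
    """Return sorted (timestamp, package name) pairs for successful installs."""
    found = []
    for line in log_text.splitlines():
        m = INSTALL_RE.match(line.strip())
        if m and m["status"] == "Success" and component in m["name"]:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            found.append((ts, m["name"]))
    return sorted(found)


def update_gaps(installs, window_start, window_end, max_gap=timedelta(hours=12)):
    """Return (start, end) intervals longer than max_gap with no successful install.

    The window edges count as boundaries, so a log with no installs at all
    yields one gap spanning the whole window instead of passing silently.
    """
    points = [window_start] + [ts for ts, _ in installs] + [window_end]
    return [(a, b) for a, b in zip(points, points[1:]) if b - a > max_gap]


if __name__ == "__main__":
    installs = successful_installs(SAMPLE_LOG)
    for start, end in update_gaps(installs, datetime(2023, 4, 1, 22, 0),
                                  datetime(2023, 4, 3, 9, 0)):
        print(f"no engine update for {end - start} (from {start} to {end})")
```

Only lines ending in "Success" count as updates, so a download that never installs does not mask a stale engine.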
 