Q&A No more HEUR/APC detections from F-Secure?

MacDefender (thread author), Oct 13, 2019
@Anthony Qian first mentioned something along these lines and I started doing a little testing of new Emotet/Snake samples. In the past, zero-day detections usually came from HEUR/APC (Avira cloud). But recently, F-Secure is detecting them using "!fsmind" signatures, like "Trojan:W32/Generic.abch!fsmind" or "Backdoor:W32/Androm!fsmind_tc".

These appear to be unique to F-Secure and my best guess is that "fsmind" is the new replacement for "fso"/F-Secure Online. Is F-Secure no longer using Avira Protection Cloud? Anyone seen APC detections recently?


(I did confirm that 'fsmind' detections do not trigger when offline, so it's definitely some sort of cloud-based detection.)


As an aside: VirusTotal's F-Secure is offline-only, so these samples show up as clean on VT, but the actual F-Secure product detects them statically.
 
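One way to make the point above machine-checkable, as an added example that is not part of the thread: a small parser that splits a detection name into its parts and attributes it to the component that produced it, so a triage script can tell cloud-only verdicts (the "!fsmind" names and Avira's HEUR/APC) from names that would still fire on an offline scanner such as VirusTotal's engine. The name shape `Type:Platform/Family[.Variant][!suffix]`, the suffix table, and the "local signature" fallback are assumptions derived from the names quoted in the post, not F-Secure or Avira documentation.

```python
"""Attribute AV detection names to the component that produced them.

Added example. The name shapes and suffix meanings below are assumptions drawn
from the names quoted in the thread, not vendor documentation.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed shape: Type:Platform/Family[.Variant][!suffix]
# e.g. Trojan:W32/Generic.abch!fsmind  or  Backdoor:W32/Androm!fsmind_tc
FSECURE_NAME = re.compile(
    r"^(?P<type>[A-Za-z-]+):(?P<platform>[A-Za-z0-9]+)/(?P<family>[A-Za-z0-9]+)"
    r"(?:\.(?P<variant>[A-Za-z0-9]+))?(?:!(?P<suffix>[A-Za-z0-9_]+))?$"
)

# suffix -> (source, cloud_dependent). 'fsmind' is cloud-only per the post;
# 'fso' is the older F-Secure Online suffix the post guesses it replaced (assumption).
SUFFIX_SOURCES = {
    "fsmind": ("F-Secure Security Cloud", True),
    "fso": ("F-Secure Online (cloud)", True),
}


@dataclass(frozen=True)
class Detection:
    raw: str
    type: Optional[str]
    platform: Optional[str]
    family: Optional[str]
    variant: Optional[str]
    suffix: Optional[str]
    source: str
    cloud_dependent: bool


def classify(name: str) -> Detection:
    """Parse one detection name and say which component (and whether a cloud) produced it."""
    name = name.strip()
    # Avira's cloud verdicts surface as HEUR/APC, sometimes with a trailing qualifier.
    if name.upper().startswith("HEUR/APC"):
        return Detection(name, "HEUR", None, "APC", None, None,
                         "Avira Protection Cloud", True)
    m = FSECURE_NAME.match(name)
    if not m:
        return Detection(name, None, None, None, None, None, "unrecognised", False)
    suffix = m.group("suffix")
    # Strip qualifiers such as _tc so fsmind_tc maps like fsmind.
    base = suffix.split("_", 1)[0].lower() if suffix else None
    source, cloud = SUFFIX_SOURCES.get(base, ("local signature (assumed)", False))
    return Detection(name, m.group("type"), m.group("platform"), m.group("family"),
                     m.group("variant"), suffix, source, cloud)


def detects_offline(names: Iterable[str]) -> bool:
    """True if at least one of the names would still fire without cloud connectivity."""
    return any(not classify(n).cloud_dependent for n in names)


if __name__ == "__main__":
    # Constructed sample: two names from the post plus one hypothetical static name.
    sample = ["Trojan:W32/Generic.abch!fsmind", "HEUR/APC", "Trojan:W32/Agent.xyz"]
    for n in sample:
        d = classify(n)
        print(f"{n:35} -> {d.source} (cloud-dependent: {d.cloud_dependent})")
    print("fires offline:", detects_offline(sample[:2]), detects_offline(sample))
```

With only the two cloud names, `detects_offline` returns False, which is exactly the situation the post describes: the installed product flags the file while an offline-only engine reports it clean.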

Anthony Qian, Apr 17, 2021
When a sample is detected by both Avira Protection Cloud and F-Secure Security Cloud, the detection name given by F-Secure Security Cloud is usually displayed and the detection name given by Avira is hidden. In fact, F-Secure Security Cloud has the final say about the detection, so if a file is detected by Avira but whitelisted by F-Secure, the detection will be suppressed.

F-Secure still uses Avira Protection Cloud. In addition to matching hashes against the APC database, I noticed that F-Secure seemed to have the ability to upload suspicious files to APC for analysis during a scan session.