Advice Request No more HEUR/APC detections from F-Secure?


MacDefender (thread author)
@Anthony Qian first mentioned something along these lines, and I started doing a little testing of new Emotet/Snake samples. In the past, zero-day detections usually came from HEUR/APC (Avira cloud). But recently, F-Secure has been detecting them using "!fsmind" signatures, like "Trojan:W32/Generic.abch!fsmind" or "Backdoor:W32/Androm!fsmind_tc".

These appear to be unique to F-Secure, and my best guess is that "fsmind" is the new replacement for "fso"/F-Secure Online. Is F-Secure no longer using Avira Protection Cloud? Has anyone seen APC detections recently?

(I did confirm that 'fsmind' detections do not trigger when offline, so it's definitely some sort of cloud-based detection.)

As an aside: VirusTotal's F-Secure engine is offline-only; these samples show up as clean on VT, but the actual F-Secure product detects them statically.
 

Anthony Qian
When a sample is detected by both Avira Protection Cloud and F-Secure Security Cloud, the detection name given by F-Secure Security Cloud is usually displayed and the detection name given by Avira is hidden. In fact, F-Secure Security Cloud has the final say about the detection, so if a file is detected by Avira but whitelisted by F-Secure, the detection will be suppressed.

F-Secure still uses Avira Protection Cloud. In addition to matching hashes against the APC database, I noticed that F-Secure seemed to have the ability to upload suspicious files to APC for analysis during a scan session.
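To make the two observations above concrete (the "!fsmind" naming in the first post, and the verdict precedence between Avira Protection Cloud and F-Secure Security Cloud in the second), here is a small added Python example; it is not code from either poster nor from F-Secure. The name grammar `Type:Platform/Family[.Variant][!suffix]` and the mapping from suffix to engine are assumptions inferred from the handful of names quoted in this thread, and the sample "Trojan:W32/Emotet.A" is a constructed name used only to stand in for a local, non-cloud signature.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed name grammar, inferred only from the samples quoted in this thread:
#   <Type>:<Platform>/<Family>[.<Variant>][!<engine suffix>]
# e.g. Trojan:W32/Generic.abch!fsmind, Backdoor:W32/Androm!fsmind_tc
NAME_RE = re.compile(
    r"^(?P<type>[A-Za-z-]+):(?P<platform>[A-Za-z0-9]+)/(?P<family>[A-Za-z0-9_-]+)"
    r"(?:\.(?P<variant>[A-Za-z0-9]+))?(?:!(?P<suffix>[A-Za-z0-9_]+))?$"
)

# Avira's generic cloud verdict as it shows up in F-Secure (quoted in the thread).
AVIRA_CLOUD_NAME = "HEUR/APC"


@dataclass(frozen=True)
class Detection:
    raw: str
    type: str
    platform: Optional[str]
    family: str
    variant: Optional[str]
    suffix: Optional[str]
    source: str          # which engine/cloud produced the verdict (assumed mapping)
    needs_cloud: bool    # True if the verdict cannot fire while offline


def classify_suffix(suffix: Optional[str]) -> Tuple[str, bool]:
    """Map a '!suffix' to (source, needs_cloud). The mapping is an assumption
    based on the observations in the thread, not F-Secure documentation."""
    if suffix is None:
        return "local-signature", False          # assumed: no suffix = local DB
    if suffix.startswith("fsmind"):              # fsmind, fsmind_tc, ...
        return "fsecure-security-cloud", True
    if suffix == "fso":                          # older F-Secure Online suffix
        return "fsecure-online", True
    return "unknown", False


def parse_detection(name: str) -> Detection:
    """Parse one detection name into its components."""
    if name == AVIRA_CLOUD_NAME:
        return Detection(name, "HEUR", None, "APC", None, None,
                         "avira-protection-cloud", True)
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised detection name: {name!r}")
    source, needs_cloud = classify_suffix(m["suffix"])
    return Detection(name, m["type"], m["platform"], m["family"],
                     m["variant"], m["suffix"], source, needs_cloud)


def merge_verdicts(avira: Optional[str], fsecure: Optional[str],
                   fsecure_whitelisted: bool = False) -> Optional[str]:
    """Combine the two cloud verdicts the way the second post describes:
    F-Secure Security Cloud has the final say, a whitelist entry suppresses
    everything, and when both clouds detect, the F-Secure name is displayed."""
    if fsecure_whitelisted:
        return None
    if fsecure is not None:
        return fsecure
    return avira


def offline_verdict(displayed: Optional[str]) -> Optional[str]:
    """What the same sample would show with no network (or on VirusTotal's
    offline-only F-Secure engine): any cloud-sourced verdict disappears."""
    if displayed is None:
        return None
    return None if parse_detection(displayed).needs_cloud else displayed


if __name__ == "__main__":
    # "Trojan:W32/Emotet.A" is a constructed stand-in for a local signature.
    for name in ("Trojan:W32/Generic.abch!fsmind", "Backdoor:W32/Androm!fsmind_tc",
                 AVIRA_CLOUD_NAME, "Trojan:W32/Emotet.A"):
        d = parse_detection(name)
        print(f"{name:35} family={d.family:8} source={d.source:24} cloud={d.needs_cloud}")
    shown = merge_verdicts(AVIRA_CLOUD_NAME, "Trojan:W32/Generic.abch!fsmind")
    print("displayed:", shown, "| offline/VT:", offline_verdict(shown))
```

Running it shows the point made in the first post: a sample whose displayed verdict carries an "!fsmind" suffix goes back to "clean" once the cloud is unreachable, which is exactly what an offline-only engine such as VirusTotal's will report, while a verdict with no suffix survives offline under the assumed mapping.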
 
