On the topic of terminating F-Secure processes....

MacDefender

Level 14
Verified
Oct 13, 2019
685
I also got the feeling that for example malicious BAT files detection is something that needs to be improved, but 100% totally blind I can't say because F-Secure does actually from time to time catch even those as clearly can be seen here:
Yeah I’m curious what that sample does. DeepGuard flagged it as a PowerShell stager which makes me suspect it isn’t the batch file doing the dirty deed, it’s something it launched which DeepGuard knew how to monitor. The pathway from BAT -> EXE which is trusted but generic (like regedit, net, taskkill, etc) seems to be the big weakness.
 

valvaris

Level 5
Verified
Jul 26, 2015
223
Hello @MacDefender

could you share the script used to stop F-Secure Services?

Reason:
Would love to try that on the Commercial Product "F-Secure Elements Computer Protection".

My Test Results so far:
Tried to Kill Process with Process Explorer = Unsuccessful
Tried to stop Services via CMD = Unsuccessful

Best regards
Val.
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,442
Reason:
Would love to try that on the Commercial Product "F-Secure Elements Computer Protection".

My Test Results so far:
Tried to Kill Process with Process Explorer = Unsuccessful
Tried to stop Services via CMD = Unsuccessful

Best regards
Val.
I actually don't think this was ever tested and genuine confirmed with the actual business/enterprise version, but they might also very well implemented some " general " fix. 🤷‍♂️

Thanks for the test anyway. Interesting.(y)
 

MacDefender

Level 14
Verified
Oct 13, 2019
685
Hello @MacDefender

could you share the script used to stop F-Secure Services?

Reason:
Would love to try that on the Commercial Product "F-Secure Elements Computer Protection".

My Test Results so far:
Tried to Kill Process with Process Explorer = Unsuccessful
Tried to stop Services via CMD = Unsuccessful

Best regards
Val.
Wow then it sounds like the enterprise version does have self protection. Basically, the consumer one has processes called “fshoster32” and a 64-bit equivalent. For one test I simply wrote a batch file using taskkill to terminate it. For the other test I used “net stop” with the service name I found in Services.msc for F-Secure. That’s it. For a bonus third test you should try using msiexec to attempt to uninstall it.

But yeah what you’re describing makes it sound like the enterprise product is not affected. I’ve always wanted to try it but I’m not a business owner and whenever I fill out the trial form, their rep stops responding to me as soon as he realizes I’m not a business customer.
 

valvaris

Level 5
Verified
Jul 26, 2015
223
Wow then it sounds like the enterprise version does have self protection. Basically, the consumer one has processes called “fshoster32” and a 64-bit equivalent. For one test I simply wrote a batch file using taskkill to terminate it. For the other test I used “net stop” with the service name I found in Services.msc for F-Secure. That’s it. For a bonus third test you should try using msiexec to attempt to uninstall it.

But yeah what you’re describing makes it sound like the enterprise product is not affected. I’ve always wanted to try it but I’m not a business owner and whenever I fill out the trial form, their rep stops responding to me as soon as he realizes I’m not a business customer.
Hello @MacDefender

this is not possible with F-Secure Elements Computer Protection as long as it is configured in the Policy.

1626889991237.png

The Question marks give a little more insight what the feature does. Very nice!!! :D

Sincerely
Val.
 

CyberDevil

Level 2
Apr 4, 2021
83
I was able to report a bug to support (it was confirmed), when the UI continues to report that the protection is working and you are protected, although I terminated the main process through the task manager. Although, after 5 minutes, it nevertheless discovered that its great friend had died and said that there was no protection. :) I hope that in the next beta this will already be fixed :rolleyes:
 

peterfat111

Level 7
Mar 25, 2021
342
I was able to report a bug to support (it was confirmed), when the UI continues to report that the protection is working and you are protected, although I terminated the main process through the task manager. Although, after 5 minutes, it nevertheless discovered that its great friend had died and said that there was no protection. :) I hope that in the next beta this will already be fixed :rolleyes:
norton sometime just shut itself down and restart in like 30sec, I don't have to do anything and my protection is lost XD
 

MacDefender

Level 14
Verified
Oct 13, 2019
685
norton sometime just shut itself down and restart in like 30sec, I don't have to do anything and my protection is lost XD

Yeah F-Secure does the same during updates. I honestly wonder if you can make malware that just monitors the process list until the AV goes down for an update and then quickly rush your exploit through in 30 seconds.

Kaspersky I know refuses to stop the engine during updates, and will ask you to reboot if an engine update is needed. Emsisoft has a configuration option for which way you want to do it.
 

peterfat111

Level 7
Mar 25, 2021
342
Yeah F-Secure does the same during updates. I honestly wonder if you can make malware that just monitors the process list until the AV goes down for an update and then quickly rush your exploit through in 30 seconds.

Kaspersky I know refuses to stop the engine during updates, and will ask you to reboot if an engine update is needed. Emsisoft has a configuration option for which way you want to do it.
yes, norton goes down right after an update patch is applied.
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,442
norton sometime just shut itself down and restart in like 30sec, I don't have to do anything and my protection is lost XD
Yeah F-Secure does the same during updates. I honestly wonder if you can make malware that just monitors the process list until the AV goes down for an update and then quickly rush your exploit through in 30 seconds.
That specific behavior was patched with F-Secure version 17.8.
Product updates no longer shut down the security core.
 

Anthony Qian

Level 2
Apr 17, 2021
90
It is a known issue and I have seen some discussions about it in their official forum in the past. But I just don’t know why F-Secure does not want to fix this problem, or just does not consider it a priority.
 
  • Like
Reactions: Nevi and roger_m

Filipe

Level 1
Feb 23, 2018
43
Self-defense and integrity checking - On August 20, the product manager wrote that the feature had been added to the backlog. You can vote and bring it up if you want.
Yeh @CyberDevil i saw that on F-Secure forum, that i check regularly, because of this exact same issue and i saw yesterday that was added to the backlog, lets hope will take less time than im thinking :unsure:
Today i will vote up, is just vote on the trend right ?
Also Thanks for paying attention to this "ridiculous" self defenses weaknesses ;)

F-Secure should also have password protected the settings, against processes termination and uninstallation several years ago in my opinion besides blocking unwanted or malicious behaviours from terminating the program.
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,442
Self-defense and integrity checking - On August 20, the product manager wrote that the feature had been added to the backlog. You can vote and bring it up if you want.
@CyberDevil , impressive and big thanks for pointing out the issue and even get an official answer. Bookmarked and extra since it can be used for future ETA questions. Personal I suspect the fix won't be added in the now current Beta version and in the end I wonder how well. Hopefully I'm wrong.
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,442
F-Secure should also have password protected the settings, against processes termination and uninstallation several years ago in my opinion besides blocking unwanted or malicious behaviours from terminating the program.
Let me try help and explain. F-Secure do not have password protection on it's settings when one use a administration account, because it already exist a specific elevation option where one is forced first to manually click and accept. It is very far fetched to state that this bypass issue work no matter what and all over. With a SUA ( standard user account ) one is even forced to use a password or other login option that the OS supply, if that also is activated, for setting access in F-Secure SAFE, home version. With a SUA the specific process termination is not even an issue at all. The process termination issue exist, on the administration account. Huge difference and yes important to understand.
 

Filipe

Level 1
Feb 23, 2018
43
U
Let me try help and explain. F-Secure do not have password protection on it's settings when one use a administration account, because it already exist a specific elevation option where one is forced first to manually click and accept. It is very far fetched to state that this bypass issue work no matter what and all over. With a SUA ( standard user account ) one is even forced to use a password or other login option that the OS supply, if that also is activated, for setting access in F-Secure SAFE, home version. With a SUA the specific process termination is not even an issue at all. The process termination issue exist, on the administration account. Huge difference and yes important to understand.
Yes thats completly true if we use the admin account always with elevation. im not stating that at all, i know that its not easy. Yes i think you explained very well and yes the issue indeed is with admin account. For example if i configuire the admin account to elevation only trusted and signed executables; elevation only with admin credencials on safe environment, do you think i more safe in this way that im using?


Kind Regards for explaining better than i did :)

Also im using the hard configured from Andy :) and i also have deployed several harderning policies thorught GP.
 
Last edited:
  • Like
Reactions: Zartarra
Top