Yeah I’m curious what that sample does. DeepGuard flagged it as a PowerShell stager which makes me suspect it isn’t the batch file doing the dirty deed, it’s something it launched which DeepGuard knew how to monitor. The pathway from BAT -> EXE which is trusted but generic (like regedit, net, taskkill, etc) seems to be the big weakness.
On the topic of terminating F-Secure processes....
- Thread starter MacDefender
- Start date
- Feb 23, 2018
- 46
- Jul 27, 2015
- 5,458
The more interesting I would say is an ETA on parts I heard internally about. Still, that specific you have to try reach out directly to F-Secure and ask about. Best tip is either their own forum or their official support.
- Jul 26, 2015
- 263
Hello @MacDefender
could you share the script used to stop F-Secure Services?
Reason:
Would love to try that on the Commercial Product "F-Secure Elements Computer Protection".
My Test Results so far:
Tried to Kill Process with Process Explorer = Unsuccessful
Tried to stop Services via CMD = Unsuccessful
Best regards
Val.
could you share the script used to stop F-Secure Services?
Reason:
Would love to try that on the Commercial Product "F-Secure Elements Computer Protection".
My Test Results so far:
Tried to Kill Process with Process Explorer = Unsuccessful
Tried to stop Services via CMD = Unsuccessful
Best regards
Val.
- Jul 27, 2015
- 5,458
I actually don't think this was ever tested and genuine confirmed with the actual business/enterprise version, but they might also very well implemented some " general " fix.
Thanks for the test anyway. Interesting.
Wow then it sounds like the enterprise version does have self protection. Basically, the consumer one has processes called “fshoster32” and a 64-bit equivalent. For one test I simply wrote a batch file using taskkill to terminate it. For the other test I used “net stop” with the service name I found in Services.msc for F-Secure. That’s it. For a bonus third test you should try using msiexec to attempt to uninstall it.
But yeah what you’re describing makes it sound like the enterprise product is not affected. I’ve always wanted to try it but I’m not a business owner and whenever I fill out the trial form, their rep stops responding to me as soon as he realizes I’m not a business customer.
- Jul 26, 2015
- 263
Hello @MacDefender
this is not possible with F-Secure Elements Computer Protection as long as it is configured in the Policy.
The Question marks give a little more insight what the feature does. Very nice!!!
Sincerely
Val.
This is really awesome!Hello @MacDefender
this is not possible with F-Secure Elements Computer Protection as long as it is configured in the Policy.
View attachment 259816
The Question marks give a little more insight what the feature does. Very nice!!!
Sincerely
Val.
- Apr 4, 2021
- 456
I was able to report a bug to support (it was confirmed), when the UI continues to report that the protection is working and you are protected, although I terminated the main process through the task manager. Although, after 5 minutes, it nevertheless discovered that its great friend had died and said that there was no protection. I hope that in the next beta this will already be fixed
I hope that in the next beta this will already be fixed 
- Mar 25, 2021
- 515
norton sometime just shut itself down and restart in like 30sec, I don't have to do anything and my protection is lost XDI was able to report a bug to support (it was confirmed), when the UI continues to report that the protection is working and you are protected, although I terminated the main process through the task manager. Although, after 5 minutes, it nevertheless discovered that its great friend had died and said that there was no protection.
Yeah F-Secure does the same during updates. I honestly wonder if you can make malware that just monitors the process list until the AV goes down for an update and then quickly rush your exploit through in 30 seconds.
Kaspersky I know refuses to stop the engine during updates, and will ask you to reboot if an engine update is needed. Emsisoft has a configuration option for which way you want to do it.
- Mar 25, 2021
- 515
yes, norton goes down right after an update patch is applied.
- Jul 27, 2015
- 5,458
That specific behavior was patched with F-Secure version 17.8.
F-Secure 17.8 released
The latest stable version for F-Secure on PC have been updated to 17.8. The update should happen automatic. Update information also found in the local UpgradeMessages folder. Quote : " Version 17.8 Released June/2020 Completely redesigned Browsing and Banking protection Secure Browsing, also...
malwaretips.com
- Apr 17, 2021
- 454
It is a known issue and I have seen some discussions about it in their official forum in the past. But I just don’t know why F-Secure does not want to fix this problem, or just does not consider it a priority.
- Feb 23, 2018
- 46
- Apr 4, 2021
- 456
Self-defense and integrity checking - On August 20, the product manager wrote that the feature had been added to the backlog. You can vote and bring it up if you want.
- Feb 23, 2018
- 46
Yeh @CyberDevil i saw that on F-Secure forum, that i check regularly, because of this exact same issue and i saw yesterday that was added to the backlog, lets hope will take less time than im thinking
Today i will vote up, is just vote on the trend right ?
Also Thanks for paying attention to this "ridiculous" self defenses weaknesses
F-Secure should also have password protected the settings, against processes termination and uninstallation several years ago in my opinion besides blocking unwanted or malicious behaviours from terminating the program.
- Jul 27, 2015
- 5,458
@CyberDevil , impressive and big thanks for pointing out the issue and even get an official answer. Bookmarked and extra since it can be used for future ETA questions. Personal I suspect the fix won't be added in the now current Beta version and in the end I wonder how well. Hopefully I'm wrong.
- Jul 27, 2015
- 5,458
Let me try help and explain. F-Secure do not have password protection on it's settings when one use a administration account, because it already exist a specific elevation option where one is forced first to manually click and accept. It is very far fetched to state that this bypass issue work no matter what and all over. With a SUA ( standard user account ) one is even forced to use a password or other login option that the OS supply, if that also is activated, for setting access in F-Secure SAFE, home version. With a SUA the specific process termination is not even an issue at all. The process termination issue exist, on the administration account. Huge difference and yes important to understand.
- Feb 23, 2018
- 46
U
Kind Regards for explaining better than i did
Also im using the hard configured from Andy and i also have deployed several harderning policies thorught GP.
Yes thats completly true if we use the admin account always with elevation. im not stating that at all, i know that its not easy. Yes i think you explained very well and yes the issue indeed is with admin account. For example if i configuire the admin account to elevation only trusted and signed executables; elevation only with admin credencials on safe environment, do you think i more safe in this way that im using?
Kind Regards for explaining better than i did
Also im using the hard configured from Andy
and i also have deployed several harderning policies thorught GP.
Last edited:
Similar threads
