Advice Request: PrivaZer.exe is quarantined.


Morro (thread author)
Okay I do not know if this is the correct forum to report this, so if it is not then my apologies.

This afternoon at 15.52h DeepGuard from Ziggo Safe Online by F-Secure (it is F-Secure Safe, just renamed for my Internet provider) first blocked PrivaZer.exe when I tried to clean my trash bin. DeepGuard gave the reason "Suspicious:W32/Malware!Online". When I scanned PrivaZer manually with Ziggo Safe Online, it was shown as safe. So I reported it to F-Secure as a false positive and sent a copy of the file with it, as was requested by F-Secure. (Waiting for an email with the results of their investigation of the file.)

Then later at 17.32h Ziggo Safe Online suddenly reported a danger, and it quarantined PrivaZer.exe, and for this reason...

[screenshot: dYW92c7.jpg]


After the restart I scanned my PC, and it is clean according to Ziggo Safe Online. But this is a very weird thing, since I have been using PrivaZer for a few years now, and I installed Ziggo Safe Online from F-Secure on May the second. So why did this not pop up sooner? Until I get an answer back from F-Secure I cannot be fully certain that it is an FP, but still, this is a weird thing to have happened.
 

plat
Well, what is your version number? Is it the latest one? PrivaZer just updated on the 29th of May, so the version is 4.0.24. It's not common software, not like CCleaner, so perhaps it hasn't been universally whitelisted yet. Does the antivirus have a behavior blocker?

HitmanPro doesn't tag it via C:/ProgramFiles (x86), nor does Defender. If The_PrivaZer_Team knows about it via the PrivaZer thread, maybe he can contact directly.

[screenshot: jottiprivazer.PNG]

:cool:
 

Morro (thread author)
Well, what is your version number? Is it the latest one? PrivaZer just updated on the 29th of May, so the version is 4.0.24. It's not common software, not like CCleaner, so perhaps it hasn't been universally whitelisted yet. Does the antivirus have a behavior blocker?

HitmanPro doesn't tag it via C:/ProgramFiles (x86), nor does Defender. If The_PrivaZer_Team knows about it via the PrivaZer thread, maybe he can contact directly.


:cool:

I was indeed using the latest version 4.024, and like F-Secure it contains DeepGuard. This is but a small piece of information from F-Secure's DeepGuard whitepaper PDF.

~ The DeepGuard module in F-Secure's security products is a Host-based Intrusion Prevention System (HIPS), which performs file reputation analysis and behavioural analysis. This module is responsible for the proactive, on-the-fly monitoring and interception that serves as the final and most critical line of defence against new threats, even those targeting previously unknown vulnerabilities. ~

There is much more to DeepGuard than I can explain here, sorry. You can read more about it here...


When I removed PrivaZer for now they asked for a reason, and that way I explained why I removed PrivaZer for now. Hopefully that was enough? But I will post in the PrivaZer thread as well, thank you. :)
 

Ink (administrator)
Use your own judgement. Are you able to rollback to a previous version of PrivaZer?

From Suspicious:W32/Malware.variant!Online Description | F-Secure Labs
The Security Cloud rating for the file indicates that it:
  • Has code similar to known harmful programs,
  • Or has code for performing harmful actions.

From F-Secure User Guides
Sometimes DeepGuard may block a safe application from running, even if you want to use the application and know it to be safe. This happens because the application tries to make system changes that might be potentially harmful.

From F-Secure User Guides
DeepGuard monitors applications to detect potentially harmful changes to the system.

Potentially harmful system changes that DeepGuard detects include:
  • system setting (Windows registry) changes,
  • attempts to turn off important system programs, for example, security programs like this product, and
  • attempts to edit important system files.

Reports for both files.
 

Morro (thread author)
Use your own judgement. Are you able to rollback to a previous version of PrivaZer?

From Suspicious:W32/Malware.variant!Online Description | F-Secure Labs

From F-Secure User Guides

From F-Secure User Guides

Reports for both files.

Every time I download the PrivaZer install file it downloads and installs version 4.0.24, and every time I try to install PrivaZer it gets seen as a threat and is quarantined immediately. As for the VirusTotal results, I had a feeling that would be the result. I hope that F-Secure soon notices that it is indeed an FP as I thought... maybe together with the team behind PrivaZer itself.
 

Morro (thread author)
Have you submitted it here? Also choose the option, "I want to give more details....." fill in all the required info, and in the description section include the download source of PrivaZer and the detection name.

I have submitted it here...

By using the tab next to the automatic action tab, and I got a confirmation email.
 

upnorth
I have been using PrivaZer for a few years now, and I installed Ziggo Safe Online from F-Secure on May the second. So why did this not pop up sooner? Until I get an answer back from F-Secure I can not be fully certain that it is an FP but still this is a weird thing that happened?
Smart move to submit the file directly to F-Secure. F-Secure can and will make a better assessment now.

If something similar happened, I would also hesitate to use any normal "old" software that has never been flagged before. Weird, yes and no, I would say. With certain code changes (updates) or how the software is packed etc., it's very possible. But better safe than sorry, so submitting that file to one extra major AV vendor wouldn't hurt.
 

Morro (thread author)
I like how fast F-Secure solved this. :D

Greetings,

Thank you for your submission.

Our analysis has found that the file you submitted is clean.

We have identified the issue as a False Positive, which will be resolved automatically via F-Secure's Security Cloud.

For environments where applications change or get updated often, DeepGuard may keep on detecting a new version of the application as 'rare' or 'suspicious'.

For these cases we'd appreciate it if you could submit additional samples that are still detected in response to this email (inside a password-protected zip). This is so that the offending detection that caused the false positive can be fixed.

Alternatively, you may want to configure a temporary Exclusion inside your F-Secure product while the issue is investigated:

So Upnorth mentioning that code can change was right on target alright. Why do I sound surprised about that, considering what he does here. :) (Sorry Upnorth if it sounds like that.)

And now PrivaZer works again. I also made an exclusion for PrivaZer as F-Secure mentioned. (Just to be safe for future updates.)
 
Solution
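An added illustration (not F-Secure's code, and not code from anyone in this thread) of the two mechanisms the quoted F-Secure guide and the vendor's reply describe: behaviour monitoring for system changes (registry settings, stopping security programs, editing system files) and cloud reputation keyed on the file hash, which is why a new build with identical behaviour looks "rare" again until the cloud learns it, and why an exclusion makes the block go away. The paths, process names, rule prefixes, event format and executable bytes are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable

# Behaviour categories the quoted F-Secure guide lists as potentially harmful.
# The concrete prefixes and process names are constructed for this example.
SENSITIVE_REGISTRY_PREFIXES = (
    r"HKLM\SYSTEM\CurrentControlSet\Services",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
SECURITY_PROCESSES = {"avservice.exe"}        # placeholder name for a security product's service
SYSTEM_FILE_PREFIX = "C:\\Windows\\System32\\"


@dataclass(frozen=True)
class Event:
    kind: str    # "registry_write" | "process_terminate" | "file_write"
    target: str  # registry key, process image name or file path


@dataclass(frozen=True)
class Sample:
    path: str       # where the executable lives on disk
    content: bytes  # executable bytes (constructed stand-ins)
    events: tuple   # behaviour observed while it runs


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def behaviour_findings(events: Iterable[Event]) -> list:
    """Describe every event that falls into one of the guide's three categories."""
    findings = []
    reg_prefixes = tuple(p.lower() for p in SENSITIVE_REGISTRY_PREFIXES)
    for ev in events:
        t = ev.target.lower()
        if ev.kind == "registry_write" and t.startswith(reg_prefixes):
            findings.append(f"system setting change: {ev.target}")
        elif ev.kind == "process_terminate" and t in SECURITY_PROCESSES:
            findings.append(f"attempt to stop a security program: {ev.target}")
        elif ev.kind == "file_write" and t.startswith(SYSTEM_FILE_PREFIX.lower()):
            findings.append(f"edit of an important system file: {ev.target}")
    return findings


def verdict(sample: Sample, clean_hashes: set, excluded_paths: set = frozenset()) -> tuple:
    """Reputation first, behaviour second; returns (decision, reason).

    1. a hash the cloud already rates clean is allowed outright;
    2. a path the user excluded is allowed without inspection (the risk of exclusions:
       anything later placed at that path inherits the trust);
    3. otherwise an unknown file showing sensitive behaviour is blocked.
    """
    digest = sha256_hex(sample.content)
    if digest in clean_hashes:
        return "allow", "known clean hash"
    if sample.path.lower() in {p.lower() for p in excluded_paths}:
        return "allow", "user exclusion"
    findings = behaviour_findings(sample.events)
    if findings:
        return "block", "unknown file, suspicious behaviour: " + "; ".join(findings)
    return "allow", "unknown file, no sensitive behaviour seen"


# --- constructed scenario mirroring the thread ---------------------------------
CLEANER_PATH = r"C:\Program Files (x86)\Cleaner\cleaner.exe"   # placeholder path
# A privacy-cleanup tool legitimately rewrites registry settings; to a behaviour
# monitor that is indistinguishable from a "system setting change".
CLEANUP_EVENTS = (
    Event("registry_write", r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StaleEntry"),
)
OLD_BUILD = Sample(CLEANER_PATH, b"cleaner-build-old", CLEANUP_EVENTS)
NEW_BUILD = Sample(CLEANER_PATH, b"cleaner-build-new", CLEANUP_EVENTS)  # same behaviour, new bytes

# The vendor's cloud only knows the old build.
CLOUD_CLEAN_HASHES = {sha256_hex(OLD_BUILD.content)}


def scenario() -> dict:
    """Run the cases discussed in the thread and return each verdict."""
    return {
        "old_build": verdict(OLD_BUILD, CLOUD_CLEAN_HASHES),
        "new_build": verdict(NEW_BUILD, CLOUD_CLEAN_HASHES),
        "new_build_excluded": verdict(NEW_BUILD, CLOUD_CLEAN_HASHES, {CLEANER_PATH}),
        # What "resolved automatically via the Security Cloud" amounts to: the new hash is learned.
        "new_build_after_cloud_fix": verdict(
            NEW_BUILD, CLOUD_CLEAN_HASHES | {sha256_hex(NEW_BUILD.content)}),
    }


if __name__ == "__main__":
    for case, (decision, reason) in scenario().items():
        print(f"{case:26} {decision:5} {reason}")
```

The point for a defender is the ordering in `verdict`: a path exclusion short-circuits the behaviour check entirely, so it is the coarser fix compared with the cloud learning the new hash, and it is worth removing once the vendor's correction has landed.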

Stopspying
I clicked on the update button in the top right-hand corner of the PrivaZer GUI to download this update. I could see that I was downloading a file by watching the internet connection activity, but I was getting no confirmation dialogue for a download in FF. I have FF set so that I choose where to download files rather than end up with a big collection of assorted files in the 'Download' folder. I tried again, and the same thing happened. I tried a search for PrivaZer.exe/PrivaZer_free.exe in Everything (I find this much quicker than Windows' own search); nothing showed up.

A bit later on I switched on a second monitor for the same PC, in the top left-hand corner of it was a stack of dialogue boxes asking where I wanted to save PrivaZer_free.exe 🙄

Just thought I'd mention this quite basic mistake, in case anyone reading this has had a bad day and wants a laugh. 😕🤣
 
