Q&A PrivaZer.exe is quarantined.

Morro

Level 11
Verified
Jul 8, 2012
533
Okay I do not know if this is the correct forum to report this, so if it is not then my apologies.

This afternoon at 15.52h DeepGuard from Ziggo Safe Online by F-Secure (it is F-Secure Safe, just renamed for my IP provider) first blocked PrivaZer.exe when I tried to clean my trash bin. DeepGuard gave the reason "Suspicious:W32/Malware!Online". When I scanned PrivaZer manually with Ziggo Safe Online, it was shown as safe. So I reported it to F-Secure as a false positive and sent a copy of the file with it as well, as F-Secure requested. (Waiting for an email with the results of their investigation of the file.)

Then later at 17.32h Ziggo Safe Online suddenly reported a danger, and it quarantined PrivaZer.exe, and for this reason...



After the restart I scanned my PC, and it is clean according to Ziggo Safe Online. But this is a very weird thing, since I have been using PrivaZer for a few years now, and I installed Ziggo Safe Online from F-Secure on May the second. So why did this not pop up sooner? Until I get an answer back from F-Secure I cannot be fully certain that it is an FP, but still, this is a weird thing that happened.
 

plat1098

Level 24
Verified
Sep 13, 2018
1,343
Well, what is your version number? Is it the latest one? PrivaZer just updated on the 29th of May, so the version is 4.0.24. It's not common software, not like CCleaner, so perhaps it hasn't been universally whitelisted yet. Does the antivirus have a behavior blocker?

HitmanPro doesn't tag it via C:/ProgramFiles (x86), nor does Defender. If The_PrivaZer_Team knows about it via the PrivaZer thread, maybe he can contact directly.


:cool:
 

Morro

Level 11
Verified
Jul 8, 2012
533

I was indeed using the latest version 4.024, and like F-Secure it contains DeepGuard. This is but a small piece of information from F-Secure's DeepGuard whitepaper PDF.

~ The DeepGuard module in F-Secure’s security products is a Host-based Intrusion Prevention System (HIPS), which performs file reputation analysis and behavioural analysis. This module is responsible for the proactive, on-the-fly monitoring and interception that serves as the final and most critical line of defence against new threats, even those targeting previously unknown vulnerabilities. ~

There is much more to DeepGuard to explain here, sorry. You can read more about here...


When I removed PrivaZer for now they asked for a reason, and through that way I explained why I removed PrivaZer for now. Hopefully that was enough? But I will post in the PrivaZer thread as well, thank you. :)
 

Spawn

Administrator
Verified
Staff member
Jan 8, 2011
21,158
Use your own judgement. Are you able to rollback to a previous version of PrivaZer?

From Suspicious:W32/Malware.variant!Online Description | F-Secure Labs
The Security Cloud rating for the file indicates that it:
  • Has code similar to known harmful programs,
  • Or has code for performing harmful actions.

From F-Secure User Guides
Sometimes DeepGuard may block a safe application from running, even if you want to use the application and know it to be safe. This happens because the application tries to make system changes that might be potentially harmful.

From F-Secure User Guides
DeepGuard monitors applications to detect potentially harmful changes to the system.

Potentially harmful system changes that DeepGuard detects include:
  • system setting (Windows registry) changes,
  • attempts to turn off important system programs, for example, security programs like this product, and
  • attempts to edit important system files.

Reports for both files.
 

Morro

Level 11
Verified
Jul 8, 2012
533
Every time I download the PrivaZer install file it downloads and installs version 4.0.24, and every time I try to install PrivaZer it gets seen as a threat and is quarantined immediately. As for the VirusTotal results, I had a feeling that would be the result. I hope that F-Secure soon notices that it is indeed an FP as I thought... maybe together with the team behind PrivaZer itself.
 

Morro

Level 11
Verified
Jul 8, 2012
533
Have you submitted it here? Also choose the option, "I want to give more details....." fill in all the required info, and in the description section include the download source of PrivaZer and the detection name.

I have submitted it here...


By using the tab next to the automatic action tab, and I got a confirmation email.
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,302
Smart move to submit the file directly to F-Secure. F-Secure can and will make a better assessment now.

If something similar happened, I would also hesitate to use any normal "old" software that has never been flagged before. Weird, yes and no I would say. With certain code changes (updates) or how the software is packed etc., it's very possible. But better safe than sorry, so submitting that file to one extra major AV vendor wouldn't hurt.
 

Morro

Level 11
Verified
Jul 8, 2012
533
I like how fast F-Secure solved this. :D

Greetings,

Thank you for your submission.

Our analysis has found that the file you submitted is clean.

We have identified the issue as a False Positive, which will be resolved automatically via F-Secure's Security Cloud.

For environments where applications change or get often updated, Deepguard may keep on detecting a new version of the application as 'rare' or 'suspicious'.

For these cases we'd appreciate if you could submit additional samples that are still detected in response to this email (inside a password-protected zip). This is so that the offending detection that caused the false positive can be fixed.

Alternatively, you may want to configure a temporary Exclusion inside your F-Secure product while the issue is investigated:

So Upnorth mentioning that code can change was right on target alright. Why do I sound surprised about it, considering what he does here. :) (Sorry Upnorth if it sounds like that.)

And now PrivaZer works again, I also made an exclusion for PrivaZer as F-Secure mentioned. (Just to be safe for future updates.)
 
Solution

Stopspying

Level 14
Verified
Jan 21, 2018
637
I clicked on the update button in the top right-hand corner of the PrivaZer GUI to download this update. I could see that I was downloading a file by watching the internet connection activity, but I was getting no confirmation dialogue for a download in FF. I have FF set so that I choose where to download files rather than end up with a big collection of assorted files in the 'Download' folder. I tried again, and the same thing happened. I tried a search for PrivaZer.exe/PrivaZer_free.exe in Everything (I find this much quicker than Windows' own search); nothing showed up.

A bit later on I switched on a second monitor for the same PC, in the top left-hand corner of it was a stack of dialogue boxes asking where I wanted to save PrivaZer_free.exe 🙄

Just thought I'd mention this quite basic mistake, in case anyone reading this has had a bad day and wants a laugh. 😕🤣
 