Suspicious:W32/Malware!Gemini is a proactive Heuristic Detection, which may be triggered by a file that behaves in a suspicious manner indicative of malware infection.
About Heuristic Detections
Heuristic analysis (also known as behavioral analysis) is an advanced type of antivirus technology that evaluates any potential threats by examining a suspected program's intended actions and effects on a computer system.
To examine a program's potential behavior, the antivirus program executes it in a self-contained, "virtual system" environment (also known as emulation). This allows the antivirus program to evaluate how the program's behavior affects the virtual system, without compromising or endangering the user's actual system.
A program that appears to perform suspicious or potentially malicious actions will trigger a Heuristic Detection, such as the one above.
The Heuristic Detection Suspicious:W32/Malware!Gemini may be seen in a variety of channels:
• From an F-Secure antivirus product that has the "advanced heuristics option" enabled
• From an F-Secure product with the DeepGuard feature enabled
• From the Virustotal website
1) From an F-Secure product that has the "advanced heuristics option" enabled
Heuristic analysis technology is available as a feature in F-Secure's Antivirus and Internet Security products. The Suspicious:W32/Malware!Gemini detection may be generated when a manual scan is performed with the Advanced Heuristics feature enabled.
Please note however that the Advanced Heuristics feature is optional and is disabled in our products by default. The feature can be enabled in the Settings menu.

Use of this feature may be more appropriate for more advanced users. It may also be automatically enabled by some ISPs.
Solution: Disregarding a False Positive by Temporarily Disabling Advanced Heuristics
Heuristic analysis may sometimes generate a false positive on a legitimate file. If the user is confident a flagged file is safe, it is possible to avoid generating a false positive on the file by disabling the Advanced Heuristics feature while performing a manual scan:
• In the product, go to Settings
• Go to Computer, and select Manual scanning
• Uncheck the 'Use advanced heuristics (slower)' option
• Click 'OK'.
Action Needed: Submit a Sample
False positive samples may also be submitted to the Security Lab for further analysis via the Sample Analysis System (SAS). Please select the 'False positive' sample type during submission.
2) From an F-Secure product with the DeepGuard feature enabled
DeepGuard is a Host-based Intrusion-Prevention System (HIPS) feature included in various F-Secure products. DeepGuard also uses a form of heuristic analysis and is enabled by default.

DeepGuard runs in the background while the user is working and constantly checks the processes running to ensure no malicious activity is taking place.
If an application process does behave suspiciously, DeepGuard will display a message notifying the user about the suspect activity and asking if it should be allowed to proceed. If the activity is considered potentially significantly damaging, DeepGuard may block the activity altogether, unless the user authorizes it to proceed.
Solution 1 : Whitelist a Known, Legitimate Program or Process
If the user is certain the application or process is desired and non-malicious, they can configure DeepGuard to 'whitelist' the application or process. Doing so will allow the application/process to run as per normal.
To whitelist an application or process:
• In the product, go to Settings
• Go to Computer, and select DeepGuard
• Click the link 'Open list of monitored programs'
• Find the application in question and set the entry to 'Allow'
• Click 'OK'.
Solution 2 : Temporarily Disable DeepGuard (not recommended)
To continue using an application or process deemed suspicious, the user can also temporarily disable DeepGuard entirely:
• In the product, go to Settings
• Go to Computer, and select DeepGuard
• Uncheck the 'Turn on DeepGuard' option
• Click 'OK'.
Action Needed: Submit a Sample
False positive samples may also be submitted to the Security Lab for further analysis via the Sample Analysis System (SAS). Please select the 'False positive' sample type during submission.
3) From the Virustotal Website
This detection can also be seen from the DeepGuard scanning engine used by Virustotal, a website to which files may be submitted for scanning by multiple antivirus engines.
From Virustotal's website:
"Virustotal.com is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines." The detection of Suspicious:W32/Malware!Gemini by Virustotal's scan is equivalent to an automatic block by DeepGuard.
Action Needed: Submit a Sample
False positive samples may also be submitted to the Security Lab for further analysis via the Sample Analysis System (SAS). Please select the 'False positive' sample type during submission.
Possible Compatibility Issues
If a copy-protected application fails to start or crashes while DeepGuard is enabled, this may be due to a compatibility issue. To continue using this application, it is advisable to temporarily disable the Advanced Process Monitoring component of the DeepGuard feature:
• In the product, go to Settings
• Go to Computer, and select DeepGuard
• Uncheck the 'Use advanced process monitoring' option
• Click 'OK'.
A sample of this compatibility issue may also be submitted to the Security Lab for further analysis via the Sample Analysis System (SAS). Please provide a brief description of the problem in the Message field during submission.