Suspicious:W32/Malware!Gemini

Threat description

Details

Category: Malware
Type: Suspicious
Platform: W32

Summary

The file appears to be performing suspicious or potentially undesirable actions on the system. This may potentially indicate the presence of a malware infection, or that the suspect file is malicious.



Removal

Flagged as Suspicious

A file detected as Suspicious may be Quarantined as a precautionary measure. Once detected, the F-Secure security product may either automatically disinfect the suspect file or prompt the user to select a desired action. For more information, see: Support Community article: Automatic actions for viruses also used for suspicious items.

It is possible that behavior-based analysis can inadvertently cause a False Positive (FP). If you suspect this to be the case, please first ensure your F-Secure security program is completely up-to-date with the latest detection database updates, then rescan the suspect file.

If you continue to suspect a False Positive (or alternatively, a file identified as Clean should have been marked as malicious) you can submit a sample of the suspect file for further analysis via Labs: Submit A Sample (SAS).

More

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more assistance.



Technical Details

Suspicious:W32/Malware!Gemini is a proactive Heuristic Detection which may be triggered by a file that behaves in a suspicious manner indicative of malware infection. This detection may be seen in a variety of channels:

  • From an F-Secure antivirus product that has the "advanced heuristics option" enabled
  • From an F-Secure product with the DeepGuard feature enabled
  • From the Virustotal website

Note: Proactive behavioral analysis may lead to a compatibility issue that causes copy-protected applications to fail to start or crash. For more information, see:

  • Possible compatibility issues

1) From an F-Secure product that has the "advanced heuristics option" enabled

Heuristic analysis technology is available as a feature in F-Secure's Antivirus and Internet Security products. The Suspicious:W32/Malware!Gemini detection may be generated when a manual scan is performed with the Advanced Heuristics feature enabled.

Please note however that the Advanced Heuristics feature is optional and is disabled in our products by default. The feature can be enabled in the Settings menu.

Use of this feature may be more appropriate for more advanced users. It may also be automatically enabled by some ISPs.

Note: False Positive on a legitimate file

Heuristic analysis may sometimes generate a false positive on a legitimate file. If the user is confident a flagged file is safe, it is possible to avoid generating a false positive on the file by disabling the Advanced Heuristics feature while performing a manual scan.

Solution: Disregarding a False Positive by Temporarily Disabling Advanced Heuristics

  • In the product, go to Settings
  • Go to Computer, and select Manual scanning
  • Uncheck the 'Use advanced heuristics (slower)' option
  • Click 'OK'.

Further action: Submit a sample

You can submit a file you suspect is a False Positive (FP) for further analysis via Labs: Submit A Sample.

2) From an F-Secure product with the DeepGuard feature enabled

DeepGuard is a Host-based Intrusion-Prevention System (HIPS) feature included in various F-Secure products. DeepGuard also uses a form of heuristics analysis and is enabled by default.

DeepGuard runs in the background while the user is working and constantly checks the processes running to ensure no malicious activity is taking place.

If an application process does behave suspiciously, DeepGuard will display a message notifying the user about the suspect activity and asking if it should be allowed to proceed. If the activity is considered potentially very damaging, DeepGuard may block the activity altogether, unless the user authorizes it to proceed.

Solution 1 : Whitelist a Known, Legitimate Program or Process

If the user is certain the application or process is desired and non-malicious, they can configure DeepGuard to 'whitelist' the application or process. Doing so will allow the application/process to run as normal.

To whitelist an application or process:

  • In the product, go to Settings
  • Go to Computer, and select DeepGuard
  • Click the link 'Open list of monitored programs'
  • Find the application in question and set the entry to 'Allow'
  • Click 'OK'.

Alternatively:

  • In the product, go to Settings
  • Go to Security settings, and select DeepGuard
  • Click the link 'Change application permissions'
  • Find the application in question and set the entry to 'Allow'
  • Click 'OK'.

Solution 2 : Temporarily Disable DeepGuard (not recommended)

To continue using an application or process deemed suspicious, the user can also temporarily disable the DeepGuard entirely:

  • In the product, go to Settings
  • Go to Security settings, and select DeepGuard
  • Move the slider to turn off DeepGuard
  • Click 'OK'.

Alternatively:

  • In the product, go to Settings
  • Go to Computer, and select DeepGuard
  • Uncheck the 'Turn on DeepGuard' option
  • Click 'OK'.

Further action: Submit a sample

You can submit a file you suspect is a False Positive (FP) for further analysis via Labs: Submit A Sample.

3) From the Virustotal Website

This detection can also be seen from the DeepGuard scanning engine used by Virustotal, a website to which files may be submitted for scanning by multiple antivirus engines.

From Virustotal's website:

Virustotal.com is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines.

The detection of Suspicious:W32/Malware!Gemini by Virustotal's scan is equivalent to an automatic block by DeepGuard.

Possible Compatibility Issues

If a copy-protected application fails to start or crashes while DeepGuard is enabled, this may be due to a compatibility issue.

To continue using this application, it is advisable to temporarily disable the Advanced Process Monitoring component of the DeepGuard feature:

  • In the product, go to Settings
  • Go to Security settings, and select DeepGuard
  • Check the 'Use the compatibility mode (lowers security)' option
  • Click 'OK'.

Alternatively:

  • In the product, go to Settings
  • Go to Computer, and select DeepGuard
  • Uncheck the 'Use advanced process monitoring' option
  • Click 'OK'.

A sample of the file involved in the compatibility issue may also be submitted for further analysis via Labs: Submit A Sample. When submitting the file, please provide a brief description of the problem.
