Suspicious:W32/Malware!Gemini

Threat description

Details

Category: Malware
Type: Suspicious

Summary

The file appears to be performing suspicious or potentially undesirable actions on the system. This may potentially indicate the presence of a malware infection, or that the suspect file is malicious.

Removal

Automatic action

Depending on the settings of your F-Secure security product, it will either block or quarantine the suspect file or application, or ask you for a desired action.

Security programs can sometimes unintentionally identify a clean program or file as harmful if its code or behavior is similar to a known harmful program or file. This is known as a False Alarm or False Positive (FP).

For example, 'tmp.edb' and other '.edb' files stored at the location 'C:\WINDOWS\SoftwareDistribution\DataStore\Logs\' may be unintentionally detected as malicious by various security programs.
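Before treating a detection as a False Positive or submitting a sample, it helps to record a few facts about the flagged file: its SHA-256 hash (the value you would quote when submitting it), its Authenticode signature status, and whether it sits in the Windows Update datastore log folder named above. The PowerShell helper below is an added example written for this page, not part of the F-Secure article or product; the function name and the sample path in the usage comment are constructed.

```powershell
# Added triage helper (not part of the F-Secure article or product).
# Gathers facts about a flagged file so the decision to rescan, restore or
# submit a sample is based on something more than the detection name alone.
function Get-FlaggedFileFacts {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $item = Get-Item -LiteralPath $Path

    # SHA-256 is the hash to quote when submitting the sample or looking it up elsewhere.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # A 'Valid' signature from a known publisher is a strong hint of a False Positive;
    # 'NotSigned' proves nothing either way, since many legitimate files are unsigned.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Benign location named in the article: Windows Update datastore logs ('.edb' files).
    $knownBenignDir = Join-Path $env:SystemRoot 'SoftwareDistribution\DataStore\Logs'
    $inKnownBenignDir = ($null -ne $item.DirectoryName) -and
        ($item.DirectoryName.TrimEnd('\') -ieq $knownBenignDir) -and
        ($item.Extension -ieq '.edb')

    [pscustomobject]@{
        Path                 = $item.FullName
        SizeBytes            = $item.Length
        LastWriteTimeUtc     = $item.LastWriteTimeUtc
        Sha256               = $hash
        SignatureStatus      = $sig.Status.ToString()
        Signer               = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        MatchesArticleFpPath = [bool]$inKnownBenignDir
    }
}

# Usage (constructed path; replace it with the path shown in the detection alert):
# Get-FlaggedFileFacts -Path 'C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb' | Format-List
```

Run it from an elevated PowerShell prompt if the file lives under the Windows directory. The output does not decide the question by itself; it is the record you keep alongside the rescan result described in the next section and attach, together with the hash, to any sample submission.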

Checking for a fix

In most cases, a False Positive is fixed in a subsequent database release; updating your F-Secure security product to use the latest database is enough to resolve the issue. If you suspect a detected file may be a False Positive, you can check by first updating your F-Secure security product to use the latest detection database updates, then rescanning the suspect file.

Send a sample to F-Secure Labs

After checking, if you believe the file or program is still incorrectly detected, you can submit a sample of it to F-Secure Labs for analysis and correction:

You may also refer to the Knowledge Base on the F-Secure Community site for more assistance.

Also

Microsoft provides enterprise-level instructions for excluding files from scanning by antivirus software:

If a file was incorrectly quarantined due to a False Positive, you may choose to restore the item.

More

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

Technical Details

Suspicious:W32/Malware!Gemini is a proactive Heuristic Detection which may be triggered by a file that behaves in a suspicious manner indicative of malware infection. This detection may be seen in a variety of channels:

  • From an F-Secure antivirus product that has the "advanced heuristics option" enabled
  • From an F-Secure product with the DeepGuard feature enabled
  • From the Virustotal website

Note: Proactive behavioral analysis may lead to a compatibility issue that causes copy-protected applications to fail to start or crash. For more information, see:

  • Possible compatibility issues

1) From an F-Secure product that has the "advanced heuristics option" enabled

Heuristic analysis technology is available as a feature in F-Secure's Antivirus and Internet Security products. The Suspicious:W32/Malware!Gemini detection may be generated when a manual scan is performed with the Advanced Heuristics feature enabled.

Please note however that the Advanced Heuristics feature is optional and is disabled in our products by default. The feature can be enabled in the Settings menu.

Use of this feature may be more appropriate for more advanced users. It may also be automatically enabled by some ISPs.

Note: False Positive on a legitimate file

Heuristic analysis may sometimes generate a false positive on a legitimate file. If the user is confident a flagged file is safe, it is possible to avoid generating a false positive on the file by disabling the Advanced Heuristics feature while performing a manual scan.

Solution: Disregarding a False Positive by Temporarily Disabling Advanced Heuristics

  • In the product, go to Settings
  • Go to Computer, and select Manual scanning
  • Uncheck the 'Use advanced heuristics (slower)' option
  • Click 'OK'.

Further action: Submit a sample

You can submit a file you suspect is a False Positive (FP) for further analysis via Labs: Submit A Sample.

2) From an F-Secure product with the DeepGuard feature enabled

DeepGuard is a Host-based Intrusion-Prevention System (HIPS) feature included in various F-Secure products. DeepGuard also uses a form of heuristics analysis and is enabled by default.

DeepGuard runs in the background while the user is working and constantly checks the processes running to ensure no malicious activity is taking place.

If an application process does behave suspiciously, DeepGuard will display a message notifying the user about the suspect activity and asking if it should be allowed to proceed. If the activity is considered potentially very damaging, DeepGuard may block the activity altogether, unless the user authorizes it to proceed.

Solution 1: Whitelist a Known, Legitimate Program or Process

If the user is certain the application or process is desired and non-malicious, they can configure DeepGuard to 'whitelist' the application or process. Doing so will allow the application/process to run as normal.

To whitelist an application or process:

  • In the product, go to Settings
  • Go to Computer, and select DeepGuard
  • Click the link 'Open list of monitored programs'
  • Find the application in question and set the entry to 'Allow'
  • Click 'OK'.

Or, in products where DeepGuard is listed under Security settings:

  • In the product, go to Settings
  • Go to Security settings, and select DeepGuard
  • Click the link 'Change application permissions'
  • Find the application in question and set the entry to 'Allow'
  • Click 'OK'.

Solution 2: Temporarily Disable DeepGuard (not recommended)

To continue using an application or process deemed suspicious, the user can also temporarily disable the DeepGuard entirely:

  • In the product, go to Settings
  • Go to Security settings, and select DeepGuard
  • Move the slider to turn off DeepGuard
  • Click 'OK'.

Or, in products where DeepGuard is listed under Computer:

  • In the product, go to Settings
  • Go to Computer, and select DeepGuard
  • Uncheck the 'Turn on DeepGuard' option
  • Click 'OK'.

Further action: Submit a sample

You can submit a file you suspect is a False Positive (FP) for further analysis via Labs: Submit A Sample.

3) From the Virustotal Website

This detection can also be seen from the DeepGuard scanning engine used by Virustotal, a website to which files may be submitted for scanning by multiple antivirus engines.

From Virustotal's website:

Virustotal.com is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines.

The detection of Suspicious:W32/Malware!Gemini by Virustotal's scan is equivalent to an automatic block by DeepGuard.

Possible Compatibility Issues

If a copy-protected application fails to start or crashes while DeepGuard is enabled, this may be due to a compatibility issue.

To continue using this application, it is advisable to temporarily disable the Advanced Process Monitoring component of the DeepGuard feature:

  • In the product, go to Settings
  • Go to Security settings, and select DeepGuard
  • Check the 'Use the compatibility mode (lowers security)' option
  • Click 'OK'.

Or, in products where DeepGuard is listed under Computer:

  • In the product, go to Settings
  • Go to Computer, and select DeepGuard
  • Uncheck the 'Use advanced process monitoring' option
  • Click 'OK'.

A sample of the file involved in the compatibility issue may also be submitted for further analysis via Labs: Submit A Sample. When submitting the file, please provide a brief description of the problem.
