New delivery protocol (GUTS2) for Virus definition downloads in Policy Manager

Katriina_M, Posts: 445, F-Secure Employee

Starting from version 13.00, Business Suite products are switching to GUTS2 as a replacement for BackWeb to download virus definition updates. From now on, Policy Manager uses GUTS2 to download all needed updates, including those for the 12.x client series and earlier.

What is GUTS2?

GUTS2 is the new update delivery infrastructure from F-Secure for distributing updates worldwide for all company products. Compared to BackWeb, it is more efficient in delivering diffs, more proxy-friendly and easier to maintain. GUTS2 also features a global identifier for updates, which eliminates the need to download full updates when switching between the F-Secure Cloud and Policy Managers.

Note: The Policy Manager Server will keep distributing updates via both BackWeb and GUTS2 protocols as long as older clients are supported.

What has changed with GUTS2?

  • The Automatic Update Agent (AUA) is no longer needed for the Policy Manager Server (PMS). The AUA configuration file, previously used as the HTTP proxy source for Internet connections, has been replaced with the fspms.proxy.config file.
  • Proxy settings are migrated during the upgrade. Only the first proxy is migrated; multiple HTTP proxies are no longer supported. There is no fallback to a direct Internet connection when the defined HTTP proxy is not accessible.
  • The F-Secure Automatic Update Agent tool that listed all downloaded updates has been dropped. As a replacement, the list of all updates served by the Policy Manager Server is shown in the Console under Summary > Virus definitions on the server > Show details.
  • There are two separate lists, one for 12.x updates and one for newer ones, as their update logic differs. The Downloads dialog appears empty if no hosts are requesting updates; this is normal, for example, when hosts connect via a Policy Manager Proxy, which serves updates on its own.

Main improvements in GUTS2

Update diff handling

In the GUTS2 protocol, Policy Manager does not have to generate diffs itself, which saves CPU and I/O resources; instead it relies on the cloud infrastructure to fetch diffs. The number of diffs stored in the cloud is significantly larger than with on-premises diff generation (for example, ~200 versions for Aquarius updates).

On-demand downloads

With the new protocol, on-demand downloads have been enabled so that only the relevant updates are downloaded. For example, in environments without Linux products, the Policy Manager Server will not maintain Linux updates.

Note: No updates are requested from the Internet when computers are not in use. Every GUTS2 update is downloaded only when requested. This may cause a slight delay for the first client requesting a recently released update.

A typical on-demand download scenario is as follows:
  1. The Policy Manager Server (PMS) regularly (every 10 minutes by default) refreshes metadata about the latest F-Secure updates.
  2. The client periodically polls the PMS, checking for the availability of new updates.
  3. When the client notices new updates, it requests the diff, providing the previous version currently in use.
  4. The PMS accepts the request and starts downloading the update from the F-Secure Cloud asynchronously. The client is instructed (an HTTP 503 response code is returned) to come back in ~10 minutes and check for updates again.
  5. The diff from the requested previous version to the latest version is downloaded to the cache.
  6. On the next polling round, the client receives the requested update.

If another client connects to the Policy Manager requesting a diff from the same previous version, the update is served immediately.

If a client was offline and missed one or several updates, it requests a diff from the previous version it was using and repeats steps 3-6; this is why the updates cache for each version may contain several diffs from different previous versions.

What happens to shutdown clients?

If a client has been shut down for a long time and the F-Secure Cloud cannot serve diffs from such an old previous version, the Cloud instructs the Policy Manager Server to provide the client with a full update archive. In these cases:
  • An HTTP 301 response code (moved permanently) with a redirect link to the latest update is returned, and the client requests the full version from the PMS. If the full version has never been requested before, the PMS downloads it from the F-Secure Cloud (as in steps 4-6 for serving diffs).
  • If the PMS already has full content for any version in the cache, it is used as the basis for building a full update archive for the latest version: if needed, the PMS requests the diffs from that version to the latest one from the F-Secure Cloud, then builds the full update archive and serves it to the client.
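The request flow in steps 2-6 above, together with the full-archive redirect for long-offline clients, modelled as an added example; this is illustrative code, not F-Secure's implementation. The `Cloud` class, the cache keys and the `retry_after_minutes` field are constructed stand-ins, and the real protocol's message formats are not shown on this page.

```python
# Added illustration, not F-Secure code: a minimal model of how a Policy
# Manager Server answers GUTS2 requests in the on-demand scenario above.
from dataclasses import dataclass, field

RETRY_AFTER_MIN = 10  # step 4: "come back in ~10 mins"


@dataclass
class Cloud:
    """Constructed stand-in for the F-Secure Cloud."""
    latest: int
    oldest_diffable: int  # diffs exist only from this version onwards

    def has_diff(self, prev: int) -> bool:
        return self.oldest_diffable <= prev < self.latest


@dataclass
class PolicyManagerServer:
    cloud: Cloud
    cache: dict = field(default_factory=dict)  # key -> downloaded payload
    pending: set = field(default_factory=set)  # keys being fetched from the cloud

    def new_update_available(self, current: int) -> bool:
        """Step 2: the client polls for metadata newer than the version it runs."""
        return current < self.cloud.latest

    def _fetch_or_wait(self, key):
        """Serve from cache, or start the async download (step 4) and return a 503."""
        if key in self.cache:
            return 200, self.cache[key]
        self.pending.add(key)
        return 503, {"retry_after_minutes": RETRY_AFTER_MIN}

    def request_diff(self, prev: int):
        """Step 3: the client asks for a diff from the version it currently uses."""
        if not self.cloud.has_diff(prev):
            # Cloud cannot diff from such an old version: redirect to a full archive.
            return 301, f"/guts2/full/{self.cloud.latest}"
        return self._fetch_or_wait(("diff", prev, self.cloud.latest))

    def request_full(self, version: int):
        """Full archive requested after a 301; cached or fetched like a diff."""
        return self._fetch_or_wait(("full", version))

    def complete_downloads(self) -> None:
        """Step 5: pending cloud downloads land in the cache."""
        for key in self.pending:
            self.cache[key] = "-".join(map(str, key))
        self.pending.clear()
```

A second client asking for the same diff after `complete_downloads()` gets a 200 straight from the cache, which is the immediate-serve behaviour the text describes.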

Virus definition updates cache maintenance

The Policy Manager Server (PMS) maintains a cache of downloaded updates, which typically occupies 2-3 GB of disk space. The PMS keeps a certain number of update versions (10 by default); however, this is not equivalent to the 'num_old_versions_to_compare' parameter in the AUS server.cfg configuration file. Saved versions are used only for rebuilding full updates, so changing the number of versions to keep only makes the refreshing of stored full content more or less frequent.

When a new version (the 11th in the default configuration) is downloaded, the first (oldest) one is removed. If the oldest version contains full update content and is the only version with full content, the PMS builds full content for the newest version (requesting the required diffs from the F-Secure Cloud, if needed) and then drops the old version completely.

To limit the cache size, Policy Manager keeps just 2 full archives per channel, those of the latest 2 versions. Every successful content build is followed by a clean-up procedure that checks the remaining content and archives and removes whatever is redundant (more than one full content, or more than two archives, i.e. archives outside the latest 2 versions).
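The eviction rule from the two paragraphs above (keep N versions, rebuild full content on the newest version before the only full version is dropped, then clean up older full content), as an added example; this is illustrative code, not Policy Manager's own. The `Version` and `UpdatesCache` classes and the `cloud_requests` log are constructed for the example, and the archive handling is not modelled.

```python
# Added illustration, not F-Secure code: a model of the PMS updates cache
# maintenance described above. Versions are kept oldest-to-newest; `keep`
# plays the role of the -DkeepGuts2UpdatesCount setting (page default 10).
from dataclasses import dataclass, field


@dataclass
class Version:
    number: int
    full: bool = False                            # full update content cached
    diffs_from: set = field(default_factory=set)  # previous versions with a cached diff


@dataclass
class UpdatesCache:
    keep: int = 10
    versions: list = field(default_factory=list)        # ordered oldest -> newest
    cloud_requests: list = field(default_factory=list)  # (from, to) diffs fetched

    def full_versions(self) -> list:
        return [v for v in self.versions if v.full]

    def build_full(self, target: Version) -> None:
        """Rebuild full content for `target` from the newest cached full version,
        requesting the missing diff from the cloud, then drop older full content."""
        source = self.full_versions()[-1]
        if source.number not in target.diffs_from:
            self.cloud_requests.append((source.number, target.number))
            target.diffs_from.add(source.number)
        target.full = True
        for old in self.full_versions()[:-1]:  # clean-up: keep one full content
            old.full = False

    def add_version(self, number: int, diffs_from=()) -> None:
        """A new version arrived; if the cache is over `keep`, evict the oldest,
        first preserving full content on the newest version if it would be lost."""
        self.versions.append(Version(number, diffs_from=set(diffs_from)))
        if len(self.versions) > self.keep:
            oldest = self.versions[0]
            if oldest.full and len(self.full_versions()) == 1:
                self.build_full(self.versions[-1])
            self.versions.pop(0)
```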

Important additional information:

The HTTP proxy configuration file is located under the Policy Manager Server's data folder:
  • On Windows: <F-Secure installation folder>\Management Server 5\data\fspms.proxy.config
  • On Linux: /var/opt/f-secure/fspms/data/fspms.proxy.config
Downloaded updates are stored in the following folder:
  • On Windows: <F-Secure installation folder>\Management Server 5\data\guts2\updates
  • On Linux: /var/opt/f-secure/fspms/data/guts2/updates
Update download and serving events are logged to the fspms-download-updates.log and fspms-serve-updates.log files, which can be found under the Policy Manager Server's logs folder:
  • On Windows: <F-Secure installation folder>\Management Server 5\logs
  • On Linux: /var/opt/f-secure/fspms/logs
The list of updates needed for 12.x clients, previously stored in the AUA configuration file, is migrated to channels.json:
  • On Windows: <F-Secure installation folder>\Management Server 5\config\channels.json
  • On Linux: /opt/f-secure/fspms/config/channels.json

Updates for older clients are not downloaded if there are no clients in the environment with an AUA component of version 9.x or older.

To change the default number of versions kept in the updates cache, use the additional Java argument '-DkeepGuts2UpdatesCount=n'.

To change the default 10-minute interval for refreshing updates metadata from F-Secure, use the additional Java argument '-DupdatePollingInterval=n' (where n is in minutes).

The PMS limits the number of concurrent downloads of potentially large packages it serves to hosts (50 by default). GUTS2 archives have been added to the list of "protected" traffic types, which are now: installation packages, SWUP updates, SWUP databases and GUTS2 archives. Use '-DmaxSynchronousPackageRetrievalRequests=n' to change the default limit.

The Windows AUA is automatically uninstalled during the upgrade when it is no longer needed by other products, such as Server Security.

The Linux AUA has to be uninstalled manually if it is not needed anymore, for example for Linux Security.
