F-Secure SAFE Banking Protection blocks Outlook access to Office 365 Exchange

DougT
DougT Posts: 4 New Member

Does anyone have a solution for this problem? We are a small office with 10 SAFE licenses assigned to a mix of Mac and PC devices. The PCs are currently running Windows 7 and Office 2016 (from the Office 365 download) with SAFE 17.0 - not been prompted about the 17.1 update yet. The Macs run Sierra or High Sierra and Office 2016 with SAFE version 17.1.

On the PCs, with Banking Protection enabled, the Outlook client shows a 'not synchronised with Exchange' error a few minutes after the user opens a banking site. If you close the Banking Protection via the drop-down window at the top of the screen Outlook will find the Exchange server again and everything is normal. I'm not sure that closing the Protection is the expected/recommended response, but this is also a repetitive task that the user doesn't want.

 

I have ticked the checkbox that says 'keep my current Internet connections open' in the Banking Protection setup but this DOESN'T have any positive effect on the problem - probably because Outlook is a client that polls the server and I suspect that the polling creates a new TCP session every time it happens, so technically it is not an existing session that the checkbox is supposed to handle.

 

In fact the checkbox does work correctly because without it ticked my remote support access to the PCs fails if the user has a banking site open in the browser.

You will appreciate that knocking-out Outlook is not an ideal modus-operandi, so to get around the problem we have turned-off Banking Protection - the lesser of the not ideal solutions.

 

I have never seen the problem on my Mac running Sierra and now High Sierra and I have Banking Protection enabled.

 

Any ideas? Other than turn off Banking Protection on the PCs.

Thanks in advance.

Comments

  • Ukko
    Ukko Posts: 3,727 Superuser

    Hello,

     

    Sorry for my reply.

     

    I'm also only an F-Secure user.

    There were some topics (with unclear status of situation) with related meanings:

    Maybe good if there will be attention from F-Secure Teams.

    If there will be stuck -> maybe possible to contact direct F-Secure Support Channels (chat as example):

    https://www.f-secure.com/en/web/home_global/contact-support

    for proper certified investigation.

     

    As a potential unofficial suggestion -> I am able to think that maybe some of the subdomains or cdn-domains or servers -- which are used by this application for communications -- are not allowed/whitelisted for Banking. Based on something... and such a connection is prevented (as during a direct visit under the browser, for example).

     

    Thanks!

  • Näsäviisas
    Näsäviisas Posts: 784 Superuser
    @DougT

    MY IDEAS

    I began to think about this.
    And here are my thoughts.

    - SAFE works fine in smartphones and computers
    - in this case, Outlook server + clients
    - I know, that it is possible to create safe solutions with Outlook-server and which are working properly
    - there exist too F-Secure Business Security, for example email and server security-solutions
    - is it possible to concentrate banking operations (payments etc) only in Apples computers?
    - if you want more information about F-S Business Products, click this link
    https://www.f-secure.com/en/web/business_global/for-business

    Näsäviisas

  • DougT
    DougT Posts: 4 New Member

    Hi Ukko,

    Thanks for your response.

     

    As yet I have not tried putting the DNS of Office365 mail into the Whitelist on the Banking Protection sheet. To be honest I wasn't sure if this Whitelist/Blacklist was specific to Banking Protection or a SAFE generic one. Thinking about that statement again I'm not sure it matters if it is generic.

     

    We have just changed a staff member and the new user (new profile) reported this Outlook off-line problem. I immediately realised that we'd had this problem previously and it was due to Banking Protection. Our Bookkeepers tend to sit on banking sites (for a long time) and we are starting to use a site called Receipt-Bank, which technically is not a bank. It's an intelligent repository for business receipts, but is classed as a bank by F-Secure and this is the site that was causing the problem. So I took the quick, easy way out by applying the 'big hammer' and disabling Banking Protection!

     

    I had read the two links you forwarded, but it looks like F-Secure had not got involved in either discussion - at least not given any definitive answer.

     

    After hours this week, I'll try the Whitelist approach and see what happens.

    Thanks again.

  • DougT
    DougT Posts: 4 New Member

    Hi Näsäviisas,

    Thanks for your input.

     

    Please see my reply to Ukko as further background.

    I wish I could get rid of the W7 box for a Mac :) but no budget for that currently.

     

    I am also aware that we are using a home type solution (SAFE) in a small business environment, but whilst we are only 5 people it is a good, cost-effective solution for both business and home machines.

     

    Fully appreciate your input.

  • Hi DougT,

     

    Thank you for the detailed explanation of the issue noticed. I have brought your post to our Product team's notice.

  • DougT
    DougT Posts: 4 New Member

    Hi Laksh,

    Thanks for picking-up on the problem. I had a chat/email conversation with Support yesterday and the following dialog (taken from the emails) may be of use. Otherwise I look forward to the Product team response.

    I do realise that we are using a home solution, SAFE in a small business environment. This may not help the situation as business users operate differently to home users specifically in their tendency to sit on banking sites and do other things concurrently.

     

    Support:

    Thank you for contacting F-Secure.
    As discussed, kindly use the below step to disable F-Secure Banking Protection.
    Launch the F-Secure Safe > Settings > Yes (allow to make changes) > Banking Protection > Untick Do not Interrupt my active internet connections. Then click Ok.

    Please note that this step only applies to consumers. If you are a corporate customer, this is not the appropriate step for you.

    What is Banking Protection and how does it work?
    https://community.f-secure.com/t5/F-Secure-SAFE/What-is-Banking-Protection-and/ta-p/77887

     

    My Response:

    Please can I ask a point of clarification?

    I was sure that the “Do not interrupt my active Internet connections” needs to be ticked, because this tick box ensures that any current/active sessions are maintained.

     

    For example: I use Citrix GoToAssist technology (now owned by LogMeIn) to perform remote support access to users’ devices both in/out-of-hours. GoToAssist continuously polls the Citrix connection server with https:// packets at an interval < the default TCP timeout period to keep a session alive and show that access is available (a bit like VoIP phones poll their SIP server, only they use UDP primarily). If I untick the box then I lose the remote access link when the user has Banking Protection active. If I tick the box I can still get remote access because the session is created when the PC boots.

     

    The description you point me to says:

    On the PC, Banking Protection offers an elevated level of security. Once you have started an online banking session and Banking Protection mode has been activated, Banking Protection disconnects all untrusted applications from the Internet and prevents them from reconnecting while on a trusted banking site. Blocking connections prevents hijacking of your banking sessions keeping your money safe. You can also only access websites that are considered safe during a banking session, otherwise they get blocked.

     

    Now [one] can create a Whitelist of valid websites to be permitted with Banking Protection active, and this may work for GoToAssist with https:// session, but Outlook is running in the background and talking with servers using IMAP/MAPI protocol. So, the Whitelist may work with entries as http:// or https:// but not with Outlook.

     

    Hence the current solution of either disable banking Protection on Windows machines or use a Mac (which doesn’t suffer the problem) looks like the only answer.

This discussion has been closed.