OPTIMIZE MALWARE DEFINITIONS FOR ISOLATED NETWORKS

Hi girls and guys,

 

I'm back with this question, could you help me identify the channels that I use for my network clients? I must specify that I work with FSSS 12.11 and FSCS 13.10 managed by FSPM 13.10.

 

In the admin Guide it's written as below:

 

'conf\channels.json: this contains a list of the channels to be updated. By default, it includes updates for all the supported clients managed by Policy Manager, so we recommend that you leave only those that are necessary for your environment.'

 

Help me!

 

Best regards

 

--

Philipp

From France

Comments

  • Vad Posts: 1,050 F-Secure Employee

    Hello Philipp,

     

    For FSCS 13.10 Standard you will need to have:

    aquarius-win32 (for 32bit OS)

    aquarius-win64 (for 64bit OS)

    deepguard-db

    hydra-win32

    hydra-win64

    lynx-win32

    lynx-win64

    ols-win32

    ols-win64

    sidegrade

    ulcore-win32

    ulcore-win64

    ulupdater-win32

    ulupdater-win64

    uss-win32

    uss-win64

    virgo-win32

    virgo-win64

     

    For FSCS 13.10 Premium you will need to have:

    fsoftupd

    channel in addition.

     

    For FSSS Standard 12.11 you will need to have:

    aquawin32

    avmisc

    fsav_1100_bin

    gemdb

    hipsn

    hydrawin

    mlcwin

    nifbin

    orsp-win-v2

     

    Again for Premium version you will need to have:

    fsoftupd

    channel in addition.

     

    Best regards,

    Vad

  • etomcat Posts: 1,318 Superuser

    Hello,

    > ISOLATED NETWORKS

    There is a knowledge base article:

     

    Using archives to update malware definitions

    https://community.f-secure.com/t5/Business/Using-archives-to-update-malware/ta-p/102979

     

    Best Regards: Tamas Feher, Hungary.

  • Thanks a lot Vad,

     

    Where does your information come from? I'd like to know where I can find information about which channel is needed for which application!

     

    Anyway, great thanks for your reply

     

    Best regards

     

    --

    Phil

    France

  • Thanks Tamas,

     

    I had read it before asking my question; my question of the day is how I can download the thinnest archive for my isolated network.

     

    Great thanks anyway

     

    --

    Phil

    France

  • Hi,

     

    could you tell me where this information comes from?

     

    Best regards

     

    --

    Phil

    France

     

  • Vad Posts: 1,050 F-Secure Employee

    Hello Phil,

     

    I guess there is no official document. But if you have a machine with the Business Suite product installed (and connected to PM, which has all DB updates), you can find the list of the channels used by the client product as a set of sub-folders in the folder c:\ProgramData\F-Secure\FSAUA\content\ for 12.x clients, or in the folder c:\ProgramData\F-Secure\FSAUA\guts2\ for 13.x clients. One exception to this is the "sidegrade" channel, which is not present in this set, as it is used only in the pre-installation phase.

    Note that the set is different for 32-bit and 64-bit Windows for 13.x BS clients.

     

    Best regards,

    Vad

     

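One way to turn the client folder listing Vad describes into a trimmed channels.json, as an added example that is not part of this thread and not an F-Secure tool. It assumes channels.json is a plain JSON list of channel names (the real format is not shown in the thread), builds a constructed 13.x client layout in a temporary directory instead of reading c:\ProgramData\F-Secure\FSAUA\, and always keeps "sidegrade" because it never appears as a client folder; every client type in use (32-bit, 64-bit, Standard, Premium) must be given as a reference root or its channels are wrongly reported as droppable.

```python
import json
import os
import tempfile

# Vad: channel folders live under FSAUA\guts2\ (13.x clients) or FSAUA\content\ (12.x clients).
CLIENT_CHANNEL_DIRS = ("guts2", "content")
# Used only in the pre-installation phase, so it never shows up as a client folder.
ALWAYS_KEEP = {"sidegrade"}


def observed_channels(fsaua_root):
    """Sub-folder names under <fsaua_root>/guts2 and /content, i.e. channels the client pulls."""
    found = set()
    for sub in CLIENT_CHANNEL_DIRS:
        path = os.path.join(fsaua_root, sub)
        if os.path.isdir(path):
            found.update(d for d in os.listdir(path) if os.path.isdir(os.path.join(path, d)))
    return found


def needed_channels(client_roots, premium=False):
    """Union of channels seen on every reference client, plus sidegrade (and fsoftupd for Premium)."""
    needed = set(ALWAYS_KEEP)
    for root in client_roots:
        needed |= observed_channels(root)
    if premium:
        needed.add("fsoftupd")  # Vad: Premium editions need the fsoftupd channel in addition
    return needed


def prune_channels(channels_json_text, needed):
    """Split a channels.json (assumed: JSON list of names) into kept, dropped and missing channels."""
    configured = json.loads(channels_json_text)
    kept = [c for c in configured if c in needed]
    dropped = [c for c in configured if c not in needed]
    missing = sorted(needed - set(configured))  # needed but absent: clients would stop updating
    return kept, dropped, missing


def demo():
    """Constructed sample: one 64-bit 13.x Standard client and a default-style channels.json."""
    with tempfile.TemporaryDirectory() as tmp:
        for ch in ("aquarius-win64", "deepguard-db", "hydra-win64"):  # constructed, not a real install
            os.makedirs(os.path.join(tmp, "guts2", ch))
        config = json.dumps(["aquarius-win32", "aquarius-win64", "deepguard-db",
                             "hydra-win64", "sidegrade", "fsoftupd"])
        return prune_channels(config, needed_channels([tmp], premium=False))


if __name__ == "__main__":
    kept, dropped, missing = demo()
    print("keep:", kept, "\ndrop:", dropped, "\nmissing:", missing)
```

In the constructed run, aquarius-win32 lands in "drop" only because no 32-bit client was given as a reference root, which is exactly the 32/64-bit caveat Vad raises.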
  • hi,

     

    Great thanks for your answer, that's a first step towards my objective, I've probably not explained it enough!

     

    In fact, my ultimate step will be to identify which modules depend on which channels, and the reverse. :)

     

    Best regards

     

    --

    Phil

    France

  • MJ-perComp Posts: 1,098 Superuser

    Hi,

    honestly this is a dangerous idea you are following (or an obsolete one). Why?

    1) If the systems are in an isolated network, where does the threat come from? If from "removable media", you could easily check them on a non-isolated system.

    2) The detection rate for an isolated system only doing a manual scan is around 70% for new (first seen) malware, maybe even worse.
    To compensate for that, F-Secure has added DeepGuard and other modules (and you should have all of them activated in an isolated network).
    BUT by their generic detection mechanisms they cause false positives or even false negatives. Again F-Secure compensates here using its Reputation network, allowing it to double-check the finding against a global database using the ORSP client. But that requires being online.

    3) Without a direct connection to a PM the client will not be aware of a rollback or emergency update, and without an online connection the client is not able to handle false positives efficiently.


    So you see F-Secure is not designed for such an environment. (And none of the competitors is either.)


    Now what can you do?

     

    If you have a very stable installation on the clients with only rare changes, and no one is allowed to bring in new installations, you could use F-Secure without an online connection (ORSP), but you have to test the clients' functionality after each update, especially those that are connected to DeepGuard.

    Updating a client, even with an "isolated" copy of the "outside" PM, is not very well documented. We have just started with the new GUTS2 updating mechanism and I have no clue if a copy of the repository would work.

    All in all you will end up with pretty regular and complex manual work to get updates to the clients, combined with a severe loss in detection rates and reliability. Maybe you could use removable media that you mount on the outside PM, start that PM, let it update the media, stop that PM, move the media to the "isolated" PM, mount it there and start that PM again. But you still lack online reputation.

     

     

This discussion has been closed.