OPTIMIZE MALWARE DEFINITIONS FOR ISOLATED NETWORKS
Hi girls and guys,
I'm back with this question: could you help me identify the channels that I use for my network clients? I must specify that I work with FSSS 12.11 and FSCS 13.10 managed by FSPM 13.10.
In the admin guide it is written as below:
'conf\channels.json: this contains a list of the channels to be updated. By default, it includes updates for all the supported clients managed by Policy Manager, so we recommend that you leave only those that are necessary for your environment.'
For FSCS 13.10 Standard you will need to have:
aquarius-win32 (for 32bit OS)
aquarius-win64 (for 64bit OS)
For FSCS 13.10 Premium you will need to have:
channel in addition.
For FSSS Standard 12.11 you will need to have:
Again for Premium version you will need to have:
channel in addition.
> ISOLATED NETWORKS
There is a knowledge base article:
Using archives to update malware definitions
Best Regards: Tamas Feher, Hungary.
I guess there is no official document. But if you have a machine with the Business Suite product installed (and connected to PM, which has all DB updates), you can find the list of the channels used by the client product as a set of sub-folders in the folder c:\ProgramData\F-Secure\FSAUA\content\ for 12.x clients, or in the folder c:\ProgramData\F-Secure\FSAUA\guts2\ for 13.x clients. One exception to this is the "sidegrade" channel, which is not present in this set, as it is used only in the pre-installation phase.
Note that the set is different for 32-bit and 64-bit Windows for 13.x BS clients.
Honestly, this is a dangerous idea you are following (or an obsolete one). Why?
1) If the systems are in an isolated network, where does the threat come from? If from "removable media", you could easily check them on a non-isolated system.
2) The detection rate for an isolated system only doing a manual scan is around 70% for new (first seen) malware, maybe even worse.
To compensate for that, F-Secure has added Deepguard and other modules (and you should have all of them activated in an isolated network).
BUT by their generic detection mechanisms they cause false positives or even false negatives. Again, F-Secure compensates here using its Reputation network, allowing it to double-check the finding against a global database using the ORSP-Client. But that requires being online.
3) Without a direct connection to a PM the client will not be aware of a rollback or emergency update, and without an online connection the client is not able to handle false positives efficiently.
So you see F-Secure is not designed for such an environment. (And none of the competitors is either.)
Now what can you do?
If you have a very stable installation on the clients with only rare changes, and no one is allowed to bring in new installations, you could use F-Secure without an online connection (ORSP), but you have to test the clients' functionality after each update, especially those that are connected to Deepguard.
Updating a client, even with an "isolated" copy of the "outside" PM, is not very well documented. We have just started with the new GUTS2 updating mechanism and I have no clue if a copy of the repository would work.
All in all you will end up with pretty regular and complex manual work to get updates to the clients, combined with a severe loss in detection rates and reliability. Maybe you could use removable media that you mount on the outside PM, start that PM, let it update the media, stop that PM, move the media to the "isolated" PM, mount it there and start that PM again. But you still lack online reputation.