Linux Security 64 Change Log
Linux Security 64 Beta Release Notes
Major Features in this Release
This is a beta release of Linux Security 64. This release introduces a new on-access scanner for continuous protection against viruses and potentially unwanted applications. In addition, Linux Security 64 features a system integrity checker for protection against unauthorized system modifications. The product also supports manual scanning of files.
Supported Platforms
Linux Security 64 supports the following Linux distributions:
- CentOS 7
- RHEL 7
- Oracle Linux 7
- Amazon Linux 2.0
- Debian 9
- Ubuntu 16.04
- Ubuntu 18.04
Dependencies
Linux Security 64 requires the following packages to be installed before installing the product:
CentOS, RHEL, Oracle Linux, and Amazon Linux
- fuse-libs
- libcurl
- python
Debian and Ubuntu 16.04
- libfuse2
- libcurl3
- python
Ubuntu 18.04
- libfuse2
- libcurl4
- python
Installation
Installing Linux Security 64 happens by first creating an installation package using Policy Manager and installing the product from the newly-created installer on the target machine.
Please, note that you will need the Policy Manager version 14.20 to be able to install and manage Linux Security 64.
-
Configure the Policy Manager Server to use F-Secure beta GUTS2 server:
- Log into a host with Policy Manager Server 14.20.
- Stop Policy Manager Server by running
systemctl stop fspms. - Remove everything from
/var/opt/f-secure/fspms/data/guts2/. - Open file
/etc/opt/f-secure/fspms/fspms.confand add-Dguts2ServerUrl=<A href="http://guts2tp.sp.f-secure.com" target="_blank" rel="noopener noopener noreferrer">http://guts2tp.sp.f-secure.com</A>to additional_java_args config parameter. - Start Policy Manager Server by running
systemctl start fspms
-
Create the installation package:
- In Policy Manager Console, select Tools > Installation Packages from the menu. This opens the Installation Packages window.
- Click import.
- Select Linux Security installation package you want to use and click Import.
- Select the imported installation package in the packages list and click Export.
- Specify a name and a folder for the exported zip file. A Remote Installation Wizard window will appear.
- Click Next.
- Enter your license keycode for the product and click Next.
- Adjust the address of your Policy Manager Server and it’s HTTP and HTTPS ports if you need and click Finish.
-
Copy the exported zip file to the Linux host in your network.
-
Install the product:
- Log into the Linux host as root.
- Make sure you have the prerequisites installed (refer to dependencies section above).
- Extract the zip file into an empty directory.
- Run the following command:
bash f-secure-linuxsecurity/f-secure-linuxsecurity-installer - Read and accept the license terms when prompted.
- After the installation process finishes, Policy Manager Console will shortly show the Linux host in Pending hosts list.
Uninstallation
You can uninstall the product from the command line.
- Log in to the Linux host as root.
- Run the uninstallation command:
- RHEL-based distributions:
rpm -e f-secure-linuxsecurity - Debian-based distributions:
dpkg -r f-secure-linuxsecurity
Known Issues
- CSLP-3285: Manual and scheduled scanning are present on the GUI but currently are not operational. You can use the “fsanalyze” command to perform manual scanning from the command line.
- CSLP-3288: Fsdiag generation does not work from the GUI. Use the command-line tool directly on the node, instead.
- CSLP-3286: The update service currently does not generate alerts in case of failures.
- CSLP-3291: Service status and statistics are currently not displayed in the policy manager UI.
- CSLP-3289: Alerts are not mirrored in the system log.
- CSLP-3292: Specifying special files or files in /proc and /sys in manual scanning may hang the product.
- CSLP-3293: Debian-based systems are shown as "Unknown" in the Policy Manager Console.
- CSLP-3309: Uninstall leaves 'fsaccd' process running. As a workaround, kill the fsaccd main process manually.
A re-install will fail if the process is still running.
Comments
-
We will be very disappointed if you can't install and use the command line client without having a Policy Manager. What we do is install the single client and programmatically do manual command line scans on the server (then we process and store the output from the scanner). We don't need on-access or integrity checking functionality (surely this can be turned off?). I hope it will be possible to purchase single licenses like before.
0 Like -
At the moment of release, it will not be possible to use LS64 with no PM.
Soon after, it might be possible, but to prepare installer you will have to use PM at least once.
Also, we are not going to have cheap command-line only license any more, it is bad business for us. You will have to purchase Client or Server Edition.
For the use case of "just scanning", we are going to release new version of Scanning and Reputation Server/Service that can be used unattended.
0 Like -
F-Secure Linux Security 64 RTM Release Notes
F-Secure Linux Security 64 provides an integrated, out-of-the-box security solution with strong real-time protection against viruses and potentially unwanted applications. It also includes host intrusion prevention (HIPS) functionality that provides protection against unauthorized system modifications, userspace and kernel rootkits. The solution can be easily deployed and managed using F-Secure Policy Manager.
Main features in this release
- New on-access scanner for continuous protection.
- New system integrity checker for protection against unauthorized system changes.
- Support for manual scanning of files.
- Configurable automatic updates.
- Support for management using F-Secure Policy Manager.
Supported platforms
Linux Security 64 supports the following Linux distributions:
- CentOS 7
- RHEL 7
- Oracle Linux 7
- Amazon Linux 2.0
- Debian 9
- Ubuntu 16.04
- Ubuntu 18.04
Dependencies
Linux Security 64 requires the following packages to be installed before installing the product:
CentOS, RHEL, Oracle Linux, and Amazon Linux
- fuse-libs
- libcurl
- python
Debian and Ubuntu 16.04
- libfuse2
- libcurl3
- python
Ubuntu 18.04
- libfuse2
- libcurl4
- python
Installation
To install Linux Security 64, you first need to create an installation package using Policy Manager, then use that installation package to install the product on the target machine.
Note that you will need Policy Manager version 14.20 to install and manage Linux Security 64.
- Create the installation package:
- In Policy Manager Console, select Tools > Installation packages from the menu. This opens the Installation packages window.
- Click Import.
- Select the Linux Security installation package you want to use and click Import.
- Select the imported installation package in the packages list and click Export.
- Specify a name and a folder for the exported zip file. A Remote Installation Wizard window will appear.
- Click Next.
- Enter your license keycode for the product and click Next.
- Adjust the address of your Policy Manager Server and its HTTP and HTTPS ports if necessary, then click Finish.
-
Copy the exported zip file to the Linux host in your network.
- Install the product:
- Log into the Linux host as
root. - Make sure that you have the prerequisites installed (refer to the dependencies listed above).
- Extract the zip file into an empty directory.
- Run the following command:
bash f-secure-linuxsecurity/f-secure-linuxsecurity-installer - Read and accept the license terms when prompted.
- After the installation process finishes, Policy Manager Console will shortly show the Linux host in Pending hosts list.
- Log into the Linux host as
Uninstallation
You can uninstall the product from the command line.
- Log in to the Linux host as
root. - Run the uninstallation command:
- RHEL-based distributions:
rpm -e f-secure-linuxsecurity - Debian-based distributions:
dpkg -r f-secure-linuxsecurity
- RHEL-based distributions:
Known Issues
- CSLP-3319: Manual scanning cannot be invoked from Policy Manager Console.
- CSLP-3320: Scheduled scanning reports do not contain checksums of the detected files.
- CSLP-3321: Scheduled scanning reports do not contain engine names and versions.
- CSLP-3322: Command-line and scheduled scanning also applies malware actions to files that are part of integrity checker baseline.
- CSLP-3323: Manual channel updates cannot be triggered from Policy Manager Console.
- CSLP-3289: All alerts are not mirrored in the system log.
- CSLP-3327: Removing the product does not stop or remove f-secure-linuxsecurity-scand service.
1 1Like -
Dear Sirs,
I would like to understand how this tiny, 3MB sized "F-Secure 64 for Linux Security" package is able to meet or exceed the anti-virus and other protective capabilities of the previous, almost 200MB sized "FSAV Linux Security 11.10.68" package?
Thanks in advance, Yours Sincerely:
Tamas Feher, Hungary.0 Like -
F-Secure Linux Security 64 Update 12.0.35 Release Notes
Change Log
- CSLP-3327: Uninstalling Linux Security 64 now properly stops and removes all the associated services.
- CSLP-3289: Alerts are now visible in system log.
Known Issues
- CSLP-3319: Manual scanning cannot be invoked from Policy Manager Console.
- CSLP-3320: Scheduled scanning reports do not contain checksums of the detected files.
- CSLP-3321: Scheduled scanning reports do not contain engine names and versions.
- CSLP-3322: Command-line and scheduled scanning also applies malware actions to files that are part of integrity checker baseline.
- CSLP-3323: Manual channel updates cannot be triggered from Policy Manager Console.
1 1Like -
F-Secure Linux Security 64 Update 12.0.39 Release Notes
Change Log
- CSLP-3346: Fix issue where updates were not properly registered as installed.
Known Issues
- CSLP-3319: Manual scanning cannot be invoked from Policy Manager Console.
- CSLP-3320: Scheduled scanning reports do not contain checksums of the detected files.
- CSLP-3321: Scheduled scanning reports do not contain engine names and versions.
- CSLP-3322: Command-line and scheduled scanning also applies malware actions to files that are part of integrity checker baseline.
- CSLP-3323: Manual channel updates cannot be triggered from Policy Manager Console.
0 Like -
F-Secure Linux Security 64 Update 12.0.52 Release Notes
Change Log
- Added support for Red Hat Enterprise Linux 8 and Suse Linux Enterprise Server 12.
- Configuration changes done via Policy Manager now applied more rapidly to Linux Security 64 installations.
- Miscellaneous bug fixes.
Known Issues
- CSLP-3319: Manual scanning cannot be invoked from Policy Manager Console.
- CSLP-3320: Scheduled scanning reports do not contain checksums of the detected files.
- CSLP-3321: Scheduled scanning reports do not contain engine names and versions.
- CSLP-3322: Command-line and scheduled scanning also applies malware actions to files that are part of integrity checker baseline.
- CSLP-3323: Manual channel updates cannot be triggered from Policy Manager Console.
1 1Like -
The Linux Security 64 product consists of sub-components that get software updates independently from main product updates.
To follow all the changes in the product, subscribe to the components' own change log threads:
1 1Like -
Change Log
- CSLP-3462: Fixed a crash in f-secure-linuxsecurity-scand.service that occurs during the scheduled scanning when scanned files have invalid UTF-8 codepoints in their file names.
- CSLP-3468: The amount of skipped files (scan errors) has been limited to 1000 in the scheduled scan report to avoid sending too long scan reports to Policy Manager.
- CSLP-3465: Removed the EULA acceptance prompt during the installation.
- CSLP-3485: Allow a regular user to run fsanalyze.
1 1Like -
New Linux Security 64 installation package has been released. The new installation package adds support for using Linux Security 64 in stand-alone deployments. The new installation package requires Policy Manager version 14.30 or newer. The previous installation package is still available for users with older Policy Manager versions.
The new installation package can be found from the downloads page.
0 Like -
New Linux Security 64 Update has been released. This update includes the following changes:
Change Log
- CSLP-3561: Fixed scheduled scanner issue with renaming and deleting harmful files as a non-root user in directories with the sticky bit set.
- CSLP-3356: To support isolated environments with restricted network connectivity, Linux Security 64 can now also be activated by using content stored on the file system (without downloading data over the network), and automatic product and virus definition database updates over the network can be disabled at installation time.
- CSLP-3614: Fix memory leak in scheduled scanning service.
- Added support for Policy Manager Proxies.
- Added support for stopping/starting all the services related to the product.
- Linux Security 64 now prevents locally changing settings that are marked as locked in Policy Manager.
- Miscellaneous enhancements and bug fixes.
Known Issues
- CSLP-3651: Product installation may fail with errors about installing databases when installing the product using a content package. As a workaround, try uninstalling the product as instructed in the Uninstalling the product section of the User Guide and retry the installation.
- The
offline-updateprogram will always install all product updates immediately, regardless of any customizations made in the product configuration to the schedule for installing updates.
1 1Like -
New Linux Security 64 Update has been Released (2020-04-16)
New BaseGuard Update (1.0.417) has been released. BaseGuard is part of Linux Security 64. This update includes the following changes:
- CSLP-3663: Fix an engine update failure where retrying an update may remove the engine files and cause scan service disruption.
- CSLP-3659: Fix an issue where certain valid licenses were not recognized.
- CSLP-3651: Fix an issue where isolated installation could fail to install databases.
- Miscellaneous enhancements and bug fixes.
0 Like -
New Linux Security 64 Update has been Released (2020-04-29)
New BaseGuard (1.0.429) and Linux Security 64 (12.0.146) updates have been released. BaseGuard is part of Linux Security 64. These updates include the following changes:
- CSLP-3670: Fixed security issues related to the Vulnerability Reward Program.
- Miscellaneous enhancements and bug fixes.
0 Like -
New Linux Security 64 Update has been Released (2020-07-16)
New Linux Security 64 (12.0.189) and BaseGuard (1.0.458) updates have been released. BaseGuard is part of Linux Security 64. These updates introduces the following changes:
- CSLP-3550: Linux Security 64 installations can now be managed using PSB portal. When Linux Security 64 is installed in PSB managed mode, PSB portal can be used to modify product configuration, inspect device status and initiate various remote operations on the client.
- CSLP-3720: Fixed an issue where content packages created using the Windows version of Policy Manager were incompatible with Linux Security 64.
- CSLP-3707: Linux Security 64 can now be installed on Debian 9 and Debian 10 systems running the “default” SELinux policy. This extends our existing SELinux support for the “targeted” SELinux policy on Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, CentOS 7, CentOS 8, and Oracle Linux 7. Please note that installing the product on Debian 9 and Debian 10 systems running SELinux requires the use of the latest product installation package. You can download the latest installation package at https://www.f-secure.com/fi/business/downloads/linux-security-64
- Added support for Ubuntu 20.04 and Oracle Linux 8.
0 Like -
New Linux Security 64 Update has been Released (2020-08-05)
New Linux Security 64 (12.0.191) and BaseGuard (1.0.462) updates have been released. BaseGuard is part of Linux Security 64. These updates introduces the following changes:
- CSLP-3728: Fix an engine update failure where retrying an update may remove the engine files and cause scan service disruption.
- CSLP-3735: Fix an issue in management server that prevented certain settings from being set using lsctl command.
- Miscellaneous enhancements and bug fixes.
0 Like -
New Linux Security 64 Update has been Released
A new BaseGuard update (1.0.482) and a new FSBG update (1.0.471) have been released. BaseGuard and FSBG are part of Linux Security 64. This update includes the following changes:
- CSLP-3722: Rapid Detection and Response functionality was added (see below).
- CSLP-3542: Optimized performance when on-access scanning and integrity checking are turned off.
- CSLP-3780: Fixed an issue where large number of mount points could cause product to stop working.
- CSLP-3661: Fixed an issue where system could get stuck during shutdown if a particular autofs & NFS configuration was used.
- Miscellaneous enhancements and bug fixes.
Rapid Detection and Response Support
Requirements
RDR functionality requires the auditd service to be installed and running on the system. Please, see known issues below.
Licensing
Please, use "PSB Server Protection Premium + RDR" subscription in order to deploy Linux Protection with RDR.
Supported systems
The compatibility list is the same as for Linux Protection with exclusions. The following Linux distributives are not supported due to RDR sensor incompatibility:
- SLES 12 SP 5
- SLES 15
- Ubuntu 20.04
- Oracle Linux with UEK kernel
Known issues
- It is required to install, enable and start the auditd package on your system before installing Linux Protection with RDR. Without auditd, RDR sensor installation will fail. If RDR sensor installation fails, an error like this will be printed to the system journal:
"Sep 29 14:07:37 localhost fsbg[6692]: update installation failed: /sensor/1601277158"
It is possible to fix the failed sensor installation by installing auditd and running the command
"/opt/f-secure/baseguard/bin/update $(/opt/f-secure/baseguard/bin/update --list | grep sensor | cut -d ' ' -f 1)";
- On Debian 10 with SELinux enabled the RDR sensor and auditd can fail in some configurations
- It is recommended to test the RDR sensor on the expected workload before deploying it into production, especially in network-heavy applications
0 Like -
New Linux Security 64 Update has been released
New BaseGuard (1.0.506) and FSBG (1.0.482) updates have been released. BaseGuard and FSBG are part of Linux Security 64. This update includes the following changes:
- CSLP-3801: Setting changes made on the PSB Portal now take effect immediately.
- CSLP-3802: Fixed an issue where Linux Security 64 installation would be named as UNKNOWN in the Policy Manager if the machine did not have a DNS name assigned to it.
- CSLP-3803: Fixed permissions on the Policy Manager certificate file
- CSLP-3804: Fixed an issue where ICAP service cache was stored in the wrong directory.
- CSLP-3806: Fixed in issue where scanning certain archives would result in an error.
- Miscellaneous enhancements and bug fixes.
0 Like -
New Linux Security 64 Update has been released
New Linux Security 64 (12.0.206), FSBG (1.0.491), and BaseGuard (1.0.508) updates have been released. FSBG and BaseGuard are part of Linux Security 64. These updates include the following changes:
- CSLP-3727: Add support for installing a specific version of the product using the --product-version installer option. This is currently only supported for Policy Manager managed Linux Security 64 installations. Using --product-version option requires that the version 2.0.25 (or later) of the Linux Security 64 Policy Manager installation package is used. Please note that using this feature requires that the machine where the product is installed is able to contact fsapi.com domain.
- CSLP-3797: Fix an issue where reinstalling the product with a different management mode would result in an error.
- Miscellaneous enhancements and bug fixes.
0 Like -
New pinnable Linux Security 64 version is available
New pinnable Linux Security 64 version "linuxsecurity-2020_1" has been released. Product version pinning enables Linux Security 64 installation to be locked to a specific version of the product. When product version has been pinned the installation will still receive new engine & definition updates. Linux Security 64 supports product version pinning when managed by Policy Manager.
Each pinnable product version has an associated expiration date after which the version will no longer be supported. For "linuxsecurity-2020_1" the expiration date is 2021-11-23T09:00:00Z.
"linuxsecurity-2020_1" contains the following components:
- Linux Security 64 version 12.0.206
- FSBG version 1.0.491
- BaseGuard version 1.0.508
To learn more about product version pinning refer to the "Configuring automatic update options with Policy Manager" section of the Linux Security 64 manual
0 Like -
New Linux Security 64 update has been released
New BaseGuard (1.0.525) and FSBG (1.0.499) updates have been released. BaseGuard and FSBG are part of Linux Security 64. This update includes the following changes:
- CSLP-3875: Real-time scanning now correctly excludes efivars file system.
- CSLP-3876: Fixed an issue where all on-access file scans would fail after a timeout.
- CSLP-3874: Fixed an issue where service restarts could cause Linux Security 64 to report licensing related errors when scanning files.
- CSLP-3810: Fixed an issue where errors from fsbg-statusd would sometimes show up in journal during updates.
0 Like -
New Linux Security 64 update has been released
New Linux Security 64 (12.0.213) update has been released. This update includes the following changes:
- CSLP-3708: Added a new lsctl load sub-command for restoring settings. The load sub-command differs from the preexisting set sub-command in that in the case values for some settings are omitted, load will set them to their default values. This can be useful when restoring settings from a backup made with an earlier version of the product that might not contain all the settings present in the current version of Linux Security 64.
- Miscellaneous enhancements and bug fixes.
0 Like -
New Linux Security 64 update has been released
New Linux Security 64 (12.0.222), BaseGuard (1.0.532) and FSBG (1.0.508) updates have been released. BaseGuard and FSBG are part of Linux Security 64. This update includes the following changes:
- CSLP-3832: Support disabling Linux Security 64 in a persistent way.
- CSLP-3855: Support basic authentication with proxies.
- CSLP-3883: Fixed an issue where enabling archive scanning for real-time scanning could cause slowness.
- Miscellaneous enhancements and bug fixes.
0 Like -
New Linux Security 64 update has been released
New BaseGuard (1.0.536) and FSBG (1.0.513) updates have been released. BaseGuard and FSBG are part of Linux Security 64. This update includes the following changes:
- CSLP-3898: Fixed a compatibility issue with certain external HTTP proxies.
- Miscellaneous enhancements and bug fixes.
0 Like -
New pinnable Linux Security 64 version is available
New pinnable Linux Security 64 version "linuxsecurity-2021_1" has been released. Product version pinning enables Linux Security 64 installation to be locked to a specific version of the product. When the product version has been pinned the installation will still receive new engine and definition updates. Linux Security 64 supports product version pinning when managed by Policy Manager.
Each pinnable product version has an associated expiration date after which the version will no longer be supported. For "linuxsecurity-2021_1" the expiration date is 2022-03-08T09:00:00Z.
"linuxsecurity-2021_1" contains the following components:
- Linux Security 64 version 12.0.222
- FSBG version 1.0.513
- BaseGuard version 1.0.536
To learn more about product version pinning refer to the "Configuring automatic update options with Policy Manager" section of the Linux Security 64 manual
5 Like -
New Linux Security 64 update has been released
New Linux Security 64 (12.0.242), BaseGuard (1.0.555) and FSBG (1.0.532) updates have been released. BaseGuard and FSBG are part of Linux Security 64. This update includes the following changes:
- CSLP-3571: Added a new status sub-command to lsctl command-line utility. Status sub-command makes it possible to inspect the state of the product and see various statistics related to scanning.
- CSLP-3892: Improve handling of sensitive setting values in lsctl command-line utility. Lsctl will now warn when sensitive setting values have been omitted from its output.
- CSLP-3888: Support scheduling the product to be automatically activated on the next boot. This feature can be useful in scenarios where Linux Security 64 is included in a virtual machine template that can be cloned and instantiated multiple times. By scheduling the activation to only happen when a new virtual machine is booted, each virtual machine can be activated separately. This feature requires the use of the latest Linux Security 64 installer.
- CSLP-3900: Improved the robustness of product activation. If product activation fails unexpectedly, it should now be possible to simply try activating the product again without the need to first manually uninstall the product. These improvements require the use of the latest Linux Security 64 installer.
- CSLP-3927: Fixed a performance issue where write-heavy loads could make on-access scanning unresponsive.
- CSLP-3928: Optimize integrity checker by skipping the scanning of files that have not been modified.
- CSLP-3916: Updated OpenSSL to 1.1.1k
- CSLP-3891: Fixed an issue where unexpected SIGPIPE signals could lead to service failures.
- Miscellaneous enhancements and bug fixes.
0 Like -
New Linux Security 64 installer package for Policy Manager has been released
New Linux Security 64 installer package for Policy Manager 15.20 has been released. This release adds support for including initial policy directly into the installation package.
When the policy is included directly into the installation package, it can be taken into use even before the client has contacted Policy Manager for the first time. This kind of early configuration can be useful for specifying settings that affect connectivity with Policy Manager.
The new installer requires the use of Policy Manager version 15.20 or greater. The new installer package along with our existing installers can be found from the downloads page.
Known Issues
When exporting an installer for setting up standalone Linux Security 64 installations (installations that will not be connected to the policy manager), please note that the included policy may contain settings which are marked as locked in the policy manager console. These settings cannot be changed locally after the product has been installed. Specifically, the setting "Allow user to unload the products" will always be locked.
1 1Like
