FS Server security slowing down/preventing windows update

Hi, 

 

as long as I remember, I've had problems with F-secure products and windows updates (10+ years). 
For now example, I'm trying to update 2020-01 Cumulative for Win Server 2016 and it's been sitting in 0% for couple of hours while fssm32 hogs up all the CPU.

 

Is there ever going  to be any change on this by F-secure? (maybe test the updates released by microsoft?)

If not, is there a list of locations that should be excluded from F-secure to succesfully install updates? 
I know this is a really really really bad choice, but I'm getting desperate.

krisvdv

Comments

  • hyvokarhyvokar Posts: 167

    Yet again, waited 4+ hours to update to finish, but it was stuck at 37% for another couple of hours. 
    Once again, disabled all the FS services, stoppped remaining FS processes and update finished immediatly.

     

    pls advice. Pointles to do this every month for dozens of servers.

  • MonikaLMonikaL Posts: 106 Moderator

    Hi hyvokar,

     

    If you are using F-Secure Server Security version 12.x, a hotfix has been created to address this issue with the product. The hotfix is available in F-Secure Server Security public web "Support and downloads" pages under "Hotfixes" section.

     

    https://www.f-secure.com/en/business/downloads/server-security

     

    Proceed to select 12.12 tab and download the F-Secure Server Security (Standard & Premium) 12.x FSAV Hotfix.

     

    Regards,
    Monika

  • hyvokarhyvokar Posts: 167

    Hi, 

     

    thank you for your reply.

    That hotfix has already been applied to all our servers last year. No help.

  • VadVad Posts: 1,055 F-Secure Employee

    Hello hyvokar,

     

    First of all, we would recommend to upgrade your product to SS 14 version.

    If this is not possible, then the workarounds, which may help are:

    1. Recommended exclusions.

    2. Turning off DeepGuard advanced process monitoring feature.

    You can also try with DeepGuard fully turned off, but this is not recommended approach.

     

    Best regards,

    Vad

  • MJ-perCompMJ-perComp Posts: 1,098 Superuser
    "Recommended Exclusions"?
    F-Secure's recommendation is to NEVER set any exclusion except for debugging or temporary workaround!
    And to be more painful: This is a very bad UX for any new customer using the trials on any Windows platform (server and client).
    The product must work out of the box!
    my2ct
  • hyvokarhyvokar Posts: 167

    Unfortunately we cannot still upgrade to 14, since the change with the firewall is quite monumental.
    As per comp said, as a paying customer, I'd really like the product to work out of the box without exclusions. 


    I'll try disabling advanced process monitoring

  • MJ-perCompMJ-perComp Posts: 1,098 Superuser
    The Firewall should be no problem
    1. previous SS had no firewall. Thus a bypass all configuration would do the job
    2. latest setup allows to drop the firewall interface completely, which will lead to unchanged settings as only Windows firewall an GPOs control what is happening.

    Thus no reason to wait!
    Vad
  • hyvokarhyvokar Posts: 167

    Fyi, same problem with CU 2020-02 for server 2016 (KB4537764)

  • hyvokarhyvokar Posts: 167
    edited March 12

    Same prolem continues with 2020-03 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4540670).

    As a test I installed update in question on a server that has f-secure services turned off, it took less than an hour.

    For server with identical hw (except faster disks) the installation first took 2 hours (in gui) and after that it has been stuck for additional hour in "Getting Windows ready Don't turn off your computer".

  • hyvokarhyvokar Posts: 167

    Left the update running, and after being 1.5hours at "Getting Windows ready Don't turn off your computer", computer rebooted and the update failed to install.


    So it's even worse than I thought.

  • hyvokarhyvokar Posts: 167

    Again, same problem with KB4556813 (2020-05 cumulative update for windows server 2016)

    update status has been "preparing to install updates" for 2,5 hours now. Identical server with f-secure services disabled installed the update in 40minutes. Opened a support ticket yet again.

  • hyvokarhyvokar Posts: 167

    F-secure support recommended to exclude following folders from real time scanning. I'm speechelss.


    c:\Windows\SoftwareDistribution\

    c:\Windows\WinSxS\

    c:\System Volume Information\

Sign In or Register to comment.