F-Secure SAFE "Security Cloud Malfunction" error (macOS 10.13)

mrF Posts: 8 Observer

Hi,

I contacted the support with the following issue but couldn't get any help. I am now trying to get help debugging via the forum, let's see how that goes. Here's my problem:

After restoring my MacBook Pro with a Time Machine backup, F-Secure SAFE now shows the Security Cloud Malfunction error. I tried the steps to fix the hosts file at https://community.f-secure.com/safe-en/kb/articles/6282-f-secure-product-shows-error-notification-security-cloud-malfunction-on-a-mac-computer with no luck. I contacted the support asking where I could re-download SAFE v 17.8, which is the last compatible with my OS, in order to re-install from scratch, but I was told that F-Secure doesn't provide old versions of SAFE. I was told to update my system to macOS 10.14. However, the last macOS version supported on my Mac is 10.13 (mid-2010 model) so I can't update and I am blocked.

I would like to try a bit of debugging before giving up. So here's my question: where do I find the SAFE start-up logs? I'd like to find more details about the error instead of just this "Security Cloud malfunction" error, like what exactly malfunctions. Is there any F-Secure staff who can provide guidance for debugging?

Thanks.

Accepted Answer

  • ArthurVal Posts: 98 F-Secure Employee
    edited April 28

    Now that you mention the permissions of the parent directory, they indeed look a bit off.

    I did a bit of digging and experimenting and I think I managed to end up in the same situation as you are currently in.

    The correct permissions for "/usr/local/f-secure/var/orsp" directory are root:daemon.

    So I'd recommend trying to assign those with chown like so

    sudo chown root:daemon /usr/local/f-secure/var/orsp
    

    And then restarting ORSP service with launchctl

    sudo launchctl unload /Library/LaunchDaemons/com.f-secure.orspclient.plist
    sudo launchctl load /Library/LaunchDaemons/com.f-secure.orspclient.plist
    

    I can see that it is enough on my machine for it to stop reporting Security Cloud Malfunction errors in the UI and to get it working properly. Let's see how it goes on yours!



Answers

  • ArthurVal Posts: 98 F-Secure Employee

    Hello, @mrF!

    Thanks for reaching out! As far as I recall, SAFE displays that message about Security Cloud malfunction when it is unable to communicate with F-Secure online reputation lookup services.

    Let's try to see if we can find more details of why the connection fails. Hold down Alt(Option) key and click on the SAFE icon in the menubar top-right area of the screen. When you do that, you should see additional "debug" menu options in the drop down menu including a section called "Cloud diagnostics". Click on that and it will open a page in your browser with Security Cloud connection diagnostics. Could you please share the output that is visible on that page?

    Thanks!

    Best regards, Arthur

    SAFE Mac R&D Team


  • mrF Posts: 8 Observer

    Thank you for your reply Arthur. I really appreciate your support here.

    I have tried to access the cloud diagnostic page from the "debug" menu but unfortunately, the page is not accessible. I just got an error: "Safari can't open the page http://127.0.0.1:49165/diag/dump/ because Safari can't connect to the server 127.0.0.1".

    I wanted to see if that port was open but I didn't get a hit (sudo lsof -i:49165 returns nothing). However, it seems that other ports might be used:

    $ sudo lsof -i -P -n | grep LISTEN
    OrspServi  107               daemon   10u  IPv4 0x4d9e693f72d77f07      0t0  TCP 127.0.0.1:49160 (LISTEN)
    F-Secure   502 <redacted>    4u  IPv4 0x4d9e693f6e53df07      0t0  TCP 127.0.0.1:49153 (LISTEN)
    

    I see a bunch of other open ports with established connections related to F-Secure or Safe\x20A but I can't really tell what's relevant at a glance.

    Going to http://127.0.0.1:49160/diag/dump/ shows the following log:

    ORSP DIAGNOSTIC DUMP
    
    ORSP: 1.3.1.92
    FS: F-Secure ORSP Client 1.3.1 build 92 (en)
    OS: Darwin 17.7.0
    System: 8192 MB RAM, 4 CPUs
    
    Statistics start: 2021-04-28T05:22:18Z
    Statistics end:   2021-04-28T05:22:33Z
    
    General statistics:
    Number of HTTP queries:		1
    Number of HTTP submits:		1
    Number of HTTP timeouts:	0
    Number of HTTP errors:		3
    
    Number of 0 queries:		1
    Number of 0 responses:		1
    
    Number of submits of type 0:	1 (1197 bytes)
    
    Tx: 3371 bytes, Rx: 956 bytes
    
    Histogram of server query roundtrip times (ms):
    [0: 0] [20: 0] [40: 0] [80: 0] [160: 0] [320: 0] [640: 0] [1280: 0] [2560: 0] [5120: 0] [10240: 0] 
    
    Histogram of NRS safe:
    [missing: 0] [empty: 0] [error: 0] [-100: 0] [-99: 0] [-79: 0] [-19: 0] [80: 0] [100: 0] 
    
    Histogram of NRS lookups:
    -
    
    Histogram of NHIPS ratings from cache:
    all:           -
    last 14 days:  -
    last 24 hours: -
    
    UUID: 3d961e27-cb9d-4766-b773-0f589c9d7714
    Server: orsp-c1-ec1.aws
    Status: 200
    Connectivity state: Ok
    CRL state: Ok
    Proxies: -
    Current proxy: -
    
    ORSP GMT time: 2021-04-28 11:25:33
    

    Is that a relevant log?

  • ArthurVal Posts: 98 F-Secure Employee

    Alright. Yes, this output looks relevant. This is the page that should have opened by clicking on that diagnostics option.

    But for some reason, the port on which SAFE is trying to communicate with this localhost service of ours is different from the actual port that it's using. That does not look right. So to me it looks like the actual "Security Cloud" service is fine and it reports a successful connection to the backend.

    Status: 200
    Connectivity state: Ok
    

    But SAFE is trying to communicate with it by using the wrong port and that's the root cause of the error message that you are seeing in the UI.

    Have you already tried rebooting your Mac? My hope is that it should reset and sync up when both SAFE and that localhost service restart. I have one more, a bit experimental, idea if the reboot does not resolve this situation. But hopefully it will not come to that.

    BR, Arthur


  • mrF Posts: 8 Observer

    I believe that your diagnostic is correct. Using port forwarding seems to help and the error goes away:

    ssh -L 49165:localhost:49160 localhost
    

    So yes, the problem is local and the F-Secure backend works properly. Out of curiosity, how is SAFE determining which port to use? Is it from a config file or something we can edit?

    BTW, the reboot doesn't help unfortunately. I've had the issues for weeks during which the mac got power cycled many times. I just didn't get to troubleshoot the issue sooner.

  • ArthurVal Posts: 98 F-Secure Employee

    Yes, indeed. There is a config file where this localhost service writes down the port that it assigned during start-up.

    The file is located at /usr/local/f-secure/var/orsp/port. This file should be updated when F-Secure ORSP service (a.k.a. Security Cloud client) starts up.

    A simple attempt that we can do is to check what is saved in that file at the moment. Most likely, that outdated port came from the Time Machine backup. I'm a bit surprised that the reboot did not resolve the issue. One theory could be that the ORSP service is failing to modify that file with the most up-to-date port for some reason (file permissions perhaps?).

    These are the permissions that I can see on my machine. Could you check if permissions are different on your machine?

    -rw-r--r-- 1 daemon daemon 6 Apr 28 12:49 port
    

    If it's indeed an outdated port saved there, we can try to correct it to the actual port that the ORSP service is using and restart the SAFE menubar app by holding down Alt and selecting "Quit" from the drop-down menu. This will force SAFE to read that file again and hopefully find the correct port. One indication would be that "Cloud Diagnostics" should successfully open that diagnostics page.

    That is of course a temporary solution because port will be most likely different on the next system boot. But we can start from here to gather a bit more information about the situation.

    BR, Arthur


  • mrF Posts: 8 Observer

    Ok, so I tried to modify /usr/local/f-secure/var/orsp/port and restart SAFE. Indeed, cloud security functioned properly.

    As you suspected, after a reboot, the port has changed so the file doesn't seem to update as expected. The permissions seem correct to me:

    $ ls -l /usr/local/f-secure/var/orsp/port
    -rw-r--r--  1 daemon  daemon  6 Apr 28 15:36 /usr/local/f-secure/var/orsp/port
    

    Thanks again for the assistance.

  • mrF Posts: 8 Observer

    Just to be sure, to which groups should daemon belong? The parent dir permissions are:

    drwxrwxr-x  16 root    wheel   512 Apr 28 15:36 orsp
    


  • mrF Posts: 8 Observer

    Yep, that was it! The error is gone and the browsing protection is back (and persistent after reboot)

    Thanks a lot @ArthurVal , I am very very grateful for your help here. Without your guidance, I wouldn't have identified the issue. 👍️

    I am really confused as to what could have caused this... I have no idea how I got in this situation because I ended up in this state straight out of the restoration from the Time Machine backup. This problem has nothing to do with F-Secure SAFE obviously but is 100% coming from my setup.

  • ArthurVal Posts: 98 F-Secure Employee

    Was happy to help! Great to hear that it's resolved for you as well.

    Yeah, I cannot come up with a proper explanation of what exactly might have caused it. But most likely Time Machine affected the permissions for some reason or they had already been tampered with before making the backup.

    I will bring this situation up in the team and we will discuss if there is something we can do to detect similar issues and fix them automatically.

    Cheers!


  • ArthurVal Posts: 98 F-Secure Employee

    One thing that came up after our internal discussion with the team. Do you by any chance have Homebrew installed on your Mac?

    Homebrew sometimes makes wrong decisions or assumptions for /usr/local/... paths when it manages/updates its packages. That would be one point of interest for us to locate the possible root of the issue.

    Best regards, Arthur


  • mrF Posts: 8 Observer

    I am afraid that it will be a bit difficult for me to provide meaningful feedback regarding how this issue happened.

    A few weeks back, my system refused to boot and I suspected a disk failure. I grabbed another SSD, reinstalled macOS 10.13 and used my Time Machine backup to restore apps and documents. I immediately noticed the SAFE issue but the core functionality seemed to be working (Virus scan and DB updates). I quickly found the article I mentioned in the OP but the hosts file trick didn't help. I left it like that for weeks, lacking time to dig deeper.

    I also installed Homebrew, yes, but it was well after the restoration and it wasn't present in the backup. I didn't notice any change wrt SAFE behavior after the installation but I didn't check file permissions. The dirs created by Homebrew appear to have correct permissions with my user being the owner, unlike the files and dirs under /usr/local/f-secure, which are owned by root.

    I have not knowingly altered any file or dir permission under /usr/local and I am pretty sure that it came out of the restoration even if I don't understand why.

  • ArthurVal Posts: 98 F-Secure Employee

    Ok, thanks for the update!

    Yeah, I believe that we have a task in our backlog to detect similar file permissions issues generically and fix them in an automated fashion. So hopefully this approach should fix most obvious permissions issues like this one in the future.

    BR, Arthur


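The two conditions this thread ended up diagnosing, as an added shell example that is not F-Secure's code and not part of any post: the port saved in `/usr/local/f-secure/var/orsp/port` against the port the ORSP service actually listens on, and the ownership of the `orsp` directory. The function names, the `--live` switch and the `ORSP_DIR`/`EXPECTED_OWNER` variables are assumptions; the path, `root:daemon` and the `OrspServi` name in `lsof` output are taken from the posts above.

```bash
#!/bin/sh
# Added diagnostic sketch (not F-Secure code); defaults come from the thread.
ORSP_DIR="${ORSP_DIR:-/usr/local/f-secure/var/orsp}"
EXPECTED_OWNER="${EXPECTED_OWNER:-root:daemon}"

# Print "owner:group" of a path (fields 3 and 4 of `ls -ld`).
owner_of() {
    ls -ld "$1" 2>/dev/null | awk '{ print $3 ":" $4 }'
}

# Read `lsof -i -P -n` output on stdin and print the port the ORSP service
# listens on. lsof truncates the command name to "OrspServi".
orsp_listen_port() {
    awk '$1 ~ /^OrspServi/ && /\(LISTEN\)/ {
        n = split($(NF-1), a, ":"); print a[n]; exit }'
}

# check_orsp DIR EXPECTED_OWNER LISTEN_PORT
# Prints findings; returns 0 when everything is consistent, 1 otherwise.
check_orsp() {
    dir=$1 expected=$2 live=$3 rc=0
    actual=$(owner_of "$dir")
    if [ "$actual" != "$expected" ]; then
        echo "OWNER MISMATCH: $dir is ${actual:-<unknown>}, expected $expected"
        rc=1
    fi
    # The port file holds the port number; keep digits only.
    saved=$(cat "$dir/port" 2>/dev/null | tr -cd '0-9')
    if [ -z "$live" ]; then
        echo "NO LISTENER: ORSP service port not found in lsof output"
        rc=1
    elif [ "$saved" != "$live" ]; then
        echo "STALE PORT: file says ${saved:-<empty>}, service listens on $live"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir owned by $actual, port $live"
    return "$rc"
}

# Live run on the affected Mac: sudo sh this_script.sh --live
if [ "${1:-}" = "--live" ]; then
    check_orsp "$ORSP_DIR" "$EXPECTED_OWNER" "$(lsof -i -P -n | orsp_listen_port)"
fi
```

A STALE PORT result that comes back after the service restarts, together with an OWNER MISMATCH, is the combination the thread resolved with `chown root:daemon` on the directory.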