After installation, user is unable to launch Policy Manager Console and they receive error: "The item referred by this shortcut cannot be accessed. You may not have the appropriate permissions".
The setup wizard creates the user group FSPM users. The user who was logged in and ran the installer is automatically added to this group. To allow another user to run Policy Manager Console you must manually add this user to the FSPM users user group. To add users to a group, use the following instructions:
Click on the Server Manager icon on the bottom left of the Windows desktop Select the Tools menu in the upper right, then select Computer Management Expand Local Users and Groups Expand Groups Double-click on the group to which you want to add users Select Add Enter the name of the user you wish to add to the group, then select Check Names You can separate names with a semicolon if you want to add more than one user Press OK when complete, then OK again to finish
Article no: 000017207
Windows Server operating system with Server Security 14.00 installed is hanging Windows Desktop operating system with Client Security 13.00 or newer installed is hanging
UPDATE: The issue related to F-Secure Ultralight Core Update 2019-10-01_01 has now been fixed in the latest Ultralight Core Update, which is available as an automatic update by name F-Secure Ultralight Core Update 2019-10-22_01. However, if you are still facing similar issues after the update fix, this may happen if F-Secure product have F-Secure Security Cloud Client enabled, but don't have access allowed to fsapi.com address. To resolve this issue, make sure that you have allowed access to fsapi.com from your environment. In case you have isolated environment, or otherwise cannot allow access to fsapi.com, disable F-Secure Security Cloud Client via Policy Manager Console:
Log in to Policy Manager Console. Go to Settings tab. Select Advanced view. Navigate to: F-Security Security Cloud Client > Settings > Client is enabled. Select No from the drop-down menu. Make sure that the setting is locked. Distribute policies (CTRL-D).
In case you should not have restricted network access, or if above steps didn't help, contact F-Secure support for further assistance.
Article no: 000016583
What are the main differences between F-Secure Linux Security 64 and F-Secure Linux Security 11.x?
Linux Security 64 is a native 64-bit application, however there are some differences compared to the previous released version Linux Security 11.x, most notably:
no support for standalone installation mode no support for Protection Service for Business (PSB) installation mode no firewall no web user interface (for remote management with browser) no support for F-Secure Policy Manager Proxies no support for unattended (scripted) installations
The list of supported Linux distributions is also different with some legacy distributions only being supported by Linux Security 11.x. Also note, that while the installer for LS 64 is created/exported in Policy Manager Console, neither Linux Security 11 nor Linux Security 64 can be deployed/pushed to hosts using Policy Manager Console.
Article no: 000014897
The following errors are show during Linux Security 64 installation. 1:f-secure-linuxsecurity-12.0.6-1 ################################# [100%] 2019-10-21 11:15:03 net/fshttp.c:1662 idle timeout occurred 2019-10-21 11:15:03 fshttps.c:560 a timeout occurred 2019-10-21 11:15:03 fsguts2.c:1830 unable to perform the HTTP operation, error 201 (timed out) 2019-10-21 11:15:03 fsguts2.c:1062 unable to fetch update information from the server, error 201 (timed out) 2019-10-21 11:15:03 src/guts2download.c:148 unable to fetch the list of updates, error 201 (timed out) 2019-10-21 11:15:03 src/guts2download.c:84 downloading the channel content failed, error 201 (timed out) Failed to activate the product!
Make sure the Policy Manager Server is accessible by the Linux Security 64 installation target machine.
Article no: 000017159
How to disable Advanced Network Protection for Client Security 14 in Policy Manager 14?
To centrally disable Advanced Network Protection from target hosts in Policy Manager 14, follow these steps:
Open F-Secure Policy Manager Choose the target host or domain from the Domain Tree Go to the Settings tab and use Standard View Go to Web traffic scanning section Choose from HTTP Scanning HTTP scanning enabled and set the value as disabled Distribute the new policy with the Distribute policies button
Now Advanced Network protection is disabled from the target hosts.
Article no: 000008143
After upgrading to F-Secure Client Security 14.10 or F-Secure Server Security 14 Client keeps asking for restart with notification "restart required F-Secure product received a critical update. To keep your protection up to date, restart your computer. Remember to save your work" After a restart the same notification is shown again F-Secure Ultralight services are not listed in the Windows services list Capricorn update is missing from Updates list in the local user interface
Note: If you click on the view log file button in the Updates view, it will bring you to the aua.log, where you can see similar entries: I: Installation of 'F-Secure Ultralight Core Update 2019-08-22_01' : Processing I: Installation of 'F-Secure Ultralight Core Update 2019-08-22_01' : Retry at restart I: Installation of 'F-Secure Hydra Update 2019-08-28_04' : Processing I: Update check completed successfully I: Installation of 'F-Secure Hydra Update 2019-08-28_04' : Retry at restart
This issue is related to Ultralight not installing or updating correctly. You can install one of the hotfixes bellow to solve the problem:
FSCS1410-HF01 FSCS1410-HF02 FSCS1410-HF07
Note: All these Hotfixes are applicable for Server Security 14.00 and Client Security 14.10 These hotfixes are not publicly available from our homepage. Open a support request and our customer service team can send you the hotfixes. If these hotfixes do not resolve the issue and Capricorn update is still missing from the Updates list, you can try removing the Capricorn update from your Policy Manager Server and re-download it. Follow these steps to re-download Capricorn update on your Policy Manager Server:
Stop Policy Manager Server Service Delete the following folder: C:\Program Files (x86)\F-Secure\Management Server 5\data\guts2\updates\capricorn-win64 Start Policy Manager Server Service
The Policy Manager Server will now re-download the missing Capricorn update. Wait for 30 minutes and check from the client if it has now been able to download and install Capricorn.
Article no: 000014676
Is SUSE Linux Enterprise Server 12 (SLES) a supported platform for F-Secure Linux Security 64?
SUSE Linux Enterprise Server 12 (SLES) has been added to the officially supported platforms for F-Secure Linux Security 64. For more details you can check the release notes on this link.
Article no: 000013134
Security Cloud Client is not connected on Server Security 14 / Client Security 14.
Make sure that the affected F-Secure host is allowed to connect to the URL orsp.f-secure.com. If this host requires a connection via HTTP proxy to access this URL, you have to configure these settings via the F-Secure Policy Manager Console:
Log on to your F-Secure Policy Manager Console. Select the Policy domain or Host / where you want to edit the policy on. Switch to the Advanced view. Go to F-Secure Security Cloud Client > Settings > HTTP Proxy. Modify the value to suit your HTTP proxy requirements:
'http://server:port', e.g. 'http://my.domain.com:1234'
Distribute the policy .
Note: If there is no parameter set under F-Secure Security Cloud Client > Settings > HTTP Proxy, the F-Secure Security Cloud Client will use the proxy configuration from the F-Secure Automatic Update Agent (AUA) by default: F-Secure Automatic Update Agent > Settings > Communications > HTTP settings > Use HTTP proxy NOTE: Server Security 14.00 and Client Security 14.x do not officially support proxy authentication.
Article no: 000014893
F-Secure Linux Security 64 is not connecting to the Policy Manager Server and it is not visible in the "Import new hosts" tab in Policy Manager Console.
Verify the connection from F-Secure Linux Security 64 to the Policy Manager Server. If the issue persists, configure the address of Policy Manager Server using the server's IP address instead of hostname during the creation of the installation package.
Article no: 000016582
How to update malware definitions for Policy Manager 13.x/14.x in an isolated network.
Policy Manager offers two options for updating virus definitions in isolated networks that have no direct connection to the Internet.
If your network configuration allows Policy Manager to access internal resources with Internet access, we recommend that you use Policy Manager Proxy as the source for updates. For more details click here. If using Policy Manager Proxy is not an option, you can use a tool provided with Policy Manager to fetch the updates as an archive and copy that to the server where Policy Manager is installed. For more details click here.
Article no: 000002697
When using image files to distribute product installations, how can I reset the host UID for Policy Manager Proxy to prevent duplicate hosts appearing in Policy Manager?
If you use image files to distribute product installations, you need to make sure that there are no unique ID conflicts. For Policy Manager Proxy this can be prevented by following the steps below:
Stop F-Secure Policy Manager Server service:
Linux: [/etc/init.d/fspms stop] Windows: [net stop fsms]
Remove following two files:
<F-Secure Installation Folder>\Management Server 5\data\h2db\fspms.h2.db <F-Secure Installation Folder>\Management Server 5\data\fspms.jks
Use fspmp-enroll-tls-certificate script to generate proxy node certificate. Run the script and authenticate yourself as root administrator of the Master Policy Manager:
Linux: /opt/f-secure/fspms/bin/fspmp-enroll-tls-certificate Windows: <F-Secure Installation Folder>/Management Server 5/bin/fspmp-enroll-tls-certificate.bat
Start F-Secure Policy Manager Server service:
Linux: [/etc/init.d/fspms start] Windows: [net start fsms]
Article no: 000016987
How do I schedule reports on Policy Manager 14.x?
You can configure Web Reporting to send regular reports by email to one or more recipients. To send the reports by email, you need to enter the mail server details in Policy Manager Console. To do this:
Select Tools > Server configuration and click the Mail tab. Enter the mail server address and authentication information. Enter the address that you want to display as the sender in the report emails. This does not have to be a valid email address. Click OK.
To configure the report scheduling:
Note: You cannot schedule reports for individual hosts, only for domains. You can use the root domain if you want the reports to cover all configured domains.
Use semi-colons to separate multiple addresses.
If you choose to send the reports on a monthly basis, the reports for each month are automatically sent on the first day of the following month.
On the Web Reporting main page, select Scheduled reporting. On the policy domain tree, select the domain that you want to use for the reports. Note: You cannot schedule reports for individual hosts, only for domains. You can use the root domain if you want the reports to cover all configured domains. In the Recipient emails field, enter the email addresses that should receive the reports. Choose whether to send the reports daily, weekly or monthly.
If you want to send the reports on a weekly basis, select the weekday. If you choose to send the reports on a monthly basis, the reports for each month are automatically sent on the first day of the following month.
Select which reports you want to send.
The listed recipients will receive the selected reports in HTML format according to your settings. If you want to check that the report emails are delivered correctly, click Send reports now.
For more information: https://help.f-secure.com/product.html#business/policy-manager/latest/en/task_4644F99989CB41A4BD5BBC5FE87919A2-latest-en
Article no: 000003775
How does the firewall automatic selection in Policy Manager function? What mechanism should I set up the automatic selection profile?
To set the firewall automatic selection profile changes to work, create the autoselect rule based on conditions such as gateway IP, DNS, etc. As an example, when the Windows Firewall profile is changed to different networks (public, private, domain), there is network change happening too. This can be used as the condition for firewall automatic selection rule to trigger.
When a host is connected to Domain network, it will use default firewall profile "Office, file and printer sharing". When a host is connected to Public network and assign to DHCP IP address, it will switch to firewall profile "Server". When a host is connected to Private network that communicate to gateway IP (Example: 192.168.1.103), it will switch to firewall profile "My test firewall profile".
Note that the firewall automatic selection is based on rules priority. The rule consists of two conditions: Method1/Argument1 and Method2/Argument2. When both conditions are met, the profile specified in the rule is selected. The rules are evaluated whenever changes in the network interfaces are detected, and the rule with the highest priority is applied in case there are more than one matching rule. If none of the rules match, the profile will remain unchanged. Therefore a fallback rule, with both methods set to Always, is usually put at the bottom of the rule set. Supported methods and arguments:
Never: Never true (argument ignored) Always: Always true (argument ignored) DNS Server IP Address: IP address given as the argument matches with a DNS server DHCP Server IP Address: IP address given as the argument matches with a DHCP server Default Gateway IP Address: IP address given as the argument matches with the default gateway My Network: IP address given as the argument falls within the LAN subnet of the host Dialup: A dial-up connection is open (argument ignored)
In IP address arguments, the asterisk (*) may be used as a wildcard, but only in place of whole pieces of the address. For instance 172.16.*.*, but not 172.16.*10.* or 172.16.*. Example: Method1 = Default Gateway IP Address Argument1 = 220.127.116.11 Note: The Argument value is irrelevant for Always, Never and Dialup methods.
Article no: 000013127
After updating to Server Security Premium 14.00, a group of Servers are not getting Virus Definitions After upgrading to Client Security 14.10, Clients are not getting updates from Policy Manager Server
You can apply the hotfix FSCS1410-HF07 to resolve the problem. If the problem persists, make you are experiencing the same problem, by opening the following logs from affected Client and investigate them. Logs are usually located in the following path: C:\ProgramData\F-Secure
Open the C:\ProgramData\F-Secure\Log\AUA.log and scroll down to the latest event to see if you have a similar error:
2019-09-23 15:17:09.502 [0e50.1388] I: Connecting to updateserver:80/guts2 (proxy proxy.demo.com:8888)
2019-09-23 15:17:09.517 [0e50.1388] I: Update check failed, error=115 (operation in progress)
Open the C:\ProgramData\F-Secure\Log\CCF\Guts2Plugin.log and scroll down to the latest event to see if you have a similar error:
2019-10-01 09:54:30.351 [1284.1258] I: Guts2Client::UpdateCurrentProxyForRootServer: Save successful proxy 'proxy.demo.com:8888'
2019-10-01 09:54:30.352 [1284.1258] I: Guts2Client::CheckForUpdatesFromServer: Check from server 'fsms:80/guts2'
2019-10-01 09:54:30.365 [1284.1258] I: Guts2Client::RefreshAvailablePackages: Trying with proxy 'proxy.demo.com:8888'
2019-10-01 09:54:30.581 [1284.1258] I: [fslib] server returned HTTP status code 503 (try again later)
2019-10-01 09:54:30.581 [1284.1258] *E: [fslib] unable to fetch update information from the server, error 115 (operation in progress)
2019-10-01 09:54:30.581 [1284.1258] I: Guts2Client::RefreshAvailablePackagesProxyConfigured: Failed to refresh available packages, error=115
2019-10-01 09:54:30.581 [1284.1258] *E: Guts2Client::CheckForUpdatesFromServer: Failed to refresh available updates list
2019-10-01 09:54:30.587 [1284.1258] I: CCFGuts2Plugin::ScheduleCheck: Scheduling next check in 156 seconds
As you can see, proxy.demo.com:8888' can answer 503 without forwarding a request to the Policy Manager Server/guts2 server. In this case, you could troubleshoot the HTTP-Proxy by checking the following:
Retry the URL from the address bar again by clicking the reload/refresh button, or pressing F5 or Ctrl+R. Restart your router and/or your device, especially if you're seeing the "Service Unavailable - DNS Failure" error. As an option, you could disable the HTTP proxy for AUA, to see if the connection issue is caused by AUA. You can do this from the Policy Manager Console:
3.1 Under the F-Secure Automatic Updates Agent > HTTP Settings > Use HTTP Proxy and set it to No. Deploy the policy.
If the changes you made now worked, make sure to enable your HTTP-Proxy to updateserver:80 (:443)
When upgrading from Client Security 13.xx series: GUTS2 updates were already available, so the behavior didn't change When upgrading from Client Security 12.10-12.3x: Everything in the Client Security > Policy Manager communication was changed. If you are upgrading from 12.00 or older - also the protocol was changed from HTTP to HTTPS (but guts2 are still downloaded via HTTP).
In the event that a proxy is/must be used ensure that no filtering for port 443 is enabled. Client Security 13.x already used GUTS2, where 503 was the "good answer", which means they would come back later, and that didn't cause fallback to the Internet.
Article no: 000015249
The symptoms include
clients are unable to download updates from the Policy Manager Server clients are unable to upload status information to the Policy Manager Server and will eventually show up in Policy Manager Console as disconnected hosts
However, clients might still be able to download updates because in the default configuration, fallback to F-Secure update servers is allowed. A couple of logfiles on the endpoont help to establish, if the client is having a connection problem due to the firewall blocking access on the server. Examples are for Client Security 14 but also apply for Server Security 14 and later. Policy Manager Server here is pms.acme.com listening on default ports 80 and 443. C:\ProgramData\F-Secure\Log\AUA\Aua.log 2019-10-02 12:07:25.311 [15d4.1d50] I: Connecting to pms.acme.com:80/guts22019-10-02 12:07:46.349 [15d4.1d50] I: Update check failed, error=110 (connection timed out) Same is also visible in this logfile: 2019-10-02 12:17:37.502 [15d4.1d68] I: UpdatablePmCertVerifier::RenewCertificates: Renewing certificates from pms.acme.com:443 with HTTP proxy ''2019-10-02 12:17:58.535 [15d4.1d68] *E: UpdatablePmCertVerifier::RenewCertificates: Failed to download certificate bodies (FsHttpRequest::Error_Timeout, AsyncSendRequest failed: 12002)2019-10-02 12:18:07.536 [15d4.1d68] I: UpdatablePmCertVerifier::RenewCertificates: Renewing certificates from pms.acme.com:443 with HTTP proxy '' Error 12002 translates to 12002 ERROR_INTERNET_TIMEOUT The request has timed out.
Server Security 14 uses the Windows Firewall. It is likely that the ports that the HTTP and HTTPS services are using are blocked in the firewall on the server where Policy Manager Server is installed in. This would cause the clients to be unable to be in contact with the Policy Manager Server. To resolve the issue, create a firewall rule allowing inbound HTTP and HTTPS traffic to the server where Policy Manager Server is installed. You can find instructions how to create firewall rules in Policy Manager 14 in this guide. Things to consider:
Make sure, the firewall rule is enabled. This is the first checkbox in the Firewall rules table. Make sure, the Server profile containing the rule is assigned as the "Server host profile". In the example below, the profile is called Server (cloned). The other rules in the profiles in this screenshot are also activated but this is is not needed to meet client Policy Manager Server communication requirements. As this particular rule is only required for the server host running Policy Manager Server, we have selected the server before making the change (the server called here DC1-PETERF)
Article no: 000016843