Business Suite

Issue: What is considered a "new infection" in the F-Secure Policy Manager Web Reporting view?
Resolution:
1. Log on to your F-Secure Policy Manager Console.
2. Select the Policy domain or Host you want to edit.
3. Switch to the Alerts tab.
Every item in the list that is not marked as "read" is considered "new" in Web Reporting.
Note: As long as an item in the Policy Manager Console Alerts list is not marked as "read", it will appear in Web Reporting in the lists for "New top 10" and "New infection details".
Article no: 000018681
Issue: When installing F-Secure Linux Security 11.10, the following error is shown after entering the license code:
    Invalid keycode.
After that, it requests the license code again:
    Please enter the keycode you have received with your purchase of F-Secure Linux Security.
Resolution: Make sure that the license is typed correctly, and that you are entering a key belonging to the correct product. Trying to enter a code belonging to, for example, F-Secure Linux Security 64 would result in this error. The license key that you have received is to be used with Linux Security 64 bit server edition.
Our licenses are dependent on the software version, meaning a license created for software version 11 cannot be used on an installation of another version. If you don't have the correct license code, contact your reseller and request the license for Linux Security 11.XX, as that is the one required for this version.
Article no: 000018082
Issue: We have several F-Secure Scanning and Reputation Servers (SRS) to handle load balancing. How can we check how many hosts are connected to each SRS server?
Resolution: The number of connected hosts can be checked through the F-Secure Policy Manager 14.x advanced status view:
1. Log in to Policy Manager Console.
2. Select the SRS server from the Domain Tree.
3. Go to the Status tab and select Advanced view.
4. Navigate to F-Secure Scanning and Reputation Server > Statistics > Server > Connected hosts.
Here you can see how many hosts are connected to the selected SRS server.
Article no: 000018602
Issue: Universal CRT is not installed, therefore the Client Security 14.x/Server Security 14.00 installation fails. In Policy Manager Console, push installations result in the status error message:
    "Installation failed. MSI error code is 1603."
The following error can be seen in the Windows Application Event Logs:
    "Product: F-Secure Client Security [Premium] 14.XX/F-Secure Server Security [Premium] 14.XX -- Universal CRT is not installed"
Resolution: The latest versions of Client Security 14.x and Server Security 14.00 require Windows Universal C Runtime to be installed on the system. Download and install Windows Universal C Runtime from the link here before installing F-Secure Client Security 14.x or Server Security 14.x.
Article no: 000008994
Issue: We used to be able to see frequent alerts in the Policy Manager Console Alerts list with the source being F-Secure Anti-Spyware. After upgrading to F-Secure Client Security 13 or newer, such alerts are not being sent from the clients. Where can we see events from the F-Secure Anti-Spyware module?
Resolution: The F-Secure Anti-Spyware reporting has been integrated into F-Secure Anti-Virus in F-Secure Client Security 13 and newer versions. If you have, for example, F-Secure Client Security 14 installed on your clients, any Anti-Spyware alerts are reported to Policy Manager Console with the source shown as F-Secure Anti-Virus.
Article no: 000018481
Issue: Does F-Secure Policy Manager create and maintain an audit log for user and admin activity? For example, for these events:
- User login / logoff
- Host deletion / add / rename events
- Policy sub-domain deletion / add / rename events
- Change of policy settings
Resolution: The F-Secure Policy Manager server logs can be found in the following folder:
    C:\Program Files (x86)\F-Secure\Management Server 5\logs
The user login actions are not recorded, but there are 2 logs that record actions made by the users while logged in to the console.
- Changes made to policy settings: fspms-policy-audit.logs
- Changes made to the Policy domain computers/servers, or specifically changes made to the policy domain structure: fspms-domain-tree-audit.logs
Q: How to find out who deleted a policy sub-domain in Policy Manager Console?
A: This information is available in the fspms-domain-tree-audit.logs. Below is an example, where a sub-domain called test was added and immediately deleted.
    05.12.2019 09:44:17,785 INFO [audit.domainTree] - User 'admin' added domain test (id=76) to domain Root (id=1)
    05.12.2019 09:44:23,615 INFO [audit.domainTree] - User 'admin' deleted domain test (id=76)
Article no: 000007129
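The "who deleted a sub-domain" question above, as an added example (not F-Secure's code): a small parser for the domain-tree audit log that lists deletions per user and flags domains removed shortly after they were created. It recognises only the two message shapes quoted in the article; the day.month.year reading of the timestamp, the five-minute window and every sample line after the first two are assumptions.

```python
import re
from datetime import datetime, timedelta

# The first two lines are the ones quoted in the article; the rest are
# constructed for this example and follow the same two message shapes.
SAMPLE_LOG = """\
05.12.2019 09:44:17,785 INFO [audit.domainTree] - User 'admin' added domain test (id=76) to domain Root (id=1)
05.12.2019 09:44:23,615 INFO [audit.domainTree] - User 'admin' deleted domain test (id=76)
06.12.2019 14:02:10,101 INFO [audit.domainTree] - User 'operator1' added domain Branch Office (id=77) to domain Root (id=1)
09.12.2019 08:15:42,330 INFO [audit.domainTree] - User 'operator2' deleted domain Branch Office (id=77)
09.12.2019 08:16:00,000 INFO [audit.domainTree] - entry in a format this sketch does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) +\[audit\.domainTree\] - "
    r"User '(?P<user>[^']*)' (?P<action>added|deleted) domain "
    r"(?P<name>.+?) \(id=(?P<id>\d+)\)"
    r"(?: to domain (?P<parent>.+?) \(id=(?P<parent_id>\d+)\))?$"
)


def parse_line(line):
    """Return one audit event as a dict, or None if the line is not recognised."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        # Assumption: the timestamp is day.month.year with milliseconds.
        "ts": datetime.strptime(m["ts"], "%d.%m.%Y %H:%M:%S,%f"),
        "user": m["user"],
        "action": m["action"],
        "domain": m["name"],
        "domain_id": int(m["id"]),
        "parent": m["parent"],  # None for "deleted" entries
    }


def parse_log(text):
    """Split a log into parsed events and the lines that were not understood."""
    events, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            unparsed.append(line)  # keep for manual review, never drop silently
        else:
            events.append(event)
    return events, unparsed


def deletions(events):
    """Answer 'who deleted which domain': (user, domain, id) per deletion."""
    return [(e["user"], e["domain"], e["domain_id"])
            for e in events if e["action"] == "deleted"]


def short_lived_domains(events, window=timedelta(minutes=5)):
    """Flag domains deleted within `window` of being added (matched by id)."""
    added, hits = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] == "added":
            added[ev["domain_id"]] = ev
        elif ev["domain_id"] in added:
            start = added.pop(ev["domain_id"])
            lifetime = ev["ts"] - start["ts"]
            if lifetime <= window:
                hits.append({
                    "domain": ev["domain"],
                    "domain_id": ev["domain_id"],
                    "added_by": start["user"],
                    "deleted_by": ev["user"],
                    "lifetime_s": lifetime.total_seconds(),
                })
    return hits


if __name__ == "__main__":
    events, unparsed = parse_log(SAMPLE_LOG)
    for user, domain, domain_id in deletions(events):
        print(f"{user} deleted {domain} (id={domain_id})")
    for hit in short_lived_domains(events):
        print("short-lived:", hit)
    print("unparsed lines:", len(unparsed))
```

Because login and logoff are not recorded, the user name in these entries is the only attribution the server keeps for domain-tree changes.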
Issue: Sub admins imported via Active Directory get the error "No existing transaction found for transaction marked with propagation 'mandatory'. To get back to the Web Reporting main page click here" when they select any host on their domain structure in Policy Manager 14.20 Web Reporting.
Resolution: A hotfix has been created that will resolve the issue. The fix will be included in the upcoming F-Secure Policy Manager 14.30 version. Contact F-Secure Customer Service here to obtain the hotfix. Once you have obtained the hotfix, follow these steps to install it:
For Policy Manager Windows:
1. Extract the file somewhere on the server (e.g. Desktop).
2. Exit the Policy Manager Console.
3. Launch a command prompt as administrator.
4. To stop the Policy Manager Server services, type the following and press Enter:
    net stop fsms
5. Copy and replace the fixed fspms-webapp-1-SNAPSHOT.jar in <Policy Manager Server installation folder>\F-Secure\Management Server 5\lib
6. Start the Policy Manager Server services by typing the following in the elevated command prompt and pressing Enter:
    net start fsms
For Policy Manager Linux:
1. Stop the F-Secure Policy Manager Server services by executing the following command:
    # /etc/init.d/fspms stop
2. Copy the fix to the folder /opt/f-secure/fspms/lib
3. Start the F-Secure Policy Manager Server services by typing the following command and pressing Enter:
    # /etc/init.d/fspms restart
Article no: 000013564
Issue: By default, Linux distributions set a umask of 022. However, if this is modified, e.g. to harden the underlying system, it can cause a problem where the Automatic Update Server process (bwserver) fails to start. This is due to the process bwserver not being able to read its own config file /etc/opt/f-secure/fsaus/conf/server.cfg. This will prevent legacy clients from downloading updates from the Policy Manager Server. Legacy clients include:
- Email and Server Security version 12.x and older
- Server Security 12.x and older
- Client Security versions older than 13.x
Resolution: The workaround is to manually set the permission for server.cfg after installation and restart the fspms daemon. As root, execute the following commands:
    # chown fspms.fspms /etc/opt/f-secure/fsaus/conf/server.cfg
    # /etc/init.d/fspms restart
Article no: 000018505
Issue:
    Message: Scanning 'message' by F-Secure Spam Scanner was unsuccessful. Reason: SSL certificate issue: X.509 error value
    Host: <example> (192.168.101.150, fe80::5c55:4250:d46d:3d83%10)
    Computer name: EX-EXCH01
    User account: EXAMPLE\EX
    Product: F-Secure Content Scanner Server (OID: 1.3.6.1.4.1.2213.18)
    Severity: error (3)
    Message: Scanning 'message' by F-Secure Spam Scanner was unsuccessful. Reason: SSL certificate issue: X.509 error value. 56 similar errors occurred in last 10 minutes.
Resolution: F-Secure Spam Scanner connects to the detection center address https://aspam.sp.f-secure.com/ which has an Amazon certificate that expires on Tuesday, June 30, 2020. Ensure that you have trusted this certificate. You may also try running Windows Update to install the latest updates and certificates.
The F-Secure Spam Scanner needs to be able to query aspam.sp.f-secure.com in order for it to work. It is hosted in the Amazon Web Services (AWS) Cloud and as a result does not have a static range of IP addresses.
Verify that you are able to access the following URL: https://aspam.sp.f-secure.com/bdnc/config
Open the browser on the host where you have installed F-Secure Email and Server Security and enter https://aspam.sp.f-secure.com/bdnc/config. You should get the following response:
    {"benchmarkInterval":3600,"benchmark":1,"servers":["aspam.sp.f-secure.com"],"statsInterval":1800,"enforceSSL":true,"benchmarkThreshold":5,"disableThreshold":10}
If you do not get a response similar to the above, verify that *.f-secure.com and *.fsapi.com are allowed in your firewall.
If you require a proxy to connect to this address with your browser, then the anti-spam engine needs to be configured to use the same proxy.
How to set up a proxy server locally from your F-Secure Email and Server Security:
1. Open the F-Secure Email and Server Security Web Console and navigate to Settings.
2. Expand the Setting and, under Engines, expand the Use proxy server.
3. Activate it by moving the use proxy icon and provide the proxy server information.
Article no: 000017979
Issue: When the Web traffic scanning feature is enabled, some web applications and URLs are inaccessible or there are connectivity or performance issues. Java-based applications are unable to connect to an internal server or there are connectivity issues. The issue started after the client received the F-Secure Online Safety 2019-11-19_01 update.
Resolution:
1. Make sure ORSP Service (F-Secure Security Cloud) is enabled. You may find more information about the Security Cloud here.
How to enable ORSP via Policy Manager console:
    1. Log in to Policy Manager Console.
    2. Select the host or domain from the Domain Tree.
    3. Go to the Settings tab (Advanced view).
    4. Navigate to F-Secure Security Cloud Client > Settings.
    5. Enable Allow deeper analysis and Client is enabled.
    6. Distribute the policy (Ctrl+D).
You can ping the ORSP Service on your local client and see if it is reachable: orsp.f-secure.com
From a web browser: open http://orsp.f-secure.com/getc and the browser must be able to download a certificate file from the URL. If it reports an error or hangs for several minutes, then there is a problem.
Connectivity to the DOORMAN service: browse to https://doorman.sc.fsapi.com/doorman/v1/healthcheck and the browser must reply 'OK'.
You might have to check your firewall settings and allow *.f-secure.com and *.fsapi.com. More about URL addresses for F-Secure update services can be found here.
Note: If ORSP is off, this means that our security cloud client cannot access our remote services. This is the root of the slowness/hangs/interoperability etc.
2. You can add the server address as trusted. This will exclude the server from Web Traffic Scanning.
How to add the server address as trusted differs between F-Secure Client Security versions.
For F-Secure Client Security 13.x:
    1. Log in to F-Secure Policy Manager Console.
    2. Select the host or domain from the Domain Tree.
    3. Go to the Settings tab and select Advanced view.
    4. Navigate to F-Secure Anti-Virus -> Settings -> Settings for Web Traffic Scanning -> Trusted Servers.
    5. Click Add and enter the server address.
    6. Distribute the policy (Ctrl+D).
With Client Security 13.x clients the address needs to have the /* wildcard added after the server address, for example:
    http://193.110.109.55/*
    http://sql-server-2008:8080/*
    SAMPLESERVER:8080/*
For F-Secure Client Security 14.x:
    1. Log in to F-Secure Policy Manager Console.
    2. Select the host or domain from the Domain Tree.
    3. Go to the Settings tab and select Standard view.
    4. Go to the Web content control page.
    5. Click Add on the right side of the Trusted sites list.
    6. Enter the server address in the Address column.
    7. Distribute the policy (Ctrl+D).
With Client Security 14.x clients no wildcard is needed in the address, for example:
    http://193.110.109.55
    http://sql-server-2008:8080
    SAMPLESERVER:8080
If the steps above did not solve your problem, please try to disable Botnet Blocker and/or DeepGuard.
How to disable Botnet Blocker:
    1. Log in to F-Secure Policy Manager Console.
    2. Select the host or domain from the Domain Tree.
    3. Go to the Settings tab and select Standard view.
    4. Navigate to Web traffic scanning and select Botnet Blocker.
    5. Set the DNS query filtering to Allow all queries.
    6. Distribute the policy (Ctrl+D).
Article no: 000004728
Issue: How will F-Secure Server Security and Client Security clients receive virus definition updates if the Policy Manager Server is temporarily unreachable?
Resolution: The client can be set to automatically switch over to the F-Secure Update Server if the Policy Manager Server is unreachable. The client will try for at least one hour (default) or more to reach the designated Policy Manager Server or Policy Manager Proxy. If the client is not able to reach the Policy Manager Server or the Policy Manager Proxy, it will then try to connect to the F-Secure Update Server instead to download the updates.
Important: The host on which F-Secure Client Security or Server Security is installed must be able to reach the required F-Secure domain: http://guts2.sp.f-secure.com
To change this setting, follow these steps:
1. Log on to your F-Secure Policy Manager Console.
2. Select the Policy domain or Host where you want to edit the policy.
3. Switch to the Advanced view.
4. Navigate to F-Secure Automatic Update Agent > Settings > Communication > Allow fetching updates from F-Secure Update Server = Yes
5. To adjust the time until this failover is used, modify the setting here: F-Secure Automatic Update Agent > Settings > Communication > Intermediate Server failover time
6. Distribute the policy.
Note: The time setting for the failover must range between 1 hour and 256 days.
Article no: 000004400
Issue: How to check what versions of virus definitions are currently installed on F-Secure Client Security 14 or Server Security 14 with the Windows command line?
Resolution: Follow these steps to run the fs_oneclient_info tool to print out the product information sheet:
1. Open the Command Prompt (cmd) as an Administrator.
2. Depending on the product, navigate to:
    Server Security 14: C:\Program Files (x86)\F-Secure\Server Security
    Client Security 14: C:\Program Files (x86)\F-Secure\Client Security
3. Run the command: fs_oneclient_info.exe
This will print the following statuses:
- License status: license validity and expiration date
- Update status: update server info, last update date and list of latest installed updates
- Setting status
Article no: 000018421
Issue: Our current license certificate does not contain the most recent subscription information or license keys. How can I get an updated license certificate which includes the license keycodes required when installing or updating to the newest product versions?
Resolution: To get a new license certificate, contact your local reseller or F-Secure sales contact. If you are uncertain of who this contact is, kindly create a support ticket here.
Article no: 000001527
Issue: FSMAUTIL is no longer available for F-Secure Server Security/Client Security 14.x. How do I reset the host UID?
Resolution: In F-Secure Server Security/Client Security 14.x, there is a new tool called resetuid.exe to reset the host identity. This tool replaces FSMAUTIL (F-Secure Management Agent Utility) for both products. The tool can be found in C:\Program Files (x86)\F-Secure\Client Security\BusinessSuite\ (Client Security 14.x) or C:\Program Files (x86)\F-Secure\Server Security\BusinessSuite (Server Security 14.x). Check the Help page for the procedure.
Usage:
    RESETUID SHOWUID
        Shows the host Unique Identity currently in use.
    RESETUID RESETUID {SMBIOSGUID | RANDOMGUID | WINS | MAC} [APPLYNOW]
        Schedules regeneration of the host Unique Identity using one of the specified methods:
        SMBIOSGUID - uses SMBIOS GUID
        RANDOMGUID - uses randomly generated GUID
        WINS       - uses WINS (NetBIOS) name
        MAC        - uses MAC (ethernet card) address
        APPLYNOW   - If the product is running, requests to apply new Unique Identity immediately. Otherwise, it is applied to the next start of the product.
Article no: 000008416
Issue: There is an error or issue related to F-Secure components (e.g. Gatekeeper, Firewall, Network Interceptor Framework, Internet Shield) and more advanced debug logs are required to investigate the issue. How to enable advanced debug logging for F-Secure Client Security 13.x and F-Secure (Email and) Server Security 12.x clients?
Resolution:
Note: These instructions are applicable for Client Security 13.x and (Email and) Server Security 12.x clients. Newer products use a different tool to enable debug logging.
Follow the steps below to collect F-Secure debug logs.
1. Download and run the F-Secure debug tool.
2. Click Update Debug Files Online.
3. Select the components you want to debug (e.g. Firewall, Gatekeeper driver).
4. Click Apply Changes.
5. Reproduce the issue that was reported and take note of the time.
6. Disable debugging by deselecting the components and click Apply Changes.
7. Click Collect Logs once the issue is reproduced.
8. Locate the FSDIAG on the desktop.
9. Send the newly generated FSDIAG log files for investigation and report when the issue was reproduced.
Article no: 000002782
Issue: How do I create the netstat logfile on a Linux system?
Resolution: Follow these steps to create the netstat logfile:
1. Open Terminal.
2. Switch to the root user.
3. Run the following command:
    netstat -anp
4. When you have the output, create a text file of it with the following command:
    netstat -anp > example.txt
5. The file will be saved in the directory where you ran the command (you can verify the folder you are in by running the command: pwd).
Article no: 000018382
Issue: How to uninstall F-Secure Server Security 12 or 14 from a Windows Server using the Uninstallation Tool?
Resolution: If you cannot uninstall F-Secure Server Security from Programs and Features, you can uninstall it using the F-Secure Uninstallation Tool. Which uninstallation tool you should use depends on the F-Secure Server Security version that is installed on the Windows server.
Note: If you have F-Secure Email and Server Security installed on the server, do not use the Uninstallation Tool, since a removal can cause issues with the email flow.
Note: If you have F-Secure Policy Manager Server installed on the same server, running UninstallationTool.exe will remove it.
F-Secure Server Security 12.x:
1. Download this uninstallation tool: https://download.f-secure.com/support/tools/uitool/UninstallationTool.exe
2. Open the Command Prompt.
3. Navigate to the folder where you have stored the tool.
4. Run the following command:
    UninstallationTool.exe -a --server
F-Secure Server Security 14.x:
1. Download this uninstallation tool: https://download.sp.f-secure.com/uninstallationtool/FsUninstallationTool.exe
2. Run the uninstallation tool.
3. Follow the on-screen instructions.
This tool can be run silently from the command prompt by adding the parameter --silent
Article no: 000015608
Issue: Policy Manager Server is rejecting Policy Manager Console connections from a remote host. When trying to connect to Policy Manager Server running on Linux using a Windows machine, the following error is displayed: "Cannot connect to server 172.16.0.6:8080. Check that the host name and port number are correct. Port number 8080 is used by default".
Resolution: By default, F-Secure Policy Manager Server is set up to only accept connections from localhost. Follow the steps below to allow remote connections and then test the connectivity from the remote Policy Manager Console.
If Policy Manager Server is installed on a Windows OS:
1. Stop the F-Secure Policy Manager Server services.
2. Open the registry.
3. Go to: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Data Fellows\F-Secure\Management Server 5
4. Edit the value of [REG_DWORD] RestrictLocalhost to 0.
5. Start the F-Secure Policy Manager Server services.
If Policy Manager Server is installed on a Linux OS:
1. Stop the Policy Manager Server daemon (/etc/init.d/fspms stop).
2. Open the file /etc/opt/f-secure/fspms/fspms.conf
3. Check the line with the adminExtensionLocalhostRestricted value and make sure the value is set to false.
4. Save the file and restart the Policy Manager Server daemon (/etc/init.d/fspms restart).
Once the Policy Manager Server service has restarted, try to log in from the remote Policy Manager Console.
Please do check our other F-Secure Community KB article as well.
Article no: 000001368
Issue: Windows Firewall status is red with the error message: "Windows Defender firewall is not using the recommended settings to protect your computer"
- The Windows Firewall state is set to: ON
- Incoming connection is set to: Allow all connections to apps that are not on the list of blocked apps
Resolution: If Windows Firewall is showing its status as red with the message "Windows Defender Firewall is not using the recommended settings to protect your computer", this is most likely due to the settings of the Unknown inbound and outbound connections from the F-Secure Client Security 14 firewall profile. To resolve the issue, follow these steps:
1. Open the Policy Manager console.
2. Select the host or domain from the Domain Tree.
3. Go to the Settings tab.
4. Browse to the Firewall menu.
5. Ensure the value under "Profile being edited" is the correct profile.
6. Set the value of Unknown inbound connections and Unknown outbound connections to Block.
7. Distribute the profile (Ctrl+D).
Once the host receives the new profile, the firewall should stop displaying the message and the status should turn green.
Article no: 000018337
Issue: Will SUSE Linux Enterprise 15 be supported by F-Secure Linux Security version 11.10 and F-Secure Linux Security 64?
Resolution: SUSE Linux Enterprise 15 will only be supported by F-Secure Linux Security 64, which is the successor of F-Secure Linux Security version 11.10. Currently, this support is planned to be available during the first half of 2020. Linux Security 11.10 will not support the latest Linux distributions; it only supports old non-"systemd" Linux distributions.
Article no: 000018265
Issue: Is it possible to define wildcard exclusions with F-Secure Linux Security 11.10, or is the full path the only supported option?
Resolution: Wildcard exclusions for scans are not supported by F-Secure Linux Security 11.10. The full path must be used when creating exclusions.
Article no: 000018262
Issue: F-Secure Client Security 13.x or (Email and) Server Security 12.x installation using the MSI package failed due to a "Setup Wizard ended prematurely" error.
Resolution: The installation error "Setup Wizard ended prematurely because of an error" when running the F-Secure Client Security 13.x or (Email and) Server Security 12.x installation MSI file can be caused by the following:
- Ensure the subscription key used during the export of the MSI installation file is correct. Contact your local F-Secure reseller partner to obtain the license certificate with the latest subscription key for F-Secure products.
- Verify if there is any conflicting 3rd party software installed on the host.
If none of the above helped with the installation issue, contact F-Secure Customer Support here for assistance.
Article no: 000001448
Issue: Users get the following error message when trying to log in to Policy Manager Console: Cannot connect to server: authorization failed because the specified user credentials are invalid.
Resolution: This error message appears because you are using either a wrong username or a wrong password when logging in.
The default username when logging in to Policy Manager Console is Admin. The password for the Admin account was set at installation. If you do not know the correct password for the Admin account, you can reset it by following these steps:
1. Stop the F-Secure Policy Manager Server service.
2. Open a command line prompt as administrator.
3. Run reset-admin-account.bat from this location: C:\Program Files (x86)\F-Secure\Management Server 5\bin\
4. Enter your new password.
5. Start the F-Secure Policy Manager Server service.
6. Try to log in to Policy Manager Console.
To change the password for any other Policy Manager Console user account, use the following instructions:
1. Log in to Policy Manager Console by using the Admin account (if needed, reset the password for the Admin account by using the above instructions).
2. In Policy Manager Console, select Tools > Users.
3. To change the password, delete the existing user account.
4. Recreate the account. This allows you to configure a new password for the account.
Article no: 000009319
Issue: I have forgotten my login password to F-Secure Policy Manager Console. How do I reset the admin password?
Resolution: If you have lost the password for the admin user, or if the account was accidentally deleted, you can reset the admin account for Policy Manager on Windows by following the steps below:
1. Stop the F-Secure Policy Manager Server service.
2. Open a command line prompt as administrator.
3. Run reset-admin-account.bat from this location: C:\Program Files (x86)\F-Secure\Management Server 5\bin\
4. Enter your new password.
5. Start the F-Secure Policy Manager Server service.
6. Try to log in to Policy Manager Console.
For Policy Manager on Linux, use the following script to reset the user account:
    /opt/f-secure/fspms/bin/fspms-reset-admin-account
If you are still not able to log in to Policy Manager Console, make sure the account used in the login window is admin (and not administrator).
Article no: 000002657
If you want to exclude files or folders from being scanned by Real-Time scanning, follow these steps:
Issue: What are the default ports used by Policy Manager Server and Policy Manager Proxy? This article lists the network ports that F-Secure Policy Manager Server and F-Secure Policy Manager Proxy use. If you use any port filtering devices or software, verify that the required ports are available. Port filtering devices and software include firewalls, routers, proxy servers or IPsec.
Resolution:
Default TCP ports, F-Secure Policy Manager:
- 8080: Default https-port used for Admin module used for communication with Policy Manager Console.
- 8081: Default https-port for F-Secure Policy Manager Web Reporting, the graphical reporting system included in Policy Manager Server.
- 443: Default https-port used for the host module used for communication with the hosts, excluding client database-updates.
- 80: Default http-port used for the host module used for communication with the hosts (legacy F-Secure clients). All F-Secure clients by default download database updates using this port.
Default TCP ports, F-Secure Policy Manager Proxy:
- 443: Default https-port used for the host module used for communication with the hosts, excluding client database-updates.
- 80: Default http-port used for the host module used for communication with the hosts (legacy F-Secure clients). All F-Secure clients by default download database updates using this port.
Note:
- F-Secure Web Reporting might not be enabled in your configuration.
- The Policy Manager Server admin module is not by default exposed to other network interfaces than localhost.
- Software Updater (SWUP) updates are downloaded on port 80.
Article no: 000018194
Issue: Can F-Secure Email and Server Security 12.12, which includes the Content Scanner Server module, be upgraded to F-Secure Server Security 14.x?
Resolution: F-Secure Email and Server Security and F-Secure Server Security are considered two different products, since Email and Server Security includes the Content Scanner Server module. This means that the upgrade feature in Policy Manager Console cannot be used to upgrade from Email and Server Security 12.12 to Server Security 14.x.
However, a policy-based installation via F-Secure Policy Manager Console can be used to install Server Security 14.x on the target host. The previous F-Secure Email and Server Security 12.12 installation will be sidegraded (uninstalled) by the F-Secure Server Security 14.x installation.
Follow these steps to install F-Secure Server Security 14.x on a host with F-Secure Email and Server Security 12.12:
1. Log in to Policy Manager Console.
2. Select the target host or domain from the Domain Tree.
3. Go to the Installation tab.
4. Click the Install button at the bottom of the Installation tab.
5. Choose the F-Secure Server Security 14.x installation package (import the jar file if needed) and click OK.
6. Configure the installation package with the help of the installation wizard.
7. Distribute the policy.
After the policy has been distributed to the host or domain, F-Secure Email and Server Security will be removed and Server Security will be installed.
Article no: 000018150
Issue: Does the server need to be rebooted after upgrading (Email and) Server Security from version 12.11 to 12.12?
Resolution: When upgrading F-Secure Server Security 12.11 to 12.12, a reboot is not required for the upgrade to take effect. When creating the installer you will be given the choice between rebooting or not.
For F-Secure Email and Server Security, whether a restart is required cannot be reliably predicted. In general it does not require a reboot of the server. Therefore we recommend performing the upgrade within a service window.
Article no: 000003204
Issue: How does the firewall automatic selection in Policy Manager work? How to set up the automatic selection profile?
Resolution: For firewall automatic profile selection to work, create auto-select rules based on conditions such as gateway IP, DNS, etc.
As an example, when the Windows Firewall profile changes between networks (public, private, domain), a network change happens too. This can be used as the condition that triggers a firewall automatic selection rule.
- When a host is connected to the Domain network, it will use the default firewall profile "Office, file and printer sharing".
- When a host is connected to a Public network and is assigned a DHCP IP address, it will switch to the firewall profile "Server".
- When a host is connected to a Private network that communicates with the gateway IP (example: 192.168.1.103), it will switch to the firewall profile "My test firewall profile".
Note: The firewall automatic selection is based on rule priority. A rule consists of two conditions: Method1/Argument1 and Method2/Argument2. When both conditions are met, the profile specified in the rule is selected. The rules are evaluated whenever changes in the network interfaces are detected, and the rule with the highest priority is applied in case more than one rule matches. If none of the rules match, the profile remains unchanged. Therefore a fallback rule, with both methods set to Always, is usually put at the bottom of the rule set.
Supported methods and arguments:
- Never: Never true (argument ignored)
- Always: Always true (argument ignored)
- DNS Server IP Address: IP address given as the argument matches with a DNS server
- DHCP Server IP Address: IP address given as the argument matches with a DHCP server
- Default Gateway IP Address: IP address given as the argument matches with the default gateway
- My Network: IP address given as the argument falls within the LAN subnet of the host
- Dialup: A dial-up connection is open (argument ignored)
In IP address arguments, the asterisk (*) may be used as a wildcard, but only in place of whole pieces of the address. For instance 172.16.*.*, but not 172.16.*10.* or 172.16.*.
Example:
    Method1 = Default Gateway IP Address
    Argument1 = 123.12.0.1
Note: The Argument value is irrelevant for the Always, Never and Dialup methods.
How to configure the My Network rule in Policy Manager autoselect: https://community.f-secure.com/t5/Business-Suite/How-to-configure-MyNetwork-rule/ta-p/20670
Article no: 000013127
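The rule evaluation described above, as an added example (a model for reasoning about a rule set, not F-Secure's code). It assumes that list order is priority order with the top rule highest, that the My Network argument is a plain address without wildcards, and the `NetState` fields, the DHCP pattern 10.20.*.* and all addresses in the tests are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NetState:
    """Snapshot of the host's network settings (hypothetical structure)."""
    dns_servers: list = field(default_factory=list)
    dhcp_servers: list = field(default_factory=list)
    gateways: list = field(default_factory=list)
    lan_subnets: list = field(default_factory=list)  # e.g. "192.168.1.0/24"
    dialup_open: bool = False


@dataclass
class Rule:
    method1: str
    argument1: str
    method2: str
    argument2: str
    profile: str


def parse_pattern(pattern):
    """Validate an argument: four pieces, each a whole octet or a lone '*'."""
    parts = pattern.split(".")
    if len(parts) != 4:
        raise ValueError(f"need four pieces: {pattern!r}")  # rejects 172.16.*
    for part in parts:
        if part == "*":
            continue
        if not (part.isascii() and part.isdigit() and int(part) <= 255):
            raise ValueError(f"bad piece {part!r} in {pattern!r}")  # 172.16.*10.*
    return parts


def ip_matches(pattern, address):
    """True if the address matches the pattern piece by piece."""
    parts = parse_pattern(pattern)
    octets = str(ipaddress.IPv4Address(address)).split(".")
    return all(p == "*" or int(p) == int(o) for p, o in zip(parts, octets))


def condition_met(method, argument, state):
    """Evaluate one Method/Argument pair against the current network state."""
    if method == "Never":
        return False
    if method == "Always":
        return True
    if method == "Dialup":
        return state.dialup_open
    servers = {
        "DNS Server IP Address": state.dns_servers,
        "DHCP Server IP Address": state.dhcp_servers,
        "Default Gateway IP Address": state.gateways,
    }
    if method in servers:
        return any(ip_matches(argument, addr) for addr in servers[method])
    if method == "My Network":
        # Assumption: the argument is a concrete address tested against each
        # LAN subnet of the host.
        addr = ipaddress.IPv4Address(argument)
        return any(addr in ipaddress.IPv4Network(net) for net in state.lan_subnets)
    raise ValueError(f"unknown method {method!r}")


def select_profile(rules, state, current_profile):
    """Return the profile of the first rule whose two conditions both hold.

    If no rule matches, the current profile is kept, which is why a final
    Always/Always rule is needed for a predictable fallback.
    """
    for rule in rules:
        if (condition_met(rule.method1, rule.argument1, state)
                and condition_met(rule.method2, rule.argument2, state)):
            return rule.profile
    return current_profile


# Rule set modelled on the article's three scenarios (arguments constructed).
EXAMPLE_RULES = [
    Rule("Default Gateway IP Address", "192.168.1.103", "Always", "",
         "My test firewall profile"),
    Rule("DHCP Server IP Address", "10.20.*.*", "Always", "", "Server"),
    Rule("Always", "", "Always", "", "Office, file and printer sharing"),
]
```

Dropping the last rule from `EXAMPLE_RULES` shows the failure mode the note warns about: a host that moves to an unmatched network keeps whatever profile it had before.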
Issue: How to update F-Secure Linux Security 11.x virus databases manually in an isolated or offline environment with no internet connection? Is the update package self-contained, meaning it contains all signature updates, or is it an incremental update?

Resolution:

Note: This article assumes deep technical understanding of both F-Secure's products and the relevant operating system. If you are unsure, contact F-Secure support for assistance.

To update the virus definition databases for F-Secure Linux Security 11.x manually from the command line:

1. Download the fsdbupdate9.run file from http://download.f-secure.com/latest/fsdbupdate9.run. The file is a self-extracting file that stops the AUA daemon, updates the databases and restarts the AUA.
2. As a root user, run the following command, where fsdbupdate9.run is the absolute or relative path to the fsdbupdate9.run file:

    dbupdate fsdbupdate9.run

The update package is self-contained and contains all necessary updates.

Article no: 000011352
Issue: How do I run a manual scan using the command line on F-Secure Server Security 14.x or Client Security 14.x?

Resolution: The command line option can be used to run a manual scan on demand. The same command and arguments can also be used to fill in the task type specific parameters of a "Generic" scheduled scan task.

To run the task locally via command line:

1. Press the Windows button.
2. Search for cmd.exe and press Enter.
3. Navigate to your F-Secure client's installation directory (for example: cd C:\Program Files (x86)\F-Secure\). For Client Security, navigate further to the Client Security directory. For Server Security, navigate to the Server Security directory.
4. Type in fsscan.exe and add any of the arguments/options below, then press Enter.
5. The scan will be executed and further details will be returned in the command window.

Example 1: Retrieving information on available options:

    C:\Program Files (x86)\F-Secure\Client Security>fsscan -?

    Usage: fsscan [options]
    Options:
      --sched, -s              Runs a scan optimized for scheduled scanning
      --target, -t <target>    Scans the given <target>
      --report, -r <report>    Writes an unformatted report to <report> file (only with -c)
      --delete, -d             Deletes all harmful files found
      --collection, -c         Runs a scan optimized for large collections of harmful files
      --noflyer, -f            Skip showing scheduled scanning flyer
      -?, -h, --help           Displays this help

Example 2: Scanning a specific directory (downloads directory of the user Foo):

    C:\Program Files (x86)\F-Secure\Client Security>fsscan.exe -t C:\Users\Foo\Downloads\

Setting up a scheduled scan on a specific directory via Policy Manager Console:

1. Log on to your F-Secure Policy Manager Console.
2. Select the policy domain or host where you want to edit the policy.
3. In the Settings, select the Manual Scan item.
4. Go to the table under Scheduled scanning.
5. Add a new row.
6. Choose Task Type = Generic.
7. Edit the Task Type Specific Parameters, for example to scan the downloads directory of the user Foo:

    C:\Program Files (x86)\F-Secure\Server Security\fsscan.exe -t C:\Users\Foo\Downloads

8. Exit the table.
9. Distribute the policy.

Article no: 000011456
Issue: From where to download F-Secure Client Security 12 Standard or Premium installation file?

Resolution: Client Security 12 is no longer supported and reached its end-of-life in October 2018. Visit the product end-of-life announcement for more information. The currently supported Client Security versions are 13.xx and 14.xx. The software can be downloaded from the F-Secure business products download page.

Note: Read the product release notes to verify the minimum requirements before installing the product.

Article no: 000018070
Issue: Why are the setting changes for "Email Alert Forwarding" reverted automatically after changing the configuration in the F-Secure Email and Server Security 12.x Web Console?

Resolution: Most likely Email and Server Security 12.x has been installed to be centrally managed by an F-Secure Policy Manager Server. By default, local user changes are disallowed for email alert forwarding. You can allow local users to change email alert forwarding through the Policy Manager Console:

1. Log in to the Policy Manager Console.
2. Select the host or domain from the Domain tree.
3. Go to the Settings tab.
4. Select the Alert sending page.
5. Untick the checkbox under Alert forwarding.
6. Distribute the policy.

Now the local user is allowed to change email alert forwarding settings through the Email and Server Security Web Console.

Article no: 000018060
Issue: Attachments for internal emails are being filtered by F-Secure Email and Server Security, though the strip attachments option is turned off.

Resolution: The email direction is based on the Internal Domains and Internal SMTP Senders settings and it is determined as follows:

• Email messages are considered internal if they come from internal SMTP sender hosts and mail recipients belong to one of the specified internal domains (internal recipients).
• Email messages are considered outgoing if they come from internal SMTP sender hosts and mail recipients do not belong to the specified internal domains (external recipients).
• Email messages that come from hosts that are not defined as internal SMTP sender hosts are considered incoming.
• Email messages submitted via MAPI or Pickup Folder are treated as if they are sent from the internal SMTP sender host.

Note: If email messages come from internal SMTP sender hosts and contain both internal and external recipients, messages are split and processed as internal and outgoing respectively.

Internal Domains

Specify internal domains. Messages coming to internal domains are considered to be inbound mail unless they come from internal SMTP sender hosts. Separate each domain name with a space. You can use an asterisk (*) as a wildcard. For example:

    *example.com internal.example.net

Internal SMTP Senders

Specify the IP addresses of hosts that belong to your organization. Specify all hosts within the organization that send messages to Exchange Edge or Hub servers via SMTP as Internal SMTP Senders. Separate each IP address with a space. An IP address range can be defined as:

• a network/netmask pair (for example, 10.1.0.0/255.255.0.0),
• a network/nnn CIDR specification (for example, 10.1.0.0/16), or
• IPv6 address (for example, 1::, 2001::765d 2001::0-5, 2001:db8:abcd:0012::0/64, 2001:db8:abcd:abcd::/52, ::1).

Note: There is also virus scanning, where mb infections are blocked

You can use an asterisk (*) to match any number or a dash (-) to define a range of numbers. For example:

    172.16.4.4 172.16.*.1 172.16.4.0-16 172.16.250-255.*

Note: If end-users in the organization use an email client other than Microsoft Outlook to send and receive email, it is recommended to specify all end-user workstations as Internal SMTP Senders.

Note: If the organization has Exchange Edge and Hub servers, the server with the Hub role installed should be added to the Internal SMTP Senders on the server where the Edge role is installed.

Important: Do not specify the server where the Edge role is installed as Internal SMTP Sender.

You can make these changes in the Web GUI:

1. Open the F-Secure Email and Server Security Web Console and navigate to the settings.
2. Open Administration from the menu and navigate to Network.
3. Expand the Network section and enter the list of the internal domains as explained above.
4. Enter the internal SMTP senders as explained above.

Note: The Network settings for internal domains and internal SMTP senders determine the email direction (inbound, outbound, internal), and the corresponding filters are then applied.

Article no: 000018032
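The direction rules above can be checked against a planned configuration with a small model like the following. This is an added example, not product code. Assumptions: domain wildcards behave like shell globs, IPv6 entries are handled only as single addresses or CIDR networks (not dash ranges), and the sender list and mail addresses are constructed from the article's sample values.

```python
import fnmatch
import ipaddress

def octet_ok(spec, value):
    """One IPv4 piece: '*', a range 'lo-hi', or a literal number."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-")
        return int(lo) <= value <= int(hi)
    return int(spec) == value

def sender_matches(entry, ip):
    """Does one Internal SMTP Senders entry cover the connecting IP?"""
    addr = ipaddress.ip_address(ip)
    if "/" in entry:  # network/netmask pair or network/nnn CIDR
        return addr in ipaddress.ip_network(entry, strict=False)
    if "*" in entry or "-" in entry:  # IPv4 wildcard or range per piece
        if addr.version != 4 or entry.count(".") != 3:
            return False  # IPv6 dash ranges are out of scope in this sketch
        return all(octet_ok(s, v) for s, v in zip(entry.split("."), addr.packed))
    return addr == ipaddress.ip_address(entry)

def is_internal_recipient(address, internal_domains):
    """Glob match of the recipient domain (assumed wildcard semantics)."""
    domain = address.rsplit("@", 1)[-1].lower()
    return any(fnmatch.fnmatchcase(domain, p.lower())
               for p in internal_domains.split())

def classify(sender_ip, recipients, senders, domains, via_mapi_or_pickup=False):
    """Return {direction: [recipients]}; mixed recipient lists are split."""
    from_internal = via_mapi_or_pickup or any(
        sender_matches(e, sender_ip) for e in senders.split())
    if not from_internal:
        return {"incoming": list(recipients)}
    result = {}
    for rcpt in recipients:
        key = "internal" if is_internal_recipient(rcpt, domains) else "outgoing"
        result.setdefault(key, []).append(rcpt)
    return result

# Constructed settings, built from the article's example values.
SENDERS = "10.1.0.0/255.255.0.0 172.16.4.0-16 172.16.250-255.* 2001:db8:abcd:0012::0/64"
DOMAINS = "*example.com internal.example.net"

if __name__ == "__main__":
    print(classify("10.1.2.3", ["a@example.com", "b@other.org"], SENDERS, DOMAINS))
    print(classify("203.0.113.5", ["a@example.com"], SENDERS, DOMAINS))
    # Under glob semantics, *example.com also covers notexample.com,
    # so the pattern is worth reviewing when filters apply by direction.
    print(is_internal_recipient("x@notexample.com", DOMAINS))
```

A message that is unexpectedly filtered as internal usually means its sending host falls inside one of the Internal SMTP Senders ranges, which this model makes quick to confirm.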
Issue: Can F-Secure Linux Security 64 be pre-installed on a virtual machine Golden image? How to reset the Unique Identifier (UID)? Resolution: F-Secure Linux Security 64 does not have the capability of changing its Unique Identifier (UID). The UID is tied to the hardware and cannot be reset, hence Linux Security 64 cannot be pre-installed on a Golden Image. Article no: 000018034
Issue: Why is F-Secure Email and Server Security dropping password protected attachments?

Resolution: If password protected attachments are being dropped from emails, you should review the actions that are taken when emails include archived files. You can review and change the settings by following these steps:

1. Log in to the Email and Server Security Web Console.
2. Select Email traffic scanning from the menu.
3. Select Incoming mail.

On this page you will find the following settings for archived files:

• Action on archives with disallowed files
• Action on max nested archives
• Action on password protected archives

Make sure that password protected archives are allowed to pass through if you do not want them to be dropped.

The archived attachments can also be dropped if you have active match lists that are triggered for your email route as you have configured. If inbound archived attachments are dropped, they are most likely triggering the 'Disallowed Inbound Files' match list. On the Incoming mail settings page mentioned above, you can check the setting for the list of files to scan inside archives. This setting shows which match list it currently uses.

The match list can be found in the F-Secure Email and Server Security Web GUI:

1. Go to the Settings page.
2. Select List and templates.

When a match list is active for incoming email traffic and a user sends an attachment file that is included in this list, the rule is triggered and the file is dropped.

If a file is being dropped, you can verify it from the logfile.log. Here are two example entries from the log:

Example 1:

    conditionReason: Attachment 'password_protected_example.docx' matches 'Disallowed Files Internal' stripping condition; Real type: application/msword; description: Microsoft Compound Document;Microsoft Word Document; password protected; extensions: DOC DOT

Example 2:

    Attachment '2019-04-18_examplefile.pptx' matches  'Disallowed Inbound Files' stripping condition; Real type: application/msword; description: Microsoft Compound Document;Microsoft Word Document; password protected; extensions: DOC DOT  Action: Message stopped

To allow the files in the examples, you would need to remove the *.doc extension from the disallowed files match list.

Article no: 000011451
Issue: The Offload Scanning connection is down during a system restart. After the system has restarted, the connection is restored after a few seconds.

Resolution: This is expected product behavior if the Offload Scanning connection is established after a few seconds during system restart. During system startup, the Offload Scanning Agent (OSA) service will attempt to establish a connection with the Scanning & Reputation Server (SRS). If the SRS is unreachable for some reason (e.g. internal network congestion), the service will re-attempt to establish the connection.

Article no: 000018019
Issue: Security Cloud Client is not connected on Server Security 14.x / Client Security 14.x

Resolution: Make sure that the affected F-Secure host is allowed to connect to the URL orsp.f-secure.com. If this host requires a connection via HTTP proxy to access this URL, you have to configure these settings via the F-Secure Policy Manager Console:

1. Log on to your F-Secure Policy Manager Console.
2. Select the policy domain or host where you want to edit the policy.
3. Switch to the Advanced view.
4. Go to F-Secure Security Cloud Client > Settings > HTTP Proxy.
5. Modify the value to suit your HTTP proxy requirements: 'http://server:port', e.g. 'http://my.domain.com:1234'
6. Distribute the policy.

Note: If there is no parameter set under F-Secure Security Cloud Client > Settings > HTTP Proxy, the F-Secure Security Cloud Client will use the proxy configuration from the F-Secure Automatic Update Agent (AUA) by default: F-Secure Automatic Update Agent > Settings > Communications > HTTP settings > Use HTTP proxy

Note: Server Security 14.00 and Client Security 14.x do not support proxy authentication.

Article no: 000014893
Issue: How can we configure a scheduled manual scan to only alert on detections (report only)? Resolution: This is currently not supported, but we are planning to improve this in upcoming versions of both Client Security 14.20 and Server Security 14.10. Both versions are expected to be released during the first half of 2020. Article no: 000017966
Issue: When starting a Scan for updates operation through the advanced settings view for Software Updater, the status gets stuck as "in progress" permanently.

Resolution: How to remove that scanning task using the H2 console:

First you need to enable the H2 console. Close F-Secure Policy Manager Console if it is open. The next steps must be done on the server where Policy Manager Server is installed:

1. Stop the F-Secure Policy Manager Server service.
2. Open Registry Editor (regedit).
3. Go to HKLM>SOFTWARE>Wow6432Node>Data Fellows\F-Secure\Management Server 5\
4. Edit "additional_java_args".
5. Add the following parameter (NOTE: the parameter is case sensitive):

    -Dh2ConsoleEnabled=true

6. Close Registry Editor and start the F-Secure Policy Manager Server service.

Now open the H2 console:

1. Open Internet Explorer/Firefox/Chrome.
2. Go to https://<PolicyManagerServerIP>:<AdminPort>, e.g. https://localhost:8080 (localhost can be used if you are running this from the PM Server itself).
3. Execute the following SQL statement:

    DELETE FROM operations WHERE type_oid_id IN (SELECT id FROM oid_dictionary WHERE oid='1.3.6.1.4.1.2213.59.3.10.1');

   It will clean all other relevant entries automatically.
4. Close the H2 console and restart the Policy Manager Console.

Article no: 000017341
Issue: After upgrading from F-Secure Server Security 12.12 to 14.00 on terminal servers, these servers have freezing, hanging and performance issues. The server cannot be accessed, and remote logins are only possible if all F-Secure services are disabled.

Resolution: In such scenarios, there is most likely a hang in the ORSP Client, which prevents ulcore from updating. This can be seen in the lynx.log:

    2019-09-29 09:36:35.468 [09e8.3330] .W: fs::rs::WinSocket::Impl::connect: Cannot resolve address doorman.sc.fsapi.com
    2019-09-29 15:38:08.728 [09e8.2428] .W: fs::rs::WinSocket::Impl::connect: Cannot resolve address doorman.sc.fsapi.com
    2019-09-29 21:41:59.136 [09e8.3410] .W: fs::rs::WinSocket::Impl::connect: Cannot resolve address doorman.sc.fsapi.com
    2019-09-30 03:44:05.294 [09e8.2a0c] .W: fs::rs::WinSocket::Impl::connect: Cannot resolve address doorman.sc.fsapi.com
    2019-10-01 10:04:33.890 [09e8.2670] .W: fs::rs::WinSocket::Impl::connect: Cannot resolve address doorman.sc.fsapi.com

When a new object, such as a file or URL, is encountered on one client, the product communicates with the Security Cloud using the strongly encrypted Object Reputation Service Protocol (ORSP) to query for the object's reputation details. Anonymous metadata about the object, such as file size and anonymized path, is sent to the Security Cloud.

In this case, the reason for the hang is that queries to doorman.sc.fsapi.com, one of our back-ends, are blocked.

To solve the issue, follow these steps:

• Allow f-secure.com and fsapi.com in your firewall or external proxy.
• Another option, instead of allowing fsapi.com directly, is to set up an HTTP proxy that is allowed to connect, and to configure the client to use that proxy. After you have set up your proxy, make sure you configure the HTTP Proxy address in the Policy Manager Console. Please refer to the screenshot below where to add the HTTP Proxy address.
• If the HTTP proxy is not an option for you, you can switch OFF Security Cloud in the settings, as currently the connection to Security Cloud is blocked.

You may find more information about the Security Cloud here.

Article no: 000017219
Issue: During mailbox indexation, the Exchange service becomes abnormally slow if F-Secure Email and Server Security is installed. Disabling the security features fixes the slowness issue.

Resolution: If you are facing slowness during mailbox indexation, we suggest that you verify that you are following this Microsoft article about exclusions here.

Article no: 000017943
Issue: User wants to exclude a specific software update from F-Secure Software Updater automatic installation.

Resolution: You can create a rule to exclude a certain software update from Software Updater automatic installation in Policy Manager Console by following these steps:

1. Log in to Policy Manager Console.
2. Select the host or domain from the Domain tree.
3. Select the Settings tab.
4. Go to the Software Updater page.
5. Click Add on the right side of the Exclude software from automatic installation table.
6. Enter the software name and/or bulletin ID.
7. Distribute the policy to the hosts.

Now the selected domain or hosts will have an exclusion for the software updates you have created a rule for.

Article no: 000002779
Issue: When will a newer version of F-Secure Client Security for Mac be released that supports MacOS Catalina (10.15)? Resolution: A new version of F-Secure Client Security for Mac 13.12 was released on 29th of October. It has support for MacOS Catalina 10.15. Client Security for Mac 13.12  installation file is available on our downloads page.   Article no: 000016301
Issue: Does Policy Manager Proxy also proxy Software Updater installation packages?

Resolution: Yes, Policy Manager Proxy also proxies Software Updater installation packages. You can find more information here.

Article no: 000017850
Issue: I would like to register my F-Secure Policy Manager Server which is not connected to a network (offline), how do I proceed?

Resolution: Contact F-Secure support by opening a support request (https://www.f-secure.com/en/web/business_global/support/support-request).

Provide the following information for F-Secure technical support to create an offline registration file:

• Account Name
• Customer ID
• Installation ID
• Business Suite license expiry date

How to obtain the Customer ID and Installation ID:

• Open F-Secure Policy Manager Console, and go to Help menu > Registration dialog, or;
• In the Policy Manager Server installation folder, ...\F-Secure\Management Server 5\Data (Windows) or /var/opt/f-secure/fspms/data (Linux), open the file called upstream-statistics.json using notepad. Customer ID is on line 5 and Installation ID is on line 6.

Once support has provided you with an offline registration file, use the following steps to activate it on your Policy Manager Server.

Windows:

1. Copy the offline registration file to the folder F-Secure\Management Server 5\data
2. Restart the F-Secure Policy Manager Server services by typing the following commands in an elevated command prompt (CMD):

    net stop fsms
    net start fsms

Linux:

1. Copy the offline registration file to the folder /var/opt/f-secure/fspms/data
2. Restart the fspms daemon:

    # /etc/init.d/fspms restart

F-Secure Policy Manager will be activated until the expiry of your current subscription. After renewing the subscription you need to request a new registration token from support. Make sure to do this some time in advance so that you don't end up with an expired Policy Manager Server.

Article no: 000001107
Issue: Server Security has scanning errors that cause performance and hanging issues on virtual servers. The application event log shows the error:

    "The description for Event ID 301 from source FSecure-FSecure Application-F-Secure Anti-Virus cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer."

The issue has started on one or more virtual servers at the same time. Lynx.log shows the following error:

    W: ComTransaction::GetResult: Exception: Type: fs::BaseException, Reason: invalid status code 500, Function: fs::rs::AbstractTransaction<class fs::rs::Icap>::getResult, File: "c:\\workspace\\workspace\\spt_lynx\\src\\fsciapi\\svce_common\\transaction.h", Line: 235
    F: ComTransaction::GetResult: Creating a new transaction failed.

Resolution: On virtual servers the scanning is often offloaded to a Scanning and Reputation Server (SRS) to minimize the performance impact. If you have a Scanning and Reputation Server in use, the Event ID 301 error on the client side can be caused by a Scanning and Reputation Server that is having issues.

Restart the Scanning and Reputation Server to see if it helps:

1. Open the virtual machine console.
2. Log in to go to the Admin menu.
3. Select 6 to reboot or shut down the appliance. The Power management menu opens.
4. Select 1 to restart the server.

If a restart of the Scanning and Reputation Server does not fix the issue, follow these steps to install a new one: https://help.f-secure.com/product.html#business/fsvs/latest/en/concept_FAA8187341EF42DA8264EAF45CF42B6B-fsvs-latest-en

If a new installation of the Scanning and Reputation Server does not fix the issue, troubleshoot issues on the server where you have installed the Scanning and Reputation Server.

Article no: 000017702
Issue: F-Secure scan modules for Server Security Premium 12.11 Build 103 are not loaded on the terminal servers. The FSAUA reset tool has already been executed without success. The server is running on Windows Server 2012 R2. When performing a manual scan the error "No scan modules loaded" appears.

Resolution: First make sure you are able to ping your F-Secure Scanning and Reputation Server. If the ping results are ok, then the Agent is most likely down (error: "Reason: Transport is down, Function: fs::rs::Library::newTransaction, File: "library.cpp", Line: 222, Error Code : 34") due to changes possibly made in Policy Manager Server, such as a new installation, a migration, or removed settings.

To make sure your clients are connecting to the F-Secure Scanning and Reputation Server, open Policy Manager Console and check the settings below.

For Clients 12.xx and 13.xx

Open Policy Manager Server/Console in Advanced view and navigate to Offload Scanning Agent. The setting specifies the primary F-Secure Scanning and Reputation Server(s) that are used for remote content inspection and reputation services. The server is defined as <host>[:<port>], where <host> is the IP address or FQDN of the server and <port> is the port number on which the server accepts incoming connections from the client. If the port is not defined, then the default one is used. Use a comma-separated list if multiple servers are used. For example, "192.168.1.10, 192.168.1.12:4344".

Object identifier: 1.3.6.1.4.1.2213.74.1.10.10

For Clients 14.xx

Open Policy Manager Server/Console in Standard view and navigate to Real-time scanning. Make sure your F-Secure Scanning and Reputation Server addresses are correctly configured and the check box is selected.

Article no: 000014714
Issue: How to set up the silent installation for Policy Manager Proxy 14.20? The user is creating a policy-based upgrade and needs to export the installer msi for rollout via group policies.

Resolution:

Clean installations:

For Windows

1. Open Policy Manager Console and create a temporary user with full access permissions for the root domain.
2. Download the Policy Manager Proxy installer: fspm-14.10.88509.exe as an example.
3. Extract the content of the Policy Manager Proxy setup executable. For 14.00 and older, use any archive manager. For 14.10, start the executable and grab all the content from the temporary directory at the root level of the system drive.
4. Transfer admin.pub from Policy Manager to the extracted content.
5. Edit prodsett.ini in the same directory: uncomment and specify values for all properties in the section "F-Secure PM Proxy". Use the credentials of the user created in the first step for the UpstreamPmUserName and UpstreamPmUserPwd properties.
6. On the target host, run "setup.exe /silent" for 14.00 and older. Starting from 14.10 the executable has a name like fspmp-14.10.88509-rtm.exe, so run "fspmp-14.10.88509-rtm.exe /silent".
7. Remove the user created in the first step.

For Linux

1. Open Policy Manager Console and create a temporary user with full access permissions for the root domain.
2. Download the installer: fspmp-14.10.88509-1.x86_64.rpm as an example.
3. Put admin.pub from PM in the directory with the installer.
4. Create a shell script with a name like pmp.sh and the following content:

    # Replace each <...> line in the here-document with the actual value;
    # fspms-config reads one answer per line.
    yum -y update libstdc++
    yum -y install libstdc++.i686
    rpm -i fspmp-14.10.88509-1.x86_64.rpm
    /opt/f-secure/fspms/bin/fspms-config << PMPCONFIG
    <PM address>
    <PM port (usually 443)>
    ./admin.pub
    <PMP http port to be used (usually 80)>
    <PMP httpS port to be used (usually 443)>
    <PM admin username (created at first step)>
    <PM admin password (created at first step)>
    PMPCONFIG

5. Run the script: "./pmp.sh".
6. Remove the user created in the first step.

The same applies to Debian/Ubuntu, but use apt and dpkg instead, so the sh script will look like:

    # Replace each <...> line in the here-document with the actual value.
    apt -y upgrade libstdc++6
    apt -y install libstdc++6:i386
    dpkg -i fspmp_14.10.88509_amd64.deb
    /opt/f-secure/fspms/bin/fspms-config << PMPCONFIG
    <PM address>
    <PM port (usually 443)>
    ./admin.pub
    <PMP http port to be used (usually 80)>
    <PMP httpS port to be used (usually 443)>
    <PM admin username (created at first step)>
    <PM admin password (created at first step)>
    PMPCONFIG

After the script has run, if everything is ok, the PMP host should appear in PMC.

Policy Manager Proxy upgrades:

For upgrades there is no need to configure PMP or generate certificates; it is enough to upgrade the build.

For Windows:

1. Extract the PMP executable content via any archive manager.
2. Run "setup.exe /silent".

For Linux:

    rpm -U fspmp-14.10.88509-1.x86_64.rpm
    dpkg -i fspmp_14.10.88509_amd64.deb

Article no: 000016979
Issue: I distributed an invalid policy to multiple hosts using Policy Manager Console. How can I troubleshoot this or identify which settings were changed and to which hosts they were distributed?

Resolution: To locate this information, you can use the log files available on the server running Policy Manager.

fspms-domain-tree-audit.log

Below is an example of this log file:

    10.10.2019 13:21:59,139 INFO [audit.domainTree] - User 'admin' deleted host with identity 79fee1c5-e85b-4a90-b462-09354abb56fd (id=3)
    10.10.2019 13:22:06,519 INFO [audit.domainTree] - User 'admin' moved host with identity b8a4bb94-2a9a-4830-b45b-8e45a531279c (id=36) to domain CS 14 hosts (id=4)
    22.10.2019 14:14:12,929 INFO [audit.domainTree] - User 'admin' deleted host with identity f4ef246e-61c2-4ac1-949b-f0d3d3be4aa3 (id=35)
    28.10.2019 10:54:20,208 INFO [audit.domainTree] - User 'admin' added domain test domain (id=39) to domain Root (id=1)

This log file allows us to understand host and domain operations (including the root domain). Operations include the following: add, remove, rename, move. In our example, in the last line, the user ADMIN added a new sub-domain "test domain" with id=39.

fspms-policy-audit.log

Below is an example of this log file:

    23.10.2019 12:22:02,929 INFO [audit.policy] - type="lockedOnClient", domainId="36", OID="1.3.6.1.4.1.2213.12.1.111.2.100.100.60", oldValue="false", newValue="true"
    23.10.2019 12:22:02,929 INFO [audit.policy] - type="lockedOnClient", domainId="36", OID="1.3.6.1.4.1.2213.12.1.111.2.100.100.61", oldValue="false", newValue="true"
    23.10.2019 12:22:52,528 INFO [audit.policy] - User="admin" applied the following policy changes:
    23.10.2019 12:22:52,528 INFO [audit.policy] - type="setting", domainId="36", OID="1.3.6.1.4.1.2213.12.1.111.2.100.100.61", oldValue="null", newValue="c:\test\printfile_release.exe"
    23.10.2019 12:23:19,545 INFO [audit.policy] - User="admin" applied the following policy changes:
    23.10.2019 12:23:19,545 INFO [audit.policy] - type="setting", domainId="36", OID="1.3.6.1.4.1.2213.12.1.111.2.100.100.61", oldValue="c:\test\printfile_release.exe", newValue=""
    23.10.2019 12:34:32,557 INFO [audit.policy] - User="admin" applied the following policy changes:

This log file provides an audit trail for setting changes (what setting was changed and how). The sub-domain in Policy Manager Console is reflected by domainId. The actual setting is referred to by the OID:

    23.10.2019 12:22:52,528 INFO [audit.policy] - type="setting", domainId="36", OID="1.3.6.1.4.1.2213.12.1.111.2.100.100.61", oldValue="null", newValue="c:\test\printfile_release.exe"

How do we find the setting 1.3.6.1.4.1.2213.12.1.111.2.100.100.61 in Policy Manager Console?

This is perhaps the trickiest part, because we do not have a list of settings available. However, you can find the settings by using Policy Manager. The part of the OID that identifies the F-Secure company is 1.3.6.1.4.1.2213. The latter part identifies the application and the specific setting in the application. Here we have 12.1.111.2.100.100.61.

See screenshot capture1.pnn: by selecting "F-Secure Anti-Virus" in Policy Manager Console, you can see that the application is "F-Secure Anti-virus" -> "Object identifier" = 1.3.6.1.4.1.2213.12

When we go further inside the settings in "F-Secure Anti-Virus", we can locate the relevant setting here:

    - F-Secure Anti-virus
       -> Settings
          -> Settings for real-time protection
             -> Scanning options
                -> File scanning
                   -> Inclusions and exclusions
                      -> Excluded processes

To give you an example using the syntax we saw in fspms-policy-audit.log:

    23.10.2019 12:22:52,528 INFO [audit.policy] - User="admin" applied the following policy changes:
    23.10.2019 12:22:52,528 INFO [audit.policy] - type="setting", domainId="39", OID="1.3.6.1.4.1.2213.12.1.111.2.100.100.61", oldValue="null", newValue="c:\test\printfile_release.exe"

Based on the information we learned, this entry translates to: Policy Manager Console User=Admin applied the process exclusion "c:\test\printfile_release.exe" for the domain "test domain" (the DomainID was available in fspms-domain-tree-audit.log).

Article no: 000017432
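The manual correlation described above can be scripted so that every change to the Excluded processes setting is listed with its user and domain name. This is an added example, not an F-Secure tool. Assumptions: the log layout is exactly as in the article's samples (the embedded lines are copied from them), changes are attributed to the nearest preceding User="..." header, and values do not contain double quotes.

```python
import re

LINE = re.compile(
    r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}),\d+ INFO \[audit\.(\w+)\] - (.*)$")
PAIR = re.compile(r'(\w+)="(.*?)"')
DOMAIN = re.compile(r"domain (.+?) \(id=(\d+)\)")
USER = re.compile(r'^User="([^"]*)" applied the following policy changes:')

# OID of "Excluded processes", as identified in the article.
EXCLUDED_PROCESSES_OID = "1.3.6.1.4.1.2213.12.1.111.2.100.100.61"

def domain_names(tree_log):
    """Map domain id -> name from fspms-domain-tree-audit.log text."""
    names = {}
    for line in tree_log.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(2) == "domainTree":
            for name, ident in DOMAIN.findall(m.group(3)):
                names[int(ident)] = name
    return names

def policy_changes(policy_log):
    """Parse fspms-policy-audit.log text into one dict per changed value."""
    changes, user = [], None
    for line in policy_log.splitlines():
        m = LINE.match(line.strip())
        if not m or m.group(2) != "policy":
            continue
        header = USER.match(m.group(3))
        if header:
            user = header.group(1)  # applies to the entries that follow
            continue
        fields = dict(PAIR.findall(m.group(3)))
        if "OID" in fields:
            changes.append({"time": m.group(1), "user": user, **fields})
    return changes

def exclusion_changes(changes, names):
    """(time, user, domain, old, new) for each Excluded processes edit."""
    out = []
    for c in changes:
        if c["type"] == "setting" and c["OID"] == EXCLUDED_PROCESSES_OID:
            dom = int(c["domainId"])
            out.append((c["time"], c["user"], names.get(dom, f"id={dom}"),
                        c["oldValue"], c["newValue"]))
    return out

# Sample lines copied from the article (raw strings keep the backslashes).
TREE_LOG = r"""
10.10.2019 13:22:06,519 INFO [audit.domainTree] - User 'admin' moved host with identity b8a4bb94-2a9a-4830-b45b-8e45a531279c (id=36) to domain CS 14 hosts (id=4)
28.10.2019 10:54:20,208 INFO [audit.domainTree] - User 'admin' added domain test domain (id=39) to domain Root (id=1)
"""
POLICY_LOG = r"""
23.10.2019 12:22:02,929 INFO [audit.policy] - type="lockedOnClient", domainId="36", OID="1.3.6.1.4.1.2213.12.1.111.2.100.100.60", oldValue="false", newValue="true"
23.10.2019 12:22:02,929 INFO [audit.policy] - type="lockedOnClient", domainId="36", OID="1.3.6.1.4.1.2213.12.1.111.2.100.100.61", oldValue="false", newValue="true"
23.10.2019 12:22:52,528 INFO [audit.policy] - User="admin" applied the following policy changes:
23.10.2019 12:22:52,528 INFO [audit.policy] - type="setting", domainId="39", OID="1.3.6.1.4.1.2213.12.1.111.2.100.100.61", oldValue="null", newValue="c:\test\printfile_release.exe"
23.10.2019 12:23:19,545 INFO [audit.policy] - User="admin" applied the following policy changes:
23.10.2019 12:23:19,545 INFO [audit.policy] - type="setting", domainId="36", OID="1.3.6.1.4.1.2213.12.1.111.2.100.100.61", oldValue="c:\test\printfile_release.exe", newValue=""
"""

if __name__ == "__main__":
    names = domain_names(TREE_LOG)
    for row in exclusion_changes(policy_changes(POLICY_LOG), names):
        print(" | ".join(str(v) for v in row))
```

Exclusion edits are worth reviewing on a schedule, since each one removes a process from real-time scanning for every host in the affected domain.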