Malware.ACAD/HighLight.C and Malware.ACAD/Burste.K detected infecting Autocad related files with extension .fas and .lsp F-Secure Antivirus is able to detect, but unable to remove the malware.
These files need to be removed manually as per official article from Autocad :- https://knowledge.autodesk.com/support/autocad/troubleshooting/caas/sfdcarticles/sfdcarticles/How-to-remove-fas-and-lsp-virus-from-a-server.html
Article no: 000019918
I've Installed F-Secure Email and Server Security but Windows Defender Real-time Protection is still on. Should I deactivate this when I'm using the F-Secure product?
Yes, Windows Defender should be deactivated when using F-Secure Email and Server Security. Multiple Anti-Virus products running at the same time may cause conflicts. On Windows Server 2016/2019, Windows Defender will not enter passive or disabled mode if you install a third-party antivirus. After installing a third-party antivirus you should uninstall Windows Defender AV on Windows Server 2016 to prevent problems caused by having multiple antivirus products installed on a machine.
Article no: 000002236
Where do you change the settings about alerts and when virus definition updates are considered outdated (old)?
Note: This feature has not yet been implemented in Client Security version 14.x or Server Security 14.x. Client Security 13.x and Server Security 12.x support this feature. In order to change these parameters, do the following:
Log in to your Policy Manager Console Select the Policy domain or Host / where you want to edit the policy on Go to Settings / Advanced view Choose F-Secure Anti-Virus Click Settings Choose Virus Definitions Updates In oder to receive alerts, set Alert Administrator when Virus Definitions Are Old as activated Set the Number of Days for Virus Definitions to Become Old Distribute the policy
Article no: 000005209
After uninstalling F-Secure Server Security 12.12 on a Windows Server 2016 Operating System, the product F-Secure Server Security is still shown in the Apps & Features list Product sttatus is shown as Unavailable Product cannot be removed from the list since the Uninstall and Modify buttons are greyed out Running the F-Secure Uninstallation Tool does not remove the product from the Apps & Features list Product is not shown on the Programs and features list
This issue is only visual and does not affect any new installations of the product. You can remove the product from the list by manually removing the F-Secure Product 1001 registry key by following these steps:
Open Windows Registry editor Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall Right click on F-Secure Product 1001 registry key Select Delete
Article no: 000018904
How will F-Secure Server Security and Client Security clients receive virus definition updates, if the Policy Manager Server is temporarily unreachable?
The client can be set to automatically switch over to the F-Secure Update Server if the Policy Manager Server is unreachable. The client will try for at least one hour (default) or more to reach the designated Policy Manager Server or Policy Manager Proxy. If the client is not able to reach the Policy Manager Server or the Policy Manager Proxy, it will then try to connect to the F-Secure Update Server instead to download the updates. Important: The host on which the F-Secure Client Security or Server Security is installed, must be able to reach required F-Secure domain: http://guts2.sp.f-secure.com
To change this setting, follow these steps:
Log on to your F-Secure Policy Manager Console Select the Policy domain or Host / where you want to edit the policy on Switch to the Advanced view Navigate to F-Secure Automatic Update Agent > Settings > Communication > Allow fetching updates from F-Secure Update Server = Yes To adjust the time until this failover is used, modify the setting here: F-Secure Automatic Update Agent > Settings > Communication > Intermediate Server failover time Distribute the policy
Note: The time setting for the failover must range between 1 hour and 256 days
Article no: 000004400
Our current license certificate does not contain the most recent subscription information or license keys. How can I get an updated license certificate which includes the license keycodes required for when installing or updating to the newest product versions?
To get a new license certificate, proceed to contact your local reseller or F-Secure sales contact. If you are uncertain of who this contact is, kindly create a support ticket here.
Article no: 000001527
Error or issue related to F-Secure components (e.g. Gatekeeper, Firewall, Network Interceptor Framework, Internet Shield) and more advanced debug logs are required to investigate the issue. How to enable advanced debug logging for F-Secure Client Security 13.x and F-Secure (Email and) Server Security 12.x clients?
Note: These instructions are applicable for Client Security 13.x and (Email and) Server Security 12.x clients. Newer products use a different tool to enable debug logging. Follow the steps below to collect F-Secure debug logs.
Download and run the F-Secure debug tool Click Update Debug Files Online Select the components you want to debug (e.g Firewall, Gatekeeper driver) Click Apply Changes Reproduce the issue that was reported and take note of the time Disable debugging by deselecting the components and click Apply Changes Click Collect Logs once the issue is reproduced Locate the FSDIAG on the desktop Send the newly generated FSDIAG log files for investigation and report when the issue was reproduced
Article no: 000002782
How to uninstall F-Secure Server Security 12 or 14 from a Windows Server using the Uninstallation Tool?
If you cannot uninstall F-Secure Server Security from the program and features, you can uninstall it using the F-Secure Uninstallation Tool. Which uninstallation tool you should use depends on the F-Secure Server Security version that is installed on the Windows server. Note: If you have F-Secure Email and Server Security installed on the server, do not use the Uninstallation Tool since a removal can cause issues with the email flow. Note: If you have F-Secure Policy Manager Server installed on the same server, running the UninstallationTool.exe will remove it. F-Secure Server Security 12.x:
Download this uninstallation tool: https://download.f-secure.com/support/tools/uitool/UninstallationTool.exe Open the Command Prompt Navigate to the folder where you have stored the tool Run the following command: UninstallationTool.exe -a --server
F-Secure Server Security 14.x:
Download this uninstallation tool: https://download.sp.f-secure.com/uninstallationtool/FsUninstallationTool.exe Run the uninstallation tool Follow the on-screen instructions
This tool can be ran silently using the command prompt and adding the parameter --silent
Article no: 000015608
Does the server need to be rebooted after installing upgrade from (Email and) Server Security version 12.11 to 12.12?
When upgrading F-Secure Server Security 12.11 to 12.12, a reboot is not required for these upgrades to take effect. When creating the installer you will be given the choice between rebooting or not. For F-Secure Email and Server Security, if a restart is required cannot be reliably predicted. In general it does not require a reboot of the server. Therefore we recommend to perform the upgrade within a service window.
Article no: 000003204
Offload Scanning connection is down during a system restart. After system restarted, the connection is restored after few seconds.
This is expected product behavior if the Offload Scanning connection is established after few seconds during system restart. During system startup, the Offload Scanning Agent (OSA) service will attempt to establish a connection with the Scanning & Reputation Server (SRS). If the connection to SRS is unreachable due to some reason (e.g. Internal network congestion), the service will re-attempt to establish the connection.
Article no: 000018019
Server Security has scanning errors and causing performance and hanging issues on virtual servers. Application event log shows error: "The description for Event ID 301 from source FSecure-FSecure Application-F-Secure Anti-Virus cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer." Issue has started on one or more virtual servers at the same time. Lynx.log shows following error: W: ComTransaction::GetResult: Exception: Type: fs::BaseException, Reason: invalid status code 500, Function: fs::rs::AbstractTransaction<class fs::rs::Icap>::getResult, File: "c:\\workspace\\workspace\\spt_lynx\\src\\fsciapi\\svce_common\\transaction.h", Line: 235 F: ComTransaction::GetResult: Creating a new transaction failed.
On virtual servers the scanning is often offloaded to a Scanning and Reputation Server (SRS) to minimize the performance impact. If you have an Scanning and Reputation Server in use, the Event ID 301 error on the client side can be caused by an Scanning and Reputation Server that is having issues. Restart the Scanning and Reputation Server to see if it helps:
Open the virtual machine console Log in to go to the Admin menu Select 6 to reboot or shut down the appliance The Power management menu opens Choose: Select 1 to restart the server
If a restart of the Scanning and Reputation Server does not fix the issue, follow these steps to install a new one: https://help.f-secure.com/product.html#business/fsvs/latest/en/concept_FAA8187341EF42DA8264EAF45CF42B6B-fsvs-latest-en If a new installation of the Scanning and Reputation Server does not fix the issue, troubleshoot issues on the server where you have installed the Scanning and Reputation Server.
Article no: 000017702
Unable to change Management Server Address on Client Security or Server Security hosts because the public and private admin keys do not match. Need to migrate hosts between two Policy Manager Servers without having to do a re-installation of the software client side.
If your Policy Manager ONLY manages clients running Client Security 14.00 or newer, you can create a Keyreplacer yourself with a tool that can be provided to you by support. The tool comes with instructions on how to create the keyreplacer-file. You will need to know the IP-address or hostname of the new Policy manager, the http- and https-ports that it uses, and depending on the situation, its admin.pub-file (see steps to download admin.pub below). To deploy the keyreplacer, see steps for "Instruction to deploy the Key Replacer fix" below. In case you are also managing other installations, kindly provide us with the following information from the new Policy Manager for assistance to create Key Replacer fix.
Admin.pub file The Policy Manager management address The http- and https-ports used by the Policy Manager
( On Linux systems the port information can be found in the following log: /var/opt/f-secure/fspms/logs/fspms-stderrout.log ) To download admin.pub file, please follow these steps:
Login to the PM console In the top menu, click Tools > Server Configuration > Keys Click Export to download admin.pub and admin.prv files
Attach the admin.pub file to your e-mail reply and we will create the Key Replacer hotfix file for you.
Instruction to deploy the Key Replacer fix
Please close the Policy Manager Console and stop Policy Manager Server service in services.msc
You can also stop Policy Manager service by opening a command prompt with elevated mode and typing in the below command. net stop fsms
Configure the registry on the Policy Manager Server
Locate this registry key: "HKEY_LOCAL_MACHINE\SOFTWARE\Data Fellows\F-Secure\Management Server 5" for - 32bits OS "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\Data Fellows\F-Secure\Management Server 5" for - 64bits OS
Right-click on Management Server 5 Registry Key and add a new String Value with the following:
Name: additional_java_args Data field: -DallowUnsignedWithRiwsAndMibs=true Note: Please don't remove the -D on the beginning of the string or it will not work properly.
The same works for Linux, but you need to use config file /etc/opt/f-secure/fspms/fspms.conf instead of the registry. Create a new line with parameter additional_java_args and specify Java system properties in its value in quotes in the following format: -DpropertyName=value. Multiple properties can be specified using space as a delimiter. Property names and values are case sensitive.
Example: additional_java_args=-DallowUnsignedWithRiwsAndMibs=true -Dh2ConsoleEnabled=true -DmaxSynchronousPackageRetrievalRequests=100
Start the Policy Manager Server service and open the Policy Manager Console Go to the Installation-tab and click Installation packages Click Import to import "KeyReplacer_unsigned.jar" file to the Policy Manager Console as an Installation package Deploy the KeyReplacer file to all clients, for example using a policy-based installation
After the deployment is finished import the hosts in the Policy Manager Console by going to the Installation tab and clicking "Import new hosts".
Article no: 000003212
Carbonblack sensor and Server Security causing BSOD during reboot
When both products, Server Security and CarbonBlack sensor, are installed on the same server, BSOD occurs on every reboot. The problem is related to Windows Firewall. Existence of our drivers/services increases the chance of an MS bug to appear. Possibly our services issue some specific network requests, which cause memory corruption in the Windows firewall engine (memory corruption goes very deep into MS code of the firewall). This is an essential bug in the MS engine (possibly even a security vulnerability if such memory corruption could be made on request). This has been already reported to Microsoft. The workaround/solution is to stop MS firewall before reboot or try to relax/change firewall rules on the server. More information about Carbon Black: https://www.carbonblack.com/
Article no: 000016167
DNS resolution for certain sites are blocked with the product installed. How to avoid this from happening?
Most likely the DNS resolution is blocked by the Botnet Blocker feature. The site is rated as unsafe and hence blocked by the feature. You need to do the following: 1. Share the URL with the Labs team, for further investigation. The Labs team will whitelist the URL if the site is not malicious: https://www.f-secure.com/en/web/labs_global/submit-a-sample#sample-url 2. Whitelist the blocked site or the IP address of the blocked site via the Advanced View in the PM Console at: ======================================================================== * F-Secure Browsing Protection > Settings > Reputation Based Protection > Trusted Hosts * F-Secure Browsing Protection > Settings > Reputation Based Protection > Trusted Sites ========================================================================
Article no: 000003887
The administrator receives the following alert from a server running Server Security and Microsoft SQL Server: "F-Secure Management Agent failed in an internal operation. Setting the policy variable 188.8.131.52.4.1.2184.108.40.206.20 (error=-510)" was not successful."
The server in question was hosting multiple instances for SQL Server 2016.
Due to a limitation in the current software, the internal table for storing "missing updates" cannot accept multiple identical rows and Software Updater was detecting a missing update on both instances for MS SQL Server. Consequently, adding the second missing patch to "missing updates" table failed with error -510: "Set result: your table contains multiple identical rows". A fix for this issue will be released later 2019 in Client Security version 14.20. Server Security will also inherit the fix, once F.Secure releases a new version.
Article no: 000016213