Business Suite

Sort by:
Issue: Offload Scanning connection is down during a system restart. After system restarted, the connection is restored after few seconds. Resolution: This is expected product behavior if the Offload Scanning connection is established after few seconds during system restart. During system startup, the Offload Scanning Agent (OSA) service will attempt to establish a connection with the Scanning & Reputation Server (SRS). If the connection to SRS is unreachable due to some reason (e.g. Internal network congestion), the service will re-attempt to establish the connection. Article no: 000018019
View full article
Issue: How can we configure a scheduled manual scan to only alert on detections (report only)? Resolution: This is currently not supported, but we are planning to improve this in upcoming versions of both Client Security 14.20 and Server Security 14.10. Both versions are expected to be released during the first half of 2020. Article no: 000017966
View full article
Issue: After upgrading from version F-Secure Server Security 12.12 to 14.00 on terminal servers, these servers have freezing, hanging and performance issues.  Unable to access the server, remote logins are only possible if all F-Secure services are disabled. Resolution: In such scenarios, there is most likely a hang in ORSP Client, which prevents ulcore from updating. This can be seen in the lynx.log: 2019-09-29 09:36:35.468 [09e8.3330] .W: fs::rs::WinSocket::Impl::connect: Cannot resolve address doorman.sc.fsapi.com 2019-09-29 15:38:08.728 [09e8.2428] .W: fs::rs::WinSocket::Impl::connect: Cannot resolve address doorman.sc.fsapi.com 2019-09-29 21:41:59.136 [09e8.3410] .W: fs::rs::WinSocket::Impl::connect: Cannot resolve address doorman.sc.fsapi.com 2019-09-30 03:44:05.294 [09e8.2a0c] .W: fs::rs::WinSocket::Impl::connect: Cannot resolve address doorman.sc.fsapi.com 2019-10-01 10:04:33.890 [09e8.2670] .W: fs::rs::WinSocket::Impl::connect: Cannot resolve address doorman.sc.fsapi.com When a new object, such as a file or URL, is encountered on one client, the product communicates with the Security Cloud using the strongly encrypted Object Reputation Service Protocol (ORSP) to query for the object's reputation details. Anonymous metadata about the object, such as file size and anonymized path, are sent to the Security Cloud.  In this case, the reason of this hang is that queries to doorman.sc.fsapi.com, one of our back-ends, is blocked. To solve the issue, follow these steps: You need to allow f-secure.com and fsapi.com in your Firewall or External Proxy An other option is, to setup a HTTP Proxy instead of trying to allow fsapi.com, which would be allowed to connect and client will be configured to use the Proxy.  After you have set your Proxy, make sure you configure the HTTP Proxy address in the Policy Manager Console. Please refer to the screenshot below where to add the HTTP Proxy address. If the HTTP Proxy is not an option for you, you can switch OFF security cloud in the settings, as currently the connection to Security Cloud is blocked.  You may find more information about the Security Cloud here. Article no: 000017219
View full article
Issue: After upgrading Server Security to version 14.00, the NTUSER.DAT file is often corrupted when loading server-based profiles Same issue with upgrade to Client Security 14.10  Resolution: Avdaemon.dll is doing multiple service tasks. One of tasks is the setting conversion and resolving paths environment profiles e.g. %desktop% using user profile and loads each profile into memory. In this case Windows cannot find the local profile and is logging the user with a temporary profile. Changes you make to this profile will be lost when you log off. Ransomware loads user profile aka ntuser.dat to resolve protected path. It seems that it is doing it, even if anti-Ransomware is off. This issue will be fixed in the next versions of the products.  Currently we have hotfix FSCS1410-HF11 that fixes the issue, but before applying the hotfix, which contains a new avdaemon.dll file, make sure the steps below help you resolve the issue: Contact F-Secure support and we will provide you with the hotfix FSCS1410-HF11 and the new avdaemon.dll file Rename avdaemon.dll on one of the affected hosts and restart fshoster service to see if this helps. The avdaemon.dll is located here: C:\Program Files (x86)\F-Secure\Client Security and C:\Program Files (x86)\F-Secure\Server Security If the renaming avdaemon.dll solves the issue, replace the avdaemon.dll file with the fixed version and restart the fshoster service If the replacement helped, you can apply hotfix FSCS1410-HF11 on all of your affected clients Follow these steps to install the hotfix to centrally managed computers: Log into F-Secure Policy Manager Console  Select Installation tab Click Installation packages  Import the hotfix jar file Select appropriate domain or host from the Domain Tree press Install  Select this hotfix FSCS1410-HF11 Distribute policies Article no: 000012303
View full article
Issue: The symptoms include clients are unable to download updates from the Policy Manager Server clients are unable to upload status information to the Policy Manager Server and will eventually show up in Policy Manager Console as disconnected hosts However, clients might still be able to download updates because in the default configuration, fallback to F-Secure update servers is allowed. A couple of logfiles on the endpoont help to establish, if the client is having a connection problem due to the firewall blocking access on the server. Examples are for Client Security 14 but also apply for Server Security 14 and later. Policy Manager Server here is pms.acme.com listening on default ports 80 and 443. C:\ProgramData\F-Secure\Log\AUA\Aua.log 2019-10-02 12:07:25.311 [15d4.1d50]  I: Connecting to pms.acme.com:80/guts22019-10-02 12:07:46.349 [15d4.1d50]  I: Update check failed, error=110 (connection timed out) Same is also visible in this logfile: 2019-10-02 12:17:37.502 [15d4.1d68]  I: UpdatablePmCertVerifier::RenewCertificates: Renewing certificates from pms.acme.com:443 with HTTP proxy ''2019-10-02 12:17:58.535 [15d4.1d68] *E: UpdatablePmCertVerifier::RenewCertificates: Failed to download certificate bodies (FsHttpRequest::Error_Timeout, AsyncSendRequest failed: 12002)2019-10-02 12:18:07.536 [15d4.1d68]  I: UpdatablePmCertVerifier::RenewCertificates: Renewing certificates from pms.acme.com:443 with HTTP proxy '' Error 12002 translates to  12002 ERROR_INTERNET_TIMEOUT The request has timed out. Resolution: Server Security 14 uses the Windows Firewall. It is likely that the ports that the HTTP and HTTPS services are using are blocked in the firewall on the server where Policy Manager Server is installed in. This would cause the clients to be unable to be in contact with the Policy Manager Server.   To resolve the issue, create a firewall rule allowing inbound HTTP and HTTPS traffic to the server where Policy Manager Server is installed.  You can find instructions how to create firewall rules in Policy Manager 14 in this guide. Things to consider: Make sure, the firewall rule is enabled. This is the first checkbox in the Firewall rules table. Make sure, the Server profile containing the rule is assigned as the "Server host profile". In the example below, the profile is called Server (cloned). The other rules in the profiles in this screenshot are also activated but this is is not needed to meet client Policy Manager Server communication requirements. As this particular rule is only required for the server host running Policy Manager Server, we have selected the server before making the change (the server called here DC1-PETERF)   Article no: 000016843
View full article
Issue: FSMAUTIL is no longer available for F-Secure Server Security/Client Security 14.x, how to reset the host UID? Resolution: In F-Secure Server Security/Client Security 14.x, there is a new tool introduced called resetuid.exe to reset the host identity. This tool will replace FSMAUTIL (F-Secure Management Agent Utility) for both the products. The tool can be found in C:\Program Files (x86)\F-Secure\Client Security\BusinessSuite\ (Client Security 14.x) or  C:\Program Files (x86)\F-Secure\Server Security\BusinessSuite (Server Security 14.x). Usage: RESETUID SHOWUID  Shows the host Unique Identity currently in use. RESETUID RESETUID {SMBIOSGUID | RANDOMGUID | WINS | MAC} [APPLYNOW] Schedules regeneration of the host Unique Identity using one of the specified methods: SMBIOSGUID        - uses SMBIOS GUID RANDOMGUID      - uses randomly generated GUID WINS                      - uses WINS (NetBIOS) name MAC                       - uses MAC (ethernet card) address APPLYNOW           - If the product is running, requests to apply new Unique Identity immediately. Otherwise, it is applied to the next start of the product. Article no: 000008416
View full article
Issue: Visible effects: Windows Server operating system with Server Security 14.00 installed is hanging Windows Desktop operating system with Client Security 13.00 or newer installed is hanging Resolution: UPDATE: The issue related to F-Secure Ultralight Core Update 2019-10-01_01 has now been fixed in the latest Ultralight Core Update, which is available as an automatic update by name  F-Secure Ultralight Core Update 2019-10-22_01. However, if you are still facing similar issues after the update fix, this may happen if F-Secure product have F-Secure Security Cloud Client enabled, but don't have access allowed to fsapi.com address. To resolve this issue, make sure that you have allowed access to fsapi.com from your environment. In case you have isolated environment, or otherwise cannot allow access to fsapi.com, disable F-Secure Security Cloud Client via Policy Manager Console: Log in to Policy Manager Console. Go to Settings tab. Select Advanced view. Navigate to: F-Security Security Cloud Client > Settings > Client is enabled. Select No from the drop-down menu. Make sure that the setting is locked. Distribute policies (CTRL-D). In case you should not have restricted network access, or if above steps didn't help, contact F-Secure support for further assistance. Article no: 000016583
View full article
Issue: How to create a custom firewall rule (service)? Resolution: To create a custom firewall rule over the Policy Manager Console: For Client Security 14 Open the Policy Manager Console and go to the Settings-tab Go to Firewall, using Standard view (changeable in the upper right corner) Make sure the 14.X clients-tab is selected Select the profile you want to edit from the Profile being edited-dropdown menu (if the list only contains the default profiles, clone the one you want to use as a base as the defaults can't be modified) Click Add rule on the right of the firewall rules list and create the rule as needed (see step 6 if the service required is missing) If the service you want to add is missing, click on Configure network services below the firewall rule list. Click Add and follow the steps to add a new firewall service Check the Enabled-checkbox to the left of the rule name to make sure that it is in use Distribute the new policy by clicking the symbol in the upper left corner of the interface, or by pressing Ctrl+D For Client Security 13 Open the Policy Manager Console and go to the Settings-tab  Go to the Advanced view Select F-Secure Internet Shield  Go to Settings and select Services Press Add and create a custom rule Go to Rules and select the firewall Security Level you want to work with Press Add before/Add after and select the rule you have created Distribute the new policy by clicking the symbol in the upper left corner of the interface, or by pressing Ctrl+D Note: Make sure, that the correct Security Level is assigned to the workstations: <F-Secure Internet Shield>Security Level> Active Security Level>. To create a custom firewall rule locally on the workstation: In Client Security 14 In versions 14.00 and later, rules are added through the Windows firewall settings. You can reach them through the Client Security user interface: Open F-Secure Client Security Click on Tools Click on Firewall settings Click on the Change Windows Firewall settings...-link to be brought to the Windows firewall settings In Client Security 13 Open F-Secure Client Security Go to Settings and select Internet Connection Go to Firewall and select Services Press Add and create a custom rule Go back to Firewall and select Rules Select the firewall Security Level you want to work with Press Add and select the rule you have created Press OK Additional information can be found here: https://community.f-secure.com/t5/Business-Suite/How-do-I-create-a-custom/ta-p/116212 https://community.f-secure.com/t5/Business-Suite/How-do-I-create-a-custom/ta-p/116213 Article no: 000002698
View full article
Issue: How do I run a manual scan using the command line on F-Secure Server Security 14.x or Client Security 14.x? Resolution: The command line option to execute a manual scan can be either used to run a scan on-demand. Additionally the command and the arguments can be used to fill the "Generic" scheduled scan task specific parameters. To run the task locally via command line: Press the Windows button Search for cmd.exe and press Enter Navigate to your F-Secure client's installation directory (for example: cd C:\Program Files (x86)\F-Secure\) For Client Security, navigate further to the Client Security directory. For Server Security, navigate to the Server Security directory. Type in fsscan.exe and add any of the below arguments/options, then press Enter The scan will be executed and further details will be returned in the command window Example 1 Retrieving information on available options: C:\Program Files (x86)\F-Secure\Client Security>fsscan -?   Usage: fsscan [options] Options: --sched, -s     Runs a scan optimized for scheduled scanning --target, -t <target> Scans the given <target> --report, -r <report> Writes an unformatted report to <report> file (only with -c) --delete, -d Deletes all harmful files found --collection, -c Runs a scan optimized for large collections of harmful files --noflyer, -f Skip showing scheduled scanning flyer -?, -h, --help Displays this help Example 2 Scanning a specific directory ( downloads directory of the user Foo) : C:\Program Files (x86)\F-Secure\Client Security>fsscan.exe -t C:\Users\Foo\Downloads\   Setting up a scheduled scan on a specific directory via Policy Manager Console: Log on to your F-Secure Policy Manager Console. Select the Policy domain   or Host   /   where you want to edit the policy on. In the Settings, select the Manual Scan item Go to the table under Scheduled scanning Add a new row Choose Task Type = Generic Edit the Task Type Specific Parameters, for example to scan the downloads directory of the user Foo: C:\Program Files (x86)\F-Secure\Server Security\fsscan.exe -t C:\Users\Foo\Downloads Exit the table Distribute the policy  Article no: 000011456
View full article
Issue: Security Cloud Client is not connected on Server Security 14.x / Client Security 14.x Resolution: Make sure that the affected F-Secure host is allowed to connect to the URL orsp.f-secure.com. If this host requires a connection via HTTP proxy to access this URL, you have to configure these settings via the F-Secure Policy Manager Console: Log on to your F-Secure Policy Manager Console. Select the Policy domain   or Host   /   where you want to edit the policy on. Switch to the Advanced view. Go to F-Secure Security Cloud Client > Settings > HTTP Proxy. Modify the value to suit your HTTP proxy requirements: 'http://server:port', e.g. 'http://my.domain.com:1234' Distribute the policy  . Note: If there is no parameter set under F-Secure Security Cloud Client > Settings > HTTP Proxy, the F-Secure Security Cloud Client will use the proxy configuration from the F-Secure Automatic Update Agent (AUA) by default: F-Secure Automatic Update Agent > Settings > Communications > HTTP settings > Use HTTP proxy Note: Server Security 14.00 and Client Security 14.x do not support proxy authentication. Article no: 000014893
View full article
Issue: Unable to change Management Server Address on Client Security or Server Security hosts because the public and private admin keys do not match. Need to migrate hosts between two Policy Manager Servers without having to do a re-installation of the software client side.  Resolution: If your Policy Manager ONLY manages clients running Client Security 14.00 or newer, you can create a Keyreplacer yourself with a tool that can be provided to you by support.  The tool comes with instructions on how to create the keyreplacer-file. You will need to know the IP-address or hostname of the new Policy manager, the http- and https-ports that it uses, and depending on the situation, its admin.pub-file (see steps to download admin.pub below). To deploy the keyreplacer, see steps for "Instruction to deploy the Key Replacer fix" below. In case you are also managing other installations, kindly provide us with the following information from the new Policy Manager for assistance to create Key Replacer fix. Admin.pub file The Policy Manager management address The http- and https-ports used by the Policy Manager ( On Linux systems the port information can be found in the following log: /var/opt/f-secure/fspms/logs/fspms-stderrout.log ) To download admin.pub file, please follow these steps: Login to the PM console In the top menu, click Tools > Server Configuration > Keys Click Export to download admin.pub and admin.prv files Attach the admin.pub file to your e-mail reply and we will create the Key Replacer hotfix file for you. Instruction to deploy the Key Replacer fix Please close the Policy Manager Console and stop Policy Manager Server service in services.msc You can also stop Policy Manager service by opening a command prompt with elevated mode and typing in the below command. net stop fsms Configure the registry on the Policy Manager Server Locate this registry key: "HKEY_LOCAL_MACHINE\SOFTWARE\Data Fellows\F-Secure\Management Server 5" for - 32bits OS "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\Data Fellows\F-Secure\Management Server 5" for - 64bits OS Right-click on Management Server 5 Registry Key and add a new String Value with the following: Name: additional_java_args Data field: -DallowUnsignedWithRiwsAndMibs=true Note: Please don't remove the -D on the beginning of the string or it will not work properly.   The same works for Linux, but you need to use config file /etc/opt/f-secure/fspms/fspms.conf instead of the registry. Create a new line with parameter additional_java_args and specify Java system properties in its value in quotes in the following format: -DpropertyName=value. Multiple properties can be specified using space as a delimiter. Property names and values are case sensitive. Example: additional_java_args=-DallowUnsignedWithRiwsAndMibs=true -Dh2ConsoleEnabled=true -DmaxSynchronousPackageRetrievalRequests=100   Start the Policy Manager Server service and open the Policy Manager Console Go to the Installation-tab and click Installation packages Click Import to import "KeyReplacer_unsigned.jar" file to the Policy Manager Console as an Installation package Deploy the KeyReplacer file to all clients, for example using a policy-based installation After the deployment is finished import the hosts in the Policy Manager Console by going to the Installation tab and clicking "Import new hosts". Article no: 000003212
View full article
Issue: F-Secure scheduled scan causes high CPU usage. How can I reduce this? Resolution: Follow the steps below to change the priority of the scan from "Normal" to "Background" to improve the host performance during scheduled scanning: Open F-Secure Policy Manager console. Click on the Settings tab. Select Advanced view. Click F-Secure Anti-Virus. Click Settings. Click Settings for Manual Scanning. Click Scanning Options. Change the Priority value to Background. Article no: 000001585
View full article
Issue: DNS resolution for certain sites are blocked with the product installed. How to avoid this from happening? Resolution: Most likely the DNS resolution is blocked by the Botnet Blocker feature. The site is rated as unsafe and hence blocked by the feature. You need to do the following: 1. Share the URL with the Labs team, for further investigation. The Labs team will whitelist the URL if the site is not malicious: https://www.f-secure.com/en/web/labs_global/submit-a-sample#sample-url 2. Whitelist the blocked site or the IP address of the blocked site via the Advanced View in the PM Console at: ======================================================================== * F-Secure Browsing Protection > Settings > Reputation Based Protection > Trusted Hosts * F-Secure Browsing Protection > Settings > Reputation Based Protection > Trusted Sites ======================================================================== Article no: 000003887
View full article
Issue: Universal CRT is not installed therefore Client Security 14.x/Server Security 14.00 installation fails. In Policy Manger Console, push installations result in the error message Installation failed. MSI error code is 1603. The following error can be seen in Windows Application Event Logs: Product: F-Secure Client Security [Premium] 14.XX/F-Secure Server Security [Premium] 14.XX -- Universal CRT is not installed  Resolution: The latest version of Client Security 14.x/Server Security 14.00 requires Windows Universal C Runtime. Download and install Windows Universal C Runtime from the link here before installing F-Secure Client Security 14.x/Server Security 14.00.   Article no: 000008994
View full article
Issue: When launching Citrix sessions/applications, the F-Secure system tray icon will also appear on the end-users machine, and will remain on the machine after closing the Citrix application. The F-Secure process for the user needs to be closed separately from the Citrix side to fully terminate the session. Resolution: The icon appears due to Citrix Seamless Configuration Settings. More information is available from the following link from Citrix: https://support.citrix.com/article/CTX101644&searchID=26517783 One option to test is to disable the Citrix tray icon agent, which can be done by adding the following registry key to every VDA machine: HKEY_LOCAL_MACHINE/System/CurrentControlSet/Control/Citrix/wfshell/TWI  SeamlessFlags:REG_DWORD = 0x20 It is strongly recommended to familiarize yourself with the information from Citrix before testing the solution, and to do a small-scale test before deploying any changes to production. Article no: 000014850
View full article
Issue: Carbonblack sensor and Server Security causing BSOD during reboot Resolution: When both products, Server Security and CarbonBlack sensor, are installed on the same server, BSOD occurs on every reboot. The problem is related to Windows Firewall. Existence of our drivers/services increases the chance of an MS bug to appear. Possibly our services issue some specific network requests, which cause memory corruption in the Windows firewall engine (memory corruption goes very deep into MS code of the firewall). This is an essential bug in the MS engine (possibly even a security vulnerability if such memory corruption could be made on request). This has been already reported to Microsoft.  The workaround/solution is to stop MS firewall before reboot or try to relax/change firewall rules on the server. More information about Carbon Black: https://www.carbonblack.com/ Article no: 000016167
View full article
Issue: After upgrading to F-Secure Client Security 14.10 or F-Secure Server Security 14 Client keeps asking for restart with notification "restart required F-Secure product received a critical update. To keep your protection up to date, restart your computer. Remember to save your work" After a restart the same notification is shown again F-Secure Ultralight services are not listed in the Windows services list Capricorn update is missing from Updates list in the local user interface Note: If you click on the view log file button in the Updates view, it will bring you to the aua.log, where you can see similar entries:  I: Installation of 'F-Secure Ultralight Core Update 2019-08-22_01' : Processing  I: Installation of 'F-Secure Ultralight Core Update 2019-08-22_01' : Retry at restart  I: Installation of 'F-Secure Hydra Update 2019-08-28_04' : Processing  I: Update check completed successfully  I: Installation of 'F-Secure Hydra Update 2019-08-28_04' : Retry at restart Resolution: This issue is related to Ultralight not installing or updating correctly. You can install one of the hotfixes bellow to solve the problem: FSCS1410-HF01 FSCS1410-HF02 FSCS1410-HF07 Note: All these Hotfixes are applicable for Server Security 14.00 and Client Security 14.10 These hotfixes are not publicly available from our homepage. Open a support request and our customer service team can send you the hotfixes. If these hotfixes do not resolve the issue and Capricorn update is still missing from the Updates list, you can try removing the Capricorn update from your Policy Manager Server and re-download it. Follow these steps to re-download Capricorn update on your Policy Manager Server: Stop Policy Manager Server Service Delete the following folder: C:\Program Files (x86)\F-Secure\Management Server 5\data\guts2\updates\capricorn-win64 Start Policy Manager Server Service The Policy Manager Server will now re-download the missing Capricorn update. Wait for 30 minutes and check from the client if it has now been able to download and install Capricorn.   Article no: 000014676
View full article
Issue: When a Citrix application is published for end users, traces of the server's F-Secure Server Security session also follows. Visible effects are: when the user logs off the Citrix session, the F-Secure process fshoster32.exe remains running an F-Secure system tray icon becomes visible on the end-user's desktop performance degradation due to many fshoster32.exe processes running.  When the user's fshoster32.exe process is ended manually on the Citrix side, the icon disappears and the user's session closes. Resolution: For more information about this situation and a suggested registry change that can be used to end processes together with the main executable, read the following Citrix knowledge base article: Graceful Logoff from a Published Application Renders the Session in Active State. The following registry key has been confirmed by customers: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI Value Name:LogoffCheckSysModules Type:REG_SZ String:fshoster32.exe Make sure to familiarize yourself with the information from Citrix before making any changes to your environment. Also, confirm with a small scale test before pushing changes to production. Article no: 000015484
View full article
Issue: I am unable to have connectivity for my computer running a Business Suite product. We are using WPAD (Web Proxy Auto-Discovery protocol) to deploy http proxy server settings. Does Business Suite support WPAD for http proxy setting deployment? Resolution: WPAD is not officially tested nor supported by the Business Suite products, including Policy Manager. Article no: 000010593
View full article
This article applies to Client Security 14.x and later Server Security 14.x and later
View full article
F-Secure has released a new generation engine for one of our core scanning engines, which, at F-Secure, we call Capricorn. The engine change brings...
View full article