- After upgrading Server Security to version 14.00, the NTUSER.DAT file is often corrupted when loading server-based profiles
- Same issue with upgrade to Client Security 14.10
Avdaemon.dll performs several service tasks. One of them is converting settings and resolving environment paths in profiles, e.g. %desktop%, using the user profile; to do this it loads each profile into memory. In this case Windows cannot find the local profile and logs the user on with a temporary profile. Changes you make to this profile will be lost when you log off. The anti-ransomware feature loads the user profile (ntuser.dat) to resolve protected paths, and it seems to do so even if anti-ransomware is off. This issue will be fixed in the next versions of the products. Currently we have hotfix FSCS1410-HF11 that fixes the issue, but before applying the hotfix, which contains a new avdaemon.dll file, make sure the steps below help you resolve the issue:
1. Contact F-Secure support and we will provide you with the hotfix FSCS1410-HF11 and the new avdaemon.dll file.
2. Rename avdaemon.dll on one of the affected hosts and restart the fshoster service to see if this helps. The avdaemon.dll file is located in C:\Program Files (x86)\F-Secure\Client Security and C:\Program Files (x86)\F-Secure\Server Security.
3. If renaming avdaemon.dll solves the issue, replace the avdaemon.dll file with the fixed version and restart the fshoster service.
4. If the replacement helped, you can apply hotfix FSCS1410-HF11 on all of your affected clients.
Follow these steps to install the hotfix to centrally managed computers:
1. Log into F-Secure Policy Manager Console.
2. Select the Installation tab.
3. Click Installation packages.
4. Import the hotfix jar file.
5. Select the appropriate domain or host from the Domain Tree and press Install.
6. Select this hotfix, FSCS1410-HF11.
7. Distribute policies.
Article no: 000012303
Policy Manager Console is unable to import Client Security for Mac 13.12 jar file. Error "Cannot import 'fscsmac-13.12-rtm.jar": 'ClassPath' entry in section(s) 'InstallationWizard' and 'UninstallationWizard' does not point to wizard entities" is shown when importing.
You have to upgrade your F-Secure Policy Manager to version 14.20 before importing Client Security for Mac 13.12 installation package. You can find all the latest installers from our Support and downloads page. For more information refer to the help guide.
Article no: 000017540
How can I find out what was the last policy issued to a host in Policy Manager Console?
Check the screenshot below. This shows the field Policy file timestamp, which reflects when the policy file for this host was created. The same screen also indicates whether the host has this latest policy in use: the column Policy in use states Latest. However, some of these fields are not visible by default (e.g. Policy in use). To enable or disable them, right-click the column header and left-click to enable or disable different fields.
Article no: 000017386
I need to enable or disable the Browsing Protection feature on some clients. How can I do it centrally using Policy Manager Console?
Open F-Secure Policy Manager:
1. Go to Settings [Standard view] > F-Secure Browsing Protection.
2. Uncheck or check the box to disable or enable Browsing Protection.
After you have chosen your setting, make sure that the padlock is closed. After that you can distribute the policies (Ctrl+D).
Note: F-Secure Browser Protection is an integrated module within the package that can only be deactivated via Policy Manager or locally from the client.
If you have disabled Browsing Protection for your clients and you want to hide the browser plugin deactivated message in the main local UI, ask customer support to provide you with the file FSCS1410-HF03-signed.jar when you submit a ticket. This specific hotfix removes the notification about disabled Browsing Protection from the UI while it is disabled.
Distribution details for centrally managed hosts:
1. Log in to F-Secure Policy Manager Console.
2. Select the Installation tab.
3. Click Installation packages and select Import to import the downloaded hotfix jar file.
4. Select the appropriate domain or host and press Install.
5. Select the hotfix.
6. Distribute policies.
Article no: 000004715
Firewall rules made with Policy Manager 14.x are not operational on Client Security 14.x clients. Firewall rules pushed from Policy Manager 14.x to Client Security 14.x clients do not appear in the Windows firewall.
Check that you have edited the same firewall profile that is in use on the client. This can be done by following these steps:
1. Open F-Secure Policy Manager Console.
2. Select the host or domain from the Domain tree.
3. Go to the Settings tab.
4. Go to the Firewall page.
5. Check that Host profile and Profile being edited match.
If they match, the reason why the rule is not applied on the client is because it is an invalid rule. If the rule has many IP addresses in it, make sure that you have used a comma ( , ) in between each IP range as a value separator. Using a space or semicolon ( ; ) in between the IP ranges will invalidate the rule and it will not be visible in the Windows Firewall.
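A pre-flight check for the separator rule above, as an added example (not F-Secure code): it flags spaces and semicolons in a rule's address list and returns the comma-separated form. The accepted entry forms (single IP, CIDR block, start-end range) and the function names are assumptions of this example.

```python
import ipaddress
import re


def _validate_entry(entry):
    """Raise ValueError unless entry is an IP, a CIDR block or a start-end range.

    These three entry forms are an assumption of this example.
    """
    if "-" in entry:
        start_s, end_s = entry.split("-", 1)
        start = ipaddress.ip_address(start_s)
        end = ipaddress.ip_address(end_s)
        if start.version != end.version or int(start) > int(end):
            raise ValueError("range start must not be above range end")
    elif "/" in entry:
        ipaddress.ip_network(entry, strict=False)
    else:
        ipaddress.ip_address(entry)


def check_address_list(value):
    """Return (problems, comma_separated) for a firewall rule address list.

    A space or a semicolon between entries is reported, because the article
    says either one invalidates the rule. The second element is the same
    list joined with commas only.
    """
    problems = []
    text = value.strip()
    if ";" in text:
        problems.append("semicolon used as separator")
    if re.search(r"\s", text):
        problems.append("whitespace used as separator")
    entries = [t for t in re.split(r"[,;\s]+", text) if t]
    for entry in entries:
        try:
            _validate_entry(entry)
        except ValueError as exc:
            problems.append(f"invalid entry {entry!r}: {exc}")
    return problems, ",".join(entries)


if __name__ == "__main__":
    # Constructed sample value mixing the two separators the article warns about.
    sample = "10.0.0.0/24; 192.168.1.10-192.168.1.20 172.16.0.1"
    found, fixed = check_address_list(sample)
    for problem in found:
        print("problem:", problem)
    print("use instead:", fixed)
```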
Article no: 000011310
Configured Application Control for Client Security 13.x hosts in Policy Manager 14.x but it does not stop the applications from launching
F-Secure Client Security 13 version does not support the Application control feature which is the reason why applications are still able to be launched after configuring the feature through F-Secure Policy Manager 14. The Application control feature is supported by F-Secure Client Security version 14 and newer. You will need to upgrade the hosts if you wish to use this feature. F-Secure Client Security 13 supports the Network Access Control feature which prevents unauthorized applications from gaining network access.
Article no: 000016529
Unable to change Management Server Address on Client Security or Server Security hosts because the public and private admin keys do not match. Need to migrate hosts between two Policy Manager Servers without having to do a re-installation of the software client side.
If your Policy Manager ONLY manages clients running Client Security 14.00 or newer, you can create a Keyreplacer yourself with a tool that can be provided to you by support. The tool comes with instructions on how to create the keyreplacer-file. You will need to know the IP-address or hostname of the new Policy manager, the http- and https-ports that it uses, and depending on the situation, its admin.pub-file (see steps to download admin.pub below). To deploy the keyreplacer, see steps for "Instruction to deploy the Key Replacer fix" below. In case you are also managing other installations, kindly provide us with the following information from the new Policy Manager for assistance to create Key Replacer fix.
- Admin.pub file
- The Policy Manager management address
- The http- and https-ports used by the Policy Manager
(On Linux systems the port information can be found in the following log: /var/opt/f-secure/fspms/logs/fspms-stderrout.log)
To download the admin.pub file, please follow these steps:
1. Log in to the PM console.
2. In the top menu, click Tools > Server Configuration > Keys.
3. Click Export to download the admin.pub and admin.prv files.
Attach the admin.pub file to your e-mail reply and we will create the Key Replacer hotfix file for you.
Instruction to deploy the Key Replacer fix
Please close the Policy Manager Console and stop the Policy Manager Server service in services.msc.
You can also stop the Policy Manager service by opening a command prompt in elevated mode and typing the command below:
net stop fsms
Configure the registry on the Policy Manager Server
Locate this registry key:
"HKEY_LOCAL_MACHINE\SOFTWARE\Data Fellows\F-Secure\Management Server 5" for 32-bit OS
"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\Data Fellows\F-Secure\Management Server 5" for 64-bit OS
Right-click on Management Server 5 Registry Key and add a new String Value with the following:
Name: additional_java_args
Data field: -DallowUnsignedWithRiwsAndMibs=true
Note: Please don't remove the -D at the beginning of the string or it will not work properly.
The same works for Linux, but you need to use config file /etc/opt/f-secure/fspms/fspms.conf instead of the registry. Create a new line with parameter additional_java_args and specify Java system properties in its value in quotes in the following format: -DpropertyName=value. Multiple properties can be specified using space as a delimiter. Property names and values are case sensitive.
Example:
additional_java_args="-DallowUnsignedWithRiwsAndMibs=true -Dh2ConsoleEnabled=true -DmaxSynchronousPackageRetrievalRequests=100"
1. Start the Policy Manager Server service and open the Policy Manager Console.
2. Go to the Installation tab and click Installation packages.
3. Click Import to import the "KeyReplacer_unsigned.jar" file to the Policy Manager Console as an installation package.
4. Deploy the KeyReplacer file to all clients, for example using a policy-based installation.
After the deployment is finished import the hosts in the Policy Manager Console by going to the Installation tab and clicking "Import new hosts".
Article no: 000003212
This is the list with descriptions of the services installed for F-Secure Linux Security 64.
This information can be changed without notice. (06/Aug/2019)
f-secure-baseguard-accd.service
Responsible for receiving access permission requests from the kernel through the fanotify API. It can grant access autonomously, but for malware analysis, it uses f-secure-baseguard-icap.service.
BaseGuard facility for email spam scanning. In LS64, the service is inactive.
A relic from the early days of BaseGuard. For full backward-compatibility reasons, the service cannot be removed, but it serves no purpose in any product.
Makes sure channel updates don't accumulate on the disk without limit.
The malware analysis service used for realtime, scheduled and manual scanning.
A local proxy for F-Secure's Online Reputation Service. It is used by f-secure-baseguard-icap.service.
Monitors F-Secure's GUTS2 service for channel updates and sends notifications to fsbg-updated.service.
Maintains the file integrity checker baseline.
Locally distributes policy settings to LS64 services.
Manages manual and scheduled scans.
Collects status and statistics information from LS64 services and relays them to the policy agent (fsma2).
Collects status and statistics information from BaseGuard services and relays them to the policy agent (fsma2).
Schedules the installation of online channel updates.
Locally distributes policy settings to BaseGuard services.
Article no: 000014984
After installation, user is unable to launch Policy Manager Console and they receive error: "The item referred by this shortcut cannot be accessed. You may not have the appropriate permissions".
The setup wizard creates the user group FSPM users. The user who was logged in and ran the installer is automatically added to this group. To allow another user to run Policy Manager Console you must manually add this user to the FSPM users user group. To add users to a group, use the following instructions:
1. Click on the Server Manager icon on the bottom left of the Windows desktop.
2. Select the Tools menu in the upper right, then select Computer Management.
3. Expand Local Users and Groups.
4. Expand Groups.
5. Double-click on the group to which you want to add users.
6. Select Add.
7. Enter the name of the user you wish to add to the group, then select Check Names. You can separate names with a semicolon if you want to add more than one user.
8. Press OK when complete, then OK again to finish.
Article no: 000017207
- Windows Server operating system with Server Security 14.00 installed is hanging
- Windows Desktop operating system with Client Security 13.00 or newer installed is hanging
UPDATE: The issue related to F-Secure Ultralight Core Update 2019-10-01_01 has now been fixed in the latest Ultralight Core Update, which is available as an automatic update by the name F-Secure Ultralight Core Update 2019-10-22_01. However, if you are still facing similar issues after the update fix, this may happen if the F-Secure product has F-Secure Security Cloud Client enabled but does not have access allowed to the fsapi.com address. To resolve this issue, make sure that you have allowed access to fsapi.com from your environment. If you have an isolated environment, or otherwise cannot allow access to fsapi.com, disable F-Secure Security Cloud Client via Policy Manager Console:
1. Log in to Policy Manager Console.
2. Go to the Settings tab.
3. Select Advanced view.
4. Navigate to: F-Secure Security Cloud Client > Settings > Client is enabled.
5. Select No from the drop-down menu.
6. Make sure that the setting is locked.
7. Distribute policies (CTRL-D).
If your network access is not restricted, or if the above steps didn't help, contact F-Secure support for further assistance.
Article no: 000016583
What are the main differences between F-Secure Linux Security 64 and F-Secure Linux Security 11.x?
Linux Security 64 is a native 64-bit application, however there are some differences compared to the previous released version Linux Security 11.x, most notably:
- no support for standalone installation mode
- no support for Protection Service for Business (PSB) installation mode
- no firewall
- no web user interface (for remote management with browser)
- no support for F-Secure Policy Manager Proxies
- no support for unattended (scripted) installations
The list of supported Linux distributions is also different with some legacy distributions only being supported by Linux Security 11.x. Also note, that while the installer for LS 64 is created/exported in Policy Manager Console, neither Linux Security 11 nor Linux Security 64 can be deployed/pushed to hosts using Policy Manager Console.
Article no: 000014897
The following errors are shown during Linux Security 64 installation.
1:f-secure-linuxsecurity-12.0.6-1 ################################# [100%]
2019-10-21 11:15:03 net/fshttp.c:1662 idle timeout occurred
2019-10-21 11:15:03 fshttps.c:560 a timeout occurred
2019-10-21 11:15:03 fsguts2.c:1830 unable to perform the HTTP operation, error 201 (timed out)
2019-10-21 11:15:03 fsguts2.c:1062 unable to fetch update information from the server, error 201 (timed out)
2019-10-21 11:15:03 src/guts2download.c:148 unable to fetch the list of updates, error 201 (timed out)
2019-10-21 11:15:03 src/guts2download.c:84 downloading the channel content failed, error 201 (timed out)
Failed to activate the product!
Make sure the Policy Manager Server is accessible by the Linux Security 64 installation target machine.
Article no: 000017159
How to disable Advanced Network Protection for Client Security 14 in Policy Manager 14?
To centrally disable Advanced Network Protection from target hosts in Policy Manager 14, follow these steps:
1. Open F-Secure Policy Manager.
2. Choose the target host or domain from the Domain Tree.
3. Go to the Settings tab and use Standard View.
4. Go to the Web traffic scanning section.
5. Under HTTP Scanning, choose HTTP scanning enabled and set the value to disabled.
6. Distribute the new policy with the Distribute policies button.
Now Advanced Network protection is disabled from the target hosts.
Article no: 000008143
- After upgrading to F-Secure Client Security 14.10 or F-Secure Server Security 14, the client keeps asking for a restart with the notification "restart required F-Secure product received a critical update. To keep your protection up to date, restart your computer. Remember to save your work"
- After a restart the same notification is shown again
- F-Secure Ultralight services are not listed in the Windows services list
- Capricorn update is missing from the Updates list in the local user interface
Note: If you click on the view log file button in the Updates view, it will bring you to the aua.log, where you can see similar entries:
I: Installation of 'F-Secure Ultralight Core Update 2019-08-22_01' : Processing
I: Installation of 'F-Secure Ultralight Core Update 2019-08-22_01' : Retry at restart
I: Installation of 'F-Secure Hydra Update 2019-08-28_04' : Processing
I: Update check completed successfully
I: Installation of 'F-Secure Hydra Update 2019-08-28_04' : Retry at restart
This issue is related to Ultralight not installing or updating correctly. You can install one of the hotfixes below to solve the problem:
- FSCS1410-HF01
- FSCS1410-HF02
- FSCS1410-HF07
Note: All these hotfixes are applicable for Server Security 14.00 and Client Security 14.10. These hotfixes are not publicly available from our homepage. Open a support request and our customer service team can send you the hotfixes.
If these hotfixes do not resolve the issue and the Capricorn update is still missing from the Updates list, you can try removing the Capricorn update from your Policy Manager Server and re-downloading it. Follow these steps to re-download the Capricorn update on your Policy Manager Server:
1. Stop the Policy Manager Server service.
2. Delete the following folder: C:\Program Files (x86)\F-Secure\Management Server 5\data\guts2\updates\capricorn-win64
3. Start the Policy Manager Server service.
The Policy Manager Server will now re-download the missing Capricorn update. Wait for 30 minutes and check from the client if it has now been able to download and install Capricorn.
Article no: 000014676
Is SUSE Linux Enterprise Server 12 (SLES) a supported platform for F-Secure Linux Security 64?
SUSE Linux Enterprise Server 12 (SLES) has been added to the officially supported platforms for F-Secure Linux Security 64. For more details you can check the release notes on this link.
Article no: 000013134
F-Secure Linux Security 64 is not connecting to the Policy Manager Server and it is not visible in the "Import new hosts" tab in Policy Manager Console.
Verify the connection from F-Secure Linux Security 64 to the Policy Manager Server. If the issue persists, configure the address of Policy Manager Server using the server's IP address instead of hostname during the creation of the installation package.
Article no: 000016582
How to update malware definitions for Policy Manager 13.x/14.x in an isolated network.
Policy Manager offers two options for updating virus definitions in isolated networks that have no direct connection to the Internet.
- If your network configuration allows Policy Manager to access internal resources with Internet access, we recommend that you use Policy Manager Proxy as the source for updates. For more details click here.
- If using Policy Manager Proxy is not an option, you can use a tool provided with Policy Manager to fetch the updates as an archive and copy that to the server where Policy Manager is installed. For more details click here.
Article no: 000002697
When using image files to distribute product installations, how can I reset the host UID for Policy Manager Proxy to prevent duplicate hosts appearing in Policy Manager?
If you use image files to distribute product installations, you need to make sure that there are no unique ID conflicts. For Policy Manager Proxy this can be prevented by following the steps below:
1. Stop the F-Secure Policy Manager Server service:
   Linux: [/etc/init.d/fspms stop]
   Windows: [net stop fsms]
2. Remove the following two files:
   <F-Secure Installation Folder>\Management Server 5\data\h2db\fspms.h2.db
   <F-Secure Installation Folder>\Management Server 5\data\fspms.jks
3. Use the fspmp-enroll-tls-certificate script to generate the proxy node certificate. Run the script and authenticate yourself as root administrator of the Master Policy Manager:
   Linux: /opt/f-secure/fspms/bin/fspmp-enroll-tls-certificate
   Windows: <F-Secure Installation Folder>/Management Server 5/bin/fspmp-enroll-tls-certificate.bat
4. Start the F-Secure Policy Manager Server service:
   Linux: [/etc/init.d/fspms start]
   Windows: [net start fsms]
Article no: 000016987
How do I schedule reports on Policy Manager 14.x?
You can configure Web Reporting to send regular reports by email to one or more recipients. To send the reports by email, you need to enter the mail server details in Policy Manager Console. To do this:
1. Select Tools > Server configuration and click the Mail tab.
2. Enter the mail server address and authentication information.
3. Enter the address that you want to display as the sender in the report emails. This does not have to be a valid email address.
4. Click OK.
To configure the report scheduling:
1. On the Web Reporting main page, select Scheduled reporting.
2. On the policy domain tree, select the domain that you want to use for the reports.
   Note: You cannot schedule reports for individual hosts, only for domains. You can use the root domain if you want the reports to cover all configured domains.
3. In the Recipient emails field, enter the email addresses that should receive the reports. Use semi-colons to separate multiple addresses.
4. Choose whether to send the reports daily, weekly or monthly. If you want to send the reports on a weekly basis, select the weekday. If you choose to send the reports on a monthly basis, the reports for each month are automatically sent on the first day of the following month.
5. Select which reports you want to send.
The listed recipients will receive the selected reports in HTML format according to your settings. If you want to check that the report emails are delivered correctly, click Send reports now.
For more information: https://help.f-secure.com/product.html#business/policy-manager/latest/en/task_4644F99989CB41A4BD5BBC5FE87919A2-latest-en
Article no: 000003775
- After updating to Server Security Premium 14.00, a group of servers are not getting virus definitions
- After upgrading to Client Security 14.10, clients are not getting updates from Policy Manager Server
You can apply the hotfix FSCS1410-HF07 to resolve the problem. If the problem persists, make sure you are experiencing the same problem by opening the following logs from an affected client and investigating them. Logs are usually located in the following path: C:\ProgramData\F-Secure
Open the C:\ProgramData\F-Secure\Log\AUA.log and scroll down to the latest event to see if you have a similar error:
2019-09-23 15:17:09.502 [0e50.1388] I: Connecting to updateserver:80/guts2 (proxy proxy.demo.com:8888)
2019-09-23 15:17:09.517 [0e50.1388] I: Update check failed, error=115 (operation in progress)
Open the C:\ProgramData\F-Secure\Log\CCF\Guts2Plugin.log and scroll down to the latest event to see if you have a similar error:
2019-10-01 09:54:30.351 [1284.1258] I: Guts2Client::UpdateCurrentProxyForRootServer: Save successful proxy 'proxy.demo.com:8888'
2019-10-01 09:54:30.352 [1284.1258] I: Guts2Client::CheckForUpdatesFromServer: Check from server 'fsms:80/guts2'
2019-10-01 09:54:30.365 [1284.1258] I: Guts2Client::RefreshAvailablePackages: Trying with proxy 'proxy.demo.com:8888'
2019-10-01 09:54:30.581 [1284.1258] I: [fslib] server returned HTTP status code 503 (try again later)
2019-10-01 09:54:30.581 [1284.1258] *E: [fslib] unable to fetch update information from the server, error 115 (operation in progress)
2019-10-01 09:54:30.581 [1284.1258] I: Guts2Client::RefreshAvailablePackagesProxyConfigured: Failed to refresh available packages, error=115
2019-10-01 09:54:30.581 [1284.1258] *E: Guts2Client::CheckForUpdatesFromServer: Failed to refresh available updates list
2019-10-01 09:54:30.587 [1284.1258] I: CCFGuts2Plugin::ScheduleCheck: Scheduling next check in 156 seconds
As you can see, 'proxy.demo.com:8888' can answer 503 without forwarding a request to the Policy Manager Server/guts2 server. In this case, you could troubleshoot the HTTP proxy by checking the following:
1. Retry the URL from the address bar again by clicking the reload/refresh button, or pressing F5 or Ctrl+R.
2. Restart your router and/or your device, especially if you're seeing the "Service Unavailable - DNS Failure" error.
3. As an option, you could disable the HTTP proxy for AUA, to see if the connection issue is caused by AUA. You can do this from the Policy Manager Console:
   3.1 Go to F-Secure Automatic Updates Agent > HTTP Settings > Use HTTP Proxy and set it to No. Deploy the policy.
If the change you made worked, make sure your HTTP proxy allows connections to updateserver:80 (:443).
- When upgrading from the Client Security 13.xx series: GUTS2 updates were already available, so the behavior didn't change.
- When upgrading from Client Security 12.10-12.3x: everything in the Client Security > Policy Manager communication was changed.
- If you are upgrading from 12.00 or older: the protocol was also changed from HTTP to HTTPS (but guts2 are still downloaded via HTTP).
In the event that a proxy is/must be used, ensure that no filtering for port 443 is enabled. Client Security 13.x already used GUTS2, where 503 was the "good answer", which means the clients would come back later, and that didn't cause fallback to the Internet.
Article no: 000015249
The symptoms include
- clients are unable to download updates from the Policy Manager Server
- clients are unable to upload status information to the Policy Manager Server and will eventually show up in Policy Manager Console as disconnected hosts
However, clients might still be able to download updates because in the default configuration, fallback to F-Secure update servers is allowed. A couple of log files on the endpoint help to establish whether the client is having a connection problem due to the firewall blocking access on the server. The examples are for Client Security 14 but also apply to Server Security 14 and later. The Policy Manager Server here is pms.acme.com, listening on default ports 80 and 443.
C:\ProgramData\F-Secure\Log\AUA\Aua.log
2019-10-02 12:07:25.311 [15d4.1d50] I: Connecting to pms.acme.com:80/guts2
2019-10-02 12:07:46.349 [15d4.1d50] I: Update check failed, error=110 (connection timed out)
Same is also visible in this logfile:
2019-10-02 12:17:37.502 [15d4.1d68] I: UpdatablePmCertVerifier::RenewCertificates: Renewing certificates from pms.acme.com:443 with HTTP proxy ''
2019-10-02 12:17:58.535 [15d4.1d68] *E: UpdatablePmCertVerifier::RenewCertificates: Failed to download certificate bodies (FsHttpRequest::Error_Timeout, AsyncSendRequest failed: 12002)
2019-10-02 12:18:07.536 [15d4.1d68] I: UpdatablePmCertVerifier::RenewCertificates: Renewing certificates from pms.acme.com:443 with HTTP proxy ''
Error 12002 translates to:
12002 ERROR_INTERNET_TIMEOUT The request has timed out.
Server Security 14 uses the Windows Firewall. It is likely that the ports that the HTTP and HTTPS services are using are blocked in the firewall on the server where Policy Manager Server is installed in. This would cause the clients to be unable to be in contact with the Policy Manager Server. To resolve the issue, create a firewall rule allowing inbound HTTP and HTTPS traffic to the server where Policy Manager Server is installed. You can find instructions how to create firewall rules in Policy Manager 14 in this guide. Things to consider:
- Make sure the firewall rule is enabled. This is the first checkbox in the Firewall rules table.
- Make sure the Server profile containing the rule is assigned as the "Server host profile". In the example below, the profile is called Server (cloned).
- The other rules in the profiles in this screenshot are also activated, but this is not needed to meet client to Policy Manager Server communication requirements.
- As this particular rule is only required for the server host running Policy Manager Server, we have selected the server before making the change (the server called here DC1-PETERF).
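The two log signatures described in this article and the previous one (a proxy answering 503 / error 115, and timeouts 110 / 12002 when the server firewall blocks the ports) can be told apart automatically. This is an added example, not F-Secure tooling; the sample lines are copied from the excerpts above, and treating the bracketed field as a per-thread key is an assumption.

```python
import re
from collections import Counter, namedtuple

# Line layout of the AUA.log / Guts2Plugin.log excerpts: timestamp [id.id] level: message
LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) \[([0-9a-f]+\.[0-9a-f]+)\] \*?[A-Z]: (.*)$"
)
SERVER = re.compile(r"(?:Connecting to |Check from server '|Renewing certificates from )([^\s']+)")
PROXY = re.compile(r"(?:\(proxy |with proxy '|HTTP proxy ')([^')]*)")
HTTP_STATUS = re.compile(r"HTTP status code (\d{3})")
ERROR = re.compile(r"error[= ](\d+) \(")
WININET = re.compile(r"AsyncSendRequest failed: (\d+)")

Finding = namedtuple("Finding", "timestamp kind endpoint http_status")

ADVICE = {
    "proxy": "the proxy answered instead of the update server: check the HTTP proxy",
    "timeout": "no answer: check the firewall on the Policy Manager Server host",
    "server-busy": "retry-later answer with no proxy in use",
}

# Sample lines copied from the log excerpts in the two articles.
SAMPLE = """\
2019-09-23 15:17:09.502 [0e50.1388] I: Connecting to updateserver:80/guts2 (proxy proxy.demo.com:8888)
2019-09-23 15:17:09.517 [0e50.1388] I: Update check failed, error=115 (operation in progress)
2019-10-01 09:54:30.352 [1284.1258] I: Guts2Client::CheckForUpdatesFromServer: Check from server 'fsms:80/guts2'
2019-10-01 09:54:30.365 [1284.1258] I: Guts2Client::RefreshAvailablePackages: Trying with proxy 'proxy.demo.com:8888'
2019-10-01 09:54:30.581 [1284.1258] I: [fslib] server returned HTTP status code 503 (try again later)
2019-10-01 09:54:30.581 [1284.1258] *E: [fslib] unable to fetch update information from the server, error 115 (operation in progress)
2019-10-02 12:07:25.311 [15d4.1d50] I: Connecting to pms.acme.com:80/guts2
2019-10-02 12:07:46.349 [15d4.1d50] I: Update check failed, error=110 (connection timed out)
2019-10-02 12:17:37.502 [15d4.1d68] I: UpdatablePmCertVerifier::RenewCertificates: Renewing certificates from pms.acme.com:443 with HTTP proxy ''
2019-10-02 12:17:58.535 [15d4.1d68] *E: UpdatablePmCertVerifier::RenewCertificates: Failed to download certificate bodies (FsHttpRequest::Error_Timeout, AsyncSendRequest failed: 12002)
""".splitlines()


def triage(lines):
    """Return one Finding per failed operation, with the endpoint that was in use."""
    context = {}  # bracketed id -> server, proxy and HTTP status last seen on it
    findings = []
    for line in lines:
        match = LINE.match(line.strip())
        if not match:
            continue  # not in the timestamp / [id.id] / level layout
        timestamp, key, message = match.groups()
        state = context.setdefault(key, {"server": None, "proxy": None, "status": None})
        server = SERVER.search(message)
        if server:  # a new attempt starts: forget the previous proxy and status
            state.update(server=server.group(1), proxy=None, status=None)
        proxy = PROXY.search(message)
        if proxy:
            state["proxy"] = proxy.group(1) or None  # '' means no proxy configured
        status = HTTP_STATUS.search(message)
        if status:
            state["status"] = int(status.group(1))
        error = ERROR.search(message) or WININET.search(message)
        if not error:
            continue
        code = int(error.group(1))
        if code in (110, 12002):  # connection timed out / ERROR_INTERNET_TIMEOUT
            kind = "timeout"
        elif code == 115:  # logged together with HTTP 503 in the excerpt above
            kind = "proxy" if state["proxy"] else "server-busy"
        else:
            continue
        endpoint = state["proxy"] or state["server"]
        findings.append(Finding(timestamp, kind, endpoint, state["status"]))
    return findings


def summarize(findings):
    """Count findings per (kind, endpoint) pair."""
    return Counter((f.kind, f.endpoint) for f in findings)


if __name__ == "__main__":
    for (kind, endpoint), count in summarize(triage(SAMPLE)).items():
        print(f"{count}x {kind} via {endpoint}: {ADVICE[kind]}")
```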
Article no: 000016843