Windows Update - Server 2016 - Problem DeepGuard and Real-Time-Scanning

Scholar

Re: Windows Update - Server 2016 - Problem DeepGuard and Real-Time-Scanning

Orspdiag from my 'clean' server:

C:\Program Files (x86)\F-Secure\ORSP Client>orspdiag.exe
ORSP DIAGNOSTIC DUMP

ORSP: 1.2.17.257
FS: F-Secure Server Security 12.12 build 104 (SVE)
OS: Win64 10.0.14393 sp 0.0
System: 6143 MB RAM, 2 CPUs

Statistics start: 2019-01-16T17:25:45Z
Statistics end:   2019-01-17T12:28:37Z

General statistics:
Number of HTTP queries:         13
Number of HTTP submits:         1
Number of HTTP timeouts:        0
Number of HTTP errors:          0

Number of 0 queries:            1
Number of 0 responses:          1

Statistics for type 2:
Number of all placed queries:   439
Number of application timeouts: 23
Number of queries, that
        hit cache:              389
        hit server:             50
Number of server hits that got
        response data:          50
        empty response:         0
Server query roundtrip times (ms):
        min:                    0
        max:                    15111
        avg:                    491
        med:                    25
        stdev:                  2377
Oldest cache entry (seconds):   168186
Number of revoked entries:      0

Statistics for type 1:
Number of all placed queries:   4
Number of application timeouts: 0
Number of queries, that
        hit cache:              3
        hit server:             1
Number of server hits that got
        response data:          1
        empty response:         0
Server query roundtrip times (ms):
        min:                    52
        max:                    52
        avg:                    52
        med:                    52
        stdev:                  0
Oldest cache entry (seconds):   2431263
Number of revoked entries:      0

Number of submits of type 0:    1 (1514 bytes)

Tx: 9598 bytes, Rx: 10381 bytes

Histogram of server query roundtrip times (ms):
[0: 11] [20: 24] [40: 14] [80: 0] [160: 0] [320: 0] [640: 0] [1280: 0] [2560: 0] [5120: 1] [10240: 1]

Histogram of NRS safe:
[missing: 86] [empty: 0] [error: 0] [-100: 0] [-99: 0] [-79: 0] [-19: 0] [80: 46] [100: 0]

Histogram of NRS lookups:
[3: 96] [4: 29] [5: 7]

Histogram of NHIPS ratings from cache:
all:           [0: 69] [150: 3]
last 14 days:  [0: 30] [150: 3]
last 24 hours: [0: 4]

UUID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Server: orsp-c3-ec1.aws
Status: 200
Connectivity state: Ok
CRL state: Ok
Proxies: -


Current proxy: -

Cache: 99/10000 entries (NHIPS: 72, NRS: 27), 23663 bytes

C:\Program Files (x86)\F-Secure\ORSP Client>

Compared to ORSPdiag from a server that has not installed Windows/F-Secure updates:

C:\Program Files (x86)\F-Secure\ORSP Client>orspdiag.exe
ORSP DIAGNOSTIC DUMP

ORSP: 1.2.17.257
FS: F-Secure Server Security 12.12 build 104 (SVE)
OS: Win64 10.0.14393 sp 0.0
System: 4095 MB RAM, 2 CPUs

Statistics start: 2019-01-17T01:07:33Z
Statistics end:   2019-01-17T12:43:26Z

General statistics:
Number of HTTP queries:         12
Number of HTTP submits:         1
Number of HTTP timeouts:        0
Number of HTTP errors:          0

Number of 0 queries:            1
Number of 0 responses:          1

Statistics for type 2:
Number of all placed queries:   285
Number of application timeouts: 0
Number of queries, that
        hit cache:              273
        hit server:             12
Number of server hits that got
        response data:          12
        empty response:         0
Server query roundtrip times (ms):
        min:                    0
        max:                    55
        avg:                    25
        med:                    21
        stdev:                  21
Oldest cache entry (seconds):   57802
Number of revoked entries:      0

Statistics for type 1:
Number of all placed queries:   5
Number of application timeouts: 0
Number of queries, that
        hit cache:              0
        hit server:             5
Number of server hits that got
        response data:          5
        empty response:         0
Server query roundtrip times (ms):
        min:                    24
        max:                    53
        avg:                    32
        med:                    26
        stdev:                  11
Oldest cache entry (seconds):   3338665
Number of revoked entries:      0

Number of submits of type 0:    1 (1391 bytes)

Tx: 8745 bytes, Rx: 7665 bytes

Histogram of server query roundtrip times (ms):
[0: 6] [20: 6] [40: 5] [80: 0] [160: 0] [320: 0] [640: 0] [1280: 0] [2560: 0] [5120: 0] [10240: 0]

Histogram of NRS safe:
[missing: 62] [empty: 0] [error: 0] [-100: 0] [-99: 0] [-79: 0] [-19: 0] [80: 26] [100: 0]

Histogram of NRS lookups:
[3: 71] [4: 13] [5: 4]

Histogram of NHIPS ratings from cache:
all:           [0: 1189] [150: 2]
last 14 days:  [0: 5]
last 24 hours: [0: 5]

UUID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Server: orsp-c2-ec1.aws
Status: 200
Connectivity state: Ok
CRL state: Ok
Proxies: -
Current proxy: -

Cache: 1214/10000 entries (NHIPS: 1191, NRS: 23), 257270 bytes

C:\Program Files (x86)\F-Secure\ORSP Client>
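
To compare two orspdiag dumps like the ones in the post above metric by metric, here is a small parser. It is an added example, not part of the original post and not F-Secure tooling; the line format is inferred from the output shown, and the function names are hypothetical.

```python
import re

# Constructed excerpts reusing the "type 2" figures from the two dumps above.
DUMP_A = """Statistics for type 2:
Number of all placed queries:   439
Number of application timeouts: 23
Number of queries, that
        hit cache:              389
Server query roundtrip times (ms):
        max:                    15111
        med:                    25
"""
DUMP_B = """Statistics for type 2:
Number of all placed queries:   285
Number of application timeouts: 0
Number of queries, that
        hit cache:              273
Server query roundtrip times (ms):
        max:                    55
        med:                    21
"""

SECTION = re.compile(r"^Statistics for type (\d+):")
FIELD = re.compile(r"^\s*([A-Za-z][^:]*):\s+(-?\d+)\s*$")  # "name:   integer" only

def parse_orspdiag(text):
    """Return {query_type: {field: int}} for each 'Statistics for type N' block."""
    stats, current = {}, None
    for line in text.splitlines():
        if (m := SECTION.match(line)):
            current = stats.setdefault(int(m.group(1)), {})
        elif not line.strip():
            current = None                      # a blank line ends the block
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1).strip()] = int(m.group(2))
    return stats

def summarize(text, qtype=2):
    s = parse_orspdiag(text)[qtype]
    placed = s["Number of all placed queries"] or 1   # avoid division by zero
    return {"timeout_pct": round(100 * s["Number of application timeouts"] / placed, 1),
            "cache_hit_pct": round(100 * s["hit cache"] / placed, 1),
            "max_ms": s["max"], "med_ms": s["med"]}

def compare(a, b, qtype=2):
    # Pair each metric as (dump A, dump B) so the outliers stand out.
    sa, sb = summarize(a, qtype), summarize(b, qtype)
    return {k: (sa[k], sb[k]) for k in sa}
```

Calling `compare(DUMP_A, DUMP_B)` puts the application-timeout rate and the maximum server roundtrip of the two servers side by side; the same functions accept a full orspdiag dump saved to a text file.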

 

Scholar

Re: Windows Update - Server 2016 - Problem DeepGuard and Real-Time-Scanning

Answer from F-Secure Support from Finland:

I have a direct solution for the problems; you can be prepared for subsequent solutions. Exclude the following paths in the real-time scan:
C:\Windows\WinSxS\
C:\System Volume Information\
C:\Windows\SoftwareDistribution\

In Q1/Q2 this year an ultralight version for servers will be released, which skips all possible IOs --> I don't think it's so good now either

Excluding the above-mentioned paths at least leads to a successful installation of Windows Updates on Server 2016.

Greetz

 

Aspirant

Re: Windows Update - Server 2016 - Problem DeepGuard and Real-Time-Scanning

Any news on this?

There is no improvement noticeable on our Server 2016 systems. With F-Secure enabled the update process is taking forever; stop all F-Secure services and the server updates within an hour, including reboots. A server with F-Secure enabled is taking over two hours updating.

The new Capricorn engine makes no difference in the update process.

F-Secure

Re: Windows Update - Server 2016 - Problem DeepGuard and Real-Time-Scanning

Hello Martdl,

 

The only solution we have currently is the set of exclusions mentioned in the comment posted before yours.

 

Best regards,

Vad

Scholar

Re: Windows Update - Server 2016 - Problem DeepGuard and Real-Time-Scanning

Also have this problem on Windows 10.

 

We use CS 12.

 

Does the same problem occur with newer versions of CS?

Aspirant

Re: Windows Update - Server 2016 - Problem DeepGuard and Real-Time-Scanning

That doesn't make any difference. Fix this please, we are currently disabling our SS products on servers during WSUS rounds. 

F-Secure

Re: Windows Update - Server 2016 - Problem DeepGuard and Real-Time-Scanning

Hello Martdl, DavidCES,

 

We have a hotfix now, which helps to resolve the issue for one of our customers. Please, contact support.

 

Best regards,

Vad

Scholar

Re: Windows Update - Server 2016 - Problem DeepGuard and Real-Time-Scanning


@ITMSuhl wrote:

Answer from F-Secure Support from Finland:

I have a direct solution for the problems; you can be prepared for subsequent solutions. Exclude the following paths in the real-time scan:
C:\Windows\WinSxS\
C:\System Volume Information\
C:\Windows\SoftwareDistribution\

In Q1/Q2 this year an ultralight version for servers will be released, which skips all possible IOs --> I don't think it's so good now either

Excluding the above-mentioned paths at least leads to a successful installation of Windows Updates on Server 2016.

Greetz

 


This solution seems to work for us as well.

 

This is how I configured it:

 

Fsecure policy manager settings

 

Policy manager version 13.12.841

Aspirant

Re: Windows Update - Server 2016 - Problem DeepGuard and Real-Time-Scanning

Is the * after the directories needed? I've used this format: https://community.f-secure.com/t5/Business/Excluding-objects-from-Real-Time/ta-p/66013
And it doesn't make a difference.

Scholar

Re: Windows Update - Server 2016 - Problem DeepGuard and Real-Time-Scanning

@Martdl I'm not sure if the * is needed, but it seems to work for us.

Did you set 'Excluded Objects Enabled = Enabled' setting?