
Business Security

In Windows, every device has a few sets of properties that can be used to identify the device or the class of the device. In the table below the...
View full article
There are several ways to get the Hardware ID for a device for the Device Control rules: using Device Control statistics or Windows Device Manager.
View full article
Device Control is provided with the following set of common rules:
View full article
Device Control allows a network administrator to protect the network by disallowing the use of some hardware devices, such as USB sticks, CD-ROM...
View full article
This article provides information about the use of the Policy Manager for Windows database recovery tool.
View full article
Symptoms
This issue affects PSB Server Security, PSB Email & Server Security and Client Security versions 11.x and 12.x. Internet Explorer fails to load and shows "Internet Explorer cannot display the webpage" when trying to access the F-Secure Web Console.

Diagnosis
Some settings in Internet Explorer may have prevented the Web Console UI from loading/working.

Solution
To resolve the issue, reset Internet Explorer settings. Note that resetting Internet Explorer is irreversible and all previous settings are lost after reset.

1. Open Internet Explorer.
2. Click on the Tools icon from the top-right corner of the window, then select Internet options.
3. Go to the Advanced tab, and select Reset.
4. In the Reset Internet Explorer Settings dialog box, click Reset.
5. When Internet Explorer finishes applying the default settings, click Close, then Ok.
6. Restart your computer to apply changes.
View full article
You can reset the host UID by using FSMAUTIL (F-Secure Management Agent Utility). One way to do this would be adding a command to the user login script. This utility is typically located in the "\F-Secure\Common" directory.

Operations:

    FSMAUTIL RESETUID {SMBIOSGUID | RANDOMGUID | WINS | MAC} [APPLYNOW]

Regenerate the host Unique Identity.

Where:

- SMBIOSGUID - use SMBIOS GUID as host Unique Identity
- RANDOMGUID - use randomly generated GUID as host Unique Identity
- WINS - use WINS (NetBIOS) name as host Unique Identity
- MAC - use WINS (NetBIOS) name as host Unique Identity
- APPLYNOW - restart F-Secure Management Agent to regenerate the host Unique Identity and take it into use immediately
View full article
Question
How do I query useful information on my F-Secure product using the Polutil.exe tool?

Answer
Use the executable POLUTIL.exe tool located in the Common directory under the root of your product’s installation directory to export the data that you need. Execute the following command in command prompt:

    …/F-Secure/Common>POLUTIL.EXE g [enter OID here]

Below are some examples of common objects/variables along with their OIDs, and the associated values that you may find useful for monitoring systems.

F-Secure Anti-Virus (1.3.6.1.4.1.2213.12.*)

Virus Protection Status
OID: 1.3.6.1.4.1.2213.12.2.140
Values:
- 0 – Status unknown
- 16 – Disabled
- 17 – Expired
- 18 – Malfunction
- 32 – Active, virus definitions up to date
- 33 – Active, virus definitions old
- 34 – Active, virus definitions very old, system is vulnerable
- 35 – Active, virus definitions not installed, system is vulnerable
- 19 – Installation incomplete
Example output:
    C:\Program Files\F-Secure\common>POLUTIL.EXE g 1.3.6.1.4.1.2213.12.2.140
    32

Virus Definition Serial Number
OID: 1.3.6.1.4.1.2213.12.2.125
Values: This prints the serial number of the currently installed virus definitions with the format “YYYY-MM-DD_nn”
Example output:
    C:\Program Files\F-Secure\common>POLUTIL.EXE g 1.3.6.1.4.1.2213.12.2.125
    2006-10-08_01

Real-Time Scanning
OID: 1.3.6.1.4.1.2213.12.2.111.10
Values:
- 0 – Disabled
- 1 – Enabled
Example output:
    C:\Program Files\F-Secure\common>POLUTIL.EXE g 1.3.6.1.4.1.2213.12.2.111.10
    1

F-Secure Software Updater (1.3.6.1.4.1.2213.59.*)

Software Updater enabled
OID: 1.3.6.1.4.1.2213.59.1.10
Values:
- 0 – No
- 1 – Yes
Example output:
    C:\Program Files\F-Secure\common>POLUTIL.EXE g 1.3.6.1.4.1.2213.59.1.10
    1

F-Secure DeepGuard (1.3.6.1.4.1.2213.53.*)

DeepGuard enabled
OID: 1.3.6.1.4.1.2213.53.1.5
Values:
- 0 – Disabled
- 1 – Enabled
Example output:
    C:\Program Files\F-Secure\common>POLUTIL.EXE g 1.3.6.1.4.1.2213.53.1.5
    1

F-Secure Real-Time Protection Network Client (1.3.6.1.4.1.2213.57.*)

Real-Time Protection Network availability
OID: 1.3.6.1.4.1.2213.57.2.20
Values:
- 0 – Available
- 1 – Not available
Example output:
    C:\Program Files\F-Secure\common>POLUTIL.EXE g 1.3.6.1.4.1.2213.57.2.20
    1
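For monitoring, the POLUTIL output above can be turned into findings automatically. The following Python sketch is an added example, not F-Secure code: it parses a captured POLUTIL transcript and evaluates it against the OID values listed in this article. The transcript is constructed, and the 7-day definition age limit and all function names are assumptions.

```python
import re
from datetime import date

# OIDs and value meanings are the ones listed in this article.
STATUS_OID = "1.3.6.1.4.1.2213.12.2.140"
SERIAL_OID = "1.3.6.1.4.1.2213.12.2.125"
SWITCH_OIDS = {
    "1.3.6.1.4.1.2213.12.2.111.10": "Real-Time Scanning",
    "1.3.6.1.4.1.2213.59.1.10": "Software Updater",
    "1.3.6.1.4.1.2213.53.1.5": "DeepGuard",
}
STATUS_TEXT = {
    0: "Status unknown", 16: "Disabled", 17: "Expired", 18: "Malfunction",
    19: "Installation incomplete", 32: "Active, virus definitions up to date",
    33: "Active, virus definitions old",
    34: "Active, virus definitions very old, system is vulnerable",
    35: "Active, virus definitions not installed, system is vulnerable",
}

# Constructed transcript in the prompt/output layout of the examples above.
# The last query deliberately has no output line.
SAMPLE_TRANSCRIPT = r"""
C:\Program Files\F-Secure\common>POLUTIL.EXE g 1.3.6.1.4.1.2213.12.2.140
33
C:\Program Files\F-Secure\common>POLUTIL.EXE g 1.3.6.1.4.1.2213.12.2.125
2006-10-08_01
C:\Program Files\F-Secure\common>POLUTIL.EXE g 1.3.6.1.4.1.2213.12.2.111.10
1
C:\Program Files\F-Secure\common>POLUTIL.EXE g 1.3.6.1.4.1.2213.53.1.5
0
C:\Program Files\F-Secure\common>POLUTIL.EXE g 1.3.6.1.4.1.2213.59.1.10
"""

# The value is the first token after the OID, on the same or the next line.
QUERY_RE = re.compile(
    r"POLUTIL\.EXE\s+g\s+(?P<oid>\d+(?:\.\d+)+)\s+(?P<value>[\w.-]+)(?=\s|$)",
    re.IGNORECASE,
)


def parse_transcript(text):
    """Return {oid: value} for every query that produced an output token."""
    return {m["oid"]: m["value"] for m in QUERY_RE.finditer(text)}


def evaluate(readings, today, max_definition_age_days=7):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    for oid in (STATUS_OID, SERIAL_OID, *SWITCH_OIDS):
        if oid not in readings:
            findings.append(f"{oid}: no value returned")

    status = readings.get(STATUS_OID)
    if status is not None:
        code = int(status) if status.isdigit() else -1
        if code != 32:
            text = STATUS_TEXT.get(code, "unrecognised value")
            findings.append(f"Virus Protection Status {status}: {text}")

    serial = readings.get(SERIAL_OID)
    if serial is not None:
        try:
            released = date.fromisoformat(serial.split("_")[0])
        except ValueError:
            findings.append(f"Definition serial {serial!r} is not YYYY-MM-DD_nn")
        else:
            age = (today - released).days
            if age > max_definition_age_days:
                findings.append(f"Virus definitions are {age} days old ({serial})")

    for oid, name in SWITCH_OIDS.items():
        if oid in readings and readings[oid] != "1":
            findings.append(f"{name} is not enabled (value {readings[oid]})")
    return findings


if __name__ == "__main__":
    for finding in evaluate(parse_transcript(SAMPLE_TRANSCRIPT), date(2006, 10, 10)):
        print(finding)
```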
View full article
When deploying cloned virtual machines from a template, Policy Manager identifies them as identical machines even when each machine is configured to...
View full article
To maintain a high protection level, you may notice an increase in bandwidth due to the increased number of updates released per day. Policy Manager...
View full article
This article provides information on how you can exclude files from scanning by using wildcard characters in the F-Secure antivirus products.
View full article
The global F-Secure content delivery network used by the definition database update services uses dynamic addressing and traffic routing. The content...
View full article
DeepGuard settings in most F-Secure business products are configured to provide the best possible protection depending on the level of control you...
View full article
Symptoms
Software Updater does not automatically install updates not signed by trusted authority.

Diagnosis
Some updates, for example Notepad++, WinZip, and 7-Zip, are released unsigned. Software Updater does not automatically install unsigned updates and reports the installation error “There is no signature”.

Solution
The administrator can use the selective installation from the Policy Manager Console to install these updates.

Alternatively, the administrator can use the setting 1.3.6.1.4.1.2213.59.1.20.30 to ‘Allow unsigned updates automatic installation’. Note, however, that this may decrease the level of protection, because it applies to all future updates, which are installed according to automatic installation rules, including missing updates of newly installed products.
View full article
Symptoms
Installation of some updates can hang.

Diagnosis
The installation of updates runs under the local system account without user interaction. On rare occasions, the installation can hang because it waits for user’s input or is handling an error. The installation is cancelled after the timeout period, which is 4 hours by default. After the timeout, the batch installation continues, skipping the problematic patch / update. Software Updater reports the installation error as “Installation hung up”.

Solution
To forcibly retry the installation of the problematic update, use the selective installation.
View full article
Symptoms
Some proxy configurations can prevent Software Updater functionality (CTS-91963/CSEP-543).

Diagnosis
If your corporate network is behind a proxy or a firewall that has strict deny rules, Software Updater may be unable to download patches from some sites.

Solution
Make sure that your proxy allows hosts to access download.microsoft.com and the download sites of other vendors (web or ftp), whose products are installed in your corporate environment.
View full article
Symptoms
Unable to open attachment scanned via IMAP on Thunderbird email client (CTS-91745/CSEP-441).

Diagnosis
Sometimes, Thunderbird cannot download messages or attachments via IMAP protocol when E-mail scanning is turned on.

Solution
In these cases, the user can turn off the ‘mail.server.default.fetch_by_chunks’ setting in Thunderbird at the host:

1. Open Thunderbird and go to Tools > Options.
2. In the dialog that opens, select Advanced settings (rightmost icon) and go to the General tab.
3. Click the Config Editor... button. The Advanced options dialog opens.
4. In the Advanced options, set the following value: mail.server.default.fetch_by_chunks = false
5. Close the dialogs and restart Thunderbird.

For centrally managed hosts, the administrator can use the setting 1.3.6.1.4.1.2213.12.1.113.400.10.20 in Advanced mode to Allow partial FETCH for IMAP clients. Note, however, that this decreases the level of e-mail protection.
View full article
Symptoms
Scanning e-mails that are encrypted with Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols is not supported. When TLS and SSL protocols are used, e-mail scanning either cannot scan e-mails or may block them.

Diagnosis
E-mail scanning only works with unencrypted e-mails using protocols POP3, IMAP or SMTP.

Solution
Turn off e-mail scanning if you use either TLS or SSL protocols for secure e-mail transmissions.

If E-mail scanning is configured to listen to a port which is used by TLS- or SSL-encrypted e-mail, the traffic is blocked completely even when e-mail scanning is turned off [89415]. To solve this issue, reconfigure E-mail scanning to listen to the standard unencrypted port (110) or to any unused port, if port 110 is used already.
View full article
Symptoms
Change in Browsing protection settings may look ineffective due to caching.

Diagnosis
Sometimes it may seem that new Browsing protection settings do not do anything because the browser finds the page content from the browser cache.

Solution
Use Ctrl-F5 to ignore the cache and reload the web page content.
View full article
Question
Why does Software Updater not install some updates automatically?

Answer
Software Updater only installs security-related updates automatically. Non-security-related updates and service packs must be installed manually via the Software updates tab in the Policy Manager Console.

In Policy Manager 12, a checkbox Show non-security-related updates has been introduced under the Policy Manager Console > Software tab. Unchecking the checkbox hides the following update types:

- Microsoft security tools
- Non-security updates
- Service packs

Note: This checkbox is a Policy Manager Console-specific setting. If you change the setting in one Policy Manager Console, it does not affect another Policy Manager Console connected to the same Policy Manager Server.
View full article
This article explains how the Launch Scan After Update functionality works for the Anti-Virus component.

Launch scan after update

The Anti-Virus scanner will enumerate all running processes and find their executables on the disk. Each executable file on the disk is then scanned, and if an infection is found, a real-time scanning alert is generated. This feature is similar to real-time scanning that scans files on disk before they are opened or executed. The difference here is that it is scanning executable files of processes that are already running.

The scanner is not actually scanning the computer's memory per se.

More information

The setting is found in the Advanced Mode window of the F-Secure Policy Manager Console (PMC): F-Secure Anti-Virus > Settings > Virus Definition Updates > Launch Scan After Update.
View full article
Question
How does the Automatic Update Agent (AUA) fetch its updates by order of priority?

Answer
The Automatic Update Agent (AUA) uses the logic below to prioritize where it fetches updates from.

Legend:

- PMS: Policy Manager Server
- PMp: Policy Manager proxy (Update proxy)
- HTTPp: HTTP proxy
- RDP: Root Distribution Point (F-Secure Update Server)

If AUA is configured to use PMS, HTTP proxy and PM proxy:

1. PMS ↔ HTTPp ↔ PMp ↔ AUA
2. PMS ↔ PMp ↔ AUA
3. PMS ↔ HTTPp ↔ AUA
4. PMS ↔ AUA
5. RDP ↔ HTTPp ↔ PMp ↔ AUA
6. RDP ↔ PMp ↔ AUA
7. RDP ↔ HTTPp ↔ AUA
8. RDP ↔ AUA

If AUA is a standalone installation with proxies:

1. RDP ↔ HTTPp ↔ PMp ↔ AUA
2. RDP ↔ PMp ↔ AUA
3. RDP ↔ HTTPp ↔ AUA
4. RDP ↔ AUA

If Neighborcast (client) is enabled, the update procedure is as follows:

1. Client gets the list of available updates from PMS/Automatic Update Server.
2. Client makes the decision to download an update.
3. Client sends a Neighborcast query via broadcast UDP packet over the configured Neighborcast port.
4. Other clients that have the update act as Neighborcast servers and reply with a unicast UDP reply.
5. Client picks a suitable peer and sends a unicast UDP ‘open session’.
6. After positive confirmation, the client proceeds to download the file over HTTP directly from the selected peer.
7. After downloading all the files, the client terminates the Neighborcast session.
8. Client checks the received files against MD5 hashes and downloads any missing or corrupted files from PMS/Automatic Update Server.
View full article
Summary

This article explains how you can collect an MBR rootkit sample for F-Secure Labs to analyse. Before performing any of the steps, you will need:

- a USB drive (or other similar removable media)
- F-Secure Rescue CD

Collecting an MBR rootkit sample

To collect an MBR rootkit sample, do as follows:

1. Insert the thumbdrive into the powered-down system.
2. Boot from F-Secure Rescue CD and let it initialize until the screen presents the choice to continue or restart the computer.
3. Press Alt-F2 to switch to the console.
4. List all available drives with the fdisk -l command. Use the sizes of the disks to pick out the thumbdrive.
5. Mount the thumbdrive with the following command:

       mount %devicename%

   where %devicename% = the name of the thumbdrive

   Example:
   Name of thumbdrive: /dev/sdc1
   Command: mount /dev/sdc1

6. Use the following command to dump the MBR, which is usually (but not always) the first sector of the hda drive:

       dd if=%device_name% of=%filename% bs=512 count=1

   where %device_name% = name of the device and %filename% = name of the output dump

   Example:
   Name of the output dump: /tmp/mbr_disk
   Command: dd if=/dev/hda of=/tmp/mbr_disk bs=512 count=1

   You may also use the above command to dump the first sector of other drives, if you feel the information may be relevant.

   Note: Ensure the name of the output dump is changed to avoid overwriting the dumped MBR information.

   Example:
   Name of the output dump: /tmp/mbr_disk1
   Command: dd if=/dev/hda1 of=/tmp/mbr_disk1 bs=512 count=1

7. Copy the dumped information to the thumbdrive with the following command:

       cp %name of output dump% %file on thumbdrive%

   You can determine the path to the thumbdrive by typing the df command and noting the relevant entry in the "mounted on" column.

   Example: cp /tmp/mbr_disk /media/shc1/mbr_disk

8. Use an uncompromised machine to submit all the dumped files to F-Secure via the Sample Analysis System, along with any relevant details.

The dumped files may also be sent in as an attachment to a reply for an existing SAS case.
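Before submitting, it is worth confirming on the uncompromised machine that each dump really is one complete sector and recording its hash with the case details. The following Python sketch is an added example, not part of the original article or an F-Secure tool: it checks the size and the 0x55AA boot signature, lists the partition table entries and computes a SHA-256. The sample sector and all function names are constructed for illustration.

```python
import hashlib
import struct
import sys

SECTOR_SIZE = 512          # matches bs=512 count=1 in the dd command above
PART_TABLE_OFFSET = 446    # four 16-byte partition entries start here
BOOT_SIG_OFFSET = 510      # last two bytes of a valid MBR are 0x55 0xAA
# status, CHS start, type, CHS end, first LBA, sector count (little endian)
ENTRY = struct.Struct("<B3sB3sII")


def build_sample_mbr():
    """Constructed 512-byte sector: empty boot code and one type 0x07 entry."""
    entry = ENTRY.pack(0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return bytes(PART_TABLE_OFFSET) + entry + bytes(ENTRY.size * 3) + b"\x55\xaa"


def inspect_mbr_dump(data):
    """Return size, SHA-256, partition entries and any problems for one dump."""
    problems = []
    partitions = []
    if len(data) != SECTOR_SIZE:
        problems.append(f"expected {SECTOR_SIZE} bytes, got {len(data)}")
    if data[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] != b"\x55\xaa":
        problems.append("missing 0x55AA boot signature at offset 510")
    if len(data) >= SECTOR_SIZE:
        for slot in range(4):
            offset = PART_TABLE_OFFSET + slot * ENTRY.size
            status, _, ptype, _, lba, count = ENTRY.unpack_from(data, offset)
            if ptype == 0:
                continue  # unused slot
            if status not in (0x00, 0x80):
                # Typical when the dump is a partition's first sector, not an MBR.
                problems.append(f"entry {slot}: status byte 0x{status:02x} is not 0x00/0x80")
            partitions.append({
                "slot": slot,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba,
                "sectors": count,
            })
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "partitions": partitions,
        "problems": problems,
    }


if __name__ == "__main__":
    # With a path argument, inspect that dump; otherwise use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            dump = handle.read()
    else:
        dump = build_sample_mbr()
    report = inspect_mbr_dump(dump)
    print(report["sha256"], report["size"], "bytes")
    for part in report["partitions"]:
        print(part)
    for problem in report["problems"]:
        print("PROBLEM:", problem)
```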
View full article
Policies are single files created on F-Secure Policy Manager and automatically picked up by the client machines. They define the settings of the F-Secure programs that are installed on the client machines. Settings may include files to be scanned, scheduled scans, and information on whether the user is allowed to change the settings or not.
View full article
As of version 10, it is not possible to install F-Secure Client Security as a standalone installation. Client Security 10 requires that F-Secure Policy Manager 10.10 is available, and this requires a separate computer (server) to be available in the network environment.

If you have an existing environment with Client Security 9.x configured as a standalone installation, depending on the use case, F-Secure provides the following alternative solutions for you:

- For home computer users, we recommend that you use the F-Secure Internet Security product.
- If you have a network with multiple computers for running a business without dedicated server hardware, we recommend the Protection Service for Business solution.

For additional information, contact your local F-Secure partner or F-Secure sales.
View full article
Symptoms
The firewall drops some frames during network communication, preventing proper operation of third-party applications.

Diagnosis
Sometimes the firewall drops non-RFC-compliant frames during network communication. This may prevent proper operation of third-party applications.

Solution
To resolve the issue, disable the Stateful Inspection Level setting. This can be done in a centrally-managed environment.

What is the "Stateful Inspection Level" setting?

The level of stateful inspection performed on datagrams in the firewall. Stricter levels are safer but may cause compatibility issues with network protocol implementations which do not fully conform with the standards. We recommend that you use the strictest level whenever possible.

- RFC: Inspection according to network protocol standards. Datagrams not fully compliant with RFC documents may be dropped.
- Disabled: No inspection other than keeping track of connections. Protection against DoS and other network attacks is lower than normally.

More information

The relevant setting is located at F-Secure Internet Shield // Settings // Firewall Engine // Stateful Inspection Level.
View full article
This article contains some pointers about installing F-Secure Client Security and F-Secure Policy Manager. It is intended for use by technical staff to assist in the planning process.

Client Security and Policy Manager rollouts

Planning the installation and number of servers required

- Use one Policy Manager Server (PMS) for every 10.000 clients if possible. More than 10.000 clients per PMS can be difficult to administer and also places additional load on the server, which can lead to a negative user experience.
- Use one Policy Manager Server per branch office or at least “major branch office”.
- Deploy a Policy Manager Proxy Server (PMP) installation in each branch office where no PMS is installed that has more than ~10 clients.

Rolling out: Preparation

- Create the policy domain structure before rolling out the clients.
- Configure the policy before rolling out the clients. Firewall rules and PMP configuration are worthy of special attention in a distributed environment!
- Create autoimport rules and check that they function correctly before rolling out.

Rolling out: Implementation

- Push-installing more than 20 or so clients at a time from the Policy Manager Console (PMC) is not recommended. It is possible that even with these 'low' numbers, the PMC machine will be unusable for an hour or more.
- For major rollouts use a batch calling ilaunchr and use a preconfigured JAR package or an MSI installer exported using Policy Manager Console.
- Use System Center Configuration Manager (SCCM) or other similar tools for deploying the JAR or MSI installation.
- Deploy the installation to a test environment ("beta group") with at least 10 "as different as possible" clients before running the rollout batch.
- Test specifically for failing sidegrade, where used; create a brute force removal tool if necessary and test it before the rollout.
- Roll out small groups of computers at once and then thoroughly test them before continuing; fixing 50 clients is significantly easier than 500.
View full article
This article describes the following additional Ilauncher parameters:

- /user:domain\username
- /password:secret

Additional parameters

The following optional command line parameters are added to Ilauncher:

- /user:domain\username (variation: /user:username) – Specifies the user account and the domain name. The domain name can be optionally left out.
- /password:secret (variation: /password:"secret with spaces") – Specifies the password of the user account.

The Ilauncher functionality remains the same if neither of these two parameters is given. If only one of the parameters is given, Ilauncher returns an error code. If both parameters are given, Ilauncher starts the setup program by using CreateProcessWithLogonW instead of CreateProcess.

Ilauncher is located in the \F-Secure\Common folder in case you want to see all other parameters that can be used. When you double-click ilaunchr.exe, a window will open, listing all the parameters. Or you can open the window by typing the following command in the command prompt in the common directory: Ilaunchr /help.
View full article
This article provides information about the firewall rules needed for Microsoft ActiveSync.

Configuring firewall to allow Microsoft ActiveSync

Microsoft ActiveSync uses the following applications for the communication:

- Wcesmgr.exe
- Wcescomm.exe
- Rapimgr.exe

Go to the Application Control settings and allow these applications to act as a client and a server to allow connections between your computer and the mobile device.

Microsoft ActiveSync uses the following ports for the communication:

- Inbound TCP: 990, 999, 5678, 5721, 26675
- Outbound UDP: 5679

Make sure that these ports are not blocked before the dynamic Application Control rules in your firewall rule list. ActiveSync creates a private personal area network 169.254.2.0/24 for the device and the virtual network adapter so you can limit open connections to this range.

Note that the connection might not work if the active firewall ruleset specifically denies something that ActiveSync needs. For example, the incoming TCP and UDP traffic is denied separately in home and mobile profiles before Application Control rules.

To make ActiveSync work in a profile which denies TCP/UDP traffic, you need to create rules that allow the necessary TCP in (990, 999, 5678, 5721, 26675) and UDP out (5679) network traffic in the ActiveSync network (169.254.2.0/24).
View full article
There are various malware monitoring opportunities available provided both by F-Secure and the operating system.

Means provided by F-Secure

Remotely:
- Policy Manager Console
- Policy Manager Web Reporting
- Alert Forwarding
- Syslog forwarding (configured through Console > Server configuration > Syslog page)

On host:
- Local User Interface
- Logfiles:
  - Logfile.log
  - Application.evt

Means provided by third parties

- Active Directory - Computer Management / Application Event Log
- SNMP Solutions

Note: For AD alert management to work correctly, TCP/445 and 135 must be open on the workstations to and from the management server.

Protection status monitoring is possible through the Policy Manager Console's Outbreak Manager tab. Information presented there includes:

- Overall domain protection status
- Threat specific information (e.g. protection status against MYDOOM.F)
- Key host information (updated automatically):
  - Connection Status
  - Protection Status
  - AV Update Delta - the time between the last definition update and the last successful connection to PM. This is critical if the status is connected and the update delta value is high.
View full article
Question
How do I minimize bandwidth usage using Neighborcast for PSB installation and updates?

Answer
If you have a slow or limited broadband connection, downloading and installing PSB Workstation Security database updates on several Windows computers can take a significant number of hours. To avoid this, you can use Neighborcast to allow the clients to download the database updates from each other via LAN instead of from F-Secure Service Center via the Internet.

1. Install PSB Workstation on one computer, and make sure the installation is complete with up-to-date database updates.
2. On the PSB Portal, set a profile with Neighborcast enabled as your default profile. You can use a pre-created default profile Office (Open with Neighborcast) as is. It has Neighborcast enabled for client and server by default. Or you can create your own profile, and enable Neighborcast manually (see image below). Then go to the Profiles tab, select the profile by clicking the radio button next to it and click Set default profiles to make it your default profile.
3. Install PSB Workstation on a second computer. This PSB Workstation should take the default profile into use during install. Note that when a new PSB Workstation downloads its updates, it will still download smaller updates (approximately 20-30MB) from the F-Secure update server via the Internet due to staged (or phased) Neighborcast use. However, the bigger Aquarius update (approximately 260MB) is downloaded from the first PSB Workstation via LAN.
4. Allow the database updates to finish downloading. The next database and all upcoming updates after this will be downloaded via Neighborcast.
5. Install the rest of the PSB Workstations on the remaining computers. During the installation, these computers will download all database updates via Neighborcast, as described in step 3.

To verify that the updates are downloaded via Neighborcast, you can check the PSB Workstation Update Agent logs (PSB Workstation: Settings > Other settings > Downloads > View log file). In the example below, IP address 10.132.2.54 is in the same LAN:

    ---
    [ 1860]Tue Apr 07 13:32:03 2015(3): Database 'aquawin32' version '1428394369' db_size '251468950', free '1500635136'
    [ 1860]Tue Apr 07 13:32:03 2015(3): Downloaded 'F-Secure Aquarius Update 2015-04-07_03' - 'aquawin32' version '1428394369' from 10.132.2.54, 251468950 bytes (249298216 bytes downloaded via neighborcast)
    [ 3724]Tue Apr 07 13:32:03 2015(2): Update check completed successfully.
    [ 1368]Tue Apr 07 13:36:22 2015(3): Installation of 'F-Secure Aquarius Update 2015-04-07_03' : Success
    ---
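The same log check can be scripted across many workstations. The following Python sketch is an added example, not part of the original article: it extracts each "Downloaded" entry from an Update Agent log, computes the share fetched via Neighborcast and flags downloads whose source is outside the LAN. The 10.132.2.0/24 range, the 50% threshold, the function names and the fourth log line (including its format) are assumptions made for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# The first three lines are the log excerpt quoted above. The fourth is constructed
# and assumes a download without Neighborcast simply omits the parenthesis.
SAMPLE_LOG = """\
[ 1860]Tue Apr 07 13:32:03 2015(3): Database 'aquawin32' version '1428394369' db_size '251468950', free '1500635136'
[ 1860]Tue Apr 07 13:32:03 2015(3): Downloaded 'F-Secure Aquarius Update 2015-04-07_03' - 'aquawin32' version '1428394369' from 10.132.2.54, 251468950 bytes (249298216 bytes downloaded via neighborcast)
[ 3724]Tue Apr 07 13:32:03 2015(2): Update check completed successfully.
[ 1860]Tue Apr 07 14:02:11 2015(3): Downloaded 'Constructed Small Update 2015-04-07_01' - 'constructed-db' version '1428396000' from 203.0.113.10, 20971520 bytes
"""

DOWNLOAD_RE = re.compile(
    r"Downloaded '(?P<title>[^']*)' - '(?P<db>[^']*)' version '(?P<version>[^']*)' "
    r"from (?P<source>[^,\s]+), (?P<total>\d+) bytes"
    r"(?: \((?P<nc>\d+) bytes downloaded via neighborcast\))?"
)


@dataclass
class Download:
    title: str
    database: str
    source: str
    total_bytes: int
    neighborcast_bytes: int

    @property
    def neighborcast_share(self):
        """Fraction of the update's bytes that arrived via Neighborcast."""
        return self.neighborcast_bytes / self.total_bytes if self.total_bytes else 0.0


def parse_downloads(log_text):
    """Return one Download per 'Downloaded ...' line in the log text."""
    downloads = []
    for line in log_text.splitlines():
        match = DOWNLOAD_RE.search(line)
        if match:
            downloads.append(Download(
                match["title"], match["db"], match["source"],
                int(match["total"]), int(match["nc"] or 0),
            ))
    return downloads


def source_in_lan(source, lan_cidr):
    """True if the download source is an IP address inside the given network."""
    try:
        return ipaddress.ip_address(source) in ipaddress.ip_network(lan_cidr)
    except ValueError:
        return False  # host name or malformed address


def non_lan_downloads(downloads, lan_cidr, min_share=0.5):
    """Return (title, reason) for downloads that did not come from a LAN peer."""
    flagged = []
    for item in downloads:
        if not source_in_lan(item.source, lan_cidr):
            flagged.append((item.title, f"source {item.source} is outside {lan_cidr}"))
        elif item.neighborcast_share < min_share:
            flagged.append((item.title, f"only {item.neighborcast_share:.0%} via Neighborcast"))
    return flagged


if __name__ == "__main__":
    parsed = parse_downloads(SAMPLE_LOG)
    for item in parsed:
        print(f"{item.title}: {item.neighborcast_share:.1%} via Neighborcast from {item.source}")
    for title, reason in non_lan_downloads(parsed, "10.132.2.0/24"):
        print("CHECK:", title, "-", reason)
```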
View full article
Symptoms
The system is or has previously been infected by a virus or spyware, and restoring the system may fail when you try to restore the system to a previous restore point.

Diagnosis
If the system is or has previously been infected by a virus or spyware, restoring the system may occasionally fail when you try to restore the system to a previous restore point.

This can happen because real-time scanning blocks any access to the infected files. This applies to situations where the System Restore tries to delete an existing infected file, and where an attempt is made to restore an infected file from the previous restore point. Because System Restore fails to open the infected file, it treats this error condition as a fatal error and aborts the restore process.

Solution
A workaround for the problem:

1. Before you start to restore the system, turn off real-time scanning.
2. Use System Restore to restore your system to the desired restore point.
3. Turn real-time scanning on.

Additional information

More information about how System Restore is affected by antivirus products can be found in the following Microsoft Support article: http://support.microsoft.com/kb/831829.
View full article
Symptoms
The F-Secure product is not completely removed during a system restore and the reinstallation, therefore, fails.

About System Restore

System Restore is a feature of Windows which enables a return to a previous system state. It can be used, for example, to change back to a previous version of a driver if the new one causes problems. System Restore is designed to affect executable files and certain configuration files, such as .exe, .dll and .ini files. Data files are unaffected by System Restore.

System Restore creates "restore points" and these contain information about the versions of files in use at the time when they were created. F-Secure creates a restore point when it is installed.

Diagnosis
The F-Secure product will not be removed completely if a System Restore point is used to roll back changes. After using a restore point, reinstallation may succeed but the installation of downloaded updates will fail.

Solution
To resolve the issue, uninstall and reinstall the product.

If you have used System Restore to remove the product, deleting the F-Secure folder can resolve the problem and enable reinstallation. The installation folder is normally C:\Program Files\F-Secure.
View full article
Software Updater is a feature that ensures the operating systems and applications used in your organization are always up-to-date. This lowers the security risks of using vulnerable or unpatched software. Software Updater proactively scans the computer for missing security patches, software updates and service packs, and deploys them automatically. Users can receive notifications when updates are installed on the computer.   For more information on how to use the Software Updater, refer to the F-Secure Policy Manager Administrator's Guide, Chapter 15.
View full article
Applies to: Anti-Virus for PC, Client Security 11.x, Client Security 11.x Premium, Client Security 12.x, Client Security 12.x Premium, Internet Security

Advanced removal options

Manual uninstallation

Removing products after an unsuccessful installation may require manual interaction. To manually remove the software completely:

1. Stop F-Secure services.
2. Remove the following registry keys:
   - HKEY_LOCAL_MACHINE\SOFTWARE\Data Fellows
   - HKEY_LOCAL_MACHINE\SOFTWARE\BackWeb (if present)
   - HKEY_LOCAL_MACHINE\SOFTWARE\F-Secure
3. Restart the computer.
4. After the restart, delete the F-Secure installation folder.
5. Reinstall the product (if desired).

Removing by using fsuninst

The fsuninst.exe program can be used to remove the software module by module. You can find this program in the F-Secure\uninstall directory.

The required command lines for F-Secure Internet Security 2010 and PSC 9x are:

    fsuninst.exe /UninstRegKey:"F-Secure Anti-Virus" -a
    fsuninst.exe /UninstRegKey:"F-Secure NAC Support" -a
    fsuninst.exe /UninstRegKey:"F-Secure HIPS" -a
    fsuninst.exe /UninstRegKey:"F-Secure Gemini" -a
    fsuninst.exe /UninstRegKey:"F-Secure ORSP Client" -a
    fsuninst.exe /UninstRegKey:"F-Secure Gadget" -a
    fsuninst.exe /UninstRegKey:"F-Secure ISP News " -a
    fsuninst.exe /UninstRegKey:"F-Secure NRS" -a
    fsuninst.exe /UninstRegKey:"F-Secure ExploitShield" -a
    fsuninst.exe /UninstRegKey:"F-Secure Internet Shield" -a
    fsuninst.exe /UninstRegKey:"F-Secure E-mail Scanning" -a
    fsuninst.exe /UninstRegKey:"F-Secure Spam Scanner" -a
    fsuninst.exe /UninstRegKey:"F-Secure Spam Control" -a
    fsuninst.exe /UninstRegKey:"F-Secure Anti-Spyware" -a
    fsuninst.exe /UninstRegKey:"F-Secure Anti-Spyware Scanner" -a
    fsuninst.exe /UninstRegKey:"F-Secure Protocol Scanner" -a

The required command lines for F-Secure Internet Security 2009 and PSC 8 are:

    fsuninst.exe /UninstRegKey:"F-Secure Anti-Virus" -a
    fsuninst.exe /UninstRegKey:"F-Secure HIPS" -a
    fsuninst.exe /UninstRegKey:"F-Secure Pegasus Engine" -a
    fsuninst.exe /UninstRegKey:"F-Secure Gemini" -a
    fsuninst.exe /UninstRegKey:"F-Secure Internet Shield" -a
    fsuninst.exe /UninstRegKey:"F-Secure E-mail Scanning" -a
    fsuninst.exe /UninstRegKey:"F-Secure Web Filter" -a
    fsuninst.exe /UninstRegKey:"F-Secure Spam Scanner" -a
    fsuninst.exe /UninstRegKey:"F-Secure Spam Control" -a
    fsuninst.exe /UninstRegKey:"F-Secure Anti-Spyware" -a
    fsuninst.exe /UninstRegKey:"F-Secure Anti-Spyware Scanner" -a
    fsuninst.exe /UninstRegKey:"F-Secure Protocol Scanner" -a
    fsuninst.exe /UninstRegKey:"News Service" -a

The required lines for F-Secure Client Security products (version 8.x) are:

    fsuninst.exe /UninstRegKey:"F-Secure Anti-Virus" -a
    fsuninst.exe /UninstRegKey:"F-Secure HIPS" -a
    fsuninst.exe /UninstRegKey:"F-Secure Pegasus Engine" -a
    fsuninst.exe /UninstRegKey:"F-Secure Gemini" -a
    fsuninst.exe /UninstRegKey:"F-Secure Internet Shield" -a
    fsuninst.exe /UninstRegKey:"F-Secure E-mail Scanning" -a
    fsuninst.exe /UninstRegKey:"F-Secure Web Filter" -a
    fsuninst.exe /UninstRegKey:"F-Secure Spam Scanner" -a
    fsuninst.exe /UninstRegKey:"F-Secure Spam Control" -a
    fsuninst.exe /UninstRegKey:"F-Secure Anti-Spyware" -a
    fsuninst.exe /UninstRegKey:"F-Secure Anti-Spyware Scanner" -a
    fsuninst.exe /UninstRegKey:"F-Secure Protocol Scanner" -a
    fsuninst.exe /UninstRegKey:"News Service" -a

The required lines for F-Secure Anti-Virus for Server and Workstation products (version 8.x) are:

    fsuninst.exe /UninstRegKey:"F-Secure Anti-Virus" -a
    fsuninst.exe /UninstRegKey:"F-Secure Anti-Spyware" -a
    fsuninst.exe /UninstRegKey:"F-Secure Anti-Spyware Scanner" -a
    fsuninst.exe /UninstRegKey:"News Service" -a

Removing by using F-Secure uninstallation tool

Use the F-Secure uninstallation tool with extreme care, and note the following with its use:

- The tool will not remove F-Secure software if it was installed directly into an unsafe location, such as c:\, c:\windows or c:\program files. This is because it will delete the directory into which F-Secure was installed and, as such, it would also delete the rest of the files.
- The tool will remove all installed F-Secure products, and should therefore be used with extreme caution on F-Secure Policy Manager, F-Secure Anti-Virus for Microsoft Exchange and F-Secure Anti-Virus for Windows Server installations.
- Running the uninstallation tool on a Policy Manager server without a backup means that you will have to reinstall all clients. The reason for this is that the tool will also delete the keys, domain setup and all other aspects of the Policy Manager implementation while removing the other products. Since all policies are digitally signed and the signature is checked before taking them into use, a backup of the keys and the commdir directory is essential.
- Only use the uninstallation tool as a last resort when everything else has failed. It is not without risk.

You can download the uninstallation tool package from ftp://ftp.f-secure.com/support/tools/uitool/UninstallationTool.zip.

Removing from Linux using rpm

Use this approach when you have removed the F-Secure installation folders without using a package manager (rpm, dpkg). Uninstalling in this way may prevent reinstallation, because the package manager still believes that the product is installed. To resolve this:

1. Find out which rpm packages are installed:

       rpm -qa | grep f-secure
       rpm -qa | grep fsav

2. Remove the packages by running rpm -e --noscripts on each package.
3. Finally, remove all the product installation directories:

       rm -rf /var/opt/f-secure/fsav
       rm -rf /var/opt/f-secure/fsma
       rm -rf /etc/opt/f-secure/fsav
       rm -rf /etc/opt/f-secure/fsma
       rm -rf /opt/f-secure/fsav
       rm -rf /opt/f-secure/fsma
View full article
This article describes how you can use ilaunchr.exe with a limited user account to install F-Secure software.

Using the runas command

There are no built-in parameters for bypassing credentials within ilaunchr.exe, but you can use the runas command to run the executable. Examples:

runas /user:domain\admin "c:\ilaunchr.exe c:\cs.jar"
runas /user:domain\admin "c:\ilaunchr.exe c:\cs.jar /f"

If there is an existing F-Secure installation, you need to use /f to force the installation.

You will be prompted for a password immediately after running the command. It is not possible to run the installation completely silently.
View full article
Symptoms
Windows login is taking exceptionally long after installing the F-Secure product.

Diagnosis
After having installed the F-Secure product on several workstations in the network, you notice that the Windows login is taking longer than usual, even up to several minutes before it is completed.

You are using a centrally-managed installation. The problematic setting which had been changed to a non-default value is the following:

F-secure anti-virus // settings // settings for real-time protection // scanning options // limit scanning time.

By default, this setting is 25 seconds and it has been changed to 3 minutes. The setting controls the maximum time the on-access scanning spends scanning any particular file. The setting is per scanner engine.

F-Secure does not recommend that you change the default value as this has an adverse impact on the performance.

Solution
To resolve this issue, change the non-default value back to the default value - i.e. 25 seconds - and distribute the new policies.
View full article
This article describes the meaning of the F-Secure Automatic Update Agent (AUA) connection settings. AUA is the component in the product that is responsible for the update service of, for example, the malware definition databases.

AUA settings explained

Assume always connected means that AUA simply tries to connect to the update server (bwserver) without checking for any connection-related issues.

Detect connection means that AUA checks that there is an operational and connected network interface available (a loopback does not count as an operational interface).

Detect traffic means that AUA checks if there has been any network traffic after the previous AUA connection. This is done so that AUA tries to get information on how much data has been transferred since the last check.
View full article
About the quarantine recovery tool

The main purpose of the advanced quarantine recovery tool (unquar.exe) is to recover from a situation where an important file or files have been placed into quarantine due to a false positive detection. The tool also provides means for deleting a given quarantine repository. This is intended for cleaning up the quarantine repository after a product has been removed with the uninstallation tool.

Recovering files from quarantine after a false positive incident

If the F-Secure product is still installed and real-time scanning is turned on, make sure you have the latest definition updates downloaded and installed before you begin. Unquar.exe can be downloaded from ftp://ftp.f-secure.com/support/tools/unquar/unquar.exe.

1. Copy unquar.exe, for example to c:\temp\.

2. Open Command Prompt in one of the following ways:
   - In Windows XP, click the Start menu, select Run, type cmd in the Open field in the Run window and finally click OK.
   - In Windows Vista/7, click the Start menu, type cmd and press Enter.

3. In Command Prompt, change to the desired folder. For example, to change to folder c:\temp\, type cd c:\temp\ and press Enter.

4. To list the quarantined items from the quarantine repository, use

   a) Detection name:

      unquar.exe -m recovery -i Trojan:W32/F-Secure_testfile.A

      This option lists all the items in the quarantine with the given malware family name (in this example Trojan:W32/F-Secure_testfile.A).

   b) Quarantine date:

      unquar.exe -m recovery -d 2011.04.15-2011.04.16

      This option lists all the items in the quarantine with the given quarantine date (in this example from 15th of April through 16th of April, 2011). The range is specified in the following format: YYYY.MM.DD-YYYY.MM.DD.

5. To restore the items from the quarantine, use

   Note: Make sure you are restoring the correct files from the quarantine. There is a chance that the quarantine contains malware and you might risk real infection by releasing these items. If you are not sure, contact support to get the malware family name or the date information.

   a) Detection name:

      unquar.exe -m recovery -i Trojan:W32/F-Secure_testfile.A --doit

      This option releases all the items in the quarantine with the given malware family name (in this example Trojan:W32/F-Secure_testfile.A).

   b) Quarantine date:

      unquar.exe -m recovery -d 2011.04.15-2011.04.16 --doit

      This option releases all the items in the quarantine with the given quarantine date (in this example from 15th of April through 16th of April, 2011). The range is specified in the following format: YYYY.MM.DD-YYYY.MM.DD.

The tool moves the files to their original location and restores all relevant registry settings.

Note: If you are not sure how to use the script, contact support for further details!

Delete mode

The tool also provides means for deleting a given repository. This might not be possible otherwise since the repository contains folders protected by a strict ACL. The tool drops the ACL and recursively deletes the contents.

To delete a repository:

1. Copy unquar.exe, for example to c:\temp\.

2. Open Command Prompt in one of the following ways:
   - In Windows XP, click the Start menu, select Run, type cmd in the Open field in the Run window and finally click OK.
   - In Windows Vista/7, click the Start menu, type cmd and press Enter.

3. In Command Prompt, change to the desired folder. For example, to change to folder c:\temp\, type cd c:\temp\ and press Enter.

4. Run unquar.exe -del

More information

Running the unquar.exe tool from command prompt without additional command line parameters will print out the extra parameters for using the tool.
View full article
To remotely install Client Security or AV for Workstations to a Windows 8 host from Policy Manager Console, set the following registry value on the host to enable access to the 'admin$' share:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"LocalAccountTokenFilterPolicy"=dword:00000001
View full article
Symptoms
NAP Health Validator is not removed from configured health policies during uninstallation.

Diagnosis
During uninstallation, references to F-Secure System Health Validator (SHV) are not automatically removed from health policies. Computers that use these policies are considered as non-compliant with health policies and they are quarantined.

Solution
To fix broken references to F-Secure SHV, open the health policies properties in the Network Policy Server console (nps.msc) and confirm the automatic update.
View full article
Symptoms
Policies are not received immediately after reboot.

Diagnosis
In some cases, the installed client may not receive policies immediately after the reboot.

Solution
Usually, the client receives the new policy after some time and recovers automatically. If this does not happen, restart the computer.
View full article
Symptoms
System might be slow for several minutes after the first reboot while the installation finishes.

Diagnosis
The system may start up slowly during the initial restart after the installation. After the restart, the product downloads and installs various updates to finalize the installation in the background.

The effect is more noticeable after a fresh installation, as more updates need to be downloaded. The local user interface has a blue status indicator and a “Completing Installation” status until the installation is complete.

Solution
This is normal behaviour. Subsequent restarts are not affected.
View full article
Symptoms
Installation of Client Security 11.x or AV for Workstations 11.x removes McAfee Agents.

Diagnosis
During the installation, the product removes 3rd-party software that may be incompatible (including McAfee Agent and McAfee NAI ePolicy Orchestrator Agent).

Solution
If you need 3rd-party software that would be removed, submit a support ticket to F-Secure customer support to request a special build that does not remove software that you need.
View full article
Symptoms
Incorrect engine versions are shown in policy statistics.

Diagnosis
After a clean installation, the Status tab of Policy Manager Console (F-Secure Anti-Virus > Plug-ins table) and scanning reports show incorrect engine versions.

Solution
To solve this issue, restart the FSGKHS service.
View full article
Symptoms
Unused databases are still visible after upgrade.

Diagnosis
When upgrading from a previous version, some database and engine updates that were used in the previous version may not be needed anymore. They are still visible in Settings > Other settings > Downloads marked as Not Installed.

Solution
This is normal and entries will disappear automatically after 7 days.
View full article
Network Access Protection (NAP) is a Microsoft® technology that was first introduced in Windows Server 2008. It allows you to better protect network assets by enforcing compliance with system health requirements. With NAP, you can create customized health requirement policies to validate computer health before allowing access or communication, automatically update compliant computers to ensure ongoing compliance, and optionally confine noncompliant computers to a restricted network until they become compliant.

Microsoft NAP includes client and server components.

The NAP Health Policy Server is a computer running the Network Policy Server (NPS) service that stores health requirement policies and provides health evaluation for NAP clients. This role is supported by Windows® Server 2008 and Windows® Server 2008 R2. NAP policy compliance can be specified for different enforcement methods like DHCP, 802.1, IPSec, TS Gateway, VPN, or Direct-Access.

The NAP client is built into the following operating systems: Windows® XP Service Pack 3, Windows® Vista, and Windows® 7. It is managed via Group Policy from NPS and includes System Health Agent (SHA), which monitors the health status on the client to generate a health claim that can be interpreted by the corresponding System Health Validator (SHV) on the NAP Health Policy Server.

When a client attempts to access or communicate on the network, it must present its system health or proof of the health compliance. If a client cannot prove it is compliant with the system health requirements, it can be limited to a restricted network that contains server resources for fixing the health compliance issues. After the issues are fixed, the client requests access to the network or attempts the communication again. If compliant, the client is granted unlimited access to the network or the communication is allowed.

For more information about Microsoft NAP and how it works, please refer to the Microsoft NAP platform web site.

Microsoft NAP support in F-Secure products

Support for Microsoft NAP is provided with the following F-Secure products:

- F-Secure Client Security 9.x and later

Microsoft NAP support is provided by two components: the Microsoft NAP Plug-in included in the products above and F-Secure System Health Validator, which is provided as a separate server component with its own installer.

F-Secure System Health Validator has to be installed on a NAP Health Policy Server. It allows you to configure F-Secure-specific network health requirements. For example, it could check that client computers are running F-Secure antivirus, that the latest antivirus database updates are received, or that hosts have recent policies from F-Secure Policy Manager Server.

The Microsoft NAP Plug-in is to be installed on NAP-capable client computers. It includes F-Secure System Health Agent (SHA), which monitors the client health status and reports it to the NAP Health Policy Server, where the status is validated against the corresponding network health requirements.

System requirements

Before F-Secure NAP components are installed, the corporate network has to be configured with the Microsoft NAP platform, NPS should manage health policies for the preferred enforcement clients, and the remediation server group (if any) should be connected to the restricted network. For detailed step-by-step instructions on this, see the Microsoft NAP Technet page.

If you plan on installing F-Secure products on client computers in centralized administration mode, the computer with Policy Manager Server should be added to the remediation server group.

Installation of F-Secure System Health Validator

The F-Secure System Health Validator installation package can be downloaded from here.

The package must be installed on the server with the NPS role. Local administrative rights are required to install the software.
The installation procedure is simple and will be familiar to anyone who has installed an F-Secure product in the interactive mode.

After F-Secure System Health Validator is installed, you should configure the desired F-Secure-specific network health requirements and add them to the corresponding enforcement health policies.

F-Secure health requirements configuration

To configure network health requirements with F-Secure System Health Validator:

1. Click Start, click Run, type nps.msc, and then press ENTER to start the Network Policy Server console. (Or click Start, click Administrative Tools, click Network Policy Server.)

2. In the Network Policy Server console tree, open Network Access Protection, then System Health Validators.

3. If NPS is running on Windows® Server 2008: Under Name, double-click F-Secure System Health Validator. In the F-Secure System Health Validator Properties dialog box, click Configure.

   If NPS is running on Windows® Server 2008 R2: In the Network Policy Server console tree, open F-Secure System Health Validator, then Settings. Under Name, double-click Default Configuration or create a new one.

4. After that, the F-Secure System Health Configuration dialog opens so that you can edit the F-Secure network health requirements. The following policy health requirements can be defined and validated with F-Secure System Health Validator:

   - F-Secure antivirus is running - checks if all F-Secure services installed on a client computer are running.
   - Real-time protection is turned on - checks if the Real-time protection is turned on in F-Secure antivirus on a client.
   - F-Secure firewall is turned on - checks if F-Secure Firewall is installed on a client computer and both Firewall and Application Control are turned on.
   - Maximum number of days since the last anti-virus database update - if enabled, checks if F-Secure Antivirus on a client was updated not later than the specified number of days.
   - Maximum number of days since the last connection to Policy Manager Server - if enabled, checks if F-Secure product on a client is installed in the Central management mode and was connected to Policy Manager Server not later than the specified number of days.

5. Click OK to save the configuration.

Adding F-Secure requirements check to network health policies

After F-Secure network health requirements are configured, they can be taken into use with any enforcement client configured in the network:

1. In the Network Policy Server console tree, open Policies, and then click Health Policies.

2. In the details pane, double-click a health policy for any enforcement method that should check the F-Secure health requirements. For example, to check F-Secure requirements when a client requests an IP address from a DHCP server, the DHCP compliance health policies should be opened.

3. In the chosen health policy Properties box under SHVs used in this health policy table, check F-Secure System Health Validator and optionally select the proper configuration other than Default Configuration (available on Windows® Server 2008 R2). Then click OK to close the policy Properties dialog.

After you have added the F-Secure requirements check to enforcement health policies, it will be taken into use for any client computer that attempts to access the network via the corresponding enforcement method. For the client to be compliant with F-Secure network health requirements, the F-Secure plug-in for Microsoft NAP has to be installed on the client computer, present its health status to the F-Secure validator on the NPS server, and prove the client's compliance.

Installation of Microsoft NAP Plug-in

F-Secure System Health Agent (SHA) is provided with the Microsoft NAP Plug-in component, which is included in F-Secure Client Security or F-Secure Anti-Virus for Workstations that support Microsoft NAP technology. It is an optional component, i.e. it will not be installed by default.
- If you are interactively installing the product on a client computer, choose Custom installation and select Microsoft NAP Plug-in component in the list of components to be installed. No additional configuration is required.
- If you are centrally deploying the product from F-Secure Policy Manager in the remote mode, select Microsoft NAP Plug-in component in the corresponding Remote installation wizard.

Troubleshooting

How to check if F-Secure SHA is installed and the client is compliant

To verify that the F-Secure SHA is properly installed on a client computer:

1. Click Start, click Run, type cmd, and then press ENTER.
2. In the command window, type netsh nap client show state, and then press ENTER.
3. In the command output, verify that F-Secure System Health Agent is listed and initialized.

The output also reports the results of the compliance check for the client. If the client does not comply with a requirement in F-Secure System Health Validator, the corresponding reason will be mentioned in the Compliance results section of the command output. Remediate the client computer to fix the problem and try to access the network again.

Reinstallation of F-Secure System Health Validator sometimes requires restarting the NPS server

Note that the reinstallation may require that the NPS server be restarted. If other F-Secure products, e.g. F-Secure Anti-Virus for Servers, are installed on the same server, the reinstallation always requires a restart.

Take this into account and plan the reinstallation accordingly.

Uninstallation of F-Secure System Health Validator leaves broken links in health policies at the NPS server

After the F-Secure System Health Validator is uninstalled, some health policies keep referring to the validator that is no longer available.

To repair such policies, open the NPS console, select each of the broken policies (usually marked with an exclamation mark), then open it and close it (you will be asked to select at least one validator before closing). If you do not want to select any validator, delete the policy.

F-Secure NAP Plug-in debug logging

To enable debug logging in the NAP plug-in, create the following registry key and settings:

On Windows 32-bit platform:

[HKEY_LOCAL_MACHINE\SOFTWARE\Data Fellows\F-Secure\FSNAP\Debug\fsnapsha]
"DebugOutput"=dword:00000001
"DebugLevel"=dword:00000010
"DebugSeverity"=dword:00000007

[HKEY_LOCAL_MACHINE\SOFTWARE\Data Fellows\F-Secure\FSNAP\Debug\fsnapinfo]
"DebugOutput"=dword:00000001
"DebugLevel"=dword:00000010
"DebugSeverity"=dword:00000007

On Windows 64-bit platform:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Data Fellows\F-Secure\FSNAP\Debug\fsnapsha]
"DebugOutput"=dword:00000001
"DebugLevel"=dword:00000010
"DebugSeverity"=dword:00000007

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Data Fellows\F-Secure\FSNAP\Debug\fsnapinfo]
"DebugOutput"=dword:00000001
"DebugLevel"=dword:00000010
"DebugSeverity"=dword:00000007

Note: fsnapsha debug logs are created in the FSNAP component's installation directory (typically, C:\Program Files\F-Secure\FSNAP).

F-Secure System Health Validator debug logging

To enable debug logging in F-Secure System Health Validator, create the following registry key and settings:

On Windows 32-bit platform:

[HKEY_LOCAL_MACHINE\SOFTWARE\F-Secure Corporation\F-Secure NAP Validator\Debug\fsnapshv]
"DebugOutput"=dword:00000001
"DebugLevel"=dword:00000010
"DebugSeverity"=dword:00000007

On Windows 64-bit platform:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\F-Secure Corporation\F-Secure NAP Validator\Debug\fsnapshv]
"DebugOutput"=dword:00000001
"DebugLevel"=dword:00000010
"DebugSeverity"=dword:00000007

Note: fsnapshv debug logs are created in the Windows temporary folder (typically, C:\Windows\Temp).

To enable debug logging in F-Secure System Health Configuration, create the following registry key and settings:

On Windows 32-bit platform:

[HKEY_LOCAL_MACHINE\SOFTWARE\F-Secure Corporation\F-Secure NAP Validator\Debug\fsnapshvui]
"DebugOutput"=dword:00000001
"DebugLevel"=dword:00000010
"DebugSeverity"=dword:00000007

On Windows 64-bit platform:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\F-Secure Corporation\F-Secure NAP Validator\Debug\fsnapshvui]
"DebugOutput"=dword:00000001
"DebugLevel"=dword:00000010
"DebugSeverity"=dword:00000007

Note: fsnapshvui debug logs are created in the FSNAPSHV component's installation directory (typically, C:\Program Files\F-Secure\FSNAPSHV).
View full article
Symptoms
Software Updater does not show that there is a missing update for Foxit Reader and does not update it to the latest version.

Diagnosis
The Foxit Reader installed is a Consumer version, not the Enterprise version. Software Updater only detects the Enterprise version.

Solution
You need to uninstall your current Foxit Reader and reinstall using the Enterprise version installer.
View full article
DeepGuard analyzes the behavior of programs, and blocks new and undiscovered viruses, worms, and other malicious programs that try to make potentially...
View full article
Symptoms
F-Secure Software Updater (SWUP) does not patch JRE.

Diagnosis
Even though Java Development Kit (JDK) is listed as a product supported by SWUP, we want to emphasize that SWUP does not patch JRE (32-bit and 64-bit) whenever Java Development Kit (JDK) is installed on the same system.

The reason for this is that, by design, JDK is a scan-only product in SWUP: SWUP does not support patching JDK, nor will it offer updates even for JRE in this instance, because applying the JRE update would break the JDK on the system.

Solution
To allow SWUP to patch JRE on a system with JDK installed, you will need to remove JDK manually.
View full article