Pre-installation checklist for F-Secure Linux Security version 11.x

Some Linux distributions and Linux installations may require certain software packages to be installed or workarounds to be applied before the F-Secure Linux Security product can be installed successfully. This article describes the most common configurations and the relevant solutions.

Distributions using Prelink

Prelinking can reduce the startup time of binaries, but it conflicts with the Integrity Checker in the product. To disable prelinking, locate the configuration file in your operating system (for example /etc/sysconfig/prelink) and change the line:

    PRELINKING=yes

to

    PRELINKING=no

and run /etc/cron.daily/prelink before you install the product.

You should also disable automatic prelink runs from cron. Some distributions run prelink periodically from cron to reduce the startup time of binaries which use dynamic libraries. Prelinking modifies binaries and dynamic libraries on the disk. This conflicts with the purpose of the Integrity Checker, which detects modifications to system files.

If you have already installed F-Secure Linux Security, follow these instructions:

1. Run /opt/f-secure/fsav/bin/fsims on from the command line to turn on the software installation mode. In the software installation mode, the product allows modifications to system files.
2. Edit /etc/sysconfig/prelink and change the line PRELINKING=yes to PRELINKING=no.
3. Run /etc/cron.daily/prelink.
4. Run /opt/f-secure/fsav/bin/fsims off from the command line to turn off the software installation mode. When the software installation mode is turned off, the state of system files is stored in the Integrity Checker baseline.

To use prelinking, you have to turn on the software installation mode before prelinking and turn it off when prelinking is finished. This allows prelink to make the changes to system files in a controlled way.
For example:

    # /opt/f-secure/fsav/bin/fsims on
    # prelink -a
    # /opt/f-secure/fsav/bin/fsims off

Note: This operation cannot be automated easily. Turning off the software installation mode creates a new baseline, which needs to be signed with a passphrase that the administrator has to enter.

Pre-installation requirements

The following packages must be installed before installing the product. In 64-bit environments, you may have to enable the Multiarch support before installing the 32-bit runtime support. For distributions that use the Dazuko kernel driver, kernel headers and compiler tools must also be installed. In order to compile the kernel driver successfully, the package versions of the currently used kernel, kernel-devel and kernel-headers need to match.

CentOS/RHEL 6 (32-bit): gcc glibc-devel glibc-headers kernel-devel make pam patch perl
Debian 7 (32-bit): gcc libc6-dev libpam-modules linux-headers-$(uname -r) make patch perl rpm
Debian 8 (32-bit): rpm pam perl
Ubuntu 12.04, 12.04.1, 12.04.2 (32-bit): gcc linux-headers-$(uname -r) perl rpm
Ubuntu 12.04.3, 12.04.4, 12.04.5 (32-bit): rpm
SUSE Linux Enterprise Server 11 (32-bit): gcc kernel-default-devel make patch perl
Oracle Linux 6 RHCK (32-bit): gcc glibc-devel kernel-devel make patch perl
CentOS/RHEL 6 (64-bit): gcc glibc-devel glibc-headers glibc.i686 glibc.x86_64 kernel-devel libstdc++.i686 libstdc++.x86_64 make pam.i686 pam.x86_64 patch perl zlib.i686 zlib.x86_64
CentOS/RHEL 7 (64-bit): glibc.i686 glibc.x86_64 libstdc++.i686 libstdc++.x86_64 pam.i686 pam.x86_64 perl zlib.i686 zlib.x86_64
Debian 7 (64-bit): Enable Multiarch support (dpkg --add-architecture i386; apt-get update), then install the following packages: gcc libc6-dev libpam-modules:i386 libstdc++6:i386 linux-headers-$(uname -r) make patch perl rpm zlib1g:i386
Debian 8 (64-bit): Enable Multiarch support (dpkg --add-architecture i386; apt-get update), then install the following packages: libpam-modules:i386 libstdc++6:i386 perl rpm zlib1g:i386
Ubuntu 12.04, 12.04.1, 12.04.2 (64-bit): gcc libpam-modules:i386 libstdc++6:i386 linux-headers-$(uname -r) perl rpm zlib1g:i386
Ubuntu 12.04.3, 12.04.4, 12.04.5 (64-bit): libpam-modules:i386 libstdc++6:i386 rpm zlib1g:i386
Ubuntu 14.04, 16.04 (64-bit): libc6-dev:i386 libpam-modules:i386 libstdc++6:i386 rpm zlib1g:i386
SUSE Linux Enterprise Server 11 SP1, SP2, SP3 (64-bit): gcc kernel-default-devel libgcc43-32bit libstdc++43-32bit make pam-modules-32bit patch perl
SUSE Linux Enterprise Server 11 SP4 (64-bit): gcc kernel-default-devel libgcc_s1-32bit libstdc++6-32bit make pam-modules-32bit patch perl
SUSE Linux Enterprise Server 12 (64-bit): libstdc++6-32bit libz1-32bit pam-32bit
Oracle Linux 6 RHCK (64-bit): gcc glibc-devel glibc-devel.i686 kernel-devel libstdc++.i686 make pam.i686 patch perl zlib.i686
Oracle Linux 7 UEK (64-bit): libstdc++.i686 pam.i686 zlib.i686

Initializing Linux Security

If some package dependencies were missing before the product was installed, execute the following command to properly initialize all F-Secure modules after installing the packages:

    /etc/init.d/fsma restart

If the Linux Security kernel interceptor could not be compiled, execute:

    /opt/f-secure/fsav/bin/fsav-compile-drivers

Note that fsav-compile-drivers also executes "fsma restart".
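The two pre-installation conditions above (prelink disabled, and a kernel-devel package that matches the running kernel so the Dazuko driver compiles) as a POSIX shell preflight check. This is an added example, not an F-Secure tool; it assumes the /etc/sysconfig/prelink format shown above and RPM-style kernel-devel-<release> package names.

```shell
#!/bin/sh
# Added preflight check for the two blockers described in this article:
# prelink enabled (conflicts with the Integrity Checker) and a kernel-devel
# package that does not match the running kernel (Dazuko will not compile).
# Not part of the F-Secure product; assumes the /etc/sysconfig/prelink
# format shown above and RPM-style "kernel-devel-<release>" package names.

# prelink_enabled [FILE]: true when FILE (default /etc/sysconfig/prelink)
# contains an active PRELINKING=yes line.
prelink_enabled() {
    f="${1:-/etc/sysconfig/prelink}"
    [ -r "$f" ] || return 1
    grep -Eq '^[[:space:]]*PRELINKING=[[:space:]]*yes' "$f"
}

# disable_prelink [FILE]: rewrite PRELINKING=yes to PRELINKING=no, keeping
# all other lines. Written to a temporary file first so a failed edit never
# leaves a truncated configuration behind. Run /etc/cron.daily/prelink
# afterwards, as the article says, to undo prelinking already applied on disk.
disable_prelink() {
    f="${1:-/etc/sysconfig/prelink}"
    tmp="$f.tmp.$$"
    sed 's/^\([[:space:]]*PRELINKING=[[:space:]]*\)yes/\1no/' "$f" > "$tmp" && mv "$tmp" "$f"
}

# kernel_devel_matches RUNNING_RELEASE DEVEL_PACKAGE: true when the package
# (e.g. kernel-devel-3.10.0-327.el7.x86_64) is built for the release reported
# by uname -r (e.g. 3.10.0-327.el7.x86_64). The comparison is exact on purpose:
# a backported kernel patch changes the release string, and the driver build
# fails on any mismatch.
kernel_devel_matches() {
    [ "$1" = "${2#kernel-devel-}" ]
}

# preflight: run both checks on the live host, print what blocks the install
# and return non-zero if anything does.
preflight() {
    rc=0
    running=$(uname -r)
    if prelink_enabled; then
        echo "prelink is enabled: set PRELINKING=no and run /etc/cron.daily/prelink first"
        rc=1
    fi
    if command -v rpm >/dev/null 2>&1; then
        match=0
        for pkg in $(rpm -q kernel-devel 2>/dev/null); do
            kernel_devel_matches "$running" "$pkg" && match=1
        done
        if [ "$match" -eq 0 ]; then
            echo "no kernel-devel package matches running kernel $running"
            rc=1
        fi
    fi
    return $rc
}

# Run the live checks only when invoked with --run, so the functions can be
# sourced and tested without touching the host.
case "${1:-}" in --run) preflight ;; esac
```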
This article lists all the current known issues for F-Secure Linux Security 11.10.

Updates to the operating system kernel may cause compiling issues or malfunction of the Dazuko kernel driver (either due to updates including backports from the upstream kernel, or significant kernel version upgrades). The following operating systems are known to be affected by this issue:

- Ubuntu 12.04, where minor OS upgrades introduce new kernel versions, which are incompatible with the current Dazuko implementation.
- RHEL/CentOS 6, where a minor OS upgrade can contain a backported kernel patch, incompatible with Dazuko.

For deployments that include any of the above-mentioned OS versions, we highly recommend that you verify the on-access scanning functionality in a separate testing environment before upgrading the product on any production machine.

Issue with Scheduled Scanning

Tasks for the Scheduled Scanning that are configured via Web UI may sometimes not run at the given times. This behavior has been observed at least with Ubuntu 14.04 and is due to the Unix "cron" service scheduling being inconsistent with system time changes. To solve this issue, restart cron.

Extending license of an expired PSB subscription

Requires running convert_to_full_installation.sh from the expired installation:

1. Revert the installation to standalone:
       /opt/f-secure/fsav/sbin/convert_to_full_installation.sh
2. Provide an empty key (press Enter on key request).
3. Re-convert the installation to be PSB-managed via convert_to_full_installation.sh:
       /opt/f-secure/fsav/sbin/convert_to_full_installation.sh --fspsbs= --keycode=

Other known issues

- WebUI, Manual scanning: The maximum length of text in "Files and directories excluded from scanning" cannot exceed 4096 bytes.
- WebUI, Known Files: The "Protect" option is not effective under FANotify and has been deprecated; it might be removed from the WebUI in future releases.
- WebUI displays an error when entering Advanced mode > General > Communications and upgrading to PSB managed mode. The issue occurs only in the Web server and does not affect the upgrade operation. Reloading the Web page clears the error.
- Policy Manager's Policy Value 90 ("90. Scan on EXE") and "Scan on execution" will not trigger if both "scanning on open" and "scanning on close" options are disabled (FANotify only).
- Installer attempts to compile the Dazuko kernel module on newer operating systems where FANotify should be used. This issue occurs only if a kernel version older than 3.8 has been left on the system by a distribution upgrade. For example, upgrading from Ubuntu 12.04 to 14.04 may leave the 3.2 kernel installed while the system runs kernel 3.16 or newer. The solution is to uninstall the old kernel versions using the operating system package manager.
- Policy Manager / Linux Security: The "Disallow user changes" setting can be set only globally under the Settings directory. Any "Disallow user changes" under an individual policy setting has no effect. To solve this issue, disallow all local changes for specific hosts. From Policy Manager Console:
  1. Select the machine.
  2. Go to the Policy tab, and select F-Secure Linux Security 11.10.
  3. Click Settings.
  4. Select the first setting, called Local settings changed.
  5. Set the value to Disallow.
- Creating new files on Common Internet File System (CIFS) mounted volumes may hang the system for 30 seconds. This is a bug in the fanotify kernel module: https://bugzilla.kernel.org/show_bug.cgi?id=62221. To work around this issue, add the mount point to the excluded directories list.
- WebUI, Scheduled scanning tasks: The validation error text, which is displayed upon saving incorrect input values, will not disappear until a logout is performed.
- Product fails on systems with very large disk partitions due to the 32-bit stat() system call on a 64-bit file system. The only workaround is to reduce the partition size to avoid having inode numbers larger than 2^32 - 1.
- In the PSB portal, the client IP address is "0.0.0.0". The workaround is to install the "net-tools" package that provides the missing "ifconfig" tool.
Symptoms

After initiating a manual scan, the server/system experiences noticeable degradation in performance, causing the server/system to hang.

Diagnosis

Scanning large archives may cause the CPU usage to increase by 50% - 100%.

Solution

To overcome this issue, set an archive nesting limit for manual scanning:

1. Start Windows Registry Editor (regedit.exe).
2. Set the following registry value on the server.

   If you have a 32-bit system:
       [HKEY_LOCAL_MACHINE\SOFTWARE\Data Fellows\F-Secure\GKH2]
       "MaxArchiveNesting"=dword:00000001 (1)

   If you have a 64-bit system:
       [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Data Fellows\F-Secure\GKH2]
       "MaxArchiveNesting"=dword:00000001 (1)

3. Restart the FSGKHS service for the change to take effect.
The API is designed to enhance the security of applications and services that allow users to submit text and links to external content. For example:

- Discussion board: Prevent users from posting links to unwanted sites, for example gambling, adult or hate sites.
- Intranet: Prevent employees from posting or accessing links to malicious sites that contain, for example, ransomware or phishing.
- Service portal: Prevent targeted attacks that exploit links to malicious content that comes through the customer support portal or chat.
F-Secure Security Cloud API for AWS is designed to improve security by providing real-time threat intelligence to any application or service. The API is cost-efficient and easy to integrate through the AWS API Marketplace. The API provides easy access to F-Secure Security Cloud, our cloud-based threat analysis and detection service. It provides real-time threat intelligence that is gathered at all times from our tens of millions of security sensors around the globe. The same technology forms the cornerstone of F-Secure's award-winning and visionary products. The API supports URL threat intelligence and category information requests.

Related information

- F-Secure Security Cloud API for AWS
- F-Secure Security Cloud API for URLs (Video)
The API is designed to be integrated into any application or service. It provides real-time threat intelligence that applications can use, for example for content filtering and threat prevention, and also for incident response, auditing and analytics, depending upon the need.
Symptoms

Policy Manager Console prompts an error message: "Cannot connect to the server: localhost:8080. Check that the host name and port number are correct. Port number 8080 is used by default."

Diagnosis

This may be a TCP port conflict. Policy Manager 12.10 introduces a new port for the client and Policy Manager communication which is supported by newer clients (e.g. Server Security 12.00, Client Security 12.10). The default listening port is 443. If you already have a service running on this port, this prevents Policy Manager Server from starting, thus not allowing you to log in using Policy Manager.

Solution

If you suspect that you have a service running on port 443, run the following command in a command prompt (run as administrator) to check:

    netstat -anb > ports.txt

This redirects the output to a file called ports.txt. Open the file to view the information. Below is a partial sample of the output.

    Proto  Local Address          Foreign Address        State
    TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
     RpcSs
    [System]
    TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
    [someapplication.exe]

In this case, we already have an application listening on port 443 (someapplication.exe). Note that the default listening process in Policy Manager is java.exe. As both applications are configured to use the same port, there is a conflict. To fix the issue, two options are available.

Option 1: Change the conflicting port used by someapplication.exe

Consult the documentation for someapplication.exe to find out how to change the port. Once the port is changed, restart Policy Manager Server using an elevated command prompt:

    net stop fsms
    net start fsms

Option 2: Change the conflicting port in Policy Manager Server

In this example, we are changing the port from TCP 443 to TCP 444.

1. Open Registry Editor.
2. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Data Fellows\F-Secure\Management Server 5.
3. On the right pane, locate HttpsPortNum. Change the value from decimal 443 to 444.
4. Restart Policy Manager Server using an elevated command prompt:
       net stop fsms
       net start fsms
5. Start Status monitor in the Policy Manager program group, and change the default HTTPS port from 443 to 444.
6. Go to the Advanced mode in Policy Manager Console, and navigate to F-Secure Management Agent > Settings > Communications > Protocols > HTTP > HTTPS Port. Change the default value from 443 to 444, and click Force value to lock the settings.
This page lists all the current known issues for F-Secure Linux Security 11.00.

Updates to the operating system kernel may cause compiling issues or malfunction of the Dazuko kernel driver (either due to updates including backports from the upstream kernel, or significant kernel version upgrades). The following operating systems are known to be affected by this issue:

- Ubuntu 12.04, where minor OS upgrades introduce new kernel versions, which are incompatible with the current Dazuko implementation.
- RHEL/CentOS 6, where a minor OS upgrade can contain a backported kernel patch, incompatible with Dazuko.

For deployments that include any of the above-mentioned OS versions, we highly recommend that you verify the on-access scanning functionality in a separate testing environment before upgrading the product on any production machine.

Issue with Scheduled Scanning

Tasks for the Scheduled Scanning that are configured via Web UI may sometimes not run at the given times. This behavior has been observed at least with Ubuntu 14.04 and is due to the Unix "cron" service scheduling being inconsistent with system time changes. To solve this issue, restart cron.

Extending license of an expired PSB subscription

Requires running convert_to_full_installation.sh from the expired installation:

1. Revert the installation to standalone:
       /opt/f-secure/fsav/sbin/convert_to_full_installation.sh
2. Provide an empty key (press Enter on key request).
3. Re-convert the installation to be PSB-managed via convert_to_full_installation.sh:
       /opt/f-secure/fsav/sbin/convert_to_full_installation.sh --fspsbs= --keycode=

Other known issues

- fsavd reports "compression-bomb" for archives that contain incorrect archive header information.
- WebUI, Manual scanning: The maximum length of text in "Files and directories excluded from scanning" cannot exceed 4096 bytes.
- WebUI, Known Files: The "Protect" option is not effective under FANotify and has been deprecated; it might be removed from the WebUI in future releases.
- WebUI displays an error when entering Advanced mode > General > Communications and upgrading to PSB managed mode. The issue occurs only in the Web server and does not affect the upgrade operation. Reloading the Web page clears the error.
- Policy Manager's Policy Value 90 ("90. Scan on EXE") and "Scan on execution" will not trigger if both "scanning on open" and "scanning on close" options are disabled (FANotify only).
- Installer attempts to compile the Dazuko kernel module on newer operating systems where FANotify should be used. This issue occurs only if a kernel version older than 3.8 has been left on the system by a distribution upgrade. For example, upgrading from Ubuntu 12.04 to 14.04 may leave the 3.2 kernel installed while the system runs kernel 3.16 or newer. The solution is to uninstall the old kernel versions using the operating system package manager.
- Policy Manager / Linux Security: The "Disallow user changes" setting can be set only globally under the Settings directory. Any "Disallow user changes" under an individual policy setting has no effect. To solve this issue, disallow all local changes for specific hosts. From Policy Manager Console:
  1. Select the machine.
  2. Go to the Policy tab, and select F-Secure Linux Security 11.0.
  3. Click Settings.
  4. Select the first setting, called "Local settings changed".
  5. Set the value to "Disallow".
Symptoms

Linux Security 11.00 on RHEL/CentOS 7.x causes processes to hang when on-access scanning is turned on. The system log warns about one or more processes being blocked for more than 120 seconds.

Diagnosis

The Linux kernel version (3.10) used by RHEL/CentOS 7.x suffers from a subtle but serious bug that has been fixed in later kernel versions. Specifically, the function fanotify_merge() has faulty logic that replaces the fsnotify_event when test_event->refcnt is 2. The original test_event is replaced with a clone and then removed from the notification queue. If the original test_event was carrying an OPEN_PERM event, it has no chance of being woken up again because only the clone of the event will get a response.

Solution

The bug has been fixed in RHEL/CentOS 7.x. Simply run yum update to get a current kernel (3.10.0-327.36.1.el7 or later) and reboot.
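The kernel requirement above as an added POSIX shell check (not from F-Secure): it compares an RHEL-style release string against the fixed release 3.10.0-327.36.1.el7 field by field rather than lexically, so that 3.10.0-327.el7 correctly ranks below 3.10.0-327.36.1.el7. It assumes only uname -r output and awk.

```shell
#!/bin/sh
# Added check for the fanotify_merge() fix described above. Not part of the
# product. RHEL/CentOS release strings look like 3.10.0-327.36.1.el7.x86_64:
# version before the dash, package release after it, then the distro tag and
# architecture, which carry no ordering information and are stripped.

MIN_FIXED_KERNEL="3.10.0-327.36.1.el7"   # first fixed release named in the article

# numeric_part RELEASE: drop everything from the ".el<N>" tag onwards,
# leaving only the dotted/dashed numbers (3.10.0-327.36.1).
numeric_part() {
    printf '%s\n' "${1%%.el*}"
}

# kernel_at_least CURRENT MINIMUM: exit 0 when CURRENT >= MINIMUM.
# Fields are compared as integers; a missing trailing field counts as 0,
# so 3.10.0-327 (no .36.1 suffix) is older than 3.10.0-327.36.1.
kernel_at_least() {
    awk -v a="$(numeric_part "$1")" -v b="$(numeric_part "$2")" 'BEGIN {
        na = split(a, x, "[.-]"); nb = split(b, y, "[.-]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# fanotify_merge_fixed RELEASE: true when RELEASE carries the fix.
fanotify_merge_fixed() {
    kernel_at_least "$1" "$MIN_FIXED_KERNEL"
}

# report: check the running kernel and say whether on-access scanning is
# safe to enable on this RHEL/CentOS 7 host.
report() {
    r=$(uname -r)
    if fanotify_merge_fixed "$r"; then
        echo "kernel $r includes the fanotify_merge fix"
    else
        echo "kernel $r is older than $MIN_FIXED_KERNEL: run yum update and reboot before enabling on-access scanning"
        return 1
    fi
}

case "${1:-}" in --run) report ;; esac
```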
Symptoms

When you upgrade F-Secure Internet Gatekeeper from version 5.xx to version 5.40, services may not be started automatically.

Diagnosis

The following operating systems are affected: CentOS/RHEL 7, Debian 8, Ubuntu 16.04 and SLES 12.

Internet Gatekeeper 5.40 introduces native support for systemd. In the previous releases, the services were managed by SysV-style init scripts. Systemd attempts to provide backward compatibility with the SysV init scripts. While systemd is aware of the product services, it may not be able to report the correct status when the services are started or stopped after a restart. This may cause the enabled services not to be started automatically when the product is upgraded.

Solution

There are two alternative ways to solve the issue:

1. Restart the machine. This allows systemd to load the configuration and manage the services automatically according to the product configuration set in the Internet Gatekeeper Web UI.

2. Start the services manually and refresh the systemd service statuses. Log in to the system and enter the following commands as the root user:

       # systemctl daemon-reload
       # /opt/f-secure/fsigk/libexec/fsigk-reload.sh

   Note: This command must be run outside the product installer directory (fsigk-5.40.73)!

Note: CentOS/RHEL 7.2 users and other platforms using systemd version 219-19.el7 or similar: Due to a change (see https://bugzilla.redhat.com/show_bug.cgi?id=1285492) in how systemd handles SysV-style init scripts, the product services were not starting automatically at restart. If you have added a workaround, for example by replacing the init script symlinks in /etc/init.d/ with regular files, or by starting the services via /etc/rc.local, it should be removed after upgrading to product version 5.40.
Definition database update servers

The global F-Secure content delivery network used by the definition database update services uses dynamic addressing and traffic routing. The content delivery network operates on both HTTP and HTTPS protocols. In order to provide a faster response and download time, F-Secure also uses third-party content delivery networks. Due to the above, the F-Secure network ranges below will not cover all the possible addresses in the content delivery network. F-Secure is not able to provide a complete and accurate list of the IP addresses used in the network.

For customers wishing to control their outbound network traffic, F-Secure recommends the use of a web proxy server, and setting up the access control policies using hostnames (for example, *.f-secure.com) rather than IP addresses. Policy Manager, Internet Gatekeeper and Anti-Virus Linux Gateway customers that require the ability to restrict the outbound access by using IP addresses may follow these instructions to configure their installation to use an alternative update server address.

F-Secure network ranges (except for Definition database update servers)

F-Secure operates its services in the following network ranges:

    22.214.171.124/20
    126.96.36.199/24
    188.8.131.52/22
    184.108.40.206/23
    220.127.116.11/25

Registration and licensing

Registration and licensing backends are operated from within the networks in the F-Secure network ranges listed above. HTTP and HTTPS access is required for these addresses.

Online Reputation Service

The F-Secure Object Reputation Service Platform (ORSP) is a component in F-Secure's reputation technologies, and is hosted within the networks in the F-Secure network ranges listed above. HTTP access is required for these addresses.
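An added helper (not an F-Secure tool) for the egress-control point above: it tests whether an IPv4 address, for example a destination seen in proxy or firewall logs, falls inside the network ranges listed in this article, using only POSIX sh and awk. It assumes dotted-quad IPv4 input; the ranges are copied from the list above, and, as the article states, definition-update traffic served through third-party CDNs is expected not to match them.

```shell
#!/bin/sh
# Added helper: classify destination addresses against the F-Secure network
# ranges listed in the article. Not part of any F-Secure product.
# Registration/licensing and ORSP traffic should land inside these ranges;
# definition-database downloads go through CDNs and generally will not,
# which is why the article recommends hostname-based proxy rules instead.

# Ranges exactly as listed in the article above.
FSECURE_RANGES="22.214.171.124/20 126.96.36.199/24 188.8.131.52/22 184.108.40.206/23 220.127.116.11/25"

# in_cidr IP CIDR: exit 0 when IP is inside CIDR (IPv4 only).
# Both addresses become 32-bit integers; dividing by 2^(32-prefix) discards
# the host bits, so equal quotients mean equal network prefixes. Malformed
# input exits 2, which callers treat as "not inside".
in_cidr() {
    awk -v ip="$1" -v net="${2%/*}" -v plen="${2#*/}" 'BEGIN {
        if (split(ip, a, ".") != 4 || split(net, b, ".") != 4) exit 2
        if (plen < 0 || plen > 32) exit 2
        x = a[1]*16777216 + a[2]*65536 + a[3]*256 + a[4]
        y = b[1]*16777216 + b[2]*65536 + b[3]*256 + b[4]
        hostbits = 2 ^ (32 - plen)
        exit (int(x / hostbits) == int(y / hostbits)) ? 0 : 1
    }'
}

# in_fsecure_ranges IP: exit 0 and print the matching range when IP is
# inside any of the listed ranges.
in_fsecure_ranges() {
    for cidr in $FSECURE_RANGES; do
        if in_cidr "$1" "$cidr"; then
            echo "$1 is inside $cidr"
            return 0
        fi
    done
    return 1
}

# classify_log: read one destination IP per line from stdin and tag each
# line as "fsecure-range" or "other", for a quick audit of proxy/firewall
# logs. Sample input is constructed; see the usage below.
classify_log() {
    while read -r dst; do
        [ -n "$dst" ] || continue
        if in_fsecure_ranges "$dst" >/dev/null; then
            echo "$dst fsecure-range"
        else
            echo "$dst other"
        fi
    done
}

# Constructed sample: one address inside the second listed range, one outside.
case "${1:-}" in
    --demo) printf '126.96.36.7\n8.8.8.8\n' | classify_log ;;
esac
```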
1. Install and configure the new Scanning and Reputation Server (SRS) instances (refer to the Deployment guide Virtual Security - Chapter 2.2) with different IP addresses than the existing instances. This is to ensure both the current and new instances can work simultaneously during the transitional period.
2. Once installed and configured, in Policy Manager Console, go to F-Secure > F-Secure Offload Scanning Agent > Settings > Connection > Primary servers and replace the IP addresses with the new addresses that you have set for the new instances, and distribute policies.
3. Allow all hosts to update to the new configuration. To verify, go to the Status tab in Policy Manager Console and check whether the hosts are connected and have the latest policy in use (Centralized management).
4. Once all hosts are updated and the new servers appear to work as they should, you may shut down the old SRS instances and remove them from the Policy Manager Console.
Symptoms

The user is unable to access F-Secure Web Console when trying to access it from a different host.

Diagnosis

You are not able to access F-Secure Web Console. Instead, the following error message is displayed:

    https://127.0.0.1:25023/common/main.php: The page cannot be displayed.

Solution

To resolve the issue, you should first try to access Web Console by using the name or IP address of the server (e.g. on a clustered MS Exchange server).

To work around the issue, you can change access to Web Console by using the configuration file as follows:

1. Stop the FS WebUI Daemon service.
2. Open Notepad, and drag and drop the webui file from the \program files\f-secure\web user interface\bin\ folder to Notepad.
3. Instead of the local IP address (127.0.0.1), add, e.g. your workstation IP address to the Allowed1 field and save the file.
4. Start the FS WebUI Daemon service again.
Symptoms

You have F-Secure Client Security 12 installed on your Windows 7 computer. After upgrading your ARCHICAD software to version 19, it stops working.

Diagnosis

The ARCHICAD software's copy-protection feature uses CodeMeter technology. It seems that Client Security 12 is incompatible with ARCHICAD version 19.

Solution

To be able to use ARCHICAD 19 on your computer running Client Security 12, exclude the folder containing the CodeMeter software from real-time protection:

1. On the main page, click Settings.
2. Select Computer > Virus and spyware scanning.
3. Click Open excluded items list.
4. To exclude a folder:
   a. Select the Objects tab.
   b. Select Exclude objects (files, folders, ...).
   c. Click Add.
   d. Select the folder that you want to exclude from virus scanning. Note: Usually, the folder is located at C:\Program Files (x86)\CodeMeter\Runtime\bin.
   e. Click OK.
5. Click OK to close the Exclude from scanning dialog box.
6. Click OK to apply the new settings.

ARCHICAD should now work again.
Symptoms

The customer has been using a trial version of F-Secure Client Security (CS). After having tried out CS, the customer decides to start using PSB Workstation Security instead. The customer uninstalls CS and installs PSB Workstation Security. The installation is completed without issues, but a notification that the trial period has ended or will expire in 30 days is shown to the user.

Diagnosis

After the uninstallation of the CS trial version, there are still some remaining items left from the previous installation. When the customer installs PSB Workstation Security, the sidegrade does not detect anything as CS has already been removed by the customer.

Solution

To get rid of the trial period notification:

1. Remove the Client Security registry key from HKEY_LOCAL_MACHINE\SOFTWARE\Data Fellows\F-Secure\TNB.
2. Restart the F-Secure Management Agent (FSMA) service.

The notification about the trial period should now have disappeared. If you have not yet installed PSB Workstation Security on the client, you can proceed to install it now.
Symptoms

Creating a new file on a CIFS (Samba) file share blocks the operation and the system for 30 seconds before finishing. Other file operations and malware detection work normally. Only the CIFS clients that mount the file share are affected. The CIFS file servers where the product is installed work normally.

Diagnosis

The issue is caused by a design limitation in the Linux kernel fanotify module. For further information, refer to the kernel bug report at https://bugzilla.kernel.org/show_bug.cgi?id=62221.

Solution

There is no workaround available. However, we recommend that you avoid running on-access scanning when creating new files on CIFS file shares.
Command name

fspms-db-recover

Usage

Depending on which recovery information you want to use:

Recover DB with all data from the default DB directory of PM (%F_SECURE_DIR%\Management Server 5\data\h2db):
    fspms-db-recover.bat
Recover DB with all data from a specific corrupt DB directory:
    fspms-db-recover.bat -curDir=
Recover DB without Scanning Reports:
    fspms-db-recover.bat -noReports
Recover DB without Alerts:
    fspms-db-recover.bat -noAlerts
Recover DB without Scanning Reports and Alerts from a custom database directory:
    fspms-db-recover.bat -noReports -noAlerts -curDir=
Recover DB without Scanning Reports and Alerts from the default DB directory of PM (%F_SECURE_DIR%\Management Server 5\data\h2db):
    fspms-db-recover.bat -noReports -noAlerts

Output

After the run, the output directory contains:
- Valid H2 database files;
- Management key-pair admin.pub/admin.prv with the password 'password'.

The result of the recovery operation is written into the file named 'recovery.log' in the current directory.

Example:

    fspms-db-recover.bat c:\temp\h2db-recovered
    fspms-db-recover.bat -curDir=c:\temp\h2db c:\temp\h2db-recovered
    fspms-db-recover.bat -noAlerts -curDir=c:\temp\h2db c:\temp\h2db-recovered

Notes and issues

This version of the recovery tool can be used for Policy Manager version 10.00 and later. The version of Policy Manager is identified automatically by the recovery tool. If the recovery tool is unable to identify the version of Policy Manager and recover the database, please contact F-Secure support.

When recovering the database from the default directory (no -curDir parameter is specified), Policy Manager Server must be stopped before running the tool.

In some cases, the database is broken so badly that it can't be opened at all. In this case, the 'recovery.log' file will contain error messages like the one below:

    org.springframework.jdbc.CannotGetJdbcConnectionException: Could not get JDBC Connection;

Unfortunately, this indicates that there's no way to recover this database.

In other cases, some of the vital tables cannot be recovered automatically, but there's still a chance to rescue the data from those tables manually. In this case, please contact F-Secure support.

Contact information

Please submit any issues you might be facing to F-Secure support, according to the support contact information available in your License Agreement.
Command name

fspms-db-recover

Usage

Depending on which recovery information you want to use:

Recover DB with all data from the default DB directory of PM (/var/opt/f-secure/fspms/data/h2db):
    fspms-db-recover
Recover DB with all data from a specific corrupt DB directory:
    fspms-db-recover -curDir=
Recover DB without Scanning Reports:
    fspms-db-recover -noReports
Recover DB without Alerts:
    fspms-db-recover -noAlerts
Recover DB without Scanning Reports and Alerts from a custom database directory:
    fspms-db-recover -noReports -noAlerts -curDir=
Recover DB without Scanning Reports and Alerts from the default DB directory of PM (/var/opt/f-secure/fspms/data/h2db):
    fspms-db-recover -noReports -noAlerts

Output

After the run, the output directory contains:
- Valid H2 database files;
- Management key-pair admin.pub/admin.prv with the password 'password'.

The result of the recovery operation is written into the file named 'recovery.log' in the current directory.

Example:

    fspms-db-recover /tmp/h2db-recovered
    fspms-db-recover -curDir=/tmp/h2db /tmp/h2db-recovered
    fspms-db-recover -noAlerts -curDir=/tmp/h2db /tmp/h2db-recovered

Notes and issues

This version of the recovery tool can be used for Policy Manager version 10.00 and later. The version of Policy Manager is identified automatically by the recovery tool. If the recovery tool is unable to identify the version of Policy Manager and recover the database, please contact F-Secure support.

When recovering the database from the default directory (no -curDir parameter is specified), Policy Manager Server must be stopped before running the tool.

In some cases, the database is broken so badly that it can't be opened at all. In this case, the 'recovery.log' file will contain error messages like the one below:

    org.springframework.jdbc.CannotGetJdbcConnectionException: Could not get JDBC Connection;

Unfortunately, this indicates that there's no way to recover this database.

In other cases, some of the vital tables cannot be recovered automatically, but there's still a chance to rescue the data from those tables manually. In this case, please contact F-Secure support.

Contact information

Please submit any issues you might be facing to F-Secure support, according to the support contact information available in your License Agreement.
Question

If e-mail gets quarantined in E-mail and Server Security, how can I get a notification message?

Answer

To receive notifications for all types of threats, configure your settings in the E-mail and Server Security web console as follows:

Prerequisite: To be able to select items in the drop-down menus in Notifications, first go to Internal Mail, and select the "Strip attachments from internal e-mail messages" default.

1. Expand the Transport Protection view, and select Inbound Mail.
2. In the Attachments tab, go to the Notifications section.
3. In the drop-down menu next to "Send alert to administrator", select the type of alert you want.
4. Click Apply.

For Spam Control, configure your settings as follows:

1. Expand the Transport Protection view, and select Spam Control.
2. In Settings, select More options.
3. In the notification window, you can type in an e-mail address in the field under "Forward spam messages to e-mail address".
4. Click OK.

Note: By default, Spam Control only checks the inbound e-mail, not the outbound.
Symptoms

The quarantine database of F-Secure Anti-Virus for Microsoft Exchange is not available for some reason.

Diagnosis

It might occasionally happen that the quarantine database is not available, e.g. due to a network problem, or it may have run out of space. It is important that e-mails, stripped attachments, and notifications that have been quarantined according to the product settings are not lost.

Solution

When the quarantine database is not available or it is full, F-Secure Anti-Virus for Microsoft Exchange will put all the quarantined items (e-mails, stripped attachments and notifications) into the Microsoft Exchange queue until the quarantine database has more space to take them. This also means that no notification is sent to the recipients, e.g. in the case of stripped attachments. Note that F-Secure Anti-Virus for Microsoft Exchange will quarantine based on the quarantine settings. MS Exchange will send (at an interval of 15 minutes) the e-mail items from the MS Exchange queue to the quarantine database as soon as the quarantine database is able to take them. F-Secure Anti-Virus for Microsoft Exchange will work similarly in case the quarantine database is not working as it is supposed to work.
Symptoms
The following warning is displayed during virus scanning: EcProcessVirusScanQueueItem.

Diagnosis
The error below appears regularly on a Microsoft Exchange 2007 Server with SP1. F-Secure Anti-Virus for Microsoft Exchange is installed, but F-Secure for File Servers is not.

Error message:
Unexpected error 0x8004010f occurred in "EcProcessVirusScanQueueItem" during virus scanning. Mailbox Database: /o=XXX LLP/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=LFEX1/cn=Microsoft Private MDB Folder ID: a-1A6A4F2F Message ID: 1-1093784CC

Solution
This is a Microsoft issue that can occur on a Microsoft Exchange Server running any antivirus program that integrates with Microsoft Exchange. As the issue is not caused by F-Secure Anti-Virus for Microsoft Exchange, contact Microsoft to resolve it. For more information, see the following Microsoft knowledgebase article: http://support.microsoft.com/kb/952778/
This article describes how you can export the Internet headers and message body properly in Microsoft Outlook 2003 and 2007.

Occasionally, users encounter problems with their e-mail messages. For support to be able to help, it is recommended that you send a sample e-mail with its Internet headers and message body to support. The simplest way to export the Internet headers and message body from Outlook 2003 and 2007 is to save the message in Outlook Message Format (*.msg). However, when such a file is opened in a newer or older Outlook version or in another vendor's e-mail client, the Internet headers and parts of the message body are often not in a readable format. Saving both as plain text avoids this.

Exporting Internet headers and message body in Outlook 2003
If you want the receiving end to be able to read your Outlook 2003 e-mail sample properly, do as follows.

Save the message body in text format:
1. Open the e-mail message whose message body you want to export.
2. Select Save as from the File menu.
3. In the Save as type field, select Text Only (*.txt) and click Save to save it to the desired location.

Save the Internet headers in text format:
1. Open the e-mail message whose Internet headers you want to export.
2. Select Options from the View menu. The Message Options dialog is displayed.
3. Right-click the Internet headers text field and select Select all.
4. Right-click the selected text and select Copy.
5. Paste the Internet headers into the same text file as the message body and save it.

Exporting Internet headers and message body in Outlook 2007
If you want the receiving end to be able to read your Outlook 2007 e-mail sample properly, do as follows.

Save the message body in text format:
1. Open the e-mail message whose message body you want to export.
2. Click the Office button in the upper left-hand corner of the message window and select Save as.
3. In the Save as type field, select Text Only (*.txt) and click Save to save it to the desired location.

Save the Internet headers in text format:
1. Open the e-mail message whose Internet headers you want to export.
2. Open the Message Options dialog by clicking the small arrow in the Options box. The Message Options dialog is displayed.
3. Right-click the Internet headers text field and select Select all.
4. Right-click the selected text and select Copy.
5. Paste the Internet headers into the same text file as the message body and save it.
Symptoms
In F-Secure Anti-Virus for Microsoft Exchange, spam scanning is not working.

Diagnosis
You have installed and configured F-Secure Anti-Virus for Microsoft Exchange. E-mail scanning works: messages are blocked, quarantined and rejected correctly. However, spam scanning (Spam Control) does not seem to work. It suddenly stopped working, and the statistics show that the "number of processed messages is 0".

Solution
Check that the Content Filtering configuration in Microsoft Exchange (the Intelligent Message Filtering settings) does not include the sender's or recipient's IP addresses. If a sender or recipient address has been added to the "IP Allow List", Microsoft Exchange Content Filtering stamps the message with a spam confidence level (SCL) of -1, and the message bypasses F-Secure's spam scanning. When an IP address is on that list, neither Microsoft Exchange, F-Secure nor any third-party tool performs content filtering on messages from it: when F-Secure Anti-Virus for Microsoft Exchange sees the -1 flag, Spam Control does not check the e-mail. Note, however, that the e-mail is still scanned for viruses at the Transport and Storage levels.
Symptoms
This article describes an issue in F-Secure Anti-Virus for Microsoft Exchange where the quarantine database cannot be accessed.

Diagnosis
When you run a query against the database or test the database connection (by clicking the "test database connection" link on the Database tab) in the Web Console, the following message is displayed:
Database could not be accessed. Source: Microsoft SQL Native Client. Description: Invalid connection string attribute.
The product was installed properly and appears to be able to write data to the quarantine database, but quarantine queries fail with the error above.

Solution
Check that the password of the fqmuser account does not contain special characters. Characters such as the semicolon separate attributes in a SQL Server connection string, which is why an unquoted password containing them produces an "invalid connection string attribute" error. If the password contains such characters, change the fqmuser password to one without special characters, either by reinstalling F-Secure Anti-Virus for Microsoft Exchange or by using Microsoft SQL Server Management Studio.
This article describes the circumstances under which disclaimers may not be added to outgoing e-mails.

General about disclaimers
If F-Secure Anti-Virus for Microsoft Exchange has been configured to add a disclaimer to outbound e-mails, normally every e-mail has the disclaimer appended to its bottom before it leaves the Microsoft Exchange Server.

When disclaimers are not added (exceptions)
Disclaimers are not added to e-mail messages in the following cases:
- If the e-mail was quarantined by F-Secure Anti-Virus for Microsoft Exchange for any reason and the administrator then releases it from the quarantine, the disclaimer is not added.
- On Microsoft Exchange 2007, a disclaimer is not added to an empty TNEF-encoded e-mail that has neither a body nor attachments.
- If the sender or recipient is on the Trusted Senders or Trusted Recipients list, a disclaimer is not added.
Symptoms
The number of spam messages remains unchanged for a long time.

Diagnosis
You notice that the spam message count stays the same even though it should grow steadily. This indicates a problem in the Network Configuration settings.

Solution
Check that you have specified the Internal Domains and Internal SMTP Senders settings: go to Web Console > General > Network Configuration. For more information about how to change the settings, click Help in the user interface.
This page lists and describes all the E-mail and Server Security 11.x client services and processes that run on your server (applicable to both SS/ESS and PSB ESS).

Process | Service | Description
AV4SPSVC.exe | F-Secure Anti-Virus for Microsoft SharePoint Configuration Service | F-Secure Anti-Virus for Microsoft SharePoint Configuration Service
FIH32.exe | F-Secure Installation Handler |
FNRB32.exe | F-Secure Network Request Broker | Communicates with F-Secure Policy Manager Server (PM). Responsible for base policies, incremental policies, and alerts and reports.
FQM.exe | F-Secure Quarantine Manager | Provides the quarantine interface and takes care of reprocessing, releasing and cleaning items in the quarantine database storage.
FSAUA.exe | F-Secure Automatic Update Agent | Fetches updates from Policy Manager (FSPM) or the F-Secure update server.
FSAV32.exe | Antivirus handler |
FSAVMSED.exe | F-Secure Anti-Virus for Microsoft Exchange Daemon (Microsoft Exchange 2007/2010) | The main service; takes care of the other product components and implements/exposes COM-based interfaces for reading and writing policy settings and statistics and for sending alerts.
FSAVSD.exe | F-Secure Content Scanner Server Daemon | Provides the anti-virus scanning service for Simple Content Inspection Protocol (SCIP) compliant agents.
FSBLSRV.exe | F-Secure Backlight Sensor Service | Part of the ODS services.
FSCSSUPD.exe | F-Secure Content Scanner Server updater |
FSDBUH.exe | F-Secure Database Update Handler | Verifies and checks the integrity of virus definition and spam control database updates.
FSGK32.exe | Gatekeeper Handler | Implements the API for checking whether binaries are trusted, suspicious or malicious; communicates with the Gatekeeper kernel-side driver (FSGK.sys); processes real-time scan requests; manages and uses the Scanning Manager (FSSM32.exe).
FSGK32T.exe | F-Secure Gatekeeper Handler Starter | Responsible for (re)starting FSGK32.exe.
FSHDLL32.exe | | Part of FSMA; hosts one or several 32-bit components (plugins) to minimise the number of processes created.
FSHDLL64.exe | | Part of FSMA; hosts one or several 64-bit components (plugins) to minimise the number of processes created.
FSHKMNGR.exe | F-Secure Anti-Virus for Microsoft Exchange Daemon (Microsoft Exchange 2003) | The main service; takes care of the other product components and implements/exposes COM-based interfaces for reading and writing policy settings and statistics and for sending alerts.
FSM32.exe | F-Secure Manager | Displays the "F" tray icon.
FSMA32.exe | FSMA, F-Secure Management Agent | Core component responsible for loading components and for their intercommunication.
FSORSP.exe | F-Secure ORSP Client | F-Secure Object Reputation Service Platform client.
FSSM32.exe | Scanner Manager | Manages the scanning engines.
FSSUA.exe | F-Secure Software Updater Agent | Provides scanning for and installation of software updates.
FSWEBUID.exe | F-Secure WebUI Daemon | HTTP server that hosts the Web Console. Supports HTTP/1.0, HTTP/1.1 and HTTPS.
Symptoms
In all supported versions of F-Secure Anti-Virus for Microsoft Exchange, the SA account is used during installation. This article explains why.

Note: This article assumes deep technical understanding of both F-Secure's products and the relevant operating system. If you are unsure, please contact F-Secure support for assistance.

Diagnosis
During the installation of the SQL Server that provides quarantine management, the SA account is used. This account has been the source of security issues in the past.

Solution
Windows authentication for Microsoft SQL Server cannot be used during installation because of the different deployment scenarios that must be supported. Mixed authentication mode is used to provide centralized quarantine management and to make it possible to access the quarantine database from a server that may not belong to the Windows domain. It is not possible to use a different account. Microsoft discourages using SA, but when it is used, a strong password can be enforced and the Windows password and security policy can be applied. F-Secure Anti-Virus for Microsoft Exchange does not use SA as such: the SA credentials are used only to create the less-privileged F-Secure Quarantine Manager user account during installation. After installation, the SA account can be disabled if you wish.
This article describes how you can disable or enable the content filtering features of the Microsoft Exchange 2007 transport agent.

The content filtering features of Microsoft Exchange Server 2007 may drop e-mails that are considered spam or contain potentially malicious attachments. This is a feature of the transport agent included in Microsoft Exchange 2007. You can disable the content filtering functionality in an individual computer's configuration by using the Exchange Management Console or the Exchange Management Shell. For instructions, see the following article in the Microsoft TechNet Exchange Server TechCenter: http://technet.microsoft.com/en-us/library/aa995953.aspx.
Symptoms
Software Updater does not show a missing update for Foxit Reader and does not update it to the latest version.

Diagnosis
The installed Foxit Reader is the Consumer version, not the Enterprise version. Software Updater only detects the Enterprise version.

Solution
Uninstall your current Foxit Reader and reinstall it using the Enterprise version installer.
Symptoms
F-Secure Software Updater (SWUP) does not patch the Java Runtime Environment (JRE).

Diagnosis
Even though the Java Development Kit (JDK) is listed as a product supported by SWUP, SWUP does not patch the JRE (32-bit or 64-bit) when a JDK is installed on the same system. By design, the JDK is a scan-only product: SWUP detects it but does not patch it, and in this situation it does not offer updates for the JRE either, because applying a JRE update would break the JDK on the system.

Solution
To allow SWUP to patch the JRE on a system with a JDK installed, remove the JDK manually.
Symptoms
When the administrator enables Active Directory (AD) import with the root domain as the target, the entire policy domain becomes read-only, and non-AD hosts can no longer be imported into the policy domain. These hosts get stuck in the "import hosts" list because all the domains are read-only.

Diagnosis
If you select Root as the target policy domain, the entire policy tree becomes read-only.

Solution
Important: We recommend that you create or use a separate subtree for the Active Directory structure. For example, if partial synchronization is required, do as follows:
1. Create a Root > AD policy subdomain.
2. Link the subdomain to the AD root.
While the Root > AD subtree is read-only, the administrator can create another subtree, such as Root > Linux, and import the hosts that are not part of AD there.
Summary
This article provides information on how you can exclude files from scanning by using wildcard characters in F-Secure antivirus products.

Conditions to be met when using wildcards
- Whenever wildcards are used in an exclusion, every backslash in the path must be typed twice, as "\\" (the backslash is an escape character). All slashes in the path need to be escaped in this way.
- The path is not case-sensitive.
- For real-time scanning, use device names, for example *\\HarddiskVolume1\\*\\eicar.com. When wildcards are used, real-time scanning does not see drive letters (legacy exclusions with drive letters are still supported in real-time scanning as long as the exclusion contains no wildcards). To map drive letters to device names, run fltmc volumes from the command line as an administrator. The fltmc utility ships with your operating system.
- Using \\Device\\HarddiskVolume1 collides with the network exclusion syntax, where the server would be "Device" and the share "HarddiskVolume1". Hence, start a local exclusion with an asterisk (*).
- For manual scanning, use only drive letters, for example C:\\*\\eicar.com. Device names do not work here.
- If you use the single-character wildcard (?), always start the exclusion with an asterisk, for example *\\eica?.com.

Examples of usage
Excluding all *.ini files from real-time scanning in the following folder structure:
C:\Documents and Settings\User1\MyApplication\
C:\Documents and Settings\User2\MyApplication\
...
C:\Documents and Settings\UserNN\MyApplication\
Solution A: *\\HarddiskVolume1\\documents and settings\\*\\MyApplication\\*.ini
Solution B: *\\documents and settings\\*\\MyApplication\\*.ini

Working example 1 (each line is one exclusion):
*eicar*
*\\MyFolder\\*
*\\MyFolder\\Subfolder\\*
*eica?.com
*car.com
Note: *eicar* matches any folder or file with the string "eicar" in its name. If it matches a folder name, everything inside that folder is excluded, including its subfolders.

Working example 2: when wildcards are used, manual scanning does not understand device names; only real-time scanning does.
Real-time scanning:
*\\harddiskvolume1\\virus*\\eicar.com
*\\harddiskvolume1\\documents and settings\\*\\CADS\\*.ini
Manual scanning only:
C:\\*\\eicar.com

Working example 3:
Wrong:
*\\MyFolder\MySecondFolder\MyFiles*.exe
MyFile12?.exe
Correct:
*\\MyFolder\\MySecondFolder\\MyFiles*.exe
*MyFile12?.exe
All slashes need to be escaped, and if you use the single-character wildcard (?), always start the exclusion with an asterisk.

DeepGuard and real-time exclusions
DeepGuard supports exclusions configured for real-time protection, but they must meet the following criteria:
- Wildcards are not supported.
- Device names are not supported; use standard paths with drive letters:
Wrong: \\Device\\HarddiskVolume1\\CodeMeter\\*
Correct: c:\Program files (x86)\CodeMeter\

Related information: Excluding objects from Real-Time scanning
Symptoms
When administrators change match list content at the locations below in F-Secure Web Console, they are not prompted to save the changes. Changes made to the match list are lost, because they are not saved when the administrator logs out of F-Secure Web Console.
- Transport Protection > Inbound, Outbound or Internal Mail
- General > Lists and Templates

Diagnosis
Not available.

Solution
This issue will be fixed in the next maintenance release of E-mail and Server Security; the estimated release time is November 2016. Meanwhile, use the following workaround to save changes made in the Web Console:
1. Go to General > Administration.
2. Select the Web Console tab.
3. Under Language, select any of the available languages. You are prompted to save the changes.
4. Click Save and Apply. All changes made in the Web Console are saved.
5. Repeat steps 3 and 4 to switch back to your preferred F-Secure Web Console language.
If you want to exclude an object (file or folder) from Real-Time scanning, add the filename or the full path of the object to the excluded objects list in Policy Manager or the PSB portal. For example:
- Filename: test.txt (every file named test.txt is excluded from Real-Time scanning, wherever it is located)
- Full path with filename: C:\test\test.txt (only the test.txt in the C:\test folder is excluded from Real-Time scanning)
- Folder full path: C:\test (everything in the C:\test folder is excluded from Real-Time scanning)

Via Policy Manager (Advanced mode)
1. In the Policy domains panel, select the domain or computer you want to apply the exclusion to.
2. On the Policy tab, expand F-Secure Anti-Virus X.XX > Settings > Settings for Real-Time Protection > Scanning Options > File Scanning > Inclusions and Exclusions.
3. Click Excluded Objects Enabled and change the setting to Enabled.
4. Click the Lock icon. This enforces the setting and prevents users from changing it.
5. Click Excluded Objects.
6. Type the filename or the full path of the object you want to exclude and press Enter.
7. Tick the Disallow user changes box at the top left of the Excluded Objects panel. This locks and enforces the settings you have made and prevents the user from changing them.
8. Click the Distribute policies (Ctrl+D) button to distribute the policy.

Via PSB Portal
1. Log in to your PSB Portal.
2. Go to the Profiles tab.
3. Under Computer profiles, select the profile you want to apply the exclusion to.
4. Click Scanning exclusions.
5. In the right pane, set the "Excluded objects from real-time scanning" slider to green to enable the function.
6. Click the Lock icon to the right of the "Excluded objects from real-time scanning" setting. This enforces the setting and prevents users from changing it.
7. To add an object to the list, click Add object, type the filename or the full path of the object you want to exclude, and click the Tick icon to apply.
8. Click the Lock icon to the right of the "Objects excluded from real-time scanning" setting. This enforces the setting and prevents users from changing it.
9. Click Save and Publish.

Related information: Using wildcards in exclusions
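The following is an added example, not F-Secure code: a small Python model of the exclusion-entry rules documented in the wildcard article and the real-time exclusion article above, useful for validating a list of entries before distributing a policy. Everything in it is an assumption layered on the articles' rules: the DEVICE_MAP drive-letter to device-name mapping stands in for what fltmc volumes reports, "*" is taken to match across path separators, matching is case-insensitive, a matched folder excludes everything beneath it, and an entry that breaks a documented rule is treated as matching nothing. The function names (validate_exclusion, is_excluded, to_device_path) and the sample paths are made up for the example.

```python
import re
from typing import List, Sequence

# Added example (not F-Secure code): a model of the documented exclusion rules.
# Assumed mapping of drive letter to device name, as `fltmc volumes` would show it.
DEVICE_MAP = {"C:": r"\Device\HarddiskVolume1"}


def has_wildcard(entry: str) -> bool:
    return "*" in entry or "?" in entry


def _has_unescaped_backslash(entry: str) -> bool:
    """True if any backslash in the entry is not written as the doubled '\\\\' pair."""
    i = 0
    while i < len(entry):
        if entry[i] == "\\":
            if entry[i + 1:i + 2] == "\\":
                i += 2          # a proper escaped pair, skip both characters
                continue
            return True         # a lone backslash: the entry is not escaped
        i += 1
    return False


def validate_exclusion(entry: str, scanner: str) -> List[str]:
    """List the documented rules an entry breaks; scanner is 'realtime' or 'manual'."""
    problems: List[str] = []
    if not has_wildcard(entry):
        return problems  # plain names and legacy drive-letter paths are accepted as written
    if _has_unescaped_backslash(entry):
        problems.append("every backslash must be written as \\\\")
    if "?" in entry and not entry.startswith("*"):
        problems.append("an entry using ? must start with *")
    if scanner == "realtime":
        if re.match(r"[A-Za-z]:", entry):
            problems.append("real-time scanning ignores drive letters in wildcard entries; use the device name")
        if entry.startswith("\\\\"):
            problems.append("a leading \\\\Device collides with network exclusions; start with *")
    elif "harddiskvolume" in entry.lower():
        problems.append("manual scanning does not understand device names; use a drive letter")
    return problems


def _entry_regex(entry: str) -> "re.Pattern[str]":
    """Turn an escaped wildcard entry into a regex: '\\\\' -> one backslash, '*' -> any run, '?' -> one char."""
    pieces = []
    for ch in entry.replace("\\\\", "\\"):
        pieces.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(pieces), re.IGNORECASE)


def _self_and_ancestors(path: str) -> List[str]:
    """The path itself plus every parent folder, so a folder match excludes its contents."""
    parts = path.split("\\")
    return [p for p in ("\\".join(parts[:n]) for n in range(1, len(parts) + 1)) if p]


def to_device_path(drive_path: str) -> str:
    """C:\\... -> \\Device\\HarddiskVolume1\\..., i.e. the form real-time scanning sees (assumed mapping)."""
    return DEVICE_MAP[drive_path[:2].upper()] + drive_path[2:]


def is_excluded(drive_path: str, entries: Sequence[str], scanner: str) -> bool:
    """Decide whether a file (given with its drive letter) is excluded by any valid entry."""
    seen = to_device_path(drive_path) if scanner == "realtime" else drive_path
    for entry in entries:
        if validate_exclusion(entry, scanner):
            continue  # an entry that breaks the rules is a configuration error and matches nothing
        if has_wildcard(entry):
            rx = _entry_regex(entry)
            if any(rx.fullmatch(p) for p in _self_and_ancestors(seen)):
                return True
        elif "\\" not in entry:  # bare filename: that name anywhere on the disk
            if drive_path.rsplit("\\", 1)[-1].lower() == entry.lower():
                return True
        elif any(p.lower() == entry.lower() for p in _self_and_ancestors(drive_path)):
            return True  # exact file path, or a folder whose contents are all excluded
    return False


if __name__ == "__main__":
    for e in [r"*\\MyFolder\MySecondFolder\MyFiles*.exe", r"MyFile12?.exe", r"C:\\*\\eicar.com"]:
        print(e, "->", validate_exclusion(e, "realtime") or "ok for real-time scanning")
    print(is_excluded(r"C:\Documents and Settings\User7\MyApplication\app.ini",
                      [r"*\\documents and settings\\*\\MyApplication\\*.ini"], "realtime"))
```

Running the block shows the two "Wrong" entries from working example 3 rejected for the documented reasons, the manual-only entry rejected for real-time use, and Solution B matching an .ini file under a user's MyApplication folder once the path is translated to its device name.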
Question
What are the system requirements for Policy Manager 12?

Answer

Policy Manager Server

Supported platforms. This release can be installed on the following platforms:
- Windows Server 2008 SP1 32-bit, editions: Standard, Enterprise, Web Server
- Windows Server 2008 SP1 64-bit, editions: Standard, Enterprise, Web Server, Small Business Server, Essential Business Server
- Windows Server 2008 R2 with or without SP1, editions: Standard, Enterprise, Web Server
- Windows Server 2012, editions: Essentials, Standard, Datacenter
- Windows Server 2012 R2, editions: Essentials, Standard, Datacenter
- Windows Server 2016 ready

Recommended hardware requirements:
- P4 2 GHz, 1 GB RAM. Managing more than 5000 hosts requires at least a P4 3 GHz multi-core processor and 2 GB RAM.
- Minimum of 6 GB of free hard disk space; 10 GB or more is recommended.

Supported browsers:
- Firefox 3.6 or newer
- Internet Explorer 9 or newer
- Google Chrome

Policy Manager Console

Supported platforms. This release can be installed on the following platforms:
- Windows Vista with or without SP1 32/64-bit, editions: Business, Enterprise, Ultimate
- Windows 7 32/64-bit with or without SP1, editions: Professional, Enterprise, Ultimate
- Windows 8 32/64-bit, all editions
- Windows 8.1 32/64-bit, all editions
- Windows Server 2008 SP1 32-bit, editions: Standard, Enterprise, Web Server
- Windows Server 2008 SP1 64-bit, editions: Standard, Enterprise, Web Server, Small Business Server, Essential Business Server
- Windows Server 2008 R2 with or without SP1, editions: Standard, Enterprise, Web Server
- Windows Server 2012, editions: Essentials, Standard, Datacenter
- Windows Server 2012 R2, editions: Essentials, Standard, Datacenter
- Windows Server 2016 ready

Recommended hardware requirements:
- P4 2 GHz, 512 MB RAM. Managing more than 5000 hosts requires at least a P4 3 GHz multi-core processor and 1 GB RAM.
- Minimum 16-bit color display with a resolution of 1024x768; 1280x1024 or higher with 32-bit color recommended.
- 200 MB of free hard disk space.
Applies to: Protection Service for Email, Messaging Security Gateway 8.x

Simple Mail Transfer Protocol (SMTP) is responsible for sending e-mail messages. If you get an SMTP error message, your e-mail was not sent for some reason, and it is important to understand why so that you can fix the problem. All SMTP reply codes consist of three digits, for example 550, 221 or 354, but not all of them indicate an error. To understand how these codes work, you have to know that each digit (the first, the second and the third) has a meaning of its own.

SMTP return codes
The first digit indicates whether your command was accepted and processed. It can have one of the following five values:
1 - The mail server has accepted the command but has not yet taken any action; a confirmation message is required.
2 - The mail server has completed the task successfully without errors.
3 - The mail server has understood the request but requires further information to complete it.
4 - The mail server has encountered a temporary failure. If the command is repeated without any change, it might succeed; try again later.
5 - The mail server has encountered a fatal error. Your request cannot be processed until the problem is fixed.
As you can see, the codes that start with 4 and 5 are the ones that indicate that your message will not be sent until you find and fix the problem.

The second digit can have one of the following values:
0 - Syntax error
1 - Information reply, for example to a HELP request
2 - Refers to the connection status
5 - Refers to the status of the mail server (the mail system)
Values 3 and 4 are not used.

The third (last) digit gives the details of the mail transfer status.

The most important SMTP error codes are:
421 Service not available, closing transmission channel (This may be a reply to any command if the service knows it must shut down.)
450 Requested mail action not taken: mailbox unavailable (e.g. mailbox busy)
451 Requested action aborted: local error in processing
452 Requested action not taken: insufficient system storage
500 Syntax error, command unrecognized (This may include errors such as 'command line too long'.)
501 Syntax error in parameters or arguments
502 Command not implemented
503 Bad sequence of commands
504 Command parameter not implemented
550 Requested action not taken: mailbox unavailable (e.g. mailbox not found, no access)
551 User not local; please try (the reply names the forward-path to use)
552 Requested mail action aborted: exceeded storage allocation
553 Requested action not taken: mailbox name not allowed (e.g. mailbox syntax incorrect)
554 Transaction failed

Other codes that give you helpful information about what is happening with the e-mail messages are:
211 System status, or system help reply
214 Help message (Information on how to use the receiver or the meaning of a particular non-standard command. This reply is useful only to a human user.)
220 Service ready
221 Service closing transmission channel
250 Requested mail action okay, completed
251 User not local; will forward to (the reply names the forward-path)
354 Start mail input; end with a dot (.)
This article describes how you can check whether a mail server is responding. It explains how to do this in principle and provides links to more extensive troubleshooting material.

Note: This article assumes some technical knowledge of the relevant operating system. If you are unsure, please contact F-Secure support for assistance.

Sometimes it is necessary to test that a mail server actually accepts mail and forwards it to the correct recipients.

Testing the mail server
You can test whether the network connection to the mail server works by opening a telnet connection to the server on the standard SMTP port, 25. The command is identical on Linux and Windows:
root@server $ telnet yourmailserver.com 25
If you get a textual response such as the one below, the network connection works and the SMTP service is running on that mail server:
Trying 10.4.1.234...
Connected to yourmailserver.com.
Escape character is '^]'.
220 mx.yourmailserver.com ESMTP Sendmail 8.12.9/8.12.9; Thu, 12 Jun 2009 10:06:19 +0200
"Connection to the host lost" or similar error messages mean that the connection was unsuccessful; start troubleshooting by testing network connectivity. Note that a 220 greeting only proves that the SMTP service is listening; whether the server accepts and forwards mail for a given recipient is shown by its replies to the subsequent EHLO, MAIL FROM and RCPT TO commands.

More information
Extensive troubleshooting information specific to Microsoft Exchange can be found in Microsoft's Knowledge Base at http://support.microsoft.com/kb/153119.
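The following is an added example, not code from the articles or from any F-Secure product: a Python parser for SMTP reply codes that applies the digit meanings from the SMTP return codes article, plus a greeting check that does what the telnet test above does but with a timeout and a clean QUIT, so it can be scripted. The FIRST_DIGIT and SECOND_DIGIT tables restate the article's digit meanings; the function names, the sample replies in the comments and the default host name are assumptions made for the example.

```python
import socket
from dataclasses import dataclass
from typing import List, Optional

# Added example, not taken from the articles or from any F-Secure tool.
# Meaning of the first digit (acceptance) and second digit (subject) of an SMTP reply code.
FIRST_DIGIT = {
    "1": "positive preliminary: accepted, confirmation required",
    "2": "completed successfully",
    "3": "accepted, more input needed",
    "4": "transient failure: retry unchanged later",
    "5": "permanent failure: fix the request before retrying",
}
SECOND_DIGIT = {"0": "syntax", "1": "information", "2": "connection", "5": "mail system"}


@dataclass
class SmtpReply:
    code: int
    lines: List[str]  # text of each reply line, without the three-digit code

    @property
    def category(self) -> str:
        return FIRST_DIGIT.get(str(self.code)[0], "unknown")

    @property
    def subject(self) -> str:
        return SECOND_DIGIT.get(str(self.code)[1], "unused")

    @property
    def is_error(self) -> bool:
        return self.code >= 400

    @property
    def should_retry(self) -> bool:
        return 400 <= self.code < 500  # 4xx is transient, 5xx is permanent


def parse_reply(raw: str) -> Optional[SmtpReply]:
    """Parse one reply. 'NNN-text' lines continue it, 'NNN text' (or bare 'NNN') ends it.
    Returns None while the reply is still incomplete; raises ValueError on malformed input."""
    code = None
    lines: List[str] = []
    for line in raw.splitlines():
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"not an SMTP reply line: {line!r}")
        if code is None:
            code = int(line[:3])
        elif int(line[:3]) != code:
            raise ValueError("reply code changed within one reply")
        lines.append(line[4:])
        if line[3:4] != "-":
            return SmtpReply(code, lines)
    return None  # every line so far used the '-' continuation marker


def read_reply(sock: socket.socket) -> SmtpReply:
    """Read from the socket until one complete (possibly multi-line) reply has arrived."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed before the reply completed")
        buf += chunk
        if buf.endswith(b"\r\n"):
            reply = parse_reply(buf.decode("ascii", "replace"))
            if reply is not None:
                return reply


def check_mail_server(host: str, port: int = 25, timeout: float = 10.0) -> SmtpReply:
    """Connect, read the greeting and QUIT. A 220 greeting means the SMTP service is up;
    a socket error means the network path is the first thing to troubleshoot."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        greeting = read_reply(sock)
        sock.sendall(b"QUIT\r\n")
        try:
            read_reply(sock)  # a 221 is expected; tolerate a server that simply hangs up
        except (ConnectionError, OSError):
            pass
        return greeting


if __name__ == "__main__":
    import sys
    # Example greeting, constructed from the article's telnet output:
    # "220 mx.yourmailserver.com ESMTP Sendmail 8.12.9/8.12.9; Thu, 12 Jun 2009 10:06:19 +0200"
    reply = check_mail_server(sys.argv[1] if len(sys.argv) > 1 else "yourmailserver.com")
    print(reply.code, reply.category, "/", reply.subject, reply.lines)
```

The parser handles multi-line replies (for example the EHLO capability list) by checking the fourth character of each line, and check_mail_server raises a socket error rather than hanging when the port is filtered, which is the case the telnet test reports as a lost connection.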
Applies to: Protection Service for Email, Messaging Security Gateway 8.x

This article explains how you can send spam false positives and false negatives to Proofpoint for further analysis.

About false negatives and positives
Both administrators and end users can report false positives and false negatives. For end users, the administrator must first enable end-user digests; end users can then report false positives and false negatives from the digest. Reporting false negatives requires the use of the Audit folder in the Quarantine and the setup of a Spam Reporting group.

False negatives
False negatives are messages that the end user considers spam but which were delivered because the MLX engine scored them below 50. By reporting these messages to the Proofpoint Attack Response Center (PARC), you help improve spam effectiveness against that specific type of message. To examine a reported message fully, PARC requires the entire original, unaltered message. Since the best place to capture the original message is the quarantine (before it reaches your mail server), the "Audit Messages" feature is used to store Not Spam messages in the Audit folder.

Two steps are required to enable the reporting of false negatives:
1. Enable auditing in all spam policies.
2. Enable Audit Messages for users.

Enable auditing in all spam policies
This option quarantines (into the Audit folder) any message smaller than 200 KB that is marked as Not Spam and is not quarantined by any other rule.
1. Click Spam Detection > Policies.
2. Edit the "Default" policy.
3. Edit the "Not Spam" rule.
4. Check the "Include in Audit folder" box.
5. Click Save Changes.
6. Repeat these steps for all other spam policies.
Note: "Not Spam" messages are not copied into the Audit folder until the Audit Messages feature is enabled for one or more users (next step).

Enable Audit Messages for users
1. Go to Groups and Users > Users and check each user who will use this feature.
2. Click the Groups button.
3. In the "Available Groups" column, click Spam Reporting, then click >> to move it to the "Add" column.
4. Click Save Changes.
Once both steps are complete, mail marked as Not Spam starts appearing in the Audit folder of the quarantine. For performance reasons, enabling Audit Messages for all users is not recommended; if you decide to do so anyway, do it under Groups and Users > Global.

False positives
False positives are messages scored as spam that the end user considers valid e-mail. False positives are very rare and are treated with the highest priority by Proofpoint. In the default configuration, digests allow the reporting of false positives: the user clicks the "Not Spam" link next to an individual message, and that e-mail is delivered directly from the Quarantine to the Proofpoint Attack Response Center. If this link does not appear in your digest, check the following:
1. Digest > Commands: set Display Spam False-Positive Link to on.
2. Digest > Filters > Modules: click Spam, then Options, then Digest Commands. "Report False Positive Spam" should be on the right-hand side.
3. Digest > Content > Labels: verify the name assigned to "Report False Positive Spam".

Reporting directly from the Quarantine
An administrator can report in the same way, but directly from the Quarantine:
1. Go to Quarantine > Messages.
2. Search for the message by Subject, Sender, Recipient, etc.
3. Check the box next to the message and click Options > Report.

If you do not want your users to report messages from their digest and want only administrators to report directly from the quarantine, change the following options:
1. Digest > Commands: disable "Report False Positive Spam".
2. Digest > Commands: disable "Report False Negative Spam".
3. Groups and Users > Groups: check the box next to Spam Reporting, click Attributes, set "Include Audit Messages in Digest" to "Default" and save.
With these changes, both spam and not-spam messages are still stored in the quarantine, but end users no longer see the Audit section in their digest or the "Not Spam" option in the Quarantine section.
This article explains how you can add a footer, such as a disclaimer, to all outbound mail of an F-Secure Messaging Security Gateway (MSG) Server.

Note: This article assumes understanding of and access to the MSG server. If you are not sure, contact F-Secure support for assistance.

Adding a disclaimer to an MSG box
To add a disclaimer, create a policy route (or use an existing one) that defines outbound mail, and then create an Email Firewall rule that applies the disclaimer. The rule also checks for a previously added disclaimer, so that replies which quote an earlier message do not get a second copy.

To add a disclaimer:
1. Go to System > Policy Routes. A policy route named "outbound" should already exist; if it does not, create one. If the policy route has already been defined, proceed to step 3.
2. Define the policy route to include the IP address(es) that send outbound mail through the F-Secure MSG Server (for example Sender IP = 18.104.22.168 or Sender IP in Network = 22.214.171.124/16).
3. Go to Email Firewall > Rules and click Add Rule.
4. Give the new rule an alphanumeric ID and a description.
5. Click Add Condition.
6. Select Condition: Policy Route, Operator: Equals, Value: Outbound.
7. Click Add and New Condition. This keeps you on the Add Condition screen.
8. Select Add condition as: And.
9. Select Condition: Message Body Only, Operator: Does Not Contain, and as the Value enter one or more keywords from the disclaimer. Choose the keywords carefully, as replies may format the text differently.
10. Click Add Condition. This takes you back to the original rule screen.
11. Select Delivery Method: Continue.
12. Check "Annotate message..." and select Add Message.
13. Select Annotate Location: Bottom of the message.
14. Enter the disclaimer text in the text box. In version 5.0 and newer, you can use HTML tags and text in the field as long as you begin the text with the tag and end it with the tag.
15. Scroll to the top and click Add Rule.
This article describes how you can create a rule to block e-mails with a specific character set.

Rule for blocking e-mails with specific character set

To create an e-mail firewall rule that blocks e-mails in a specific character set, you only need to reference the appropriate character encoding. For example, suppose you want to block e-mails written in Russian using the Cyrillic alphabet. The common character encodings for Cyrillic are Windows-1251 and KOI8-R. In the original message header you might see something like the following:

Content-Type: text/plain; charset="koi8-r"

By creating an e-mail firewall rule that keys off this header, you can block such e-mails. To do this, create a rule matching the e-mail header: Message Headers > Attribute > Content Type > Operator > Contains > Value: "koi8-r".

Similar rules can be created for other character sets. For example, to block all e-mail messages in simplified Chinese, create a rule that matches "gb2312".

Note that the rules described above only block messages that specify the character set in the top-level Content-Type message header. Some e-mails in foreign character sets specify the character set in the MIME part headers inside the body (after the MIME boundaries) rather than in the message headers. To catch these, you must create a rule that looks for the character set anywhere in the message. Such a rule also catches any e-mail that merely discusses the character set in the body.
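The two rule variants above, as an added example (not from the original article and not MSG's rule engine), run against constructed sample messages so the difference is visible: a header-only rule misses a multipart message whose charset is declared only in a part header, and an anywhere-in-the-message rule catches it but also flags a message that merely mentions the charset. The third function goes beyond the article: it checks the charset each MIME part actually declares, which catches the part-level case without the false positive. The blocked-charset list is a constructed policy.

```python
"""Three ways to match a blocked character set, as discussed above.

Added example, not from the original article and not MSG's rule engine. The
blocked-charset list and the sample messages are constructed. The first two
functions mirror the article's two rules; the third is an added, stricter
variant that the article does not describe.
"""
from email import message_from_string

# Constructed policy: charsets the rule should block (compared lower-cased).
BLOCKED_CHARSETS = {"koi8-r", "windows-1251", "gb2312"}


def header_rule(raw_message: str, blocked=BLOCKED_CHARSETS) -> bool:
    """Message Headers > Content Type > Contains <charset>.

    Only the top-level Content-Type header is examined, so a multipart
    message whose charset appears only in a part header is missed.
    """
    msg = message_from_string(raw_message)
    content_type = str(msg.get("Content-Type", "")).lower()
    return any(cs in content_type for cs in blocked)


def anywhere_rule(raw_message: str, blocked=BLOCKED_CHARSETS) -> bool:
    """Charset string anywhere in the message (headers, part headers, body).

    Catches the MIME-part case but also any message that merely talks about
    the charset, which is the false positive the article warns about.
    """
    text = raw_message.lower()
    return any(cs in text for cs in blocked)


def declared_charset_rule(raw_message: str, blocked=BLOCKED_CHARSETS) -> bool:
    """Added variant: block on the charset declared by any MIME part.

    Walks every part and reads its charset parameter, so a part-level
    declaration is caught while a charset name in the body text is ignored.
    """
    msg = message_from_string(raw_message)
    declared = {(part.get_content_charset() or "").lower() for part in msg.walk()}
    return bool(declared & blocked)


def evaluate(raw_message: str) -> dict:
    """Run all three rules and report which of them would block the message."""
    return {
        "header_rule": header_rule(raw_message),
        "anywhere_rule": anywhere_rule(raw_message),
        "declared_charset_rule": declared_charset_rule(raw_message),
    }


# Constructed sample 1: charset declared in the top-level header.
SAMPLE_TOP_LEVEL = (
    "From: sender@example.org\nTo: user@example.com\nSubject: test\n"
    "Content-Type: text/plain; charset=\"koi8-r\"\n\n"
    "privet\n"
)

# Constructed sample 2: multipart, charset only inside the MIME parts.
SAMPLE_MULTIPART = (
    "From: sender@example.org\nTo: user@example.com\nSubject: test\n"
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/alternative; boundary=\"XYZ\"\n\n"
    "--XYZ\nContent-Type: text/plain; charset=\"koi8-r\"\n\nprivet\n"
    "--XYZ\nContent-Type: text/html; charset=\"koi8-r\"\n\n<p>privet</p>\n"
    "--XYZ--\n"
)

# Constructed sample 3: an ASCII message that only mentions the charset.
SAMPLE_MENTION = (
    "From: sender@example.org\nTo: user@example.com\nSubject: encoding question\n"
    "Content-Type: text/plain; charset=\"us-ascii\"\n\n"
    "Should the gateway keep accepting KOI8-R mail from the Moscow office?\n"
)

if __name__ == "__main__":
    for name, sample in [("top-level", SAMPLE_TOP_LEVEL),
                         ("multipart", SAMPLE_MULTIPART),
                         ("mention", SAMPLE_MENTION)]:
        print(name, evaluate(sample))
```

When the false-positive rate of the anywhere-in-the-message rule matters, the declared-charset approach is the one to aim for; in MSG itself the closest equivalent is an additional condition on the part-level Content-Type, combined with a review of what the rule matched before switching it from logging to blocking.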
This article describes how to change the evaluation license to a full license in F-Secure Messaging Security Gateway.

If the F-Secure Messaging Security Gateway has been evaluated with an evaluation activation key, it must be activated with a real activation key after the evaluation period is over. This takes a handful of easy steps and requires no reboot.

Activating product with license key

To activate the product with the real license key, the evaluation key must first be deactivated and then the real key activated. If you have not received the real key after the purchase, contact F-Secure.

Note: Do not proceed without the real activation key.

To activate the key:

1. In the web user interface, go to the System > License and Updates > Licenses page.
2. Make sure the F-Secure Activation Status shows "Activated" and the F-Secure Activation ID shows the current evaluation key.
3. Click the Deactivate button.
4. In the resulting pop-up window, confirm the deactivation by clicking the Deactivate ID button.
5. Once the ID has been deactivated, click the Activate button.
6. In the pop-up window, replace the default activation key (pps_customer) with your real activation key and click the Activate ID button.

The product is now activated with the proper, non-evaluation key.
Question
How do I add a new domain/customer for inbound mail?

Answer
To add a new domain/customer for inbound mail:
1. Make sure that the SMTP connection to the target e-mail server works.
2. Go to the settings under System > Inbound Mail.
3. Select Add, define the domain, and enter the destination server to which e-mail for that domain is routed.
4. To apply the settings to the servers (in clustered environments, select "All"), select OK.

Question
How can I add a new domain/customer for outbound mail?

Answer
To add a new domain/customer for outbound mail:
The outbound mail setting specifies which hosts can send e-mail through the system. The settings are located under System > Outbound Mail > Allow Relay.

Note: Allow relay only for your internal mail servers. Allowing relay for other hosts turns the gateway into an open relay that can be abused to send spam in your name.

Question
How can I add new domain/customer policy routes?

Answer
To add new domain/customer policy routes:
1. Go to System > Policy Routes.
2. Add the e-mail server address to the outbound policy route.
3. Create a domain-specific route for inbound mail (condition: Recipient email address ends with the domain).
Optionally, you can create policy routes for both inbound and outbound mail.