F-SECURE CLIENT SECURITY 7.00 Administrator's Manual


Summary of Contents for F-SECURE CLIENT SECURITY 7.00

  • Page 1 F-Secure Client Security Administrator’s Guide...
  • Page 2 Although F-Secure Corporation makes every effort to ensure that this information is accurate, F-Secure Corporation will not be liable for any errors or omission of facts contained herein. F-Secure Corporation reserves the right to modify specifications cited in this document without prior notice.
  • Page 3: Table Of Contents

    Contents About this Guide Overview ..........................11 Additional Documentation ....................13 Conventions Used in F-Secure Guides ................15 Symbols ........................15 Chapter 1 Introduction Overview ........................18 F-Secure Client Security Components and Features..........18 1.2.1 Virus and Spy Protection ................18 1.2.2 Internet Shield ....................21 1.2.3 Application Management ................22...
  • Page 4 Installation Steps......................33 Uninstalling F-Secure Policy Manager ...............55 Chapter 3 Introduction to F-Secure Policy Manager Anti-Virus Mode User Interface Overview ........................57 Policy Domains Tab ....................58 Management Tabs .....................58 3.3.1 Summary Tab ....................59 3.3.2 Outbreak Tab....................66 3.3.3 Settings Tab ....................68 3.3.4 Status Tab ....................102 3.3.5 Alerts Tab .....................110...
  • Page 5 Local Installation ......................156 4.5.1 Local Installation System Requirements ............157 4.5.2 Installation Instructions .................157 Installing on an Infected Host...................158 How to Check That the Management Connections Work ........159 Chapter 5 Configuring Virus and Spyware Protection Overview: What can Virus and Spyware Protection be Used for? ......161 Configuring Automatic Updates ................162 5.2.1 How do Automatic Updates Work?...............163 5.2.2 Automatic Updates Configuration Settings...........163...
  • Page 6 5.9.1 Setting all Virus Protection Settings Final.............189 5.10 Configuring F-Secure Client Security Alert Sending ..........190 5.10.1 Setting F-Secure Client Security to Send Virus Alerts to an E-mail Address190 5.10.2 Disabling F-Secure Client Security Alert Pop-ups ........192 5.11 Monitoring Viruses on the Network ................192 5.12 Testing your Antivirus Protection ................192...
  • Page 7 Logging and Log File Locations on Local Hosts ............237 9.5.1 LogFile.log ....................237 9.5.2 Packet Logging.....................238 9.5.3 Other Log Files .....................241 Connecting to F-Secure Policy Manager and Importing a Policy File Manually..241 Suspending Downloads and Updates ..............242 Allowing Users to Unload F-Secure Products ............242 Chapter 10 Virus Information 10.1 Virus Information on F-Secure Web Pages..............245...
  • Page 8 10.3 Viruses in the Wild ....................246 10.4 How to Send a Virus Sample to F-Secure ...............246 10.4.1 How to Package a Virus Sample ..............246 10.4.2 What Should Be Sent ...................247 10.4.3 Where to Send the Virus Sample ..............249 10.4.4 In What Language ..................250 10.4.5 Response Times...................250...
  • Page 9 Appendix B E-mail Scanning Alert and Error Messages B.1 Overview ......................... 293 Glossary Technical Support Overview .......................... 312 Web Club .........................312 Virus Descriptions on the Web ................312 Advanced Technical Support ...................312 F-Secure Technical Product Training ................313 Training Program ....................313 Contact Information ....................314 About F-Secure Corporation...
  • Page 10: About This Guide

    ABOUT THIS GUIDE Overview..................11 Additional Documentation............13...
  • Page 11: Overview

    This manual covers the configuration and operations that you can do with the F-Secure Policy Manager Anti-Virus Mode user interface and provides the information you need to get started with managing F-Secure Client Security applications centrally. The F-Secure Client Security Administrator’s Guide is divided into the following chapters.
  • Page 12 Appendix B. E-mail Scanning Alert and Error Messages. Describes the alert and error messages that E-mail Scanning can generate. Glossary — Explanation of terms Technical Support — Web Club and contact information for assistance. About F-Secure Corporation — Company background and products.
  • Page 13: Additional Documentation

    F1. The online help always opens to a page that holds information about your current location in the F-Secure Client Security user interface. In the left pane of the online help, you can browse through the help using the...
  • Page 14 F-Secure Policy Manager Administrator’s Guide For more information on administering other F-Secure software products with F-Secure Policy Manager, see F-Secure Policy Manager Administrator’s Guide. It contains information on the Advanced Mode user interface and instructions on how you can configure and manage other F-Secure products.
  • Page 15: Conventions Used In F-Secure Guides

    Conventions Used in F-Secure Guides This section describes the symbols, fonts, and terminology used in this manual. Symbols WARNING: The warning symbol indicates a situation with a risk of irreversible destruction to data. IMPORTANT: An exclamation mark provides important information that you need to consider.
  • Page 16 In our constant attempts to improve our documentation, we would welcome your feedback. If you have any questions, comments, or suggestions about this or any other F-Secure document, please contact us at documentation@f-secure.com.
  • Page 17: Introduction

    INTRODUCTION Overview..................18 F-Secure Client Security Components and Features ....18 Introduction to F-Secure Policy Manager ........23 Basic Terminology ..............26...
  • Page 18: Overview

    Overview This section describes the main components of F-Secure Client Security and F-Secure Policy Manager and provides an introduction to policy based management. F-Secure Client Security Components and Features F-Secure Client Security is used for protecting the computer against viruses, worms, spyware, rootkits and other malware, and against unauthorized access from the network.
  • Page 19 Manual Scanning You can use Manual Scanning, for example, after you have installed F-Secure Client Security, if you suspect that there might be a virus or spyware on the computer, or if a virus has been found in the local area network.
  • Page 20 The integrity of the delivered executable code is very important, and F-Secure scanning engines check that all update code is signed by F-Secure Anti-Virus Research. If the integrity is compromised, the code will not be executed. For more information, see “Configuring Automatic...
  • Page 21: Internet Shield

    “Configuring Automatic Updates”, 162. Virus News F-Secure Virus News delivers instant notifications of serious security events around the world. The F-Secure Virus News service is delivered through F-Secure Automatic Update Agent. See the F-Secure Client Security online help for more information. 1.2.2...
  • Page 22: Application Management

    1.2.3 Application Management SNMP Agent The F-Secure SNMP Agent is a Windows NT SNMP extension agent, which is loaded and unloaded with the master agent. The F-Secure SNMP Agent offers a subset of Policy Manager functionality, and it is meant primarily for alert and statistics monitoring.
  • Page 23: Introduction To F-Secure Policy Manager

    “Setting Up Cisco NAC Support”, 253. Introduction to F-Secure Policy Manager This section contains a brief introduction to F-Secure Policy Manager. For more information, see F-Secure Policy Manager Administrator’s Guide. F-Secure Policy Manager provides a scalable way to manage the security of numerous applications on multiple operating systems from one central location.
  • Page 24: Main Components Of F-Secure Policy Manager

    These policies are defined in F-Secure Policy Manager Console and then distributed to the workstations through the F-Secure Policy Manager Server. It can be used to remotely install F-Secure products on other workstations without the need for any intervention by the end user.
  • Page 25: F-Secure Policy Manager Features

    It handles all management functions on the local workstations and provides a common interface for all F-Secure applications, and operates within the policy-based management infrastructure.
  • Page 26: Basic Terminology

    A security policy is a set of well-defined rules that regulate how sensitive information and other resources are managed, protected, and distributed. The management architecture of F-Secure software uses policies that are centrally configured by the administrator for optimum control of security in a corporate environment.
  • Page 27 Policy domains are groups of hosts or subdomains that have a similar security policy. Policy inheritance Policy inheritance simplifies the defining of a common policy. In F-Secure Policy Manager Console, each policy domain automatically inherits the settings of its parent domain, allowing for easy and efficient management of large networks.
  • Page 28: Installing F-Secure Policy Manager

    INSTALLING F-SECURE POLICY MANAGER Overview..................29 System Requirements ..............30 Installation Steps ................ 33 Uninstalling F-Secure Policy Manager ........55...
  • Page 29: Overview

    F-Secure Policy Manager Console. Instructions on how to install F-Secure Policy Manager Console and Server on the same computer. The F-Secure Policy Manager Console and Server setup is run from the F-Secure CD. For information on alternative installation scenarios as well as the...
  • Page 30: System Requirements

    System Requirements 2.2.1 F-Secure Policy Manager Server In order to install F-Secure Policy Manager Server, your system must meet the following minimum requirements: Operating system: Microsoft Windows 2000 Server (SP 3 or higher); Windows 2000 Advanced Server (SP 3 or higher);...
  • Page 31 CHAPTER 2 Memory: 256 MB RAM; when Web Reporting is enabled, 512 MB RAM. Disk space: 200 MB of free hard disk space; 500 MB or more is recommended. The disk space requirements depend on the size of the installation.
  • Page 32: F-Secure Policy Manager Console

    2.2.2 F-Secure Policy Manager Console In order to install F-Secure Policy Manager Console, your system must meet the following minimum requirements: Operating system: Microsoft Windows 2000 Professional (SP3 or higher); Windows 2000 Server (SP3 or higher); Windows 2000 Advanced Server (SP3 or higher); Windows XP Professional (SP2 or higher);...
  • Page 33: Installation Steps

    1. Insert the F-Secure CD in your CD-ROM drive. 2. Select Corporate Use. Click Next to continue. 3. Select F-Secure Policy Manager from the Install or Update Management Software menu. Step 2. View the Welcome screen, and follow the setup instructions. Then select the installation language from the drop-down menu.
  • Page 34 Step 3. Read the license agreement information. If you agree, select I accept this agreement. Click Next to continue.
  • Page 35 F-Secure Policy Manager Server, F-Secure Policy Manager Console, F-Secure Policy Manager Update Server & Agent are installed on the same computer. The default ports are used for F-Secure Policy Manager Server modules. Only the F-Secure Policy Manager Console installed on the same computer is allowed access to F-Secure Policy Manager Server.
  • Page 36 Step 5. Select the following components to be installed: F-Secure Policy Manager Console F-Secure Policy Manager Server F-Secure Policy Manager Update Server & Agent F-Secure Installation Packages Click Next to continue.
  • Page 37 CHAPTER 2 Step 6. Choose the destination folder. It is recommended to use the default installation directory. Use the Browse feature to install F-Secure Policy Manager in a different directory. Click Next to continue.
  • Page 38 F-Secure Policy Manager Server will use as a repository. You can use the previous commdir as a backup, or you can delete it once you have verified that F-Secure Policy Manager Server is correctly installed.
  • Page 39 Step 8. Select whether you want to keep the existing settings or change them. This dialog is displayed only if a previous installation of F-Secure Policy Manager Server was detected on the computer. By default the setup keeps the existing settings. Select this option if you have manually updated the F-Secure Policy Manager Server configuration file (HTTPD.conf).
  • Page 40 Step 9. Select the F-Secure Policy Manager Server modules to enable: Host module is used for communication with the hosts. The default port is 80. Administration module is used for communication with F-Secure Policy Manager Console. The default HTTP port is 8080.
  • Page 41 CHAPTER 2 Click Next to continue.
  • Page 42 Step 10. Specify F-Secure Policy Manager Server address, and Administration port number. Click Next to continue. Depending on the installation method, this window is not always displayed...
  • Page 43 CHAPTER 2 Step 11. Select to add product installation package(s) from the list of available packages (if you selected F-Secure Installation Packages in Step 5. , 36). Click Next.
  • Page 44 Step 12. Review the changes that setup is about to make. Click Start to start the installation.
  • Page 45 CHAPTER 2 Step 13. When the setup is completed, the setup shows whether all components were installed successfully.
  • Page 46 Step 14. Click Finish to complete the F-Secure Policy Manager Server installation. After this you should run the F-Secure Policy Manager Console for the first time.
  • Page 47 CHAPTER 2 Step 15. It is important to run F-Secure Policy Manager Console after the setup, because some connection properties will be collected during the initial console startup. You can find the shortcut under Start > Programs > F-Secure Policy Manager Console > F-Secure Policy Manager Console. When F-Secure...
  • Page 48 Step 16. Select your user mode according to your needs: Administrator mode - enables all administrator features. Read-Only mode - allows you to view administrator data, but no changes can be made. If you select Read-only mode, you will not be able to administer hosts.
  • Page 49 CHAPTER 2 Step 17. Enter the address of the F-Secure Policy Manager Server that is used for communicating with the managed hosts.
  • Page 50 Step 18. Enter the path where the administrator’s public key and private key files will be stored. By default, key files are stored in the F-Secure Policy Manager Console installation directory: Program Files\F-Secure\Administrator. Click Next to continue. If the key-pair does not exist already, it will be created later in the...
  • Page 51 CHAPTER 2 Step 19. Move your mouse cursor around in the window to initialize the random seed used by the management key-pair generator. Using the path of the mouse movement ensures that the seed number for the key-pair generation algorithm has enough randomness. When the progress indicator has reached 100%, the Passphrase dialog box will open automatically.
  • Page 52 Step 20. Enter a passphrase, which will secure your private management key. Re-enter your passphrase in the Confirm Passphrase field. Click Next. Step 21. Click Finish to complete the setup process.
  • Page 53 CHAPTER 2 F-Secure Policy Manager Console will generate the management key-pair. For information on backing up the admin.pub key, see chapter Maintaining F-Secure Policy Manager Server in F-Secure Policy Manager Administrator’s Guide.
  • Page 54 “Creating the Domain Structure”, 130 and “Adding Hosts”, 132. If you decide to exit from F-Secure Policy Manager Console, and want to login again later, see “Logging in for the First Time”, 126. If you want to familiarize yourself with the F-Secure Policy Manager Console user interface, see “Introduction to F-Secure Policy Manager...
  • Page 55: Uninstalling F-Secure Policy Manager

    Start to begin uninstallation. 4. When the uninstallation is complete, click Close. 5. Repeat steps 2-4, if you want to uninstall other F-Secure Policy Manager components. 6. When you have uninstalled the components, exit Add/Remove Programs. 7. It is recommended to reboot your computer after the uninstallation.
  • Page 56: Introduction To F-Secure Policy Manager Anti-Virus Mode User Interface

    INTRODUCTION TO F-SECURE POLICY MANAGER ANTI-VIRUS MODE USER INTERFACE Overview..................57 Policy Domains Tab..............58 Management Tabs ..............58 Toolbar..................116 Menu Commands ..............117 Settings Inheritance..............120...
  • Page 57: Overview

    F-Secure Policy Manager also includes another user interface, the Advanced Mode user interface. It is used to manage products other than F-Secure Client Security and F-Secure Anti-Virus 5.40. It is also used when you need to change F-Secure Client Security advanced settings.
  • Page 58: Policy Domains Tab

    Policy Domains Tab In the Policy Domains tab, you can do the following: Add a new policy domain by clicking the icon, which is located on the toolbar. A new policy domain can be created only when a parent domain is selected. Add a new host by clicking the icon.
  • Page 59: Summary Tab

    CHAPTER 3 3.3.1 Summary Tab Figure 3-1 Summary Tab The Summary tab is designed to display the most important information concerning the selected domain(s) or host(s) at a glance. When a domain is selected, the Summary tab displays information about the whole domain.
  • Page 60 If some of the settings displayed on the Summary tab require your immediate attention or action, an icon is displayed beside the setting. The icons can be interpreted as follows: Warns of an error situation that requires your action. The error cannot be fixed automatically. The icon is displayed, for example, when the latest policies have not been distributed, or when virus definitions on hosts are outdated...
  • Page 61 CHAPTER 3 Policy Manager Figure 3-2 Policy Manager related information on Summary Tab In the Policy Manager section you can: See the current Policy distribution status (saved/unsaved, distributed/undistributed), and when necessary, save the policy data and distribute the new policies to hosts. See the status of the virus definitions on the server.
  • Page 62 Domain Figure 3-3 Domain related information on Summary Tab In the Domain section you can: See the number of hosts that have the latest policy and access a summary of their latest policy update by clicking View hosts' latest policy update... This takes you to the Status tab and Centralized Management page.
  • Page 63 Recent means that the virus definitions are not the latest ones. Outdated means that the virus definitions are older than the configured time limit. If you have F-Secure Anti-Virus 5.40 installed on some hosts, the virus definitions version on these hosts is displayed as ‘unknown’.
  • Page 64 If you need to update the virus definitions on some hosts, click Update virus definitions... that takes you to the Operations tab. Internet Shield Figure 3-5 Internet Shield related information on Summary tab In the Internet Shield section you can: See how many hosts in the domain have Internet Shield installed.
  • Page 65 CHAPTER 3 In the Host section you can: See the name of the selected host displayed beside Computer identity. You can also access more detailed information on the host by clicking View host properties... This takes you to the Status tab and Host Properties page. See the active protocol (HTTP or File Sharing), the address of the Policy Manager Server the host is connected to, and the date and time of the last connection.
  • Page 66: Outbreak Tab

    Outbreak Tab Figure 3-7 Outbreak Tab The Security News section shows security news from F-Secure. Security news items are usually about new virus outbreaks, and they state the virus definitions version required on the hosts to protect against the new outbreak.
  • Page 67 Policy Manager Server. If protection is not currently available, the Policy Manager Server will automatically download it from F-Secure when it is available. The security news show the alert level of the security threat:...
  • Page 68: Settings Tab

    Update delta tells you how well the host's automatic updates were functioning when the host last sent statistics to the F-Secure Policy Manager Server. If a host is displayed as unprotected but has a small value in the update delta column, the host is most likely fine and the status reflects stale statistics; confirm this when the host next reports rather than dismissing it outright.
  • Page 69 CHAPTER 3 For more information on the lock symbols and other items displayed on all Settings pages, see “Settings Inheritance”, 120. Context Menu on Settings Pages By right-clicking any setting on a Settings tab page you can access a context menu that contains the following options: Clear This option clears a setting that has been redefined on the current level.
  • Page 70 Show Domain The Show Domain Values menu item is Values available only when a Policy Domain is selected. You can view a list of all policy domains and hosts below the selected policy domain, together with the value of the selected field.
  • Page 71 Automatic Updates Figure 3-8 Settings > Automatic Updates Tab Automatic Updates for F-Secure Client Security 6.x and later In the Automatic Updates for F-Secure Client Security 6.x and later section you can: Enable or disable automatic updates. Note that deselecting this setting disables all ways for the host to get automatic updates.
  • Page 72 For configuration examples and more information, see “Configuring Automatic Updates”, 162. Automatic Updates for F-Secure Client Security 5.5x Clicking the Configure automatic updates for F-Secure Client Security 5.5x.. link opens a page that contains the Automatic Updates Settings for hosts running F-Secure Client Security 5.x.
  • Page 73 CHAPTER 3 Figure 3-9 Settings > Automatic Updates > Automatic Updates F-Secure Client Security 5. page Automatic Updates In the Automatic Updates section you can: • Enable or disable automatic updates.
  • Page 74 See the currently defined download timeout per Anti-Virus Proxy. The default value, 15 minutes, is suitable for most environments. For configuration examples and more information, see section Configuring Virus Definitions Updates in F-Secure Client Security 5.60 Administrator’s Guide.
  • Page 75 CHAPTER 3 Real-Time Scanning Figure 3-10 Settings > Real-Time Scanning page...
  • Page 76 General In the General section you can Enable or disable real-time scanning. File Scanning In the Files to Scan section you can: Select which files will be scanned and define the included extensions. Select whether real-time scanning is executed also inside compressed files.
  • Page 77 Select the action to take when an infection is found. From the Action on infection drop-down list, you can select the action F-Secure Client Security will take when an infected boot sector is detected. Choose one of the following actions:...
  • Page 78 Manual Scanning Figure 3-11 Settings > Manual Scanning...
  • Page 79 When Enable excluded objects is selected, the users can specify individual files or folders that will not be scanned. From the Action on infection drop-down list, you can select the action F-Secure Client Security will take when an infected file is detected.
  • Page 80 Choose one of the following actions: Ask after scan: starts the F-Secure Disinfection Wizard when an infected file is detected. Disinfect automatically: disinfects the file automatically when a virus is detected. Rename: renames the file automatically when a virus is...
  • Page 81 Scanning”, 172. Scheduled Scanning Configure scheduled scanning in advanced mode link takes you to the F-Secure Policy Manager Console Advanced Mode user interface, where scheduled scanning can be configured. For more information, see “Configuring Scheduled Scanning”, 258. Manual Boot Sector Scanning...
  • Page 82 Spyware Control Figure 3-12 Settings > Spyware Control...
  • Page 83 CHAPTER 3 Spyware Scanning on File Access This section contains the same spyware scanning settings as the Spyware Scanning on File Access section on the Settings > Real-Time Scanning page. For more information, see “Spyware Scanning on File Access”, 76. Manual Spyware Scanning This section contains the same spyware scanning settings as the Manual Spyware Scanning section on the Settings >...
  • Page 84 E-mail Scanning Figure 3-13 Settings > E-mail Scanning page This page includes separate settings for incoming and outgoing E-mail Scanning. The settings in the General section are common for both.
  • Page 85 CHAPTER 3 Incoming E-mail Scanning In the Incoming E-mail Scanning section you can: Enable incoming e-mail scanning. Select the action to take on incoming infected attachment. Select the action to take on scanning failure. Select the action to take on malformed message parts. Outgoing E-mail Scanning In the Outgoing E-mail Scanning section you can: Enable outgoing e-mail scanning.
  • Page 86 Web Traffic Scanning Figure 3-14 Settings > Web Traffic Scanning General In the General section you can enable or disable HTTP scanning. HTTP Scanning Select the action to take on infection. Select the action to take on scanning failure. Select whether compressed files are included in scanning.
  • Page 87 CHAPTER 3 Trusted HTTP Sites The Trusted HTTP Sites table displays a list of HTTP sites that are defined as trusted. Downloads from these sites are not scanned for viruses, so keep the list to the few sites that genuinely need the exemption. For more information on Web Traffic Scanning and for practical configuration examples, see “Configuring Web Traffic (HTTP) Scanning”,...
  • Page 88 Firewall Security Levels Figure 3-15 Settings > Firewall Security Levels...
  • Page 89 CHAPTER 3 General In the General section you can: Select the Internet Shield security level for the host. For more information, see “Global Firewall Security Levels”, 195. Configure security level autoselection by clicking Configure security level autoselection in advanced mode... This takes you to the Advanced Mode user interface.
  • Page 90 Intrusion Prevention In the Intrusion Prevention section you can: Enable and disable intrusion detection. Select the action on malicious packet. The options available are: Log and drop and Log without dropping. Define the centralized alert severity. Define the alert and performance level. For configuration examples and more information, see “Configuring the Intrusion...
  • Page 91 CHAPTER 3 Firewall Rules Figure 3-16 Settings > Firewall Rules...
  • Page 92 When the selected security level is changed, the rules associated with the new security level are displayed in the table. When the F-Secure Internet Shield Firewall is in use, the firewall rules are checked in the order in which they are displayed in the table, from top to bottom.
  • Page 93 CHAPTER 3 reply packets from the server applications. Outgoing packets from ordinary applications need to be allowed by the rules in the firewall rules table. For more information on how to create and modify firewall rules, see “Configuring Internet Shield Security Levels and Rules”, 198 and “Configuring Internet Shield Rule Alerts”, 205.
  • Page 94 Firewall Services Figure 3-17 Settings > Firewall Services Service, short for Network Service, means a service that is available on the network, e.g. file sharing, remote console access, or web browsing. It is most often described by what protocol and port it uses.
  • Page 95 CHAPTER 3 Firewall Services Table (Global) The Firewall Services Table displays a list of services that have been defined for the firewall. It is also possible to create or allow the end users to create new services for the firewall. For more information on how to add or modify firewall services, see “Adding New Services”, 269.
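
    The two points above (pages 92 to 95) that rules are checked top to bottom and that a service is identified by its protocol and port are easy to state and easy to get wrong in a real table. The following is an added example, not F-Secure code and not the Internet Shield implementation: the Service, Rule and Packet records, the CIDR field and the sample rules are assumptions constructed to model the first-match behaviour the guide describes, and to show how a deny rule placed below a broader allow rule is never reached.

```python
"""First-match evaluation of a firewall rule table in the style of the
Internet Shield rules and services described in the guide.

Added example, not F-Secure code: Service, Rule and Packet are assumed
record shapes, and the rule table and packets below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str          # "tcp", "udp" or "icmp"
    port: Optional[int]    # None for protocols without ports (icmp)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    direction: str         # "in", "out" or "both"
    service: Service
    remote: str            # network the remote side must belong to (CIDR)


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    port: Optional[int]
    remote_ip: str


HTTP = Service("HTTP", "tcp", 80)
SMB = Service("SMB", "tcp", 445)

# Constructed rule table. The deny rule for the guest subnet sits BELOW an
# allow rule that already covers the whole LAN, so it can never fire.
RULES = [
    Rule("Allow HTTP out", "allow", "out", HTTP, "0.0.0.0/0"),
    Rule("Allow SMB in from LAN", "allow", "in", SMB, "192.168.1.0/24"),
    Rule("Deny SMB in from guest VLAN", "deny", "in", SMB, "192.168.1.128/25"),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet's direction, service and remote address fit the rule."""
    if rule.direction != "both" and rule.direction != pkt.direction:
        return False
    if rule.service.protocol != pkt.protocol:
        return False
    if rule.service.port is not None and rule.service.port != pkt.port:
        return False
    return ip_address(pkt.remote_ip) in ip_network(rule.remote)


def evaluate(rules: List[Rule], pkt: Packet,
             default: str = "deny") -> Tuple[str, Optional[str]]:
    """Walk the table top to bottom; the first matching rule decides.

    A packet that matches no rule gets the default action. For unsolicited
    traffic that should be deny; replies to the host's own connections are
    handled by the firewall's connection tracking, not by this table.
    """
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, None


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire.

    Conservative check: a rule is reported when an earlier rule has the
    same service, covers its direction and has the same or a wider remote
    network, so every packet the later rule could match is already decided
    higher in the table.
    """
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            same_dir = earlier.direction in ("both", later.direction)
            covers = ip_network(earlier.remote).supernet_of(ip_network(later.remote))
            if same_dir and earlier.service == later.service and covers:
                shadowed.append(later.name)
                break
    return shadowed


if __name__ == "__main__":
    guest_smb = Packet("in", "tcp", 445, "192.168.1.200")
    print(evaluate(RULES, guest_smb))          # allowed: the LAN rule matches first
    print(shadowed_rules(RULES))                # the guest deny rule is dead
    fixed = [RULES[2], RULES[0], RULES[1]]      # move the deny above the allow
    print(evaluate(fixed, guest_smb))           # now denied
```

    Run `shadowed_rules` over a table before distributing it: a rule it reports will never change a verdict, and when that rule is a deny the hosts are more open than the table suggests. Moving the narrower deny above the broader allow, as the `fixed` ordering does, is the usual correction.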
  • Page 96 Application Control Figure 3-18 Settings > Application Control Application Rules for Known Applications The Application Control page displays a list of known applications and the rules defined for them for inbound and outbound connection attempts. Unknown Applications Reported by Hosts The Unknown Applications Reported by Hosts list displays applications that the hosts have reported and for which no rules exist yet.
  • Page 97 CHAPTER 3 On this page you can also: Select the default action for client applications. Select the default action for server applications. Select whether new applications are reported to you by selecting the Report new unknown applications check box. Message for User The Message for Users section contains the following options: Show default messages for unknown applications can be used to select whether users see default messages on unknown...
  • Page 98 Alert Sending Figure 3-19 Settings > Alert Sending General In the General section you can: Select the alerting language. E-mail Alert Sending Define the E-mail server address (SMTP). Define the E-mail sender address and E-mail subject to be used when forwarding alerts by e-mail.
  • Page 99 The Alert Forwarding table can be used to configure where the alerts that are of certain severity are to be forwarded. For examples on how to configure Anti-Virus alert forwarding, see “Configuring F-Secure Client Security Alert Sending”, 190. For examples on how to configure Internet Shield alert forwarding see “Configuring Internet Shield Rule...
  • Page 100 The General section contains the following options: Allow users to change all settings... This option makes all the settings throughout the F-Secure Policy Manager Anti-Virus and Advanced Mode user interface non-final, which means that users are allowed to change any setting.
  • Page 101 CHAPTER 3 This option makes all the settings throughout the F-Secure Policy Manager Anti-Virus and Advanced Mode user interface final, which means that users are not allowed to change any setting. For more information on final settings, see “Settings Inheritance”, 120.
  • Page 102: Status Tab

    Status Tab The different pages in Status tab display detailed information on the status of certain components of centrally managed F-Secure Client Security applications. If you select a domain in the Policy Domains tab, the Status tab displays the status of all hosts in that domain. If a single host is selected, the Status tab displays the status of that host.
  • Page 103 CHAPTER 3 Context Menu on Status Tab Figure 3-21 The context menu that you can open by right-clicking a row By right-clicking any row on Status tab page you can access a context menu that contains the following options: Copy as Text copies the currently selected row(s) and column headings from the table as text.
  • Page 104 The date and time when virus definitions were last updated Virus definitions version The date and time when virus definitions on F-Secure Gateway (GW) products were last updated Virus definitions version on F-Secure Gateway products The date and time when spyware definitions were last updated...
  • Page 105 F-Secure Policy Manager. The virus definitions date and version information is also displayed for hosts that have F-Secure Anti-Virus for Citrix Servers, F-Secure Anti-Virus for Windows Servers, F-Secure Internet Gatekeeper or F-Secure Anti-Virus for Microsoft Exchange installed.
  • Page 106 Internet Shield Figure 3-24 Status > Internet Shield page The Internet Shield page displays the following information: Latest attack date and time in the Latest Attack Timestamp column; Latest attack service; Latest attack source; Recent attacks (this column can be sorted by clicking on the column header); Recent attacks reset time.
  • Page 107 Figure 3-25 Status > Installed Software The Installed Software page displays a summary of the software installed on the host(s): the F-Secure Client Security software version (including the build number and possible hotfixes); the list of Anti-Spyware hotfixes; whether Internet Shield is installed...
  • Page 108 Policy file counter; this is the number of the policy file currently in use at the host. The date when the last statistics update has been sent to the F-Secure Policy Manager Whether the host is disconnected (this column can be sorted by clicking on the column header) The number of new security alerts The number of new fatal errors.
  • Page 109 CHAPTER 3 Host Properties Figure 3-27 Status > Host Properties The Host Properties page displays the following information for each host: The WINS name of the host The IP address of the host The DNS name of the host The operating system of the host.
  • Page 110: Alerts Tab

    3.3.5 Alerts Tab Figure 3-28 Alerts tab The Alerts tab displays alerts from the selected host(s) and domain(s). It can also be used to manage the alert reports. The Alerts tab displays the following information for each alert: severity (see “Viewing Alerts”, 226 for more information) date and time...
  • Page 111 When an alert is selected in the alert list, the lower half of the page displays more specific information about the alert: product, severity, originating host, and so on. F-Secure Client Security scanning alerts may also have an attached report. This report will be displayed in the lower half of the page.
  • Page 112: Reports Tab

    3.3.6 Reports Tab Figure 3-29 Reports tab The Reports tab displays virus scanning reports from the selected host(s) and domain(s). It can also be used to manage the scanning reports. The Reports tab displays the following information about each report: severity date and time description...
  • Page 113: Installation Tab

    CHAPTER 3 For more information on how alerts can be used for monitoring, see “Viewing Scanning Reports”, 225. 3.3.7 Installation Tab Figure 3-30 Installation tab The Installation tab is the first one that opens when the Policy Manager Console is installed.
  • Page 114 NT domain browse list of the Autodiscover view. Import autoregistered hosts...: Hosts send autoregistration messages to F-Secure Policy Manager whenever the first product is installed to the hosts. These new hosts are taken under policy management by importing them to the policy domain tree.
  • Page 115: Operations Tab

    CHAPTER 3 3.3.8 Operations Tab Figure 3-31 Operations tab The Operations tab contains two operations: Update Virus Definitions Operation: with this operation you can order the selected hosts or all hosts in the selected domain to get new virus definitions at once. Scan for Viruses and Spyware...: with this operation you can order the selected...
  • Page 116: Toolbar

    Toolbar The toolbar contains buttons for the most common F-Secure Policy Manager Console tasks. Saves the policy data. Distributes the policy. Go to the previous domain or host in the domain tree selection history. Go to the next domain or host in the domain tree selection history.
  • Page 117: Menu Commands

    Displays available installation packages. Updates the virus definition database. Displays all alerts. The icon is highlighted if there are new alerts. When you start F-Secure Policy Manager Console, the icon is always highlighted. Menu Commands...
  • Page 118 Saves policy data with a specified name. Distribute Policies Distributes the policy files. Export Host Policy File Exports the policy files. Exit Exits F-Secure Policy Manager Console. Edit Cuts selected items. Paste Pastes items to selected location. Delete Deletes selected items.
  • Page 119 Manually refreshes all data affecting the interface: policy, status, alerts, reports, installation packages, and autoregistration requests. Tools Installation Packages Displays Installation Packages info in a dialog box. Change Passphrase Changes login passphrase (the passphrase protecting the F-Secure Policy Manager Console private key).
  • Page 120: Settings Inheritance

    The settings in F-Secure Policy Manager Console can either be inherited from a higher level in the policy domain structure, or they may have been changed on the current level.
  • Page 121 CHAPTER 3 When necessary, settings can be defined as final, which means that the users are not allowed to change them. Final always forces the policy: the policy variable overrides any local host value, and the end user cannot change the value as long as the Final restriction is set. If the settings have not been defined as final, the users are allowed to change them.
  • Page 122: How Settings Inheritance Is Displayed On The User Interface

    3.6.1 How Settings Inheritance is Displayed on the User Interface Inherited settings and settings that have been redefined on the current level are displayed in different ways on the Policy Manager user interface. A closed lock means that the user cannot change the setting, because it has been defined as final.
  • Page 123: Locking And Unlocking All Settings On A Page At Once

    Clears all the settings that have been redefined on the current page and restores the default or inherited values. For more information on locking and unlocking all settings throughout the F-Secure Policy Manager user interface, see also “Centralized Management”, 100 and “Preventing Users from Changing Settings”, 189.
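The inheritance and Final rules described in this section, as an added worked example (not F-Secure's code and not the product's internal data model): a policy path from the root domain down to a host is walked top to bottom, a setting not redefined at a level is inherited from above, and a Final setting forces the policy value over whatever the end user set locally. The domain names, setting names and the rule that a Final lock cannot be re-opened further down the tree are this example's assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class PolicyLevel:
    """One node on the path root -> subdomain -> ... -> host: the settings it
    redefines and which of those it marks as final."""
    name: str
    redefined: dict = field(default_factory=dict)   # setting -> value set at this level
    final: set = field(default_factory=set)          # settings locked (final) at this level


def resolve_setting(chain, setting, local_value=None):
    """Return (effective_value, defined_at, user_may_change) for one setting.

    chain       -- PolicyLevel objects ordered from the root domain down to the host
    local_value -- the value the end user set in the local user interface, or None

    Rules from the guide: a value not redefined at a level is inherited from above;
    a final setting always forces the policy value over any local host value and
    the end user cannot change it. Assumption of this example: once a level marks
    a setting final, redefinitions at lower levels are ignored.
    """
    value, defined_at, locked = None, None, False
    for level in chain:
        if locked:
            break                      # lower levels cannot re-open a final setting
        if setting in level.redefined:
            value, defined_at = level.redefined[setting], level.name
        if setting in level.final:
            locked = True
    if locked:
        return value, defined_at, False    # policy wins, the local value is discarded
    if local_value is not None:
        return local_value, "local host", True
    return value, defined_at, True


def clear_redefinitions(level, settings):
    """Model of the 'clear' action on a settings page: drop the redefinitions
    (and their locks) on this level so the inherited values apply again."""
    for setting in settings:
        level.redefined.pop(setting, None)
        level.final.discard(setting)


# Constructed sample tree (assumed names and settings, not from the guide).
ROOT = PolicyLevel("Root",
                   redefined={"real_time_scanning": True, "scan_network_drives": False},
                   final={"real_time_scanning"})
LAPTOPS = PolicyLevel("Root/Laptops",
                      redefined={"real_time_scanning": False,   # ignored: final at Root
                                 "scan_network_drives": True})
CHAIN = [ROOT, LAPTOPS]

if __name__ == "__main__":
    for name in ("real_time_scanning", "scan_network_drives"):
        print(name, resolve_setting(CHAIN, name, local_value=False))
```

The point to check in your own tree is the first result: a subdomain that "turns off" a setting locked as final at a higher level has no effect, and neither does the end user's local change, so the lock is the control to audit when you need a setting enforced.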
  • Page 124: Settings Inheritance In Tables

    3.6.3 Settings Inheritance in Tables The Firewall Security Levels Table and the Firewall Services Table are so-called global tables, which means that all computers in the domain have the same values. However, different subdomains and different hosts may have different security levels enabled. In tables the default values derived from MIBs are displayed as grey.
  • Page 125: Chapter 4 Setting Up The Managed Network

    SETTING UP THE MANAGED NETWORK Overview................... 126 Logging in for the First Time............. 126 Creating the Domain Structure ..........130 Adding Hosts ................132 Local Installation............... 156 Installing on an Infected Host ........... 158 How to Check That the Management Connections Work..159...
  • Page 126: Overview

    Overview This chapter describes how to plan the managed network and what the best ways are to deploy F-Secure Client Security in different types of environments. F-Secure Policy Manager offers you several ways to deploy F-Secure Client Security in your company:...
  • Page 127: Logging In

    CHAPTER 4 4.2.1 Logging In When you start F-Secure Policy Manager Console, the following dialog box will open. Click Options to expand the dialog box to include more options. Figure 4-1 F-Secure Policy Manager Console Login dialog The dialog box can be used to select defined connections. Each connection has individual preferences, which makes it easier to manage many servers with a single F-Secure Policy Manager Console instance.
  • Page 128 2. Host connection status controls when hosts are considered disconnected from F-Secure Policy Manager. All hosts that have not contacted F-Secure Policy Manager Server within the defined interval are considered disconnected. The disconnected hosts will have a notification icon in the domain tree and they will appear beside the Disconnected Hosts in the Summary tab.
  • Page 129 CHAPTER 4 3. Note that it is possible to define an interval that is shorter than one day by simply typing in a floating point number in the setting field. For example, with a value of "0.5" all hosts that have not contacted the server within 12 hours are considered disconnected.
  • Page 130: Creating The Domain Structure

    Creating the Domain Structure If you want to use different security policies for different types of hosts (laptops, desktops, servers), for users in different parts of the organization or users with different levels of computer knowledge, it is a good idea to plan the domain structure based on these criteria.
  • Page 131 Figure 4-4 An example of a policy domain: country offices as sub-domains A third possibility is to group the hosts into subdomains based on the installed F-Secure Client Security version. You could, for example, group hosts that have F-Secure Client Security 6.x installed into one sub-domain, and hosts that have F-Secure Client Security 7.x installed...
  • Page 132: Adding Policy Domains And Subdomains

    The main methods of adding hosts to your policy domain, depending on your operating system are as follows: Import hosts directly from your Windows domain and install F-Secure Client Security on them remotely. Import hosts through autoregistration after F-Secure Client Security has been installed on them locally.
  • Page 133: Windows Domains

    ‘Autodiscover Windows hosts’ from the Installation tab in F-Secure Policy Manager Console. Note that this also installs F-Secure Client Security on the imported hosts. In order to import hosts from a Windows domain, select the target domain, and choose ‘Autodiscover Windows hosts’...
  • Page 134 Figure 4-5 Import Autoregistered Hosts dialog > Autoregistered Hosts tab The Autoregistration view offers a tabular view to the data which the host sends in the autoregistration message. This includes the possible custom autoregistration properties that were included in the remote installation package during installation (see step 6 in Using the Customized Remote Installation JAR Package...
  • Page 135 CHAPTER 4 Autoregistration Import Rules Figure 4-6 Import Autoregistered Hosts dialog > Import Rules tab...
  • Page 136 You can define the import rules for the autoregistered hosts on the Import Rules tab in the Import Autoregistered Hosts window. You can use the following as import criteria in the rules: WINS name, DNS name, Dynamic DNS name, Custom Properties These support * (asterisk) as a wildcard.
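Import rules with an asterisk wildcard, as an added worked example (not F-Secure's code): each rule names the target policy domain and a pattern per criterion (WINS name, DNS name, Dynamic DNS name, custom properties), and a host from the autoregistration view is imported into the domain of the first rule it matches. The rule order, the "first match wins" behaviour, the case-insensitive comparison and all host and domain names below are this example's assumptions; the guide lists only the criteria and the wildcard.

```python
import re
from dataclasses import dataclass, field


def wildcard(pattern):
    """Compile an import-rule pattern: '*' matches any run of characters,
    everything else is literal; names compare case-insensitively (assumption)."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


@dataclass
class ImportRule:
    target_domain: str                            # policy domain to import the host into
    wins_name: str = "*"
    dns_name: str = "*"
    dynamic_dns_name: str = "*"
    custom: dict = field(default_factory=dict)    # custom property name -> pattern


@dataclass
class AutoregisteredHost:
    """Fields a host sends in its autoregistration message (simplified model)."""
    wins_name: str
    dns_name: str = ""
    dynamic_dns_name: str = ""
    custom: dict = field(default_factory=dict)    # custom properties from the install package


def rule_matches(rule, host):
    if not wildcard(rule.wins_name).match(host.wins_name):
        return False
    if not wildcard(rule.dns_name).match(host.dns_name):
        return False
    if not wildcard(rule.dynamic_dns_name).match(host.dynamic_dns_name):
        return False
    for prop, pattern in rule.custom.items():
        # A custom property the host did not send never matches a rule that needs it.
        if prop not in host.custom or not wildcard(pattern).match(host.custom[prop]):
            return False
    return True


def assign_hosts(rules, hosts):
    """Return ({target_domain: [wins names]}, [unmatched wins names]).
    Assumption: rules are tried in list order and the first match wins; hosts
    that no rule matches are left for the administrator to import by hand."""
    assigned, unmatched = {}, []
    for host in hosts:
        for rule in rules:
            if rule_matches(rule, host):
                assigned.setdefault(rule.target_domain, []).append(host.wins_name)
                break
        else:
            unmatched.append(host.wins_name)
    return assigned, unmatched


# Constructed sample rules and autoregistered hosts (not from the guide).
RULES = [
    ImportRule("Root/Sales", custom={"unit": "sales"}),
    ImportRule("Root/Helsinki", dns_name="*.hel.example.com"),
    ImportRule("Root/Servers", wins_name="SRV-*"),
]
HOSTS = [
    AutoregisteredHost("LT-0042", "lt-0042.hel.example.com", custom={"unit": "Sales"}),
    AutoregisteredHost("LT-0043", "lt-0043.hel.example.com"),
    AutoregisteredHost("SRV-DB01", "srv-db01.ldn.example.com"),
    AutoregisteredHost("KIOSK-7"),
]

if __name__ == "__main__":
    print(assign_hosts(RULES, HOSTS))
```

Note that the host supplies every value these rules match on, including the custom properties baked into the installation package. A rule that routes hosts into a domain with a relaxed policy should therefore key on something the host owner cannot set freely, or the unmatched queue should be reviewed by hand.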
  • Page 137 ). This operation is useful in the following cases: Learning and testing – You can try out a subset of F-Secure Policy Manager Console features without actually installing any software in addition to F-Secure Policy Manager Console. For example, you can create test domains and hosts, and try out policy inheritance features.
  • Page 138: F-Secure Push Installations

    You need to have administrative rights to push install applications on hosts. Before Installing the Hosts Before you start to install F-Secure Client Security on hosts, you should make sure that there are no conflicting antivirus or firewall applications installed on them.
  • Page 139 CHAPTER 4 McAfee Personal Firewall Express, version 4.5 McAfee VirusScan 4.05 NT McAfee VirusScan Enterprise 7.0 McAfee VirusScan Enterprise 7.1 McAfee VirusScan Home Edition 7.0.2.6000 McAfee VirusScan Professional Edition 7.0 McAfee VirusScan Professional/Personal Edition 7.02.6000 Microsoft AntiSpyware, beta 1.0 version NAI ePolicy Orchestrator Agent 2000, version 2.0.0.376 NAI ePolicy Orchestrator Agent 3000, versions 3.1.1.184 and 3.5.0.412...
  • Page 140 Symantec Live Update 1.8 (for Symantec AntiVirus Corporate Edition) Symantec Live Update 2.0.39.0 (for Symantec AntiVirus Corporate Edition) Symantec Live Update 2.6.18.0 (for Symantec AntiVirus Corporate Edition) Symantec Norton AntiVirus Corporate Edition 7.6.0.0000 Trend Micro Internet Security 2004, version 11.10.1299 Trend Micro Officescan Corporate Edition, version 5.5 Trend Micro Officescan, version 5.02 (only when installed on Windows 2000)
  • Page 141 CHAPTER 4 Autodiscover Windows Hosts To install: 1. Select the policy domain for the hosts to which you will install F-Secure Client Security. 2. Open the Edit menu and select Autodiscover Windows Hosts (alternatively, click the button). 3. From the NT Domains list, select one of the domains and click Refresh.
  • Page 142 F-Secure applications installed. Resolve hosts with all details (slower) With this selection, all details about the hosts are shown, such as the versions of the operating system and F-Secure Management Agent. Resolve host names and comments only (quicker) If all hosts are not shown in the detailed view or it takes too much time to retrieve the list, this selection can be used.
  • Page 143 Next to continue. You can click Browse to check the F-Secure Management Agent version(s) on the host(s). 4. After you have selected your target hosts, continue to “Push Installation After Target Host Selection”, 143 for instructions on push-installing the applications to hosts.
  • Page 144 1. Select the installation package, and click Next to continue. 2. Select the products to install. You can choose to force reinstallation if applications with the same version number already exist. Click Next to continue. 3. Choose to accept the default policy, or specify which host or domain policy should be used as an anonymous policy.
  • Page 145 CHAPTER 4 4. Choose the user account and password for the push installation. Push Installation requires administrator rights for the target machine during the installation. If the account you entered does not have administrator rights on one of the remote hosts, an “Access denied”...
  • Page 146 In the final dialog box, click Finish, and go to the next step. 6. F-Secure Policy Manager installs F-Secure Management Agent and the selected products on the hosts. During this process, the Status line will display the procedure in process. You can click...
  • Page 147: Policy-Based Installation

    F-Secure Management Agent installed. F-Secure Policy Manager Console creates an operation-specific installation package, which it stores on the F-Secure Policy Manager Server, and writes an installation task to the base policy files (thus, policy distribution is required to start installations). Both base policy files and the installation package are signed by the management key-pair so that only genuine information is accepted by the hosts.
  • Page 148 The Installation Editor contains the following information about the products that are installed on your target policy domain or host: Product Name Name of the product, which is either installed on a host or domain, or which can be installed with an available installation package.
  • Page 149 Installation Editor launches the Installation Wizard, which queries the user for the installation parameters. The Installation Editor then prepares a distribution installation package that is customized for the specific installation operation. The new package is saved on F-Secure Policy Manager Server. Start button is used to start the installation operations selected in the Version to Install field.
  • Page 150 Because the installation operation uses policy-based triggering, you must distribute new policy files. The policy file will contain an entry that tells the host to fetch the installation package and perform the installation. Note that it may take a considerable length of time to carry out an installation operation.
  • Page 151: Local Installation And Updates With Pre-Configured Packages

    For example, if uninstalling F-Secure Anti-Virus and F-Secure Management Agent: 1. Uninstall F-Secure Anti-Virus 2. Wait for F-Secure Policy Manager Console to report the success or failure of the uninstallation. 3. If F-Secure Anti-Virus was uninstalled successfully, uninstall F-Secure Management Agent.
  • Page 152 4. Specify the file format, JAR or MSI, and the location where you want to save the customized installation package. Click Export. 5. Select the products you want to install (F-Secure Management Agent will be installed by default). Click Next to continue.
  • Page 153 7. A summary page shows your choices for the installation. Review the summary and click Start to continue to the installation wizard. 8. F-Secure Policy Manager Console displays the Remote Installation Wizard that collects all necessary setup information for the selected products. a. Read the Remote Installation Wizard Welcome Screen.
  • Page 154 standard host identification properties in the Autoregistration view. The custom property name will be the column name, and the value will be presented as a cell value. One example of how to utilize custom properties is to create a separate installation package for different organizational units, which should be grouped under unit-specific policy domains.
  • Page 155 ILAUNCHR has the following command line parameters: /U — Unattended. No messages are displayed, even when a fatal error occurs. /F — Forced installation. Completes the installation even if F-Secure Management Agent is already installed. Enter ILAUNCHR /? at the command line to display complete help.
  • Page 156: Local Installation

    If the parameter /checkFSMA is not used, the installation will be run every time runsetup.exe is executed. Local Installation This section contains system requirements for F-Secure Client Security and information on providing a copy of the Admin.pub key file to workstations.
  • Page 157: Local Installation System Requirements

    Providing a Copy of the Admin.pub Key File to Workstations When setting up workstations, you must provide them with a copy of the Admin.pub key file (or access to it). If you install the F-Secure products on the workstations remotely with F-Secure Policy Manager, a copy of the...
  • Page 158: Installing On An Infected Host

    Administrator’s Guide. Installing on an Infected Host If the host on which you are going to install F-Secure Client Security is infected with some variant of the Klez virus, you should run the Klez removal tool on the host before starting the installation. This is because the Ilaunchr.exe installation tool cannot be run on a computer that is...
  • Page 159: How To Check That The Management Connections Work

    CHAPTER 4 How to Check That the Management Connections Work 1. Check the Policy Distribution Status on the Summary tab. Save and distribute the policies if necessary. 2. Go to the Status tab and select Centralized Management page. Check the timestamp and counter of the policy file currently in use.
  • Page 160: Chapter 5 Configuring Virus And Spyware Protection

    Configuring E-mail Scanning............ 173 Configuring Web Traffic (HTTP) Scanning ....... 178 Configuring Spyware Scanning ..........181 Preventing Users from Changing Settings ....... 189 Configuring F-Secure Client Security Alert Sending....190 Monitoring Viruses on the Network........... 192 Testing your Antivirus Protection ..........192...
  • Page 161: Overview: What Can Virus And Spyware Protection Be Used For

    CHAPTER 5 Overview: What can Virus and Spyware Protection be Used for? The Virus and Spyware Protection in F-Secure Client Security consists of Automatic Updates, Manual Scanning, Scheduled Scanning, Real-Time Scanning, Spyware Scanning, System Control, Rootkit Scanning, E-Mail Scanning, Web Traffic Scanning, Outbreak Management and the Virus News service.
  • Page 162: Configuring Automatic Updates

    Configuring Automatic Updates This section explains the different configuration settings available for Automatic Updates in F-Secure Policy Manager, and gives some practical configuration examples for hosts with different protection needs. By following these instructions you can always keep the virus and spyware definitions on hosts up-to-date, and choose the best update source based on user needs.
  • Page 163: How Do Automatic Updates Work

    Specify the update polling interval in the Interval for polling Updates from F-Secure Policy Manager field. Policy Manager Proxy is a list of F-Secure Policy Manager Proxy servers available to you. The Automatic Update Agent installed with F-Secure Client Security connects to them in the priority order specified in this...
  • Page 164: Configuring Automatic Updates From Policy Manager Server

    3. Make sure that Enable automatic updates is selected. 4. Make sure that the polling interval defined in Interval for polling updates from F-Secure Policy Manager is suitable for your environment. 5. If you want to use HTTP Proxies, check that the Use HTTP Proxy and HTTP proxy address settings are suitable for your environment.
  • Page 165: Configuring Policy Manager Proxy

    Policy Manager Proxy in the office where the host is normally located, and 20, 30 and so on for the other Proxies. 6. Enter the URL of the F-Secure Policy Manager Proxy in the Server address text box. Then click OK.
  • Page 166: Configuring Real-Time Scanning

    10. Click to save the policy data. 11. Click to distribute the policy. End users can also add Policy Manager Proxies to the list in the local user interface, and the host uses a combination of these two lists when downloading virus and spyware definitions updates. Policy Manager Proxies added by end users are tried before those added by the administrator. Configuring Real-Time Scanning...
  • Page 167 Scan network drives Select this check box to scan files that you access on network drives. IMPORTANT: In F-Secure Client Security 6.0 the Scan network drives setting is disabled by default. Scan when created or modified Normally files are scanned when they are opened for reading or executing.
  • Page 168 Quarantine repository. File Extension Handling F-Secure Client Security has a list of included extensions defined in the policy (this can be ‘all files’). ‘Included extensions’ can also be part of a virus definitions update. These included extensions are first combined by F-Secure Client Security, and then any ‘excluded extensions’...
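The extension-handling order described above, as an added worked example (not F-Secure's code): the included extensions from the policy are combined with those delivered by a definitions update, and only then are the excluded extensions removed, so an exclusion wins even over an extension a definitions update added. The sample extension sets and the rule that the extension is the text after the last dot are this example's assumptions.

```python
import os


def _normalise(extensions):
    return {e.lower().lstrip(".") for e in extensions}


def effective_included(policy_included, update_included, scan_all_files=False):
    """Combine the 'included extensions' from the policy with those delivered by a
    virus definitions update. Returns None when the policy says 'all files'."""
    if scan_all_files:
        return None
    return _normalise(policy_included) | _normalise(update_included)


def should_scan(path, policy_included, update_included, excluded, scan_all_files=False):
    """Decide whether real-time scanning looks at this file, in the order the guide
    describes: build the included set first, then remove 'excluded extensions'.
    Assumption of this example: the extension is the text after the last dot,
    compared case-insensitively, and a file without an extension is scanned only
    when the policy says 'all files'."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    if ext and ext in _normalise(excluded):
        return False                       # exclusion wins, whatever added the extension
    included = effective_included(policy_included, update_included, scan_all_files)
    if included is None:
        return True                        # 'all files' minus the exclusions
    return bool(ext) and ext in included


# Constructed sample sets (assumptions, not the product's defaults).
POLICY_INCLUDED = {"exe", "dll", "com", "scr"}
UPDATE_INCLUDED = {"pst", "js"}             # imagine a definitions update added these
EXCLUDED = {"pst", "log"}                   # e.g. the Outlook .pst exclusion from the guide

if __name__ == "__main__":
    for name in ("invoice.PDF.exe", "outlook.pst", "page.js", "README", "app.log"):
        print(name, should_scan(name, POLICY_INCLUDED, UPDATE_INCLUDED, EXCLUDED))
```

The case worth noticing is outlook.pst: because exclusions are applied last, the file stays unscanned even after a definitions update starts including .pst, so keep the excluded list short and review it when you change the included list.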
  • Page 169: Enabling Real-Time Scanning For The Whole Domain

    CHAPTER 5 Real-time Spyware Scanning For information on setting up Spyware scanning and examples of configuring Spyware Scanning, see “Configuring Spyware Scanning”, 181. 5.3.2 Enabling Real-Time Scanning for the Whole Domain In this example Real-Time Scanning is enabled for the whole domain. 1.
  • Page 170: Excluding Microsoft Outlook's .Pst File From Real-Time Scanning

    5. Select the action to take when an infected file is found from the File Scanning: Action on infection drop-down list. 6. Check that the other settings on this page are suitable for your system, and modify them if necessary. For more information on the other Real-Time Scanning settings, see “Configuring Real-Time Scanning”, 166...
  • Page 171: Configuring System Control

    CHAPTER 5 Configuring System Control F-Secure System Control is a new, host-based intrusion prevention system that analyzes the behavior of files and programs. It can be used to block intrusive ad pop-ups and to protect important system settings, as well as Internet Explorer settings against unwanted changes.
  • Page 172: Configuring Rootkit Scanning

    To enable ActiveX protection, select the Prevent all ActiveX from running check box. ActiveX protection prevents the users’ web browsers from running ActiveX web applications. Some web sites may use ActiveX to install unwanted software on computers. However, there are also web pages which the users cannot view without ActiveX.
  • Page 173: Configuring E-Mail Scanning

    CHAPTER 5 3. In the Rootkit Scanning section, make sure that the Enable rootkit scanning check box is selected. 4. Select the Show suspicious items after full computer check check box. 5. Check that the other settings on this page are suitable, and modify them if necessary.
  • Page 174 You can select what to do when an infected e-mail message is detected. The following actions are available: Incoming e-mail scanning 1. Action on incoming infected attachment: Disinfect Attachment starts the disinfection wizard whenever an infected attachment is detected. Remove Attachment deletes the attachment. Report Only ignores the attachment but reports it to the administrator.
  • Page 175 CHAPTER 5 3. Action on malformed message parts: Drop Message Part deletes the message. Report Only ignores the malformed message part but reports it to the administrator. WARNING: The Report Only option is dangerous and should not be used in normal operation. To save the blocked e-mail messages in the end-users’...
  • Page 176: Enabling E-Mail Scanning For Incoming And Outgoing E-Mails

    For more information on virus alert and scanning error messages that can be displayed to end users when e-mail scanning is enabled, see “E-mail Scanning Alert and Error Messages”, 292. 5.6.2 Enabling E-mail Scanning for Incoming and Outgoing E-mails In this example e-mail scanning is enabled for both incoming and outgoing e-mails.
  • Page 177 CHAPTER 5 Step 4. Check the General Settings Check that the other settings on this page are suitable for your system, and modify them if necessary. For more information on the other E-mail Scanning settings, see “Configuring E-mail Scanning”, 173. Step 5.
  • Page 178: Configuring Web Traffic (Http) Scanning

    Configuring Web Traffic (HTTP) Scanning Web Traffic Scanning can be used to protect the computer against viruses in HTTP traffic. When enabled, it scans HTML files, image files, downloaded applications or executable files and other types of downloaded files. It removes viruses automatically from the downloads. You can also enable a notification flyer that is shown to the end-user every time Web Traffic Scanning has blocked viruses in web traffic and downloads.
  • Page 179: Enabling Web Traffic Scanning For The Whole Domain

    CHAPTER 5 5.7.2 Enabling Web Traffic Scanning for the Whole Domain In this example HTTP scanning is enabled for the whole domain. 1. Select Root in the Policy Domains tab. 2. Go to the Settings tab and select the HTTP Scanning page. 3.
  • Page 180 1. Click the button under the Trusted Sites table. This creates a new line in the table. 2. Click on the line you just created so that it becomes active, and type http://*.example.com/* . This excludes all sub-domains of example.com from web traffic scanning. 3. Click the button under the Trusted Sites table.
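A matcher for Trusted Sites entries such as http://*.example.com/*, as an added worked example (not F-Secure's code; the guide does not describe how the product itself interprets the wildcard). The example's own choices, stated here as assumptions, are that the asterisk in the host part cannot run past the first slash, that the asterisk in the path part matches anything, that the scheme must match literally, and that the comparison is made against the parsed host name rather than the raw URL text.

```python
import re
from urllib.parse import urlsplit


def compile_trusted_site(entry):
    """Compile one Trusted Sites entry into a regular expression.
    Assumptions: '*' in the host part matches within the host name only (no '/'),
    '*' in the path part matches anything, the scheme is literal, and an entry
    with no path at all ('http://host') stands for the whole site."""
    scheme, sep, rest = entry.partition("://")
    if not sep:
        raise ValueError("trusted site entry needs a scheme, e.g. http://...")
    host_pat, slash, path_pat = rest.partition("/")
    if not slash:
        path_pat = "*"
    host_re = r"[^/]*".join(re.escape(p) for p in host_pat.lower().split("*"))
    path_re = r".*".join(re.escape(p) for p in path_pat.split("*"))
    return re.compile("^" + re.escape(scheme.lower()) + "://" + host_re + "/" + path_re + "$")


def normalise_url(url):
    """Rebuild the URL from its parsed parts: lower-case scheme and host, user-info
    and port dropped, so 'http://www.example.com@attacker.net/' is seen as attacker.net."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return f"{parts.scheme.lower()}://{host}{path}"


def is_trusted(url, trusted_entries):
    target = normalise_url(url)
    return any(compile_trusted_site(entry).match(target) for entry in trusted_entries)


# Constructed sample list and URLs (assumptions, not from the guide).
TRUSTED = ["http://*.example.com/*"]

if __name__ == "__main__":
    for u in ("http://www.example.com/index.html",
              "http://example.com/",
              "http://attacker.net/www.example.com/",
              "http://www.example.com@attacker.net/",
              "https://www.example.com/"):
        print(u, is_trusted(u, TRUSTED))
```

Two things to check when you fill in the table: the entry from the guide covers sub-domains only, so http://example.com/ itself is not trusted unless you add it, and the entry is scheme-specific, so HTTPS traffic to the same hosts is still scanned.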
  • Page 181: Configuring Spyware Scanning

    Some spyware may be necessary to run ordinary applications, while most spyware is just malware and should not be allowed to run even once. By default, F-Secure Spyware Scanning is configured to allow all spyware to run. You can check whether you need to allow some spyware to run on your network before you tighten the security and prevent all new spyware from executing.
  • Page 182 From the Action on spyware drop-down list, you can select the action to take when spyware is detected. Choose one of the following actions: Report only: the spyware is reported only, but no action is taken. Ask after scan: the user is prompted to select what to do with the spyware.
  • Page 183 CHAPTER 5 Configure other spyware scanning options in advanced mode link takes you to the F-Secure Policy Manager Console Advanced Mode user interface, where other spyware scanning options can be configured. Manual Spyware Scanning To enable manual spyware scanning select the Scan for spyware during manual virus scanning check box.
  • Page 184 Spyware and Riskware Reported by Hosts The Spyware and Riskware Reported by Hosts table contains the following information: Spyware or Riskware Name: displays the name of the spyware object or riskware. Type: displays the spyware type. The type can be adware, data miner, dialer, malware, monitoring tool, porn dialer, riskware, vulnerability, worm, cookie (tracking cookie) or misc...
  • Page 185: Setting Up Spyware Control For The Whole Domain

    CHAPTER 5 The Spyware Reported by Hosts will be cleaned if you run a manual spyware scan on the hosts, as well as when quarantined spyware is removed periodically on the hosts. Default Spyware Handling If the Change spyware control to automatically quarantine all new spyware setting is selected, all new spyware that is not explicitly allowed by the administrator is quarantined automatically.
  • Page 186 Spyware Control also detects riskware. Riskware is any program that does not intentionally cause harm but can be dangerous if misused, especially if set up incorrectly. Examples of such programs are chat programs (IRC), or file transfer programs. If you want to allow the use of these programs in the managed domain, you should include them in the test environment and allow their use when you are checking and configuring rules for the applications in Spyware and Riskware Reported...
  • Page 187: Launching Spyware Scanning In The Whole Domain

    CHAPTER 5 Step 3. Changing Spyware Scanning to Quarantine Automatically Configuration Configure the Default Spyware Handling settings: 1. If you want to make sure that users cannot allow any spyware or riskware to run on their computers, make sure that Permit users to allow spyware is set to Not allowed.
  • Page 188: Allowing The Use Of A Spyware Or Riskware Component

    4. As the manual scanning task also includes manual virus scanning, check the settings in the Manual Virus Scanning section, and modify them if necessary. 5. Go to the Operations tab, and click the Scan for Viruses and Spyware button. Note that you have to distribute the policy for the operation to start.
  • Page 189: Preventing Users From Changing Settings

    CHAPTER 5 Preventing Users from Changing Settings If you want to make sure that the users cannot change some or any of the Virus Protection Settings, you can set these settings final. There are different possibilities for doing this: If you want to prevent users from changing a certain setting, click on the lock symbol beside it.
  • Page 190: Configuring F-Secure Client Security Alert Sending

    5.10.1 Setting F-Secure Client Security to Send Virus Alerts to an E-mail Address In this example all the security alerts that the managed F-Secure Client Security clients generate are forwarded to e-mail. Step 1.
  • Page 191 CHAPTER 5 <host>[:<port>] where "host" is the DNS-name or IP-address of the SMTP server, and "port" is the SMTP server port number. 2. Enter the sender’s address for e-mail alert messages in the E-mail sender address (From): field. 3. Enter the e-mail alert message subject in the E-mail subject: field. See the MIB help text for a list of possible parameters to use in the message subject.
  • Page 192: Monitoring Viruses On The Network

    Testing your Antivirus Protection To test whether F-Secure Client Security operates correctly, you can use a special test file that is detected by F-Secure Client Security as though it were a virus. This file, known as the EICAR Standard Anti-Virus Test File, is also detected by several other anti-virus programs.
  • Page 193 MS-DOS ASCII format. Note also that the third character of the extension is an upper-case O, not numeral 0. 3. Now you can use this file to see what it looks like when F-Secure Client Security detects a virus. Naturally, the file is not a virus. When executed without any virus protection, EICAR.COM displays the text...
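A check for the test file described above, as an added example (not F-Secure's code): it validates that a candidate EICAR.COM is plain ASCII, is exactly the published 68-character test string (trailing whitespace, which the EICAR specification allows, is tolerated), and catches the mistake the guide warns about, a digit zero typed in place of the upper-case letter O. The test string and its SHA-256 digest are the public EICAR values; the function names are this example's.

```python
import hashlib

# The published EICAR test string, built from two halves so no single source
# line is a verbatim copy. The third character is the letter O, not the digit 0.
EICAR_TEST_STRING = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_problems(data):
    """Return a list of problems with a candidate EICAR.COM file; an empty list
    means the file is the genuine 68-byte test file (optionally followed by
    whitespace, which the EICAR specification permits)."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return ["file is not plain ASCII (saved as Unicode/UTF-16 or with an encoding prefix?)"]
    body = text.rstrip(" \t\r\n")
    problems = []
    if len(body) != 68:
        problems.append(f"expected 68 characters before trailing whitespace, got {len(body)}")
    if len(body) > 2 and body[2] == "0":
        problems.append("third character is the digit 0; it must be the upper-case letter O")
    if hashlib.sha256(body.encode("ascii")).hexdigest() != EICAR_SHA256:
        problems.append("content does not match the published EICAR test string")
    return problems


def write_eicar(path):
    """Write EICAR.COM the way the guide describes: plain ASCII, no encoding prefix,
    nothing but the 68 characters."""
    with open(path, "wb") as f:
        f.write(EICAR_TEST_STRING.encode("ascii"))


if __name__ == "__main__":
    print(eicar_problems(EICAR_TEST_STRING.encode("ascii")))          # []
    wrong = EICAR_TEST_STRING[:2] + "0" + EICAR_TEST_STRING[3:]
    print(eicar_problems(wrong.encode("ascii")))
```

Run the check on the file you actually saved, not on the string in your editor: a file saved as UTF-16 or with a byte-order mark will decode differently and is a common reason a "test virus" is silently not detected. Expect real-time scanning to react the moment write_eicar() creates the file, which is the behaviour the guide is asking you to confirm.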
  • Page 194 CONFIGURING INTERNET SHIELD Overview: What can Internet Shield be Used for?....195 Configuring Internet Shield Security Levels and Rules .... 198 Configuring Network Quarantine ..........203 Configuring Internet Shield Rule Alerts ........205 Configuring Application Control ..........209 How to use Alerts for Checking that Internet Shield Works?..217 Configuring the Intrusion Prevention ........
  • Page 195: Overview: What Can Internet Shield Be Used For

    For detailed explanations of different security levels, see “Global Firewall Security Levels”, 195. 6.1.1 Global Firewall Security Levels The Global Firewall Security levels that exist in the F-Secure Internet Shield are: Network quarantine If the Network Quarantine feature is enabled, this security level will be automatically selected when the network quarantine criteria on the host are met.
  • Page 196 Block all This security level blocks all network traffic. Mobile This security level allows normal web browsing and file retrievals (HTTP, HTTPS, FTP), as well as e-mail and Usenet news traffic. Encryption programs, such as VPN and SSH are also allowed. Everything else is denied and the denied inbound TCP traffic generates alerts.
  • Page 197: Security Level Design Principles

    CHAPTER 6 Disabled In this security level all network traffic, inbound and outbound, is allowed and no alerts are generated. Local rules cannot be created. 6.1.2 Security Level Design Principles Each security level has a set of pre-configured Firewall Rules. In addition, you can create new rules for all security levels for which the Filtering Mode Normal is displayed in the Firewall Security Levels table.
  • Page 198: Configuring Internet Shield Security Levels And Rules

    Configuring Internet Shield Security Levels and Rules This section explains how you can set and select the security levels based on the users' needs. In the practical configuration examples it is assumed that the managed hosts have been imported into the domain structure that was created in chapter 4, which means that, for example, laptops and desktops are located in their own subdomains.
  • Page 199: Configuring A Default Security Level For The Managed Hosts

    CHAPTER 6 You can verify that the new security level change has become effective by going to the Status tab and selecting the Overall Protection window. If the selected security level cannot be used for some reason, the default security level is used instead. The current default security level can be seen in the Global Security Levels table on the Firewall Security levels page.
  • Page 200: Adding A New Security Level For A Certain Domain Only

    6.2.3 Adding a New Security Level for a Certain Domain Only In this example a new security level with two associated rules is created. The new security level is added only for one subdomain and the hosts are forced to use the new security level. This subdomain contains computers that are used only for Internet browsing, and are not connected to the company LAN.
  • Page 201 CHAPTER 6 3. Click Add Before to add a rule that allows outbound HTTP traffic as the first one on the list. This opens the Firewall Rule Wizard. 4. In the Rule Type window select Allow as the rule type. 5.
  • Page 202 3. Disable the BrowserSecurity security level by clearing the Enabled check box beside it in the Firewall Security Levels table. 4. Select the subdomain where you want to use this security level in the Policy Domains tab. 5. Enable the BrowserSecurity security level by selecting the Enabled check box beside it in the Firewall Security Levels table.
  • Page 203: Configuring Network Quarantine

    CHAPTER 6 Configuring Network Quarantine Network Quarantine is an Internet Shield feature that makes it possible to restrict the network access of hosts that have very old virus definitions and/or that have Real-time Scanning disabled. Their normal access rights are automatically restored once the virus definitions are updated and/or Real-time Scanning is enabled again.
  • Page 204: Fine-Tuning Network Quarantine

    6. Click to save the policy data. 7. Click to distribute the policy. 6.3.3 Fine-Tuning Network Quarantine Network Quarantine is implemented by forcing hosts to the Network Quarantine security level, which has a restricted set of firewall rules. You can add new Allow rules to the firewall rules in the Network Quarantine security level to allow additional network access to hosts in Network Quarantine.
  • Page 205: Configuring Internet Shield Rule Alerts

    CHAPTER 6 Configuring Internet Shield Rule Alerts Internet Shield rule alerts can be used to get notifications if certain types of malware try to access the computers. It is possible to issue an alert every time a rule is hit or when illegal datagrams are received, which makes it easy to see what kind of traffic is going on in your system.
  • Page 206 Step 3. Specify Affected Hosts Choose whether to apply this rule to all connections or to selected connections only. You can either:
    - check the Any remote host option to apply the rule to all Internet connections,
    - check the All hosts on locally connected networks option to apply the rule to all connections from the local network, or
    - check the Specified remote hosts option to apply the rule to an IP address, a range of IP addresses or DNS addresses.
    A rule keyed on a DNS name is only as reliable as name resolution on the host, so prefer IP addresses or address ranges when the remote hosts are fixed.
  • Page 207 Network event: inbound service denied. 4. Enter a descriptive comment for the alert in the Alert comment: field. This comment is displayed in the F-Secure Client Security local user interface. 5. You can accept the default values for the rest of the fields in this window.
  • Page 208 You can also add a descriptive comment for the rule to help you understand the rule when it is displayed in the Firewall Rules Table. If you need to make any changes to the rule, click Back through the rule. If you are satisfied with your new rule, click Finish.
  • Page 209: Configuring Application Control

    CHAPTER 6 1. Select the subdomain for which you created the rule in the Policy Domains tab. 2. Go to the Summary tab, and check if any new security alerts are displayed for the domain. 3. To see the alert details, click View alerts by severity..
  • Page 210 How Application Control and System Control Work Together? When Application Control detects an outbound connection attempt, and when it is set to prompt the user to decide whether to allow or deny the connection, you can set Application Control to check from System Control whether the connection should be allowed.
  • Page 211: Application Control Configuration Settings

    CHAPTER 6 6.5.1 Application Control Configuration Settings The Application Control page displays the following information: Application Rules for Known Applications Application Displays the executable file name. Act as Client (out) The following actions are available: Deny, Allow, User Decision. See the explanations below. Act as Server (in) The following actions are available: Deny, Allow, User Decision.
  • Page 212: Setting Up Application Control For The First Time

    You can decide what happens when the application tries to connect to the network with the Default Action for client applications and Default action for server applications selections. The possible actions are: Action Deny Denies all of the application’s connections to the network.
  • Page 213 CHAPTER 6 3. Select Report from the Send notifications for new applications drop-down list, so that the new applications will appear on the Unknown Applications Reported by Hosts list. 4. Define the allow rules for these applications. For more information, see “Creating a Rule for an Unknown Application on Root Level”, 214.
  • Page 214: Creating A Rule For An Unknown Application On Root Level

    4. Click to distribute the policy. 6.5.3 Creating a Rule for an Unknown Application on Root Level In this example a rule will be created to deny the use of Internet Explorer 4. In this case it is assumed that it already appears on the Unknown Applications Reported by Hosts list.
  • Page 215: Editing An Existing Application Control Rule

    CHAPTER 6 Step 4. Select the Rule Target 1. Select the domain or host that the rule affects from the domains and hosts displayed in the window. If the target host or domain already has a rule defined for any of the applications affected by the rule, you are prompted to select whether to proceed and overwrite the existing rule at the host.
  • Page 216: Disabling Application Control Pop-Ups

    Step 2. Edit the Application Rule Type 1. Select the action to take when the application acts as a client and tries to make an outbound connection. In this case select Allow for Act as Client (out). 2. Select the action to take when the application acts as a server and an inbound connection attempt is made.
  • Page 217: How To Use Alerts For Checking That Internet Shield Works

    CHAPTER 6 1. Select Root in the Policy Domains tab. 2. Go to the Settings tab and select the Application Control page. On this page select: Allow from the Default action for server applications drop-down list. Allow from the Default action for client applications drop-down list.
  • Page 218: Configuring The Intrusion Prevention

    3. To start the creation of the new rule, click Add Before. This starts the Firewall Rule Wizard. 4. In the Rule Type window select Allow. 5. In the Remote hosts window select Any remote host. 6. In the Services window select Ping from the Service drop-down list, and both from the Directions drop-down list.
  • Page 219: Intrusion Prevention Configuration Settings

    CHAPTER 6 6.7.1 Intrusion Prevention Configuration Settings The Intrusion Prevention configuration settings can be found in the Intrusion Prevention section on the Firewall Security Levels page. Enable intrusion prevention If enabled, intrusion detection is used to monitor inbound traffic in order to find intrusion attempts.
  • Page 220: Configuring Ids For Desktops And Laptops

    What is a False Positive? A false positive is an alert that wrongly indicates that the related event has happened. In the F-Secure Client Security Internet Shield the alert text usually indicates this by using words like "probable" or "possible". These kinds of alerts should be eliminated or minimized.
  • Page 221 CHAPTER 6 3. Select the Enable intrusion detection check box. 4. Select Log without dropping from the Action on malicious packet: drop-down list. 5. Select Warning from the Alert severity: drop-down list. 6. Select 25% from the Detection sensitivity: drop-down list. Step 2.
  • Page 222 HOW TO CHECK THAT THE ENVIRONMENT IS PROTECTED Overview................... 223 How to Check the Protection Status from Outbreak Tab ..223 How to Check that all the Hosts Have the Latest Policy... 223 How to Check that the Server has the Latest Virus Definitions 224 How to Check that the Hosts have the Latest Virus Definitions 224 How to Check that there are no Disconnected Hosts....
  • Page 223: Overview

    1. Select Root in the Policy Domains tab. 2. Go to the Outbreak tab. It displays a list of F-Secure Virus News items, and shows how many hosts are protected against each virus. When you select a news item, detailed information about that virus is displayed.
  • Page 224: How To Check That The Server Has The Latest Virus Definitions

    4. On the Centralized Management page you can see which of the hosts do not have the latest policy. You can also see the possible reasons for this: for example, the host is disconnected or there has been a fatal error at the host. How to Check that the Server has the Latest Virus Definitions 1.
  • Page 225: How To Check That There Are No Disconnected Hosts

    CHAPTER 7 How to Check that there are no Disconnected Hosts 1. Select Root in the Policy Domains tab. 2. Go to the Summary tab and check what is displayed in the Domain section beside Disconnected hosts. 3. If there are disconnected hosts, click View disconnected hosts..
  • Page 226: Viewing Alerts

    Viewing Alerts If there has been a problem with a program or with an operation, the hosts can send alerts and reports about it. It is a good idea to check regularly that there are no new alerts, and also to acknowledge (and delete) the alerts whose causes you have already troubleshot.
  • Page 227: Creating A Weekly Infection Report

    If you want to create a weekly infection report (or some other report to be generated at regular intervals), you have two options: F-Secure Policy Manager Web Reporting, a web based tool with which you can generate a wide range of graphical reports from F-Secure Client Security alerts and status information.
  • Page 228: Monitoring A Possible Network Attack

    7.10 Monitoring a Possible Network Attack If you suspect that there is a network attack going on in the local network, you can monitor it as follows: 1. Select the Root in the Policy Domains tab. 2. Go to the Summary tab. 3.
  • Page 229 UPGRADING SOFTWARE Overview: Upgrading Software..........230...
  • Page 230: Overview: Upgrading Software

    Installation Editor creates policy-based installation tasks that each host in the target domain will carry out after the next policy update. It is also possible to upgrade F-Secure Client Security by using any other installation scheme explained in “Adding Hosts”, 132...
  • Page 231 CHAPTER 8 Installed Version Version number of the product. If there are multiple versions of the product installed, all version numbers will be displayed. For hosts, this is always a single version number. Version to Install Version numbers of the available installation packages for the product.
  • Page 232 The Installation Editor then prepares a distribution installation package that is customized for the specific installation operation. The new package is saved on F-Secure Policy Manager Server. The Start button is used to start the installation operations selected in the Version to Install field.
  • Page 233 CHAPTER 8 operation from the policy by clicking Stop All. This will cancel the installation operations defined for the selected policy domain or host. It is possible to stop all installation tasks in the selected domain and all subdomains by selecting the Recursively cancel installation for subdomains and hosts option in the confirmation dialog.
  • Page 234 Viewing the Latest Scanning Report on a Local Host ..236 Adding a Scheduled Scan from a Local Host ....236 Logging and Log File Locations on Local Hosts ....237 Connecting to F-Secure Policy Manager and Importing a Policy File Manually ............241 Suspending Downloads and Updates......242...
  • Page 235: Overview

    Show report to view the report in your Web browser. When you perform a scan, F-Secure Client Security uses the manual scanning settings from the current Virus Protection level. You can see the scanning report also in the scanning report list on...
  • Page 236: Viewing The Latest Scanning Report On A Local Host

    Viewing the Latest Scanning Report on a Local Host The Virus & Spy Protection tab in the F-Secure Client Security user interface displays the scanning report status. If you have an unread report waiting, the status is shown as “New report available”. You can access the report by clicking View..
  • Page 237: Logging And Log File Locations On Local Hosts

    Advanced Mode user interface, see “Configuring Scheduled Scanning”, 258. Logging and Log File Locations on Local Hosts From the F-Secure Client Security local user interface you can access several log files that provide you with data about the network traffic. 9.5.1 LogFile.log LogFile.log contains all alerts that F-Secure Client Security has generated...
  • Page 238: Packet Logging

    The log format is binary and is compatible with the tcpdump format. It can be read either with the packet log viewer provided by F-Secure or with a common packet logging application like Ethereal (now Wireshark). 4. To view the packetlog file, double click it in the window.
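    Because the packet log is in tcpdump (pcap) format, it can be read without the F-Secure viewer. The following added example, not F-Secure's packet log viewer, is a minimal pcap reader: it detects the byte order from the magic number, walks the global header and every record, reports a log that ends mid-record (as a log still being written will), and decodes Ethernet/IPv4/TCP or UDP headers. That the log uses the Ethernet link type is an assumption; records of any other link type are still listed with their timestamp and lengths. The sample capture is constructed in code (one inbound TCP SYN) and its timestamp is chosen to match the date on the action-log line shown later in this chapter, read as UTC.

```python
"""Minimal reader for tcpdump/pcap files such as the Internet Shield packet
log.  Added example; not F-Secure's viewer.  Link type Ethernet is assumed
for header decoding, the sample file below is constructed."""
import struct
from datetime import datetime, timezone

LINKTYPE_ETHERNET = 1


def decode_ethernet_ipv4(frame: bytes) -> dict:
    """Pull addresses, protocol and ports out of an Ethernet/IPv4 frame."""
    if len(frame) < 14:
        return {}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    if ethertype != 0x0800 or len(ip) < 20:
        return {"ethertype": ethertype}
    ihl = (ip[0] & 0x0F) * 4                       # header length in bytes
    out = {"src": ".".join(str(b) for b in ip[12:16]),
           "dst": ".".join(str(b) for b in ip[16:20]),
           "proto": ip[9]}
    l4 = ip[ihl:]
    if out["proto"] in (6, 17) and len(l4) >= 4:     # TCP or UDP
        out["sport"], out["dport"] = struct.unpack("!HH", l4[:4])
    if out["proto"] == 6 and len(l4) >= 14:
        out["flags"] = l4[13]                         # TCP flag byte, 0x02 = SYN
    return out


def read_pcap(data: bytes) -> dict:
    """Parse the global header and all records; never read past the end."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a pcap file: bad magic number")
    vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    cap = {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype,
           "records": [], "truncated": False}
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        payload = data[off + 16:off + 16 + incl_len]
        if len(payload) < incl_len:               # file ends inside a record
            break
        off += 16 + incl_len
        rec = {"ts": ts_sec + ts_usec / 1e6, "len": orig_len, "captured": incl_len}
        if linktype == LINKTYPE_ETHERNET:
            rec.update(decode_ethernet_ipv4(payload))
        cap["records"].append(rec)
    cap["truncated"] = off != len(data)
    return cap


def summarize(cap: dict) -> list:
    """One tcpdump-like line per record."""
    lines = []
    for r in cap["records"]:
        when = datetime.fromtimestamp(r["ts"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        if "src" in r:
            lines.append(f"{when} {r['src']}:{r.get('sport', '-')} -> "
                         f"{r['dst']}:{r.get('dport', '-')} proto {r['proto']} len {r['len']}")
        else:
            lines.append(f"{when} linktype {cap['linktype']} len {r['len']}")
    return lines


def build_sample_pcap() -> bytes:
    """Constructed capture: one TCP SYN from 10.0.0.5:40000 to 192.168.1.10:8000."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, 8000, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 168, 1, 10]))
    frame = eth + ip + tcp
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    record = struct.pack("<IIII", 1058287680, 0, len(frame), len(frame)) + frame
    return header + record


if __name__ == "__main__":
    for line in summarize(read_pcap(build_sample_pcap())):
        print(line)
```

    To read a real log, replace `build_sample_pcap()` with the bytes of the `packetlog` file from the logging directory; a `truncated` result means the host was still writing when the file was copied, so copy it again after packet logging has stopped.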
  • Page 239 CHAPTER 9 Home users can use the packet logging to record evidence of intrusion attempts. The Logging Directory The logging directory is defined when installing the application. It can be changed by clicking Browse. Action log The action log continuously records the actions taken by the firewall.
  • Page 240 Receiving connection If the application has opened a LISTEN connection it is acting as a server, and remote computers can connect to the port for which the connection was opened. The action log also records these connections. 07/15/03 16:48:00 info appl control unknown allow...
  • Page 241: Other Log Files

    Connecting to F-Secure Policy Manager and Importing a Policy File Manually If you need to initialize a connection from the local host to the F-Secure Policy Manager Server, you can do it as follows: 1. Go to the Central Management page, where you can see the date and time of last connection to the Policy Manager Server.
  • Page 242: Suspending Downloads And Updates

    Suspending Downloads and Updates This option is configured from the F-Secure Policy Manager Console. It is useful for hosts that are sometimes used via a slow dial-up line. When this option is enabled, the user is allowed to suspend network communications, for example automatic polling of policies, sending statistics and Automatic Updates, temporarily.
  • Page 243 CHAPTER 9 3. Select one of the options from the Allow users to unload products drop-down menu. 4. Click to save the policy data. 5. Click to distribute the policy.
  • Page 244 VIRUS INFORMATION Virus Information on F-Secure Web Pages ......245 Latest Threats................245 Viruses in the Wild..............246 How to Send a Virus Sample to F-Secure........ 246 What to Do in Case of a Virus Outbreak? ........ 250...
  • Page 245: Virus Information

    The list of latest threats can be found at F-Secure Security Information Center: http://www.europe.f-secure.com/virus-info/virus-news/ The latest threats are also delivered to your desktop through F-Secure Client Security as F-Secure News. 10.2.1 F-Secure Radar F-Secure Radar delivers instant notifications of serious security events around the world through a variety of media.
  • Page 246: Viruses In The Wild

    73 virus information professionals. The basis for these reports is virus incidents where a sample was received and positively identified by the participant. Rumors and unverified reports have been excluded. F-Secure Corporation is an active member of the Wildlist Organization. The Wildlist is available on the Internet at: http://www.europe.f-secure.com/virus-info/wild.shtml.
  • Page 247: What Should Be Sent

    CHAPTER 10 All ZIP packages should be named using only English letters and/or numbers. You can use long file names. If you send multiple archives (for example because of e-mail server limitations) please either send them in separate messages or add a counter to the archive parts, for example: sample_part1.zip sample_part2.zip sample_part18.zip...
  • Page 248 The GetMBR utility should be put on a clean system floppy, an infected computer should be booted from this floppy disk, and GetMBR should be run. Send the generated MBR.DAT in a ZIP archive to samples@f-secure.com. GetMBR can be downloaded from our ftp site: http://www.f-secure.com/download-purchase/tools.shtml 4.
  • Page 249: Where To Send The Virus Sample

    If an infection or false alarm is on a CD, you can send the CD to our office in Finland. Please include a description of the problem, and a printed F-Secure Client Security report, if possible. We will return your CD if it has no infection.
  • Page 250: In What Language

    Do not send the virus sample to any personal e-mail address at F-Secure Corporation; your messages will be deleted by our e-mail scanner. Send hoax samples and virus-related questions also to samples@f-secure.com If the virus sample is too big to send by e-mail, you can upload it (in a ZIP archive) to our ftp site: ftp://ftp.europe.f-secure.com/incoming...
  • Page 251 F-Secure Anti-Virus Research Team (samples@f-secure.com). If you need urgent assistance, please point it out in your message. 4. If it is a new virus, try to locate a sample and send it to F-Secure Anti-Virus Research Team (samples@f-secure.com) according to the following guidelines: http://www.europe.f-secure.com/support/technical/general/...
  • Page 252 Keep F-Secure Client Security installations always updated with the latest virus definition databases. It is recommended to update F-Secure Client Security twice a day, when new updates are released by F-Secure Anti-Virus Research Team. 10. Warn your partners about the outbreak and recommend them to scan...
  • Page 253 SETTING UP CISCO NAC SUPPORT Introduction................254 Installing Cisco NAC Support ........... 254 Attributes to be Used for Application Posture Token ....255...
  • Page 254: Introduction

    The installation package for F-Secure Client Security contains an option to install Cisco NAC Support. When you select this option, both the F-Secure NAC plug-in and the CTA will be installed. In addition to this, the ACS server must be configured to monitor F-Secure product related security attributes.
  • Page 255: Importing Posture Validation Attribute Definitions

    For more information about CSUtil, see Cisco ACS documentation. 11.3 Attributes to be Used for Application Posture Token To configure the Cisco ACS server to monitor F-Secure product related security attributes, do the following: 1. Select the External User Databases button on the Cisco ACS server user interface.
  • Page 256 4. Click Configure. 5. Select Create New Local Policy. 6. You can use the following F-Secure Client Security related attributes in the rules for Application Posture Tokens:
    Posture Validation Attributes for Anti-Virus (Attribute-name / Type / Example):
    Software-Name / string / F-Secure Anti-Virus
    Software-Version / version / 7.0.0.0
    ...
  • Page 257 ADVANCED FEATURES: VIRUS AND SPYWARE PROTECTION Overview................... 258 Configuring Scheduled Scanning ..........258 Configuring Policy Manager Proxy ........... 260 Configuring Automatic Updates on Hosts from Policy Manager Proxy ..................261 Configuring a Host for SNMP Management ......262...
  • Page 258: Configuring Scheduled Scanning

    2. Select Root in the Policy Domains pane. 3. Select the Policy tab in the Properties pane (the middle pane). 4. On the Policy tab, select: F-Secure/F-Secure Anti-Virus 5. On the Product View pane (on the right) select the Scheduling Table page.
  • Page 259 CHAPTER 12 9. Next click the Scheduling Parameters cell, and then click Edit. Now you can enter the parameters for the scheduled scan. A scheduled scan that is to be run weekly, every Monday starting at 8 p.m., from August 25, 2003 onwards, is configured as follows: ‘/t20:00 /b2003-08-25 /rweekly’...
  • Page 260: Configuring Policy Manager Proxy

    F-Secure Update server or the corporate F-Secure Policy Manager Server. F-Secure Policy Manager Proxy resides in the same remote network as the hosts that use it as a database distribution point. There should be one F-Secure Policy Manager Proxy in every network that is behind slow...
  • Page 261: Configuring Automatic Updates On Hosts From Policy Manager Proxy

    Manager Server in the main office, but this communication is restricted to remote policy management, status monitoring, and alerting. Since the heavy database update traffic is redirected through the F-Secure Policy Manager Proxy in the same local network, the network connection between managed workstations and F-Secure Policy Manager Server has a substantially lighter load.
  • Page 262: Configuring A Host For Snmp Management

    6. When you have added all the proxies, click OK. 12.5 Configuring a Host for SNMP Management The F-Secure SNMP Management Extension is a Windows NT SNMP extension agent, which is loaded and unloaded with the master agent. The SNMP service normally starts on Windows start-up so the extension agent is always loaded.
  • Page 263 ADVANCED FEATURES: INTERNET SHIELD Overview................... 264 Managing Internet Shield Properties Remotely ......264 Configuring Security Level Autoselection......... 266 Troubleshooting Connection Problems ........268 Adding New Services ............... 269...
  • Page 264: Managing Internet Shield Properties Remotely

    3. Select the Policy tab in the Properties pane (the middle pane). 4. On the Policy tab, select: \F-Secure Internet Shield 5. Select the Logging tab in the Product View pane (on the right). This variable normally shows the status of packet logging: Disabled means that it is not running, and Enabled that it is currently running on the host.
  • Page 265: Trusted Interface

    Policy Domains pane. 3. Select the Policy tab in the Properties pane (the middle pane). 4. On the Policy tab, select the following path: \F-Secure Internet Shield\Settings\Firewall Engine\Allow Trusted Interface Select Enabled to enable Trusted Interface for the currently selected subdomain.
  • Page 266: Packet Filtering

    3. Select the Policy tab in the Properties pane (the middle pane). 4. On the Policy tab, select the following path: \F-Secure Internet Shield\Settings\Firewall Engine\Firewall Engine To make sure the packet filtering is always enabled, set this variable to Yes, and select the Final check box. A setting marked Final is locked so that it cannot be changed locally on the host. Remember to distribute the policy to enforce the change.
  • Page 267 CHAPTER 13 3. Select the Policy tab in the Properties pane (the middle pane). 4. On the Policy tab, select the following path: \F-Secure\F-Secure Internet Shield 5. In the Product View pane (on the right) select the Security Level Autoselection page.
  • Page 268: Troubleshooting Connection Problems

    9. The first security level is now ready. Click to add the second security level, in this example Mobile. 10. Enter the data in the cells by selecting a cell and clicking Edit. For the Mobile security level you should add the following data: Priority: The rules are checked in the order defined by the priority numbers, starting from the smallest number.
  • Page 269: Adding New Services

    11. If nothing else helps, unload F-Secure products or set the Internet Shield to allow all mode. If even this does not help, it is likely that the problem is in routing or in some other component in the computer the user tries to connect to.
  • Page 270: Creating A New Internet Service Based On The Default Http

    13.5.1 Creating a New Internet Service based on the Default HTTP In this example it is assumed that there is a web server running on a computer, and that web server is configured to use a non-standard web port. Normally a web server would serve TCP port 80, but in this example it has been configured to serve port 8000.
  • Page 271 CHAPTER 13 Step 2. IP Protocol Number Select a protocol number for this service from the Protocol drop-down list. It contains the most commonly used protocols (TCP, UDP, ICMP). If your service uses any other protocol, refer to the table below and enter the respective number.
  • Page 272 Protocol Name / Protocol Number / Full Name (the numbers are the IANA-assigned IP protocol numbers):
    ICMP / 1 / Internet Control Message Protocol
    IGMP / 2 / Internet Group Management Protocol
    IPIP / 4 / IPIP Tunnels (IP in IP)
    TCP / 6 / Transmission Control Protocol
    EGP / 8 / Exterior Gateway Protocol
    PUP / 12 / Xerox PUP routing protocol
    UDP / 17 / User Datagram Protocol
    IDP / 22 / Xerox NS Internet Datagram Protocol
    IPV6 / 41 / IP Version 6 encapsulation in IP version 4
    RSVP / 46 / ...
  • Page 273 CHAPTER 13
    AH / 51 / Authentication Header protocol
    PIM / 103 / Protocol Independent Multicast
    COMP / 108 / Compression Header protocol
    RAW / 255 / Raw IP packets
    Step 3. Initiator Ports If your service uses the TCP or UDP protocol, you need to define the initiator ports the service covers. The format for entering the ports and port ranges is as follows: “>port”...
  • Page 274 In this example, define the initiator port as >1023. Step 4. Responder Ports If your service uses the TCP or UDP protocol, you need to define the responder ports the service covers. In this example, define the responder port as 8000.
  • Page 275 CHAPTER 13 Step 5. Classification Number Select a classification number for the service from the drop down list. You can accept the default value. Step 6. Extra Filtering Select whether any extra filtering is to be applied for the traffic allowed by the service you are creating, in addition to the normal packet and stateful filtering.
  • Page 276 In this example you can accept the default, Disabled. When the service uses TCP protocol, and you do not have Application Control enabled, you can select Active mode FTP from the Extra Filtering drop-down menu. Active mode FTP requires special handling from the Firewall, as the information about the port that should be opened for the connection is included in the transferred data.
  • Page 277 CHAPTER 13 Step 7. Review and Accept the Rule 1. You can review your rule now. If you need to make any changes to the rule, click Back through the rule. 2. Click Finish to close the rule wizard. The rule you just created is now displayed in the Firewall Rules Table.
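    The rule wizard steps in chapter 6 (the Ping allow rule, the outbound HTTP rule, the "inbound service denied" alert), the priority ordering described for security level autoselection in chapter 13, and the HTTP-on-8000 service just created all describe one evaluation model: a service is an IP protocol plus initiator and responder port specifications, a rule binds a service to an action, a direction and a set of remote hosts, and rules are checked in priority order with the first match deciding. The following added example is a reference model of that logic in Python, not F-Secure's firewall engine. The ">port" syntax is the guide's; the "a-b" range and comma-separated port forms, CIDR notation for remote hosts, the default-deny fallback and the sample connections are this example's own assumptions.

```python
"""Reference model of Internet Shield services, rules and first-match
evaluation in priority order.  Added example; not F-Secure's engine."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable

ICMP, TCP, UDP = 1, 6, 17


def parse_ports(spec: str) -> Callable[[int], bool]:
    """Predicate for ">1023" (guide syntax), "8000", "1024-65535" or
    "80,443" (the last two are assumed forms); "" or "*" matches any port."""
    spec = spec.strip()
    if spec in ("", "*"):
        return lambda port: True
    tests = []
    for part in (p.strip() for p in spec.split(",")):
        if part.startswith(">"):
            low = int(part[1:])
            tests.append(lambda port, low=low: port > low)
        elif "-" in part:
            low, high = (int(x) for x in part.split("-", 1))
            tests.append(lambda port, low=low, high=high: low <= port <= high)
        else:
            exact = int(part)
            tests.append(lambda port, exact=exact: port == exact)
    return lambda port: any(t(port) for t in tests)


@dataclass(frozen=True)
class Service:
    name: str
    protocol: int
    initiator: str = "*"   # ports on the side that opens the connection
    responder: str = "*"   # ports on the side that accepts it

    def matches(self, protocol: int, init_port: int, resp_port: int) -> bool:
        return (protocol == self.protocol
                and parse_ports(self.initiator)(init_port)
                and parse_ports(self.responder)(resp_port))


@dataclass(frozen=True)
class Rule:
    priority: int          # smaller numbers are checked first
    action: str            # "allow" or "deny"
    service: Service
    direction: str         # "in", "out" or "both"
    remote: str = "any"    # "any" or a network in CIDR notation (assumed)
    alert: bool = False    # raise an alert when this rule is hit
    comment: str = ""


@dataclass(frozen=True)
class Connection:
    direction: str         # "in": remote host opened it; "out": this host did
    protocol: int
    remote_ip: str
    local_port: int = 0
    remote_port: int = 0


def evaluate(rules, conn: Connection, default: str = "deny"):
    """First matching rule in priority order decides; returns (action, rule)."""
    if conn.direction == "in":               # initiator is the remote side
        init_port, resp_port = conn.remote_port, conn.local_port
    else:
        init_port, resp_port = conn.local_port, conn.remote_port
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction not in ("both", conn.direction):
            continue
        if rule.remote != "any" and ip_address(conn.remote_ip) not in ip_network(rule.remote):
            continue
        if rule.service.matches(conn.protocol, init_port, resp_port):
            return rule.action, rule
    return default, None


# Services as in the guide: default HTTP, the 13.5.1 service (initiator
# >1023, responder 8000) and Ping.  The rule set itself is constructed.
HTTP = Service("HTTP", TCP, ">1023", "80")
HTTP_8000 = Service("HTTP-8000", TCP, ">1023", "8000")
PING = Service("Ping", ICMP)
RULES = [
    Rule(1, "allow", PING, "both", comment="ping test rule from 6.6"),
    Rule(2, "allow", HTTP_8000, "in", remote="192.168.1.0/24", comment="LAN web server on 8000"),
    Rule(3, "allow", HTTP, "out", comment="outbound browsing"),
    Rule(900, "deny", Service("any TCP", TCP), "in", alert=True, comment="inbound service denied"),
]


def decide(conn: Connection):
    """(action, alert raised, matching rule comment) for one connection."""
    action, rule = evaluate(RULES, conn)
    return action, bool(rule and rule.alert), rule.comment if rule else "default action"


def demo() -> dict:
    """Constructed connections, no real traffic."""
    return {
        "lan client to 8000": decide(Connection("in", TCP, "192.168.1.20", 8000, 40000)),
        "lan client from port 80": decide(Connection("in", TCP, "192.168.1.20", 8000, 80)),
        "internet client to 8000": decide(Connection("in", TCP, "203.0.113.7", 8000, 40000)),
        "browse out": decide(Connection("out", TCP, "203.0.113.7", 50000, 80)),
        "browse out to 8000": decide(Connection("out", TCP, "203.0.113.7", 50000, 8000)),
        "inbound ping": decide(Connection("in", ICMP, "203.0.113.7")),
    }
```

    The second and third cases are the ones worth noticing when you write rules: a connection to port 8000 whose initiator port is not above 1023, or whose source is outside the permitted network, falls through to the broad deny rule and produces the "inbound service denied" alert, while an outbound connection to port 8000 matches no rule at all and is dropped silently by the default action.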
  • Page 278 APPENDIX: Modifying PRODSETT.INI Overview................... 279 Configurable Prodsett.ini Settings ..........279...
  • Page 279: A.1 Overview

    The RequestInstallMode setting can override the selection for components, which have InstallMode=0. Configurable Prodsett.ini Settings You can edit the following settings in the prodsett.ini file. [F-Secure common] Common settings CD-Key=XXXX-XXXX-XXXX-XXXX-XXXX Enter the CD Key of the installation package here.
  • Page 280 [F-Secure common] Common settings SupportedLanguages=ENG FRA DEU FIN SVE List of languages supported by the installation package. You can make the set of languages smaller by leaving out some unnecessary languages and repacking the package. When you add support for a new language to the package you should add that language here to make it effective.
  • Page 281 APPENDIX A [F-Secure common] Common settings SecurityPolicy=0 | 1 | 2 The files and folders installed to NTFS and the product’s registry keys are protected with the NT security permissions according to the defined "SecurityPolicy": 0 = no special policy applied; files and folders inherit the security permissions from the parent.
  • Page 282 (default) 3 = Do not reboot after installation. [FSMAINST.DLL] Settings for F-Secure Management Agent RequestInstallMode=1 This component is always installed when you are installing a networked client. You do not need to edit the RequestInstallMode or InstallMode settings for this component.
  • Page 283 ServiceProviderMode=0 MibVersion= GatekeeperVersion= StatisticsFilterPattern1= UseOnlyUID= 0 = F-Secure Management Agent uses all available identities (DNS name, IP address, WINS name, Unique Identity) to identify itself for the first time to the F-Secure Policy Manager Server. 1 = F-Secure Management Agent only uses its Unique Identity to identify itself to the F-Secure Policy Manager Server.
  • Page 284 This component is always installed when you are installing a networked client. You do not need to edit the RequestInstallMode or InstallMode settings for this component.
    FsmsServerUrl=http://fsmsserver
      URL to the F-Secure Policy Manager Server.
    FsmsExtensionUri=/fsms/fsmsh.dll
      Do not change this setting.
    FsmsCommdirUri=/commdir
      Do not change this setting.
  • Page 285 DeleteOldDirectory=0
      0 = If F-Secure Anti-Virus 4.x is installed on the computer, then F-Secure Anti-Virus 5.x will not be installed, and the installation will be aborted. This applies in silent installation mode only (default).
  • Page 286 [FSAVINST.DLL] Settings for F-Secure Client Security - Virus Protection
    EnableRealTimeScanning=1
      0 = Disable real-time scanning.
      1 = Enable real-time scanning (default).
    Debug=1
      0 = Do not generate debug information (default).
      1 = Write debug information into the debug log during installation and uninstallation.
  • Page 287 APPENDIX A [MEHINST.DLL] Settings for SNMP Support
    RequestInstallMode=1
      0 = Install this component as defined in the InstallMode setting.
      1 = Install this component if newer, or not installed (default).
      2 = Install this component if there is no existing version of it installed, or if the same or an older version exists.
  • Page 288
      0 = Do not install this component (default).
      1 = Install this component, except if a newer version already exists.
    [FWINST.DLL] Settings for F-Secure Client Security - Internet Shield
    RequestInstallMode=1
      0 = Install this component as defined in the InstallMode setting.
  • Page 289 APPENDIX A [FWINST.DLL] Settings for F-Secure Client Security - Internet Shield
    InstallDC=0 | 1
      0 = Do not install Dial-up Control (default).
      1 = Install Dial-up Control.
    InstallNetworkQuarantine=0 | 1
      0 = Do not install Network Quarantine (default).
      1 = Install Network Quarantine.
  • Page 290 [FSPSINST.DLL] Settings for F-Secure Client Security - Network Scanner
    RequestInstallMode=1
      0 = Install this component as defined in the InstallMode setting.
      1 = Install this component if newer, or not installed (default).
      2 = Install this component if there is no existing version of it installed, or if the same or an older version exists.
  • Page 291 APPENDIX A [FSNACINS.DLL] Settings for Cisco NAC Support
    RequestInstallMode=1
      0 = Install this component as defined in the InstallMode setting.
      1 = Install this component if newer, or not installed (default).
      2 = Install this component if there is no existing version of it installed, or if the same or an older version exists.
  • Page 292 APPENDIX B: E-mail Scanning Alert and Error Messages. Overview (page 293)...
  • Page 293: B.1 Overview

    E-Mail Attachment Virus Alert Message ID: 620-623 Definition: When a virus is found the virus is treated based on the configuration set on F-Secure Client Security Advanced configuration. The options to handle the virus are: Report only, disinfect virus or drop virus.
  • Page 294 Message ID: 630-633 Definition: When a malformed message is found it is treated based on the configuration set on F-Secure Client Security Advanced configuration. The options to handle malformed message are: Malformed message part was only reported, Malformed message part was dropped, Malformed e-mail was blocked.
  • Page 295 APPENDIX B Message: Malformed E-Mail Alert! Description: <description of the malformation> Message part: <malformed message part> Action: <action taken> Message <Message ID> from: <E-mail header: sender field e-mail address> to: <E-mail header: recipient field e-mail addresses> subject: <E-mail header: the subject field of the message>...
  • Page 296 Message: E-Mail Attachment Scanning Failure Reason: <description of the scanning failure> Attachment: <the attachment causing the scanning failure> Action: <action taken> Message <Message ID> from: <E-mail header: sender field e-mail address> to: <E-mail header: recipient field e-mail addresses> subject: <...
  • Page 297: Glossary

  • Page 298 Alert A message generated by an F-Secure product if there has been a problem with a program or with an operation. Alerts are also generated when a virus is found. The administrator and the user can define which alerts are generated, either by defining firewall rules or enabling or disabling specific alerts.
  • Page 299 Authorization The right to perform an action on an object. Also the act of proving this right. Backdoor A malicious application or plug-in that opens up a possibility for a remote user to access the compromised computer. This is very often an application that opens up one or more listening ports and waits for connections from the outside, but there are variations of this.
  • Page 300 Domain Name A unique name that identifies an Internet site (for example, F-Secure.com) The domain name system (DNS) is the way that Internet domain names are located and translated into Internet Protocol addresses. A domain name is a meaningful and easy-to-remember "handle" for an Internet address.
  • Page 301 False positive A false positive is an alert that wrongly indicates that the related event has happened. In the F-Secure Internet Shield the alert text usually indicates this by using words like "probable" or "possible". Alerts of this kind should be eliminated or minimised.
  • Page 302 Hidden file Hidden files are not visible to users. It is possible that a rootkit is hiding the file from the normal file listings. Hidden process Hidden processes are not visible to users. It is possible that a rootkit is hiding the process from Windows Task Manager. Host Any computer on a network that is a repository for services available to other computers on the network.
  • Page 303 IPSec (IETF) The IP Security Protocol is designed to provide interoperable, high quality, cryptography-based security for IPv4 and IPv6. The set of security services offered includes access control, connection-less integrity, data origin authentication, protection against replays, confidentiality (encryption), and limited traffic flow confidentiality. These services are provided at the IP layer, offering protection for IP and/or upper layer protocols.
  • Page 304 Mbit Megabit. MIB (SNMP terminology) Management Information Base. Detailed information about MIBs can be found in RFC1155-SMI, RFC1212-CMIB and RFC1213-MIB2. MIME Multipurpose Internet Mail Extension, a standard system for identifying the type of data contained in a file based on its extension. MIME is an Internet protocol that allows you to send binary files across the Internet as attachments to e-mail messages.
  • Page 305 A security policy is a set of well-defined rules that regulate how sensitive information and other resources are managed, protected, and distributed. The management architecture of F-Secure software uses policies that are centrally configured by the administrator for optimum control of security in a corporate environment.
  • Page 306 You can add new applications to the Quarantine when Virus & Spy Protection detects them. Random Seed The seed value for the cryptographically strong random number generator, which is updated each time an F-Secure application closes. Riskware Riskware is any program that does not intentionally cause harm but can be dangerous if misused, especially if set up incorrectly.
  • Page 307 SNMP Simple Network Management Protocol. A standard TCP/IP protocol used for monitoring and setting network parameters and counters of LAN- and WAN-connected repeaters, bridges, routers, and other devices. In F-Secure Policy Manager it is used for sending and monitoring alerts and statistics. Spyware Spyware is software that tracks user information and reports it without your knowledge via the Internet to third parties.
  • Page 308 IP addresses that begin with the same two or three numbers. System Event Log A service that records events in the system, security, and application logs. F-Secure Client Security events are recorded in the application log. TAC Score The TAC score determines how likely the application is malware, 1 being the least and 10 being the most problematic.
  • Page 309 Trojan A trojan is usually a standalone program that performs destructive or other malicious actions. Destructive actions can vary from erasing or modifying the contents of files on a hard drive to a complete destruction of data. A backdoor trojan is a remote access tool that can allow a hacker to get full control over the entire infected system.
  • Page 310 Worm A computer program capable of replication by inserting copies of itself in networked computers.
  • Page 311: Technical Support

    Technical Support: Overview (page 312), Web Club (page 312), Advanced Technical Support (page 312), F-Secure Technical Product Training (page 313)...
  • Page 312: Web Club

    The F-Secure Web Club provides assistance to users of F-Secure products. To enter, choose the Web Club command from the Help menu in the F-Secure application. The first time you use this option, enter the path and name of your Web browser and your location.
  • Page 313: F-Secure Technical Product Training

    Or you should be ready to replicate the problem on the computer with minimum effort. After installing the F-Secure software, you may find a ReadMe file in the F-Secure folder in the Windows Start Programs menu. The ReadMe file contains late-breaking information about the product.
  • Page 314: Contact Information

    The courses take place in modern and well-equipped classrooms. All of our courses consist of theory and hands-on parts. At the end of each course there is a certification exam. Contact your local F-Secure office or F-Secure Certified Training Partner to get information about the courses and schedules.
  • Page 315 F-Secure Corporation is the fastest growing publicly listed company in the antivirus and intrusion prevention industry with more than 50% revenue growth in 2004. Founded in 1988, F-Secure has been listed on the Helsinki Stock Exchange since 1999. We have our headquarters in Helsinki, Finland, and offices in USA, France, Germany, Italy, Sweden, the United Kingdom and Japan.
