Although F-Secure Corporation makes every effort to ensure that this information is accurate, F-Secure Corporation will not be liable for any errors or omission of facts contained herein. F-Secure Corporation reserves the right to modify specifications cited in this document without prior notice.
4.5.2 Installation Instructions
Installing on an Infected Host
How to Check That the Management Connections Work
Chapter 5 Configuring Virus and Spyware Protection
Overview: What can Virus and Spyware Protection be Used for?
Configuring Automatic Updates
5.2.1 How do Automatic Updates Work?
5.2.2 Automatic Updates Configuration Settings
5.2.3 Configuring Automatic Updates from Policy Manager Server...
5.9.1 Setting all Virus Protection Settings Final
5.10 Configuring F-Secure Client Security Alert Sending
5.10.1 Setting F-Secure Client Security to Send Virus Alerts to an E-mail Address
5.10.2 Disabling F-Secure Client Security Alert Pop-ups
5.11 Monitoring Viruses on the Network
5.12 Testing your Antivirus Protection...
9.5.2 Packet Logging
9.5.3 The Action.log file
9.5.4 Other Log Files
Connecting to F-Secure Policy Manager and Importing a Policy File Manually
Suspending Downloads and Updates
Allowing Users to Unload F-Secure Products
Chapter 10 Virus Information
10.1 Malware Information and Tools on the F-Secure Web Pages...
10.2.3 How to Send the Virus Sample
10.2.4 In What Language
10.2.5 Response Times
10.3 What to Do in Case of a Virus Outbreak?
Chapter 11 Setting Up the Cisco NAC Plugin
11.1 Introduction
11.2 Installing the Cisco NAC Plugin
11.2.1 Importing Posture Validation Attribute Definitions
11.3 Attributes to be Used for Application Posture Token
Chapter 12 Advanced Features: Virus and Spyware Protection...
Appendix B E-mail Scanning Alert and Error Messages
B.1 Overview
Appendix C Products Detected or Removed During Client Installation
C.1 Overview
Glossary
Technical Support
Overview
Web Club
Advanced Technical Support
F-Secure Technical Product Training...
This manual covers the configuration and operations that you can do with the F-Secure Policy Manager Anti-Virus Mode user interface and provides the information you need to get started with managing F-Secure Client Security applications centrally. The F-Secure Client Security Administrator’s Guide is divided into the following chapters.
E-mail Scanning can generate.
Appendix C. Products Detected or Removed During Client Installation. Lists all the products that the user is prompted to uninstall or are uninstalled automatically during F-Secure Client Security installation.
Glossary — Explanation of terms
Technical Support —...
F1. The online help always opens to a page that holds information about your current location in the F-Secure Client Security user interface. In the left pane of the online help, you can browse through the help using the...
F-Secure Policy Manager Proxy Administrator’s Guide
For more information on installing and maintaining F-Secure Policy Manager Proxies, see the F-Secure Policy Manager Proxy Administrator’s Guide. It contains detailed instructions on how you can use F-Secure Policy Manager Proxies to deliver product updates more efficiently.
Conventions Used in F-Secure Guides
This section describes the symbols, fonts, and terminology used in this manual.
Symbols
WARNING: The warning symbol indicates a situation with a risk of irreversible destruction to data.
IMPORTANT: An exclamation mark provides important information that you need to consider.
In our constant attempts to improve our documentation, we would welcome your feedback. If you have any questions, comments, or suggestions about this or any other F-Secure document, please contact us at documentation@f-secure.com.
Overview
This section describes the main components of F-Secure Client Security and F-Secure Policy Manager and provides an introduction to policy based management.
F-Secure Client Security Components and Features
F-Secure Client Security is used for protecting the computer against viruses, worms, spyware, rootkits and other malware, and against unauthorized access from the network.
Manual Scanning
You can use Manual Scanning, for example, after you have installed F-Secure Client Security, if you suspect that there might be a virus or spyware on the computer, or if a virus has been found in the local area network.
The integrity of the delivered executable code is very important, and F-Secure scanning engines check that all update code is signed by F-Secure Anti-Virus Research. If the integrity is compromised, the code will not be executed. For more information, see “Configuring Automatic...
“Configuring Automatic Updates”, 159.
Virus News
F-Secure Virus News delivers instant notifications of serious security events around the world. The F-Secure Virus News service is delivered through F-Secure Automatic Update Agent. See the F-Secure Client Security online help for more information.
1.2.2...
1.2.3 Application Management
SNMP Agent
The F-Secure SNMP Agent is a Windows NT SNMP extension agent, which is loaded and unloaded with the master agent. The F-Secure SNMP Agent offers a subset of Policy Manager functionality, and it is meant primarily for alert and statistics monitoring.
“Setting Up the Cisco NAC Plugin”, 250.
Introduction to F-Secure Policy Manager
This section contains a brief introduction to F-Secure Policy Manager. For more information, see F-Secure Policy Manager Administrator’s Guide.
F-Secure Policy Manager provides a scalable way to manage the security of numerous applications on multiple operating systems from one central location.
These policies are defined in F-Secure Policy Manager Console and then distributed to the workstations through the F-Secure Policy Manager Server. It can be used to remotely install F-Secure products on other workstations without the need for any intervention by the end user.
F-Secure Policy Manager Update Server & Agent are used for updating virus and spyware definitions on the managed hosts. F-Secure Automatic Update Agent allows users to receive virus definition database updates and informational content without interrupting their work to wait for files to download from the Web.
Policy domains are groups of hosts or subdomains that have a similar security policy.
Policy inheritance
Policy inheritance simplifies the defining of a common policy. In F-Secure Policy Manager Console, each policy domain automatically inherits the settings of its parent domain, allowing for easy and efficient management of large networks.
CHAPTER 1 The policy can be further refined for subdomains or even individual hosts. The granularity of policy definitions can vary considerably among installations. Some administrators might want to define only a few different policies for large domains. Other administrators might attach policies directly to each host, achieving the finest granularity.
F-Secure Policy Manager Console. Instructions on how to install F-Secure Policy Manager Console and Server on the same computer. The F-Secure Policy Manager Console and Server setup is run from the F-Secure CD. For information on alternative installation scenarios as well as the...
System Requirements
2.2.1 F-Secure Policy Manager Server
In order to install F-Secure Policy Manager Server, your system must meet the following minimum requirements:
Operating system: Microsoft Windows:
Microsoft Windows 2000 Server (SP 4 or higher)
Windows 2003 Server (32- and 64-bit)
CHAPTER 2
Memory: 256 MB RAM. When Web Reporting is enabled, 512 MB RAM.
Disk space: 200 MB of free hard disk space; 500 MB or more is recommended. The disk space requirements depend on the size of the installation.
2.2.2 F-Secure Policy Manager Console
In order to install F-Secure Policy Manager Console, your system must meet the following minimum requirements:
Operating system: Microsoft Windows:
Microsoft Windows 2000 Professional (SP4 or higher)
Windows XP Professional (SP2 or higher)
Windows Vista (32- and 64-bit)
Windows 2000 Server SP4
Windows 2003 Server (32- and 64-bit).
1. Insert the F-Secure CD in your CD-ROM drive.
2. Select Corporate Use. Click Next to continue.
3. Select F-Secure Policy Manager from the Install or Update Management Software menu.
Step 2. View the Welcome screen, and follow the setup instructions. Then select the installation language from the drop-down menu.
Step 3. Read the license agreement information. If you agree, select I accept this agreement. Click Next to continue.
Step 4. Select the following components to be installed:
F-Secure Policy Manager Console
F-Secure Policy Manager Server
F-Secure Policy Manager Update Server & Agent
F-Secure Installation Packages
Click Next to continue.
Step 5. Choose the destination folder. It is recommended to use the default installation directory. Use the Browse feature to install F-Secure Policy Manager in a different directory. Click Next to continue.
F-Secure Policy Manager Server will use as a repository. You can use the previous commdir as a backup, or you can delete it once you have verified that F-Secure Policy Manager Server is correctly installed.
Step 7. Select whether you want to keep the existing settings or change them. This dialog is displayed only if a previous installation of F-Secure Policy Manager Server was detected on the computer. By default the setup keeps the existing settings. Select this option if you have manually updated the F-Secure Policy Manager Server configuration file (HTTPD.conf).
Step 8. Select the F-Secure Policy Manager Server modules to enable:
Host module is used for communication with the hosts. The default port is 80.
Administration module is used for communication with F-Secure Policy Manager Console. The default HTTP port is 8080.
Step 9. Specify F-Secure Policy Manager Server address, and Administration port number. Click Next to continue. Depending on the installation method, this window is not always displayed...
Step 10. Select to add product installation package(s) from the list of available packages (if you selected F-Secure Installation Packages in Step 4, 36). Click Next.
Step 11. Review the changes that setup is about to make. Click Start to start the installation.
Step 12. When the setup is completed, the setup shows whether all components were installed successfully.
Step 13. Click Finish to complete the F-Secure Policy Manager Server installation. After this you should run the F-Secure Policy Manager Console for the first time.
Step 14. It is important to run F-Secure Policy Manager Console after the setup, because some connection properties will be collected during the initial console startup. You can find the shortcut from Start > Programs > F-Secure Policy Manager Console > F-Secure Policy Manager Console. When F-Secure...
Step 15. Select your user mode according to your needs:
Administrator mode - enables all administrator features.
Read-Only mode - allows you to view administrator data, but no changes can be made. If you select Read-only mode, you will not be able to administer hosts.
Step 16. Enter the address of the F-Secure Policy Manager Server that is used for communicating with the managed hosts.
Step 17. Enter the path where the administrator’s public key and private key files will be stored. By default, key files are stored in the F-Secure Policy Manager Console installation directory: Program Files\F-Secure\Administrator. Click Next to continue. If the key-pair does not exist already, it will be created later in the...
Step 18. Move your mouse cursor around in the window to initialize the random seed used by the management key-pair generator. Using the path of the mouse movement ensures that the seed number for the key-pair generation algorithm has enough randomness. When the progress indicator has reached 100%, the Passphrase dialog box will open automatically.
Step 19. Enter a passphrase, which will secure your private management key. Re-enter your passphrase in the Confirm Passphrase field. Click Next.
Step 20. Click Finish to complete the setup process.
The setup wizard creates the user group FSPM users. The user who was logged in and ran the installer is automatically added to this group. To allow another user to run F-Secure Policy Manager you must manually add this user to the user group FSPM users.
“Creating the Domain Structure”, 128 and “Adding Hosts”, 130. If you decide to exit from F-Secure Policy Manager Console, and want to login again later, see “Logging in for the First Time”, 124. If you want to familiarize yourself with the F-Secure Policy Manager Console user interface, see “Introduction to F-Secure Policy Manager...
Start to begin uninstallation.
4. When the uninstallation is complete, click Close.
5. Repeat steps 2-4, if you want to uninstall other F-Secure Policy Manager components.
6. When you have uninstalled the components, exit Add/Remove Programs.
7. It is recommended to reboot your computer after the uninstallation.
Mode in the View menu. For more information on the Advanced Mode user interface, see F-Secure Policy Manager Administrator’s Guide. The main components of the F-Secure Policy Manager Anti-Virus Mode user interface are: Policy Domains tab that displays the structure of the managed...
Policy Domains Tab
In the Policy Domains tab, you can do the following:
Add a new policy domain by clicking the icon, which is located on the toolbar. A new policy domain can be created only when a parent domain is selected.
Add a new host by clicking the icon.
CHAPTER 3
3.3.1 Summary Tab
Figure 3-1 Summary Tab
The Summary tab is designed to display the most important information concerning the selected domain(s) or host(s) at a glance. When a domain is selected, the Summary tab displays information about the whole domain.
If some of the settings displayed on the Summary tab require your immediate attention or action, an icon is displayed beside the setting. The icons can be interpreted as follows: Warns of an error situation that requires your action. The error cannot be fixed automatically. The icon is displayed, for example, when the latest policies have not been distributed, or when virus definitions on hosts are outdated...
Policy Manager
Figure 3-2 Policy Manager related information on Summary Tab
In the Policy Manager section you can:
See the current Policy distribution status (saved/unsaved, distributed/undistributed), and when necessary, save the policy data and distribute the new policies to hosts.
See the status of the virus definitions on the server.
Domain
Figure 3-3 Domain related information on Summary Tab
In the Domain section you can:
See the number of hosts that have the latest policy and access a summary of their latest policy update by clicking View hosts’s latest policy update... This takes you to the Status tab and Centralized Management page.
Recent means that the virus definitions are not the latest ones. Outdated means that the virus definitions are older than the configured time limit. If you have F-Secure Anti-Virus 5.40 installed on some hosts, the virus definitions version on these hosts is displayed as ‘unknown’.
If you need to update the virus definitions on some hosts, click Update virus definitions..., which takes you to the Operations tab.
Internet Shield
Figure 3-5 Internet Shield related information on Summary tab
In the Internet Shield section you can:
See how many hosts in the domain have Internet Shield installed.
In the Host section you can:
See the name of the selected host displayed beside Computer identity. You can also access more detailed information on the host by clicking View host properties... This takes you to the Status tab and Host Properties page.
See what the active protocol is (HTTP or File Sharing), the address of the Policy Manager Server the host is connected to and the date and time of the last connection.
Outbreak Tab
Figure 3-7 Outbreak Tab
The Security News section shows security news from F-Secure. Security news are usually news about new virus outbreaks, and they state the virus definitions version required on the hosts to protect against this new virus outbreak.
Policy Manager Server. If protection is not currently available, the Policy Manager Server will automatically download it from F-Secure when it is available. The security news show the alert level of the security threat:...
Update delta tells you how well the host's automatic updates were functioning when the host sent statistics to the F-Secure Policy Manager Server last time. If you have a host that is displayed as unprotected, but has a small value in the update delta column, the host is most likely ok and can be ignored.
For more information on the lock symbols and other items displayed on all Settings pages, see “Settings Inheritance”, 118.
Context Menu on Settings Pages
By right-clicking any setting on a Settings tab page you can access a context menu that contains the following options:
Clear: This option clears a setting that has been redefined on the current level.
Show Domain Values: The Show Domain Values menu item is available only when a Policy Domain is selected. You can view a list of all policy domains and hosts below the selected policy domain, together with the value of the selected field.
Automatic Updates
In the Automatic Updates section you can:
Enable or disable automatic updates. Note that deselecting this setting disables all ways for the host to get automatic updates.
Specify the time interval for polling updates from F-Secure Policy Manager Server.
See a list of Policy Manager Proxy Servers. You can also add new servers on the list, delete servers from the list and edit their addresses and priorities.
Select whether an HTTP Proxy can be used and specify the HTTP Proxy address.
Select whether clients should download updates from each other in addition to any servers or proxies.
General
In the General section you can:
Enable or disable real-time scanning.
File Scanning
In the Files to Scan section you can:
Select which files will be scanned and define the included extensions.
Select whether real-time scanning is executed also inside compressed files.
Select what is the action to take when an infection is found. From the Action on infection drop-down list, you can select the action F-Secure Client Security will take when an infected boot sector is detected. Choose one of the following actions:...
When Enable excluded objects is selected, the users can specify individual files or folders that will not be scanned. From the Action on infection drop-down list, you can select the action F-Secure Client Security will take when an infected file is detected.
Choose one of the following actions:
Action: Definition
Ask after scan: Starts the F-Secure Disinfection Wizard when an infected file is detected.
Disinfect automatically: Disinfects the file automatically when a virus is detected.
Rename automatically: Renames the file automatically when a virus is...
(Blacklight)”, 170.
Scheduled Scanning
The Configure scheduled scanning in advanced mode link takes you to the F-Secure Policy Manager Console Advanced Mode user interface, where scheduled scanning can be configured. For more information, see “Configuring Scheduled Scanning”, 255.
Manual Boot Sector Scanning...
Spyware Control
Figure 3-11 Settings > Spyware Control...
Spyware Scanning on File Access
This section contains the same spyware scanning settings as the Spyware Scanning on File Access section on the Settings > Real-Time Scanning page. For more information, see “Spyware Scanning on File Access”, 74.
Manual Spyware Scanning
This section contains the same spyware scanning settings as the Manual Spyware Scanning section on the Settings >...
E-mail Scanning
Figure 3-12 Settings > E-mail Scanning page
This page includes separate settings for incoming and outgoing E-mail Scanning. The settings in the General section are common for both.
Incoming E-mail Scanning
In the Incoming E-mail Scanning section you can:
Enable incoming e-mail scanning.
Select the action to take on incoming infected attachment.
Select the action to take on scanning failure.
Select the action to take on malformed message parts.
Outgoing E-mail Scanning
In the Outgoing E-mail Scanning section you can:
Enable outgoing e-mail scanning.
Web Traffic Scanning
Figure 3-13 Settings > Web Traffic Scanning
General
In the General section you can enable or disable HTTP scanning.
HTTP Scanning
Select the action to take on infection.
Select the action to take on scanning failure.
Select whether compressed files are included in scanning.
Trusted HTTP Sites
The Trusted HTTP Sites table displays a list of HTTP sites that are defined as trusted. Downloads from these sites are not scanned for viruses. For more information on Web Traffic Scanning and for practical configuration examples, see “Configuring Web Traffic (HTTP) Scanning”,...
General
In the General section you can:
Select the Internet Shield security level at host. For more information, see “Global Firewall Security Levels”, 193.
Configure security level autoselection by clicking Configure security level autoselection in advanced mode... This takes you to the Advanced Mode user interface.
Intrusion Prevention
In the Intrusion Prevention section you can:
Enable and disable intrusion prevention.
Select the action on malicious packet. The options available are: Log and drop and Log without dropping.
Define the centralized alert severity.
Define the alert and performance level.
For configuration examples and more information, see “Configuring the Intrusion...
When the selected security level is changed, the rules associated with the new security level are displayed in the table. When the F-Secure Internet Shield Firewall is in use, the firewall rules are checked in the order in which they are displayed in the table, from top to bottom.
reply packets from the server applications. Outgoing packets from ordinary applications need to be allowed by the rules in the firewall rules table. For more information on how to create and modify firewall rules, see “Configuring Internet Shield Security Levels and Rules”, 196 and “Configuring Internet Shield Rule Alerts”, 203.
Firewall Services
Figure 3-16 Settings > Firewall Services
Service, short for Network Service, means a service that is available on the network, e.g. file sharing, remote console access, or web browsing. It is most often described by what protocol and port it uses.
Firewall Services Table (Global)
The Firewall Services Table displays a list of services that have been defined for the firewall. It is also possible to create or allow the end users to create new services for the firewall. For more information on how to add or modify firewall services, see “Adding New Services”, 269.
Application Control
Figure 3-17 Settings > Application Control
Application Rules for Known Applications
The Application Control page displays a list of known applications and the rules defined for them for inbound and outbound connection attempts.
Unknown Applications Reported by Hosts
The Unknown Applications Reported by Hosts list displays applications that the hosts have reported and for which no rules exist yet.
On this page you can also:
Select the default action for client applications.
Select the default action for server applications.
Select whether new applications are reported to you by selecting the Report new unknown applications check box.
Select whether Application Control should prompt the user when System Control has already identified the application as trusted or not.
Alert Sending
Figure 3-18 Settings > Alert Sending
General
In the General section you can:
Select the alerting language.
E-mail Alert Sending
Define the E-mail server address (SMTP).
Define the E-mail sender address and E-mail subject to be used when forwarding alerts by e-mail.
The Alert Forwarding table can be used to configure where the alerts that are of certain severity are to be forwarded. For examples on how to configure Anti-Virus alert forwarding, see “Configuring F-Secure Client Security Alert Sending”, 188. For examples on how to configure Internet Shield alert forwarding see “Configuring Internet Shield Rule...
The General section contains the following options:
Allow users to change all settings...
This option makes all the settings throughout the F-Secure Policy Manager Anti-Virus and Advanced Mode user interface non-final, which means that users are allowed to change any setting.
This option makes all the settings throughout the F-Secure Policy Manager Anti-Virus and Advanced Mode user interface final, which means that users are not allowed to change any setting. For more information on final settings, see “Settings Inheritance”, 118.
Status Tab
The different pages in the Status tab display detailed information on the status of certain components of centrally managed F-Secure Client Security applications. If you select a domain in the Policy Domains tab, the Status tab displays the status of all hosts in that domain. If a single host is selected, the Status tab displays the status of that host.
Context Menu on Status Tab
Figure 3-20 The context menu that you can open by right-clicking a row
By right-clicking any row on a Status tab page you can access a context menu that contains the following options:
Copy as Text copies the currently selected row(s) and column headings from the table as text.
The date and time when virus definitions were last updated
Virus definitions version
The date and time when virus definitions on F-Secure Gateway (GW) products were last updated
Virus definitions version on F-Secure Gateway products
The date and time when spyware definitions were last updated...
F-Secure Policy Manager. The virus definitions date and version information is also displayed for hosts that have F-Secure Anti-Virus for Citrix Servers, F-Secure Anti-Virus for Windows Servers, F-Secure Internet Gatekeeper or F-Secure Anti-Virus for Microsoft Exchange installed.
Internet Shield
Figure 3-23 Status > Internet Shield page
The Internet Shield page displays the following information:
Latest attack date and time in the Latest Attack Timestamp column
Latest attack service
Latest attack source
Recent attacks (this column can be sorted by clicking on the column header)
Recent attacks reset time.
Figure 3-24 Status > Installed Software
The Installed Software page displays a summary of the software installed on the host(s):
F-Secure Client Security software version (including the build number and possible hotfixes)
List of Anti-Spyware hotfixes
Whether Internet Shield is installed...
Policy file counter; this is the number of the policy file currently in use at the host.
The date when the last statistics update has been sent to the F-Secure Policy Manager
Whether the host is disconnected (this column can be sorted by clicking on the column header)
The number of new security alerts
The number of new fatal errors.
Host Properties
Figure 3-26 Status > Host Properties
The Host Properties page displays the following information for each host:
The WINS name of the host
The IP address of the host
The DNS name of the host
The operating system of the host.
3.3.5 Alerts Tab
Figure 3-27 Alerts tab
The Alerts tab displays alerts from the selected host(s) and domain(s). It can also be used to manage the alert reports.
The Alerts tab displays the following information for each alert:
severity (see “Viewing Alerts”, 224 for more information)
date and time...
When an alert is selected in the alert list, the lower half of the page displays more specific information about the alert: product, severity, originating host, and so on. F-Secure Client Security scanning alerts may also have an attached report. This report will be displayed in the lower half of the page.
3.3.6 Reports Tab
Figure 3-28 Reports tab
The Reports tab displays virus scanning reports from the selected host(s) and domain(s). It can also be used to manage the scanning reports.
The Reports tab displays the following information about each report:
severity
date and time
description...
For more information on how alerts can be used for monitoring, see “Viewing Scanning Reports”, 223.
3.3.7 Installation Tab
Figure 3-29 Installation tab
The Installation tab is the first one that opens when the Policy Manager Console is installed.
NT domain browse list of the Autodiscover view.
Import autoregistered hosts...: Hosts will send autoregistration messages to F-Secure Policy Manager whenever the first product is installed to the hosts. These new hosts are taken under policy management by importing them to the policy domain tree.
3.3.8 Operations Tab
Figure 3-30 Operations tab
The Operations tab contains two operations:
Update Virus Definitions Operation: With this operation you can order the selected hosts or all hosts in the selected domain to get new virus definitions at once.
Scan for Viruses and Spyware...: With this operation you can order the selected...
Toolbar
The toolbar contains buttons for the most common F-Secure Policy Manager Console tasks.
Saves the policy data.
Distributes the policy.
Go to the previous domain or host in the domain tree selection history.
Go to the next domain or host in the domain tree selection history.
Green signifies that the host has sent an autoregistration request.
Displays available installation packages.
Displays all alerts. The icon is highlighted if there are new alerts. When you start F-Secure Policy Manager Console, the icon is always highlighted.
Menu Commands...
Distribute Policies: Distributes the policy files.
Export Host Policy File: Exports the policy files.
Exit: Exits F-Secure Policy Manager Console.
Edit
Cuts selected items.
Paste: Pastes items to selected location.
Delete: Deletes selected items.
New Policy Domain: Adds a new domain.
Embedded Restriction Editors: Toggles between the embedded restriction editor and the restrictions dialog box.
Messages Pane: Shows/hides the Messages pane at bottom of screen.
Open on New Messages: Shows/hides the Messages pane at bottom of screen.
Back: Takes you to the previous domain or host in the domain tree selection history.
The settings in F-Secure Policy Manager Console can either be inherited from a higher level in the policy domain structure, or they may have been changed on the current level.
When necessary, settings can be defined as final, which means that the users are not allowed to change them. Final always forces the policy: the policy variable overrides any local host value, and the end user cannot change the value as long as the Final restriction is set. If the settings have not been defined as final, the users are allowed to change them.
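The inheritance and Final behaviour described above, as a small added model for auditing which hosts can drift from a required setting (this is not F-Secure code and not part of the original manual). It assumes that the nearest level that redefines a setting supplies both its value and its Final flag; the setting name `realtime_scanning` and all domain and host names are constructed.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, Iterator, List, Optional, Tuple


@dataclass(eq=False)
class Node:
    """A policy domain or host in a simplified policy domain tree."""
    name: str
    is_host: bool = False
    # setting -> (value, final) redefined on this level
    defined: Dict[str, Tuple[Any, bool]] = field(default_factory=dict)
    # setting -> value changed locally by the end user (hosts only)
    local: Dict[str, Any] = field(default_factory=dict)
    parent: Optional["Node"] = field(default=None, repr=False)
    children: List["Node"] = field(default_factory=list, repr=False)

    def add(self, child: "Node") -> "Node":
        child.parent = self
        self.children.append(child)
        return child


def policy_value(node: Node, setting: str) -> Optional[Tuple[Any, bool, str]]:
    """Walk up the tree; return (value, final, defining level) or None."""
    cur: Optional[Node] = node
    while cur is not None:
        if setting in cur.defined:
            value, final = cur.defined[setting]
            return value, final, cur.name
        cur = cur.parent
    return None


def effective_value(host: Node, setting: str) -> Any:
    """Value actually in force on a host after inheritance and Final."""
    resolved = policy_value(host, setting)
    if resolved is None:
        return host.local.get(setting)
    value, final, _ = resolved
    if final:
        return value  # Final: policy overrides any local host value
    return host.local.get(setting, value)  # non-final: user change wins


def hosts(node: Node) -> Iterator[Node]:
    """Yield every host below (or equal to) the given node."""
    if node.is_host:
        yield node
    for child in node.children:
        yield from hosts(child)


def audit(root: Node, setting: str, required: Any) -> List[Tuple[str, Any, str]]:
    """List hosts that differ from `required` or could be changed by the user."""
    findings = []
    for host in hosts(root):
        resolved = policy_value(host, setting)
        value = effective_value(host, setting)
        if value != required:
            findings.append((host.name, value, "DRIFT"))
        elif resolved is None or not resolved[1]:
            findings.append((host.name, value, "NOT_FINAL"))
    return findings


def build_sample_tree() -> Tuple[Node, Dict[str, Node]]:
    """Constructed sample: one root domain, two subdomains, three hosts."""
    root = Node("Root", defined={"realtime_scanning": (True, False)})
    servers = root.add(Node("Servers", defined={"realtime_scanning": (True, True)}))
    laptops = root.add(Node("Laptops"))  # inherits from Root, nothing redefined
    srv01 = servers.add(Node("srv01", is_host=True, local={"realtime_scanning": False}))
    lap01 = laptops.add(Node("lap01", is_host=True, local={"realtime_scanning": False}))
    lap02 = laptops.add(Node("lap02", is_host=True))
    return root, {"srv01": srv01, "lap01": lap01, "lap02": lap02}


if __name__ == "__main__":
    tree, _ = build_sample_tree()
    for name, value, reason in audit(tree, "realtime_scanning", True):
        print(f"{name}: effective={value} ({reason})")
```

In the sample, the local change on srv01 has no effect because its subdomain marks the setting Final, while lap01 has drifted and lap02 could drift.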
3.6.1 How Settings Inheritance is Displayed on the User Interface
Inherited settings and settings that have been redefined on the current level are displayed differently on the Policy Manager user interface:
A closed lock means that the user cannot change the setting, because it has been defined as final.
Clears all the settings that have been redefined on the current page and restores the default or inherited values. For more information on locking and unlocking all settings throughout the F-Secure Policy Manager user interface, see also “Centralized Management” (page 98) and “Preventing Users from Changing Settings” (page 187).
3.6.3 Settings Inheritance in Tables
The Firewall Security Levels Table and the Firewall Services Table are so-called global tables, which means that all computers in the domain have the same values. However, different subdomains and different hosts may have different security levels enabled. In tables the default values derived from MIBs are displayed as grey.
Setting Up the Managed Network
Overview
Logging in for the First Time
Creating the Domain Structure
Adding Hosts
Local Installation
Installing on an Infected Host
How to Check That the Management Connections Work
Overview
This chapter describes how to plan the managed network and the best ways to deploy F-Secure Client Security in different types of environments. F-Secure Policy Manager offers you several ways to deploy F-Secure Client Security in your company:...
4.2.1 Logging In
When you start F-Secure Policy Manager Console, the following dialog box will open. Click Options to expand the dialog box to include more options.
Figure 4-1 F-Secure Policy Manager Console Login dialog
The dialog box can be used to select defined connections. Each connection has individual preferences, which makes it easier to manage many servers with a single F-Secure Policy Manager Console instance.
2. Host connection status controls when hosts are considered disconnected from F-Secure Policy Manager. All hosts that have not contacted F-Secure Policy Manager Server within the defined interval are considered disconnected. The disconnected hosts will have a notification icon in the domain tree and they will appear beside the Disconnected Hosts in the Summary tab.
3. Note that it is possible to define an interval that is shorter than one day by simply typing in a floating point number in the setting field. For example, with a value of "0.5" all hosts that have not contacted the server within 12 hours are considered disconnected.
Creating the Domain Structure
If you want to use different security policies for different types of hosts (laptops, desktops, servers), for users in different parts of the organization or users with different levels of computer knowledge, it is a good idea to plan the domain structure based on these criteria.
Figure 4-4 An example of a policy domain: country offices as sub-domains
A third possibility is to group the hosts into subdomains based on the installed F-Secure Client Security version. You could, for example, group hosts that have F-Secure Client Security 6.x installed into one sub-domain, and hosts that have F-Secure Client Security 7.x installed...
The main methods of adding hosts to your policy domain, depending on your operating system, are as follows:
Import hosts directly from your Windows domain and install F-Secure Client Security on them remotely.
Import hosts through autoregistration after F-Secure Client Security has been installed on them locally.
‘Autodiscover Windows hosts’ from the Installation tab in F-Secure Policy Manager Console. Note that this also installs F-Secure Client Security on the imported hosts. In order to import hosts from a Windows domain, select the target domain, and choose ‘Autodiscover Windows hosts’...
Figure 4-5 Import Autoregistered Hosts dialog > Autoregistered Hosts tab
The Autoregistration view offers a tabular view to the data which the host sends in the autoregistration message. This includes the possible custom autoregistration properties that were included in the remote installation package during installation (see step 6 in Using the Customized Remote Installation JAR Package...
You can define the import rules for the autoregistered hosts on the Import Rules tab in the Import Autoregistered Hosts window. You can use the following as import criteria in the rules:
WINS name, DNS name, Dynamic DNS name, Custom Properties
These support * (asterisk) as a wildcard.
INSERT). This operation is useful in the following cases:
Learning and testing – You can try out a subset of F-Secure Policy Manager Console features without actually installing any software in addition to F-Secure Policy Manager Console. For example, you can create test domains and hosts, and try out policy inheritance features.
You need to have administrative rights to push install applications on hosts.
Before Installing the Hosts
Before you start to install F-Secure Client Security on hosts, you should make sure that there are no conflicting antivirus or firewall applications installed on them.
Autodiscover Windows Hosts
To install:
1. Select the policy domain for the hosts to which you will install F-Secure Client Security.
2. Open the Edit menu and select Autodiscover Windows Hosts (alternatively, click the button).
3. From the NT Domains list, select one of the domains and click Refresh.
F-Secure applications installed.
Resolve hosts with all details (slower): With this selection, all details about the hosts are shown, such as the versions of the operating system and F-Secure Management Agent.
Resolve host names and comments only (quicker): If all hosts are not shown in the detailed view or it takes too much time to retrieve the list, this selection can be used.
Next to continue. You can click Browse to check the F-Secure Management Agent version(s) on the host(s).
4. After you have selected your target hosts, continue to “Push Installation After Target Host Selection” (page 139) for instructions on push-installing the applications to hosts.
1. Select the installation package, and click Next to continue.
2. Select the products to install. You can choose to force reinstallation if applications with the same version number already exist. Click Next to continue.
3. Choose to accept the default policy, or specify which host or domain policy should be used as an anonymous policy.
4. Choose the user account and password for the push installation. Push Installation requires administrator rights for the target machine during the installation. If the account you entered does not have administrator rights on one of the remote hosts, an “Access denied”...
In the final dialog box, click Finish, and go to the next step.
6. F-Secure Policy Manager installs F-Secure Management Agent and the selected products on the hosts. During this process, the Status line will display the procedure in process. You can click...
F-Secure Management Agent installed. F-Secure Policy Manager Console creates an operation-specific installation package, which it stores on the F-Secure Policy Manager Server, and writes an installation task to the base policy files (thus, policy distribution is required to start installations). Both base policy files and the installation package are signed by the management key-pair so that only genuine information is accepted by the hosts.
The Installation Editor contains the following information about the products that are installed on your target policy domain or host:
Product Name: Name of the product, which is either installed on a host or domain, or which can be installed with an available installation package.
Installation Editor launches the Installation Wizard, which queries the user for the installation parameters. The Installation Editor then prepares a distribution installation package that is customized for the specific installation operation. The new package is saved on F-Secure Policy Manager Server. Start button is used to start the installation operations selected in the Version to Install field.
Because the installation operation uses policy-based triggering, you must distribute new policy files. The policy file will contain an entry that tells the host to fetch the installation package and perform the installation. Note that it may take a considerable length of time to carry out an installation operation.
For example, if uninstalling F-Secure Anti-Virus and F-Secure Management Agent:
1. Uninstall F-Secure Anti-Virus.
2. Wait for F-Secure Policy Manager Console to report the success or failure of the uninstallation.
3. If F-Secure Anti-Virus was uninstalled successfully, uninstall F-Secure Management Agent.
4. Specify the file format, JAR or MSI, and the location where you want to save the customized installation package. Click Export.
5. Select the products you want to install (F-Secure Management Agent will be installed by default). Click Next to continue.
7. A summary page shows your choices for the installation. Review the summary and click Start to continue to the installation wizard.
8. F-Secure Policy Manager Console displays the Remote Installation Wizard that collects all necessary setup information for the selected products.
a. Read the Remote Installation Wizard Welcome Screen.
standard host identification properties in the Autoregistration view. The custom property name will be the column name, and the value will be presented as a cell value. One example of how to utilize custom properties is to create a separate installation package for different organizational units, which should be grouped under unit-specific policy domains.
ILAUNCHR has the following command line parameters:
/U — Unattended. No messages are displayed, even when a fatal error occurs.
/F — Forced installation. Completes the installation even if F-Secure Management Agent is already installed.
Enter ILAUNCHR /? at the command line to display complete help.
Admin.pub key file to workstations.
4.5.1 Local Installation System Requirements
In order to install F-Secure Client Security, your system must meet the following minimum requirements.
For Microsoft Vista:
Processor: A processor capable of running Microsoft...
Processor: A processor capable of running Microsoft Vista 32-bit or 64-bit (2GHz or faster processor recommended)
Free hard disk space: 200MB of free hard drive space (300MB recommended)
Internet connection: An Internet connection is required to validate your subscription and to receive updates
Internet Browser: Internet Explorer 7 or newer...
Providing a Copy of the Admin.pub Key File to Workstations
When setting up workstations, you must provide them with a copy of the Admin.pub key file (or access to it). If you install the F-Secure products on the workstations remotely with F-Secure Policy Manager, a copy of the...
Administrator’s Guide.
Installing on an Infected Host
If the host on which you are going to install F-Secure Client Security is infected with some variant of the Klez virus, you should run the Klez removal tool on the host before starting the installation. This is because the Ilaunchr.exe installation tool cannot be run on a computer that is...
How to Check That the Management Connections Work
1. Check the Policy Distribution Status on the Summary tab. Save and distribute the policies if necessary.
2. Go to the Status tab and select Centralized Management page. Check the timestamp and counter of the policy file currently in use.
Overview: What can Virus and Spyware Protection be Used for?
The Virus and Spyware Protection in F-Secure Client Security consists of Automatic Updates, Manual Scanning, Scheduled Scanning, Real-Time Scanning, Spyware Scanning, System Control, Rootkit Scanning, E-Mail Scanning, Web Traffic Scanning, Outbreak Management and the Virus News service.
Configuring Automatic Updates
This section explains the different configuration settings available for Automatic Updates in F-Secure Policy Manager, and gives some practical configuration examples for hosts with different protection needs. By following these instructions you can always keep the virus and spyware definitions on hosts up-to-date, and choose the best update source based on user needs.
5.2.1 How do Automatic Updates Work?
The Automatic Update Agent installed with F-Secure Client Security tries to download the automatic updates from the configured update sources in the following order:
a. If there are Policy Manager Proxies in use in the company network, the client tries to connect to F-Secure Policy Manager Server through each Policy Manager Proxy in turn.
Policy Manager Proxy is a list of F-Secure Policy Manager Proxy servers available to you. The Automatic Update Agent installed with F-Secure Client Security connects to them in the priority order specified in this table. If you want to use HTTP Proxy, select From Browser settings or User-defined from the use HTTP Proxy drop-down menu.
Policy Manager Proxy in the office where the host is normally located, and 20, 30 and so on for the other Proxies.
6. Enter the URL of the F-Secure Policy Manager Proxy in the Server address text box. Then click OK.
Configuring Clients to Download Updates from Each Other
You can configure F-Secure Automatic Update Agent so that updates are downloaded from each other in addition to any existing servers or proxies. This feature is known as neighborcast. In this way updates may be...
Configuring Real-Time Scanning
Real-Time Scanning keeps the computer protected all the time, as it scans files when they are accessed, opened or closed. It runs in the background, which means that once it has been set up, it is basically transparent to the user.
From the Action on infection drop-down list, you can select the action F-Secure Client Security will take when an infected file is detected. Choose one of the following actions: Action...
Quarantine repository.
File Extension Handling
F-Secure Client Security has a list of included extensions defined in the policy (this can be ‘all files’). ‘Included extensions’ can also be part of a virus definitions update. These included extensions are first combined by F-Secure Client Security, and then any ‘excluded extensions’...
1. Select Root in the Policy Domains tab.
2. Go to the Settings tab and select the Real-Time Scanning page.
3. Select the Real-time scanning enabled check box.
4. Select Files with These Extensions from the Files to scan: drop-down list.
8. Click to save the policy data.
9. Click to distribute the policy.
5.3.4 Excluding Microsoft Outlook's .pst File from Real-Time Scanning
If you have set real-time scanning to scan all files, you might want to exclude Microsoft Outlook’s .PST file from the scanning in order not to slow down the system unnecessarily, as PST files are typically very large and take a long time to scan.
Configuring System Control
F-Secure System Control is a new, host-based intrusion prevention system that analyzes the behavior of files and programs. It can be used to block intrusive ad pop-ups and to protect important system settings, as well as Internet Explorer settings against unwanted changes.
System Control Server Queries (DeepGuard 2.0)
Select Use server queries to improve detection accuracy to check with F-Secure servers when System Control detects an unknown application. We recommend that you enable server queries for two reasons: a computer with server queries enabled has a higher level of protection.
5.5.1 Rootkit Scanning Configuration Settings
Select Enable rootkit scanning to enable scanning for files and drives hidden by rootkits. This option also enables users to run local quick scans for rootkits and other hidden items.
Select Include rootkit scanning in full computer check to scan for items hidden by rootkits when a full computer check is started from the local host, or when a manual scanning operation is launched from Policy Manager Console.
9. After the scanning operation on the local hosts has finished, you can view from the Scan Reports on Reports tab whether any rootkits were detected.
Configuring E-mail Scanning
E-mail Scanning can be used to keep both inbound and outbound e-mails protected against viruses.
2. Action if scanning fails:
Remove Attachment deletes the attachment.
Report Only ignores the attachment but reports it to the administrator.
3. Action on malformed message parts:
Drop Message Part deletes the message.
Report Only ignores the malformed message part but reports it to the administrator.
All attachments will be scanned, regardless of their file extension.
Attachments with These Extensions: Attachments with specified extensions will be scanned. To specify files that have no extension, type ‘.’. You can use the wildcard ‘?’ to represent any letter. Enter each file extension separated by a space.
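The extension-list rules from the File Extension Handling and Attachments with These Extensions settings, as an added Python sketch (not F-Secure code) for checking which file names a given list leaves unscanned. It assumes that excluded extensions take precedence over the combined include list, that only the last extension of a name counts, that matching is case-insensitive, and that ‘?’ matches exactly one character; all function names and sample values are hypothetical.

```python
import re


def parse_extension_list(setting):
    """Split a space-separated extension setting into lower-case patterns.

    A lone '.' stands for "files that have no extension" and is stored as ''.
    """
    patterns = []
    for token in setting.split():
        patterns.append("" if token == "." else token.lstrip(".").lower())
    return patterns


def extension_of(filename):
    """Return the last extension of a file name, lower-cased ('' if none)."""
    base = re.split(r"[\\/]", filename)[-1]      # accept both path separators
    _, dot, ext = base.rpartition(".")
    return ext.lower() if dot else ""


def matches(pattern, ext):
    """'?' stands for exactly one character (assumption: not only letters)."""
    if len(pattern) != len(ext):
        return False
    return all(p == "?" or p == c for p, c in zip(pattern, ext))


def is_scanned(filename, included, excluded="", from_definitions="",
               scan_all=False):
    """Decide whether a file falls inside the configured scanning scope.

    included          extensions set in the policy
    from_definitions  extensions delivered with a virus definitions update
    excluded          extensions removed from the combined list (assumed to
                      win over both include sources and over 'all files')
    """
    ext = extension_of(filename)
    if any(matches(p, ext) for p in parse_extension_list(excluded)):
        return False
    if scan_all:
        return True
    combined = parse_extension_list(included) + parse_extension_list(from_definitions)
    return any(matches(p, ext) for p in combined)


def coverage_gaps(names, included, excluded="", from_definitions="",
                  scan_all=False):
    """Return the names that the configuration would leave unscanned."""
    return [n for n in names
            if not is_scanned(n, included, excluded, from_definitions, scan_all)]


# Constructed sample values, not taken from any real policy or mailbox.
INCLUDED = "exe com do? xl? ."
FROM_DEFINITIONS = "scr"
EXCLUDED = "pst"
SAMPLE_NAMES = [
    "invoice.pdf.exe",        # last extension is exe: scanned
    "report.DOC",             # matches do? case-insensitively: scanned
    "macro.docm",             # four characters, do? covers only three: gap
    "C:\\mail\\archive.pst",  # explicitly excluded: gap by design
    "README",                 # no extension, covered by '.': scanned
    "setup.ex_",              # not in the list: gap
    "photos.zip",             # not in the list: gap
    "saver.scr",              # covered by the definitions update: scanned
]

if __name__ == "__main__":
    for name in coverage_gaps(SAMPLE_NAMES, INCLUDED, EXCLUDED, FROM_DEFINITIONS):
        print("not scanned:", name)
```

Running a list of real attachment or file names through `coverage_gaps` before distributing a policy shows which types an extension-based setting silently skips, such as the four-character Office formats in the sample.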
Step 2. Configure Incoming E-mail Scanning
1. Select Enable Incoming E-mail Scanning.
2. Select the action to take from the Action on incoming infected attachment drop-down list. For explanations of the different actions, see “E-mail Scanning Configuration Settings” (page 172).
3.
Configuring Web Traffic (HTTP) Scanning
Web Traffic Scanning can be used to protect the computer against viruses in HTTP traffic. When enabled, it scans HTML files, image files, downloaded applications or executable files and other types of downloaded files. It removes viruses automatically from the downloads. You can also enable a notification flyer that is shown to the end-user every time Web Traffic Scanning has blocked viruses in web traffic and downloads.
5.7.2 Enabling Web Traffic Scanning for the Whole Domain
In this example HTTP scanning is enabled for the whole domain.
1. Select Root in the Policy Domains tab.
2. Go to the Settings tab and select the HTTP Scanning page.
3.
1. Click the button under the Trusted Sites table. This creates a new line in the table.
2. Click on the line you just created so that it becomes active, and type http://*.example.com/*
This excludes all the sub-domains.
3. Click the button under the Trusted Sites table.
Some spyware may be necessary to run ordinary applications, while most spyware is just malware and should not be allowed to run even once. By default, F-Secure Spyware Scanning is configured to allow all spyware to run. You can check whether you need to allow some spyware to run on your network before you tighten the security and prevent all new spyware from executing.
From the Action on spyware drop-down list, you can select the action to take when spyware is detected. Choose one of the following actions:
Report only: The spyware is reported only, but no action is taken.
Ask after scan: The user is prompted to select what to do with the spyware.
The Configure other spyware scanning options in advanced mode link takes you to the F-Secure Policy Manager Console Advanced Mode user interface, where other spyware scanning options can be configured.
Manual Spyware Scanning
To enable manual spyware scanning, select the Scan for spyware during manual virus scanning check box.
Spyware and Riskware Reported by Hosts
The Spyware and Riskware Reported by Hosts table contains the following information:
Spyware or Riskware Name: Displays the name of the spyware object or riskware.
Type: Displays the spyware type. The type can be adware, data miner, dialer, malware, monitoring tool, porn dialer, riskware, vulnerability, worm, cookie (tracking cookie) or misc...
The Spyware Reported by Hosts will be cleaned if you run a manual spyware scan on the hosts, as well as when quarantined spyware is removed periodically on the hosts.
Default Spyware Handling
If the Change spyware control to automatically quarantine all new spyware setting is selected, all new spyware that is not explicitly allowed by the administrator is quarantined automatically.
Spyware Control also detects riskware. Riskware is any program that does not intentionally cause harm but can be dangerous if misused, especially if set up incorrectly. Examples of such programs are chat programs (IRC), or file transfer programs. If you want to allow the use of these programs in the managed domain, you should include them in the test environment and allow their use when you are checking and configuring rules for the applications in Spyware and Riskware Reported...
Step 3. Changing Spyware Scanning to Quarantine Automatically Configuration
Configure the Default Spyware Handling settings:
1. If you want to make sure that users cannot allow any spyware or riskware to run on their computers, make sure that Permit users to allow spyware is set to Not allowed.
4. As the manual scanning task also includes manual virus scanning, check the settings in the Manual Virus Scanning section, and modify them if necessary.
5. Go to the Operations tab, and click the Scan for Viruses and Spyware button. Note that you have to distribute the policy for the operation to start.
Preventing Users from Changing Settings
If you want to make sure that the users cannot change some or any of the Virus Protection Settings, you can set these settings final. There are different possibilities for doing this:
If you want to prevent users from changing a certain setting, click on the lock symbol beside it.
5.10.1 Setting F-Secure Client Security to Send Virus Alerts to an E-mail Address
In this example all the security alerts that the managed F-Secure Client Security clients generate are forwarded to e-mail.
Step 1.
<host>[:<port>]
where "host" is the DNS-name or IP-address of the SMTP server, and "port" is the SMTP server port number.
2. Enter the sender’s address for e-mail alert messages in the E-mail sender address (From): field.
3. Enter the e-mail alert message subject in the E-mail subject: field. See the MIB help text for a list of possible parameters to use in the message subject.
Testing your Antivirus Protection
To test whether F-Secure Client Security operates correctly, you can use a special test file that is detected by F-Secure Client Security as though it were a virus. This file, known as the EICAR Standard Anti-Virus Test File, is also detected by several other anti-virus programs.
MS-DOS ASCII format. Note also that the third character of the extension is an upper-case O, not numeral 0.
3. Now you can use this file to see what it looks like when F-Secure Client Security detects a virus. Naturally, the file is not a virus. When executed without any virus protection, EICAR.COM displays the text...
Configuring Internet Shield
Overview: What can Internet Shield be Used for?
Configuring Internet Shield Security Levels and Rules
Configuring Network Quarantine
Configuring Internet Shield Rule Alerts
Configuring Application Control
How to use Alerts for Checking that Internet Shield Works?
Configuring the Intrusion Prevention
For detailed explanations of different security levels, see “Global Firewall Security Levels” (page 193).
6.1.1 Global Firewall Security Levels
The Global Firewall Security levels that exist in the F-Secure Internet Shield are:
Network quarantine: If the Network Quarantine feature is enabled, this security level will be automatically selected when the network quarantine criteria on the host are met.
Block all: This security level blocks all network traffic.
Mobile: This security level allows normal web browsing and file retrievals (HTTP, HTTPS, FTP), as well as e-mail and Usenet news traffic. Encryption programs, such as VPN and SSH, are also allowed.
Disabled: In this security level all network traffic, inbound and outbound, is allowed and no alerts are generated. Local rules cannot be created.
6.1.2 Security Level Design Principles
Each security level has a set of pre-configured Firewall Rules. In addition, you can create new rules for all security levels for which the Filtering Mode Normal is displayed in the Firewall Security Levels table.
Configuring Internet Shield Security Levels and Rules
This section explains how you can set and select the security levels based on the users' needs. In the practical configuration examples it is assumed that the managed hosts have been imported into the domain structure that was created in chapter 4, which means that, for example, laptops and desktops are located in their own subdomains.
You can verify that the new security level change has become effective by going to the Status tab and selecting the Overall Protection window. If the selected security level cannot be used for some reason, the default security level is used instead. The current default security level can be seen in the Global Security Levels table on the Firewall Security levels page.
6.2.3 Adding a New Security Level for a Certain Domain Only
In this example a new security level with two associated rules is created. The new security level is added only for one subdomain and the hosts are forced to use the new security level. This subdomain contains computers that are used only for Internet browsing, and are not connected to the company LAN.
3. Click Add Before to add a rule that allows outbound HTTP traffic as the first one on the list. This opens the Firewall Rule Wizard.
4. In the Rule Type window select Allow as the rule type.
5.
3. Disable the BrowserSecurity security level by clearing the Enabled check box beside it in the Firewall Security Levels table.
4. Select the subdomain where you want to use this security level in the Policy Domains tab.
5. Enable the BrowserSecurity security level by selecting the Enabled check box beside it in the Firewall Security Levels table.
Configuring Network Quarantine
Network Quarantine is an Internet Shield feature that makes it possible to restrict the network access of hosts that have very old virus definitions and/or that have Real-time Scanning disabled. Their normal access rights are automatically restored once the virus definitions are updated and/or Real-time Scanning is enabled again.
6. Click to save the policy data.
7. Click to distribute the policy.
6.3.3 Fine-Tuning Network Quarantine
Network Quarantine is implemented by forcing hosts to the Network Quarantine security level, which has a restricted set of firewall rules. You can add new Allow rules to the firewall rules in the Network Quarantine security level to allow additional network access to hosts in Network Quarantine.
Configuring Internet Shield Rule Alerts
Internet Shield rule alerts can be used to get notifications if certain types of malware try to access the computers. It is possible to issue an alert every time a rule is hit or when illegal datagrams are received, which makes it easy to see what kind of traffic is going on in your system.
Step 3. Specify Affected Hosts
Choose whether to apply this rule to all connections or to selected connections only. You can either:
Check the Any remote host option to apply the rule to all Internet connections,
Check the All hosts on locally connected networks option to apply the rule to all connections from the local network
Check the Specified remote hosts option to apply the rule to an IP address, a range of IP addresses or DNS addresses.
Network event: inbound service denied.
4. Enter a descriptive comment for the alert in the Alert comment: field. This comment is displayed in the F-Secure Client Security local user interface.
5. You can accept the default values for the rest of the fields in this window.
You can also add a descriptive comment for the rule to help you understand the rule when it is displayed in the Firewall Rules Table. If you need to make any changes to the rule, click Back through the rule. If you are satisfied with your new rule, click Finish.
1. Select the subdomain for which you created the rule in the Policy Domains tab.
2. Go to the Summary tab, and check if any new security alerts are displayed for the domain.
3. To see the alert details, click View alerts by severity..
How Application Control and System Control Work Together?
When Application Control detects an outbound connection attempt, and when it is set to prompt the user to decide whether to allow or deny the connection, you can set Application Control to check from System Control whether the connection should be allowed.
6.5.1 Application Control Configuration Settings
The Application Control page displays the following information:
Application Rules for Known Applications
Application: Displays the executable file name.
Act as Client (out): The following actions are available: Deny, Allow, User Decision. See below for explanations.
Act as Server (in): The following actions are available: Deny, Allow, User Decision.
You can decide what happens when the application tries to connect to the network with the Default Action for client applications and Default action for server applications selections. The possible actions are:
Deny: Denies all of the application’s connections to the network.
3. Select Report from the Send notifications for new applications drop-down list, so that the new applications will appear on the Unknown Applications Reported by Hosts list.
4. Define the allow rules for these applications. For more information, see “Creating a Rule for an Unknown Application on Root Level” (page 212).
4. Click to distribute the policy.
6.5.3 Creating a Rule for an Unknown Application on Root Level
In this example a rule will be created to deny the use of Internet Explorer 4. In this case it is assumed that it already appears on the Unknown Applications Reported by Hosts list.
Step 4. Select the Rule Target
1. Select the domain or host that the rule affects from the domains and hosts displayed in the window. If the target host or domain already has a rule defined for any of the applications affected by the rule, you are prompted to select whether to proceed and overwrite the existing rule at the host.
Step 2. Edit the Application Rule Type
1. Select the action to take when the application acts as a client and tries to make an outbound connection. In this case select Allow for Act as Client (out).
2. Select the action to take when the application acts as a server and an inbound connection attempt is made.
1. Select Root in the Policy Domains tab.
2. Go to the Settings tab and select the Application Control page. On this page select:
Allow from the Default action for server applications drop-down list.
Allow from the Default action for client applications drop-down list.
3. To start the creation of the new rule, click Before. This starts the Firewall Rule Wizard.
4. In the Rule Type window select Allow.
5. In the Remote hosts window select Any remote host.
6. In the Services window select Ping from the Service drop-down list, and both from the Directions drop-down list.
6.7.1 Intrusion Prevention Configuration Settings
The Intrusion Prevention configuration settings can be found in the Intrusion Prevention section on the Firewall Security Levels page.
Enable intrusion prevention: If enabled, intrusion prevention is used to monitor inbound traffic in order to find intrusion attempts. If disabled, intrusion prevention does not monitor traffic.
What is a False Positive?
A false positive is an alert that wrongly indicates that the related event has happened. In the F-Secure Client Security Internet Shield the alert text usually indicates this by using words like "probable" or "possible". These kinds of alerts should be eliminated or minimized.
Page 219
CHAPTER 6 3. Select the Enable intrusion prevention check box. 4. Select Log without dropping from the Action on malicious packet: drop-down list. 5. Select Warning from the Alert severity: drop-down list. 6. Select 25% from the Detection sensitivity: drop-down list. Step 2.
HOW TO CHECK THAT ENVIRONMENT IS PROTECTED
Overview, 221
How to Check the Protection Status from Outbreak Tab, 221
How to Check that all the Hosts Have the Latest Policy, 221
How to Check that the Server has the Latest Virus Definitions, 222
How to Check that the Hosts have the Latest Virus Definitions, 222
How to Check that there are no Disconnected Hosts...
1. Select Root in the Policy Domains tab. 2. Go to the Outbreak tab. It displays a list of F-Secure Virus News items, and shows how many hosts are protected against each virus. When you select a news item, detailed information about that virus is displayed.
4. On the Centralized Management page you can see which of the hosts do not have the latest policy. You can also see the possible reasons for this: for example, the host is disconnected or there has been a fatal error at the host. How to Check that the Server has the Latest Virus Definitions 1.
CHAPTER 7 How to Check that there are no Disconnected Hosts 1. Select Root in the Policy Domains tab. 2. Go to the Summary tab and check what is displayed in the Domain section beside Disconnected hosts. 3. If there are disconnected hosts, click View disconnected hosts..
Viewing Alerts
If there has been a problem with a program or with an operation, the hosts can send alerts and reports about it. It is a good idea to check regularly that there are no new alerts, and also to acknowledge (and delete) the alerts whose causes you have already troubleshot.
If you want to create a weekly infection report (or some other report to be generated at regular intervals), you have two options: F-Secure Policy Manager Web Reporting, a web based tool with which you can generate a wide range of graphical reports from F-Secure Client Security alerts and status information.
Page 226
3. Check what is displayed beside Most common recent attack. If there has been an attack, you can access more detailed information by clicking View Internet Shield Status... This takes you to the Status tab and Internet Shield page, where you can see detailed information on the latest and recent attacks on different hosts.
Installation Editor creates policy-based installation tasks that each host in the target domain will carry out after the next policy update. It is also possible to upgrade F-Secure Client Security by using any other installation scheme explained in “Adding Hosts”, 130...
Page 229
CHAPTER 8 Installed Version Version number of the product. If there are multiple versions of the product installed, all version numbers will be displayed. For hosts, this is always a single version number. Version to Install Version numbers of the available installation packages for the product.
Page 230
The Installation Editor then prepares a distribution installation package that is customized for the specific installation operation. The new package is saved on F-Secure Policy Manager Server. The Start button is used to start the installation operations selected in the Version to Install field.
Page 231
CHAPTER 8 operation from the policy by clicking Stop All. This will cancel the installation operations defined for the selected policy domain or host. It is possible to stop all installation tasks in the selected domain and all subdomains by selecting the Recursively cancel installation for subdomains and hosts option in the confirmation dialog.
Viewing the Latest Scanning Report on a Local Host, 234
Adding a Scheduled Scan from a Local Host, 234
Logging and Log File Locations on Local Hosts, 235
Connecting to F-Secure Policy Manager and Importing a Policy File Manually, 239
Suspending Downloads and Updates, 240...
Show report to view the report in your Web browser. When you perform a scan, F-Secure Client Security uses the manual scanning settings from the current Virus Protection level. You can see the scanning report also in the scanning report list on...
Viewing the Latest Scanning Report on a Local Host The Virus & Spy Protection tab in the F-Secure Client Security user interface displays the scanning report status. If you have an unread report waiting, the status is shown as “New report available”. You can access the report by clicking View..
Advanced Mode user interface, see “Configuring Scheduled Scanning”, 255.
Logging and Log File Locations on Local Hosts
From the F-Secure Client Security local user interface you can access several log files that provide you with data about the network traffic.
9.5.1 The LogFile.log file
LogFile.log contains all alerts that F-Secure Client Security has generated...
The log format is binary and is compatible with the tcpdump format. It can be read either with the packet log viewer provided by F-Secure or with a common packet logging application like Wireshark. 4. To view the packetlog file, double click it in the window.
CHAPTER 9
Home users can use the packet logging to record evidence of intrusion attempts.
The Logging Directory
The logging directory is defined when installing the application. It can be changed by clicking Browse.
9.5.3 The Action.log file
The action log continuously collects data about the actions taken by the firewall.
Page 238
Receiving connection
If the application has opened a LISTEN connection, it is acting as a server, and remote computers can connect to the port for which the connection was opened. The action log also records these connections.
07/15/03 16:48:00 info appl control unknown allow...
Connecting to F-Secure Policy Manager and Importing a Policy File Manually If you need to initialize a connection from the local host to the F-Secure Policy Manager Server, you can do it as follows: 1. Go to the Central Management page, where you can see the date and time of last connection to the Policy Manager Server.
Suspending Downloads and Updates This option is configured from the F-Secure Policy Manager Console. It is useful for hosts that are sometimes used via a slow dial-up line. When this option is enabled, the user is allowed to suspend network communications, for example automatic polling of policies, sending statistics and Automatic Updates, temporarily.
Page 241
CHAPTER 9 3. Select one of the options from the Allow users to unload products drop-down menu. 4. Click to save the policy data. 5. Click to distribute the policy.
VIRUS INFORMATION
Malware Information and Tools on the F-Secure Web Pages, 243
How to Send a Virus Sample to F-Secure, 244
What to Do in Case of a Virus Outbreak?, 248...
CHAPTER 10
10.1 Malware Information and Tools on the F-Secure Web Pages
You can find a list of sources of information about malware and useful tools at: http://www.f-secure.com/security_center/
For information on the latest security threats you can check these sources:
The F-Secure blog: http://www.f-secure.com/weblog/...
10.2 How to Send a Virus Sample to F-Secure This section is for advanced users. This section covers the following topics for sending a virus sample to F-Secure Security Lab: How to package a virus sample What files to send...
Page 245
2. A false alarm from one of our antivirus products If you receive a missed or incorrect detection, or a false alarm with F-Secure Client Security, try to send us the following: the file in question the F-Secure Client Security version number...
Page 246
If an infection or false alarm is on a CD, you can send the CD to our office in Finland. For the address, see below. Please include a description of the problem, and a printed F-Secure Client Security report, if possible. We will return your CD if it has no...
3. If the sample is on some physical media, for example a CD, DVD or USB drive, you can send the physical media to us at:
Security Labs
F-Secure Corporation
Tammasaarenkatu 7
PL 24
00181 Helsinki
Finland
10.2.4 In What Language...
Support through our support web page: http://support.f-secure.com If you need urgent assistance, please point it out in your message. 4. If it is a new virus, try to locate a sample and send it to F-Secure Security Labs through the sample submission webform at: http://www.f-secure.com/samples Provide as much information about the problem as possible.
Page 249
7. When provided with a disinfection solution, test it on one computer first. If it works, it can be applied to all infected computers. Scan the cleaned computers with F-Secure Client Security and the latest virus definitions updates to ensure that no infected files are left.
Page 250
SETTING UP THE CISCO NAC PLUGIN
Introduction, 251
Installing the Cisco NAC Plugin, 251
Attributes to be Used for Application Posture Token, 252...
F-Secure NAC plug-in communicates with Cisco® Trust Agent (CTA), a client software on the hosts that collects the security related information from the host and communicates the data to Cisco Secure Access Control Server (ACS).
For more information about CSUtil, see Cisco ACS documentation.
11.3 Attributes to be Used for Application Posture Token
To configure the Cisco ACS server to monitor F-Secure product related security attributes, do the following:
1. Select the External User Databases button on the Cisco ACS server user interface.
Page 253
CHAPTER 11
Posture Validation Attributes for Anti-Virus
Attribute-name       Type               Example
Software-Name        string             F-Secure Anti-Virus
Software-Version     version            8.0.0.0
Dat-Date             date               [the date of database]
Protection-Enabled   unsigned integer   1=enabled, 0=disabled
Posture Validation Attributes for Firewall
Attribute-name       Type               Example
Software-Name        string             F-Secure Internet...
Page 254
ADVANCED FEATURES: VIRUS AND SPYWARE PROTECTION
Overview, 255
Configuring Scheduled Scanning, 255
Advanced System Control Settings, 257
Configuring Policy Manager Proxy, 260
Configuring Automatic Updates on Hosts from Policy Manager Proxy, 260
Configuring a Host for SNMP Management, 261
Excluding an Application from the Web Traffic Scanner...
2. Select Root in the Policy Domains pane. 3. Select the Policy tab in the Properties pane (the middle pane). 4. On the Policy tab, select: F-Secure/F-Secure Anti-Virus 5. On the Product View pane (on the right) select the Scheduling Table page.
Page 256
9. Next click the Scheduling Parameters cell, and then click Edit. Now you can enter the parameters for the scheduled scan. A scheduled scan that is to be run weekly, every Monday starting at 8 p.m., from August 25, 2003 onwards, is configured as follows: ‘/t20:00 /b2003-08-25 /rweekly’...
2. Select Root in the Policy Domains pane. 3. Select the Policy tab in the Properties pane (the middle pane). 4. On the Policy tab, select: F-Secure > F-Secure System Control > Settings > Show Notification Flyer on Deny Events...
2. Select Root in the Policy Domains pane. 3. Select the Policy tab in the Properties pane (the middle pane). 4. On the Policy tab, select: F-Secure > F-Secure System Control > Settings > Local Administrator Control 5. Select All processes in the Product View pane.
Page 259
3. Select Root in the Policy Domains pane. 4. Select the Policy tab in the Properties pane (the middle pane). 5. On the Policy tab, select: F-Secure > F-Secure System Control > Settings > Applications 6. Click to add a new rule.
F-Secure Update server or the corporate F-Secure Policy Manager Server. F-Secure Policy Manager Proxy resides in the same remote network as the hosts that use it as a database distribution point. There should be one F-Secure Policy Manager Proxy in every network that is behind slow network lines.
6. When you have added all the proxies, click OK.
12.6 Configuring a Host for SNMP Management
The F-Secure SNMP Management Extension is a Windows NT SNMP extension agent, which is loaded and unloaded with the master agent. The SNMP service normally starts on Windows start-up so the extension agent is always loaded.
Mode. 2. Select the Policy tab in the Properties pane. 3. On the Policy tab select F-Secure Client Security > Select Protocol Scanner > Trusted Applications > List of Trusted Processes. 4. Type the name of the process to exclude from the Web Traffic Scanner.
3. Select the Policy tab in the Properties pane (the middle pane). 4. On the Policy tab, select: \F-Secure Internet Shield 5. Select the Logging tab in the Product View pane (on the right). This variable normally shows the status of the packet logging: Disabled means that it is not running, and Enabled means that it is currently running on the host.
Policy Domains pane. 3. Select the Policy tab in the Properties pane (the middle pane). 4. On the Policy tab, select the following path: \F-Secure Internet Shield\Settings\Firewall Engine\Allow Trusted Interface Select Enabled to enable Trusted Interface for the currently selected subdomain.
3. Select the Policy tab in the Properties pane (the middle pane). 4. On the Policy tab, select the following path: \F-Secure Internet Shield\Settings\Firewall Engine\Firewall Engine To make sure the packet filtering is always enabled, set this variable to Yes, and select the Final check box. Remember to distribute the policy to enforce the change.
Page 267
CHAPTER 13 3. Select the Policy tab in the Properties pane (the middle pane). 4. On the Policy tab, select the following path: \F-Secure\F-Secure Internet Shield 5. In the Product View pane (on the right) select the Security Level Autoselection page.
9. The first security level is now ready. Click to add the second security level, in this example Mobile. 10. Enter the data in the cells by selecting a cell and clicking Edit. For the Mobile security level you should add the following data: Priority: The rules are checked in the order defined by the priority numbers, starting from the smallest number.
11. If nothing else helps, unload F-Secure products or set the Internet Shield to allow all mode. If even this does not help, it is likely that the problem is in routing or in some other component in the computer the user tries to connect to.
13.5.1 Creating a New Internet Service based on the Default HTTP
In this example it is assumed that there is a web server running on a computer, and that web server is configured to use a non-standard web port. Normally a web server would serve TCP/IP port 80, but in this example it has been configured to serve port 8000.
Page 271
CHAPTER 13 Step 2. IP Protocol Number Select a protocol number for this service from the Protocol drop-down list. It contains the most commonly used protocols (TCP, UDP, ICMP). If your service uses any other protocol, refer to the table below and enter the respective number.
Page 272
Protocol Name   Protocol Number   Full Name
ICMP                              Internet Control Message Protocol
IGMP                              Internet Group Management Protocol
IPIP                              IPIP Tunnels (IP in IP)
                                  Transmission Control Protocol
                                  Exterior Gateway Protocol
                                  Xerox PUP routing protocol
                                  User Datagram Protocol
                                  Xerox NS Internet Datagram Protocol
IPV6                              IP Version 6 encapsulation in IP version 4
RSVP...
Page 273
                                  Authentication Header protocol
                                  Protocol Independent Multicast
COMP                              Compression Header protocol
                                  Raw IP packets
Step 3. Initiator Ports
If your service uses the TCP or UDP protocol, you need to define the initiator ports the service covers. The format for entering the ports and port ranges is as follows: “>port”...
Page 274
In this example, define the initiator port as >1023. Step 4. Responder Ports If your service uses the TCP or UDP protocol, you need to define the responder ports the service covers. In this example, define the responder port as 8000.
Page 275
CHAPTER 13 Step 5. Classification Number Select a classification number for the service from the drop down list. You can accept the default value. Step 6. Extra Filtering Select whether any extra filtering is to be applied for the traffic allowed by the service you are creating, in addition to the normal packet and stateful filtering.
Page 276
In this example you can accept the default, Disabled. When the service uses TCP protocol, and you do not have Application Control enabled, you can select Active mode FTP from the Extra Filtering drop-down menu. Active mode FTP requires special handling from the Firewall, as the information about the port that should be opened for the connection is included in the transferred data.
Page 277
CHAPTER 13 Step 7. Review and Accept the Rule 1. You can review your rule now. If you need to make any changes to the rule, click Back through the rule. 2. Click Finish to close the rule wizard. The rule you just created is now displayed in the Firewall Rules Table.
Advanced mode user interface. 2. From the Policy tab Select F-Secure > F-Secure Internet Shield > Settings > Dialup Control > Dialup Control. 3. Select enabled to switch Dialup Control on. 4. Click to save the policy data.
6. Select Allow or Deny to allow or block the modem from calling the matching phone numbers. 7. Double-click the new row in the Comment column and add a description to explain the purpose of the rule to other F-Secure Policy Manager users. 8. Select Yes to enable the new rule.
The RequestInstallMode setting can override the selection for components that have InstallMode=0.
Configurable Prodsett.ini Settings
You can edit the following settings in the prodsett.ini file.
[F-Secure common] Common settings
CD-Key=XXXX-XXXX-XXXX-XXXX-XXXX
    Enter the CD Key of the installation package here.
Page 283
APPENDIX A
[F-Secure common] Common settings
SupportedLanguages=ENG FRA DEU FIN SVE
    List of languages supported by the installation package. You can make the set of languages smaller by leaving out some unnecessary languages and repacking the package. When you add support for a new language to the package you should add that language here to make it effective.
Page 284
[F-Secure common] Common settings
SecurityPolicy=0 | 1 | 2
    The files and folders installed to NTFS and the product’s registry keys are protected with the NT security permissions according to the defined "SecurityPolicy":
    0 = no special policy applied; files and folders inherit the security permissions from the parent.
Page 285
    (default)
    3 = Do not reboot after installation.
[FSMAINST.DLL] Settings for F-Secure Management Agent
RequestInstallMode=1
    This component is always installed when you are installing a networked client. You do not need to edit the RequestInstallMode or InstallMode settings for this component.
Page 286
ServiceProviderMode=0
MibVersion=
GatekeeperVersion=
StatisticsFilterPattern1=
UseOnlyUID=
    0 = F-Secure Management Agent uses all available identities (DNS name, IP address, WINS name, Unique Identity) to identify itself for the first time to the F-Secure Policy Manager Server.
    1 = F-Secure Management Agent only uses its Unique Identity to identify itself to the F-Secure Policy Manager Server.
Page 287
    This component is always installed when you are installing a networked client. You do not need to edit the RequestInstallMode or InstallMode settings for this component.
FsmsServerUrl=http://fsmsserver
    URL to the F-Secure Policy Manager Server.
FsmsExtensionUri=/fsms/fsmsh.dll
    Do not change this setting.
FsmsCommdirUri=/commdir
    Do not change this setting.
Page 288
[FSAVINST.DLL] Settings for F-Secure Client Security - Virus Protection
EnableRealTimeScanning=1
    0 = Disable real-time scanning.
    1 = Enable real-time scanning (default).
Debug=1
    0 = Do not generate debug information (default).
    1 = Write debug information into the debug log during installation and uninstallation.
Page 289
[MEHINST.DLL] Settings for SNMP Support
RequestInstallMode=1
    0 = Install this component as defined in the InstallMode setting.
    1 = Install this component if newer, or not installed (default).
    2 = Install this component if there is no existing version of it installed, or if the same or an older version exists.
Page 290
    0 = Do not install this component (default).
    1 = Install this component, except if a newer version already exists.
[FWINST.DLL] Settings for F-Secure Client Security - Internet Shield
RequestInstallMode=1
    0 = Install this component as defined in the InstallMode setting.
Page 291
[FWINST.DLL] Settings for F-Secure Client Security - Internet Shield
InstallDC=0 | 1
    0 = Do not install Dial-up Control (default).
    1 = Install Dial-up Control.
InstallNetworkQuarantine=0 | 1
    0 = Do not install Network Quarantine (default).
    1 = Install Network Quarantine.
Page 292
[FSPSINST.DLL] Settings for F-Secure Client Security - Network Scanner
RequestInstallMode=1
    0 = Install this component as defined in the InstallMode setting.
    1 = Install this component if newer, or not installed (default).
    2 = Install this component if there is no existing version of it installed, or if the same or an older version exists.
Page 293
[FSNACINS.DLL] Settings for Cisco NAC Plugin
RequestInstallMode=1
    0 = Install this component as defined in the InstallMode setting.
    1 = Install this component if newer, or not installed (default).
    2 = Install this component if there is no existing version of it installed, or if the same or an older version exists.
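The following Python code is an added example, not part of the F-Secure manual or its tooling: it audits a prodsett.ini before the installation package is repacked and reports the explicitly set values that this appendix describes as weakening protection, along with values outside the documented set. The file contents are constructed, and SecurityPolicy=1 in the reviewed copy is an assumption, because the descriptions of values 1 and 2 are cut off on this page.

```python
import configparser
from typing import NamedTuple


class Rule(NamedTuple):
    section: str
    key: str
    allowed: frozenset   # values documented in this appendix
    weak: str            # documented value that reduces protection
    reason: str


class Finding(NamedTuple):
    section: str
    key: str
    value: str
    kind: str            # "weak" or "invalid"
    reason: str


# Sections, keys and value meanings are taken from the settings tables above.
RULES = (
    Rule("F-Secure common", "SecurityPolicy", frozenset("012"), "0",
         "no special policy: installed files and folders inherit "
         "permissions from the parent"),
    Rule("FSAVINST.DLL", "EnableRealTimeScanning", frozenset("01"), "0",
         "real-time scanning is disabled"),
    Rule("FSAVINST.DLL", "Debug", frozenset("01"), "1",
         "debug information is written to the debug log during "
         "installation and uninstallation"),
)

# Constructed sample: real key names from this appendix, demonstration values.
SAMPLE_PRODSETT = """\
[F-Secure common]
CD-Key=XXXX-XXXX-XXXX-XXXX-XXXX
SupportedLanguages=ENG FRA DEU FIN SVE
SecurityPolicy=0

[FSAVINST.DLL]
EnableRealTimeScanning=0
Debug=1

[FWINST.DLL]
RequestInstallMode=1
InstallDC=0
InstallNetworkQuarantine=0
"""

# Reviewed copy. SecurityPolicy=1 is a placeholder choice (assumption): pick
# 1 or 2 from their descriptions in the full manual.
REVIEWED_PRODSETT = (
    SAMPLE_PRODSETT
    .replace("SecurityPolicy=0", "SecurityPolicy=1")
    .replace("EnableRealTimeScanning=0", "EnableRealTimeScanning=1")
    .replace("Debug=1", "Debug=0")
)


def load(text: str) -> configparser.ConfigParser:
    """Parse prodsett.ini text, keeping key case and tolerating repeats."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keys such as CD-Key are case-sensitive here
    parser.read_string(text)
    return parser


def audit(text: str) -> list:
    """Return a Finding for every audited key set to a weak or invalid value."""
    parser = load(text)
    findings = []
    for rule in RULES:
        if not parser.has_option(rule.section, rule.key):
            continue  # key not set explicitly; only explicit values are audited
        value = parser.get(rule.section, rule.key).strip()
        if value not in rule.allowed:
            findings.append(Finding(
                rule.section, rule.key, value, "invalid",
                "expected one of " + ", ".join(sorted(rule.allowed))))
        elif value == rule.weak:
            findings.append(Finding(
                rule.section, rule.key, value, "weak", rule.reason))
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_PRODSETT),
                       ("reviewed", REVIEWED_PRODSETT)):
        results = audit(text)
        print(f"{name}: {len(results)} finding(s)")
        for f in results:
            print(f"  [{f.section}] {f.key}={f.value}: {f.kind}, {f.reason}")
```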
E-Mail Attachment Virus Alert Message ID: 620-623 Definition: When a virus is found the virus is treated based on the configuration set on F-Secure Client Security Advanced configuration. The options to handle the virus are: Report only, disinfect virus or drop virus.
Page 296
Message ID: 630-633 Definition: When a malformed message is found it is treated based on the configuration set on F-Secure Client Security Advanced configuration. The options to handle malformed message are: Malformed message part was only reported, Malformed message part was dropped, Malformed e-mail was blocked.
Page 297
APPENDIX B
Message: Malformed E-Mail Alert!
Description: <description of the malformation>
Message part: <malformed message part>
Action: <Action taken>
Message <Message ID>
from: <Email header: sender field email address>
to: <Email header: recipient field email addresses>
subject: <Email header: The title subject field of the message>...
Overview During the F-Secure Client Security installation process these products are either detected so that the user can manually uninstall them or automatically uninstalled: Agnitum Outpost Firewall Pro 1.0 AOL Safety and Security Center avast! Antivirus AVG Anti-Virus 7.0 AVG Free Edition AVG Anti-Virus 7.1...
Page 301
EarthLink Toolbar EMBARQ Toolbar (Powered by EarthLink) PC Antivirus F-PROT Antivirus for Windows FortiClient F-Secure Anti-spyware F-Secure Anti-Virus Client Security Incompatible F-Secure product F-Secure Anti-spyware Broken or incompletely uninstalled product F-Secure VPN+ Client G DATA AntiVirenKit (German version only) G DATA InternetSecurity (German version only)
Page 302
Kaspersky(TM) Anti-Virus Personal 4.5 Kaspersky Anti-Virus Personal Pro Kaspersky Anti-Virus Personal Kerio Personal Firewall Kingsoft Internet Security (English version only) McAfee SecurityCenter McAfee VirusScan McAfee VirusScan Enterprise McAfee VirusScan Home Edition McAfee Internet Security McAfee Uninstall Wizard McAfee Personal Firewall McAfee Personal Firewall Plus McAfee Privacy Service McAfee SecurityCenter...
Page 303
APPENDIX C Norman Personal Firewall 1.42 Norman Virus Control NOD32 antivirus system (English, French, German, Hungarian, Romanian and Spanish, simplified Chinese, traditional Chinese, Czech, Croatian, Italian, Japanese, Dutch, Polish, Portuguese Russian and Slovenian versions only) PureSight Parental Control Radialpoint Security Services Radialpoint Servicepoint Agent 1.5.11 Sophos Anti-Virus Sophos Anti-Virus...
Page 305
APPENDIX C Trend Micro AntiVirus 2007 Trend Micro PC-cillin Internet Security 2007 Trend Micro Internet Security Pro ZoneAlarm ZoneAlarm Security Suite ZoomTownInternetSecurity v.4.5...
Page 307
Alert A message generated by an F-Secure product if there has been a problem with a program or with an operation. Alerts are also generated when a virus is found. The administrator and the user can define which alerts are generated, either by defining firewall rules or enabling or disabling specific alerts.
Page 308
Authorization The right to perform an action on an object. Also the act of proving this right. Backdoor A malicious application or plug-in that opens up a possibility for a remote user to access the compromised computer. This is very often an application that opens up one or more listening ports and waits for connections from the outside, but there are variations of this.
Page 309
Domain Name A unique name that identifies an Internet site (for example, F-Secure.com). The domain name system (DNS) is the way that Internet domain names are located and translated into Internet Protocol addresses. A domain name is a meaningful and easy-to-remember "handle" for an Internet address.
Page 310
False positive A false positive is an alert that wrongly indicates that the related event has happened. In the F-Secure Internet Shield the alert text usually indicates this by using words like "probable" or "possible". These kinds of alerts should be eliminated or minimised.
Page 311
CHAPTER D Hidden file Hidden files are not visible to users. It is possible that a rootkit is hiding the file from the normal file listings. Hidden process Hidden processes are not visible to users. It is possible that a rootkit is hiding the process from Windows Task Manager.
Page 312
IPSec (IETF) The IP Security Protocol is designed to provide interoperable, high quality, cryptography-based security for IPv4 and IPv6. The set of security services offered includes access control, connection-less integrity, data origin authentication, protection against replays, confidentiality (encryption), and limited traffic flow confidentiality. These services are provided at the IP layer, offering protection for IP and/or upper layer protocols.
Page 313
CHAPTER D Mbit Megabit. (SNMP terminology) Management Information Base. Detailed information about MIBs can be found from RFC1155-SMI, RFC1212-CMIB and RFC1213-MIB2. MIME Multipurpose Internet Mail Extension, a standard system for identifying the type of data contained in a file based on its extension. MIME is an Internet protocol that allows you to send binary files across the Internet as attachments to e-mail messages.
Page 314
A security policy is a set of well-defined rules that regulate how sensitive information and other resources are managed, protected, and distributed. The management architecture of F-Secure software uses policies that are centrally configured by the administrator for optimum control of security in a corporate environment.
Page 315
You can add new applications to the Quarantine when Virus & Spy Protection detects them. Random Seed The seed value for the cryptographically strong random number generator, which is updated each time an F-Secure application closes. Riskware Riskware is any program that does not intentionally cause harm but can be dangerous if misused, especially if set up incorrectly.
Page 316
Simple Network Management Protocol. A standard TCP/IP protocol used for monitoring and setting network parameters and counters of LAN- and WAN-connected repeaters, bridges, routers, and other devices. In F-Secure Policy Manager it is used for sending and monitoring alerts and statistics. Spyware Spyware is software that tracks user information and reports it without your knowledge via the Internet to third parties.
Page 317
IP addresses that begin with the same two or three numbers. System Event Log A service that records events in the system, security, and application logs. F-Secure Client Security events are recorded in application logs. TAC Score The TAC score determines how likely the application is to be malware, 1 being the least and 10 being the most problematic.
Page 318
Trojan A trojan is usually a standalone program that performs destructive or other malicious actions. Destructive actions can vary from erasing or modifying the contents of files on a hard drive to a complete destruction of data. A backdoor trojan is a remote access tool that can allow a hacker to get full control over the entire infected system.
Page 319
CHAPTER D Worm A computer program capable of replication by inserting copies of itself in networked computers.
Page 320
TECHNICAL SUPPORT
Overview, 321
Web Club, 321
Advanced Technical Support, 321
F-Secure Technical Product Training, 322...
The F-Secure Web Club provides assistance to users of F-Secure products. To enter, choose the Web Club command from the Help menu in the F-Secure application. The first time you use this option, enter the path and name of your Web browser and your location.
After installing the F-Secure software, you may find a ReadMe file in the F-Secure folder in the Windows Start > Programs menu. The ReadMe file contains late-breaking information about the product.
Page 323
The courses take place in modern and well-equipped classrooms. All of our courses consist of theory and hands-on parts. At the end of each course there is a certification exam. Contact your local F-Secure office or F-Secure Certified Training Partner to get information about the courses and schedules.
Page 324
They include antivirus and desktop firewall with intrusion prevention, antispam and antispyware solutions. Founded in 1988, F-Secure has been listed on the Helsinki Exchanges since 1999, and has been consistently growing faster than all its publicly listed competitors.