F-SECURE ANTI-VIRUS FOR MICROSOFT EXCHANGE 9.00 Administrator's Manual


Summary of ANTI-VIRUS FOR MICROSOFT EXCHANGE 9.00

  • Page 1

    F-secure client security administrator's guide.

  • Page 3: Contents

    Contents chapter 1: introduction.......................................................................9 system requirements..............................................................................................................10 policy manager server.............................................

  • Page 4

    Connection properties..................................................................................................46 changing communication preferences........................................................................46 managing domains and hosts..............................................

  • Page 5

    Setting up spyware control for the whole domain........................................................78 launching spyware scanning in the whole domain.....................................................79 allowing the use of a spyware or riskware component............................................

  • Page 6

    Viewing alerts.......................................................................................................................111 creating a weekly infection report........................................................................................112 monitoring a possible network attack....

  • Page 7

    Allowing or denying events requested by a specific application automatically..........143 configuring policy manager proxy.......................................................................................145 configuring automatic updates on hosts from policy manager proxy..........................

  • Page 9: Chapter

    Chapter 1 introduction. Topics: • system requirements • main components • features. Policy manager can be used for: • defining security policies, • distributing security policies, • installing application software to local and remote systems, • monitoring the activities of all systems in the enterpris...

  • Page 10: System Requirements

    System requirements this section provides the system requirements for both policy manager server and policy manager console. Policy manager server in order to install policy manager server, your system must meet the minimum requirements given here. Microsoft windows: operating system: • microsoft wi...

  • Page 11

    Microsoft windows: operating system: • windows xp professional (sp2 or higher) • windows vista (32-bit or 64-bit) with or without sp1; business, enterprise or ultimate editions • windows 7 (32-bit or 64-bit); professional, enterprise or ultimate editions • microsoft windows server 2003 sp1 or higher...

  • Page 12: Main Components

    Main components the power of policy manager lies in the f-secure management architecture, which provides high scalability for a distributed, mobile workforce. Policy manager console provides a centralized management console for the security of the managed hosts in the network. It enables the adminis...

  • Page 13: Features

    Features some of the main features of policy manager are described here. Software distribution • installation of f-secure products on hosts from one central location, and updating of executable files and data files, including virus definitions updates. • updates can be provided in several ways: • fr...

  • Page 14: Product Registration

    Product registration you have the option of providing f-secure with information regarding the use of policy manager by registering your product. The following questions and answers provide some more information about registering your installation of policy manager. You should also view the f-secure ...

  • Page 15: Application Management

    Application management policy manager includes various components to manage applications within your network. Management agent the management agent enforces the security policies set by the administrator on the managed hosts. It acts as a central configuration component on the hosts, and for example...

  • Page 16: Basic Terminology

    Basic terminology here you will find descriptions for some of the commonly used terms in this guide. Host refers to a computer that is centrally managed with policy manager. Host a security policy is a set of well-defined rules that regulate how sensitive information and other resources are managed,...

  • Page 17: Chapter

    Chapter 2 installing the product here you will find instructions for installing the main product components; policy manager server and policy manager console. Topics: • installation steps • changing the web browser path • uninstalling the product.

  • Page 18: Installation Steps

    Installation steps follow these steps in the order given here to install policy manager server and policy manager console on the same machine. Download and run the installation package the first stage in installing policy manager is to download and run the installation package. To begin installing t...

  • Page 19

    Note: this dialog is displayed only if a previous installation of policy manager server was detected on the computer. • by default the setup keeps the existing settings. Select this option if you have manually updated the policy manager server configuration. This option automatically keeps the exist...

  • Page 20

    • administrator mode - enables all administrator features. • read-only mode - allows you to view administrator data, but no changes can be made. If you select read-only mode, you will not be able to administer hosts. To change to administrator mode, you will need the admin.pub and admin.prv admini...

  • Page 22: Uninstalling The Product

    Uninstalling the product follow these steps to uninstall policy manager components. To uninstall any policy manager components: 1. Open the windows start menu and go to control panel. 2. Select add/remove programs. 3. Select the component you want to uninstall (policy manager console or policy man...

  • Page 23: Chapter

    Chapter 3 anti-virus mode user interface this section provides a reference of the settings available on the various pages of the anti-virus mode user interface. Topics: • policy domains tab note: policy manager also includes another user interface, the advanced mode user interface. It is used to man...

  • Page 24: Policy Domains Tab

    Policy domains tab you can perform actions for policy domains and hosts within the policy domains tab. In the policy domains tab, you can do the following: • add a new policy domain by clicking the icon, which is located on the toolbar. A new policy domain can be created only when a parent domain is...

  • Page 25: Management Tabs

    Management tabs this section describes the management tabs ( summary , settings , status , alerts , reports , installation and operations ), and the different pages on each of these tabs. Summary tab the summary tab is designed to display the most important information concerning the selected domain...

  • Page 26

    • see the number of hosts that have the latest policy and access a summary of their latest policy update by clicking view hosts' latest policy update.... This takes you to the status tab and centralized management page. • see the number of disconnected hosts. You can also access a detailed list di...

  • Page 27

    Host in the host section you can: • see the name of the selected host displayed beside computer identity. You can also access more detailed information on the host by clicking view host properties.... This takes you to the status tab and host properties page. • see which protocol is active (htt...

  • Page 28

    Automatic updates the automatic updates page is divided into two sections; automatic updates and neighborcast . Automatic updates in the automatic updates section you can: • enable or disable automatic updates. Note that deselecting this setting disables all ways for the host to get automatic update...

  • Page 29

    Manual scanning the settings displayed on this page affect the scans that are run manually by the host users. Manual file scanning in this section, the following options are available for selecting what to scan: • select which files will be scanned and define the included extensions. • all files : a...

  • Page 30

    Scheduled scanning the configure scheduled scanning in advanced mode... link takes you to the advanced mode user interface, where scheduled scanning can be configured. Manual boot sector scanning in this section you can: • turn manual scanning for floppy disk boot sectors on or off. • select the act...

  • Page 31

    • select the action to take when an incoming infected attachment is detected. • select the action to take when scanning fails. • select the action to take when malformed message parts are detected. Outgoing e-mail scanning in this section you can: • turn outgoing e-mail scanning on or off. • select ...

  • Page 32

    Firewall security levels table (global) this table displays the security levels that are available globally in the system. The security levels table is the same for all policy domains, but enabling and disabling individual security levels can be done per policy domain. Network quarantine in this sec...

  • Page 33

    And the firewall then allows outgoing reply packets from the server applications. Outgoing packets from ordinary applications need to be allowed by the rules in the firewall rules table. Firewall services service, short for network service, means a service that is available on the network, e.g. file...

  • Page 34

    Download intentionally and may contain malware; that type of security threat is covered by virus and spyware scanning. Reputation based protection the settings in this section define how ratings for web sites are shown and whether web sites rated as harmful are blocked for users. These safety rating...

  • Page 35

    • allow users to uninstall f-secure products. Deselecting this option prevents end-users from uninstalling f-secure software from their computer. Uninstallation always requires administrative rights. This applies to all windows operating systems, even to windows nt/2000/xp where the end-user has admi...

  • Page 36

    • whether real-time scanning is enabled or disabled. • internet shield security level currently in use. • whether incoming e-mail scanning and outgoing e-mail scanning are enabled or disabled. • whether reputation-based protection is in use. • whether exploit shields are in use. Automatic updates th...

  • Page 37

    • policy manager proxy version. Centralized management the centralized management page displays a summary of information relating to central management: • policy file timestamp. • policy file counter; this is the number of the policy file currently in use on the host. • the date when the last statis...

  • Page 38

    Installation tab the installation tab is the first one that opens when policy manager console is installed. The installation tab contains shortcuts to all installation-related features. It also displays a list of available software installation packages. Autodiscover will automatically discover wind...

  • Page 39: The Toolbar

    The toolbar the toolbar contains buttons for the most common policy manager console tasks saves the policy data. Distributes the policy. Go to the previous domain or host in the domain tree selection history. Go to the next domain or host in the domain tree selection history. Go to the parent domain...

  • Page 40: Menu Commands

    Menu commands this section provides a reference of the available menu commands in policy manager console. Action command menu: new policy file - creates a new policy data instance with the management information base (mib) defaults. This command is rarely needed because existing policy data will usuall...

  • Page 41

    Action command menu: anti-virus mode - changes to the anti-virus mode user interface, which is optimized for centrally managing client security. Refresh - manually refreshes the status, alert, or report view. The menu item changes according to the selected page or tab. Manually refreshes all data affecti...

  • Page 42: Settings Inheritance

    Settings inheritance this section explains how settings inheritance works and how inherited settings and settings that have been redefined on the current level are displayed in the user interface. The settings in policy manager console can either be inherited from a higher level in the policy domain...

  • Page 43

    Check boxes: inherited values are displayed as dimmed on a grey background; values that are not inherited are displayed on a white background. Locking and unlocking all settings on a page at once you can choose to lock or unlock all of the settings on a page. The f...

  • Page 45: Chapter

    Chapter 4 setting up the managed network policy manager offers you several ways to deploy client security in your company: • in a windows domain you can use the autodiscover and autoregistration features to automate the creation of the managed domain. Topics: • logging in • managing domains and host...

  • Page 46: Logging In

    Logging in when you start policy manager console, the login dialog box will open. Tip: you can click options to expand the dialog box to include more options. The login dialog box can be used to select defined connections. Each connection has individual preferences, which makes it easier to manage m...

  • Page 47

    3. Click polling period options to change the polling intervals. The polling period dialog box opens. 4. Modify the polling intervals to suit your environment. The communication protocol selection affects the default polling intervals. If you are not interested in certain management information, you...

  • Page 48

    Managing domains and hosts if you want to use different security policies for different types of hosts (laptops, desktops, servers), for users in different parts of the organization or users with different levels of computer knowledge, it is a good idea to plan the domain structure based on these cr...

  • Page 49: Adding Hosts

    Adding hosts this section describes different ways of adding hosts to a policy domain. The main methods of adding hosts to your policy domain, depending on your operating system, are as follows: • import hosts directly from your windows domain. • import hosts through autoregistration (requires that ...

  • Page 50

    Using autoregistration import rules you can define the import rules for the autoregistered hosts on the import rules tab in the import autoregistered hosts window. You can use the following as import criteria in the rules: • wins name, dns name, dynamic dns name, custom properties • these support * ...

  • Page 51

    Creating hosts manually this topic describes how to create hosts manually. To create a host manually: 1. Select the target domain. 2. Select edit ➤ new host from the menu. Alternatively: • click in the toolbar. • press insert. This operation is useful in the following cases: • learning and testing –...

  • Page 52

    • hide already managed hosts. Select this check box to show only those hosts which do not have f-secure applications installed. • resolve hosts with all details (slower). With this selection, all details about the hosts are shown, such as the versions of the operating system and management agent....

  • Page 53

    Note: push installation requires administrator rights for the target machine during the installation. If the account you entered does not have administrator rights on one of the remote hosts, an access denied error message will be indicated for that host, while installation will continue on the othe...

  • Page 54

    Using the installation editor the installation editor must be used on those hosts that already have management agent installed. To use the installation editor: 1. Open the policy tab and select the root node (the f-secure sub-tree). Alternatively, open the install tab. The installation editor opens....

  • Page 55

    The installation editor launches the installation wizard , which queries the user for the installation parameters. The installation editor then prepares a distribution installation package that is customized for the specific installation operation. The new package is saved on policy manager server. ...

  • Page 56

    Using the customized remote installation package there are two ways of using the login script on windows platforms: by using a customized remote installation jar package or by using a customized msi package. To use the customized remote installation jar package: 1. Run policy manager console. 2. Sel...

  • Page 57

    Enter ilaunchr /? on the command line to display complete help. When installing on windows xp and newer you can also use the following parameters: • /user:domain\username (variation: /user:username ) — specifies the user account and the domain name. The domain name can be optionally left out. • /pas...

  • Page 58

    Local installation and policy manager local installation is recommended if you need to install client security locally on a workstation that is otherwise centrally managed by policy manager. You must have policy manager already installed before you can continue with the installation. Note: when inst...

  • Page 59

    Installation steps you need the product cd, a valid subscription key and an internet connection. If multiple users share and use the computer, log on with administrator privileges to install this product. To install the software: 1. Insert the installation cd. The installation should start automatic...

  • Page 60

    Installing on an infected host if the host on which you are going to install client security is infected with some variant of the klez virus, you should run the klez removal tool on the host before starting the installation. The ilaunchr.exe installation tool cannot be run on a computer that is infe...

  • Page 61

    Checking that the management connections work you can check that the management connections are working by following the steps given here. 1. Check the policy distribution status on the summary tab. 2. Save and distribute the policies if necessary. 3. Go to the status tab and select the centralized m...

  • Page 63: Chapter

    Chapter 5 configuring virus and spyware protection virus and spyware protection keeps computers protected against file viruses, spyware, riskware, rootkits and viruses that are spreading by e-mail attachments and in web traffic. Topics: • configuring automatic updates • configuring real-time scannin...

  • Page 64

    Configuring automatic updates this section explains the different configuration settings available for automatic updates in policy manager, and gives some practical configuration examples for hosts with different protection needs. By following these instructions you can always keep the virus and spy...

  • Page 65

    5. If you want to use http proxies, check that the use http proxy and http proxy address settings are suitable for your environment. 6. If you want to enable the system to use policy manager server or the f-secure update server as a fall back when no policy manager proxy can be accessed, select allo...

  • Page 66

    • another automatic update agent (for example client security) with neighborcast enabled. To enable neighborcast: 1. Select the target domain. 2. Select the settings tab and the automatic updates page. a) to set clients in the selected domain to download updates from other clients, select enable nei...

  • Page 67

    Configuring real-time scanning real-time scanning keeps the computer protected all the time, as it is scanning files when they are accessed, opened or closed. It runs in the background, which means that once it has been set up, it is basically transparent to the user. Real-time scanning settings the...

  • Page 68

    Action and definition: ask after scan - starts the disinfection wizard when an infected file is detected. Disinfect automatically - disinfects the file automatically when a virus is detected. Rename automatically - renames the file automatically when a virus is detected. Deletes the file automatically when a v...

  • Page 69

    Forcing all hosts to use real-time scanning in this example, real-time scanning is configured so that users cannot disable it; this ensures that all hosts stay protected in any circumstances. 1. Select root on the policy domains tab. 2. Go to the settings tab and select the real-time scanning page. ...

  • Page 70: Configuring Deepguard

    Configuring deepguard deepguard is a host-based intrusion prevention system that analyzes the behavior of files and programs. Deepguard can be used to block intrusive ad pop-ups and to protect important system settings, as well as internet explorer settings against unwanted changes. If an applicatio...

  • Page 72

    Configuring rootkit scanning (blacklight) rootkit scanning can be used to scan for files and drives hidden by rootkits. Rootkits are typically used to hide malicious software, such as spyware, from users, system tools and traditional antivirus scanners. The items hidden by rootkits are often infecte...

  • Page 73

    Configuring e-mail scanning e-mail scanning can be used to keep both inbound and outbound e-mails protected against viruses. Enabling it for outbound e-mails also ensures that you do not accidentally send out infected e-mail attachments. This section describes the e-mail scanning settings and also p...

  • Page 74

    To save the blocked e-mail messages in the end-users' outbox folder, select save blocked e-mails in outbox. The user must move, delete or modify the blocked message in their outbox to be able to send more messages. The file types that are included and excluded from e-mail scanning are based on the ...

  • Page 75

    Configuring web traffic (http) scanning web traffic scanning can be used to protect the computer against viruses in http traffic. When enabled, web traffic scanning scans html files, image files, downloaded applications or executable files and other types of downloaded files. It removes viruses auto...

  • Page 76

    In this configuration example, one whole domain (www.example.com) and a sub-directory from another domain (www.example2.com/news) are excluded from http scanning. 1. Select root on the policy domains tab. 2. Go to the settings tab and select the web traffic scanning page. 3. Exclude a domain from ht...

  • Page 77

    Configuring spyware scanning spyware scanning protects the hosts against different types of spyware, such as data miners, monitoring tools and dialers. In centrally managed mode, spyware scanning can be set, for example, to report the spyware items found on hosts to the administrator or to quarantin...

  • Page 78

    Spyware and riskware reported by hosts removed - the spyware item has been removed from the host. Quarantined - the spyware item was quarantined on the host. Currently in quarantine - the spyware item is currently in quarantine on the host. Displays the date and time when the spyware item was found ...

  • Page 79

    4. Check that the manual scanning settings are valid for the managed domain. 5. Click to save and distribute the policy. Launching spyware scanning in the whole domain in this example, a manual scan is launched in the whole domain. This will partially clean out the spyware and riskware reported by h...

  • Page 80

    Managing quarantined objects quarantine management gives you the possibility to process objects that have been quarantined on host machines in a centralized manner. All infected files and spyware or riskware that have been quarantined on host machines are displayed on the settings ➤ quarantine manage...

  • Page 82

    Preventing users from changing settings if you want to make sure that the users cannot change some or any of the virus protection settings, you can make these settings final. There are different possibilities for doing this: • if you want to prevent users from changing a certain setting, click on th...

  • Page 83: Configuring Alert Sending

    Configuring alert sending this section describes how to configure the product to send client security virus alerts to an e-mail address and how to disable the alert pop-ups. It is a good idea to have all virus alerts sent to administrators by e-mail to ensure that they are informed of any potential ...

  • Page 84

    Monitoring viruses on the network policy manager offers different ways and levels of detail for monitoring infections on your network. The best way to monitor whether there are viruses on the network is to check the virus protection section of the summary tab. If it displays new infections, you can ...

  • Page 85

    Testing your antivirus protection to test that client security operates correctly, you can use a special test file that is detected by client security as though it were a virus. This file, known as the eicar standard anti-virus test file, is also detected by several other antivirus programs. You can...

  • Page 87: Chapter

    Chapter 6 configuring internet shield internet shield protects the computers against unauthorized access from the internet as well as against attacks originating from inside the lan. Topics: • global firewall security levels. Internet shield provides protection against information theft, because unau...

  • Page 88

    Global firewall security levels if you do not need to customize the firewall settings for your network, there are several pre-configured security levels to choose from. The global firewall security levels that exist in internet shield are: if network quarantine is turned on, this security level will...

  • Page 89

    Design principles for security levels the basic principles of design behind security levels are described here. Each security level has a set of pre-configured firewall rules. In addition, you can create new rules for all security levels for which the filtering mode ➤ normal is displayed in the fire...

  • Page 90

    Configuring security levels and rules this section explains how you can set and select the security levels based on the users' needs. In the practical configuration examples it is assumed that the managed hosts have been imported into a domain structure where, for example, laptops and desktops are l...

  • Page 91

    To add a new security level for a certain domain only, you first have to disable that security level on root level, and then enable it again on the appropriate lower level. Create the new security level the first step in adding a new security level is to create the new security level. This is done a...

  • Page 92

    g) click finish. Take the new security level into use the next step is to take the new security level into use. To take the new security level into use only in the selected subdomain(s), you first have to turn it off at root level and then turn it on at a lower level in the policy domain hierarchy....

  • Page 93

    Configuring network quarantine network quarantine is an internet shield feature that makes it possible to restrict the network access of hosts that have very old virus definitions and/or that have real-time scanning turned off. The normal access rights of such hosts are automatically restored once t...

  • Page 94: Configuring Rule Alerts

    Configuring rule alerts internet shield rule alerts can be used to get notifications if certain types of malware try to access the computers. It is possible to issue an alert every time a rule is hit or when illegal datagrams are received, which makes it easy to see what kind of traffic is going on ...

  • Page 95

    Direction and explanation: the service will be allowed/denied if coming from the defined remote hosts or networks to your computer. The service will be allowed/denied if going from your computer to the defined remote hosts or networks. For this rule, select: • icmp from the service drop-down list • fr...

  • Page 96

    To do this: 1. Make sure that you have the correct subdomain selected on the policy domains tab. 2. Select the firewall security levels page on the settings tab. 3. Set the security level for which you created the rule as the active security level by selecting it from the internet shield security le...

  • Page 97

    Configuring application control application control allows for safe browsing and is an excellent defence against malicious computer programs. Application control is also an excellent tool for fighting trojans and other network malware as it does not allow them to send any information to the network....

  • Page 98

    Application rules for known applications: description - displays the internal description of the executable, usually the name of the application. You can also modify the description. Message - displays the associated message (if any) which was created together with the rule. Displays the publisher of the...

  • Page 99

    2. Configure the basic application control settings that will be used when application control is running: a) select the default action to take when an unknown application tries to make an outbound connection from the default action for client applications drop-down list. b) select the default actio...

  • Page 100

    In this example select root. b) when the rule is ready, click finish. The new rule is now displayed in the application rules for known applications table. The unknown applications reported by hosts table has been refreshed. 5. Click to save and distribute the policy. Editing an existing applicatio...

  • Page 102

    Using alerts to check that internet shield works in normal use you should not get any alerts from internet shield; if you suddenly start to receive a lot of alerts, it means that there is either a configuration mistake or a problem. When configuring alerting you should also remember tha...

  • Page 103

    Configuring intrusion prevention intrusion prevention monitors inbound traffic and tries to find intrusion attempts. Intrusion prevention (ips) can also be used to monitor viruses that try to attack computers in the lan. Intrusion prevention analyses the payload (the contents) and the header informa...

  • Page 104

    It is assumed that desktops and laptops are located in their own subdomains, desktops/eng and laptops/eng . It is assumed that the desktops are also protected by the company firewall, and therefore the alert performance level selected for them is lower. The laptops are regularly connected to network...

  • Page 105: Chapter

    Chapter 7 how to check that the network environment is protected as part of the monitoring and system administration processes, you can regularly perform the tasks listed here to ensure that your network environment is protected. Topics: • checking that all the hosts have the latest policy • checkin...

  • Page 106

    Checking that all the hosts have the latest policy you can ensure that all hosts have the correct settings by checking that they have the latest policy. 1. Select root on the policy domains tab. 2. Go to the summary tab and check how many hosts of the entire domain have the latest policy. 3. If all ...

  • Page 107

    Checking that the server has the latest virus definitions you should check that the virus definitions are up to date on the server. 1. Select root on the policy domains tab. 2. Go to the summary tab and check that the virus definitions on the server are the latest available. F-secure client security...

  • Page 108

    Checking that the hosts have the latest virus definitions you should regularly check that the virus definitions are up to date on all hosts within the domain. 1. Select root on the policy domains tab. 2. Go to the summary tab and check what is displayed in the virus protection for workstations secti...

  • Page 109

    Checking that there are no disconnected hosts you can ensure that all hosts are getting the latest updates by checking that there are no disconnected hosts. 1. Select root on the policy domains tab. 2. Go to the summary tab and check what is displayed in the domain section beside disconnected hosts ...

  • Page 110: Viewing Scanning Reports

    Viewing scanning reports you can view the scanning reports from hosts to check if there have been any problems. If you want to see a scanning report from certain hosts, do as follows: 1. Select the hosts in the policy domains tab. 2. Go to the reports tab. The scanning information from the selected ...

  • Page 111: Viewing Alerts

    Viewing alerts if there has been a problem with a program or with an operation, the hosts can send alerts and reports about it. It is a good idea to check regularly that there are no new alerts, and also to acknowledge (and delete) the alerts that you have already handled. When an alert is received,...

  • Page 112

    Creating a weekly infection report if you want to create a weekly infection report (or some other report to be generated at regular intervals), you have two options. • web reporting, a web-based tool with which you can generate a wide range of graphical reports from client security alerts and status...

  • Page 113

    Monitoring a possible network attack if you suspect that there is a network attack going on in the local network, you can monitor it by following these steps. 1. Select root on the policy domains tab. 2. Go to the summary tab. 3. Check what is displayed beside most common recent attack . 4. If there...

  • Page 115: Chapter

    Chapter 8 upgrading software. Topics: • using the installation editor. You can remotely upgrade f-secure anti-virus software already installed on hosts by using the installation editor . The editor creates policy-based installation tasks that each host in the target domain will carry out after the nex...

  • Page 116

    Using the installation editor the installation editor must be used on those hosts that already have management agent installed. To use the installation editor: 1. Open the policy tab and select the root node (the f-secure sub-tree). Alternatively, open the install tab. The installation editor opens....

  • Page 117

    3. When all required version numbers are selected, click start . The installation editor launches the installation wizard , which queries the user for the installation parameters. The installation editor then prepares a distribution installation package that is customized for the specific installati...

  • Page 119: Chapter

    Chapter 9 local host operations you might need to perform the operations listed in this section when you suspect that there is a virus on a local host or if you need to perform some other administrative tasks locally. Topics: • scan manually • scan at set times • where to find firewall alerts and lo...

  • Page 120: Scan Manually

    Scan manually you can scan your computer manually, if you suspect that you have malware on your computer. How to select the type of manual scan you can scan your whole computer or scan for a specific type of malware or a specific location. If you are suspicious of a certain type of malware, you can ...

  • Page 121

    When to use this type what is scanned scan type check whether your computer is clean, because it is able to efficiently find and remove any active malware on your computer. When you suspect that a rootkit may be installed on your computer. For example, if malware was recently detected in important s...

  • Page 122: Scan At Set Times

    Scan at set times you can scan your computer for malware at regular intervals, for example daily, weekly or monthly. Scanning for malware is an intensive process. It requires the full power of your computer and takes some time to complete. For this reason, you might want to set the program to scan y...

  • Page 123

    3. Click close . The scheduled scan is canceled. The next scheduled scan will start as usual. View the results of a scheduled scan: when a scheduled scan finishes you can check whether any malware was found. To check the results of a scheduled scan: 1. Click the scheduled scan has finished on the virus and spy...

  • Page 124

    Where to find firewall alerts and log files by viewing the firewall alerts and log files, you can find out how network connections are protected on your computer. View firewall alerts you can view a list of all generated firewall alerts. The list contains alerts that the firewall and intrusion preve...

  • Page 125

    Field            Description
    Services         The firewall services to which this traffic matched.
    Remote address   The IP address of the remote computer.
    Remote port      The port on the remote computer.
    Local address    The IP address of your own computer.
    Local port       The port on your own computer.
    View the action log if...

  • Page 126

    3. Use the recommended logging time and file size that are shown in the logging time and max log file size fields. You can also change them if you want to. 4. Click start logging . A new file is added to the log files list. The size of the file increases as information is gathered in the file. If th...

  • Page 128

    Connecting to policy manager and importing a policy file manually if you need to initialize a connection from the local host to policy manager server, you can do it by following these steps. 1. On the local host, go to the central management page, where you can see the date and time of the last conn...

  • Page 129

    Suspending downloads and updates you can allow users to suspend network communications, for example if they are sometimes using a dial-up connection. This option is configured from policy manager console. It is useful for hosts that sometimes use a slow dial-up connection. When this option is enable...

  • Page 130

    Allowing users to unload f-secure products you can allow users to unload products, for example to free up memory. This option is configured from the policy manager console. It specifies whether the user is allowed to unload all f-secure products temporarily, for example in order to free memory for g...

  • Page 131: Chapter

    Chapter 10 virus information this section provides information on where to find out about viruses and how to handle viruses you encounter. Topics: • malware information and tools on the f-secure web pages • how to send a virus sample to f-secure • what to do in case of a virus outbreak?.

  • Page 132

    Malware information and tools on the f-secure web pages you can find a list of sources of information about malware and useful tools at http://www.f-secure.com/security_center/. For information on the latest security threats you can check these sources: • the f-secure blog: http://www.f-secure.com/w...

  • Page 133

    How to send a virus sample to f-secure this section covers information on sending a virus sample to the f-secure security lab. Note: this section is for advanced users. Please send detailed descriptions of the problem, symptoms or any questions you have in english whenever possible. Our usual respon...

  • Page 134

    2. Type msinfo32 and click ok . 3. While viewing the system summary node select file ➤ save . • some windows configuration files ( win.ini , system.ini ) and dos configuration files ( autoexec.bat , config.sys ). • a full or partial export from a system registry (this can be done with the regedit ut...

  • Page 136

    What to do in case of a virus outbreak? You can use this checklist of what you should do and remember in case there is a virus outbreak in the company network. 1. Disconnect the infected computer from the network immediately. If the infection keeps spreading, the whole network should be taken down w...

  • Page 137: Chapter

    Chapter 11 setting up the cisco nac plugin. Topics: • installing the cisco nac plugin. F-secure participates in the network admission control (nac) collaboration led by cisco systems ® . Nac can be used to restrict the network access of hosts that have too old virus definition databases, or anti-virus...

  • Page 138

    Installing the cisco nac plugin the cisco nac plugin can be installed on hosts both locally and remotely. 1. Local installations: when installing client security locally, select cisco nac plugin in the components to install dialog. 2. Remote installations: when installing client security remotely, s...

  • Page 139

    Importing posture validation attribute definitions you need to add posture validation attribute definitions related to f-secure products to the cisco secure acs posture validation attributes definition file. 1. Use the csutil tool on the cisco secure acs server. 2. Use the following command: csutil....

  • Page 140

    Using attributes for the application posture token here you will find details on how to configure the cisco acs server to monitor product-related security attributes. To configure the cisco acs server to monitor f-secure product-related security attributes, do the following: 1. Click the external us...

  • Page 141: Chapter

    Chapter 12 advanced features: virus and spyware protection this section contains instructions for some advanced virus protection administration tasks, such as configuring scheduled scanning from the advanced mode user interface and configuring the anti-virus proxy. Topics: • configuring scheduled sc...

  • Page 142

    Configuring scheduled scanning a scheduled scanning task can be added from the advanced mode user interface. In this example, a scheduled scanning task is added in a policy for the whole policy domain. The scan is to be run weekly, every monday at 8 p.m., starting from august 25, 2009. 1. Select view...

  • Page 143

    Advanced deepguard settings this section covers the advanced settings relating to deepguard. Notifying user on a deny event you can configure the product to notify users when deepguard denies an event they have initiated. To notify the user when deepguard automatically denies an event: 1. Select vie...

  • Page 144

    8. Double-click the trusted cell for the new entry: • select yes to allow all events for the application. • select no to deny all events for the application. 9. Double-click the enabled cell for the new entry. 10. Select yes to enable the rule. 11. Click to save and distribute the policy. The app...

  • Page 145

    Configuring policy manager proxy policy manager offers a solution to bandwidth problems in distributed installations by significantly reducing load on networks with slow connections. Policy manager proxy caches automatic updates retrieved from the central f-secure update server or the corporate poli...

  • Page 146

    Configuring automatic updates on hosts from policy manager proxy a list of proxies through which the hosts fetch updates can be configured on the settings tab. If you need to configure this from a managed host’s local user interface, you can do it as follows: 1. Go to the automatic updates page and ...

  • Page 147

    Excluding an application from the web traffic scanner if web traffic scanning causes problems with a program that is common in your organization you can exclude this application from the web traffic scanner. 1. Select view ➤ advanced mode from the menu. 2. On the policy tab select f-secure client se...

  • Page 149: Chapter

    Chapter 13 advanced features: internet shield this section covers some advanced internet shield features and also contains some troubleshooting information. Topics: • managing internet shield properties remotely • configuring security level autoselection • troubleshooting connection problems • addin...

  • Page 150

    Managing internet shield properties remotely this section describes how you can manage internet shield properties remotely. Using packet logging packet logging is a very useful debugging tool to find out what is happening on the local network. Packet logging is also a powerful tool that can be abuse...

  • Page 151

    1. Select view ➤ advanced mode from the menu. The advanced mode user interface opens. 2. Select root on the policy domains tab. 3. On the policy tab, select f-secure internet shield ➤ settings ➤ firewall engine ➤ firewall engine . 4. To make sure packet filtering is always turned on, set this variab...

  • Page 152

    Configuring security level autoselection in this example, security level autoselection is configured for a subdomain that contains only laptops in such a way that when the computers are connected to company lan, the office security level is used; when a dialup connection is used, the security level ...

  • Page 153

    Troubleshooting connection problems if there are connection problems, for example a host cannot access the internet, and you suspect that internet shield might cause these problems, you can use the steps given here as a check list. 1. Check that the computer is properly connected. 2. Check that the ...

  • Page 154: Adding New Services

    Adding new services service, short for network service, means a service that is available on the network, e.g. file sharing, remote console access, or web browsing. Services are most often described by what protocol and port they use. Creating a new internet service based on the default http in this...

  • Page 155

    Full name                                          Protocol number   Protocol name
    Cisco Generic Routing Encapsulation (GRE) tunnel   47                GRE
    Encapsulation Security Payload protocol            50                ESP
    Authentication Header protocol                     51                AH
    Protocol Independent Multicast                     103               PIM
    Compression Header protocol                        108               COMP
    Raw IP packets                                     255               RAW
    6. Select the initiat...

  • Page 156: Setting Up Dialup Control

    Setting up dialup control dialup control lets you create lists of phone numbers allowed and blocked from the user's dialup modem. To turn on dialup control: 1. Select view ➤ advanced mode from the menu to switch to the advanced mode user interface. 2. From the policy tab select f-secure ➤ f-secure in...

  • Page 159: Chapter

    Chapter 14 modifying prodsett.ini this section contains a list of the settings that can be edited in prodsett.ini . Topics: • configurable prodsett.ini settings caution: do not edit any prodsett.ini settings that are not included in this section. Note: dependency between requestinstallmode and in...

  • Page 160

    Configurable prodsett.ini settings you can edit the settings described here in the prodsett.ini file. Common settings [f-secure common] enter the subscription key of the installation package here. Cd-key=xxxx-xxxx-xxxx-xxxx-xxxx enforced installation language. Setuplanguage=eng if the setting i...

  • Page 161

    Common settings [f-secure common] users and administrators, and read-only access to everyone. 2 = strict policy; files and folders are protected with permissions granting full access to administrators, read-write access to power users, read-only access to users, and no access to everyone. Note: when...

  • Page 163

    Settings for policy manager support [pmsuinst.dll] the requestinstallmode or installmode settings for this component. Settings for client security - virus protection [fsavinst.dll] 0 = install this component as defined in the installmode setting. Requestinstallmode=1 1 = install this component if ne...

  • Page 166

    Settings for client security - network scanner [fspsinst.dll] 1 = http scanning enabled this setting defines which executables should start http scanning immediately. Other processes will go startimmediatelyforapps= iexplore.exe,firefox.exe, netscape.exe,opera.exe, msimn.exe,outlook.exe, mozilla.exe...

  • Page 167: Chapter

    Chapter 15 e-mail scanning alert and error messages this section provides a list of the alert and error messages that e-mail scanning can generate. Topics: • alert and error messages.

  • Page 168: Alert And Error Messages

    Alert and error messages a list of the messages generated by e-mail scanning is given below. Message ID 602, message title: e-mail scanning session failed: system error. Message content: connection to the server was terminated by e-mail scanning due to a system error. E-mail scanning continue...

  • Page 169

    Message content definition message id message title header: recipient field <email addresses> • infected e-mail was blocked. Subject: header: subject field <the title of the message>. Malformed e-mail alert! When a malformed message is found it is 630-633 malformed e-mail alert description: treated bas...

  • Page 171: Chapter

    Chapter 16 products detected or removed during client installation the products listed in this section are either detected so that the user can manually uninstall them or automatically uninstalled during the f-secure client security installation process. Topics: • product list.

  • Page 172: Product List

    Product list a list of the products that are detected and removed during installation is given below. • agnitum outpost firewall pro 1.0 • aol safety and security center • avast! Antivirus • avg anti-virus 7.0 • avg free edition • avg anti-virus 7.1 • avg 7.5 • avira antivir personaledition classic ...

  • Page 173

    • iprotectyou 7.09 • jiangmin antivirus software (english version only) • k7 totalsecurity 2006 • kaspersky anti-spam personal • kaspersky anti-virus 6.0 (english version only) • kaspersky internet security 6.0 (english version only) • kaspersky internet security 7.0 (english version only) • kaspers...

  • Page 174

    • norton antivirus 2004 (symantec corporation) • norton antivirus • norton antivirus corporate edition • norton internet security • norton internet security 2005 • norton internet security 2006 (symantec corporation) • norton internet security 2007 • norton internet security 2008 • norton security o...