Summary of CLIENT SECURITY 7.00

  • Page 1

F-Secure Client Security Administrator’s Guide.

  • Page 2

“F-Secure” and the triangle symbol are registered trademarks of F-Secure Corporation, and F-Secure product names and symbols/logos are either trademarks or registered trademarks of F-Secure Corporation. All product names referenced herein are trademarks or registered trademarks of their respective co...

  • Page 3

Contents: About this guide (10); Overview (11); Additional documentation (13); Con...

  • Page 4

2.3 Installation steps (33); 2.4 Uninstalling F-Secure Policy Manager (55); Chapter 3 Introduction to F-Secure Policy Manager a...

  • Page 5

4.5 Local installation (156); 4.5.1 Local installation system requirements (157); 4.5.2 Installation instructions ...

  • Page 6

5.9 Preventing users from changing settings (189); 5.9.1 Setting all virus protection settings final (189); 5.10 Configuring F-Secure Client Security alert sending ...

  • Page 7

Chapter 7 How to check that the environment is protected (222); 7.1 Overview (223); 7.2 How to check the protection status from Outbreak tab (223); ...

  • Page 8

10.3 Viruses in the wild (246); 10.4 How to send a virus sample to F-Secure (246); 10.4.1 How to package a virus sample ...

  • Page 9

Appendix A Modifying prodsett.ini (278); A.1 Overview (279); A.2 Configurable prodsett.ini settings (279); Appendix ...

  • Page 10

About this guide: Overview (11); Additional documentation (13).

  • Page 11

Overview. This manual covers the configuration and operations that you can do with the F-Secure Policy Manager Anti-Virus Mode user interface and provides the information you need to get started with managing F-Secure Client Security applications centrally. The F-Secure Client Security Administrat...

  • Page 12

Chapter 10. Virus Information. Describes where you can get more information about viruses and how you can send a virus sample to F-Secure. Chapter 11. Setting up Cisco NAC Support. Describes how to install and set up Cisco Network Access Control (NAC) support. Chapter 12. Advanced Features: Vir...

  • Page 13

Additional documentation. F-Secure Policy Manager online help: the F-Secure Policy Manager online help contains information on both the Anti-Virus Mode and the Advanced Mode user interfaces. The online help is accessible from the Help menu by selecting Help Contents, or by pressing F1. Inf...

  • Page 14

F-Secure Policy Manager Administrator’s Guide. For more information on administering other F-Secure software products with F-Secure Policy Manager, see the F-Secure Policy Manager Administrator’s Guide. It contains information on the Advanced Mode user interface and instructions on how you can configu...

  • Page 15

Conventions used in F-Secure guides. This section describes the symbols, fonts, and terminology used in this manual. Symbols: ⇒ an arrow indicates a one-step procedure. Fonts: Arial bold (blue) is used to refer to menu names and commands, to buttons and other items in a dialog box. Arial italics (bl...

  • Page 16

Courier New bold is used for information that you must type. Small caps (black) is used for a key or key combination on your keyboard. Arial underlined (blue) is used for user interface links. Arial italics is used for window and dialog box names. PDF document: this manual is provided in PDF (Po...

  • Page 17

1 Introduction: Overview (18); F-Secure Client Security components and features (18); Introduction to F-Secure Policy Manager (23); Basic terminology ...

  • Page 18

1.1 Overview. This section describes the main components of F-Secure Client Security and F-Secure Policy Manager and provides an introduction to policy-based management. 1.2 F-Secure Client Security components and features. F-Secure Client Security is used for protecting the computer against viruse...

  • Page 19

Chapter 1. E-mail scanning. E-mail scanning can be used for scanning both incoming and outgoing e-mail messages and attachments. It prevents viruses from getting inside the company network and also prevents you from accidentally sending infected attachments outside. E-mail scanning can be config...

  • Page 20

System Control. System Control is a new, host-based intrusion prevention system that analyzes the behavior of files and programs. It provides an extra layer of protection by blocking undiscovered viruses, worms, and other malicious code that try to perform harmful actions on your computer. For mor...

  • Page 21

...since the last download. If the transfer is interrupted for some reason, the next session will start from the point where the previous session ended. For more information, see “Configuring automatic updates”, 162. Virus News. F-Secure Virus News delivers instant notifications of seri...

  • Page 22

Application Control. Application Control can be used to prevent unauthorized applications from getting access to the network. In addition, application launch control and application manipulation control protect computers against malicious applications that try to launch or use other applications o...

  • Page 23

F-Secure Management Agent. The F-Secure Management Agent enforces the security policies set by the administrator on the managed hosts. It acts as a central configuration component on the hosts and, for example, interprets the policy files, sends autoregistration requests and host status ...

  • Page 24

...protection settings when necessary. You can also restrict the users from making changes to the security settings, and be sure that the protection is always up to date. 1.3.1 Main components of F-Secure Policy Manager. The power of F-Secure Policy Manager lies in the F-Secure Management Archite...

  • Page 25

...create graphical reports based on historical trend data, identify computers that are unprotected or vulnerable to virus outbreaks. For more information, see the F-Secure Policy Manager Administrator’s Guide. F-Secure Policy Manager Reporting Option is an optional F-Secure Policy Manager...

  • Page 26

Configuration and policy management: centralized configuration of security policies. The policies are distributed from F-Secure Policy Manager Server to the user’s workstation. Integrity of the policies is ensured through the use of digital signatures. Event management: reporting to the Event Vie...

  • Page 27

Policy domain: policy domains are groups of hosts or subdomains that have a similar security policy. Policy inheritance: policy inheritance simplifies the defining of a common policy. In F-Secure Policy Manager Console, each policy domain automatically inherits the settings of its parent ...

  • Page 28

2 Installing F-Secure Policy Manager: Overview (29); System requirements (30); Installation steps ...

  • Page 29

Chapter 2. 2.1 Overview. This chapter contains the system requirements for F-Secure Policy Manager Server and F-Secure Policy Manager Console, and instructions on how to install F-Secure Policy Manager Console and Server on the same computer. The F-Secure Policy Manager Console and Server setup is run ...

  • Page 30

2.2 System requirements. 2.2.1 F-Secure Policy Manager Server. In order to install F-Secure Policy Manager Server, your system must meet the following minimum requirements. Operating system: Microsoft Windows 2000 Server (SP3 or higher); Windows 2000 Advanced Server (SP3 or higher); Windows Serve...

  • Page 31

Memory: 256 MB RAM; when web reporting is enabled, 512 MB RAM. Disk space: 200 MB of free hard disk space; 500 MB or more is recommended. The disk space requirements depend on the size of the installation. In addition to this, it is recommended to allocate about 1 MB per host ...

  • Page 32

2.2.2 F-Secure Policy Manager Console. In order to install F-Secure Policy Manager Console, your system must meet the following minimum requirements. Operating system: Microsoft Windows 2000 Professional (SP3 or higher); Windows 2000 Server (SP3 or higher); Windows 2000 Advanced Server (SP3 or hig...

  • Page 33

2.3 Installation steps. Step 1. 1. Insert the F-Secure CD in your CD-ROM drive. 2. Select Corporate use. Click Next to continue. 3. Select F-Secure Policy Manager from the Install or update management software menu. Step 2. View the Welcome screen, and follow the setup instructions. The...

  • Page 34

Step 3. Read the license agreement information. If you agree, select I accept this agreement. Click Next to continue.

  • Page 35

Step 4. Select the type of installation. Typical: setup installs the product with default options; F-Secure Policy Manager Server, F-Secure Policy Manager Console, and F-Secure Policy Manager Update Server & Agent are installed on the same computer. The default ports are used for F-Secure ...

  • Page 36

Step 5. Select the following components to be installed: F-Secure Policy Manager Console; F-Secure Policy Manager Server; F-Secure Policy Manager Update Server & Agent; F-Secure installation packages. Click Next to continue.

  • Page 37

Step 6. Choose the destination folder. It is recommended to use the default installation directory. Use the Browse feature to install F-Secure Policy Manager in a different directory. Click Next to continue.

  • Page 38

Step 7. Setup requests confirmation if a previous installation of F-Secure Policy Manager exists. 1. If yes, select I have existing F-Secure Policy Manager installation. Enter the communication directory path of the installed F-Secure Policy Manager. The contents of this directory will be copie...

  • Page 39

Step 8. Select whether you want to keep the existing settings or change them. By default, the setup keeps the existing settings. Select this option if you have manually updated the F-Secure Policy Manager Server configuration file (httpd.conf). This option automatically keeps the exist...

  • Page 40

Step 9. Select the F-Secure Policy Manager Server modules to enable. Host module is used for communication with the hosts; the default port is 80. Administration module is used for communication with F-Secure Policy Manager Console; the default HTTP port is 8080. By default, access to the admi...

  • Page 41

Click Next to continue.

  • Page 42

Step 10. Specify the F-Secure Policy Manager Server address and administration port number. Click Next to continue. Depending on the installation method, this window is not always displayed.

  • Page 43

Step 11. Select to add product installation package(s) from the list of available packages (if you selected F-Secure installation packages in Step 5, 36). Click Next.

  • Page 44

Step 12. Review the changes that setup is about to make. Click Start to start the installation.

  • Page 45

Step 13. When the setup is completed, the setup shows whether all components were installed successfully.

  • Page 46

Step 14. Click Finish to complete the F-Secure Policy Manager Server installation. After this, you should run F-Secure Policy Manager Console for the first time.

  • Page 47

Step 15. It is important to run F-Secure Policy Manager Console after the setup, because some connection properties will be collected during the initial console startup. You can find the shortcut from Start > Programs > F-Secure Policy Manager Console > F-Secure Policy Manager Console ...

  • Page 48

Step 16. Select your user mode according to your needs. Administrator mode: enables all administrator features. Read-only mode: allows you to view administrator data, but no changes can be made. If you select Read-only mode, you will not be able to administer hosts. To change to Administrator ...

  • Page 49

Step 17. Enter the address of the F-Secure Policy Manager Server that is used for communicating with the managed hosts.

  • Page 50

Step 18. Enter the path where the administrator’s public key and private key files will be stored. By default, key files are stored in the F-Secure Policy Manager Console installation directory: Program Files\F-Secure\Administrator. Click Next to continue. If the key pair does not exist already, ...

  • Page 51

Step 19. Move your mouse cursor around in the window to initialize the random seed used by the management key-pair generator. Using the path of the mouse movement ensures that the seed number for the key-pair generation algorithm has enough randomness. When the progress indicator has re...

  • Page 52

Step 20. Enter a passphrase, which will secure your private management key. Re-enter your passphrase in the Confirm passphrase field. Click Next. Step 21. Click Finish to complete the setup process.

  • Page 53

F-Secure Policy Manager Console will generate the management key pair. For information on backing up the admin.pub key, see the chapter Maintaining F-Secure Policy Manager Server in the F-Secure Policy Manager Administrator’s Guide.

  • Page 54

Step 22. After the key pair is generated, F-Secure Policy Manager Console will start. From here, it is possible to continue by creating policy domains and installing hosts. For more information, see “Creating the domain structure”, 130 and “Adding hosts”, 132. If you decide to exit from F-...

  • Page 55

Changing the web browser path. F-Secure Policy Manager Console acquires the file path to the default web browser during setup. If you want to change the web browser path, open the Tools menu and select Preferences. Select the Locations tab and enter the new file path. 2.4 Uninstall...

  • Page 56

3 Introduction to F-Secure Policy Manager Anti-Virus Mode User Interface: Overview (57); Policy Domains tab (58); Management tabs ...

  • Page 57

Chapter 3. 3.1 Overview. This section introduces the F-Secure Policy Manager Anti-Virus Mode user interface. It also describes some generic features and visual elements used throughout the user interface to indicate how the settings inheritance works. The main components of the F-Secure Policy Mana...

  • Page 58

3.2 Policy Domains tab. In the Policy Domains tab, you can do the following: add a new policy domain by clicking the icon, which is located on the toolbar (a new policy domain can be created only when a parent domain is selected); add a new host by clicking the icon; find a host; view the propertie...

  • Page 59

3.3.1 Summary tab. Figure 3-1: Summary tab. The Summary tab is designed to display the most important information concerning the selected domain(s) or host(s) at a glance. When a domain is selected, the Summary tab displays information about the whole domain. When a single host is selected...

  • Page 60

If some of the settings displayed on the Summary tab require your immediate attention or action, an icon is displayed beside the setting. The icons can be interpreted as follows. For more information on how the Summary tab can be used for checking quickly that the domain is protected, see “How t...

  • Page 61

Policy Manager. Figure 3-2: Policy Manager related information on the Summary tab. In the Policy Manager section you can: see the current policy distribution status (saved/unsaved, distributed/undistributed) and, when necessary, save the policy data and distribute the new policies to hosts. ...

  • Page 62

Domain. Figure 3-3: Domain related information on the Summary tab. In the Domain section you can: see the number of hosts that have the latest policy and access a summary of their latest policy update by clicking View hosts’ latest policy update.... This takes you to the Status tab and Centralized manage...

  • Page 63

Virus Protection for Workstations. Figure 3-4: Virus protection related information on the Summary tab. In the Virus Protection for Workstations section you can: see how many hosts in the domain have virus protection installed; see how many hosts in the domain have real-time scanning enabled. ...

  • Page 64

If you need to update the virus definitions on some hosts, click Update virus definitions.... That takes you to the Operations tab. Internet Shield. Figure 3-5: Internet Shield related information on the Summary tab. In the Internet Shield section you can: see how many hosts in the domain have Internet S...

  • Page 65

In the Host section you can: see the name of the selected host displayed beside Computer identity. You can also access more detailed information on the host by clicking View host properties.... This takes you to the Status tab and Host properties page. See what the active protocol ...

  • Page 66

3.3.2 Outbreak tab. Figure 3-7: Outbreak tab. The Security News section shows security news from F-Secure. Security news are usually news about new virus outbreaks, and they state the virus definitions version required on the hosts to protect against this new virus outbreak. They can also be more ge...

  • Page 67

The Security News section shows you how many of your hosts are protected, and whether protection is available on the Policy Manager Server. If protection is not currently available, the Policy Manager Server will automatically download it from F-Secure when it is available. The Security...

  • Page 68

The table in the Security News details section lists all the hosts in the currently selected domain. For each host the following information is provided: the Protected column shows if the host is protected against the virus referred to by the currently selected virus news; the Disconnected column...

  • Page 69

For more information on the lock symbols and other items displayed on all settings pages, see “Settings inheritance”, 120. Context menu on settings pages: by right-clicking any setting on a Settings tab page you can access a context menu that contains the following options: Clear thi...

  • Page 70

Show domain values. The Show domain values menu item is available only when a policy domain is selected. You can view a list of all policy domains and hosts below the selected policy domain, together with the value of the selected field. Click any domain or host name to quickly select the domain o...

  • Page 71

Automatic Updates. Figure 3-8: Settings > Automatic Updates tab. Automatic updates for F-Secure Client Security 6.x and later. In the Automatic updates for F-Secure Client Security 6.x and later section you can: enable or disable automatic updates. Note that deselecting this setting disable...

  • Page 72

See a list of Policy Manager Proxy servers. You can also add new servers to the list, delete servers from the list and edit their addresses and priorities. Select whether an HTTP proxy can be used and specify the HTTP proxy address. For configuration examples and more information, see “Configuri...

  • Page 73

Figure 3-9: Settings > Automatic Updates > Automatic updates F-Secure Client Security 5.x page. Automatic updates. In the Automatic updates section you can: • enable or disable automatic updates.

  • Page 74

• Select the primary and secondary update sources to be used. • Define the number of days after which the use of the secondary update source is enabled. Manual updates. In the Manual updates section you can: select whether to allow manual updates; select whether a reminder is displayed to users when...

  • Page 75

Real-time Scanning. Figure 3-10: Settings > Real-time Scanning page.

  • Page 76

General. In the General section you can enable or disable real-time scanning. File scanning. In the Files to scan section you can: select which files will be scanned and define the included extensions; select whether real-time scanning is also executed inside compressed files; select whether certai...

  • Page 77

System Control. In the System Control section you can: enable or disable System Control; select the action to take when a system modification attempt is detected; select whether ActiveX is prevented from running on the managed hosts. For a configuration example, explanation of the ...

  • Page 78

Manual Scanning. Figure 3-11: Settings > Manual Scanning.

  • Page 79

Manual file scanning. In the Manual file scanning section the following options are available for selecting what to scan: All files: all files will be scanned, regardless of their file extension. Forcing this option is not recommended because it might slow down system performance consider...

  • Page 80

Choose one of the following actions: Manual spyware scanning. In the Manual spyware scanning section you can: enable or disable manual scanning for spyware during virus scanning; select the action to take when spyware is found; access manual spyware scanning targets settings by clicking th...

  • Page 81

Rootkit scanning. In the Rootkit scanning section you can: enable or disable rootkit scanning; include or exclude rootkit scanning from full computer check; specify whether detected suspicious items are shown in the disinfection wizard and in the scanning report after a full computer che...

  • Page 82

Spyware Control. Figure 3-12: Settings > Spyware Control.

  • Page 83

Spyware scanning on file access. This section contains the same spyware scanning settings as the Spyware scanning on file access section on the Settings > Real-time Scanning page. For more information, see “Spyware scanning on file access”, 76. Manual spyware scanning. This section co...

  • Page 84

E-mail Scanning. Figure 3-13: Settings > E-mail Scanning page. This page includes separate settings for incoming and outgoing e-mail scanning. The settings in the General section are common to both.

  • Page 85

Incoming e-mail scanning. In the Incoming e-mail scanning section you can: enable incoming e-mail scanning; select the action to take on an incoming infected attachment; select the action to take on scanning failure; select the action to take on malformed message parts. Outgoing e-mail scan...

  • Page 86

Web Traffic Scanning. Figure 3-14: Settings > Web Traffic Scanning. General. In the General section you can enable or disable HTTP scanning. HTTP scanning: select the action to take on infection; select the action to take on scanning failure; select whether compressed files are included in scanning.

  • Page 87

Trusted HTTP sites. The Trusted HTTP sites table displays a list of HTTP sites that are defined as trusted. Downloads from these sites are not scanned for viruses. For more information on web traffic scanning and for practical configuration examples, see “Configuring web traffic (...

  • Page 88

Firewall Security Levels. Figure 3-15: Settings > Firewall Security Levels.

  • Page 89

General. In the General section you can: select the Internet Shield security level at host (for more information, see “Global firewall security levels”, 195); configure security level autoselection by clicking Configure security level autoselection in Advanced Mode.... This takes you t...

  • Page 90

Intrusion Prevention. In the Intrusion Prevention section you can: enable and disable intrusion detection; select the action on malicious packet (the options available are Log and drop and Log without dropping); define the centralized alert severity; define the alert and performance level. For co...

  • Page 91

Firewall Rules. Figure 3-16: Settings > Firewall Rules.

  • Page 92

Firewall rules table. The Firewall Rules page contains the Firewall rules table, which lists the rules defined for different security levels. You can select the Internet Shield security level from the Internet Shield security level being edited drop-down menu. When the selected security level is c...

  • Page 93

...reply packets from the server applications. Outgoing packets from ordinary applications need to be allowed by the rules in the Firewall rules table. For more information on how to create and modify firewall rules, see “Configuring Internet Shield security levels and rules”, 198 and “...

  • Page 94

Firewall Services. Figure 3-17: Settings > Firewall Services. Service, short for network service, means a service that is available on the network, e.g. file sharing, remote console access, or web browsing. It is most often described by what protocol and port it uses.

  • Page 95

Firewall services table (global). The Firewall services table displays a list of services that have been defined for the firewall. It is also possible to create new services for the firewall, or to allow the end users to create them. For more information on how to add or modify firewall services, ...

  • Page 96

Application Control. Figure 3-18: Settings > Application Control. Application rules for known applications: the Application Control page displays a list of known applications and the rules defined for them for inbound and outbound connection attempts. Unknown applications reported by hosts: the Unknow...

  • Page 97

On this page you can also: select the default action for client applications; select the default action for server applications; select whether new applications are reported to you by selecting the Report new unknown applications check box. Message for user: the Message for users section...

  • Page 98

Alert Sending. Figure 3-19: Settings > Alert Sending. General. In the General section you can select the alerting language. E-mail alert sending: define the e-mail server address (SMTP); define the e-mail sender address and e-mail subject to be used when forwarding alerts by e-mail.

  • Page 99

For information on how to set up alert sending, see “E-mail alert sending”, 98. Alert forwarding. The Alert forwarding table can be used to configure where alerts of a certain severity are to be forwarded. For examples on how to configure anti-virus alert forwarding, see “...

  • Page 100

Centralized Management. Figure 3-20: Settings > Centralized Management. General. The General section contains the following options: Allow users to change all settings...: this option makes all the settings throughout the F-Secure Policy Manager Anti-Virus and Advanced Mode user interfaces non-final, ...

  • Page 101

This option makes all the settings throughout the F-Secure Policy Manager Anti-Virus and Advanced Mode user interfaces final, which means that users are not allowed to change any setting. For more information on final settings, see “Settings inheritance”, 120. Clear all settings... ...

  • Page 102

This variable defines which network connections are regarded as slow. The unit used is kilobits per second. Note that the nominal speed of the connection is not relevant; the actual speed of the connection is measured. The default value, 0 (zero), means that all connections are regarded as ...

  • Page 103

Context menu on Status tab. Figure 3-21: the context menu that you can open by right-clicking a row. By right-clicking any row on a Status tab page you can access a context menu that contains the following options: Copy as text copies the currently selected row(s) and column headings from t...

  • Page 104

Overall Protection. Figure 3-22: Status > Overall Protection page. The Overall Protection page displays a summary of the protection status of each host: the date and time when virus definitions were last updated; virus definitions version; the date and time when virus definitions on F-Secure Gateway ...

  • Page 105

...update on the host and the last time the host has sent statistics to F-Secure Policy Manager. The virus definitions date and version information is also displayed for hosts that have F-Secure Anti-Virus for Citrix Servers, F-Secure Anti-Virus for Windows Servers, F-Secure Internet Gate...

  • Page 106

Internet Shield. Figure 3-24: Status > Internet Shield page. The Internet Shield page displays the following information: latest attack date and time in the Latest attack timestamp column; latest attack service; latest attack source; recent attacks (this column can be sorted by clicking on the column h...

  • Page 107

Installed Software. Figure 3-25: Status > Installed Software. The Installed Software page displays a summary of the software installed on the host(s): F-Secure Client Security software version (including the build number and possible hotfixes); list of anti-spyware hotfixes; whether Interne...

  • Page 108

Centralized Management. Figure 3-26: Status > Centralized Management. The Centralized Management page displays a summary of central management related information: policy file timestamp; policy file counter (this is the number of the policy file currently in use at the host); the date when the last s...

  • Page 109

Host Properties. Figure 3-27: Status > Host Properties. The Host Properties page displays the following information for each host: the WINS name of the host; the IP address of the host; the DNS name of the host; the operating system of the host.

  • Page 110

3.3.5 Alerts tab. Figure 3-28: Alerts tab. The Alerts tab displays alerts from the selected host(s) and domain(s). It can also be used to manage the alert reports. The Alerts tab displays the following information for each alert: severity (see “Viewing alerts”, 226 for more information); date and...

  • Page 111

When an alert is selected in the alert list, the lower half of the page displays more specific information about the alert: product, severity, originating host, and so on. F-Secure Client Security scanning alerts may also have an attached report. This report will be displayed in the lo...

  • Page 112

    112 3.3.6 reports tab figure 3-29 reports tab the reports tab displays virus scanning reports from the selected host(s) and domain(s). It can also be used to manage the scanning reports. The reports tab displays the following information about each report: severity date and time description host and...

  • Page 113

Chapter 3 113 for more information on how alerts can be used for monitoring, see “ viewing scanning reports ” , 225 . 3.3.7 installation tab figure 3-30 installation tab the installation tab is the first one that opens when the policy manager console is installed.

  • Page 114

    114 the installation tab contains shortcuts to all installation related features. It also displays a list of available software installation packages. Autodiscover windows hosts... Autodiscover will automatically discover windows domains and hosts, push install software and import new hosts into the...

  • Page 115

Chapter 3 115 3.3.8 operations tab figure 3-31 operations tab the operations tab contains two operations. Both of these operations are recommended if there has been a virus outbreak in the LAN. For more information, see “ what to do in case of a virus outbreak? ” , 250 . Update virus defi...

  • Page 116

    116 3.4 toolbar the toolbar contains buttons for the most common f-secure policy manager console tasks. Saves the policy data. Distributes the policy. Go to the previous domain or host in the domain tree selection history. Go to the next domain or host in the domain tree selection history. Go to the...

  • Page 117

    Chapter 3 117 3.5 menu commands launches the autodiscover windows hosts tool. New hosts will be added to the currently selected policy domain. Starts push installation to windows hosts. Imports autoregistered hosts to the currently selected domain. Green signifies that the host has sent an autoregis...

  • Page 118

    118 save policy as saves policy data with a specified name. Distribute policies distributes the policy files. Export host policy file exports the policy files. Exit exits f-secure policy manager console. Edit cut cuts selected items. Paste pastes items to selected location. Delete deletes selected i...

  • Page 119

    Chapter 3 119 embedded restriction editors toggles between the embedded restriction editor and the restrictions dialog box. Open on new messages shows/hides the messages pane at bottom of screen. Previous domain/host takes you to the previous domain or host in the domain tree selection history. Next...

  • Page 120

    120 3.6 settings inheritance this section explains how the settings inheritance works and how inherited settings and settings that have been redefined on the current level are displayed in the user interface. The settings in f-secure policy manager console can either be inherited from a higher level...

  • Page 121

    Chapter 3 121 when necessary, settings can be defined as final, which means that the users are not allowed to change them. Final always forces the policy: the policy variable overrides any local host value, and the end user cannot change the value as long as the final restriction is set. If the sett...

  • Page 122

122 3.6.1 how settings inheritance is displayed on the user interface inherited settings and settings that have been redefined on the current level are displayed in different ways on the policy manager user interface: not inherited inherited a closed lock means that the user cannot change the...

  • Page 123

    Chapter 3 123 3.6.2 locking and unlocking all settings on a page at once the following links can be used to lock and unlock all settings on a page: for more information on locking and unlocking all settings throughout the f-secure policy manager user interface, see also “ centralized management ” , ...

  • Page 124

    124 3.6.3 settings inheritance in tables the firewall security levels table and the firewall services table are so-called global tables, which means that all computers in the domain have the same values. However, different subdomains and different hosts may have different security levels enabled. In...

  • Page 125

125 4 Setting Up the Managed Network. Overview 126. Logging in for the first time 126. Creating the domain structure...

  • Page 126

    126 4.1 overview this chapter describes how to plan the managed network and what are the best ways to deploy f-secure client security in different types of environments. F-secure policy manager offers you several ways to deploy f-secure client security in your company: in a windows domain you can us...

  • Page 127

    Chapter 4 127 4.2.1 logging in when you start f-secure policy manager console, the following dialog box will open. Click options to expand the dialog box to include more options. Figure 4-1 f-secure policy manager console login dialog the dialog box can be used to select defined connections. Each co...

  • Page 128

    128 figure 4-2 the connection properties dialog the name field specifies what the connection will be called in the connection: field in the login dialog. If the name field is left empty, the url or the directory path is displayed. Public key file and private key file paths specify what management ke...

  • Page 129

    Chapter 4 129 3. Note that it is possible to define an interval that is shorter than one day by simply typing in a floating point number in the setting field. For example, with a value of "0.5" all hosts that have not contacted the server within 12 hours are considered disconnected. Values less than...

  • Page 130

    130 4.3 creating the domain structure if you want to use different security policies for different types of hosts (laptops, desktops, servers), for users in different parts of the organization or users with different levels of computer knowledge, it is a good idea to plan the domain structure based ...

  • Page 131

    Chapter 4 131 figure 4-3 an example of a policy domain structure all domains and hosts must have a unique name in this structure. Another possibility is to create the different country offices as subdomains. Figure 4-4 an example of a policy domain: country offices as sub-domains a third possibility...

  • Page 132

    132 4.3.1 adding policy domains and subdomains 1. From the edit menu, select new policy domain (a parent domain must be selected), or click in the toolbar (alternatively press ctrl + insert ). The new policy domain will be a subdomain of the selected parent domain. 2. You will be prompted to enter a...

  • Page 133

    Chapter 4 133 4.4.1 windows domains in a windows domain, the most convenient method of adding hosts to your policy domain is to import them to the policy domain by choosing ‘autodiscover windows hosts’ from the installation tab in f-secure policy manager console. Note that this also installs f-secur...

  • Page 134

    134 figure 4-5 import autoregistered hosts dialog > autoregistered hosts tab the autoregistration view offers a tabular view to the data which the host sends in the autoregistration message. This includes the possible custom autoregistration properties that were included in the remote installation p...

  • Page 135

    Chapter 4 135 autoregistration import rules figure 4-6 import autoregistered hosts dialog > import rules tab.

  • Page 136

136 you can define the import rules for the autoregistered hosts on the import rules tab in the import autoregistered hosts window. You can use the following as import criteria in the rules: WINS name, DNS name, dynamic DNS name, custom properties. These support * (asterisk) as a wildcard. * can r...

  • Page 137

    Chapter 4 137 3. The new custom property now appears in the table, and you can create new autoregistration import rules in which it is used as import criteria. To create a new autoregistration import rule, do as follows: 4. Click add on the import rules tab. The select target policy domain for rule ...
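The rule matching the guide describes above, as an added example that is not F-Secure's code: an autoregistration message carries a WINS name, a DNS name, a dynamic DNS name and optional custom properties, each import rule constrains some of those fields with patterns in which only `*` is a wildcard, and the matching rule decides the target policy domain. The rule names, the domain paths, the sample hosts and the assumptions that rules are evaluated in order (first match wins) and that host names compare case-insensitively are mine, not from the guide.

```python
"""Autoregistration import-rule matching (added example, not F-Secure code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile an import-rule pattern in which only '*' is special.

    Every other character is escaped and matched literally, so a DNS name
    such as 'lab-01.example.com' can never be read as a regular expression.
    '*' stands for any run of characters, including the empty string.
    Comparison is case-insensitive (assumption: host names are not
    case-sensitive).
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(literal_parts), re.IGNORECASE)


@dataclass
class AutoregMessage:
    """The host identification data sent in an autoregistration message."""
    wins_name: str = ""
    dns_name: str = ""
    dynamic_dns_name: str = ""
    custom: Dict[str, str] = field(default_factory=dict)  # custom properties


@dataclass
class ImportRule:
    """One import rule: criteria (None = not used) plus its target domain."""
    target_domain: str
    wins_name: Optional[str] = None
    dns_name: Optional[str] = None
    dynamic_dns_name: Optional[str] = None
    custom: Dict[str, str] = field(default_factory=dict)

    def matches(self, msg: AutoregMessage) -> bool:
        """True when every criterion the rule defines matches the message."""
        checks = [
            (self.wins_name, msg.wins_name),
            (self.dns_name, msg.dns_name),
            (self.dynamic_dns_name, msg.dynamic_dns_name),
        ]
        for pattern, value in checks:
            if pattern is not None and not wildcard_to_regex(pattern).fullmatch(value):
                return False
        # A custom-property criterion fails if the host did not send that
        # property at all, or if the sent value does not match the pattern.
        for prop_name, pattern in self.custom.items():
            value = msg.custom.get(prop_name)
            if value is None or not wildcard_to_regex(pattern).fullmatch(value):
                return False
        return True


def select_target_domain(rules: List[ImportRule], msg: AutoregMessage,
                         default: Optional[str] = None) -> Optional[str]:
    """Return the target domain of the first matching rule, else `default`.

    Assumption: rules are applied top to bottom and the first hit wins, so
    a more specific rule must be listed before a broader one.
    """
    for rule in rules:
        if rule.matches(msg):
            return rule.target_domain
    return default


# Constructed sample rule set (hypothetical domain structure).
RULES = [
    ImportRule("/Root/Sales", custom={"Unit": "Sales*"}),
    ImportRule("/Root/Laboratory", dns_name="*.lab.example.com"),
    ImportRule("/Root/Laptops", wins_name="LT-*"),
]

# Constructed sample autoregistration messages.
SAMPLE_HOSTS = [
    AutoregMessage("LT-0042", "lt-0042.corp.example.com", custom={"Unit": "Sales EMEA"}),
    AutoregMessage("LAB-07", "lab-07.lab.example.com"),
    AutoregMessage("LT-0100", "lt-0100.corp.example.com"),
    AutoregMessage("SRV-01", "srv-01.corp.example.com"),
]


def assign_all(rules: List[ImportRule], hosts: List[AutoregMessage]) -> Dict[str, Optional[str]]:
    """Map each host's WINS name to the policy domain it would be imported into."""
    return {h.wins_name: select_target_domain(rules, h) for h in hosts}


if __name__ == "__main__":
    for wins, domain in assign_all(RULES, SAMPLE_HOSTS).items():
        print(f"{wins:8} -> {domain or '(no rule matched: stays in import list)'}")
```

A host that matches no rule is left unassigned here, which corresponds to leaving it in the import list for the administrator to place by hand.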

  • Page 138

138 4.4.3 f-secure push installations the only difference between the autodiscover windows hosts and the push install to windows hosts features is how the target hosts are selected: autodiscover browses the NT domains and the user can select the target hosts from a list of hosts, push install to windows...

  • Page 139

    Chapter 4 139 mcafee personal firewall express, version 4.5 mcafee virusscan 4.05 nt mcafee virusscan enterprise 7.0 mcafee virusscan enterprise 7.1 mcafee virusscan home edition 7.0.2.6000 mcafee virusscan professional edition 7.0 mcafee virusscan professional/personal edition 7.02.6000 microsoft a...

  • Page 140

    140 symantec live update 1.8 (for symantec antivirus corporate edition) symantec live update 2.0.39.0 (for symantec antivirus corporate edition) symantec live update 2.6.18.0 (for symantec antivirus corporate edition) symantec norton antivirus corporate edition 7.6.0.0000 trend micro internet securi...

  • Page 141

    Chapter 4 141 autodiscover windows hosts to install: 1. Select the policy domain for the hosts to which you will install f-secure client security. 2. Open the edit menu and select autodiscover windows hosts (alternatively, click the button). 3. From the nt domains list, select one of the domains and...

  • Page 142

142 select the hide managed hosts check box to show only those hosts which do not have f-secure applications installed. Resolve hosts with all details (slower) with this selection, all details about the hosts are shown, such as the versions of the operating system and f-secure management agent. Res...

  • Page 143

    Chapter 4 143 push install to windows hosts to install: 1. Select the policy domain for the hosts to which you will install f-secure client security. 2. Open the edit menu and select push install to windows hosts (alternatively, click the button). 3. Enter the target host names of those hosts to whi...

  • Page 144

    144 1. Select the installation package, and click next to continue. 2. Select the products to install. You can choose to force reinstallation if applications with the same version number already exist. Click next to continue. 3. Choose to accept the default policy, or specify which host or domain po...

  • Page 145

    Chapter 4 145 4. Choose the user account and password for the push installation. Select either this account (the current account) or another account . This account — when you select “this account”, you will use the security rights of the account currently logged on. Use this option in the following ...

  • Page 146

    146 when completing the installation to the trusted and non-trusted domains with a domain account, make sure you enter the account in format domain\account. When using a local administrator account, use format account. (do not enter the host name as part of the account, otherwise the account is acce...

  • Page 147

    Chapter 4 147 4.4.4 policy-based installation base policy files are used to start installations on hosts that already have f-secure management agent installed. F-secure policy manager console creates an operation-specific installation package, which it stores on the f-secure policy manager server, a...

  • Page 148

    148 the installation editor contains the following information about the products that are installed on your target policy domain or host: if a host is selected, the progress field displays one of the following messages: product name name of the product, which is either installed on a host or domain...

  • Page 149

    Chapter 4 149 if a domain is selected, the progress field displays one of the following: when all required version numbers are selected, click start . The installation editor launches the installation wizard, which queries the user for the installation parameters. The installation editor then prepar...

  • Page 150

    150 because the installation operation uses policy-based triggering, you must distribute new policy files. The policy file will contain an entry that tells the host to fetch the installation package and perform the installation. Note that it may take a considerable length of time to carry out an ins...

  • Page 151

    Chapter 4 151 choosing reinstall will reinstall the current version. This option should only be used for troubleshooting. Most of the time, there is no reason to reinstall a product. F-secure management agent when uninstalling f-secure management agent, no statistical information will be sent statin...

  • Page 152

    152 login script on windows platforms there are three ways of doing this: by using a customized remote installation jar package, by using a customized msi package, or by using the non-jar approach. Using the customized remote installation jar package 1. Run f-secure policy manager console. 2. Choose...

  • Page 153

    Chapter 4 153 7. A summary page shows your choices for the installation. Review the summary and click start to continue to the installation wizard. 8. F-secure policy manager console displays the remote installation wizard that collects all necessary setup information for the selected products. A. R...

  • Page 154

    154 standard host identification properties in the autoregistration view. The custom property name will be the column name, and the value will be presented as a cell value. One example of how to utilize custom properties is to create a separate installation package for different organizational units...

  • Page 155

Chapter 4 155 10. You can install the exported jar to the hosts by running the ilaunchr.exe tool. The ilaunchr.exe tool is located in the policy manager console installation directory under the ...\administrator\bin directory. To do this: a. Copy ilaunchr.exe and the exported jar to a location where the log...

  • Page 156

156 /password:secret (variation: /password:"secret with spaces") — specifies the password of the user account. The ilaunchr functionality stays the same if neither of these two parameters is given. If only one of the parameters is given, ilaunchr returns an error code. If both parameters are given,...

  • Page 157

    Chapter 4 157 4.5.1 local installation system requirements in order to install f-secure client security, your system must meet the following minimum requirements: 4.5.2 installation instructions the instructions for installing f-secure client security can be found in the getting started with f-secur...

  • Page 158

158 however, if you run the setup from a cd, you must transfer a copy of the admin.pub key file manually to the workstations: the best and most secure method is to copy the admin.pub file to a diskette and use this diskette for workstation installations. Alternatively, you can put the admin.pub file...

  • Page 159

Chapter 4 159 4.7 how to check that the management connections work 1. Check the policy distribution status on the summary tab. Save and distribute the policies if necessary. 2. Go to the status tab and select centralized management page. Check the timestamp and counter of the policy file currently i...

  • Page 160

160 5 Configuring Virus and Spyware Protection. Overview: what can virus and spyware protection be used for? 161. Configuring automatic updates 162. Configuring real-time sca...

  • Page 161

    Chapter 5 161 5.1 overview: what can virus and spyware protection be used for? The virus and spyware protection in f-secure client security consists of automatic updates, manual scanning, scheduled scanning, real-time scanning, spyware scanning, system control, rootkit scanning, e-mail scanning, web...

  • Page 162

162 when a virus is found on a computer, one of the following actions will be taken: the infected file is disinfected; the infected file is renamed; the infected file is deleted; the infected file is quarantined; the user is prompted to decide what action to take with the infected file; the infected file...

  • Page 163

    Chapter 5 163 5.2.1 how do automatic updates work? The automatic update agent installed with f-secure client security tries to download the automatic updates from the configured update sources in the following order: a. If there are policy manager proxies in use in the company network, the client tr...

  • Page 164

    164 if you want to use http proxy, select from browser settings or user-defined from the use http proxy drop-down menu. Then specify the http proxy address . 5.2.3 configuring automatic updates from policy manager server when centralized management is used, all hosts can fetch their virus and spywar...

  • Page 165

    Chapter 5 165 5.2.4 configuring policy manager proxy if the different offices of a company have their own policy manager proxies, it is often a good idea to configure the laptops that the user takes from one office to another to use a policy manager proxy as the updates source. In this configuration...

  • Page 166

166 10. Click to save the policy data. 11. Click to distribute the policy. 5.3 configuring real-time scanning real-time scanning keeps the computer protected all the time, as it scans files when they are accessed, opened or closed. It runs in the background, which means that once it ...

  • Page 167

    Chapter 5 167 new file extensions are also added to the list automatically when the virus definition databases are updated. Scan inside compressed files select this check box to scan inside compressed zip, arj, lzh, rar, cab, tar, bz2, gz, jar and tgz files. Scanning inside large compressed files mi...

  • Page 168

    168 from the action on infection drop-down list, you can select the action f-secure client security will take when an infected file is detected. Choose one of the following actions: file extension handling f-secure client security has a list of included extensions defined in the policy (this can be ...

  • Page 169

    Chapter 5 169 real-time spyware scanning for information on setting up spyware scanning and examples of configuring spyware scanning, see “ configuring spyware scanning ” , 181 . 5.3.2 enabling real-time scanning for the whole domain in this example real-time scanning is enabled for the whole domain...

  • Page 170

    170 5. Select the action to take when an infected file is found from the file scanning: action on infection drop-down list. 6. Check that the other settings on this page are suitable for your system, and modify them if necessary. For more information on the other real-time scanning settings, see “ c...

  • Page 171

    Chapter 5 171 5.4 configuring system control f-secure system control is a new, host-based intrusion prevention system that analyzes the behavior of files and programs. It can be used to block intrusive ad pop-ups and to protect important system settings, as well as internet explorer settings against...

  • Page 172

    172 to enable activex protection, select the prevent all activex from running check box. Activex protection prevents the users’ web browsers from running activex web applications. Some web sites may use activex to install unwanted software on computers. However, there are also web pages which the us...

  • Page 173

    Chapter 5 173 3. In the rootkit scanning section, make sure that the enable rootkit scanning check box is selected. 4. Select the show suspicious items after full computer check check box. 5. Check that the other settings on this page are suitable, and modify them if necessary. 6. Go to the operatio...

  • Page 174

    174 you can select what to do when an infected e-mail message is detected. The following actions are available: incoming e-mail scanning 1. Action on incoming infected attachment: disinfect attachment starts the disinfection wizard whenever an infected attachment is detected. Remove attachment delet...

  • Page 175

    Chapter 5 175 3. Action on malformed message parts: drop message part deletes the message. Report only ignores the malformed message part but reports it to the administrator. To save the blocked e-mail messages in the end-users’ outbox folder, select the save blocked e-mails in outbox check box. The...

  • Page 176

    176 for more information on virus alert and scanning error messages that can be displayed to end users when e-mail scanning is enabled, see “ e-mail scanning alert and error messages ” , 292 . 5.6.2 enabling e-mail scanning for incoming and outgoing e-mails in this example e-mail scanning is enabled...

  • Page 177

    Chapter 5 177 step 4. Check the general settings check that the other settings on this page are suitable for your system, and modify them if necessary. For more information on the other e-mail scanning settings, see “ configuring e-mail scanning ” , 173 . Step 5. 1. Click to save the policy data. 2....

  • Page 178

    178 5.7 configuring web traffic (http) scanning web traffic scanning can be used to protect the computer against viruses in http traffic. When enabled, it scans html files, image files, downloaded applications or executable files and other types of downloaded files. It removes viruses automatically ...

  • Page 179

    Chapter 5 179 5.7.2 enabling web traffic scanning for the whole domain in this example http scanning is enabled for the whole domain. 1. Select root in the policy domains tab. 2. Go to the settings tab and select the http scanning page. 3. Select the enable http scanning check box. 4. Make sure that...

  • Page 180

180 1. Click the add button under the trusted sites table. This creates a new line in the table. 2. Click on the line you just created so that it becomes active, and type http://*.example.com/* this excludes all the sub-domains. 3. Click the add button under the trusted sites table. This creates ano...

  • Page 181

    Chapter 5 181 5.8 configuring spyware scanning spyware scanning protects the hosts against different types of spyware, such as data miners, monitoring tools and dialers. In centrally managed mode spyware scanning can be set, for example, to report the spyware items found on hosts to the administrato...

  • Page 182

182 from the action on spyware drop-down list, you can select the action to take when spyware is detected. Choose one of the following actions. To prevent users from accessing quarantined spyware, select the deny access to spyware check box. Note that access to detected spyware is prevented by def...

  • Page 183

    Chapter 5 183 the configure other spyware scanning options in advanced mode link takes you to the f-secure policy manager console advanced mode user interface, where other spyware scanning options can be configured. Manual spyware scanning to enable manual spyware scanning select the scan for spywar...

  • Page 184

    184 spyware and riskware reported by hosts the spyware and riskware reported by hosts table contains the following information: spyware and riskware reported by hosts spyware or riskware name displays the name of the spyware object or riskware. Type displays the spyware type. The type can be adware,...

  • Page 185

    Chapter 5 185 the spyware reported by hosts will be cleaned if you run a manual spyware scan on the hosts, as well as when quarantined spyware is removed periodically on the hosts. Default spyware handling if the change spyware control to automatically quarantine all new spyware setting is selected,...

  • Page 186

    186 spyware control also detects riskware. Riskware is any program that does not intentionally cause harm but can be dangerous if misused, especially if set up incorrectly. Examples of such programs are chat programs (irc), or file transfer programs. If you want to allow the use of these programs in...

  • Page 187

    Chapter 5 187 step 3. Changing spyware scanning to quarantine automatically configuration configure the default spyware handling settings: 1. If you want to make sure that users cannot allow any spyware or riskware to run on their computers, make sure that permit users to allow spyware is set to not...

  • Page 188

    188 4. As the manual scanning task also includes manual virus scanning, check the settings in the manual virus scanning section, and modify them if necessary. 5. Go to the operations tab, and click the scan for viruses and spyware button. Note, that you have to distribute the policy for the operatio...

  • Page 189

    Chapter 5 189 5.9 preventing users from changing settings if you want to make sure that the users cannot change some or any of the virus protection settings, you can set these settings final. There are different possibilities for doing this: if you want to prevent users from changing a certain setti...

  • Page 190

    190 8. Check that all the settings on this page are defined as they should be. Then click disallow user changes . 9. Select the e-mail scanning page. 10. Check that all the settings on this page are defined as they should be. Then click disallow user changes . 11. Click to save the policy data. 12. ...

  • Page 191

Chapter 5 191 host[:port] where "host" is the dns-name or ip-address of the smtp server, and "port" is the smtp server port number. 2. Enter the sender’s address for e-mail alert messages in the e-mail sender address (from): field. 3. Enter the e-mail alert message subject in the e-mail subject: field. See ...

  • Page 192

    192 5.10.2 disabling f-secure client security alert pop-ups in this example f-secure client security alerting is configured in such a way that no alert pop-ups are displayed to users. 1. Select the root in the policy domains tab. 2. Go to the settings tab and select the alert sending page. 3. Clear ...

  • Page 193

Chapter 5 193 1. You can download the eicar test file from http://www.europe.f-secure.com/virus-info/eicar_test_file.shtml alternatively, use any text editor to create the file with the following single line in it: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* 2. Save this fi...

  • Page 194

194 6 Configuring Internet Shield. Overview: what can internet shield be used for? 195. Configuring internet shield security levels and rules 198. Configuring network quarantine 203. Configuring internet shield rule alert...

  • Page 195

    Chapter 6 195 6.1 overview: what can internet shield be used for? Internet shield protects the computers against unauthorized access from the internet as well as against attacks originating from inside the lan. It provides protection against information theft, because unauthorized access attempts ca...

  • Page 196

    196 block all this security level blocks all network traffic. Mobile this security level allows normal web browsing and file retrievals (http, https, ftp), as well as e-mail and usenet news traffic. Encryption programs, such as vpn and ssh are also allowed. Everything else is denied and the denied i...

  • Page 197

    Chapter 6 197 6.1.2 security level design principles each security level has a set of pre-configured firewall rules. In addition, you can create new rules for all security levels for which the filtering mode normal is displayed in the firewall security levels table. The rules in the firewall securit...

  • Page 198

    198 6.2 configuring internet shield security levels and rules this section explains how you can set and select the security levels based on the users' needs. In the practical configuration examples it is assumed that the managed hosts have been imported into the domain structure that was created in ...

  • Page 199

    Chapter 6 199 you can verify that the new security level change has become effective by going to the status tab and selecting the overall protection window. 6.2.2 configuring a default security level for the managed hosts default security level is a global setting, and it is used only if the otherwi...

  • Page 200

    200 6.2.3 adding a new security level for a certain domain only in this example a new security level with two associated rules is created. The new security level is added only for one subdomain and the hosts are forced to use the new security level. This subdomain contains computers that are used on...

  • Page 201

    Chapter 6 201 3. Click add before to add a rule that allows outbound http traffic as the first one on the list. This opens the firewall rule wizard . 4. In the rule type window select allow as the rule type. 5. In the remote hosts window select any remote host to apply the rule to all internet conne...

  • Page 202

    202 3. Disable the browsersecurity security level by clearing the enabled check box beside it in the firewall security levels table. 4. Select the subdomain where you want to use this security level in the policy domains tab. 5. Enable the browsersecurity security level by selecting the enabled chec...

  • Page 203

    Chapter 6 203 6.3 configuring network quarantine network quarantine is an internet shield feature that makes it possible to restrict the network access of hosts that have very old virus definitions and/or that have real-time scanning disabled. Their normal access rights are automatically restored on...

  • Page 204

    204 6. Click to save the policy data. 7. Click to distribute the policy. 6.3.3 fine-tuning network quarantine network quarantine is implemented by forcing hosts to the network quarantine security level, which has a restricted set of firewall rules. You can add new allow rules to the firewall rules i...

  • Page 205

    Chapter 6 205 6.4 configuring internet shield rule alerts internet shield rule alerts can be used to get notifications if certain types of malware try to access the computers. It is possible to issue an alert every time a rule is hit or when illegal datagrams are received, which makes it easy to see...

  • Page 206

    206 step 3. Specify affected hosts choose whether to apply this rule to all connections or to selected connections only. You can either: check the any remote host option to apply the rule to all internet connections, check the all hosts on locally connected networks option to apply the rule to all c...

  • Page 207

    Chapter 6 207 for the chosen services, select the direction in which the rule will apply by clicking on the arrow in the direction column. Repeated clicks cycle between the available choices. See the table below for examples. For this rule, select: icmp from the service drop-down list from the direc...

  • Page 208

    208 you can also add a descriptive comment for the rule to help you understand the rule when it is displayed in the firewall rules table . If you need to make any changes to the rule, click back through the rule. If you are satisfied with your new rule, click finish . Your new rule will be added to ...

  • Page 209

    Chapter 6 209 1. Select the subdomain for which you created the rule in the policy domains tab. 2. Go to the summary tab, and check if any new security alerts are displayed for the domain. 3. To see the alert details, click view alerts by severity... . This takes you to the alerts tab that displays ...

  • Page 210

210 How do application control and system control work together? When application control detects an outbound connection attempt, and when it is set to prompt the user to decide whether to allow or deny the connection, you can set application control to check from system control whether the connection ...

  • Page 211

    Chapter 6 211 6.5.1 application control configuration settings the application control page displays the following information: unknown applications reported by hosts for unknown applications the information displayed is the same as for known applications (see above), except that the unknown applica...

  • Page 212

    You can decide what happens when an application tries to connect to the network with the Default action for client applications and Default action for server applications selections. The possible actions are: if you want to let the end users decide what to do with outbound connection attempt...

  • Page 213

    3. Select Report from the Send notifications for new applications drop-down list, so that the new applications will appear on the Unknown applications reported by hosts list. 4. Define the allow rules for these applications. For more information, see “Creating a rule for an unknown ap...

  • Page 214

    4. Click to distribute the policy. 6.5.3 Creating a rule for an unknown application on root level. In this example a rule is created to deny the use of Internet Explorer 4. It is assumed that the application already appears on the Unknown applications reported by hosts list. Step 1. ...

  • Page 215

    Step 4. Select the rule target. 1. Select the domain or host that the rule affects from the domains and hosts displayed in the window. If the target host or domain already has a rule defined for any of the applications affected by the rule, you are prompted to select whether to proceed ...

  • Page 216

    Step 2. Edit the application rule type. 1. Select the action to take when the application acts as a client and tries to make an outbound connection. In this case select Allow for Act as client (out). 2. Select the action to take when the application acts as a server and an inbound connection att...

  • Page 217

    1. Select Root in the Policy domains tab. 2. Go to the Settings tab and select the Application control page. On this page select Allow from the Default action for server applications drop-down list, and Allow from the Default action for client applications drop-down list. Note that with Allow as the default, any application that has no explicit rule may both accept inbound and open outbound connections, so only the explicit deny rules you create restrict application traffic at this level. 3. When creating...

  • Page 218

    3. To start the creation of the new rule, click Add before. This starts the firewall rule wizard. 4. In the Rule type window select Allow. 5. In the Remote hosts window select Any remote host. 6. In the Services window select Ping from the Service drop-down list, and Both from the Directions ...

  • Page 219

    6.7.1 Intrusion prevention configuration settings. The intrusion prevention configuration settings can be found in the Intrusion prevention section on the Firewall security levels page. Enable intrusion prevention: if enabled, intrusion detection is used to monitor inbound traffic in ord...

  • Page 220

    Detection sensitivity. This parameter serves two purposes: it limits the number of alerts and it also affects the performance of the local machine. A smaller value reduces the number of false positives, but also the number of attacks that are detected and reported. 10 = maximum network performance, minimum alerts. 50 = only 50% (the most ...

  • Page 221

    3. Select the Enable intrusion detection check box. 4. Select Log without dropping from the Action on malicious packet drop-down list. 5. Select Warning from the Alert severity drop-down list. 6. Select 25% from the Detection sensitivity drop-down list. Step 2. Configuring IDS for l...

  • Page 222

    7 How to check that the environment is protected. Contents: Overview (223); How to check the protection status from the Outbreak tab (223); How to check that all the hosts have the latest policy (223); How to che...

  • Page 223

    7.1 Overview. This section contains a list of things you can check to make sure that the environment is protected. 7.2 How to check the protection status from the Outbreak tab. The Outbreak tab provides a new way to monitor whether all hosts in the managed domain are protected against th...

  • Page 224

    4. On the Centralized management page you can see which of the hosts do not have the latest policy. You can also see the possible reasons for this: for example, the host is disconnected or there has been a fatal error on the host. 7.4 How to check that the server has the latest virus definitions...

  • Page 225

    7.6 How to check that there are no disconnected hosts. 1. Select Root in the Policy domains tab. 2. Go to the Summary tab and check what is displayed in the Domain section beside Disconnected hosts. 3. If there are disconnected hosts, click View disconnected hosts... This takes you t...

  • Page 226

    7.8 Viewing alerts. If there has been a problem with a program or with an operation, the hosts can send alerts and reports about it. It is a good idea to check regularly that there are no new alerts, and also to acknowledge (and delete) the alerts whose causes you have already troubleshoo...

  • Page 227

    When an alert is selected from the list, the alert view under the Alerts table displays more specific information about the alert. You can use the Ack button to mark the alerts that you have seen and are planning to troubleshoot. The alert summary displayed on the Summary tab is not au...

  • Page 228

    7.10 Monitoring a possible network attack. If you suspect that a network attack is going on in the local network, you can monitor it as follows: 1. Select Root in the Policy domains tab. 2. Go to the Summary tab. 3. Check what is displayed beside Most common recent attack. If there has...

  • Page 229

    8 Upgrading software. Contents: Overview: upgrading software (230).

  • Page 230

    8.1 Overview: upgrading software. You can remotely upgrade the F-Secure anti-virus software already installed on hosts by using the Installation Editor. The Installation Editor creates policy-based installation tasks that each host in the target domain carries out after the next policy update. ...

  • Page 231

    If a host is selected, the Progress field displays one of the following messages: Installed version: version number of the product. If there are multiple versions of the product installed, all version numbers are displayed. For hosts, this is always a single version number. Version ...

  • Page 232

    If a domain is selected, the Progress field displays one of the following: 3. When all required version numbers are selected, click Start. The Installation Editor launches the installation wizard, which queries the user for the installation parameters. The Installation Editor then prepares a di...

  • Page 233

    ...operation from the policy by clicking Stop all. This cancels the installation operations defined for the selected policy domain or host. It is possible to stop all installation tasks in the selected domain and all subdomains by selecting the Recursively cancel installation for sub...

  • Page 234

    9 Local host operations. Contents: Overview (235); Scanning file viruses manually (235); Viewing the latest scanning report on a local host (236); Adding a scheduled scan from a local host ...

  • Page 235

    9.1 Overview. This chapter contains instructions for performing operations and troubleshooting locally on hosts. You might need to do these operations when you suspect that there is a virus on a local host, or if you need to perform some other administrative tasks locally. 9.2 Scanning f...

  • Page 236

    9.3 Viewing the latest scanning report on a local host. The Virus & spy protection tab in the F-Secure Client Security user interface displays the scanning report status. If you have an unread report waiting, the status is shown as “New report available”. You can access the report by clicking V...

  • Page 237

    4. To set the scanning schedule, select either Daily, Weekly or Monthly under Scan performed. Select Daily to perform the scan every day at the scheduled time; the weekdays on the right are all selected and greyed out. Select Weekly to perform the scan every week at the scheduled wee...

  • Page 238

    1. Go to the Advanced settings page and select General > Central management. 2. Click Show log file. 9.5.2 Packet logging. The packet log collects very detailed information about network traffic and is therefore switched off by default. If malicious network activity is suspected, the packet l...
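The packet log described in 9.5.2 is written in tcpdump (pcap) format, as the glossary entry for packet logging states, so it can be read with tcpdump, Wireshark, or a few lines of your own code. The reader below is an added example, not code from the F-Secure manual or product: it implements the classic pcap layout (24-byte global header, 16-byte record headers, Ethernet/IPv4 frames in either byte order) and counts which remote hosts are hitting which local ports, which is the first question when a host reports a possible attack. The capture it parses is constructed inline from documentation address ranges and is not a log from a real host.

```python
"""Read a pcap-format packet log and count inbound (source, protocol, port)
triples. Added example; not F-Secure code. The sample capture is constructed
below, not taken from a real Internet Shield host."""
import struct
from collections import Counter

# magic number as read little-endian -> byte order of the rest of the file
PCAP_MAGIC = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">",      # microsecond timestamps
              0xA1B23C4D: "<", 0x4D3CB2A1: ">"}      # nanosecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"


def is_pcap(data: bytes) -> bool:
    return len(data) >= 24 and struct.unpack("<I", data[:4])[0] in PCAP_MAGIC


def iter_packets(data: bytes):
    """Yield (timestamp_seconds, frame_bytes) for each record in the file."""
    if not is_pcap(data):
        raise ValueError("not a pcap file")
    endian = PCAP_MAGIC[struct.unpack("<I", data[:4])[0]]
    *_, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record at end of file")
        offset += incl_len
        yield ts_sec, frame


def decode_frame(frame: bytes):
    """Return (src, dst, protocol, sport, dport) for an IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    if ihl < 20 or len(frame) < 14 + ihl:
        return None
    protocol = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    sport = dport = None
    l4 = 14 + ihl
    if protocol in (6, 17) and len(frame) >= l4 + 4:   # TCP / UDP carry ports
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return src, dst, protocol, sport, dport


def inbound_counts(data: bytes, local_ip: str) -> Counter:
    """Count (source, protocol, destination port) for packets sent to local_ip."""
    counts = Counter()
    for _, frame in iter_packets(data):
        decoded = decode_frame(frame)
        if decoded and decoded[1] == local_ip:
            src, _, protocol, _, dport = decoded
            counts[(src, protocol, dport)] += 1
    return counts


# --- constructed sample capture (not real traffic) -------------------------
def build_frame(src: str, dst: str, protocol: int, sport: int = 0, dport: int = 0) -> bytes:
    """Minimal Ethernet/IPv4 frame; checksums are left zero, which is fine for parsing."""
    if protocol == 6:      # TCP SYN
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    elif protocol == 17:   # UDP
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    else:                  # ICMP echo request
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, protocol, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return bytes.fromhex("001122334455" "66778899aabb") + ETHERTYPE_IPV4 + ip + l4


def build_pcap(frames, endian: str = "<") -> bytes:
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack(endian + "IIII", 1061841600 + i, 0, len(frame), len(frame)) + frame
    return out


LOCAL_IP = "192.0.2.10"
SAMPLE_FRAMES = (
    [build_frame("203.0.113.5", LOCAL_IP, 6, 40000 + i, 445) for i in range(5)]  # burst at SMB
    + [build_frame("203.0.113.5", LOCAL_IP, 6, 40100, 8000)]                     # the web server
    + [build_frame(LOCAL_IP, "198.51.100.1", 17, 53000, 53)]                      # outbound DNS, ignored
    + [build_frame("198.51.100.7", LOCAL_IP, 1)]                                  # a ping
)
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    for (src, protocol, dport), n in inbound_counts(SAMPLE_PCAP, LOCAL_IP).most_common():
        print(f"{src:>15}  proto {protocol:<3} port {dport}  x{n}")
```

Point `inbound_counts` at the bytes of the real log file and the host's own address; the top entry of `most_common()` is the "most common recent attack" view of 7.10 computed from the host's own evidence.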

  • Page 239

    The logging directory. The logging directory is defined when installing the application. It can be changed by clicking Browse. Action log. The action log continuously collects data about the actions taken by the firewall. It is a plain text file with a maximum size of 10 MB, and ...

  • Page 240

    Receiving connection: if the application has opened a listening socket it is acting as a server, and remote computers can connect to the port the socket was opened for. The action log also records these connections. The fields are: Dynamic rule entry: if an application opens a listeni...

  • Page 241

    9.5.3 Other log files. Local system log: you can also access the local system log by clicking Open Event Viewer on the Advanced centralized management settings page. 9.6 Connecting to F-Secure Policy Manager and importing a policy file manually. If you need to initialize a connection from...

  • Page 242

    Policy file importing is meant primarily for troubleshooting purposes. In normal operation policy files are always transferred automatically. Policy export and import operations can be used to restore the connection to F-Secure Policy Manager if the managed host has become disconnected because o...

  • Page 243

    3. Select one of the options from the Allow users to unload products drop-down menu. Allowing unload lets a local user stop the protection components, so choose the most restrictive option the environment permits. 4. Click to save the policy data. 5. Click to distribute the policy.

  • Page 244

    10 Virus information. Contents: Virus information on F-Secure web pages (245); Latest threats (245); Viruses in the wild (246); How to send ...

  • Page 245

    10.1 Virus information on F-Secure web pages. F-Secure Corporation maintains a comprehensive database of computer virus information, which documents the various symptoms of numerous viruses. The database is available on the Internet at http://www.f-secure.com/virus-info/. 10.2 Latest ...

  • Page 246

    10.3 Viruses in the wild. The WildList is a cooperative listing of viruses reported as being in the wild by 73 virus information professionals. The basis for these reports is virus incidents in which a sample was received and positively identified by the participant. Rumors and unverified reports ...

  • Page 247

    All zip packages should be named using only English letters and/or numbers. You can use long file names. If you send multiple archives (for example because of e-mail server limitations), please either send them in separate messages or add a counter to the archive parts, for example: sa...

  • Page 248

    3. Boot sector virus. Create a DCF image or Teledisk image of the infected diskette. Try to get a 1.44 MB infected diskette first (note: some viruses do not infect this type of diskette). Do not use compression or the fast save option, because it can leave out some of the important areas of the ...

  • Page 249

    If you encounter a missed or incorrect detection, or a false alarm, with F-Secure Client Security, try to send us the following: the file in question; the F-Secure Client Security version number; the date of the last virus definition update; a description of the system configuration; a description...

  • Page 250

    Do not send the virus sample to any personal e-mail address at F-Secure Corporation; your messages will be deleted by our e-mail scanner. Send hoax samples and virus-related questions also to samples@f-secure.com. If the virus sample is too big to send by e-mail, you can upload it (in a zip archive...

  • Page 251

    ...virus', 'could be an image of a boot sector virus' and so on, send a sample together with the F-Secure Client Security scan report to the F-Secure Anti-Virus Research Team (samples@f-secure.com) according to the following guidelines: http://www.europe.f-secure.com/support/technical/g...

  • Page 252

    7. When provided with a disinfection solution, test it on one computer first. If it works, it can be applied to all infected computers. Scan the cleaned computers with F-Secure Client Security and the latest virus definition updates to ensure that no infected files are left. 8. Re-enable the ne...

  • Page 253

    11 Setting up Cisco NAC support. Contents: Introduction (254); Installing Cisco NAC support (254); Attributes to be used for application posture token (255).

  • Page 254

    11.1 Introduction. F-Secure Corporation participates in the Network Admission Control (NAC) collaboration led by Cisco Systems®. NAC can be used to restrict the network access of hosts whose virus definition databases are too old, or whose anti-virus or firewall module is disabled. The F-Secure NAC plug-in co...

  • Page 255

    Remote installations. 1. When installing F-Secure Client Security remotely, select Cisco NAC support in the Components to install dialog. 2. Later on in the remote installation wizard the Cisco AAA server certificate selection dialog is displayed. Enter the path to the Cisco AAA s...

  • Page 256

    4. Click Configure. 5. Select Create new local policy. 6. You can use the following F-Secure Client Security related attributes in the rules for application posture tokens: posture validation attributes for anti-virus; posture validation attributes for firewall. Attribute name / Type / Example: softw...

  • Page 257

    12 Advanced features: virus and spyware protection. Contents: Overview (258); Configuring scheduled scanning (258); Configuring Policy Manager Proxy ...

  • Page 258

    12.1 Overview. This section contains instructions for some advanced virus protection administration tasks, such as configuring scheduled scanning from the Advanced mode user interface and configuring the anti-virus proxy. 12.2 Configuring scheduled scanning. A scheduled scanning task can be added ...

  • Page 259

    9. Next click the Scheduling parameters cell, and then click Edit. Now you can enter the parameters for the scheduled scan. A scheduled scan that is to run weekly, every Monday starting at 8 p.m., from August 25, 2003 onwards, is configured as follows: ‘/t20:00 /b2003-08-25 /rweekl...

  • Page 260

    Running scheduled scans on specific weekdays and days of month. When you are configuring a weekly scheduled scan, you can also define specific weekdays on which the scan is to run. Similarly, when you are configuring a monthly scheduled scan, you can define specific days of the month on which the scan is ...
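A scheduling parameter string such as the one in step 9 above is policy data that a host will act on, so it is worth validating before it is distributed and worth being able to predict when the scan will actually fire. The parser below is an added example, not code from the F-Secure manual or product. It takes the three tokens the manual shows (/tHH:MM start time, /bYYYY-MM-DD first day, /r recurrence) and computes the next run. The page cuts off the spelling of the recurrence values and the syntax for listing weekdays or days of month, so the values daily/weekly/monthly and the /d token used here are assumptions, as is the rule that a monthly scan on a day a month lacks simply skips that month.

```python
"""Parse a scheduled-scan parameter string and compute its next run time.

Added example; not F-Secure code. /t, /b and /r are from the manual; the
recurrence values 'daily'/'weekly'/'monthly' and the /d day-list token are
assumptions, since the page cuts off before showing them.
"""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta

WEEKDAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}
RECURRENCES = ("daily", "weekly", "monthly")
KNOWN_TOKENS = {"t", "b", "r", "d"}


@dataclass(frozen=True)
class Schedule:
    start: time          # /t  time of day
    begin: date          # /b  first day the scan may run
    recurrence: str      # /r  daily, weekly or monthly
    days: frozenset      # weekdays (0 = Monday) or days of month; assumed /d token


def parse_schedule(spec: str) -> Schedule:
    """Parse e.g. '/t20:00 /b2003-08-25 /rweekly' into a Schedule.

    Malformed, unknown or duplicated tokens raise ValueError instead of being
    ignored, so a typo cannot silently turn a weekly scan into a daily one.
    """
    params = {}
    for token in spec.split():
        if len(token) < 3 or token[0] != "/":
            raise ValueError(f"malformed token {token!r}")
        key, value = token[1].lower(), token[2:].lower()
        if key not in KNOWN_TOKENS or key in params:
            raise ValueError(f"unknown or duplicate token /{key}")
        params[key] = value
    for required in ("t", "b"):
        if required not in params:
            raise ValueError(f"missing /{required}")
    start = time.fromisoformat(params["t"])        # raises ValueError on a bad time
    begin = date.fromisoformat(params["b"])        # raises ValueError on a bad date
    recurrence = params.get("r", "daily")
    if recurrence not in RECURRENCES:
        raise ValueError(f"unsupported recurrence {recurrence!r}")

    days = set()
    for item in filter(None, params.get("d", "").split(",")):
        if recurrence == "weekly":
            if item not in WEEKDAYS:
                raise ValueError(f"bad weekday {item!r}")
            days.add(WEEKDAYS[item])
        elif recurrence == "monthly":
            if not 1 <= int(item) <= 31:
                raise ValueError(f"bad day of month {item!r}")
            days.add(int(item))
        else:
            raise ValueError("/d only applies to weekly or monthly scans")
    if not days:  # default to the weekday / day of month of the begin date
        days = {begin.weekday()} if recurrence == "weekly" else {begin.day}
    return Schedule(start, begin, recurrence, frozenset(days))


def is_valid_schedule(spec: str) -> bool:
    """True if the parameter string parses; use it to reject bad policy input."""
    try:
        parse_schedule(spec)
        return True
    except ValueError:
        return False


def next_run(schedule: Schedule, now: datetime) -> datetime:
    """Return the first scheduled start strictly after `now`.

    Walks day by day, so a monthly scan on the 31st skips the months that
    have no 31st instead of running on the wrong day.
    """
    day = max(now.date(), schedule.begin)
    for _ in range(2 * 366):
        if schedule.recurrence == "daily":
            due = True
        elif schedule.recurrence == "weekly":
            due = day.weekday() in schedule.days
        else:
            due = day.day in schedule.days
        if due:
            candidate = datetime.combine(day, schedule.start)
            if candidate > now:
                return candidate
        day += timedelta(days=1)
    raise ValueError("no run within two years; check the day list")


if __name__ == "__main__":
    weekly = parse_schedule("/t20:00 /b2003-08-25 /rweekly")
    print(next_run(weekly, datetime(2003, 8, 25, 20, 0)))   # 2003-09-01 20:00:00
```

Rejecting unknown tokens rather than ignoring them is deliberate: a silently ign`ored` recurrence token would leave the host on the default schedule without any alert in Policy Manager.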

  • Page 261

    Hosts running F-Secure Client Security or F-Secure Anti-Virus for Workstations fetch virus definition updates through F-Secure Policy Manager Proxy. F-Secure Policy Manager Proxy contacts F-Secure Policy Manager Server and F-Secure's distribution server when needed. Workstations in th...

  • Page 262

    5. Repeat this for the other proxies you want to add. To change the order of the servers, select the one you wish to move and click the up or down arrows on the right. 6. When you have added all the proxies, click OK. 12.5 Configuring a host for SNMP management. The F-Secure SNMP mana...

  • Page 263

    13 Advanced features: Internet Shield. Contents: Overview (264); Managing Internet Shield properties remotely (264); Configuring security level autoselection (266); Troubl...

  • Page 264

    13.1 Overview. This section covers some advanced Internet Shield features. It also contains some troubleshooting information. 13.2 Managing Internet Shield properties remotely. This section describes how you can manage Internet Shield properties remotely. 13.2.1 Packet logging. Packet logging is a ...

  • Page 265

    To undo this change later, clear the Final check box and distribute the new policy. 13.2.2 Trusted interface. The trusted interface mechanism allows the firewalled host to be used as a connection sharing server; because it bypasses the firewall rules, only ever mark the interface facing the internal network whose connection is being shared as trusted. Firewall rules are not applied to traffic going through the trusted ...

  • Page 266

    13.2.3 Packet filtering. This is one of the basic security mechanisms in the firewall: it filters all IP network traffic based on information in the protocol headers of each packet. Packet filtering can be enabled or disabled from the Advanced tab in the Network protection settings. Disa...

  • Page 267

    3. Select the Policy tab in the Properties pane (the middle pane). 4. On the Policy tab, select the following path: \F-Secure\F-Secure Internet Shield. 5. In the Product view pane (on the right) select the Security level autoselection page. 6. Make sure that Security level autoselectio...

  • Page 268

    9. The first security level is now ready. Click Add to add the second security level, in this example Mobile. 10. Enter the data in the cells by selecting a cell and clicking Edit. For the Mobile security level you should add the following data: Priority: the rules are checked in the order def...

  • Page 269

    3. Check that the DHCP address is a valid one. You can do this by running the ipconfig command in a command prompt. 4. Next you should ping the default gateway. If you do not know its address, you can find it out by running ipconfig -all in a command prompt. Then ping the defau...

  • Page 270

    13.5.1 Creating a new Internet service based on the default HTTP. In this example it is assumed that a web server is running on a computer, and that the web server is configured to use a non-standard web port. Normally a web server would listen on TCP port 80, but in this example it has been con...

  • Page 271

    Step 2. IP protocol number. Select a protocol number for this service from the Protocol drop-down list. It contains the most commonly used protocols (TCP, UDP, ICMP). If your service uses any other protocol, refer to the table below and enter the respective number. In this example, sel...

  • Page 272

    Protocol name   Protocol number   Full name
    icmp            1                 Internet Control Message Protocol
    igmp            2                 Internet Group Management Protocol
    ipip            4                 IPIP tunnels (IP in IP)
    tcp             6                 Transmission Control Protocol
    egp             8                 Exterior Gateway Protocol
    pup             12                Xerox PUP routing protocol
    udp             17                User Datagram Protocol
    idp             22                Xer...

  • Page 273

    Step 3. Initiator ports. If your service uses the TCP or UDP protocol, you need to define the initiator ports the service covers. The format for entering the ports and port ranges is as follows: “>port”: all ports higher than port; “>=port”: all ports equal to or higher than port; “ ”: al...

  • Page 274

    In this example, define the initiator port as >1023. Step 4. Responder ports. If your service uses the TCP or UDP protocol, you need to define the responder ports the service covers. In this example, define the responder port as 8000.
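Steps 2 to 4 above define a service as a protocol number plus initiator and responder port specifications, and the rule wizard in 6.4 then applies such a service in a direction (in, out or both) to a set of remote hosts. The code below is an added example, not code from the F-Secure manual or product: it models those definitions so that you can check, offline, which of a handful of connections a rule table would let through. It supports the ">port", ">=port" and single-port forms the page shows; the "a-b" range form, first-match evaluation of the rule table, deny for anything unmatched, and the 10.0.0.0/8 prefix standing in for "all hosts on locally connected networks" are assumptions.

```python
"""Match connections against Internet Shield-style service definitions.

Added example; not F-Secure code. '>port', '>=port' and 'port' follow the
manual; the 'a-b' range form, first-match evaluation and deny-by-default are
assumptions about the rule table.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# Subset of the protocol number table from the manual.
PROTOCOL_NUMBERS = {"icmp": 1, "igmp": 2, "ipip": 4, "tcp": 6, "egp": 8,
                    "pup": 12, "udp": 17, "idp": 22}
PORTED_PROTOCOLS = {PROTOCOL_NUMBERS["tcp"], PROTOCOL_NUMBERS["udp"]}


def _port(text: str) -> int:
    value = int(text)
    if not 0 <= value <= 65535:
        raise ValueError(f"port out of range: {text}")
    return value


def parse_port_spec(spec: str) -> Callable[[int], bool]:
    """Turn '>1023', '>=1024', '8000' or '6000-6010' into a predicate on a port."""
    spec = spec.replace(" ", "")
    if spec.startswith(">="):
        low = _port(spec[2:])
        return lambda p: p >= low
    if spec.startswith(">"):
        low = _port(spec[1:])
        return lambda p: p > low
    if "-" in spec:                      # assumed range syntax
        low, high = (_port(part) for part in spec.split("-", 1))
        if low > high:
            raise ValueError(f"empty range: {spec}")
        return lambda p: low <= p <= high
    only = _port(spec)
    return lambda p: p == only


@dataclass(frozen=True)
class Connection:
    protocol: int
    remote: str            # address of the remote host
    initiator_port: int    # port on the side that opened the connection
    responder_port: int    # port on the side that accepted it
    outbound: bool         # True when the local host is the initiator


@dataclass(frozen=True)
class Service:
    name: str
    protocol: int
    initiator: Optional[Callable[[int], bool]] = None
    responder: Optional[Callable[[int], bool]] = None

    def __post_init__(self):
        if self.protocol in PORTED_PROTOCOLS and None in (self.initiator, self.responder):
            raise ValueError(f"{self.name}: TCP/UDP services need both port specs")

    def matches(self, conn: Connection) -> bool:
        if conn.protocol != self.protocol:
            return False
        if self.protocol not in PORTED_PROTOCOLS:   # e.g. ICMP has no ports
            return True
        return self.initiator(conn.initiator_port) and self.responder(conn.responder_port)


@dataclass(frozen=True)
class Rule:
    action: str                                      # "allow" or "deny"
    service: Service
    direction: str                                   # "in", "out" or "both"
    remote: Optional[ipaddress.IPv4Network] = None   # None: any remote host

    def applies(self, conn: Connection) -> bool:
        wanted = "out" if conn.outbound else "in"
        if self.direction not in ("both", wanted):
            return False
        if self.remote is not None and ipaddress.ip_address(conn.remote) not in self.remote:
            return False
        return self.service.matches(conn)


def decide(rules, conn: Connection) -> str:
    """Return the action of the first rule that applies, or 'deny' (assumed default)."""
    for rule in rules:
        if rule.applies(conn):
            return rule.action
    return "deny"


def example_rules():
    """The manual's two examples: the web server on port 8000, and ping."""
    web = Service("HTTP on 8000", PROTOCOL_NUMBERS["tcp"],
                  parse_port_spec(">1023"), parse_port_spec("8000"))
    ping = Service("Ping", PROTOCOL_NUMBERS["icmp"])
    return [
        Rule("allow", web, "in"),                                         # any remote host
        Rule("allow", ping, "both", ipaddress.ip_network("10.0.0.0/8")),  # assumed local networks
    ]


if __name__ == "__main__":
    rules = example_rules()
    print(decide(rules, Connection(6, "203.0.113.5", 51000, 8000, outbound=False)))  # allow
    print(decide(rules, Connection(6, "203.0.113.5", 80, 8000, outbound=False)))     # deny
```

Note that the initiator-port check is what stops a remote peer from reaching the web service with a privileged source port: a connection from port 80 to 8000 is denied even though the responder port matches, which is exactly why the wizard example sets the initiator side to >1023.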

  • Page 275

    Step 5. Classification number. Select a classification number for the service from the drop-down list. You can accept the default value. Step 6. Extra filtering. Select whether any extra filtering is to be applied to the traffic allowed by the service you are creating, in addition to t...

  • Page 276

    In this example you can accept the default, Disabled. When the service uses the TCP protocol and you do not have Application Control enabled, you can select Active mode FTP from the Extra filtering drop-down menu. Active mode FTP requires special handling from the firewall, as the information abou...

  • Page 277

    Step 7. Review and accept the rule. 1. You can review your rule now. If you need to make any changes to the rule, click Back to step back through the wizard. 2. Click Finish to close the rule wizard. The rule you just created is now displayed in the Firewall rules table. Step 8. Take the new rule in...

  • Page 278

    Appendix A: Modifying prodsett.ini. Contents: Overview (279); Configurable prodsett.ini settings (279).

  • Page 279

    A.1 Overview. prodsett.ini informs the setup program which modules to install and where to install them (the target directory) on workstations. This appendix contains a list of the settings that can be edited in prodsett.ini. A.2 Configurable prodsett.ini settings. You can edit th...

  • Page 280

    SupportedLanguages=ENG FRA DEU FIN SVE ITA: list of languages supported by the installation package. You can make the set of languages smaller by leaving out unnecessary languages and repacking the package. When you add support for a new language to the package, you should add that language h...

  • Page 282

    [Silent Setup]: settings for unattended automatic installation. DestinationDirUnderProgramFiles=F-Secure: default destination path. Do not change this setting unless your company follows a specific installation policy. Reboot=2: 1 = reboot automatically after installation. Attention: this option exe...

  • Page 284

    [PMSUINST.DLL]: settings for F-Secure Policy Manager support. RequestInstallMode=0: this component is always installed when you are installing a networked client. You do not need to edit the RequestInstallMode or InstallMode settings for this component. FSMSServerURL=http://fsmsserver: URL of the F-...

  • Page 285

    [FSAVINST.DLL]: settings for F-Secure Client Security - virus protection. RequestInstallMode=1: 0 = install this component as defined in the InstallMode setting; 1 = install this component if newer, or not installed (default); 2 = install this component if there is no existing version of...

  • Page 287

    [MEHINST.DLL]: settings for SNMP support. RequestInstallMode=1: 0 = install this component as defined in the InstallMode setting; 1 = install this component if newer, or not installed (default); 2 = install this component if there is no existing version of it installed, or if the same or...

  • Page 288

    [FWESINST.DLL]: settings for the internal common component FWES. RequestInstallMode=1: 0 = install this component as defined in the InstallMode setting; 1 = install this component if newer, or not installed (default); 2 = install this component if there is no existing version of it installed, or if th...

  • Page 290

    [FSPSINST.DLL]: settings for F-Secure Client Security - network scanner. RequestInstallMode=1: 0 = install this component as defined in the InstallMode setting; 1 = install this component if newer, or not installed (default); 2 = install this component if there is no existing version of it installe...

  • Page 291

    [FSNACINS.DLL]: settings for Cisco NAC support. RequestInstallMode=1: 0 = install this component as defined in the InstallMode setting; 1 = install this component if newer, or not installed (default); 2 = install this component if there is no existing version of it installed, or if the s...
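Because prodsett.ini drives an unattended install, it pays to know in advance which components setup will touch on a given host. The script below is an added example, not code from the F-Secure manual or product: it reads the RequestInstallMode values documented in the component sections above and works out, against an inventory of installed versions, which components would be installed. The appendix cuts off the list of InstallMode values and the end of the mode 2 description, so the reading "InstallMode=1 means install" and "mode 2 reinstalls when the same or an older version is present" are assumptions, as are the dotted version numbers and the constructed inventory and ini text.

```python
"""Work out which prodsett.ini components setup would (re)install.

Added example; not F-Secure code. RequestInstallMode 0/1/2 follows the
appendix; the meaning of InstallMode=1 and the exact reading of mode 2 are
assumptions, and SAMPLE_PRODSETT is constructed for this example.
"""
import configparser
from typing import Optional

SAMPLE_PRODSETT = """\
[Silent Setup]
DestinationDirUnderProgramFiles=F-Secure
Reboot=2

[PMSUINST.DLL]
RequestInstallMode=0
InstallMode=1
FSMSServerURL=http://fsmsserver

[FSAVINST.DLL]
RequestInstallMode=1

[MEHINST.DLL]
RequestInstallMode=2

[FSNACINS.DLL]
RequestInstallMode=1
"""


def version_key(text: str):
    """'7.00.100' -> (7, 0, 100), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def should_install(request_mode: int, install_mode: int,
                   installed: Optional[str], package: str) -> bool:
    """Apply the RequestInstallMode semantics to one component."""
    if request_mode == 0:
        return install_mode == 1                      # assumed meaning of InstallMode
    if installed is None:                             # modes 1 and 2: not installed -> install
        return True
    if request_mode == 1:                             # only if the package is newer
        return version_key(package) > version_key(installed)
    if request_mode == 2:                             # also when same or older is present (assumed)
        return version_key(package) >= version_key(installed)
    raise ValueError(f"RequestInstallMode must be 0, 1 or 2, got {request_mode}")


def plan(ini_text: str, installed: dict, package_version: str) -> dict:
    """Map each component section ([NAME.DLL]) to True (install) or False (skip)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    decisions = {}
    for section in cfg.sections():
        if not section.upper().endswith(".DLL"):      # [Silent Setup] etc. are not components
            continue
        mode = cfg.getint(section, "RequestInstallMode")
        install_mode = cfg.getint(section, "InstallMode", fallback=0)
        decisions[section] = should_install(mode, install_mode,
                                            installed.get(section), package_version)
    return decisions


if __name__ == "__main__":
    inventory = {"PMSUINST.DLL": "7.00.100", "FSAVINST.DLL": "7.00.100", "MEHINST.DLL": "7.00.100"}
    for name, install in plan(SAMPLE_PRODSETT, inventory, "7.00.100").items():
        print(f"{name:<14} {'install' if install else 'skip'}")
```

The numeric version key matters: comparing "7.00.9" and "7.00.100" as strings would call the older build newer and skip a mode 1 upgrade.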

  • Page 292

    Appendix B: E-mail scanning alert and error messages. Contents: Overview (293).

  • Page 293

    B.1 Overview. This section includes a list of the alert and error messages that e-mail scanning can generate. E-mail scanning session failed: system error. Message ID: 602. Message: “Connection to the server was terminated by e-mail scanning due to a system error. E-mail scanning contin...

  • Page 294

    Action taken options: • infection was only reported • attachment was disinfected • attachment was dropped • infected e-mail was blocked. Message: E-mail virus alert! Infection: attachment: infected> action: message from: to: subject: message > Malformed e-mail alert. Message ID: 630-633. Definitio...

  • Page 295

    Message: Malformed e-mail alert! Description: message part: action: message from: to: subject: message > E-mail attachment scanning failure. Message ID: 640-643. Definition: when a scan fails, the message is treated based on the configuration set in Advanced configuration. The options ...

  • Page 296

    Message: E-mail attachment scanning failure. Reason: attachment: action: message from: to: subject: message >

  • Page 297

    Glossary.

  • Page 298

    ActiveX: ActiveX is a set of technologies from Microsoft that enables interactive content for the World Wide Web. As ActiveX security settings in Internet Explorer can allow web pages to secretly install ActiveX controls automatically, they can be a significant security threat. ActiveX controls c...

  • Page 299

    Authorization: the right to perform an action on an object; also the act of granting this right. Backdoor: a malicious application or plug-in that gives a remote user a way to access the compromised computer. This is very often an application that opens one or more listening ports...

  • Page 300

    Connection: short for network connection; describes either the connection the computer has to the network, or individual connections made to remote hosts from the local computer or from remote hosts to the local computer. For TCP this corresponds to a "TCP connection"; for the other TCP/IP proto...

  • Page 301

    E-mail scanning: scanning and cleaning e-mail messages for viruses and malicious content in the local host's network stack, preventing viruses and other malicious content from infecting the e-mail client on the host. Event Viewer: Event Viewer maintains logs about program, security, and system events on...

  • Page 302

    Hidden file: hidden files are not visible to users. It is possible that a rootkit is hiding the file from normal file listings. Hidden process: hidden processes are not visible to users. It is possible that a rootkit is hiding the process from Windows Task Manager. Host: any computer on a netwo...

  • Page 303

    IPsec (IETF): the IP Security protocol is designed to provide interoperable, high quality, cryptography-based security for IPv4 and IPv6. The set of security services offered includes access control, connectionless integrity, data origin authentication, protection against replays, confidentialit...

  • Page 304

    Mbit: megabit. MIB (SNMP terminology): Management Information Base. Detailed information about MIBs can be found in RFC 1155 (SMI), RFC 1212 (concise MIB definitions) and RFC 1213 (MIB-II). MIME: Multipurpose Internet Mail Extensions, a standard system for identifying the type of data contained in a file based on its extension...

  • Page 305

    Packet logging: packet logging is a tool used to analyse network traffic, gather evidence of illicit behavior, etc. It consists of copying the payload and headers of all the network traffic the computer sees to a file, which can be viewed later. Internet Shield logs the packets in the tcpdump ...

  • Page 306

    Protocol: protocol, short for network protocol, is a formal, detailed specification of a communication format. Its purpose is to ensure that all communication participants can decode and understand the communication. In this document it most often refers to TCP/IP (Transmission Control Protocol/I...

  • Page 307

    Rootkit: rootkits are typically used to hide malicious software from users, system tools and antivirus scanners. Not all rootkits are malicious by themselves, but they are often used to hide viruses, worms, trojans and spyware. Server: a computer, or a piece of software, that provides a specific ki...

  • Page 308

    Subnet: short for "subnetwork", a section of a network. Usually, computers within the same subnet are physically near each other and have IP addresses that share the same prefix (for example the same first two or three octets). System event log: a service that records events in the system, security, and appli...

  • Page 309

    Trojan: a trojan is usually a standalone program that performs destructive or other malicious actions. Destructive actions can vary from erasing or modifying the contents of files on a hard drive to complete destruction of data. A backdoor trojan is a remote access tool that can allow a hacker ...

  • Page 310

    Worm: a computer program capable of replicating by inserting copies of itself into networked computers.

  • Page 311

    Technical support. Contents: Overview (312); Web Club (312); Advanced technical support (312); F-Se...

  • Page 312

    Overview. F-Secure technical support is available from the F-Secure web site. You can access our web site from within your F-Secure application or from your web browser. Web Club. The F-Secure Web Club provides assistance to users of F-Secure products. To enter, choose the Web Club command from th...

  • Page 313

    1. Name and version number of your F-Secure software program (including the build number). 2. Name and version number of your operating system (including the build number). 3. A detailed description of the problem, including any error messages displayed by the program, and any other details whi...

  • Page 314

    http://www.f-secure.com/products/training/ The courses take place in modern and well-equipped classrooms. All of our courses consist of theory and hands-on parts. At the end of each course there is a certification exam. Contact your local F-Secure office or F-Secure certified training partner to...

  • Page 315

    About F-Secure Corporation. F-Secure Corporation is the fastest growing publicly listed company in the antivirus and intrusion prevention industry, with more than 50% revenue growth in 2004. Founded in 1988, F-Secure has been listed on the Helsinki Stock Exchange since 1999. We have our headquarters i...