F-secure CLIENT SECURITY Administrator’s Guide

F-Secure Client
Security
Administrator’s Guide
"F-Secure" and the triangle symbol are registered trademarks of F-Secure Corporation and F-Secure product names and symbols/logos are either trademarks or registered trademarks of F-Secure Corporation. All product names referenced herein are trademarks or registered trademarks of their respective companies. F-Secure Corporation disclaims proprietary interest in the marks and names of others. Although F-Secure Corporation makes every effort to ensure that this information is accurate, F-Secure Corporation will not be liable for any errors or omission of facts contained herein. F-Secure Corporation reserves the right to modify specifications cited in this document without prior notice.
Companies, names and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of F-Secure Corporation.
This product may be covered by one or more F-Secure patents, including the following:
GB2353372 GB2366691 GB2366692 GB2366693 GB2367933 GB2368233
GB2374260
Copyright © 2008 F-Secure Corporation. All rights reserved. 12000060-7A10
Contents
About this Guide 10
Overview ............................................................................................................................ 11
Additional Documentation .................................................................................................. 13
Conventions Used in F-Secure Guides .............................................................................. 15
Chapter 1 Introduction 17
1.1 Overview .................................................................................................................... 18
1.2 F-Secure Client Security Components and Features.................................................18
1.2.1 Virus and Spy Protection................................................................................ 18
1.2.2 Internet Shield ................................................................................................ 21
1.2.3 Application Management................................................................................ 22
1.3 Introduction to F-Secure Policy Manager...................................................................23
1.3.1 Main Components of F-Secure Policy Manager............................................. 24
1.3.2 F-Secure Policy Manager Features................................................................ 25
1.4 Basic Terminology......................................................................................................26
Chapter 2 Installing F-Secure Policy Manager 28
2.1 Overview .................................................................................................................... 29
2.2 System Requirements................................................................................................ 30
2.2.1 F-Secure Policy Manager Server ................................................................... 30
2.2.2 F-Secure Policy Manager Console................................................................. 32
2.3 Installation Steps........................................................................................................33
2.4 Uninstalling F-Secure Policy Manager ....................................................................... 55
iii
Chapter 3 Introduction to F-Secure Policy Manager Anti-Virus Mode
User Interface 56
3.1 Overview .................................................................................................................... 57
3.2 Policy Domains Tab ................................................................................................... 58
3.3 Management Tabs ..................................................................................................... 58
3.3.1 Summary Tab.................................................................................................59
3.3.2 Outbreak Tab..................................................................................................66
3.3.3 Settings Tab ................................................................................................... 68
3.3.4 Status Tab .................................................................................................... 100
3.3.5 Alerts Tab ..................................................................................................... 108
3.3.6 Reports Tab..................................................................................................110
3.3.7 Installation Tab .............................................................................................111
3.3.8 Operations Tab.............................................................................................113
3.4 Toolbar .....................................................................................................................114
3.5 Menu Commands.....................................................................................................115
3.6 Settings Inheritance ................................................................................................. 118
3.6.1 How Settings Inheritance is Displayed on the User Interface....................... 120
3.6.2 Locking and Unlocking all Settings on a Page at Once................................121
3.6.3 Settings Inheritance in Tables ......................................................................122
Chapter 4 Setting up the Managed Network 123
4.1 Overview .................................................................................................................. 124
4.2 Logging in for the First Time .................................................................................... 124
4.2.1 Logging In.....................................................................................................125
4.3 Creating the Domain Structure................................................................................. 128
4.3.1 Adding Policy Domains and Subdomains.....................................................130
4.4 Adding Hosts............................................................................................................130
4.4.1 Windows Domains........................................................................................131
4.4.2 Autoregistered Hosts....................................................................................131
4.4.3 F-Secure Push Installations.......................................................................... 136
4.4.4 Policy-Based Installation ..............................................................................143
4.4.5 Local Installation and Updates with Pre-Configured Packages....................147
4.5 Local Installation ...................................................................................................... 152
4.5.1 Local Installation System Requirements ...................................................... 152
iv
4.5.2 Installation Instructions................................................................................. 154
4.6 Installing on an Infected Host................................................................................... 155
4.7 How to Check That the Management Connections Work ........................................ 156
Chapter 5 Configuring Virus and Spyware Protection 157
5.1 Overview: What can Virus and Spyware Protection be Used for? ........................... 158
5.2 Configuring Automatic Updates ...............................................................................159
5.2.1 How do Automatic Updates Work?............................................................... 160
5.2.2 Automatic Updates Configuration Settings...................................................160
5.2.3 Configuring Automatic Updates from Policy Manager Server ...................... 161
5.2.4 Configuring Policy Manager Proxy ............................................................... 162
5.2.5 Configuring Clients to Download Updates from Each Other ........................163
5.3 Configuring Real-Time Scanning .............................................................................164
5.3.1 Real-Time Scanning Configuration Settings.................................................164
5.3.2 Enabling Real-Time Scanning for the Whole Domain ..................................166
5.3.3 Forcing all Hosts to Use Real-Time Scanning.............................................. 167
5.3.4 Excluding Microsoft Outlooks's .pst File from Real-Time Scanning .............168
5.4 Configuring System Control .....................................................................................169
5.4.1 System Control Configuration Settings......................................................... 169
5.4.2 System Control Server Queries (DeepGuard 2.0)........................................ 170
5.5 Configuring Rootkit Scanning (Blacklight)................................................................ 170
5.5.1 Rootkit Scanning Configuration Settings......................................................171
5.5.2 Launching a Rootkit Scan for the Whole Domain.........................................171
5.6 Configuring E-mail Scanning.................................................................................... 172
5.6.1 E-mail Scanning Configuration Settings.......................................................172
5.6.2 Enabling E-mail Scanning for Incoming and Outgoing E-mails....................174
5.7 Configuring Web Traffic (HTTP) Scanning...............................................................176
5.7.1 HTTP Scanning Configuration Settings........................................................176
5.7.2 Enabling Web Traffic Scanning for the Whole Domain ................................177
5.7.3 Excluding a Web Site from HTTP Scanning.................................................177
5.8 Configuring Spyware Scanning................................................................................ 179
5.8.1 Spyware Control Settings............................................................................. 179
5.8.2 Setting up Spyware Control for the Whole Domain ...................................... 183
5.8.3 Launching Spyware Scanning in the Whole Domain....................................185
5.8.4 Allowing the Use of a Spyware or Riskware Component .............................186
v
5.9 Preventing Users from Changing Settings ............................................................... 187
5.9.1 Setting all Virus Protection Settings Final..................................................... 187
5.10 Configuring F-Secure Client Security Alert Sending ................................................ 188
5.10.1 Setting F-Secure Client Security to Send Virus Alerts to an E-mail Address188
5.10.2 Disabling F-Secure Client Security Alert Pop-ups ........................................190
5.11 Monitoring Viruses on the Network .......................................................................... 190
5.12 Testing your Antivirus Protection ............................................................................. 190
Chapter 6 Configuring Internet Shield 192
6.1 Overview: What can Internet Shield be Used for? ...................................................193
6.1.1 Global Firewall Security Levels .................................................................... 193
6.1.2 Security Level Design Principles .................................................................. 195
6.2 Configuring Internet Shield Security Levels and Rules ............................................196
6.2.1 Selecting an Active Security Level for a Workstation ...................................196
6.2.2 Configuring a Default Security Level for the Managed Hosts....................... 197
6.2.3 Adding a New Security Level for a Certain Domain Only ............................. 198
6.3 Configuring Network Quarantine.............................................................................. 201
6.3.1 Network Quarantine Settings........................................................................201
6.3.2 Enabling Network Quarantine in the Whole Domain .................................... 201
6.3.3 Fine-Tuning Network Quarantine ................................................................. 202
6.4 Configuring Internet Shield Rule Alerts ....................................................................203
6.4.1 Adding a New Internet Shield Rule with Alerting.......................................... 203
6.5 Configuring Application Control................................................................................ 207
6.5.1 Application Control Configuration Settings...................................................209
6.5.2 Setting up Application Control for the First Time .......................................... 210
6.5.3 Creating a Rule for an Unknown Application on Root Level......................... 212
6.5.4 Editing an Existing Application Control Rule ................................................ 213
6.5.5 Disabling Application Control Pop-ups ......................................................... 214
6.6 How to use Alerts for Checking that Internet Shield Works? ...................................215
6.7 Configuring the Intrusion Prevention........................................................................216
6.7.1 Intrusion Prevention Configuration Settings .................................................217
6.7.2 Configuring IPS for Desktops and Laptops .................................................. 218
Chapter 7 How to Check that the Environment is Protected 220
7.1 Overview .................................................................................................................. 221
vi
7.2 How to Check the Protection Status from Outbreak Tab ......................................... 221
7.3 How to Check that all the Hosts Have the Latest Policy ..........................................221
7.4 How to Check that the Server has the Latest Virus Definitions................................222
7.5 How to Check that the Hosts have the Latest Virus Definitions ...............................222
7.6 How to Check that there are no Disconnected Hosts ..............................................223
7.7 Viewing Scanning Reports .......................................................................................223
7.8 Viewing Alerts .......................................................................................................... 224
7.9 Creating a Weekly Infection Report ......................................................................... 225
7.10 Monitoring a Possible Network Attack...................................................................... 225
Chapter 8 Upgrading Software 227
8.1 Overview: Upgrading Software ................................................................................228
8.1.1 Using the Installation Editor.......................................................................... 228
Chapter 9 Local Host Operations 232
9.1 Overview .................................................................................................................. 233
9.2 Scanning File Viruses Manually ...............................................................................233
9.3 Viewing the Latest Scanning Report on a Local Host ..............................................234
9.4 Adding a Scheduled Scan from a Local Host........................................................... 234
9.5 Logging and Log File Locations on Local Hosts ......................................................235
9.5.1 The LogFile.log file ....................................................................................... 235
9.5.2 Packet Logging............................................................................................. 236
9.5.3 The Action.log file......................................................................................... 237
9.5.4 Other Log Files.............................................................................................239
9.6 Connecting to F-Secure Policy Manager and Importing a Policy File Manually.......239
9.7 Suspending Downloads and Updates ...................................................................... 240
9.8 Allowing Users to Unload F-Secure Products .......................................................... 240
Chapter 10 Virus Information 242
10.1 Malware Information and Tools on the F-Secure Web Pages ................................. 243
10.2 How to Send a Virus Sample to F-Secure ...............................................................244
10.2.1 How to Package a Virus Sample .................................................................. 244
10.2.2 What Should Be Sent ................................................................................... 244
vii
10.2.3 How to Send the Virus Sample.....................................................................247
10.2.4 In What Language ........................................................................................ 247
10.2.5 Response Times........................................................................................... 247
10.3 What to Do in Case of a Virus Outbreak? ................................................................248
Chapter 11 Setting Up the Cisco NAC Plugin 250
11.1 Introduction .............................................................................................................. 251
11.2 Installing the Cisco NAC Plugin ...............................................................................251
11.2.1 Importing Posture Validation Attribute Definitions ........................................252
11.3 Attributes to be Used for Application Posture Token ............................................... 252
Chapter 12 Advanced Features: Virus and Spyware Protection 254
12.1 Overview .................................................................................................................. 255
12.2 Configuring Scheduled Scanning.............................................................................255
12.3 Advanced System Control Settings.......................................................................... 257
12.3.1 Notify User on a Deny Event ........................................................................ 257
12.3.2 Let an Administrator Allow or Deny Events from Other Users Programs..... 258
12.3.3 Automatically Allow or Deny Events Requested by a Specific Application...258
12.4 Configuring Policy Manager Proxy........................................................................... 260
12.5 Configuring Automatic Updates on Hosts from Policy Manager Proxy .................... 260
12.6 Configuring a Host for SNMP Management.............................................................261
12.7 Excluding an Application from the Web Traffic Scanner .......................................... 262
Chapter 13 Advanced Features: Internet Shield 263
13.1 Overview .................................................................................................................. 264
13.2 Managing Internet Shield Properties Remotely........................................................264
13.2.1 Packet Logging.............................................................................................264
13.2.2 Trusted Interface .......................................................................................... 265
13.2.3 Packet Filtering............................................................................................. 266
13.3 Configuring Security Level Autoselection................................................................. 266
13.4 Troubleshooting Connection Problems .................................................................... 268
13.5 Adding New Services ...............................................................................................269
13.5.1 Creating a New Internet Service based on the Default HTTP ...................... 270
13.6 Setting up Dialup Control .........................................................................................278
viii
13.6.1 Allowing and Blocking Phone Numbers........................................................278
13.6.2 Call Logging.................................................................................................. 279
Appendix A Modifying PRODSETT.INI 281
A.1 Overview ................................................................................................................. 282
A.2 Configurable Prodsett.ini Settings............................................................................ 282
Appendix B E-mail Scanning Alert and Error Messages 294
B.1 Overview ................................................................................................................. 295
Appendix C Products Detected or Removed During Client Installation 299
C.1 Overview ................................................................................................................. 300
Glossary 306
Technical Support 320
Overview .......................................................................................................................... 321
Web Club ......................................................................................................................... 321
Advanced Technical Support ........................................................................................... 321
F-Secure Technical Product Training ...............................................................................322
ix

ABOUT THIS GUIDE

Overview..................................................................................... 11
Additional Documentation.......................................................... 13
10

Overview

11
This manual covers the configuration and operations that you can do with the F-Secure Policy Manager Anti-Virus Mode user interface and provides the information you need to get started with managing F-Secure Client Security applications centrally.
The F-Secure Client Security Administrator’s Guide is divided into the following chapters.
Chapter 1. Introduction. Describes the basic components of F-Secure
Client Security and the main features of F-Secure Policy Manager.
Chapter 2. Installing F-Secure Policy Manager. Instructions on how to
install F-Secure Policy Manager Server and Console.
Chapter 3. Introduction to F-Secure Policy Manager Anti-Virus Mode User Interface. Describes the F-Secure Policy Manager Anti-Virus Mode
user interface components.
Chapter 4. Setting up the Managed Network. Describes how to plan and
create the centrally managed network.
Chapter 5. Configuring Virus and Spyware Protection. Describes how to
configure Virus Definition Updates, Real-Time Scanning and E-Mail Scanning.
Chapter 6. Configuring Internet Shield. Describes how to configure the
security levels and rules, Application Control and Intrusion Prevention System (IPS).
Chapter 7. How to Check that the Environment is Protected. Provides a
checklist for monitoring the domain and for making sure that the network is protected.
Chapter 8. Upgrading Software. Contains instructions on how to upgrade
software with F-Secure Policy Manager.
Chapter 9. Local Host Operations. Provides information on
administration tasks, such as scheduling a scan locally and collecting information from local log files.
12
Chapter 10. Virus Information. Describes where you can get more
information about viruses and how you can send a virus sample to F-Secure.
Chapter 11. Setting Up the Cisco NAC Plugin. Describes how to install
and set up Cisco network Access Control (NAC) Support.
Chapter 12. Advanced Features: Virus and Spyware Protection. Covers
the advanced virus protection features, such as scheduled scanning, the use of Anti-Virus Proxy and using SNMP-based management.
Chapter 13. Advanced Features: Internet Shield. Covers the advanced
Internet Shield features, such as using port and IP checking with Application Control, adding new services and troubleshooting connection problems.
Appendix A. Modifying PRODSETT.INI. Contains information about
modifying PRODSETT.INI, a file that informs the Setup program which software modules to install on workstations.
Appendix B. E-mail Scanning Alert and Error Messages. Describes the
alert and error messages that E-mail Scanning can generate.
Appendix C. Products Detected or Removed During Client Installation.
Lists all the products that the user is prompted to uninstall or are uninstalled automatically during F-Secure Client Security installation.
Glossary — Explanation of terms
Technical Support — Web Club and contact information for assistance.
About F-Secure Corporation — Company background and products.

Additional Documentation

F-Secure Policy Manager Online Help
The F-Secure Policy Manager Online Help contains information on both the Anti-Virus Mode as well as the Advanced Mode user interfaces. The
online help is accessible from the Help menu by selecting Help Contents, or by pressing F1.
Information concerning the F-Secure Policy Manager Anti-Virus Mode user interface can be found under F-Secure Client Security Administration in the navigation tree.
Information concerning F-Secure Policy Manager Advanced Mode user interface and other advanced operations can be found under F-Secure Policy Manager in the navigation tree.
F-Secure Client Security Online Help
The F-Secure Client Security local user interface comes with a context-sensitive online help. The online help is accessible from the main user interface and from the advanced dialogs by either clicking the Help button or pressing F1.
The online help always opens to a page that holds information about your current location in the F-Secure Client Security user interface. In the left pane of the online help, you can browse through the help using the contents tree and access a full search function.
13
14
F-Secure Policy Manager Administrator’s Guide
For more information on administering other F-Secure software products with F-Secure Policy Manager, see F-Secure Policy Manager Administrator’s Guide. It contains information on the Advanced Mode user interface and instructions on how you can configure and manage other F-Secure products. It also includes information on F-Secure Management Agent, F-Secure Policy Manager Web Reporting.
F-Secure Policy Manager Proxy Administrator’s Guide
For more information on installing and maintaining F-Secure Policy Manager Proxies, see the F-Secure Policy Manager Proxy Administrator’s guide. It contains detailed instructions on how you can use F-Secure Policy Manager Proxies to more efficiently deliver product updates.

Conventions Used in F-Secure Guides

This section describes the symbols, fonts, and terminology used in this manual.

Symbols

WARNING: The warning symbol indicates a situation with a risk of irreversible destruction to data.
IMPORTANT: An exclamation mark provides important information that you need to consider.
REFERENCE - A book refers you to related information on the topic available in another document.
NOTE - A note provides additional information that you should consider.
l
15
Fonts
TIP - A tip provides information that can help you perform a task more quickly or easily.
An arrow indicates a one-step procedure.
Arial bold (blue) is used to refer to menu names and commands, to
buttons and other items in a dialog box.
Arial Italics (blue) is used to refer to other chapters in the manual, book
titles, and titles of other manuals.
Arial Italics (black) is used for file and folder names, for figure and table captions, and for directory tree names.
Courier New is used for messages on your computer screen.
16
Courier New bold is used for information that you must type.
SMALL CAPS (BLACK) is used for a key or key combination on your
keyboard.
PDF Document
For More Information
Arial underlined (blue)
Arial italics is used for window and dialog box names.
This manual is provided in PDF (Portable Document Format). The PDF document can be used for online viewing and printing using Adobe® Acrobat® Reader. When printing the manual, please print the entire manual, including the copyright and disclaimer statements.
Visit F-Secure at http://www.f-secure.com for documentation, training courses, downloads, and service and support contacts.
In our constant attempts to improve our documentation, we would welcome your feedback. If you have any questions, comments, or suggestions about this or any other F-Secure document, please contact us at documentation@f-secure.com
is used for user interface links.
.
1

INTRODUCTION

Overview..................................................................................... 18
F-Secure Client Security Components and Features................. 18
Introduction to F-Secure Policy Manager ................................... 23
Basic Terminology ...................................................................... 26
17
18

1.1 Overview

This section describes the main components of F-Secure Client Security and F-Secure Policy Manager and provides an introduction to policy based management.

1.2 F-Secure Client Security Components and Features

F-Secure Client Security is used for protecting the computer against viruses, worms, spyware, rootkits and other malware, and against unauthorized access from the network. F-Secure Client Security consists of Virus Protection, Internet Shield, and Application Management. When installing F-Secure Client Security, you can select which of these components are installed.

1.2.1 Virus and Spy Protection

Virus and Spy Protection includes several scanning methods: Real-Time Scanning, E-mail Scanning, Web Traffic Scanning, Rootkit Scanning, and Manual Scanning. It also includes System Control, Automatic Updates, the F-Secure Automatic Update Agent and the Virus News service.
Real-Time Scanning
The Real-Time Scanning feature gives you continuous protection against viruses and spyware as files are opened, copied, moved, renamed and downloaded from the Web.
Real-Time Scanning functions transparently in the background, looking for viruses whenever you access files on the hard disk, diskettes, or network drives. If you try to access an infected file, Real-Time Scanning will automatically stop the virus from executing. It will then either remove it from the file or display a warning, as specified in the security policy. For more information, see “Configuring Real-Time Scanning”, 164.
CHAPTER 1 19
E-mail Scanning
E-mail Scanning can be used for scanning both incoming and outgoing e-mail messages and attachments. It prevents viruses from getting inside the company network and it also prevents you from accidentally sending infected attachments outside. E-mail Scanning can be configured to drop infected attachments from incoming e-mails. When it has found an infection in an outgoing e-mail, it can block the outgoing e-mail traffic until the problem has been solved. For more information, see “Configuring
E-mail Scanning”, 172.
Web Traffic (HTTP) Scanning
Web Traffic Scanning protects computers against viruses in HTTP traffic. It scans HTML files, image files, downloaded applications and executable files, and removes viruses automatically. For more information, see “Configuring Web Traffic (HTTP) Scanning”, 176.
Rootkit Scanning
If you want to ensure there are no suspicious hidden files, hidden processes, hidden applications or hidden drives in your computer, you can scan the system manually for rootkits. For more information, see “Configuring Rootkit Scanning (Blacklight), 170.
Manual Scanning
You can use Manual Scanning, for example, after you have installed F-Secure Client Security, if you suspect that there might be a virus or spyware on the computer, or if a virus has been found in the local area network. You can select whether all files or only a certain types of files are scanned. You can also decide what action to take with an infected file, the Disinfection Wizard will guide you through the process. You can also use the Scheduled Scanning feature to scan your computer automatically and regularly, for example weekly or 1-2 times a month.
20
System Control
System Control is a new, host-based intrusion prevention system that analyzes the behavior of files and programs. It provides an extra-layer of protection by blocking undiscovered viruses, worms, and other malicious code that try to perform harmful actions on your computer. For more information, see “Configuring System Control, 169.
Automatic Updates
The Automatic Updates feature keeps the virus and spyware definitions always up-to-date. The virus definitions updates are signed by F-Secure Anti-Virus Research Team. The signature is based on strong encryption and the packet cannot be altered in transit.
In case of complex viruses the virus definitions updates include removal tools that are executable binaries. The integrity of the delivered executable code is very important, and F-Secure scanning engines check that all update code is signed by F-Secure Anti-Virus Research. If the integrity is compromised, the code will not be executed. For more information, see “Configuring Automatic Updates, 159.
F-Secure Automatic Update Agent
With F-Secure Automatic Update Agent, you are able to receive virus definition updates and informational content without interrupting your work to wait for files to download from the Web. F-Secure Automatic Update Agent downloads files automatically in the background using bandwidth not being used by other Internet applications, so you can always be sure they will have the latest updates without having to search the Web.
If the F-Secure Automatic Update Agent is always connected to the Internet, it will automatically receive new virus definition updates after they have been published by F-Secure.
When the F-Secure Automatic Update Agent service is started, it connects to F-Secure’s Automatic Update Server. The agent will keep polling the server regularly to see whether there is new content available. The agent downloads only the parts of virus definitions that have changed
since the last download. If the transfer is interrupted for some reason, the next session will start from the point where the previous session ended. For more information, see “Configuring Automatic Updates, 159.
Virus News
F-Secure Virus News delivers instant notifications of serious security events around the world. The F-Secure Virus News service is delivered through F-Secure Automatic Update Agent. See theF-Secure Client Security online help for more information.

1.2.2 Internet Shield

Internet Shield consists of Firewall, Application Control and Intrusion Prevention System (IPS). Together these components can be used to protect your computer against unauthorized connection attempts, insider attacks and information theft, malicious applications, and other unwanted applications, such as peer-to-peer software. Protecting the workstations and laptops with F-Secure Client Security Internet Shield also protects the entire LAN, because the individual computers cannot be used as a stepping stone to gain access to the LAN.
CHAPTER 1 21
Internet Shield offers several different security levels that can be used based on user needs, user mobility, company security policy and user experience.
Firewall
The Firewall component is an integral part of Internet Shield. When Internet Shield is installed on your computer, you have firewall protection even when you are not connected to the LAN, for example when you are at home connecting to the Internet via an Internet Service Provider (ISP).
Typically a firewall accepts or denies traffic based on local and remote addresses, protocols and services that are used, and the current state of the existing connections. It is also possible to issue an alert every time a rule is hit or when illegal datagrams are received, which makes it easy to see what kind of traffic is going on in your system. For more information, see “Configuring Internet Shield Security Levels and Rules, 196.
22
Application Control
Application Control can be used to prevent unauthorized applications from getting access to the network. In addition, application launch control and application manipulation control protect computers against malicious applications that try to launch or use other applications on the computer.
Application Control offers the administrator a possibility to control network usage and restrict the use of applications that are prohibited by company security policy. These mechanisms make it easy to prevent many of the attacks mentioned above, and also to enforce security policies. It is possible to configure different rules for different applications: applications that are considered safe can be granted free access, other applications can be either denied access, or the user is prompted to decide whether the application can initiate a connection. For more information, see “Configuring Application Control, 207.
Intrusion Prevention System
Intrusion Prevention System (IPS) can be used for detecting malicious patterns in network traffic. It can also be used to monitor viruses that try to attack computers in the LAN. It registers the systematic connection attempts made from the outside, which are often a sign of somebody trying to find open ports on the host. Intrusion Prevention System stops the malicious packets aimed at open ports in the host. For more information, see “Configuring the Intrusion Prevention, 216.

1.2.3 Application Management

SNMP Agent
The F-Secure SNMP Agent is a Windows NT SNMP extension agent, which is loaded and unloaded with the master agent. The F-Secure SNMP Agent offers a subset of Policy Manager functionality, and it is meant primarily for alert and statistics monitoring.
F-Secure Management Agent
The F-Secure Management Agent enforces the security policies set by the administrator on the managed hosts. It acts as a central configuration component on the hosts, and for example, interprets the policy files, sends autoregistration requests and host status information to F-Secure Policy Manager, and performs policy-based installations.
Cisco Network Admission Control (NAC) Support
F-Secure Corporation participates in the Network Admission Control (NAC) collaboration led by Cisco Systems®. The Cisco NAC can be used to restrict the network access of hosts that have too old virus definition databases, or the antivirus or firewall module disabled. For more information, see “Setting Up the Cisco NAC Plugin, 250.

1.3 Introduction to F-Secure Policy Manager

This section contains a brief introduction to F-Secure Policy Manager. For more information, see F-Secure Policy Manager Administrator’s Guide.
CHAPTER 1 23
F-Secure Policy Manager provides a scalable way to manage the security of numerous applications on multiple operating systems from one central location. It can be used to keep security software up-to-date, manage configurations, and scaled to handle even the largest, most mobile workforce.
F-Secure Policy Manager can be used for:
defining security policies distributing security policies installing application software to local and remote systems monitoring the activities of all systems in the enterprise to ensure
compliance with corporate policies and centralized control.
When the system has been set up, you can see status information from the entire managed domain in one single location. In this way it is very easy to make sure that the entire domain is protected, and to modify the
24
protection settings when necessary. You can also restrict the users from making changes to the security settings, and be sure that the protection is always up-to-date.

1.3.1 Main Components of F-Secure Policy Manager

The power of the F-Secure Policy Manager lays in the F-Secure management architecture, which provides high scalability for a distributed, mobile workforce.
F-Secure Policy Manager Console provides a centralized management
console for the security of the managed hosts in the network. It enables the administrator to organize the network into logical units for sharing policies. These policies are defined in F-Secure Policy Manager Console and then distributed to the workstations through the F-Secure Policy Manager Server. It can be used to remotely install F-Secure products on other workstations without the need for any intervention by the end user.
F-Secure Policy Manager Console includes two different user interfaces:
Anti-Virus Mode user interface that is optimized for managing
F-Secure Client Security and F-Secure Anti-Virus for Workstations. The Anti-Virus mode user interface is described in this manual.
Advanced Mode user interface that can be used for managing
other F-Secure products. The Advance Mode user interface is described in the Policy Manager Administrator’s Guide.
F-Secure Policy Manager Server is the repository for policies and
software packages distributed by the administrator, and status information and alerts sent by the managed hosts. Communication between F-Secure Policy Manager Server and the managed hosts is accomplished through the standard HTTP protocol, which ensures trouble-free performance on the LAN and WAN.
F-Secure Policy Manager Web Reporting is an enterprise-wide web
based graphical reporting system included in F-Secure Policy Manager Server. With F-Secure Policy Manager Web Reporting you can quickly
create graphical reports based on historical trend data, identify computers that are unprotected or vulnerable to virus outbreaks. For more information, see the F-Secure Policy Manager Administrator’s Guide.
F-Secure Policy Manager Update Server & Agent are used for
updating virus and spyware definitions on the managed hosts. F-Secure Automatic Update Agent updates and informational content without interrupting their work to wait
for files to download from the Web. It downloads files automatically in the background using bandwidth not being used by other Internet applications.
allows users to receive virus definition database

1.3.2 F-Secure Policy Manager Features

Software Distribution
Installation of F-Secure products on hosts from one central
location, and updating of executable files and data files, including virus definitions updates.
CHAPTER 1 25
Configuration and Policy Management
Centralized configuration of security policies. The policies are
distributed from F-Secure Policy Manager Server to the user’s workstation. Integrity of the policies is ensured through the use of digital signatures.
Event Management
Reporting to the Event Viewer (local and remote logs), SNMP
agent, e-mail, and report files and creation of event statistics.
Performance Management
Statistics and performance data handling and reporting.
26
Task Management
Management of virus scanning tasks and other operations.

1.4 Basic Terminology

Host
In this document it means a computer that is centrally managed with F-Secure Policy Manager.
Policy
A security policy is a set of well-defined rules that regulate how sensitive information and other resources are managed, protected, and distributed. The management architecture of F-Secure software uses policies that are centrally configured by the administrator for optimum control of security in a corporate environment.
The information flow between F-Secure Policy Manager Console and the hosts is accomplished by transferring policy files.
For more information on F-Secure Policy Manager Administrator’s Guide.
Policy domain
Policy domains are groups of hosts or subdomains that have a similar security policy.
Policy inheritance
Policy inheritance simplifies the defining of a common policy. In F-Secure Policy Manager Console, each policy domain automatically inherits the settings of its parent domain, allowing for easy and efficient management of large networks. The inherited settings may be overridden for individual hosts or domains. When a domain's inherited settings are changed, the changes are inherited by all of the domain’s hosts and subdomains.
CHAPTER 1 27
The policy can be further refined for subdomains or even individual hosts. The granularity of policy definitions can vary considerably among installations. Some administrators might want to define only a few different policies for large domains. Other administrators might attach policies directly to each host, achieving the finest granularity.
2
INSTALLING F-SECURE P
OLICY MANAGER
Overview..................................................................................... 29
System Requirements ................................................................ 30
Installation Steps ........................................................................ 33
Uninstalling F-Secure Policy Manager ....................................... 55
28

2.1 Overview

CHAPTER 2 29
This chapter contains
The system requirements for F-Secure Policy Manager Server
and F-Secure Policy Manager Console.
Instructions on how to install F-Secure Policy Manager Console
and Server on the same computer. The F-Secure Policy Manager Console and Server setup is run from the F-Secure CD.
For information on alternative installation scenarios as well as the server security issues, see chapters Installing F-Secure Policy Manager Console and Installing F-Secure Policy Manager Server in F-Secure Policy Manager Administrator’s Guide.
The F-Secure Policy Manager setup also installs F-Secure Policy Manager Web Reporting, a component that is used to create graphical reports in HTML format about the status of the managed domain. For more information about the Web Reporting component, see chapter ‘Web Reporting’ in F-Secure Policy Manager Administrator’s Guide.
30

2.2 System Requirements

2.2.1 F-Secure Policy Manager Server

In order to install F-Secure Policy Manager Server, your system must meet the following minimum requirements:
Operating system: Microsoft Windows:
Microsoft Windows 2000 Server (SP 4 or higher) Windows 2003 Server (32- and 64-bit) Windows 2008 Server (32- and 64-bit)
Linux:
Red Hat Enterprise Linux 3, 4 and 5 openSUSE Linux 10.3 SUSE Linux Enterprise Server 9 and 10 SUSE Linux Enterprise Desktop 10 Debian GNU Linux Etch 4.0 Ubuntu 8.04 Hardy
Processor: Intel Pentium III 450 MHz processor or faster.
Managing more than 5000 hosts or using Web Reporting requires Intel Pentium III 1 GHz level processor or faster.
CHAPTER 2 31
Memory: 256 MB RAM
When Web Reporting is enabled, 512 MB RAM.
Disk space: Disk space: 200 MB of free hard disk space;
500 MB or more is recommended. The disk space requirements depend on the size of the installation.
In addition to this it is recommended to allocate about 1 MB per host for alerts and policies. The actual disk space consumption per host is hard to anticipate, since it depends on how the policies are used and how many installation packages are stored.
Network: 10 Mbit network. Managing more than 5000
hosts requires a 100 Mbit network.
32

2.2.2 F-Secure Policy Manager Console

In order to install F-Secure Policy Manager Console, your system must meet the following minimum requirements:
Operating system: Microsoft Windows:
Microsoft Windows 2000 Professional (SP4 or higher)
Windows XP Professional (SP2 or higher) Windows Vista (32- and 64-bit) Windows 2000 Server SP4 Windows 2003 Server (32- and 64-bit). Windows 2008 Server (32- and 64-bit).
Linux:
Red Hat Enterprise Linux 3, 4 and 5 openSUSE Linux 10.3 SUSE Linux Enterprise Server 9 and 10 SUSE Linux Enterprise Desktop 10 Debian GNU Linux Etch 4.0 Ubuntu 8.04 Hardy
Processor: Intel Pentium III 450 MHz processor or faster.
Managing more than 5000 hosts requires Pentium III 750 MHz processor or faster.
Memory: 256 MB of RAM. Managing more than 5000
hosts requires 512 MB of memory.
Disk space: 100 MB of free hard disk space.
Display: Minimum 256-color display with resolution of
Network: Ethernet network interface or equivalent.

2.3 Installation Steps

Step 1. 1. Insert the F-Secure CD in your CD-ROM drive.
2. Select Corporate Use. Click Next to continue.
3. Select F-Secure Policy Manager from the Install or Update Management Software menu.
CHAPTER 2 33
1024x768 (32-bit color with 1280x960 or higher resolution recommended).
10 Mbit network between console and server is recommended. Managing more than 5000 hosts requires 100Mbit connection between console and server.
Step 2. View the Welcome screen, and follow the setup instructions. Then select
the installation language from the drop-down menu. Click Next to continue.
34
CHAPTER 2 35
Step 3. Read the license agreement information. If you agree, select I accept this
agreement. Click Next to continue.
36
Step 4. Select the following components to be installed:
F-Secure Policy Manager Console F-Secure Policy Manager Server F-Secure Policy Manager Update Server & Agent F-Secure Installation Packages
Click Next to continue.
Step 5. Choose the destination folder.
It is recommended to use the default installation directory. Use the
Browse feature to install F-Secure Policy Manager in a different directory.
Click Next to continue.
CHAPTER 2 37
38
Step 6. Setup requests confirmation if a previous installation of F-Secure Policy
Manager exists.
This dialog is displayed only if the setup did not detect a previous F-Secure Policy Manager Server installation on the computer.
1. If Yes
2. If No
Click Next to continue.
, select I have existing F-Secure Policy Manager installation. Enter the communication directory path of the installed F-Secure Policy Manager. The contents of this directory will be copied under
<server installation directory>\ Communication Directory (commdir\ directory under F-Secure Policy Manager Server installation directory), and this will be the directory that F-Secure Policy Manager
Server will use as a repository. You can use the previous commdir as a backup, or you can delete it once you have verified that F-Secure Policy Manager Server is correctly installed.
, select I do not have existing F-Secure Policy Manager.
This will not require a pre-existing commdir, and will create an empty commdir in the default location (under <F-Secure Policy Manager 5 installation directory>\commdir).
CHAPTER 2 39
Step 7. Select whether you want to keep the existing settings or change them.
This dialog is displayed only if a previous installation of F-Secure Policy Manager Server was detected on the computer.
By default the setup keeps the existing settings. Select this option
if you have manually updated the F-Secure Policy Manager Server configuration file (HTTPD.conf). This option automatically keeps the existing administration, host and web reporting ports.
If you want to change the ports from the previous installation,
select the Change settings option. This option overwrites the HTTPD.conf file, and restores the settings to defaults.
Click Next to continue.
40
Step 8. Select the F-Secure Policy Manager Server modules to enable:
Host module is used for communication with the hosts. The
default port is 80.
Administration module is used for communication with F-Secure
Policy Manager Console. The default HTTP port is 8080.
If you want to change the default port for communication, you will also need to change the HTTP Port Number setting in F-Secure Policy Manager Console.
By default the access to the Administration module is restricted to the local machine. This is the most secure way to use the product.
When using a connection over a network, please consider securing the communication with F-Secure SSH.
For environments requiring maximum security, see section
Installing F-Secure Policy Manager in High Security Environments in F-Secure Policy Manager Administrator’s Guide.
Web Reporting module is used for communication with F-Secure
Policy Manager Web Reporting. Select whether it should be enabled. Web Reporting uses a local socket connection to the Admin module to fetch server data. The default port is 8081.
By default access to Web Reports is allowed also from other computers. If you want to allow access only from this computer, select Restrict access to the local machine.
Click Next to continue.
CHAPTER 2 41
42
Step 9. Specify F-Secure Policy Manager Server address, and Administration
port number. Click Next to continue.
Depending on the installation method, this window is not always displayed
CHAPTER 2 43
Step 10. Select to add product installation package(s) from the list of available
packages (if you selected F-Secure Installation Packages in Step 4. , 36). Click Next.
44
Step 11. Review the changes that setup is about to make. Click Start to start the
installation.
CHAPTER 2 45
Step 12. When the setup is completed, the setup shows whether all components
were installed successfully.
46
Step 13. Click Finish to complete the F-Secure Policy Manager Server installation.
After this you should run the F-Secure Policy Manager Console for the fist time.
CHAPTER 2 47
Step 14. It is important to run F-Secure Policy Manager Console after the setup,
because some connection properties will be collected during the initial console startup.
You can find the shortcut from Start
Manager Console
Policy Manager Console is run for the first time, the Console Setup Wizard collects the information needed to create an initial connection to the server.
The first page of F-Secure Policy Manager Console setup wizard summarizes the installation process. Click Next to continue.
ÆF-Secure Policy Manager Console. When F-Secure
ÆProgramsÆF-Secure Policy
48
Step 15. Select your user mode according to your needs:
Administrator mode - enables all administrator features. Read-Only mode - allows you to view administrator data, but no
changes can be made. If you select Read-only mode, you will not be able to administer hosts. To change to Administrator mode, you will need the admin.pub and admin.prv administration keys. If they do not exist yet, they will be created later on in the setup process.
Click Next to continue.
CHAPTER 2 49
Step 16. Enter the address of the F-Secure Policy Manager Server that is used for
communicating with the managed hosts.
50
Step 17. Enter the path where the administrator’s public key and private key files
will be stored. By default, key files are stored in the F-Secure Policy Manager Console installation directory:
Program Files\F-Secure\Administrator.
Click Next to continue.
If the key-pair does not exist already, it will be created later in the setup process.
CHAPTER 2 51
Step 18. Move your mouse cursor around in the window to initialize the random
seed used by the management key-pair generator. Using the path of the mouse movement ensures that the seed number for the key-pair generation algorithm has enough randomness. When the progress indicator has reached 100%, the Passphrase dialog box will open automatically.
52
Step 19. Enter a passphrase, which will secure your private management key.
Re-enter your passphrase in the Confirm Passphrase field. Click Next.
Step 20. Click Finish to complete the setup process.
CHAPTER 2 53
F-Secure Policy Manager Console will generate the management key-pair.
For information on backing up the admin.pub key, see chapter Maintaining F-Secure Policy Manager Server in F-Secure Policy Manager Administrator’s Guide.
Step 21. The setup wizard creates the user group FSPM users. The user who was
logged in and ran the installer is automatically added to this group. To allow another user to run F-Secure Policy Manager you must manually add this user to the user group FSPM users.
54
Step 22. After the key-pair is generated, F-Secure Policy Manager Console will
start.
From here, it is possible to continue by creating policy domains and installing hosts. For more information, see “Creating the Domain
Structure”, 128 and “Adding Hosts”, 130.
If you decide to exit from F-Secure Policy Manager Console, and want to login again later, see “Logging in for the First Time, 124.
If you want to familiarize yourself with the F-Secure Policy Manager Console user interface, see “Introduction to F-Secure Policy Manager
Anti-Virus Mode User Interface”, 56.
Changing the Web Browser Path
The F-Secure Policy Manager Console acquires the file path to the default Web browser during setup. If you want to change the Web browser path, open the Too ls menu, and select Preferences.
Select the Locations tab and enter the new file path.

2.4 Uninstalling F-Secure Policy Manager

To uninstall F-Secure Policy Manager Console and Server (or other F-Secure Policy Manager components), follow these steps:
1. Open the Windows Start menu and go to Control Panel. Select Add/
Remove Programs.
2. Select the component you want to uninstall (F-Secure Policy
Manager Console or Server), and click the Add/Remove button.
3. The F-Secure Uninstall dialog box appears. Click Start to begin
uninstallation.
4. When the uninstallation is complete, click Close.
5. Repeat steps 2-4, if you want to uninstall other F-Secure Policy
Manager components.
6. When you have uninstalled the components, exit Add/Remove
Programs.
7. It is recommended to reboot your computer after the uninstallation.
Rebooting is necessary to clean up the files remaining on your computer after the uninstallation, and before the subsequent installations of the same F-Secure products.
CHAPTER 2 55
INTRODUCTION TO
3
F-S M M
Overview..................................................................................... 57
Policy Domains Tab .................................................................... 58
Management Tabs ...................................................................... 58
Toolbar...................................................................................... 114
Menu Commands ..................................................................... 115
Settings Inheritance.................................................................. 118
ECURE POLICY ANAGER ANTI-VIRUS ODE USER INTERFACE
56

3.1 Overview

CHAPTER 3 57
This section introduces the F-Secure Policy Manager Anti-Virus Mode user interface. It also describes some generic features and visual elements used throughout the user interface to indicate how the settings inheritance works.
F-Secure Policy Manager also includes another user interface, the Advanced Mode user interface. It is used to manage products other than F-Secure Client Security and F-Secure Anti-Virus for Workstations and Servers. It is also used when you need to change F-Secure Client Security advanced settings. You can switch between the modes by selecting Advanced Mode or Anti-Virus Mode in the View menu. For more information on the Advanced Mode user interface, see F-Secure Policy Manager Administrator’s Guide.
The main components of the F-Secure Policy Manager Anti-Virus Mode user interface are:
Policy Domains tab that displays the structure of the managed
policy domains
The management tabs: Summary, Outbreak, Settings, Status,
Alerts, Reports, Installation and Operations that can be used for
configuring and monitoring F-Secure Client Security installed on hosts as well as for carrying out operations.
Message View at the bottom of the window that displays
informative messages from the Policy Manager, for example, when the virus definitions on the server have been updated.
58

3.2 Policy Domains Tab

In the Policy Domains tab, you can do the following:
Add a new policy domain by clicking the icon, which is
located on the toolbar. A new policy domain can be created only when a parent domain is selected.
Add a new host by clicking the icon. Find a host. View the properties of a domain or host. All hosts and domains
should be given unambiguous names.
Import autoregistered hosts. Autodiscover hosts from a Windows domain. Delete hosts or domains. Move hosts or domains, using cut and paste operations. Export a policy file.
After selecting a domain or host, you can access the above options from the Edit menu or by right-clicking the selected host or domain. The Autodiscover and Import autoregistered hosts operations are also available on the Installation tab.
The domains referred to in the commands are not Windows NT or DNS domains. Policy domains are groups of hosts or subdomains that have a similar security policy.

3.3 Management Tabs

This section describes the management tabs (Summary, Outbreak, Settings, Status, Alerts, Reports, Installation and Operations), and the different pages on each of these tabs.

3.3.1 Summary Tab

CHAPTER 3 59
Figure 3-1 Summary Tab
The Summary tab is designed to display the most important information concerning the selected domain(s) or host(s) at a glance. When a domain is selected, the Summary tab displays information about the whole domain. When a single host is selected, you can see more detailed information concerning the host.
60
If some of the settings displayed on the Summary tab require your immediate attention or action, an icon is displayed beside the setting. The icons can be interpreted as follows:
Warns of an error situation that requires your action. The error cannot be fixed automatically. The icon is displayed, for example, when the latest policies have not been distributed, or when virus definitions on hosts are outdated
Warns of a situation that may require your action. This does not create security problems yet, but it may lead to a security problem later on if the problem is not fixed now. The icon is displayed, for example, when there are disconnected hosts.
For more information on how the Summary tab can be used for checking quickly that the domain is protected, see “How to Check that the
Environment is Protected”, 220.
The information displayed on the Summary tab depends on what is selected in the Policy Domains tab:
When a domain is selected, the Summary tab displays
information divided into the following sections: Policy Manager, Domain, Virus Protection for Workstations, and Internet Shield.
When a host is selected, the sections are: Policy Manager, Host,
Virus Protection and Internet Shield.
These sections are described in detail below.
Summary Tab When a Domain is Selected
When a domain is selected in the Policy Domains tab, the following information is displayed on the Summary tab:
CHAPTER 3 61
Policy Manager
Figure 3-2 Policy Manager related information on Summary Tab
In the Policy Manager section you can:
See the current Policy distribution status (saved/unsaved,
distributed/undistributed), and when necessary, save the policy
data and distribute the new policies to hosts.
See the status of the virus definitions on the server. See the status of the spyware definitions on the server. See the status of System Control updates on the server. See the number of new autoregistered hosts. If there are new
hosts, you can add them to the domain by clicking Add these
hosts to a domain....
Autodiscover hosts from a Windows domain by clicking
Autodiscover Windows hosts...
.
62
Domain
Figure 3-3 Domain related information on Summary Tab
In the Domain section you can:
See the number hosts that have the latest policy and access a
summary of their latest policy update by clicking View hosts’s
latest policy update.... This takes you to the Status tab and
Centralized Management page.
See the number of disconnected hosts. You can also access a
detailed list displaying the hosts’ connection status by clicking
View disconnected hosts...
Centralized Management page.
See a summary of new alerts. If you want to get more detailed
information on the alerts, you can click on View alerts by
severity... link to access the Alerts tab.
, which takes you to the Status tab and
The severity of the alerts is indicated by the following icons:
Info. Normal operating information from a host.
Warning. A warning from the host.
Error. Recoverable error on the host.
Fatal error. Unrecoverable error on the host.
CHAPTER 3 63
Security alert.
Security hazard on the host.
Virus Protection for Workstations
Figure 3-4 Virus Protection related information on Summary tab
In the Virus Protection for Workstations section you can:
See how many hosts in the domain have Virus Protection
installed.
See how many hosts in the domain have Real-Time Scanning
enabled. If you want to see which hosts have it enabled and which do not, click View hosts’ overall protection... more detailed information on the Status tab and Overall Protection page.
See how many infections have been found in the domain. If you
want to see host specific infection information, click View hosts’
infection status... to access the Status tab and Overall Protection
page.
See how many of the hosts have the latest virus definitions and
whether the virus definitions on some hosts are recent or outdated.
to access
Recent means that the virus definitions are not the latest
ones.
Outdated means that the virus definitions are older than the
configured time limit.
If you have F-Secure Anti-Virus 5.40 installed on some hosts, the virus definitions version on these hosts is displayed as ‘unknown’.
64
If you need to update the virus definitions on some hosts, click
Update virus definitions...
that takes you to the Operations tab.
Internet Shield
Figure 3-5 Internet Shield related information on Summary tab
In the Internet Shield section you can:
See how many hosts in the domain have Internet Shield installed. See what is the most common latest attack and how many
percents of the domain has been affected. If you want to get more detailed information on the latest attacks, you can click View
Internet Shield Status... to access the Status tab and Internet
Shield page.
Summary Tab When a Host is Selected
When a host is selected in the Policy Domains tab, the Summary tab displays more detailed information in the Host section:
Host
Figure 3-6 Host related data on Summary tab
CHAPTER 3 65
In the Host section you can:
See the name of the selected host displayed beside Computer
identity. You can also access more detailed information on the
host by clicking View host properties...
. This takes you to the
Status tab and Host Properties page.
See what is the active protocol (HTTP or File Sharing), the
address of the Policy Manager Server the host is connected to and the date and time of the last connection.
See whether the policy file the host is using is the latest or not the
latest one.
See whether the host is disconnected or not. See a summary of new alerts. If you want to get more detailed
information on the alerts, click on View alerts by severity...
to
access the Alerts tab.
Virus Protection for Workstations
In addition to the information described in “Virus Protection for
Workstations, 63, the Virus Protection for Workstations section also
displays the virus definitions version number.
Internet Shield
In addition to the information described in “Internet Shield, 64, the Internet Shield section also displays the currently selected Internet Shield security level at host.
66

3.3.2 Outbreak Tab

Figure 3-7 Outbreak Tab
The Security News section shows security news from F-Secure. Security news are usually news about new virus outbreaks, and they state the virus definitions version required on the hosts to protect against this new virus outbreak. They can also be more generic news about security threats.
CHAPTER 3 67
The Security News section shows you how many of your hosts are protected, and whether protection is available on the Policy Manager Server. If protection is not currently available, the Policy Manager Server will automatically download it from F-Secure when it is available.
The security news show the alert level of the security threat:
Level Description
1 Highest level alert. Worldwide epidemic of a
serious new virus.
2 New virus causing large infections. Might be
local to a specific region.
3 New virus technique or platform found. Not
necessarily in the wild
[no number] There is no current alert for this virus.
In the Security News Details section you can see the details about the selected virus news. You can obtain even more details with your web browser by clicking the provided link.
68
The table in the Security News Details section lists all the hosts in the currently selected domain. For each host the following information is provided:
The Protected column shows if the host is protected against the
virus referred to by the currently selected virus news.
The Disconnected column shows whether the host is currently
connected or disconnected.
The Virus Definitions Version, Virus Definitions Updated, and
Latest Connection to Server show more information related to the
automatic updates.
Update delta is the time between the last virus definitions update
on the host and the last time the host has sent statistics to F-Secure Policy Manager.
Note that some columns may be hidden. To show hidden columns right-click on a column heading.
If a host is disconnected, it means it is probably turned off. If such hosts are displayed as unprotected, you can most likely ignore them since they will automatically update the virus and spyware definitions once they are turned on.
Update delta tells you how well the host's automatic updates were functioning when the host sent statistics to the F-Secure Policy Manager Server last time. If you have a host that is displayed as unprotected, but has a small value in the update delta column, the host is most likely ok and can be ignored.

3.3.3 Settings Tab

The Settings tab contains 12 different pages that are used for configuring the components of F-Secure Client Security. They are described briefly below. You can find more details about the values you can select on each page as well as practical configuration examples in “Configuring Virus
and Spyware Protection”, 157 and “Configuring Internet Shield”, 192.
CHAPTER 3 69
For more information on the lock symbols and other items displayed on all Settings pages, see “Settings Inheritance, 118.
Context Menu on Settings Pages
By right-clicking any setting on a Settings tab page you can access a context menu that contains the following options:
Clear This option clears a setting that has been
redefined on the current level.
Force Value The Force Value menu item is available only
when a Policy Domain is selected. You can enforce the current domain setting to also be active in all subdomains and hosts. In practice, this operation clears the corresponding setting in all subdomains and hosts below the current domain, enabling the inheritance of the current value to all subdomains and hosts. Use this menu entry cautiously: all values defined in the subdomain or hosts under the selected domain are discarded, and cannot be restored.
70
Show Domain Values
Locate in Advanced Mode
The Show Domain Values menu item is available only when a Policy Domain is selected. You can view a list of all policy domains and hosts below the selected policy domain, together with the value of the selected field.
Click any domain or host name to quickly select the domain or host on the Policy Domains tab. It is possible to open more than one Domain Value dialog simultaneously.
This option is for advanced users. It takes you to the Advanced Mode user interface and selects the setting there.
Automatic Updates
CHAPTER 3 71
Figure 3-8 Settings > Automatic Updates Tab
Automatic Updates
In the Automatic Updates section you can:
Enable or disable automatic updates. Note that deselecting this
setting disables all ways for the host to get automatic updates.
Specify the time interval for polling updates from F-Secure Policy
Manager Server.
72
See a list of Policy Manager Proxy Servers. You can also add
new servers on the list, delete servers from the list and edit their addresses and priorities.
Select whether an HTTP Proxy can be used and specify the
HTTP Proxy address.
Select whether clients should download updates from each other
in addition to any servers or proxies.
Neighborcast
Neighborcast allows clients to download updates from each other as well as from any available servers or proxies. In this section you can:
Set a client to serve updates to other clients. Set a client to download updates from other clients serving
updates.
Choose the port to use.
Security News
In the Security News section you can select if the client should security news items or not.
For configuration examples and more information, see “Configuring
Automatic Updates”, 159.
Real-Time Scanning
CHAPTER 3 73
Figure 3-9 Settings > Real-Time Scanning page
74
General
In the General section you can Enable or disable real-time scanning.
File Scanning
In the Files to Scan section you can:
Select which files will be scanned and define the included
extensions.
Select whether real-time scanning is executed also inside
compressed files.
Select whether certain extensions will be excluded from the scan
and define what they are.
Select whether the users can exclude objects from real-time
scanning.
Select whether network drives are included in real-time scanning. Select whether files are scanned when they are created or
modified.
Define what is the action to take when an infected file is found.
For configuration examples, explanation of the Action on infection options and more information, see “Configuring Real-Time Scanning, 164
Spyware Scanning on File Access
In the Spyware Scanning on File Access section you can:
Enable or disable real-time scanning for spyware. Select what is the action to take when spyware is found. Deny or allow access to spyware. Select whether alerts of detected spyware are shown to users. Access other spyware scanning options by clicking the
Configure other spyware options in advanced mode
For configuration examples, explanation of the Action on spyware options and more information, see “Configuring Spyware Scanning”, 179.
link.
CHAPTER 3 75
System Control
In the System Control section you can:
Enable or disable System Control. Select what is the action to take when a system modification
attempt is detected.
Select whether ActiveX is prevented from running on the
managed hosts.
Select whether to query a remote server to improve detection
accuracy.
For configuration example, explanation of the Action on system
modification attempt options and more information, see “Configuring
System Control”, 169.
Boot Sector Scanning
In the Boot Sector Scanning section you can:
Enable or disable real-time scanning for floppy disk boot sectors. Select whether boot sectors are scanned at startup. Select what is the action to take when an infection is found.
From the Action on infection drop-down list, you can select the action F-Secure Client Security will take when an infected boot sector is detected.
Choose one of the following actions:
Action Definition
Ask after scan Starts the F-Secure Disinfection Wizard when an
infected floppy disk boot sector is detected.
Disinfect automatically
Disinfects the boot sector automatically when a virus is detected.
Report only Indicates that a virus is found, and does not let
you access the infected object. This option only reports, it does not take any action against the virus.
76
Manual Scanning
Figure 3-10 Settings > Manual Scanning
CHAPTER 3 77
Manual File Scanning
In the Manual File Scanning section the following options are available for selecting what to scan:
All files
All files will be scanned, regardless of their file extension. Forcing this option is not recommended because it might slow down system performance considerably.
Files with These Extensions:
Files with specified extensions will be scanned. To specify files that have no extension, type ‘.’ You can use the wildcard ‘?’ to represent any letter. Enter each file extension separated by a space.
Scan inside compressed files
Select this check box to scan inside compressed ZIP, ARJ, LZH, RAR, CAB, TAR, BZ2, GZ, JAR and TGZ files. Scanning inside large compressed files might use a lot of system resources and slow down the system.
Enable excluded extensions
You can specify whether some files will not be scanned, and enter the extensions that will be excluded from scanning in the
Excluded extensions field. (See also “File Extension Handling”,
166.)
Enable excluded objects
When Enable excluded objects is selected, the users can specify individual files or folders that will not be scanned.
From the Action on infection drop-down list, you can select the action F-Secure Client Security will take when an infected file is detected.
78
Choose one of the following actions:
Action Definition
Ask after scan Starts the F-Secure Disinfection Wizard when an
infected file is detected.
Disinfect automatically
Rename automatically
Disinfects the file automatically when a virus is detected.
Renames the file automatically when a virus is detected
Delete automatically Deletes the file automatically when a virus is
detected. Note that this option also deletes the object the virus is attached to, so this option is not recommended.
Report only Indicates that a virus is found, and does not let
you open the infected object. This option only reports, it does not take any action against the virus.
Manual Spyware Scanning
In the Manual Spyware Scanning section you can:
Enable or disable manual scanning for spyware during virus
scanning.
Select what is the action to take when spyware is found.
Access manual spyware scanning targets settings by clicking the
Configure manual spyware scanning targets in advanced mode link.
For configuration examples, explanation of the Action on spyware options and more information, see “Configuring Spyware Scanning”, 179.
CHAPTER 3 79
Rootkit Scanning
In the Rootkit Scanning section you can:
Enable or disable rootkit scanning. Include or exclude rootkit scanning from full computer check. Specify whether detected suspicious items are shown in the
disinfection wizard and in the scanning report after a full computer check.
For configuration examples and more information, see “Configuring
Rootkit Scanning (Blacklight)”, 170.
Scheduled Scanning
The Configure scheduled scanning in advanced mode link takes you to the F-Secure Policy Manager Console Advanced Mode user interface, where scheduled scanning can be configured. For more information, see “Configuring Scheduled Scanning, 255.
Manual Boot Sector Scanning
In the Manual Boot Sector Scanning section you can:
Enable or disable manual scanning for floppy disk boot sectors Select what is the action to take when an infection is found.
80
Spyware Control
Figure 3-11 Settings > Spyware Control
CHAPTER 3 81
Spyware Scanning on File Access
This section contains the same spyware scanning settings as the
Spyware Scanning on File Access section on the Settings > Real-Time Scanning page. For more information, see “Spyware Scanning on File
Access”, 74.
Manual Spyware Scanning
This section contains the same spyware scanning settings as the Manual Spyware Scanning section on the Settings > Manual Scanning page. For more information, see “Manual Spyware Scanning, 78.
Applications Excluded from Spyware Scanning
The Applications Excluded from Spyware Scanning table displays a list of spyware and riskware that the administrators have allowed to run on the hosts.
Spyware and Riskware Reported by Hosts
The Spyware and Riskware Reported by Hosts table displays spyware and riskware that the hosts have reported, and spyware and riskware that are quarantined at the host(s). The table displays the type and the severity (the TAC score, see Glossary) for each detected spyware and riskware application. All spyware and riskware with status Potentially active were allowed to run on the host by the administrator.
The Change spyware scanning to automatically quarantine all new
spyware setting is changes real-time and manual spyware scanning
settings so that all spyware that is not explicitly allowed by the administrator is prevented from running.
For more information about spyware scanning and for configuration examples, see “Configuring Spyware Scanning, 179.
82
E-mail Scanning
Figure 3-12 Settings > E-mail Scanning page
This page includes separate settings for incoming and outgoing E-mail Scanning. The settings in the General section are common for both.
CHAPTER 3 83
Incoming E-mail Scanning
In the Incoming E-mail Scanning section you can:
Enable incoming e-mail scanning. Select the action to take on incoming infected attachment. Select the action to take on scanning failure. Select the action to take on malformed message parts.
Outgoing E-mail Scanning
In the Outgoing E-mail Scanning section you can:
Enable outgoing e-mail scanning. Select the action to take on outgoing infected attachment. Select the action to take on scanning failure. Select the action to take on malformed message parts. Select to save the blocked messages in the end user’s outbox.
General
In the General section you can:
Select whether all or just some attachments are scanned. You
can also add new extensions in the Included extensions list.
Select whether e-mail scanning also scans compressed
attachments.
Select whether certain extensions will be excluded from the scan
and define what they are.
Select whether scanning progress is shown and define the time
after which it is shown.
Select whether scanning report is shown if infected e-mails are
found or if scanning fails.
For configuration examples and more information, see “Configuring
E-mail Scanning”, 172.
84
Web Traffic Scanning
Figure 3-13 Settings > Web Traffic Scanning
General
In the General section you can enable or disable HTTP scanning.
HTTP Scanning
Select the action to take on infection. Select the action to take on scanning failure. Select whether compressed files are included in scanning.
CHAPTER 3 85
Trusted HTTP Sites
The Trusted HTTP Sites table displays a list of HTTP sites from which are defined as trusted. Downloads from these sited are not scanned for viruses.
For more information on Web Traffic Scanning and for practical configuration examples, see “Configuring Web Traffic (HTTP) Scanning”,
176.
86
Firewall Security Levels
Figure 3-14 Settings > Firewall Security Levels
CHAPTER 3 87
General
In the General section you can:
Select the Internet Shield security level at host. For more
information, see “Global Firewall Security Levels, 193
Configure security level autoselection by clicking Configure
security level autoselection in advanced mode.... This takes you
to the Advanced Mode user interface. For more information, see “Configuring Security Level Autoselection, 266
Enable the firewall rules of the current security level to be applied
to inbound and outbound packets by selecting Enable firewall engine. For more information, see “Configuring Internet Shield
Security Levels and Rules”, 196
Enable the use of trusted interface. For more information, see
Trusted Interface”, 265.
Enable application control. For more information, see
Configuring Application Control, 207.
Network Quarantine
In the Network Quarantine section you can
Enable network quarantine. Specify the virus definitions age after which Network Quarantine
is activated.
Specify whether disabling Real-time Scanning on the host
activates network Quarantine.
For more information and a configuration example, see “Configuring
Network Quarantine”, 201.
88
Intrusion Prevention
In the Intrusion Prevention section you can:
Enable and disable intrusion prevention. Select the action on malicious packet. The options available are: Log and drop and Log without dropping. Define the centralized alert severity. Define the alert and performance level.
For configuration examples and more information, see “Configuring the
Intrusion Prevention”, 216.
Firewall Security Levels Table (Global)
The Firewall Security Levels Table displays the security levels that are available globally in the system. The security levels table is the same for all policy domains, but enabling and disabling individual security levels can be done per policy domain.
For more information, see “Global Firewall Security Levels, 193
Firewall Rules
CHAPTER 3 89
Figure 3-15 Settings > Firewall Rules
90
Firewall Rules Table
The Firewall Rules page contains the Firewall Rules Table, that lists the rules defined for different security levels. You can select the Internet Shield Security level from the Internet Shield security level being edited drop-down menu. When the selected security level is changed, the rules associated with the new security level are displayed in the table.
When the F-Secure Internet Shield Firewall is in use, the firewall rules are checked in the order in which they are displayed in the table, from top to bottom. For the security levels with filtering mode ‘normal’ (see the Firewall Security Levels page on Settings tab), it is possible to define domain or host specific rules. When Allow users to define new rules is selected, the end users are also allowed to define new rules for that security level. The table also displays the location for these rules.
The Firewall Rules table displays the following information for each rule:
Whether the rule is enabled or disabled The name and comment for the rule The type of rule (allow/deny) The related service and direction: <= for an inbound service, =>
for an outbound service and <=> for a bidirectional service.
The affected remote hosts Whether alert sending is enabled Whether the rule is applied only when a dialup link is used.
When Allow users to define new rules is selected, the users can create new rules.
To move where the users new rule are in the table for predefined security levels click Specify a new location
. You can now use the Move Up and
Move Down buttons to move where the users rules are in the table.
In addition, application control on the host will automatically create rules for applications that have been allowed. The rules are placed just before the first ‘Deny rest’ rule in the rules table, which is the first deny rule with service ‘All traffic’ and remote host ‘Any’. The rules allow incoming packets to server applications, and stateful firewall then allows outgoing
CHAPTER 3 91
reply packets from the server applications. Outgoing packets from ordinary applications need to be allowed by the rules in the firewall rules table.
For more information on how to create and modify firewall rules, see “Configuring Internet Shield Security Levels and Rules, 196 and “Configuring Internet Shield Rule Alerts, 203.
92
Firewall Services
Figure 3-16 Settings > Firewall Services
Service, short for Network Service, means a service that is available on the network, e.g. file sharing, remote console access, or web browsing. It is most often described by what protocol and port it uses.
CHAPTER 3 93
Firewall Services Table (Global)
The Firewall Services Table displays a list of services that have been defined for the firewall. It is also possible to create or allow the end users to create new services for the firewall. For more information on how to add or modify firewall services, see “Adding New Services, 269.
You can also restrict the users from adding new services by selecting the Fixed size check box below the table. When it is selected, the end users cannot add or delete rows from the tables.
94
Application Control
Figure 3-17 Settings > Application Control
Application Rules for Known Applications
The Application Control page displays a list of known applications and the rules defined for them for inbound and outbound connection attempts.
Unknown Applications Reported by Hosts
The Unknown Applications Reported by Hosts list displays applications that the hosts have reported and for which no rules exist yet.
CHAPTER 3 95
On this page you can also:
Select the default action for client applications. Select the default action for server applications. Select whether new applications are reported to you by selecting
the Report new unknown applications check box.
Select whether if Application Control should prompt the user
when System Control has already identified the application as trusted or not.
Message for User
The Message for Users section contains the following options:
Show default messages for unknown applications can be used to
select whether users see default messages on unknown application connection attempts
Define default messages... opens the Define Messages window
where you can define messages for known and unknown applications on allow, deny and user decision.
For more information on how to configure and use Application Control as well as for configuration examples, see “Configuring Application Control”,
207.
96
Alert Sending
Figure 3-18 Settings > Alert Sending
General
In the General section you can:
Select the alerting language.
E-mail Alert Sending
Define the E-mail server address (SMTP). Define the E-mail sender address and E-mail subject to be used
when forwarding alerts by e-mail.
CHAPTER 3 97
For information on how to set up Alert Sending, see “E-mail Alert
Sending”, 96.
Alert Forwarding
The Alert Forwarding table can be used to configure where the alerts that are of certain severity are to be forwarded.
For examples on how to configure Anti-Virus alert forwarding, see “Configuring F-Secure Client Security Alert Sending, 188.
For examples on how to configure Internet Shield alert forwarding see “Configuring Internet Shield Rule Alerts, 203 and “How to use Alerts for
Checking that Internet Shield Works?”, 215.
98
Centralized Management
Figure 3-19 Settings > Centralized Management
General
The General section contains the following options:
Allow users to change all settings...
This option makes all the settings throughout the F-Secure Policy Manager Anti-Virus and Advanced Mode user interface non-final, which means that users are allowed to change any setting.
Do not allow users to change any settings...
CHAPTER 3 99
This option makes all the settings throughout the F-Secure Policy Manager Anti-Virus and Advanced Mode user interface final, which means that users are not allowed to change any setting. For more information on final settings, see “Settings Inheritance”,
118.
Clear all settings...
This option restores the default settings for all F-Secure Client Security components.
Allow users to suspend all downloads and updates
This option defines whether the user is allowed to suspend network communications, for example automatic polling of policies, sending statistics and Automatic Updates, temporarily.
This option is useful for hosts that are sometimes used via a slow dial-up line.
Allow users to uninstall F-Secure products
Deselecting this option prevents end-users from uninstalling F-Secure software from their computer. Uninstallation always requires administrative rights. This applies to all Windows operating systems, even to Windows NT/2000/XP where the end-user has administrative rights.
In order to uninstall software locally, one needs to either select this option or shut down the "F-Secure Management Agent" service first, and then proceed with the uninstallation.
Allow users to unload products;
The possible values are: Allowed always; Allowed only in stand-alone installations; Not allowed
This option specifies whether the user is allowed to unload all F-Secure products temporarily for example in order to free memory for games or similar applications. Note that the main functions of the products are disabled during the time the product is unloaded and thus the computer becomes vulnerable to viruses and attacks.
Slow connection definition
100

3.3.4 Status Tab

This variable defines which network connections are regarded as slow. The unit used is kilobits per second. Note, that the nominal speed of the connection is not relevant, but the actual speed of the connection is measured. The default value, 0 (zero), means that all connections are regarded as fast.
Policy Manager Server Settings
Policy Manager Server
URL address of the F-Secure Policy Manager Server.
Incoming packages polling interval
Defines how often the host tries to fetch incoming packages from Policy Manager Server, for example base policy files. The default value is 10 minutes.
Outgoing packages update interval
Defines how often the host tries to send new versions of periodically sent information, for example statistics, towards the Policy Manager Server. The default value is 10 minutes.
The different pages in Status tab display detailed information on the status of certain components of centrally managed F-Secure Client Security applications. If you select a domain in the Policy Domains tab, the Status tab displays the status of all hosts in that domain. If a single host is selected, the Status tab displays the status of that host.
By right-clicking the column headers on the Status pages you can configure which columns are displayed on that page.
Loading...