OPTIMIZE MALWARE DEFINITIONS FOR ISOLATED NETWORKS
Hi girls and guys,
I'm back with this question: could you help me identify the channels that I use for my network clients? I should specify that I work with FSSS 12.11 and FSCS 13.10 managed by FSPM 13.10.
In the admin guide it is written as follows:
'conf\channels.json: this contains a list of the channels to be updated. By default, it includes updates for all the supported clients managed by Policy Manager, so we recommend that you leave only those that are necessary for your environment.'
Help me!
Best regards
--
Philipp
From France
Comments
Hello Philipp,
For FSCS 13.10 Standard you will need to have:
aquarius-win32 (for 32bit OS)
aquarius-win64 (for 64bit OS)
deepguard-db
hydra-win32
hydra-win64
lynx-win32
lynx-win64
ols-win32
ols-win64
sidegrade
ulcore-win32
ulcore-win64
ulupdater-win32
ulupdater-win64
uss-win32
uss-win64
virgo-win32
virgo-win64
For FSCS 13.10 Premium you will need to have the fsoftupd channel in addition.
For FSSS Standard 12.11 you will need to have:
aquawin32
avmisc
fsav_1100_bin
gemdb
hipsn
hydrawin
mlcwin
nifbin
orsp-win-v2
Again, for the Premium version you will need to have the fsoftupd channel in addition.
Best regards,
Vad
Hello,
> ISOLATED NETWORKS
There is a knowledge base article:
Using archives to update malware definitions
https://community.f-secure.com/t5/Business/Using-archives-to-update-malware/ta-p/102979
Best Regards: Tamas Feher, Hungary.
Thanks a lot Vad,
Where does your information come from? I'd like to know where I can find information about which channel is needed for which application!
Anyway, great thanks for your reply
Best regards
--
Phil
France
Thanks Tamas,
I had read it before asking my question; my question of the day is how I can download the thinnest archive for my isolated network.
Great thanks anyway
--
Phil
France
Hi,
could you tell me where this information comes from?
best regards
--
Phil
France
Hello Phil,
I guess there is no official document. But if you have a machine with the Business Suite product installed (and connected to PM, which has all DB updates), you can find the list of the channels used by the client product as a set of sub-folders in the folder c:\ProgramData\F-Secure\FSAUA\content\ for 12.x clients, or in the folder c:\ProgramData\F-Secure\FSAUA\guts2\ for 13.x clients. One exception to this is the "sidegrade" channel, which is not present in this set, as it is used only in the pre-installation phase.
Note that the set is different for 32-bit and 64-bit Windows for 13.x BS clients.
Best regards,
Vad
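An added example (not from the thread or from F-Secure): it turns the folder-listing approach Vad describes into a check of what conf\channels.json can drop. It assumes channels.json ultimately reduces to a list of channel names (verify against the real file before using), and the folder names below are constructed from the channel lists earlier in the thread rather than read from a real host.

```python
import os

# Assumed location of the per-client channel folders on a 13.x client (from the thread).
GUTS2_DIR = r"c:\ProgramData\F-Secure\FSAUA\guts2"

# "sidegrade" is used only during pre-installation, so it never shows up as a folder.
SIDEGRADE = "sidegrade"

# Constructed sample: one folder listing per (client product, architecture) in the fleet.
# On a real host you would replace each list with os.listdir(GUTS2_DIR) (13.x) or
# os.listdir(r"c:\ProgramData\F-Secure\FSAUA\content") (12.x).
FLEET_LISTINGS = {
    "FSCS 13.10 win64": ["aquarius-win64", "deepguard-db", "hydra-win64", "lynx-win64",
                         "ols-win64", "ulcore-win64", "ulupdater-win64", "uss-win64",
                         "virgo-win64"],
    "FSSS 12.11": ["aquawin32", "avmisc", "fsav_1100_bin", "gemdb", "hipsn",
                   "hydrawin", "mlcwin", "nifbin", "orsp-win-v2"],
}

# Constructed sample of a "configured" channel list, built from every channel named
# in the thread (both architectures plus the Premium-only channel).
DEFAULT_CHANNELS = [
    "aquarius-win32", "aquarius-win64", "deepguard-db", "hydra-win32", "hydra-win64",
    "lynx-win32", "lynx-win64", "ols-win32", "ols-win64", "sidegrade", "ulcore-win32",
    "ulcore-win64", "ulupdater-win32", "ulupdater-win64", "uss-win32", "uss-win64",
    "virgo-win32", "virgo-win64", "fsoftupd", "aquawin32", "avmisc", "fsav_1100_bin",
    "gemdb", "hipsn", "hydrawin", "mlcwin", "nifbin", "orsp-win-v2",
]


def required_channels(listings, premium=False):
    """Union of every channel folder seen on any client in the fleet, plus the
    sidegrade exception and, for Premium editions, fsoftupd (as stated in the thread)."""
    needed = set()
    for folders in listings.values():
        needed.update(folders)
    needed.add(SIDEGRADE)
    if premium:
        needed.add("fsoftupd")
    return needed


def trim_channels(configured, needed):
    """Split the configured channels into those to keep and those no client uses;
    also report channels the fleet needs that are not configured at all."""
    keep = [c for c in configured if c in needed]
    drop = [c for c in configured if c not in needed]
    missing = sorted(needed - set(configured))
    return keep, drop, missing
```

Run `trim_channels(DEFAULT_CHANNELS, required_channels(FLEET_LISTINGS))` to see the win32 and fsoftupd entries land in the drop list for this constructed fleet; anything in `missing` means the configured list would leave a client without its updates.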
hi,
Great thanks for your answer, that's a first step towards my objective; I've probably not explained it enough!
In fact, my ultimate step will be to identify which modules depend on which channels, and the reverse.
best regards
--
Phil
France
Hi,
honestly, this is a dangerous idea you are following (or an obsolete one). Why?
1) If the systems are in an isolated network, where does the threat come from? If from "removable media", you could easily check them on a non-isolated system.
2) The detection rate for an isolated system only doing a manual scan is around 70% for new (first seen) malware, maybe even worse.
To compensate for that, F-Secure has added Deepguard and other modules (and you should have all of them activated in an isolated network).
BUT by their generic detection mechanisms they cause false positives or even false negatives. Again F-Secure compensates here using its Reputation network, allowing it to double-check the finding with a global database using the ORSP client. But that requires being online.
3) Without a direct connection to a PM the client will not be aware of a rollback or emergency update, and without an online connection the client is not able to handle false positives efficiently.
So you see F-Secure is not designed for such an environment. (And none of the competitors is either.)
Now what can you do?
If you have a very stable installation on the clients with only rare changes, and no one is allowed to bring in new installations, you could use F-Secure without an online connection (ORSP), but you have to test the clients' functionality after each update, especially those that are connected to Deepguard.
Updating a client, even with an "isolated" copy of the "outside" PM, is not very well documented. We have just started with the new GUTS2 updating mechanism and I have no clue if a copy of the repository would work.
All in all you will end up with pretty regular and complex manual work to get updates to the clients, combined with a severe loss in detection rates and reliability. Maybe you could use removable media that you mount to the outside PM, start that PM, let it update the media, stop that PM, move the media to the "isolated" PM, mount it there and start that PM again. But you still lack online reputation.