To stay updated on your favorite discussions, please create an account or log in. Then, click the Bookmark icon to subscribe and receive notifications.

FS Server security slowing down/preventing windows update

hyvokar
hyvokar W/ Alumni Posts: 165 Junior Protector

Hi, 

 

as long as I remember, I've had problems with F-secure products and windows updates (10+ years). 
For now example, I'm trying to update 2020-01 Cumulative for Win Server 2016 and it's been sitting in 0% for couple of hours while fssm32 hogs up all the CPU.

 

Is there ever going  to be any change on this by F-secure? (maybe test the updates released by microsoft?)

If not, is there a list of locations that should be excluded from F-secure to succesfully install updates? 
I know this is a really really really bad choice, but I'm getting desperate.

Comments

  • hyvokar
    hyvokar W/ Alumni Posts: 165 Junior Protector

    Yet again, waited 4+ hours to update to finish, but it was stuck at 37% for another couple of hours. 
    Once again, disabled all the FS services, stoppped remaining FS processes and update finished immediatly.

     

    pls advice. Pointles to do this every month for dozens of servers.

  • MonikaL
    MonikaL W/ Alumni Posts: 206 W/ Former Staff

    Hi hyvokar,

     

    If you are using F-Secure Server Security version 12.x, a hotfix has been created to address this issue with the product. The hotfix is available in F-Secure Server Security public web "Support and downloads" pages under "Hotfixes" section.

     

    https://www.f-secure.com/en/business/downloads/server-security

     

    Proceed to select 12.12 tab and download the F-Secure Server Security (Standard & Premium) 12.x FSAV Hotfix.

     

    Regards,
    Monika

  • hyvokar
    hyvokar W/ Alumni Posts: 165 Junior Protector

    Hi, 

     

    thank you for your reply.

    That hotfix has already been applied to all our servers last year. No help.

  • Vad
    Vad W/ Alumni Posts: 1,069 Cybercrime Crusader

    Hello hyvokar,

     

    First of all, we would recommend to upgrade your product to SS 14 version.

    If this is not possible, then the workarounds, which may help are:

    1. Recommended exclusions.

    2. Turning off DeepGuard advanced process monitoring feature.

    You can also try with DeepGuard fully turned off, but this is not recommended approach.

     

    Best regards,

    Vad

  • MJ-perComp
    MJ-perComp W/ Alumni Posts: 669 Firewall Master
    "Recommended Exclusions"?
    F-Secure's recommendation is to NEVER set any exclusion except for debugging or temporary workaround!
    And to be more painful: This is a very bad UX for any new customer using the trials on any Windows platform (server and client).
    The product must work out of the box!
    my2ct
  • hyvokar
    hyvokar W/ Alumni Posts: 165 Junior Protector

    Unfortunately we cannot still upgrade to 14, since the change with the firewall is quite monumental.
    As per comp said, as a paying customer, I'd really like the product to work out of the box without exclusions. 


    I'll try disabling advanced process monitoring

  • MJ-perComp
    MJ-perComp W/ Alumni Posts: 669 Firewall Master
    The Firewall should be no problem
    1. previous SS had no firewall. Thus a bypass all configuration would do the job
    2. latest setup allows to drop the firewall interface completely, which will lead to unchanged settings as only Windows firewall an GPOs control what is happening.

    Thus no reason to wait!
  • hyvokar
    hyvokar W/ Alumni Posts: 165 Junior Protector

    Fyi, same problem with CU 2020-02 for server 2016 (KB4537764)

  • hyvokar
    hyvokar W/ Alumni Posts: 165 Junior Protector
    edited March 2020

    Same prolem continues with 2020-03 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4540670).

    As a test I installed update in question on a server that has f-secure services turned off, it took less than an hour.

    For server with identical hw (except faster disks) the installation first took 2 hours (in gui) and after that it has been stuck for additional hour in "Getting Windows ready Don't turn off your computer".

  • hyvokar
    hyvokar W/ Alumni Posts: 165 Junior Protector

    Left the update running, and after being 1.5hours at "Getting Windows ready Don't turn off your computer", computer rebooted and the update failed to install.


    So it's even worse than I thought.

  • hyvokar
    hyvokar W/ Alumni Posts: 165 Junior Protector

    Again, same problem with KB4556813 (2020-05 cumulative update for windows server 2016)

    update status has been "preparing to install updates" for 2,5 hours now. Identical server with f-secure services disabled installed the update in 40minutes. Opened a support ticket yet again.

  • hyvokar
    hyvokar W/ Alumni Posts: 165 Junior Protector

    F-secure support recommended to exclude following folders from real time scanning. I'm speechelss.


    c:\Windows\SoftwareDistribution\

    c:\Windows\WinSxS\

    c:\System Volume Information\

This discussion has been closed.