FS Server security slowing down/preventing windows update

hyvokar

Hi, 

 

as long as I remember, I've had problems with F-secure products and windows updates (10+ years). 
For now example, I'm trying to update 2020-01 Cumulative for Win Server 2016 and it's been sitting in 0% for couple of hours while fssm32 hogs up all the CPU.

 

Is there ever going  to be any change on this by F-secure? (maybe test the updates released by microsoft?)

If not, is there a list of locations that should be excluded from F-secure to succesfully install updates? 
I know this is a really really really bad choice, but I'm getting desperate.

hyvokar

Yet again, waited 4+ hours to update to finish, but it was stuck at 37% for another couple of hours. 
Once again, disabled all the FS services, stoppped remaining FS processes and update finished immediatly.

 

pls advice. Pointles to do this every month for dozens of servers.

MonikaL

Hi hyvokar,

 

If you are using F-Secure Server Security version 12.x, a hotfix has been created to address this issue with the product. The hotfix is available in F-Secure Server Security public web "Support and downloads" pages under "Hotfixes" section.

 

https://www.f-secure.com/en/business/downloads/server-security

 

Proceed to select 12.12 tab and download the F-Secure Server Security (Standard & Premium) 12.x FSAV Hotfix.

 

Regards,
Monika

hyvokar

Hi, 

 

thank you for your reply.

That hotfix has already been applied to all our servers last year. No help.

Vad

Hello hyvokar,

 

First of all, we would recommend to upgrade your product to SS 14 version.

If this is not possible, then the workarounds, which may help are:

1. Recommended exclusions.

2. Turning off DeepGuard advanced process monitoring feature.

You can also try with DeepGuard fully turned off, but this is not recommended approach.

 

Best regards,

Vad

MJ-perComp

"Recommended Exclusions"?
F-Secure's recommendation is to NEVER set any exclusion except for debugging or temporary workaround!
And to be more painful: This is a very bad UX for any new customer using the trials on any Windows platform (server and client).
The product must work out of the box!
my2ct

hyvokar

Unfortunately we cannot still upgrade to 14, since the change with the firewall is quite monumental.
As per comp said, as a paying customer, I'd really like the product to work out of the box without exclusions. 

I'll try disabling advanced process monitoring

MJ-perComp

The Firewall should be no problem
1. previous SS had no firewall. Thus a bypass all configuration would do the job
2. latest setup allows to drop the firewall interface completely, which will lead to unchanged settings as only Windows firewall an GPOs control what is happening.

Thus no reason to wait!

hyvokar

Fyi, same problem with CU 2020-02 for server 2016 (KB4537764)

hyvokar

Same prolem continues with 2020-03 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4540670).

As a test I installed update in question on a server that has f-secure services turned off, it took less than an hour.

For server with identical hw (except faster disks) the installation first took 2 hours (in gui) and after that it has been stuck for additional hour in "Getting Windows ready Don't turn off your computer".

hyvokar

Left the update running, and after being 1.5hours at "Getting Windows ready Don't turn off your computer", computer rebooted and the update failed to install.

So it's even worse than I thought.

hyvokar

Again, same problem with KB4556813 (2020-05 cumulative update for windows server 2016)

update status has been "preparing to install updates" for 2,5 hours now. Identical server with f-secure services disabled installed the update in 40minutes. Opened a support ticket yet again.

hyvokar

F-secure support recommended to exclude following folders from real time scanning. I'm speechelss.

c:\Windows\SoftwareDistribution\

c:\Windows\WinSxS\

c:\System Volume Information\