Firewall Services funny looking entries

Hi,

In my FS under Firewall Services, the list of shown services includes lots of mysterious-looking entries that have no name and no "Used in rule" showing. There are also a bunch of items listed that have names such as "Acid shivers - Trojan". I can't find anything in the documentation to state what should or should not be seen here - can you please tell me if this is normal/valid/correct FS behaviour.

Also, can you tell me how how to determine if my FS is correctly set up and working i.e. how to I visually inspect to determine if FS is uncompromised and working correctly.

thanks.

Find more posts tagged with

Comments

MattAU

Thanks Vad, this has been helpful.

Cheers,

Matt.

Vad

Yes, it could be normal.

Regarding empty names. If you create a service manually from Policy Manager Console (PMC), then on the first screen of creation wizard you are asked to specify the name of service and a comment with more wide description. This comment ends up as a service name in the local GUI of Clien Security, and the fact is that you can leave it empty in the wizard. So, all the empty services are the services created by admins in PMC.

Regarding "Acid shivers - Trojan", this is a built in service, as well as several others ending with "Trojan".

MattAU

Can you give me a general indication if the observed FS state I've described is suspect vs normal FS behaviour? Its in a restricted environment where doing as you've suggested is not a small thing - doing so just to be told what Im seeing is completely normal for FS might not be helpful to my cause you are totally correct though of course in advising this, and it will be my next step. Thanks!

MattAU

and how about I stop calling you Vlad! Sorry about that, I'm a tad overtired/bleary-eyed plus I'm friends with a Vlad..

Vad

I see your point. I would propose you to contact support having support tool (fsdiag) information collected on suspected host at hand. We'll check if something is wrong or not.

Best regards,

Vad

MattAU

p.s. I should add that I do suspect a possibility of FS being compromised. I'm seeing other system issues such as Windows and FSecure disagreeing on the firewall status, machines no longer installing automatic updates etc. So I'm looking at an environment where FS itself bing infected is a possibility.

MattAU

Hi Vlad,

Thanks for the reply. I should mention I'm a 19 yr IT industry veteran, mostly spent building enterprise web apps. Im posting here as I've been asked to look into some machines at a work site to address some concerns raised about a recent infection. LAN security isn't my primary specialty but I do what I can

I haven't had a lot of previous experience with FS specifically. When I look at the Firewall Services listing I'm seeing many entries that are all blank text i.e. I can open them and view the details, just the name and often the description too are just blank (both in the listing and the properties window). I'm also seeing many entries whose names are the names of various pieces of malware e.g. Acid shivers - Trojan. All other entries are things I would exect to find.

For both the blank entries and the malware-named ones, can you tell me if this is the nomal correct thing to be seeing? None of the documentation Ive seen so far proides any kind of a listing of which entries should be visible here if FS is working correctly and is not compromised. I assume the malware-named entries are rules addressing those particular threats. I'm concerned about the blank entries however?

I'll have a word to them about the old version and recommend they upgrade as a priority.

Thanks,

Matt.

Vad

Matt, thank you for the information.

First of all, you version of Clien Security is very old. Please, check this topic:

http://community.f-secure.com/t5/End-point/Important-End-of-life-for-9/td-p/29672

I would recommend you to upgrade to the latest version 11.00 as soon as possible.

The list of services is available just to simplify creation of rules for the user. So, please, don't worry if you don't know what some of service names mean. If you want to check the general information about firewall services, in local GUI open Settings->Network connections -> Firewall window, select Services tab, and press Help button.

Regarding your question about correct setup and working. If your Client Security is installed in centralized mode, you can check all the information about your protection status from Policy Manager Console.

Locally you can just check the F-Icon condition in Windows taskbar notification area. If it's not blinking or showing red or yellow marks, then the product is in normal condition. Also Windows Security Center will inform you if Anti-Virus or Firewall is turned off by any reason.

Best regards,

Vad

MattAU

Hi Vlad,

Sorry about that. Its:F-Secure Client Security 9.01 build 122

F-Secure Anti-Virus 9.20 build 16071
F-Secure Automatic Update Agent 8.25 build 4183
F-Secure User Interface 9.23 build 6978
F-Secure Management Agent 8.20 build 40059
F-Secure Network connections 6.24 build 125
F-Secure Email Scanner 6.00 build 466
F-Secure Online Help 1.98 build 1030
F-Secure Customization CS/1.30.01
F-Secure Browsing Protection/SW 1.10 build 5829
F-Secure Browsing Protection/ES 1.10 build 1039

Cheers,

Matt.

Vad

Hello MattAU,

Please, specify your F-Secure product / version.

Best regards,

Vad