[Resolved] Linux fspms virus definition distribution error

ClaudeRenglet

Hi,

 

I use the f-secure management suite under Linux Debian 7.4 64bits.

fsaua, fsaus en fspms seems to work correctly, except for virus distribution to workstation.

In the fspms logs I receive a realloc() error :

sudo -u fspms /opt/f-secure/fspms/bin/fsavupd --debug

avmisc seems to be non extract
Sending registeration
Asking latest segmentation rules
Sending update request for avmisc version 1369636185
Sending update request for BLENG version 2013052701
Sending update request for gemdb version 1397198576
Sending update request for hipscfg version 1397212201
Sending update request for idsdb version 1232363088
Sending update request for SCDB3 version 2013071801
Sending update request for SCDB31 version 0
Sending update request for hydrawin version 1397208048
Sending update request for hydralinux version 1397208044
Sending update request for mlcwin version 1391497725
Sending update request for aquawin32 version 1397204042
Sending update request for fsav_900_bin version 1390295866
Sending update request for orsp-win-v2 version 1370467978
Sending update request for litmus-bin version 1394529059
Sending update request for exploitshield_v2 version 1329915224
Sending update request for css_720_bin version 1395139428
Sending update request for aqualnx32 version 1397204108
Sending update request for commtouchunix version 1395063913
Sending update request for fmlibunix version 1396531743
Sending update request for fsav_1000_bin version 1396533212
Sending update request for fsav_1100_bin version 1396533309
Sending update request for hipsn version 1393853040
Sending update request for nifbin version 1396349931
Sending update request for lynx-windows version 0
Sending update request for sidegrade version 1391674522
Requesting AUA to perform immediate update
Received segrules
Received packet UPDATE_REQUEST_OK, avmisc version 1369636185
Received packet UPDATE_REQUEST_OK, BLENG version 2013052701
Received packet UPDATE_REQUEST_OK, gemdb version 1397198576
Received packet UPDATE_REQUEST_OK, hipscfg version 1398216600
Received packet UPDATE_REQUEST_OK, idsdb version 1232363088
Received packet UPDATE_REQUEST_OK, SCDB3 version 2013071801
Received packet UPDATE_REQUEST_OK, SCDB31 version 0
Received packet UPDATE_REQUEST_OK, hydrawin version 1398417652
Received packet UPDATE_REQUEST_OK, hydralinux version 1398417648
Received packet UPDATE_REQUEST_OK, mlcwin version 1391497725
Received packet UPDATE_REQUEST_OK, aquawin32 version 1398640671
Received packet UPDATE_REQUEST_OK, fsav_900_bin version 1390295866
Received packet UPDATE_REQUEST_OK, orsp-win-v2 version 1370467978
Received packet UPDATE_REQUEST_OK, litmus-bin version 1398327260
Received packet UPDATE_REQUEST_OK, exploitshield_v2 version 1329915224
Received packet UPDATE_REQUEST_OK, css_720_bin version 1395139428
Received packet UPDATE_REQUEST_OK, aqualnx32 version 1398640714
Received packet UPDATE_REQUEST_OK, commtouchunix version 1395063913
Received packet UPDATE_REQUEST_OK, fmlibunix version 1398250516
Received packet UPDATE_REQUEST_OK, fsav_1000_bin version 1398250783
Received packet UPDATE_REQUEST_OK, fsav_1100_bin version 1398255865
Received packet UPDATE_REQUEST_OK, hipsn version 1393853040
Received packet UPDATE_REQUEST_OK, nifbin version 1396349931
Received packet UPDATE_REQUEST_OK, lynx-windows version 0
Received packet UPDATE_REQUEST_OK, sidegrade version 1391674522
Download complete for hipscfg version 1398216600, OK
Republishing update...running /opt/f-secure/fsaus/bin/bwadmin with args:
 0: /opt/f-secure/fsaus/bin/bwadmin
 1: addsubchannel
 2: -name
 3: DB Updates
 4: -q
running /opt/f-secure/fsaus/bin/bwadmin with args:
 0: /opt/f-secure/fsaus/bin/bwadmin
 1: addexpgroup
 2: -scname
 3: DB Updates
 4: -name
 5: Main
 6: -q
running /opt/f-secure/fsaus/bin/bwadmin with args:
 0: /opt/f-secure/fsaus/bin/bwadmin
 1: set_segrules
 2: -path
 3: /tmp/fsauasc_72ed_segrules
 4: -q
running /opt/f-secure/fsaus/bin/bwadmin with args:
 0: /opt/f-secure/fsaus/bin/bwadmin
 1: add_prs
 2: -scname
 3: DB Updates
 4: -egname
 5: Main
 6: -localdir
 7: /tmp/fsauasc_72ed
 8: -q
OK
*** glibc detected *** /opt/f-secure/fsaua/bin/fsauasc: realloc(): invalid next size: 0x0000000001784c60 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x76d76)[0x7f124eb08d76]
/lib/x86_64-linux-gnu/libc.so.6(+0x7ca4c)[0x7f124eb0ea4c]
/lib/x86_64-linux-gnu/libc.so.6(realloc+0xf0)[0x7f124eb0ed60]
/opt/f-secure/fsaua/bin/fsauasc[0x412e05]
/opt/f-secure/fsaua/bin/fsauasc[0x4132cb]
/opt/f-secure/fsaua/bin/fsauasc[0x41340b]
/opt/f-secure/fsaua/bin/fsauasc(fsl_unix_socket_readwrite_cb+0x9b)[0x4178fb]
/opt/f-secure/fsaua/bin/fsauasc[0x40fb9b]
/opt/f-secure/fsaua/bin/fsauasc[0x4101bd]
/opt/f-secure/fsaua/bin/fsauasc[0x404580]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7f124eab0ead]
/opt/f-secure/fsaua/bin/fsauasc[0x40322a]
======= Memory map: ========
00400000-00434000 r-xp 00000000 08:01 1700871                            /opt/f-secure/fsaua/bin/fsauasc
00534000-00535000 rw-p 00034000 08:01 1700871                            /opt/f-secure/fsaua/bin/fsauasc
01783000-017a5000 rw-p 00000000 00:00 0                                  [heap]
7f1248000000-7f1248021000 rw-p 00000000 00:00 0
7f1248021000-7f124c000000 ---p 00000000 00:00 0
7f124e87c000-7f124e891000 r-xp 00000000 08:01 1177348                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7f124e891000-7f124ea91000 ---p 00015000 08:01 1177348                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7f124ea91000-7f124ea92000 rw-p 00015000 08:01 1177348                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7f124ea92000-7f124ec14000 r-xp 00000000 08:01 1181072                    /lib/x86_64-linux-gnu/libc-2.13.so
7f124ec14000-7f124ee13000 ---p 00182000 08:01 1181072                    /lib/x86_64-linux-gnu/libc-2.13.so
7f124ee13000-7f124ee17000 r--p 00181000 08:01 1181072                    /lib/x86_64-linux-gnu/libc-2.13.so
7f124ee17000-7f124ee18000 rw-p 00185000 08:01 1181072                    /lib/x86_64-linux-gnu/libc-2.13.so
7f124ee18000-7f124ee1d000 rw-p 00000000 00:00 0
7f124ee1d000-7f124ee1f000 r-xp 00000000 08:01 1181086                    /lib/x86_64-linux-gnu/libdl-2.13.so
7f124ee1f000-7f124f01f000 ---p 00002000 08:01 1181086                    /lib/x86_64-linux-gnu/libdl-2.13.so
7f124f01f000-7f124f020000 r--p 00002000 08:01 1181086                    /lib/x86_64-linux-gnu/libdl-2.13.so
7f124f020000-7f124f021000 rw-p 00003000 08:01 1181086                    /lib/x86_64-linux-gnu/libdl-2.13.so
7f124f021000-7f124f038000 r-xp 00000000 08:01 1181090                    /lib/x86_64-linux-gnu/libpthread-2.13.so
7f124f038000-7f124f237000 ---p 00017000 08:01 1181090                    /lib/x86_64-linux-gnu/libpthread-2.13.so
7f124f237000-7f124f238000 r--p 00016000 08:01 1181090                    /lib/x86_64-linux-gnu/libpthread-2.13.so
7f124f238000-7f124f239000 rw-p 00017000 08:01 1181090                    /lib/x86_64-linux-gnu/libpthread-2.13.so
7f124f239000-7f124f23d000 rw-p 00000000 00:00 0
7f124f23d000-7f124f25d000 r-xp 00000000 08:01 1181094                    /lib/x86_64-linux-gnu/ld-2.13.so
7f124f440000-7f124f443000 rw-p 00000000 00:00 0
7f124f45a000-7f124f45c000 rw-p 00000000 00:00 0
7f124f45c000-7f124f45d000 r--p 0001f000 08:01 1181094                    /lib/x86_64-linux-gnu/ld-2.13.so
7f124f45d000-7f124f45e000 rw-p 00020000 08:01 1181094                    /lib/x86_64-linux-gnu/ld-2.13.so
7f124f45e000-7f124f45f000 rw-p 00000000 00:00 0
7fff60e2e000-7fff60e4f000 rw-p 00000000 00:00 0                          [stack]
7fff60fff000-7fff61000000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted

 And, of course, the virus definition update are not distributed to clients.

on the other side, the policies are well distributed.

 

Is this may be due to the Debian version I used (7.4 64b)?

I didn't try  with older Debian distro yet.

 

Thanks

Claude

ClaudeRenglet

More informations :

Here are the deb packages I've installed :

f-secure-automatic-update-agent_8.36.33_amd64.deb

f-secure-policy-manager-server_10.40.51057_amd64.deb

f-secure-policy-manager-console_10.40.51057_amd64.deb

 

All are 64 bits version. 

It's strange that the version mentionned in the file name of the fsecure automatic update agent is 8.36.33 versus 10.40.51057 for the policy manager server and console. all debs are downloaded from F-Secure download page : http://www.f-secure.com/en/web/business_global/support/downloads/-/carousel/view/82

 

here are the lasted log content for fsaua :

Tue Apr 29 13:26:12 2014(2):  Connecting to fsbwserver.f-secure.com (no BW proxy, no HTTP proxy)...
Tue Apr 29 13:26:13 2014(3):  Database 'hydrawin' version '1398763249' db_size '12264699', free '97217490944'
Tue Apr 29 13:26:13 2014(3):  Downloaded 'F-Secure Hydra Update 2014-04-29_02' - 'hydrawin' version '1398763249', 12264699 bytes (51349 bytes downloaded)
Tue Apr 29 13:26:13 2014(3):  Database 'hydralinux' version '1398763246' db_size '12868181', free '97212915712'
Tue Apr 29 13:26:13 2014(3):  Downloaded 'F-Secure Hydra Update 2014-04-29_02' - 'hydralinux' version '1398763246', 12868181 bytes (642 bytes downloaded)
Tue Apr 29 13:26:13 2014(2):  Update check completed successfully.
Tue Apr 29 14:26:12 2014(2):  Connecting to fsbwserver.f-secure.com (no BW proxy, no HTTP proxy)...
Tue Apr 29 14:26:12 2014(2):  Update check completed successfully. No updates are available.
Tue Apr 29 15:26:12 2014(2):  Connecting to fsbwserver.f-secure.com (no BW proxy, no HTTP proxy)...
Tue Apr 29 15:26:12 2014(2):  Update check completed successfully. No updates are available.

 Updates seems to be well downloaded from f-secure servers but they aren't distributed to my Windows Clients.

 

my Linux Virtual Machine (under ESXI) uname -a : Linux F-SecureManager 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64 GNU/Linux

Federico

Hi Claude,

 

The program has been tested to work correctly under:

 

DebianGNU Linux 6.0 (Squeeze) 32/64bit
Debian GNU Linux 7.2 (Wheezy) 32/64bit

 

The product may also work on other Linux versions however none of those are supported officially.

 

It is possible the cause of the issue is due to a different version of glibc. I would recommend if you could test the installation on 7.2 to see if you encounter the same issue.

 

Regards,

 

ClaudeRenglet

Thanks for your reply.

 

Unfortunately, it's hard to find a download of Debian Wheezy 7.2, all references I've found on Debian web sites are about the 7.5 version.

 

Anyway, I have tried with Ubuntu 12.04 64 bits, and it seems to be working.

 

Thanks again.

 

 

 

ipiasecki

Hi.

 

On my installation i have the same problem. I have FSPMS 10.40 and FSCS 11.51. My f-secure client fetches policies form servere but not updates, even they are there.

 

On the server:

 

May 15 04:15:04 DL165G6 fsaua[2641]: Database 'aquawin32' version '1400105623' db_size '371374001', free '19063922688'
May 15 04:15:05 DL165G6 fsaua[2641]: Downloaded 'F-Secure Aquarius Update 2014-05-14_07' - 'aquawin32' version '1400105623', 371374001 bytes (116813 bytes downloaded)
May 15 04:15:43 DL165G6 fsaua[2641]: Serving aquawin32 version 1400105623 to fsauasc
May 15 04:15:47 DL165G6 fsaua[2641]: Database 'aqualnx32' version '1400105657' db_size '371961336', free '18694549504'
May 15 04:15:54 DL165G6 fsaua[2641]: Downloaded 'F-Secure Aquarius Update 2014-05-14_07' - 'aqualnx32' version '1400105657', 371961336 bytes (4532 bytes downloaded)
May 15 04:16:37 DL165G6 fsaua[2641]: Serving aqualnx32 version 1400105657 to fsauasc

 

But FCS reports that updates aren't available.

 

One solution: shutdonw FSPMS and let clients fetches updates from f-secure web site.

 

 

Jayson

Hi ipiasecki,

 

Kindly follow the steps in this KB article to reset both F-Secure Automatic Update Agent (AUA) and F-Secure Automatic Update Server (AUS) database repositories in your Linux PMS.

 

Thanks.

 

Best Regards,
Jayson

ipiasecki

Hi. This article helps me. FSCS fetches again updates from FSPMS.

 

But, i Think, there is some fields to improve. When clients doesn/t get updates after some time from FSPMS, then they should fallback to method fetches updates from f-secure web site.

 

In my scenario - FSPMS is avail 24H and FSCS connected to him, don't fetches updates
(even on the server are updates), and this happen again in the loop. So my clients were,nt protected.

 

This mechanism should be improved.

 

In short: when clients notices no updates on FSPMS for some time, should comunicate with f-secure web site for updates.

 

Best regards.