
Disturbing the end user as little as possible

PerHam
PerHam Posts: 9 Security Scout

Hello,

I use PM and policy-based updates to update Client Security on my clients. This works very well but I have a few thoughts about the end user experience.

 

Unfortunately the client computer needs to be restarted after every update - it would be nice if that could be avoided... But what bothers the end user the most is the network quarantine after the restart. The end user often gets a message that the virus definitions are too old and need to be updated (the definitions were up-to-date before the CS update) and therefore the computer is in network quarantine. It takes several minutes (sometimes five to ten minutes) before the computer is released from quarantine. I can understand that users are frustrated.

 

My question: Is this a "normal" behavior or am I missing some settings in the policy?

 

I must add that I have Network quarantine enabled in the policy but the "Virus definition age..." is set at 30 days. Normally I have five days but as a test I increased it to 30.

 

Regards,
Per

 

Comments

  • etomcat
    etomcat Posts: 1,172 Firewall Master

    Hello,

     

    > Unfortunately the client computer needs to be restarted after every update

     

    That is definitely not so! Virus recognition definition database updates (which happen multiple times every workday) as well as minor scan engine revision upgrades do NOT require Windows reboot in F-Secure protected endpoints, because F-Secure protection has zero or very little kernel-mode components. Similarly, the downloading, indexing and publishing of protection databases in F-Secure Policy Manager does not require a reboot of the server computer.

     

    If your system behaves differently, that must be a tech problem! (The last time I saw client reboots mandated after every update was with some McAfee protection, circa 1999. At that time signatures were distributed once a week as 2MB sized self-extracting programs, which took a long time to download over a 33.6k modem.)

     

    However, in case of a product version upgrade, let's say F-Secure Client Security 11.00->11.60, a reboot could still be required, for example to upgrade the Internet Shield firewall driver within NDIS, which cannot be done during runtime. Similarly, the server may need to be rebooted to upgrade the F-Secure Policy Manager version, say 11.10 -> 11.22. However, new product versions are usually published once every 4-6 months, so this is not a frequently occurring phenomenon and it is the local sysadmin who decides when the version upgrade should be performed!

     

    Best regards: Tamas Feher, 2F 2000, Hungary.

  • PerHam
    PerHam Posts: 9 Security Scout

    Hello Tamas,

     

    Thanks for your reply. You are absolutely right. I realize that I was a bit unclear. I'm not talking about the daily updates at all; I'm only referring to the version updates.

    However, you are missing the main subject in my post. It's not about the reboots, it's about what happens after the reboot.

     

    Thanks again but your reply is of no use to me.

     

    Regards,

    Per

     

  • etomcat
    etomcat Posts: 1,172 Firewall Master

    Hello PerHam,

     

    The av databases are not part of the F-Secure install package, so they need to be downloaded separately. Indeed, it would be nice if F-Secure programmers implemented the addition of recent AV databases to the JAR package when it is pushed to endpoints directly by FSPM or JAR gets exported to MSI file.

     

    On the other hand, I think it is always risky to send AV version upgrades to endpoints while the office people work on them. If it crashes during the upgrade process and some Excel work goes to /dev/null or the computer becomes unable to boot into Windows, resulting in a lost workday for the unlucky clerk, the sysadmin may receive threatening messages.

     

    You could maybe rely on Wake-on-LAN to energize turned off computers and do the upgrade during off-work hours. Maybe with scripting and/or remote access, so you don't have to stay onsite for the night shift when all goes right. That way, 5 or 10 minutes of network quarantine would not be a problem.

     

    Best Regards: Tamas Feher, Hungary.
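The Wake-on-LAN approach suggested above depends on sending a "magic packet" to each powered-off machine before the off-hours upgrade window. The following is an added example, not code from the original thread or from F-Secure; it builds and sends the standard magic packet (6 bytes of 0xFF followed by the target MAC address repeated 16 times) as a UDP broadcast, and parses a received packet so you can verify on a capture that the right MAC was targeted. The inventory of MAC addresses and the broadcast address are constructed placeholders.

```python
import socket

WOL_PORT = 9  # discard port; port 7 (echo) is the other common choice
MAGIC_PREFIX = b"\xff" * 6
MAGIC_PACKET_LEN = 6 + 6 * 16  # 102 bytes


def normalize_mac(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 and return 6 raw bytes."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"MAC address must contain 12 hex digits: {mac!r}")
    try:
        return bytes.fromhex(digits)
    except ValueError as exc:
        raise ValueError(f"MAC address is not valid hex: {mac!r}") from exc


def build_magic_packet(mac: str) -> bytes:
    """Return the Wake-on-LAN magic packet for the given MAC address."""
    return MAGIC_PREFIX + normalize_mac(mac) * 16


def parse_magic_packet(data: bytes) -> str:
    """Return the targeted MAC (colon-separated) if data is a well-formed magic packet.

    Raises ValueError otherwise. Useful when checking a packet capture
    to confirm the broadcast actually reached the client's subnet.
    """
    if len(data) < MAGIC_PACKET_LEN or data[:6] != MAGIC_PREFIX:
        raise ValueError("not a magic packet: missing 6-byte 0xFF synchronization stream")
    mac = data[6:12]
    for i in range(16):
        if data[6 + 6 * i : 12 + 6 * i] != mac:
            raise ValueError(f"repetition {i} of the MAC address does not match")
    return ":".join(f"{b:02x}" for b in mac)


def send_magic_packet(mac: str, broadcast: str, port: int = WOL_PORT) -> int:
    """Broadcast the magic packet on the given subnet; returns the number of bytes sent."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


def wake_inventory(inventory: dict, broadcast: str, port: int = WOL_PORT) -> dict:
    """Wake every host in {hostname: mac}; returns {hostname: bytes_sent_or_error_string}."""
    results = {}
    for hostname, mac in inventory.items():
        try:
            results[hostname] = send_magic_packet(mac, broadcast, port)
        except (ValueError, OSError) as exc:
            results[hostname] = f"error: {exc}"
    return results


if __name__ == "__main__":
    # Constructed sample inventory; replace with the real client list before use.
    SAMPLE_INVENTORY = {
        "laptop-01": "00:11:22:33:44:55",
        "laptop-02": "00-11-22-33-44-66",
        "bad-entry": "not-a-mac",
    }
    # Hypothetical subnet broadcast address; directed broadcasts are usually
    # blocked at routers, so run this from (or relay it into) each client VLAN.
    for host, outcome in wake_inventory(SAMPLE_INVENTORY, "192.0.2.255").items():
        print(f"{host}: {outcome}")
```

Two caveats worth keeping in mind before relying on this for an unattended upgrade night: the magic packet carries no authentication, so anyone on the same broadcast domain can wake (and thereby expose) a machine, and the sending host must sit on, or be able to relay into, each client subnet, because most routers drop directed broadcasts. Laptops that are on battery, docked without WoL enabled in firmware, or connected over Wi-Fi will typically not respond at all, which matches the original poster's observation that mobile clients have to be caught while online.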

  • PerHam
    PerHam Posts: 9 Security Scout

    Hello Tamas,

    The idea of including the AV databases in the exported msi package is excellent. That would probably help. I hope someone at F-Secure reads this.

     

    I do try to push the updates "out of hours" to avoid most of the death threats. Most of our clients are laptops so I need to catch them when they are online. A user interruption is hard to avoid.

     

    Anyway, thanks for your reply and opinion.

     

    Have a nice weekend.

     

    Regards,

    Per

  • etomcat
    etomcat Posts: 1,172 Firewall Master

    Hello Perham,

     

    > Most of our clients are laptops so I need to catch them when they are online. A user interruption is hard to avoid.

     

    In this case, if the users are of a cooperative mindset and possess local computer admin rights, maybe use the MSI method?

     

    Re-export the imported JAR file from PM console, so it becomes a pre-configured MSI file, including licence key, comms and policy settings. Put it on the public web somewhere and generate e-mails that ask end users to run the package when they have half an hour of free time. They will not have to configure anything, just click the Next button once. (Most people here wouldn't mind doing it, but attitudes differ, e.g. the French would surely make angry phone calls.)

     

    Anyhow, F-Secure's home user market segment products (FSAV/FSIS 2015) and SMB market offering (FSAV PSB) have more advanced automatic or semi-auto version upgrade capabilities. I feel Business Suite (FSPM+FSAVCS) is lagging far behind in this respect, like 5 years behind the curve.

     

    Best Regards: Tamas Feher, Hungary.

  • Chu
    Chu Posts: 49 Junior Protector

    You can also, after the computers have rebooted, force them to manually update the AV database.

     

    https://www.f-secure.com/en/web/labs_global/database-updates

     

    Regards,

     

    Roberto Chu

This discussion has been closed.
