DB updates status from the registry?

Dear Sirs,

A customer want to know where to find F-Secure Client Security update status information in the Windows registry?

For example, something like this:

AV Update Date:
HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates\"SignaturesLastUpdated"

Antivirus definition:
HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates\"AVSignatureVersion"

AV Client Version:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Client\”DisplayVersion”

( I think they should be using the Microsoft Windows Security Center interface or NAP support for this, but they insist on the registry. )

Thanks in advance, Yours Sincerely: Tamas Feher, 2F 2000 Kft., Hungary.

Find more posts tagged with

Comments

etomcat

Hello,

Turns out F-Secure Corp. even has a Knowledge Base article to elaborate this topic:

http://community.f-secure.com/t5/tkb/articleprintpage/tkb-id/End-point_Security@tkb/article-id/280

Thanks: Tamas Feher, Hungary.

Vad

> But when querying for the details, the following command returns empty, even if piped to a text file on disk: polutil g 1.3.6.1.4.1.2213.12.2.22.100.100

Polutil doesn't support "g" option for tables/table rows. You need to use "dump" option if you want to access tables.

Best regards,

Vad

Registry places are stable (same for any type of keycode). As far as i remember, product number (506 in your example) is different for CS Standard and Premium.

Note that AV module version in registry indicates the version present in installer, and is not updated when new FSAV update comes from the channel.

FSAV update freshness can be found in C:\PROGRA~1\F-Secure\Anti-Virus\scanningplatform.ini file.

Best regards,

Vad

etomcat

Dear Vad,

> use polutil.exe from F-Secure\Common\ for checking updates related statistics policies

Thanks for the hint, but does this work entirely correctly in FSCS 12?

Polutil.exe g 1.3.6.1.4.1.2213.12.2.120 apparently returns Unix-seconds as a generic result (e.g. 1434708569) for the time when virus definitions were previously updated. That's fine.

But when querying for the details, the following command returns empty, even if piped to a text file on disk:

polutil g 1.3.6.1.4.1.2213.12.2.22.100.100

On the other hand, the following command returns "Error DFP_ERR_NO_SUCH_OID occurred":

C:\PROGRA~1\F-Secure\Common>polutil g 1.3.6.1.4.1.2213.12.2.22.100.100.1

Yours Sincerely: Tamas Feher, Hungary.

etomcat

Dear Vad,

- I found this in a test VM running "F-Secure Client Security 12.00 build 648" protection. But it is not necessarily a good, stable regiustry place, since TNB means the 30-day trial functionality, I think?

HKEY_LOCAL_MACHINE\SOFTWARE\Data Fellows\F-Secure\TNB\Products\506
version (REG_SZ) = 12.00
build (REG_SZ) = 648

- The AV module within FSCS 12.00 is "F-Secure Anti-Virus 9.51 build 223". I found data for that here:

HKEY_LOCAL_MACHINE\SOFTWARE\Data Fellows\F-Secure\Anti-Virus
CurrentVersionEx (REG_SZ) = 9.51.223

- As for virus recognition fingerprint database freshness dates, the customer could possibly use the output from:

C:\PROGRA~1\F-Secure\Anti-Virus> fsav /version

(* Note.: Path is C:\PROGRA~2\... on computers running 64-bit OS)

Yours Sincerely: Tamas Feher, Hungary.

Vad

You can use polutil.exe from F-Secure\Common\ for checking updates related statistics policies.

Best regards,

Vad

etomcat

Dear Vad,

Thanks for the quick info! If policy is the only avalaible source for such info, how to get it for use by another software? Mine the H2 DB via SQL commands?

For your information: the same customer also uses or used another brand of AV software, which we also represent. That AV product had serious incompatibility with that in-house developed security monitoring framework, which is based on the registry read-out method.

(Honestly said, If I were an AV program, I would be very nervous and probably throw an alert or even block the action, if another software tried to read my vital statistics directly from the registry or other protected area.)

Yours Sincerely: Tamas Feher, Hungary.

Vad

Hello Tamas,

Unfortunately, this information is available only in policy statistics.

In PSB WS 10.50 we introduced new feature:

RMM integration by WMI provider
F-Secure WMI provider allows you to monitor F-Secure product properties and statistics and to start some operations, such as virus scans, remotely.

But this feature is not yet present in Client Security, even in the latest 12.00 version.

Best regards,

Vad