
DB updates status from the registry?

etomcat
etomcat Posts: 1,172 Firewall Master

Dear Sirs,

A customer wants to know where to find F-Secure Client Security update status information in the Windows registry.

For example, something like this:

AV Update Date:
HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates\"SignaturesLastUpdated"

Antivirus definition:
HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates\"AVSignatureVersion"

AV Client Version:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Client\"DisplayVersion"

( I think they should be using the Microsoft Windows Security Center interface or NAP support for this, but they insist on the registry. )

Thanks in advance, Yours Sincerely: Tamas Feher, 2F 2000 Kft., Hungary.

Comments

  • Vad
    Vad Posts: 1,069 Cybercrime Crusader

    Hello Tamas,

    Unfortunately, this information is available only in policy statistics.

    In PSB WS 10.50 we introduced a new feature:

    • RMM integration by WMI provider
      F-Secure WMI provider allows you to monitor F-Secure product properties and statistics and to start some operations, such as virus scans, remotely.

    But this feature is not yet present in Client Security, even in the latest 12.00 version.

    Best regards,

    Vad

  • etomcat
    etomcat Posts: 1,172 Firewall Master

    Dear Vad,

    Thanks for the quick info! If policy is the only available source for such info, how can it be obtained for use by another piece of software? Mine the H2 DB via SQL commands?

    For your information: the same customer also uses or used another brand of AV software, which we also represent. That AV product had a serious incompatibility with their in-house developed security monitoring framework, which is based on the registry read-out method.

    (Honestly, if I were an AV program, I would be very nervous and would probably throw an alert or even block the action if another piece of software tried to read my vital statistics directly from the registry or another protected area.)

    Yours Sincerely: Tamas Feher, Hungary.

  • etomcat
    etomcat Posts: 1,172 Firewall Master

    Dear Vad,

    - I found this in a test VM running "F-Secure Client Security 12.00 build 648" protection. But it is not necessarily a good, stable registry place, since TNB means the 30-day trial functionality, I think?

    HKEY_LOCAL_MACHINE\SOFTWARE\Data Fellows\F-Secure\TNB\Products\506
    version (REG_SZ) = 12.00
    build (REG_SZ) = 648

    - The AV module within FSCS 12.00 is "F-Secure Anti-Virus 9.51 build 223". I found data for that here:

    HKEY_LOCAL_MACHINE\SOFTWARE\Data Fellows\F-Secure\Anti-Virus
    CurrentVersionEx (REG_SZ) = 9.51.223

    - As for virus recognition fingerprint database freshness dates, the customer could possibly use the output from:

    C:\PROGRA~1\F-Secure\Anti-Virus> fsav /version

    (Note: the path is C:\PROGRA~2\... on computers running a 64-bit OS)

    Yours Sincerely: Tamas Feher, Hungary.

  • etomcat
    etomcat Posts: 1,172 Firewall Master

    Dear Vad,

    > use polutil.exe from F-Secure\Common\ for checking updates related statistics policies

    Thanks for the hint, but does this work entirely correctly in FSCS 12?

    Polutil.exe g 1.3.6.1.4.1.2213.12.2.120 apparently returns Unix seconds as a generic result (e.g. 1434708569) for the time when the virus definitions were last updated. That's fine.

    But when querying for the details, the following command returns empty, even if piped to a text file on disk:

    polutil g 1.3.6.1.4.1.2213.12.2.22.100.100

    On the other hand, the following command returns "Error DFP_ERR_NO_SUCH_OID occurred":

    C:\PROGRA~1\F-Secure\Common>polutil g 1.3.6.1.4.1.2213.12.2.22.100.100.1

    Yours Sincerely: Tamas Feher, Hungary.

  • Vad
    Vad Posts: 1,069 Cybercrime Crusader

    Registry places are stable (the same for any type of keycode). As far as I remember, the product number (506 in your example) is different for CS Standard and Premium.

    Note that the AV module version in the registry indicates the version present in the installer, and it is not updated when a new FSAV update comes from the channel.

    FSAV update freshness can be found in C:\PROGRA~1\F-Secure\Anti-Virus\scanningplatform.ini file.

    Best regards,

    Vad

  • Vad
    Vad Posts: 1,069 Cybercrime Crusader

    > But when querying for the details, the following command returns empty, even if piped to a text file on disk: polutil g 1.3.6.1.4.1.2213.12.2.22.100.100

    Polutil doesn't support "g" option for tables/table rows. You need to use "dump" option if you want to access tables.

    Best regards,

    Vad
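Pulling the pieces of this thread together, here is an added PowerShell example (not from the thread and not F-Secure's own code) that reads the registry values Tamas listed, queries the polutil OID for the definition timestamp, and reports the definition age so a monitoring job can flag stale hosts. Assumptions: product number 506, the Wow6432Node location for the 32-bit product on 64-bit Windows, the polutil.exe location, and that polutil prints the Unix timestamp as a line of its own.

```powershell
# Added example, not F-Secure code. Registry paths and the OID are the ones quoted
# in this thread; product id, Wow6432Node, polutil path and output shape are assumed.
function Get-FSecureUpdateStatus {
    param(
        [string]$ProductId = '506',      # differs between CS Standard and Premium (per Vad)
        [string]$PolutilPath = $null,    # auto-detected below when not given
        [double]$MaxAgeDays = 3
    )
    # 32-bit product on 64-bit Windows is redirected to Wow6432Node (assumption).
    $roots = @('HKLM:\SOFTWARE\Data Fellows\F-Secure',
               'HKLM:\SOFTWARE\Wow6432Node\Data Fellows\F-Secure')
    $root = $roots | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $root) { throw 'F-Secure registry branch not found' }

    $prod = Get-ItemProperty -Path "$root\TNB\Products\$ProductId" -ErrorAction SilentlyContinue
    $av   = Get-ItemProperty -Path "$root\Anti-Virus" -ErrorAction SilentlyContinue

    # polutil lives in F-Secure\Common (thread); PROGRA~2 vs PROGRA~1 is handled by trying both.
    if (-not $PolutilPath) {
        $PolutilPath = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) | Where-Object { $_ } |
            ForEach-Object { "$_\F-Secure\Common\polutil.exe" } |
            Where-Object { Test-Path $_ } | Select-Object -First 1
    }
    # Definition timestamp: the thread reports this OID returning Unix seconds.
    $defsUpdated = $null
    if ($PolutilPath) {
        $raw = & $PolutilPath g 1.3.6.1.4.1.2213.12.2.120 2>$null |
               Where-Object { $_ -match '^\s*\d+\s*$' } | Select-Object -Last 1
        if ($raw) { $defsUpdated = [DateTimeOffset]::FromUnixTimeSeconds([long]($raw.Trim())).LocalDateTime }
    }
    $ageDays = $null
    if ($defsUpdated) { $ageDays = [math]::Round(((Get-Date) - $defsUpdated).TotalDays, 1) }

    [pscustomobject]@{
        ClientVersion      = $prod.version
        ClientBuild        = $prod.build
        AvModuleInstalled  = $av.CurrentVersionEx   # installer-time value, not refreshed by channel updates (per Vad)
        DefinitionsUpdated = $defsUpdated
        DefinitionAgeDays  = $ageDays
        Stale              = ($null -eq $ageDays) -or ($ageDays -gt $MaxAgeDays)
    }
}

# Usage: show the status and warn when definitions are missing or older than 3 days.
$status = Get-FSecureUpdateStatus
$status | Format-List
if ($status.Stale) { Write-Warning 'Virus definitions missing or stale' }
```

Run it under an account that can read HKLM and execute polutil; a missing polutil or an OID that returns nothing leaves DefinitionsUpdated empty and marks the host Stale rather than silently passing.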

  • etomcat
    etomcat Posts: 1,172 Firewall Master

    Hello,

    Turns out F-Secure Corp. even has a Knowledge Base article that elaborates on this topic:

    http://community.f-secure.com/t5/tkb/articleprintpage/tkb-id/End-point_Security@tkb/article-id/280

    Thanks: Tamas Feher, Hungary.
