
DeepGuard breaks PostgreSQL database startup

JulienB
JulienB W/ Alumni Posts: 5 Security Scout

Basically the database fails to start with an error 487.

DeepGuard forces ASLR, which messes with the inter-process communication of the database (it makes massive use of shared memory).

 

F-Secure shall blacklist/disable the DeepGuard activities for postgres.exe processes BY DEFAULT, please do that, otherwise it just wastes other people's time in tech support.

DeepGuard just breaks PostgreSQL, and on top of that... randomly!

 

For reference:

https://community.f-secure.com/t5/Business/DeepGuard-seems-to-cause/td-p/88447

And also on the forums:

https://forums.postgresql.fr/viewtopic.php?id=4005

https://github.com/npgsql/npgsql/issues/1507

https://www.postgresql.org/message-id/flat/20161111121249.8760.29584@wrigleys.postgresql.org#20161111121249.8760.29584@wrigleys.postgresql.org

https://forums.postgresql.fr/viewtopic.php?id=3995

Comments

  • etomcat
    etomcat W/ Alumni Posts: 1,172 Firewall Master

    Hello,

     

    You wrote:

    > https://github.com/npgsql/npgsql/issues/1507

     

    It contains this text:

    "Turning off the Use_advanced_process_monitoring feature of F-Security DeepGuard solves the problem (though the DeepGuard by himself can be activated)."

     

    Best regards: Tamas Feher, Hungary.

  • JulienB
    JulienB W/ Alumni Posts: 5 Security Scout

    Thanks for your answer, but... should we tell our clients "youhouu, there is a workaround! You don't need to uninstall F-Secure"? We already tell our clients to disable F-Secure to work around the problem.

    The PostgreSQL database, needed by our software, does not work out of the box because of F-Secure: it may work sometimes or break randomly (because of randomization). It provokes headaches for tech support, making the diagnostic difficult. The other blog posts I linked in my message meant: "This is not just our business, other people are also walking in the dark trying to guess what's happening".

     

    Does F-Secure have a sort of integrated blacklist of the software it *breaks* so it will avoid breaking it? I mean, without user interaction, without tech support expertise?

    NB: If all you want to provide us is a workaround, can you please post a solution to detect if F-Secure is installed? So that our setup will at least warn our customers.

  • etomcat
    etomcat W/ Alumni Posts: 1,172 Firewall Master

    Hello,
     
    > PostgreSQL ... ASLR which messes with the Inter-process communications of the database (it does massive usage of shared memory)

    Honestly said, if PostgreSQL doesn't support ASLR, that's not F-Secure's problem. A business purpose database that holds valuable data and personal data should be secure by design and ASLR is an important info-security feature. With breaches like Equifax happening day after day it is not wise to use insecure databases and the vendor should fix ASLR support.

    Anyhow, the advanced mode of F-Secure Deepguard uses a mini-DLL injection method and some applications are known to be allergic to that, for example games or expensive CAD software equipped with sophisticated copy protection and DRM schemes.

    Best regards: Tamas Feher, Hungary.

  • JulienB
    JulienB W/ Alumni Posts: 5 Security Scout

    So I guess postgres.exe is also allergic to the DLL injection (and maybe it is just the DLL injection that breaks things). Is there a list somewhere of applications allergic to that advanced feature of F-Secure? Where can I subscribe?

     

    To feed the honest troll about security: PostgreSQL is a great database, but well... indeed, no developer is perfect, and sometimes a product will disappoint you because of some small specific annoying things. I agree with you on that point. Nevertheless, it behaves very well in production, and this is more "there is a bug on win32 so we disable it" than "we lack support for this on all platforms".

    But there is no reason or excuse for breaking programs, especially when users report failures.

    BTW, when our clients produce crazy amounts of $$$ a minute and the new server randomly fails because of F-Secure, we try to find them a good solution. And I post this message because I care.

    So... Is there a registry key available to shunt DeepGuard for a particular binary?

  • etomcat
    etomcat W/ Alumni Posts: 1,172 Firewall Master

    Hello,

     

    F-Secure Deepguard defines "trusted" for protection using SHA-1 checksums of the affected software binaries.

     

    It is located in F-Secure Policy Manager Console, Advanced View mode, under:

    Settings / F-Secure / F-Secure Deepguard 5.xx / Applications table

     

    If that doesn't help, you may have to degrade the entire Deepguard module from Enhanced Process Monitoring Mode to baseline mode.

     

    Best Regards: Tamas Feher, Hungary.

     

  • JulienB
    JulienB W/ Alumni Posts: 5 Security Scout

    mikaelw confirmed to me by mail that the problem is probably only due to the advanced tricks:

    > We had to disable the "Use advanced process monitoring" flag for DeepGuard. Since then we haven't had the issue.
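An added example, not code from this thread, from F-Secure or from PostgreSQL, tying together the error 487 in the opening post and etomcat's note that DeepGuard trusts binaries by SHA-1 checksum: it scans a PostgreSQL server log for the failed shared-memory reattach and computes the SHA-1 of the PostgreSQL binaries an administrator would enter in the Applications table. The log lines are constructed, and the binary names and bin directory are assumptions.

```python
import hashlib
import re
import sys
from pathlib import Path

# Constructed sample of a PostgreSQL server log on Windows (not from the thread).
# PostgreSQL reports a failed shared-memory reattach with the Win32 error code;
# 487 is ERROR_INVALID_ADDRESS: the address range the backend reserved for the
# shared-memory segment was already occupied when it tried to map it.
SAMPLE_LOG = """\
2017-10-05 09:12:01 CEST LOG:  database system was shut down at 2017-10-05 09:11:58 CEST
2017-10-05 09:12:01 CEST FATAL:  could not reattach to shared memory (key=000001F4, addr=0000000002D80000): error code 487
2017-10-05 09:12:01 CEST LOG:  database system is shut down
"""

REATTACH_RE = re.compile(r"could not reattach to shared memory.*?error code (\d+)")
WIN32_ERROR_NAMES = {487: "ERROR_INVALID_ADDRESS"}


def find_reattach_failures(log_text):
    """Return (line_number, win32_error_code) for every reattach failure in the log."""
    hits = []
    for num, line in enumerate(log_text.splitlines(), start=1):
        m = REATTACH_RE.search(line)
        if m:
            hits.append((num, int(m.group(1))))
    return hits


def sha1_of_bytes(data):
    """SHA-1 hex digest, the checksum form the DeepGuard Applications table uses."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path):
    """Hash a binary in chunks so a large executable is not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def whitelist_checksums(bin_dir, names=("postgres.exe", "pg_ctl.exe")):
    """Map each PostgreSQL binary found in bin_dir to its SHA-1 (binary names are assumed)."""
    bin_dir = Path(bin_dir)
    return {n: sha1_of_file(bin_dir / n) for n in names if (bin_dir / n).is_file()}


if __name__ == "__main__":
    for num, code in find_reattach_failures(SAMPLE_LOG):
        print(f"line {num}: reattach failed, error code {code} ({WIN32_ERROR_NAMES.get(code, 'unknown')})")
    if len(sys.argv) > 1:  # e.g. C:\Program Files\PostgreSQL\10\bin (assumed layout)
        for name, digest in whitelist_checksums(sys.argv[1]).items():
            print(f"{digest}  {name}")
```

Run it with the PostgreSQL bin directory as its only argument to get the checksums; without an argument it only reports the reattach failures found in the sample log.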