DeepGuard breaks PostgreSQL database startup

JulienB

Basically the database fails to start with a error 487.

 

The DeepGuard forces ASLR which messes with the Inter-process communications of the database (it does massive usage of shared memory).

 

F-Secure shall blacklist/disable the DeepGuard activities for postgres.exe processes BY DEFAULT, please do that, otherwise it just wastes other people's time in tech support.

 

DeepGuard just breaks PostgreSQL, and on top of that... randomly !

 

For reference:

https://community.f-secure.com/t5/Business/DeepGuard-seems-to-cause/td-p/88447  

 

And also on the forums :

https://forums.postgresql.fr/viewtopic.php?id=4005

https://github.com/npgsql/npgsql/issues/1507

https://www.postgresql.org/message-id/flat/20161111121249.8760.29584@wrigleys.postgresql.org#20161111121249.8760.29584@wrigleys.postgresql.org

https://forums.postgresql.fr/viewtopic.php?id=3995

etomcat

Hello,

 

You wrote:

> https://github.com/npgsql/npgsql/issues/1507

 

It contains this text:

"Turning off the Use_advanced_process_monitoring feature of F-Security DeepGuard solves the problem (though the DeepGuard by himself can be activated).

 

Best regards: Tamas Feher, Hungary.

JulienB

Thanks for you answer, but...     should we tell our clients "youhouu there is a workaround ! you don't need to uninstall F-Secure". We already tell our clients to disable F-Secure, to workaround the problem.

 

The PostgreSQL database, needed by our software does not work out of the box because of F-Secure : it may work sometimes or break randomly (because of randomization). It provokes headaches for tech support, making the diagnotic difficult. The others blog posts I linked in my message meant : "This is not just our business, other people are also walking in the dark trying to guess what's happening".

 

Does F-Secure has a sort of integrated blacklist of the softwares it *breaks* so it will avoid breaking them ? I mean, without user interaction, without tech support expertise ?

 

NB: If all you want to provide us is a workaround, can you please post a solution to detect if F-Secure is installed ? So that our setup will at least warn our customers.

etomcat

Hello,
 
> PostgreSQL ... ASLR which messes with the Inter-process communications of the database (it does massive usage of shared memory)

Honestly said, if PostgreSQL doesn't support ASLR, that's not F-Secure's problem. A business purpose database that holds valuable data and personal data should be secure by design and ASLR is an important info-security feature. With breaches like Equifax happening day after day it is not wise to use insecure databases and the vendor should fix ASLR support.

Anyhow, the advanced mode of F-Secure Deepguard uses a mini-DLL injection method and some applications are known to be allergic to that, for example games or expensive CAD software equipped with sophisticated copy protection and DRM schemes.

Best regards: Tamas Feher, Hungary.

JulienB

So I guess postgres.exe is also allergic to the DLL injection (and maybe it is just the DLL injection that breaks things).  Is there a list somewhere of applications allergic to that advanced feature of F-Secure ? Where can I subscribe ?

 

To feed the honest troll about security, PostgreSQL is a great database, but well.. indeed, no developer is perfect, and sometimes a product will disappoint you because of some small specific annoying things.  I agree with you on that point. Nevertheless, it behaves very well in production, and this is more "there is a bug on win32 so we disable it" than "we lack support for this on all platforms".

 

But there is no reason or excuses for breaking programs, especially when users reports failures.

 

BTW, when our clients produce crazy amounts of $$$ a minute, and the new server randomly fails because of F-Secure. We try to find them a good solution. And I post this message because I care.

 

So.. Is there a registry key available to shunt DeepGuard for a particular binary ?

etomcat

Hello,

 

F-Secure Deepguard defines "trusted" for protection using SHA-1 checksums of the affected software binaries.

 

It is located in F-Secure Policy Manager Console, Advanced View mode, under:

Settings / F-Secure / F-Secure Deepguard 5.xx / Applications table

 

If that doesn't help, you may have to degrade the entire Deepguard module from Enhanced Process Monitoring Mode to baseline mode.

 

Best Regards: Tamas Feher, Hungary.

 

JulienB

mikaelw confirmed me by mail that the problem is probably only due to the advanced tricks :

 

---

We had to disable the "Use advanced process monitoring" flag for DeepGuard. Since then we haven't had the issue. 

JulienB

 So .. the guilty is identified, and since we have no other options (i.e. F-Secure won't fix or disable) we will :

1) Document the problem

2) Recommand our clients against using F-Secure

3) Warn our clients during the setup phase, that F-Secure presence is detected

 

---

 

---

We had to disable the "Use advanced process monitoring" flag for DeepGuard. 

"ADVANCED PROCESS MONITORING"  is guilty..
AND F-SECURE WON'T FIX THAT OR DISABLE IT FOR POSTGRESQL.

---