Effective way to use fsdiag.exe logs

Feldunoob

Hello,

I have several hundred to a thousand fsdiag.exe log files, produced with an F-Secure Business license on endpoints. I need to do one analysis on each of them as a daily task, and provide a specific response 75% of the time. This is a time-consuming task, and sometimes missing things is a real problem and threat to the company.

I would like to see a timeline-processing tool and pointers on the default fsdiag files. Could you provide a list of tools, or even some F-Secure tools, to process this analysis in a reasonable working time? This would greatly help IT departments, as some of them have a lot of analyses to handle.

The product is the F-Secure Business suite. Feel free to contact me by mail about this matter, as I'm currently drowning.

Thanks!

Comments

  • fedool

    Hello,

    Can you send me a private message explaining which info you are looking for in the logs and why you are doing it with fsdiag logs?

    I'm sure we can find some way to simplify your life.

  • etomcat

    Hello,

    > I need to do one analysis on each one of them as daily task

    No, you don't. F-Secure is a vendor with highly automated products, so if something is wrong with an F-Secure endpoint and the endpoint is not able to remedy itself (fatal-error or security-event-grade occurrences), then you receive an e-mail or syslog alert through the Policy Manager centralized control server.

    (The kind of misery attitude your message emits is more fitting for, say, the Kaspersky products, which were apparently designed to make the life of corporate IT personnel difficult. Conjure up images of the Volga ship-towing crew in Rjepin's famous painting.)

    If you are worried about targeted attacks, a diagnostic log won't help there. For that "APT" threat, F-Secure has a sensor-based Rapid Detection and Response solution, which can be operated as a service by F-Secure itself or by a local partner with escalation to F-Secure or even by the end-user (if they are a large company with a highly trained IT-Sec department).

    As for false malware alarms, which are currently on an uptick, the easiest way is to upload the affected file to "Virustotal.com" and send the resulting weblink to F-Secure lab with a few lines of text describing the issue (i.e. our in-house-brewed HR software was hit by a DeepGuard or HEUR false alarm this morning). They can access the binary file sample through the VT infrastructure, so I don't recommend fiddling with password-protected e-mail attachments and other legacy submission methods that usually don't work reliably.

    Best regards: Tamas Feher, Hungary.

  • Feldunoob

    Hello Etomcat,

    I am not sure I get your point of view. To be more specific, my actual problem isn't about fsdiag.exe in itself or Kaspersky. It isn't about syslog or the centralized control manager policy either. There is no misery attitude; I'm only trying to find out the best way to use the logs output by the fsdiag.exe tool, which is available among the F-Secure free tools.

    As an IT Sec Analyst I have a ton of logs, which is why I'm trying to find new ways to work faster or exploit the data in a better way, especially as a timeline. So please don't say that I don't have to do my work.

    You will never see me sending a file to VirusTotal, simply because it is confidential, and I would rather send hashes of it.
