Issue:
The Policy Manager Alerts tab shows an alert with the severity "Security" and the description "Databases are old" for a host. How do I troubleshoot why the virus definitions are reported as outdated?
Resolution:
WithSecure Policy Manager receives the updates through our GUTS2 delivery and stores them in the C:\Program Files (x86)\F-Secure\Management Server 5\data\guts2 folder.
WithSecure Policy Manager Server checks for new update versions every 10 minutes; other checks (headers, diffs) are requested by the clients.
What do I do if clients are alerting about Virus definitions being x days old?
- Make sure the connection between the client and F-Secure Policy Manager is stable.
- Check the latest policy under Status.
- Check Automatic updates under Status.
- Verify that your F-Secure Policy Manager HTTP and HTTPS addresses are reachable from the client, for example by opening http://10.0.0.50:80 and https://10.0.0.50:443 in a browser. A successful connection shows "F-Secure Policy Manager Server is installed and is working fine"; if not, make sure the HTTP and HTTPS ports defined in your F-Secure Policy Manager are open for the clients.
Note: You might be using an HTTP proxy, in which case F-Secure Policy Manager might not be reachable if the traffic to it is routed through the HTTP proxy.
• You can define your HTTP proxy by opening Settings in your F-Secure Policy Manager console, expanding Centralized management and scrolling down to Internet connections.
• Custom HTTP proxy address - this is used when "Use HTTP proxy" is set to "Custom". It can be defined as follows:
http://[user[:password]@]host:port, for example:
http://myproxy.com
http://myproxy.com:8080
http://<http-encoded-user-name>:<http-encoded-password>@host:port
The user name and password must be URL-encoded; for example, domain\user is written as domain%5cuser.
Our support for authenticated proxies is limited to SIMPLE and NTLM authentication and should be the same as FsHttpRequest's.
2. From your local WithSecure Policy Manager host, you can check whether there are any problems with the updates:
- fspms-download-updates.log shows the download activities -> C:\Program Files (x86)\F-Secure\Management Server 5\logs
- If there are connection issues to our backend, make sure you allow these two hostnames, *.f-secure.com and *.fsapi.com, on your firewall.
- From your WithSecure Policy Manager console, open Tools, then Server Configurations, and check the setting "Consider virus definitions outdated after xx days".
- This value (number of days) indicates when the virus definitions are considered "old".
- A warning is sent to the administrator if the last virus definition file is older than the specified number of days.
- Another way of troubleshooting is to reset the updates:
- Stop the WithSecure Policy Manager Server service (net stop fsms)
- Empty the folder -> C:\Program Files (x86)\F-Secure\Management Server 5\data\guts2
- Restart the service (net start fsms)
- Troubleshoot from the affected clients locally, as each client requests updates independently:
- From the system tray, open the WithSecure UI and click "Check for updates". Here you get another view of the connection state.
- You can click "Check now" and scroll down to view the update history.
- View the log file to see whether updates are being downloaded and installed.
- Verify whether the updates are being stored under, for example, C:\Program Files (x86)\F-Secure\Server Security\Ultralight and C:\ProgramData\F-Secure\GUTS2
- Additionally, you can verify from Guts2Plugin.log (C:\ProgramData\F-Secure\Log\CCF) whether the updates have a "Success" status.
Note: For older versions such as the 12.xx series, the host notification reads "Database to be xx days old".
The client should not alert even if the BackWeb cache was forgotten; the client still has recent updates. If you upgrade a client from 12.x, it might in theory alert because it does not have any updates downloaded yet, as with a clean installation.
Overall, it is recommended to check point 2 first; the client log might already explain all the reasons even without the WithSecure Policy Manager connectivity checks. The client-to-F-Secure Policy Manager check is probably needed only if the AUA log says the client is pinging a fake address instead of the F-Secure Policy Manager address in the policies.
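The two checks above that lend themselves to scripting, as an added example that is not part of the original article: the HTTP/HTTPS reachability test for the Policy Manager address and the age of the newest file in the guts2 data folder compared with the "outdated after xx days" threshold. The host 10.0.0.50, the 7-day threshold and the default install path are assumptions; adjust the parameters to your environment.

```powershell
# Added diagnostic, not WithSecure's own tooling. Run the URL part on a client,
# the folder part on the Policy Manager host (it is skipped where the folder is absent).
param(
    [string]$PmHost = '10.0.0.50',          # assumed Policy Manager address from the article
    [int]$HttpPort = 80,
    [int]$HttpsPort = 443,
    [int]$OutdatedAfterDays = 7,            # placeholder for "consider outdated after xx days"
    [string]$Guts2Dir = 'C:\Program Files (x86)\F-Secure\Management Server 5\data\guts2'
)

$expected = 'F-Secure Policy Manager Server is installed and is working fine'

# 1. Reachability: the page text is what distinguishes the real server from a
#    proxy error page or an unrelated service answering on the same port.
foreach ($url in @("http://${PmHost}:$HttpPort", "https://${PmHost}:$HttpsPort")) {
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        if ($resp.Content -like "*$expected*") {
            Write-Host "[OK]   $url answered with the expected Policy Manager page"
        } else {
            Write-Host "[WARN] $url answered (HTTP $($resp.StatusCode)) but not with the Policy Manager page; check whether an HTTP proxy is in the path"
        }
    } catch {
        Write-Host "[FAIL] $url not reachable: $($_.Exception.Message) -> check firewall and port settings"
    }
}

# 2. Update freshness on the server: if nothing in guts2 is newer than the
#    threshold, clients cannot receive anything newer either.
if (Test-Path $Guts2Dir) {
    $newest = Get-ChildItem -Path $Guts2Dir -Recurse -File -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($null -eq $newest) {
        Write-Host "[WARN] $Guts2Dir is empty: no updates downloaded yet; see fspms-download-updates.log"
    } else {
        $age = (Get-Date) - $newest.LastWriteTime
        $state = if ($age.TotalDays -gt $OutdatedAfterDays) { 'WARN' } else { 'OK' }
        Write-Host ("[{0}] newest file {1} is {2:N1} days old (threshold {3} days)" -f $state, $newest.Name, $age.TotalDays, $OutdatedAfterDays)
    }
} else {
    Write-Host "[SKIP] $Guts2Dir not found; run this part on the Policy Manager host"
}
```

If the server uses a self-signed certificate, the HTTPS request fails certificate validation in Windows PowerShell 5.1; in PowerShell 7 you can add -SkipCertificateCheck to Invoke-WebRequest for this diagnostic.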
Additional information:
What is diff?
If the client has the full previous package, for example 'capricorn-win64' version '1603142724', it can just ask for a diff, but once that chain breaks, it has to do full downloads. The client writes these activities locally to Guts2Plugin.log, which is located under 'C:\ProgramData\F-Secure\GUTS2\'.
There are 4 calls to the server: discovery (q or your request, depending on product version), header downloads (h), diff request (o), content (f).
If discovery reports that there is a new version, the client, if it has the completed previous version on disk, can ask the server for just the diff from that version to the latest version.
When should I apply FSAUA-reset Tool?
- When you have checked WithSecure Policy Manager and did not find any related issues, and still see an installation error in the AUA log (other than a pending restart).
- The 15.xx series has the aua-reset tool bundled with the product, for example Client Security -> c:\Program Files (x86)\F-Secure\Client Security\fsaua-reset.exe
Policy Manager Server 15.30 for Linux
In the case of Policy Manager Server 15.30 for Linux, check whether there is sufficient storage space. The proxy server may have enough storage overall, but if you have multiple Logical Volumes and the Logical Volume for /var/opt/ is not big enough, Policy Manager shows the error "Databases are old". To resolve this, extend the Logical Volume size.
Article no: 000003426