RELEASE NOTES F-Secure Client Security Version 11.50 build 309 (RTM) F-Secure Client Security Premium Version 11.50 build 118 (RTM) Copyright 1993-2013 F-Secure Corporation. All Rights Reserved. Portions Copyright 2004 BackWeb Technologies Inc. This product may be covered by one or more F-Secure patents, including the following: GB2353372, GB2366691, GB2366692, GB2366693, GB2367933, GB2368233, GB2374260 1. General This document contains information about F-Secure Client Security 11.50 release. We strongly recommend that you read the entire document. Please refer to the online help for more information. 2. Product contents The solution can be licensed and deployed as F-Secure Client Security or F-Secure Client Security Premium. F-Secure Client Security product has the following features that you can install: Virus & spyware protection protects your computer against viruses, trojans, spyware, rootkits and other malware. DeepGuard proactive, instant protection against unknown threats. It monitors application behavior and stops potentially harmful activities in real-time. E-mail scanning detects malicious content in e-mail traffic (IMAP4, POP3 and SMTP protocols) to protect you against e-mail malware. Web traffic scanning detects and blocks malicious content in web traffic (HTTP protocol) to provide additional protection against malware. Internet Shield consists of Firewall, Application Control, and Intrusion Prevention (IPS). Browsing protection provides additional protection against unsafe web sites. Device control lets you control and disable hardware devices. Microsoft NAP Plug-in integrates with Microsoft Network Access Protection (NAP). Offload scanning allows to offload malware scanning to F-Secure Scanning and Reputation Server. F-Secure Client Security Premium product includes the additional feature: Software Updater -- keeps your system and applications up-to-date by automatically installing patches as they are released by vendors. The supported languages are: English, Chinese (P.R.C, Taiwan, Hong Kong), Czech, Danish, Dutch, Estonian, Finnish, French, Canadian French, German, Greek, Hungarian, Italian, Japanese, Korean,
Norwegian, Polish, Portuguese, Brazilian Portuguese, Romanian, Russian, Slovenian, Spanish, Latin American Spanish, Swedish, and Turkish. 3. What s new 3.1 New features and improvements Offload Scanning Agent It can be installed in order to offload malware scanning and content reputation checking to a dedicated server running F-Secure Scanning and Reputation Server. This allows to minimize the performance impact to virtualization infrastructure. Host Identification changes You can chose additional Host Identification methods. The added Host Identification methods are identifying the host by WINS name or MAC address. Randomization of scheduled scan tasks It is now possible to start scheduled scan tasks with a randomized delay interval. This allows to minimize performance impact when scheduled scanning starts on multiple virtual machines simultaneously. Added support for Microsoft Windows 8.1 You can install and use the product on Microsoft Windows 8.1. Other enhancements made in this release: AUA content folder has been moved from %ProgramFIles% to %ProgramData% folder. 3.2 Fixed issues This section lists important issues fixed in this release: SVCE-301: No scanners available after fsav-1100-bin update is installed SVCE-328: Too many errors with the full computer scan SPT-253: Web Traffic Scanning can cause delay on network services SVCE-413: The client is using random UID even though the MSI package was prepared to use MAC based host identification 4. Installation and system requirements Before you install the product, we recommend that you review the sections in this document to make sure that your network, hardware, software, and other system components meet the requirements for F-Secure Client Security 11.50. 4.1 Local and centrally managed installations For centrally managed installations, import the Client Security installation JAR package (fscs_11.50-309- rtm.jar or fscspr_11.50-118-rtm.jar) to Policy Manager Console and deploy the product remotely to selected hosts. With Policy Manager Console, you can also export an MSI package that you can deploy via other central management systems to install the product. To run the installation locally, create the MSI package with the export tool in F-Secure Policy Manager Console. Note that the installation requires local administrator rights. Note: Standalone installation has not been supported since F-Secure Client Security version 10.00.
4.1.1 Installation instructions in Virtual Environments using the F-Secure Offload Scanning Agent If you want to deploy F-Secure Client Security in a virtual environment using the Offload Scanning Agent to minimize the performance impact to virtualization infrastructure you need to select the installation of the Offload Scanning Agent during the installation or export of the MSI package. For detailed installation instructions of this feature please refer to the F-Secure Security for Virtual and Cloud Environments deployment guide. Note: Please note that you need to have the Scanning and Reputation Server in place for this functionality to work. Note: In this version, the Device Control feature can be managed only from Policy Manager Console. 4.2 Supported platforms This release can be installed on the following platforms: Microsoft Windows XP (32-bit editions only) Microsoft Windows Vista (all 32-bit and 64-bit editions) Microsoft Windows 7 (all 32-bit and 64-bit editions) Microsoft Windows 8 and 8.1 (all 32-bit and 64-bit editions) Note: All operating systems are required to have the latest Service Pack installed. Note: Here, 64-bit editions mean AMD64 (x64) platform editions. 4.3 Recommended hardware requirements Microsoft Windows 8, Windows 7 and Vista Processor: Intel Pentium 4 2GHz or higher Memory: 1GB for 32-bit / 2 GB for 64-bit or more Disk space: at least 1,5 GB Internet connection: an Internet connection is required to receive updates and use cloud-based technology features Microsoft Windows XP SP3 Processor: Intel Pentium III 1Gz or higher Memory: 512 MB or more Disk space: at least 1,5 GB Internet connection: an Internet connection is required to receive updates and use cloud-based technology features 4.4 Centralized management requirements The following versions of F-Secure Policy Manager are required to centrally manage F-Secure Client Security installations F-Secure Policy Manager (Windows) 11.10 or newer F-Secure Policy Manager (Linux) 10.30 or newer 5. Known issues
5.1 Sidegrade PSB WKS sidegrade does not work correctly When installing Client Security, PSB Workstation Security sidegrade does not work correctly. To solve this issue, install Client Security twice or uninstall PSB Workstation Security before the installation. 5.2 Installation, upgrade and uninstallation Remote installation to Windows 8 To remotely install Client Security to Windows 8 host from Policy Manager Console, set the following registry at the host to enable access to 'admin$' share: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] "LocalAccountTokenFilterPolicy"=dword:00000001 Policies are not received immediately after reboot In some cases, the installed client may not receive policies immediately after the reboot. Usually, the client receives the new policy after some time and recovers automatically. If this does not happen, restart the computer. Unused databases are still visible after upgrade When upgrading from a previous version, some database and engine updates that were used in the previous version may not be needed anymore. They are still visible in Settings > Other settings > Downloads marked as Not Installed. This is normal and entries will disappear automatically after 7 days. System might be slow for several minutes after the first reboot while the installation finishes The system may start up slowly during the initial restart after the installation. After the restart, the product downloads and installs various updates to finalize the installation in the background. The effect is more noticeable after a fresh installation, as more updates need to be downloaded. The local user interface has a blue status indicator and a Completing Installation status until the installation is complete. Subsequent restarts are not affected. NAP Health Validator is not removed from configured health policies during uninstallation During uninstallation, references to F-Secure System Health Validator (SHV) are not automatically removed from health policies. Computers that use these policies are considered as non-compliant with health policies and they are quarantined. To fix broken references to F-Secure SHV, open the health policies properties in the Network Policy Server console (nps.msc) and confirm the automatic update. Installation of Client Security 11.50 removes McAfee Agents During the installation, the product removes 3rd-party software that may be incompatible (including McAfee Agent and McAfee NAI epolicy Orchestrator Agent). If you need 3rd-party software that would be removed, submit a support ticket to F-Secure customer support to request a special build that does not remove software that you need. 5.3 Browsing protection and Web traffic scanning Change in Browsing protection settings may look ineffective due to caching
Sometimes it may seem that new Browsing protection settings do not do anything, because the browser finds the page content from the browser cache. Use Ctrl-F5 to ignore the cache and reload the web page content. Uninstalling only Browsing protection/web traffic scanning does not immediately switch it off After you uninstall the Browsing protection feature, it works until the GateKeeper service (FSGKHS) is restarted. The same is true with Web traffic scanning. Browsing protection search results Browsing protection does not show safety ratings on search result pages that use HTTPS. Web traffic scanning does not protect encrypted traffic This version of Web traffic scanning does not handle and protect HTTPS protocol. 5.4 E-mail scanning TLS- and SSL-encrypted e-mail protocols not supported (44173, 44869, 54496, 55285, 89415) E-mail scanning works only with unencrypted e-mails using protocols POP3, IMAP or SMTP. Scanning e-mails that are encrypted with Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols is not supported. When TLS and SSL protocols are used, e-mail scanning either cannot scan e- mails or may block them. Turn off e-mail scanning if you use either TLS or SSL protocols for secure e-mail transmissions. If E-mail scanning is configured to listen to a port which is used by TLS- or SSL- encrypted e-mail, the traffic is blocked completely even when e-mail scanning is turned off [89415]. To solve this issue, reconfigure E-mail scanning to listen to the standard unencrypted port (110) or to any unused port, if port 110 is used already. Unable to open attachment scanned via IMAP on Thunderbird email client (CTS-91745/CSEP-441) Sometimes, Thunderbird cannot download messages or attachments via IMAP protocol when E-mail scanning is turned on. In these cases, the user can turn off the mail.server.default.fetch_by_chunks setting in Thunderbird at the host: 1. Open Thunderbird and go to Tools > Options. 2. In the dialog that opens, select Advanced settings (rightmost icon) and go to the General tab. 3. Click the "Config Editor..." button. The Advanced options dialog opens. 4. In the Advanced options, set the following value: mail.server.default.fetch_by_chunks = false 5. Close the dialogs and restart Thunderbird. For centrally managed hosts, the administrator can use the setting 1.3.6.1.4.1.2213.12.1.113.400.10.20 in Advanced mode to Allow partial FETCH for IMAP clients. Note, however, that this decreases the level of e-mail protection. 5.5 Anti-Virus Incorrect engine versions are shown in policy statistics After a clean installation, the Status tab of Policy Manager Console (F-Secure Anti-Virus > Plug-ins table) and scanning reports show incorrect engine versions. To solve this issue, restart the FSGKHS service.
5.6 Software Updater Some proxy configurations can prevent Software Updater functionality (CTS-91963/CSEP-543) If your corporate network is behind a proxy or a firewall that has strict deny rules, Software Updater may be unable to download patches from some sites. Make sure that your proxy allows hosts to access download.microsoft.com and the download sites of other vendors (web or ftp), whose products are installed in your corporate environment. Software Updater does not automatically install updates not signed by trusted authority Some updates, for example Notepad++, WinZip, and 7-Zip, are released unsigned. Software Updater does not automatically install unsigned updates and reports the installation error There is no signature. The administrator can use the selective installation from the Policy Manager Console to install these updates. Alternatively, the administrator can use the setting 1.3.6.1.4.1.2213.59.1.20.30 to Allow unsigned updates automatic installation. Note, however, that this may decrease the level of protection, because it applies to all future updates, which are installed according to automatic installation rules, including missing updates of newly installed products. Installation of some updates can hang The installation of updates runs under the local system account without user interaction. On rare occasions, the installation can hang because it waits for user s input or is handling an error. The installation is cancelled after the timeout period, which is 4 hours by default. After the timeout, the batch installation continues, skipping the problematic patch / update. Software Updater reports the installation error as Installation hung up. To forcibly retry the installation of the problematic update, use the selective installation. Installation dialog shown every day for MS Office updates (CSEP-461) Software Updater requests a path input for MS Office 2003 patches. Failed to download update for MS Office 2000 suite (CTS-91704) This issue is related to the issue with the MS Office 2003 patches (CSEP-461). A dialog requests the user to provide the path to MS Office 2000 installation sources and if the user does not answer anything within one hour, all Office 2000 patches are skipped. Skype Update requires reboot when distributed through SWUP (CSEP-631) When Software Updater updates Skype, the Skype update (for example from version 6.3 to version 6.5) requests to restart the computer. 6. Contact information and feedback We look forward to hearing your comments and feedback on the product functionality, usability and performance. Please report any technical issues via: F-Secure support web site: http://support.f-secure.com/ F-Secure Community: http://community.f-secure.com/t5/business/ctp/business_security_solutions When reporting a technical problem, please attach the F-Secure system summary report to the feedback. To collect the system summary report, you need to have administrator rights.
In Windows XP, select Start All Programs F-Secure Client Security, right-click on Support Tool, select Run as and finally select to run the program as administrator. In Windows Vista and Windows 7, select Start All Programs F-Secure Client Security Premium, right-click on Support Tool and select Run as administrator. In Windows 8, right-click on Support Tool application in Metro UI and use Run as Administrator option. 7. F-Secure license terms F-Secure license terms are included in the software. You must read and accept them before you can install and use the software.