
F-Secure Policy Manager 8.0

Administrator’s Guide

"F-Secure" and the triangle symbol are registered trademarks of F-Secure Corporation and
F-Secure product names and symbols/logos are either trademarks or registered trademarks of
F-Secure Corporation. All product names referenced herein are trademarks or registered
trademarks of their respective companies. F-Secure Corporation disclaims proprietary interest in
the marks and names of others. Although F-Secure Corporation makes every effort to ensure that
this information is accurate, F-Secure Corporation will not be liable for any errors or omission of
facts contained herein. F-Secure Corporation reserves the right to modify specifications cited in
this document without prior notice.

Companies, names and data used in examples herein are fictitious unless otherwise noted. No
part of this document may be reproduced or transmitted in any form or by any means, electronic or
mechanical, for any purpose, without the express written permission of F-Secure Corporation.

This product may be covered by one or more F-Secure patents, including the following:

GB2353372 GB2366691 GB2366692 GB2366693 GB2367933 GB2368233 GB2374260

Copyright © 2008 F-Secure Corporation. All rights reserved. 12000013-7A12


Contents
About This Guide
Overview
How This Guide is Organized
Conventions Used in F-Secure Guides
Symbols

Chapter 1 Introduction
1.1 Overview
1.2 Installation Order
1.3 Features
1.4 Policy-Based Management
1.4.1 Management Information Base

Chapter 2 System Requirements
2.1 F-Secure Policy Manager Server
2.2 F-Secure Policy Manager Console

Chapter 3 Installing F-Secure Policy Manager Server
3.1 Overview
3.2 Security Issues
3.2.1 Installing F-Secure Policy Manager in High Security Environments
3.3 Installation Steps
3.4 Configuring F-Secure Policy Manager Server
3.4.1 Changing the Communication Directory Path
3.4.2 Changing the Ports Where the Server Listens for Requests
3.4.3 F-Secure Policy Manager Server Configuration Settings
3.5 Uninstalling F-Secure Policy Manager Server

Chapter 4 Installing F-Secure Policy Manager Console
4.1 Overview
4.2 Installation Steps
4.3 Uninstalling F-Secure Policy Manager Console

Chapter 5 Using F-Secure Policy Manager Console
5.1 Overview
5.2 F-Secure Policy Manager Console Basics
5.2.1 Logging In
5.2.2 F-Secure Client Security Management
5.2.3 The Advanced Mode User Interface
5.2.4 Policy Domain Pane
5.2.5 Properties Pane
5.2.6 Product View Pane
5.2.7 Messages Pane
5.2.8 The Toolbar
5.2.9 Menu Commands
5.3 Managing Domains and Hosts
5.3.1 Adding Policy Domains
5.3.2 Adding Hosts
5.3.3 Host Properties
5.4 Software Distribution
5.4.1 F-Secure Push Installations
5.4.2 Policy-Based Installation
5.4.3 Local Installation and Updates with Pre-Configured Packages
5.4.4 Information Delivery
5.5 Managing Policies
5.5.1 Settings
5.5.2 Restrictions
5.5.3 Saving the Current Policy Data
5.5.4 Distributing Policy Files
5.5.5 Policy Inheritance
5.6 Managing Operations and Tasks
5.7 Alerting
5.7.1 Viewing Alerts and Reports
5.7.2 Configuring Alert Forwarding
5.8 Reporting Tool
5.8.1 Policy Domain / Host Selector Pane
5.8.2 Report Type Selector Pane
5.8.3 Report Pane
5.8.4 Bottom Pane
5.9 Preferences
5.9.1 Connection-Specific Preferences
5.9.2 Shared Preferences

Chapter 6 Maintaining F-Secure Policy Manager Server
6.1 Overview
6.2 Backing Up & Restoring F-Secure Policy Manager Console Data
6.3 Replicating Software Using Image Files

Chapter 7 Updating F-Secure Virus Definition Databases
7.1 Automatic Updates with F-Secure Automatic Update Agent
7.2 Using the Automatic Update Agent
7.2.1 Configuration
7.2.2 How to Read the Log File
7.3 Forcing the Update Agent to Check for New Updates Immediately
7.4 Updating the Databases Manually
7.5 Troubleshooting

Chapter 8 F-Secure Policy Manager on Linux
8.1 Overview
8.1.1 Differences Between Windows and Linux
8.1.2 Supported Distributions
8.2 Installation
8.2.1 Installing F-Secure Automatic Update Agent
8.2.2 Installing F-Secure Policy Manager Server
8.2.3 Installing F-Secure Policy Manager Console
8.2.4 Installing F-Secure Policy Manager Web Reporting
8.3 Configuration
8.4 Uninstallation
8.4.1 Uninstalling F-Secure Policy Manager Web Reporting
8.4.2 Uninstalling F-Secure Policy Manager Console
8.4.3 Uninstalling F-Secure Policy Manager Server
8.4.4 Uninstalling F-Secure Automatic Update Agent
8.5 Frequently Asked Questions

Chapter 9 Web Reporting
9.1 Overview
9.2 Introduction
9.3 Web Reporting Client System Requirements
9.4 Generating and Viewing Reports
9.4.1 Required Browser Settings for Viewing Web Reports
9.4.2 Generating a Report
9.4.3 Creating a Printable Report
9.4.4 Generating a Specific URL for Automated Report Generation
9.5 Maintaining Web Reporting
9.5.1 Disabling Web Reporting
9.5.2 Enabling Web Reporting
9.5.3 Restricting or Allowing Wider Access to Web Reports
9.5.4 Changing the Web Reporting Port
9.5.5 Creating a Backup Copy of the Web Reporting Database
9.5.6 Restoring the Web Reporting Database from a Backup Copy
9.5.7 Changing the Maximum Data Storage Time in the Web Reporting Database
9.6 Web Reporting Error Messages and Troubleshooting
9.6.1 Error Messages
9.6.2 Troubleshooting

Chapter 10 F-Secure Policy Manager Proxy
10.1 Overview
10.2 Main Differences between Anti-Virus Proxy and Policy Manager Proxy

Chapter 11 Troubleshooting
11.1 Overview
11.2 F-Secure Policy Manager Server and Console
11.3 F-Secure Policy Manager Web Reporting
11.4 Policy Distribution

Appendix A SNMP Support
A.1 Overview
A.1.1 SNMP Support for F-Secure Management Agent
A.2 Installing F-Secure Management Agent with SNMP Support
A.2.1 F-Secure SNMP Management Extension Installation
A.3 Configuring The SNMP Master Agent
A.4 Management Information Base

Appendix B Ilaunchr Error Codes
B.1 Overview
B.2 Error Codes

Appendix C FSII Remote Installation Error Codes
C.1 Overview
C.2 Windows Error Codes
C.3 Error Messages

Appendix D NSC Notation for Netmasks
D.1 Overview

Technical Support
Overview
Web Club
Virus Descriptions on the Web
Advanced Technical Support
F-Secure Technical Product Training
Training Program
Contact Information

Glossary
About F-Secure Corporation

ABOUT THIS GUIDE

Overview
How This Guide is Organized

Overview
F-Secure Policy Manager provides tools for administering the following
F-Secure software products:
F-Secure Client Security
F-Secure Internet Gatekeeper for Windows
F-Secure Anti-Virus for:
  Windows Workstations
  Windows Servers
  Citrix Servers
  Microsoft Exchange
  MIMEsweeper
F-Secure Linux Security
F-Secure Linux Client Security
F-Secure Linux Server Security
F-Secure Policy Manager Proxy.

How This Guide is Organized


The F-Secure Policy Manager Administrator’s Guide is divided into the
following chapters.
Chapter 1. Introduction. Describes the architecture and components of
the policy-based management.
Chapter 2. System Requirements. Defines the software and hardware
requirements for F-Secure Policy Manager Console and F-Secure Policy
Manager Server.
Chapter 3. Installing F-Secure Policy Manager Server. Covers the
installation of F-Secure Policy Manager Server on the server machine.
Chapter 4. Installing F-Secure Policy Manager Console. Covers the
installation of F-Secure Policy Manager Console applications on the
administrator’s workstation.
Chapter 5. Using F-Secure Policy Manager Console. Includes an
overview, setup procedures, the logon procedure, menu commands, and
basic tasks.
Chapter 6. Maintaining F-Secure Policy Manager Server. Covers backup
procedures and restoration routines.
Chapter 7. Updating F-Secure Virus Definition Databases. Describes the
various ways you can update your virus definition databases.
Chapter 8. F-Secure Policy Manager on Linux. Describes how to install
and manage F-Secure Policy Manager on Linux.
Chapter 9. Web Reporting. Describes how to use F-Secure Policy
Manager Web Reporting, a new enterprise-wide graphical reporting
system included in F-Secure Policy Manager Server.
Chapter 10. F-Secure Policy Manager Proxy. Contains a brief
introduction to F-Secure Policy Manager Proxy.
Chapter 11. Troubleshooting. Contains troubleshooting information and
frequently asked questions.
Appendix A. SNMP Support. Contains information about SNMP support.
Appendix B. Ilaunchr Error Codes. Contains a list of Ilaunchr error codes.
Appendix C. FSII Remote Installation Error Codes. Describes the most
common error codes and messages that can occur during the
Autodiscover Windows Hosts operation.
Appendix D. NSC Notation for Netmasks. Defines and offers information
on NSC notation for Netmasks.
Glossary — Explanation of terms
Technical Support — Web Club and contact information for assistance.
About F-Secure Corporation — Company background and products.

Conventions Used in F-Secure Guides


This section describes the symbols, fonts, and terminology used in this
manual.

Symbols

WARNING: The warning symbol indicates a situation with a risk of
irreversible destruction to data.

IMPORTANT: An exclamation mark provides important information that you
need to consider.

REFERENCE - A book refers you to related information on the topic
available in another document.

NOTE - A note provides additional information that you should consider.

TIP - A tip provides information that can help you perform a task
more quickly or easily.

⇒ An arrow indicates a one-step procedure.

Fonts
Arial bold (blue) is used to refer to menu names and commands, to
buttons and other items in a dialog box.
Arial Italics (blue) is used to refer to other chapters in the manual, book
titles, and titles of other manuals.
Arial Italics (black) is used for file and folder names, for figure and table
captions, and for directory tree names.
Courier New is used for messages on your computer screen.
Courier New bold is used for information that you must type.
SMALL CAPS (BLACK) is used for a key or key combination on your
keyboard.
Arial underlined (blue) is used for user interface links.
Arial italics is used for window and dialog box names.

PDF Document
This manual is provided in PDF (Portable Document Format). The PDF
document can be used for online viewing and printing using Adobe®
Acrobat® Reader. When printing the manual, please print the entire
manual, including the copyright and disclaimer statements.

For More Information


Visit F-Secure at http://www.f-secure.com for documentation, training
courses, downloads, and service and support contacts.
In our constant attempts to improve our documentation, we would
welcome your feedback. If you have any questions, comments, or
suggestions about this or any other F-Secure document, please contact
us at documentation@f-secure.com.
1 INTRODUCTION

Overview
Installation Order
Features
Policy-Based Management

1.1 Overview
F-Secure Policy Manager provides a scalable way to manage the security
of numerous applications on multiple operating systems, from one central
location. It can be used to keep security software up-to-date, manage
configurations, oversee enterprise compliance, and can be scaled to
handle even the largest, most mobile workforce. F-Secure Policy
Manager provides a tightly integrated infrastructure for defining security
policies, distributing policies and installing application software to local as
well as remote systems, and monitoring the activities of all systems in the
enterprise to ensure compliance with corporate policies and centralized
control.
The power of F-Secure Policy Manager lies in the F-Secure
management architecture, which provides high scalability for a widely
distributed, mobile workforce. F-Secure Policy Manager consists of
F-Secure Policy Manager Console and F-Secure Policy Manager Server.
They are seamlessly integrated with the F-Secure Management Agent
that handles all management functions on local hosts.

Main Components of F-Secure Policy Manager


F-Secure Policy Manager Console provides a centralized management
console for the security of the managed hosts in the network. It enables
the administrator to organize the network into logical units for sharing
policies. These policies are defined in F-Secure Policy Manager Console
and then distributed to the workstations through the F-Secure Policy
Manager Server. F-Secure Policy Manager Console is a Java-based
application that can be run on several different platforms. It can be used
to remotely install the Management Agent on other workstations without
the need for local login scripts, restarting, or any intervention by the end
user.
F-Secure Policy Manager Server is the repository for policies and
software packages distributed by the administrator, and status information
and alerts sent by the managed hosts. It provides scalability by working
as an extension to the Apache web server. Communication between
F-Secure Policy Manager Server and the managed hosts is accomplished
through the standard HTTP protocol, which ensures trouble-free
performance on the LAN and WAN.
F-Secure Policy Manager Web Reporting is an enterprise-wide, web-based
graphical reporting system included in F-Secure Policy Manager
Server. With F-Secure Policy Manager Web Reporting you can quickly
create graphical reports based on historical trend data and identify
computers that are unprotected or vulnerable to virus outbreaks.
F-Secure Policy Manager Update Server & Agent are used for
updating virus and spyware definitions on the managed hosts. F-Secure
Automatic Update Agent allows users to receive automatic updates and
informational content without interrupting their work to wait for files to
download from the Web. F-Secure Automatic Update Agent downloads
files automatically in the background using bandwidth not being used by
other Internet applications, so the users can always be sure they will have
the latest updates without having to search the Web. If F-Secure
Automatic Update Agent is always connected to the Internet, it will
automatically receive new virus definition updates within about two hours
after they have been published by F-Secure.
F-Secure Management Agent enforces the security policies set by the
administrator on the managed hosts, and provides the end user with a
user interface and other services. It handles all management functions on
the local workstations and provides a common interface for all F-Secure
applications, and operates within the policy-based management
infrastructure.

1.2 Installation Order


To install F-Secure Policy Manager, please follow this installation order
(unless you are installing F-Secure Policy Manager Server and F-Secure
Policy Manager Console on the same machine, in which case setup
installs all components during the same installation process):
1. F-Secure Policy Manager Server and F-Secure Policy Manager
Update Server & Agent,
2. F-Secure Policy Manager Console,
3. Managed point applications.

1.3 Features
Software Distribution
First-time installation on Windows domains with F-Secure Push Installation.
Updating of executable files and data files, including virus definition databases.
Support for policy-based updates. Policies force the F-Secure Management Agent to perform updates on a host. Both policies and software packages are signed, making the entire update process strongly authenticated and secure.
Updates can be provided in several ways:
  From the F-Secure CD.
  From the F-Secure Web site to the customer. These can be automatically ‘pushed’ by F-Secure Automatic Update Agent, or voluntarily ‘pulled’ from the F-Secure website.
F-Secure Policy Manager Console can be used to export pre-configured installation packages, which can also be delivered using third-party software, such as SMS, and similar tools.

Configuration and Policy Management


Centralized configuration of security policies. The policies are
distributed from F-Secure Policy Manager Server by the
administrator to the user’s workstation. Integrity of the policies is
ensured through the use of digital signatures.

Event Management
Reporting through the Management API to the Event Viewer
(local and remote logs), SNMP agent, e-mail, report files, etc.
Event redirection through policies.
Event statistics.

Performance Management
Statistics and performance data handling and reporting.

Task Management
Management of virus scanning tasks and other operations.

1.4 Policy-Based Management


A security policy is a set of well-defined rules that regulate how sensitive
information and other resources are managed, protected, and distributed.
The management architecture of F-Secure software uses policies that are
centrally configured by the administrator for optimum control of security in
a corporate environment. Policy-based management implements many
functions:
Remotely controlling and monitoring the behavior of the products
Monitoring statistics provided by the products and the Management Agent
Remotely starting predefined operations
Transmission of alerts and notifications from the products to the system administrator

The information flow between F-Secure Policy Manager Console and the
hosts is accomplished by transferring policy files. There are three kinds of
policy files:
Default Policy files (.dpf)
Base Policy files (.bpf)
Incremental Policy files (.ipf)
The current settings of a product consist of all three policy file types:

Default Policy Files


The Default Policy file contains the default values (the factory settings) for
a single product that are installed by the setup. Default policies are used
only on the host. If neither the Base Policy file nor the Incremental Policy
file contains an entry for a variable, then the value is taken from the
Default Policy file. New product versions get new versions of the Default
Policy file.

Base Policy Files


Base Policy files contain the administrative settings and restrictions for all
the variables for all F-Secure products on a specific host (with domain-level
policies, a group of hosts may share the same file). A Base Policy
file is signed by F-Secure Policy Manager Console, protecting the file
against changes while it is passing through the network and while it is
stored in the host’s file system. These files are sent from F-Secure Policy
Manager Console to the F-Secure Policy Manager Server. The host
periodically polls for new policies created by F-Secure Policy Manager
Console.

Incremental Policy Files


Incremental Policy files are used to store local changes to the Base
Policy. Only changes that fall within the limits specified in the Base Policy
are allowed. The Incremental Policy files are then periodically sent to
F-Secure Policy Manager Console so that current settings and statistics
can be viewed by the administrator.
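
The layering described above, as an added example (not F-Secure code and not from the original guide): a Python model that resolves each variable from the Incremental, Base and Default layers and ignores local changes that fall outside the Base Policy's limits. The precedence order, the placeholder OIDs, the in-memory layout and the `locked`/`minimum`/`maximum` limit fields are assumptions for illustration; the real policy file format is not shown in this section.

```python
"""Toy model of how the Default, Base and Incremental policy layers combine.

Constructed illustration only: the OID strings, the in-memory layout and the
'locked' / 'minimum' / 'maximum' limit fields are assumptions made for this
example, not the real .dpf/.bpf/.ipf formats.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple


@dataclass
class BaseEntry:
    """One variable in the Base Policy: admin value plus limits on local change."""
    value: Any = None               # administrator's setting (None = not set)
    locked: bool = False            # assumed limit: no local change allowed
    minimum: Optional[int] = None   # assumed limit: lowest allowed local value
    maximum: Optional[int] = None   # assumed limit: highest allowed local value

    def permits(self, candidate: Any) -> bool:
        """Return True if a local (incremental) change stays within the limits."""
        if self.locked:
            return False
        if self.minimum is None and self.maximum is None:
            return True
        # Range limits only apply to integers; reject anything else.
        if isinstance(candidate, bool) or not isinstance(candidate, int):
            return False
        if self.minimum is not None and candidate < self.minimum:
            return False
        if self.maximum is not None and candidate > self.maximum:
            return False
        return True


def resolve(
    default: Dict[str, Any],
    base: Dict[str, BaseEntry],
    incremental: Dict[str, Any],
) -> Tuple[Dict[str, Tuple[Any, str]], List[str]]:
    """Return ({oid: (value, source_layer)}, [oids whose local change was ignored])."""
    effective: Dict[str, Tuple[Any, str]] = {}
    rejected: List[str] = []
    for oid in sorted(set(default) | set(base) | set(incremental)):
        entry = base.get(oid)
        if oid in incremental:
            # A local change counts only if the Base Policy's limits allow it.
            if entry is None or entry.permits(incremental[oid]):
                effective[oid] = (incremental[oid], "incremental")
                continue
            rejected.append(oid)
        if entry is not None and entry.value is not None:
            effective[oid] = (entry.value, "base")
        elif oid in default:
            # Neither Base nor Incremental supplies a value: factory setting.
            effective[oid] = (default[oid], "default")
    return effective, rejected


# Placeholder OIDs (constructed, not real F-Secure MIB identifiers).
SCAN_ENABLED = "1.3.6.1.4.1.0.1.1"
POLL_SECONDS = "1.3.6.1.4.1.0.1.2"
ALERT_LEVEL = "1.3.6.1.4.1.0.1.3"
LOG_DAYS = "1.3.6.1.4.1.0.1.4"

# Constructed sample layers.
DEFAULT = {SCAN_ENABLED: True, POLL_SECONDS: 600, ALERT_LEVEL: "warning", LOG_DAYS: 30}
BASE = {
    SCAN_ENABLED: BaseEntry(value=True, locked=True),
    POLL_SECONDS: BaseEntry(value=300, minimum=60, maximum=3600),
    LOG_DAYS: BaseEntry(minimum=7, maximum=90),   # limits only, no admin value
}
INCREMENTAL = {SCAN_ENABLED: False, POLL_SECONDS: 120, LOG_DAYS: 1}

if __name__ == "__main__":
    settings, ignored = resolve(DEFAULT, BASE, INCREMENTAL)
    for oid, (value, layer) in settings.items():
        print(f"{oid} = {value!r} (from {layer} policy)")
    print("ignored local changes:", ignored)
```

In the sample data, the local attempt to switch off the locked scanning variable is ignored and the administrator's value stays in force, while the in-range polling interval is accepted.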

1.4.1 Management Information Base


The Management Information Base (MIB) is a hierarchical management
data structure used in the Simple Network Management Protocol
(SNMP). In F-Secure Policy Manager, the MIB structure is used for
defining the contents of the policy files. Each variable has an Object
Identifier (OID) and a value that can be accessed using the Policy API. In
addition to basic SNMP MIB definitions, the F-Secure MIB concept
includes many extensions that are needed for complete policy-based
management.
The following categories are defined in a product’s MIB:

Settings: Used to manage the workstation in the manner of an SNMP. The
managed products must operate within the limits specified here.

Statistics: Delivers product statistics to F-Secure Policy Manager Console.

Operations: Operations are handled with two policy variables: (1) a
variable for transferring the operation identifier to the host, and (2) a
variable for informing F-Secure Policy Manager Console about the
operations that were performed. The second variable is transferred using
normal statistics; it acknowledges all previous operations at one time. A
custom editor for editing operations is associated with the subtree; the
editor hides the two variables.

Private: The management concept MIBs may also contain variables which
the product stores for its internal use between sessions. This way, the
product does not need to rely on external services such as Windows
registry files.

Traps: Traps are the messages (including alerts and events) that are sent
to the local console, log file, remote administration process, etc. The
following types of traps are sent by most of the F-Secure products:
  Info. Normal operating information from a host.
  Warning. A warning from the host.
  Error. A recoverable error on the host.
  Fatal error. An unrecoverable error on the host.
  Security alert. A security hazard on the host.

2 SYSTEM REQUIREMENTS

F-Secure Policy Manager Server
F-Secure Policy Manager Console

2.1 F-Secure Policy Manager Server


In order to install F-Secure Policy Manager Server, your system must
meet the following minimum requirements:

Operating system:  Microsoft Windows:
                     Microsoft Windows 2000 Server (SP 4 or higher)
                     Windows 2003 Server (32- and 64-bit)
                     Windows 2008 Server (32- and 64-bit)
                   Linux:
                     Red Hat Enterprise Linux 3, 4 and 5
                     openSUSE Linux 10.3
                     SUSE Linux Enterprise Server 9 and 10
                     SUSE Linux Enterprise Desktop 10
                     Debian GNU Linux Etch 4.0
                     Ubuntu 8.04 Hardy

Processor:         Intel Pentium III 450 MHz processor or faster.
                   Managing more than 5000 hosts or using Web
                   Reporting requires Intel Pentium III 1 GHz level
                   processor or faster.

Memory:            256 MB RAM
                   When Web Reporting is enabled, 512 MB RAM.

Disk space:        200 MB of free hard disk space; 500 MB or more is
                   recommended. The disk space requirements depend
                   on the size of the installation.
                   In addition to this it is recommended to allocate
                   about 1 MB per host for alerts and policies. The
                   actual disk space consumption per host is hard
                   to anticipate, since it depends on how the
                   policies are used and how many installation
                   packages are stored.

Network:           10 Mbit network. Managing more than 5000
                   hosts requires a 100 Mbit network.

2.2 F-Secure Policy Manager Console


In order to install F-Secure Policy Manager Console, your system must
meet the following minimum requirements:

Operating system:  Microsoft Windows:
                     Microsoft Windows 2000 Professional (SP4 or
                     higher)
                     Windows XP Professional (SP2 or higher)
                     Windows Vista (32- and 64-bit)
                     Windows 2000 Server SP4
                     Windows 2003 Server (32- and 64-bit)
                     Windows 2008 Server (32- and 64-bit)
                   Linux:
                     Red Hat Enterprise Linux 3, 4 and 5
                     openSUSE Linux 10.3
                     SUSE Linux Enterprise Server 9 and 10
                     SUSE Linux Enterprise Desktop 10
                     Debian GNU Linux Etch 4.0
                     Ubuntu 8.04 Hardy

Processor:         Intel Pentium III 450 MHz processor or faster.
                   Managing more than 5000 hosts requires
                   Pentium III 750 MHz processor or faster.

Memory:            256 MB of RAM. Managing more than 5000
                   hosts requires 512 MB of memory.

Disk space:        100 MB of free hard disk space.

Display:           Minimum 256-color display with resolution of
                   1024x768 (32-bit color with 1280x960 or higher
                   resolution recommended).

Network:           Ethernet network interface or equivalent.
                   10 Mbit network between console and server is
                   recommended. Managing more than 5000 hosts
                   requires 100 Mbit connection between console
                   and server.

3 INSTALLING F-SECURE POLICY MANAGER SERVER

Overview
Security Issues
Installation Steps
Uninstalling F-Secure Policy Manager Server

3.1 Overview
The following are advanced instructions for installing F-Secure
Policy Manager Server on a machine dedicated only to the Server.
F-Secure Policy Manager Server can also be installed on the same
machine as F-Secure Policy Manager Console.
F-Secure Policy Manager Server is the link between F-Secure Policy
Manager Console and the managed hosts and acts as the repository for
policies and software packages distributed by the administrator, as well
as status information and alerts sent by the managed hosts.
Communication between F-Secure Policy Manager Server and other
components can be achieved through the standard HTTP protocol, which
ensures trouble-free performance on LAN and global networks.
The information stored by F-Secure Policy Manager Server includes the
following files:
- Policy Domain Structure.
- Policy Data, which is the actual policy information attached to
  each policy domain or host.
- Base Policy files generated from the policy data.
- Status Information, including incremental policy files, alerts, and
  reports.
- Autoregistration requests sent by the hosts.
- Host certificates.
- Security News received from F-Secure.
- Product installation and virus definition database update
  packages.
- The Web Reporting component stores statistics and historical
  trend data about the hosts.

3.2 Security Issues


F-Secure Policy Manager Server utilizes Apache Web Server technology,
and even though we do the utmost to deliver a secure and up-to-date
technology we advise you to regularly consult the following sites for
information on Apache technology and security.
The most up-to-date information on security issues related to operating
systems and the Apache web server can be found at the CERT web site:
http://www.cert.org.
A document containing advice on how to secure an installation of the
Apache web server is available at
http://www.apache.org/docs/misc/security_tips.html, and a list of
vulnerabilities at http://www.apacheweek.com/features/security-13.

The release notes contain important information about installation
and security. Read these notes carefully!

3.2.1 Installing F-Secure Policy Manager in High Security Environments

F-Secure Policy Manager is designed to be used in internal corporate
networks mainly for managing F-Secure Anti-Virus products. F-Secure
does not recommend using F-Secure Policy Manager over public
networks such as the Internet.

IMPORTANT: When installing F-Secure Policy Manager in high
security environments, you should make sure that the
Administration port (by default port 8080) and the Host port (by
default port 80) are not visible on the Internet.

F-Secure Policy Manager's Built-In Security Features


F-Secure Policy Manager has built-in security features that ensure
detection of changes in the policy domain structure and policy data. More
importantly, it is impossible to deploy unauthorized changes to managed
hosts. Both these features rely on a management key pair that is
available to administrators only. These features, based on strong digital
signatures, provide the right balance between usability and security in
most Anti-Virus installations, but the following features may require
additional configuration in high security environments:
1. By default, all users can access the Policy Manager Server in
read-only mode but are only able to view the management data. This
is a convenient way of sharing information to users who are not
allowed full administrative rights. Multiple users can keep a read-only
session open simultaneously, monitoring the system status without
affecting other administrators or managed hosts in any way.
2. To enable easy migration to new management keys, it is possible to
re-sign the policy domain structure and policy data with a newly
generated or previously existing key pair. If this is done accidentally,
or intentionally by an unauthorized user, the authorized user will
notice the change when he tries to log in to F-Secure Policy Manager
the next time. In the worst case, the authorized user needs to recover
backups in order to remove the possible changes made by the
unauthorized user. In any case, the policy domain structure and
policy data changes will be detected, and there is no way to distribute
the changes to managed hosts without the correct original key pair.
Both of these features may be undesirable in a high security environment
where even seeing the management data should be restricted. The
following measures can be taken to increase the level of system security:

Possible different installation scenarios for high security
environments:
1. F-Secure Policy Manager Server and F-Secure Policy Manager
Console will be installed in the same machine and access to the
F-Secure Policy Manager Server will be limited only to the localhost.
After this, only the person who has physical access to the localhost
can use the F-Secure Policy Manager Console.
When access to the F-Secure Policy Manager Server is limited only
to the localhost during the installation (see Step 8 on page 40),
F-Secure Setup modifies the #FSMSA listen directive in httpd.conf file
as follows:
#FSMSA listen
# Allow connections only from localhost to PMC port 8080
Listen 127.0.0.1:8080
2. Access to F-Secure Policy Manager Server will be limited only to the
separately defined IP addresses by editing the httpd.conf file.

If the access to port 8080 was limited only to the localhost during
the setup, you should now open the port and then define the list of
allowed IP addresses (see the Listen 8080 directive in the example
below).

Below is an example of edited httpd.conf file section:

#FSMSA listen
# Make sure that connections are not limited to localhost only
Listen 8080

#FSMSA port
<VirtualHost _default_:8080>
<Location /fsmsa/fsmsa.dll>
Order Deny,Allow
# First deny all
Deny from all
# Then allow access to the server from local machine
Allow from 127.0.0.1
# Allow access from the server machine
Allow from 10.128.129.2
# Allow access from Administrator's workstation
Allow from 10.128.129.209
SetHandler fsmsa-handler
</Location>
</VirtualHost>
After this, only the person who has access to the machines with the
defined IP addresses can use F-Secure Policy Manager Console.
3. If there is a very strong need to use F-Secure Policy Manager over a
public network (such as the Internet), it is recommended to encrypt
the connection between F-Secure Policy Manager Server and
F-Secure Policy Manager Console with a VPN or SSH type product.
As an alternative, F-Secure Policy Manager Console and F-Secure Policy
Manager Server can be installed on the same machine, and access
limited to the localhost. Remote administrator access to the F-Secure
Policy Manager Console can be arranged by using a secure remote
desktop product.

Installing F-Secure Policy Manager Web Reporting in High-Security
Environments

F-Secure Policy Manager Web Reporting is designed to be used in
internal corporate networks for generating graphical reports of, for
example, F-Secure Client Security virus protection status and alerts.
F-Secure does not recommend using F-Secure Policy Manager Web
Reporting over public networks such as the Internet.
Possible different installation scenarios for high security
environments:
1. Access to Web Reports is limited to localhost only during the
installation. After this, only the person who has physical access to the
localhost can use F-Secure Policy Manager Web Reporting.
When access to F-Secure Policy Manager Web Reporting is limited
only to the localhost during the installation (see , 41), F-Secure Setup
modifies the #Web Reporting listen directive in httpd.conf file as
follows:
#Web Reporting listen
# Allow connections only from localhost to Web Reporting port 8081
Listen 127.0.0.1:8081
2. Access to F-Secure Policy Manager Web Reporting is limited only to
the separately defined IP addresses by editing the httpd.conf file (see
below).

If the access to port 8081 was limited only to the localhost during
the setup, you should now open the port and then define the list of
allowed IP addresses (see the Listen 8081 directive in the example
below).

Below is an example of edited httpd.conf file section, in which access
is allowed from the localhost and from one separately defined IP
address:
#Web Reporting listen
Listen 8081

# Web Reporting port:
<VirtualHost _default_:8081>
JkMount /* ajp13
ErrorDocument 500 "Policy Manager Web Reporting could not be contacted by the Policy Manager Server.
<Location / >
Order Deny,Allow
# First deny all
Deny from all
# Then allow access to Web Reporting from the local machine
Allow from 127.0.0.1
# Allow access from Administrator's workstation
Allow from 10.128.129.209
</Location>
</VirtualHost>
After this, only the person who has access to the local host or the
machine with the defined IP address can use F-Secure Policy
Manager Web Reporting.
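
The following check is an added example, not part of the F-Secure guide or product: it reads an httpd.conf and reports, for the Administration port (8080) and the Web Reporting port (8081), whether the port is bound to the localhost, restricted by a Deny/Allow list as in the scenarios above, or open. The function name, the result labels and both sample configurations are assumptions constructed from the directives shown in this section.

```python
import re

LOOPBACK = {"127.0.0.1", "localhost"}

def audit_httpd_conf(text, ports=(8080, 8081)):
    """Return {port: (state, allowed_addresses)} for the given ports.

    state is 'not-listening', 'localhost-only', 'allowlist' or 'open'.
    """
    listens = {}    # port -> set of bind addresses ("*" means every interface)
    locations = {}  # port -> one dict per <Location> in that port's <VirtualHost>
    vhost_port = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # httpd.conf comments are whole lines
        low = line.lower()                # directive names are case-insensitive
        m = re.match(r"listen\s+(?:(\S+):)?(\d+)$", low)
        if m:
            listens.setdefault(int(m.group(2)), set()).add(m.group(1) or "*")
        elif (m := re.match(r"<virtualhost\s+\S+:(\d+)>", low)):
            vhost_port = int(m.group(1))
            locations.setdefault(vhost_port, [])
        elif low.startswith("</virtualhost"):
            vhost_port = None
        elif low.startswith("<location") and vhost_port is not None:
            current = {"order": None, "deny_all": False, "allow": []}
            locations[vhost_port].append(current)
        elif low.startswith("</location"):
            current = None
        elif current is not None:
            if (m := re.match(r"order\s+(\S+)$", low)):
                current["order"] = m.group(1)
            elif re.match(r"deny\s+from\s+all$", low):
                current["deny_all"] = True
            elif (m := re.match(r"allow\s+from\s+(.+)$", low)):
                current["allow"].extend(m.group(1).split())

    report = {}
    for port in ports:
        binds = listens.get(port)
        locs = locations.get(port, [])
        if not binds:
            report[port] = ("not-listening", [])
        elif binds <= LOOPBACK:
            report[port] = ("localhost-only", [])
        elif locs and all(l["order"] == "deny,allow" and l["deny_all"]
                          and "all" not in l["allow"] for l in locs):
            # Every <Location> denies by default; collect the exceptions.
            allowed = []
            for l in locs:
                allowed += [a for a in l["allow"] if a not in allowed]
            report[port] = ("allowlist", allowed)
        else:
            report[port] = ("open", [])
    return report

# Constructed sample: setup defaults as the guide describes them (Administration
# module bound to the local machine, Web Reporting reachable from other computers).
SETUP_DEFAULTS = """\
#FSMSA listen
Listen 127.0.0.1:8080
#Web Reporting listen
Listen 8081
<VirtualHost _default_:8080>
<Location /fsmsa/fsmsa.dll>
SetHandler fsmsa-handler
</Location>
</VirtualHost>
<VirtualHost _default_:8081>
JkMount /* ajp13
</VirtualHost>
"""

# Constructed sample: both edited sections from this guide combined in one file.
HARDENED = """\
Listen 8080
Listen 8081
<VirtualHost _default_:8080>
<Location /fsmsa/fsmsa.dll>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from 10.128.129.2
Allow from 10.128.129.209
SetHandler fsmsa-handler
</Location>
</VirtualHost>
<VirtualHost _default_:8081>
JkMount /* ajp13
<Location / >
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from 10.128.129.209
</Location>
</VirtualHost>
"""

if __name__ == "__main__":
    for name, conf in (("setup defaults", SETUP_DEFAULTS), ("hardened", HARDENED)):
        print(name, audit_httpd_conf(conf))
```

A port reported as open is one that still needs either the localhost binding or a Deny/Allow list before the server is used in a high security environment.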

3.3 Installation Steps


To install F-Secure Policy Manager Server, you need physical access to
the server machine.

Step 1. 1. Insert the F-Secure CD in your CD-ROM drive.
2. Select Corporate Use. Click Next to continue.
3. Go to the Install or Update Managed Software menu and select
F-Secure Policy Manager.

Step 2. Setup begins. View the Welcome screen, and follow the setup
instructions. Select the installation language from the drop-down menu.
Click Next to continue.

Step 3. Read the license agreement information. If you agree, select I accept this
agreement. Click Next to continue.

Step 4. If you are installing on a clean computer, select F-Secure Policy Manager
Server. Click Next to continue.

Step 5. Choose the destination folder. Click Next.


It is recommended to use the default installation directory. If you want to
install F-Secure Policy Manager Server in a different directory, you can
use the Browse feature.

WARNING: If you have F-Secure Management Agent installed
in the same machine you must not change the installation
directory of the F-Secure Policy Manager Server.

Step 6. Setup requests confirmation if a previous installation of F-Secure Policy
Manager exists.
1. If Yes, select I have existing F-Secure Policy Manager installation.
Enter the communication directory path of the installed F-Secure
Policy Manager. The contents of this directory will be copied under
<server installation directory>\ Communication Directory (commdir\
directory under F-Secure Policy Manager Server installation
directory), and this will be the directory that F-Secure Policy Manager
Server will use as a repository. You can use the previous commdir as
a backup, or you can delete it once you have verified that F-Secure
Policy Manager Server is correctly installed.
2. If No, select I do not have existing F-Secure Policy Manager.
This will not require an existing commdir, and will create an empty
commdir in the default location (under <F-Secure Policy Manager 5
installation directory>\commdir).
Click Next to continue.

Step 7. Select whether you want to keep the existing settings or change them.

This dialog is displayed only if a previous installation of F-Secure
Policy Manager Server was detected on the computer.

- By default the setup keeps the existing settings. Select this option
  if you have manually updated the F-Secure Policy Manager
  Server configuration file (HTTPD.conf). This option automatically
  keeps the existing administration, host and web reporting ports.
- If you want to change the ports from the previous installation,
  select the Change settings option. This option overwrites the
  HTTPD.conf file, and restores the settings to defaults.

Step 8. Select the F-Secure Policy Manager Server modules to enable:
- Host module is used for communication with the hosts. The
  default port is 80.
- Administration module is used for communication with F-Secure
  Policy Manager Console. The default HTTP port is 8080.

  If you want to change the default port for communication,
  you will also need to change the HTTP Port Number setting
  in F-Secure Policy Manager Console.

  By default the access to the Administration module is restricted to
  the local machine. This is the most secure way to use the
  product.
  When using a connection over a network, please consider
  securing the communication with F-Secure SSH.

  For environments requiring maximum security, see section
  Installing F-Secure Policy Manager in High Security
  Environments in F-Secure Policy Manager Administrator’s
  Guide.
- Web Reporting module is used for communication with F-Secure
  Policy Manager Web Reporting. Select whether it should be
  enabled. Web Reporting uses a local socket connection to the
  Admin module to fetch server data. The default port is 8081.
  By default access to Web Reports is allowed also from other
  computers. If you want to allow access only from this computer,
  select Restrict access to the local machine.

Click Next to continue.

Step 9. Select to add product installation package(s) from the list of available
packages (if you selected F-Secure Installation Packages in Step 4 on
page 17). Click Next.

Step 10. Setup displays the components that will be installed. Click Next.

Step 11. When the setup is completed, the setup shows whether all components
were installed successfully.

Step 12. F-Secure Policy Manager Server is now installed. Restart the computer if
you are prompted to do so. Click Finish to complete the installation.

Step 13. To determine if your installation was successful, open a web browser in
the machine where F-Secure Policy Manager Server was installed, enter
http://localhost:80 (if you used the default port number during the
installation) and press ENTER. If the server installation was successful, the
following page will be displayed.

The F-Secure Policy Manager Server starts serving hosts only after
F-Secure Policy Manager Console has initialized the
Communication directory structure, which happens automatically
when you run F-Secure Policy Manager Console for the first time.

Step 14. The setup wizard creates the user group FSPM users. The user who was
logged in and ran the installer is automatically added to this group. To
allow another user to run F-Secure Policy Manager you must manually
add this user to the user group FSPM users.

3.4 Configuring F-Secure Policy Manager Server


Under the conf\ directory in the Policy Manager Server installation
directory, you will find a file named httpd.conf, which contains the
configuration information for F-Secure Policy Manager Server.

After any change to the configuration, you need to stop F-Secure
Policy Manager Server, and restart it for the changes to become
active.

The F-Secure Policy Manager Web Reporting settings that can be
configured in httpd.conf are explained in “Maintaining Web
Reporting”, 174.

3.4.1 Changing the Communication Directory Path


If the existing network drive on which the communication directory is
located is getting full, you can change its location by using these
instructions.
1. Choose a new network path on a drive with more space. Create the
path and ensure that the fsms_<machine wins name> user has Full
Control access rights to all the directories on the path.
2. Stop the F-Secure Policy Manager Server service.
3. Copy the whole directory structure from the old commdir path to the
new path.
4. Change the value for the CommDir and CommDir2 directives in
httpd.conf. The default configuration contains the following
configuration:
CommDir "C:\Program Files\F-Secure\Management Server 5\CommDir"
CommDir2 "C:\Program Files\F-Secure\Management Server 5\CommDir"
If you want to change the Communication Directory Location to
E:\CommDir, change the directives to reflect that configuration:
CommDir "E:\CommDir"
CommDir2 "E:\CommDir"
5. Start the F-Secure Policy Manager Server service.
6. Check that everything still works.
7. Delete the old commdir files.

3.4.2 Changing the Ports Where the Server Listens for Requests

There are two directives that define the ports for both of the WebServer
Modules that constitute F-Secure Policy Manager Server: Listen and
<VirtualHost>. By default, F-Secure Policy Manager Server Admin
Module (the component that handles requests coming from Policy
Manager Console) listens in port 8080, and F-Secure Policy Manager
Server Host Module (the component that handles requests from
workstations) listens in port 80. You can, however, define what ports they
should listen in, if the defaults are not suitable.
If you want to change the port in which F-Secure Policy Manager Server
Admin Module listens, add a Listen entry in the configuration file with the
new port (e.g. Listen 8888), and remove the Listen directive that
defines the default port in which F-Secure Policy Manager Server Admin
Module listens: Listen 8080.

When a new Listen entry is added, be sure to remove the obsolete
entry. Otherwise, the server will unnecessarily consume system
resources, such as a network port.

After adding the Listen directive, F-Secure Policy Manager Server
knows that it should listen in the new port (8888 in our example).
However, you must still configure it to associate the F-Secure Policy
Manager Server Admin Module to that new port. This is done by changing
the <VirtualHost> directive, which is associated with F-Secure Policy
Manager Server Admin Module. Here is that directive’s default
configuration:
#FSMSA port
<VirtualHost _default_:8080>
<Location /fsmsa/fsmsa.dll>
SetHandler fsmsa-handler
</Location>
</VirtualHost>
To associate it with the newly selected port, change the statement to:
#New FSMSA port
<VirtualHost _default_:8888>
<Location /fsmsa/fsmsa.dll>
SetHandler fsmsa-handler
</Location>
</VirtualHost>

WARNING: If you have workstations already configured to
access F-Secure Policy Manager Server (through the F-Secure
Policy Manager Server Host module) you should not change
the F-Secure Policy Manager Server Host port where agents
communicate, since you might reach a state where the
workstations will not be able to contact the server.

3.4.3 F-Secure Policy Manager Server Configuration Settings


This section introduces and explains all the relevant entries present in the
F-Secure Policy Manager Server configuration file, and how they are
used.
ServerRoot: This directive sets the directory in which the server is
installed. Relative paths for other configuration files are taken as relative
to this directory.

Timeout: This directive defines the period of time that the server will wait
before closing a connection, when there is no outbound or inbound traffic
in the network connection.
LoadModule: This directive defines the symbolic name of the module to
read and the path to the library that contains the module binaries.
Example: LoadModule fsmsh_module "C:\serverroot\modules\fsmsh.dll"
Listen: This directive defines what port the server should listen on. The
default configuration for a web server, for example is: Listen 80. You
can restrict where the connections can be received from, for example,
Listen 127.0.0.1:80 will only allow connections to port 80 from the
machine where the server is running (localhost).
You can configure F-Secure Policy Manager Server to listen on different
ports by changing this setting and the associated <VirtualHost> setting
that we also discuss in this section. For more information, see “Changing
the Ports Where the Server Listens for Requests”, 48.
DocumentRoot: This directive should contain an absolute path. It defines
the directory that everyone will be able to access, so don’t use a path to a
directory with sensitive data. By default F-Secure Policy Manager Server
allocates a directory under F-Secure Policy Manager Server installation
directory, htdocs\. This directory is where the “welcome page” for the
server is located. If you change it, this page will no longer be displayed.
<Directory "c:\somepath">: This directive will define what kind of
security settings will be associated with the directory specified in the path
component of the directive.
ErrorLog: The error log directive sets the name of the file to which the
server logs any errors it encounters. If the file path does not begin with a
slash (/), it is assumed to be relative to the ServerRoot. If the file path
begins with a pipe (|), it is assumed to be a command to spawn handling
of the error log. This feature is used for spawning the rotatelogs (see the
rotatelogs entry in this section) utility so that log file is actually rotated
and not written to an ever growing file.
<VirtualHost _default_:port>: This directive defines a set of directives
that will apply only to a VirtualHost. A VirtualHost is a virtual server, i.e., a
different server that is run in the same process as other servers. F-Secure
Policy Manager Server, for example, has two virtual hosts, one running in
port 80 (F-Secure Policy Manager Server Host Module) and another one
running in port 8080 (FSMSA or Admin Module).
Here is the default configuration for F-Secure Policy Manager Server:
# FSMSH port
<VirtualHost _default_:80>
<Location /fsms/fsmsh.dll>
SetHandler fsmsh-handler
</Location>
<Location /commdir>
SetHandler fsmsh-handler
</Location>
</VirtualHost>

#FSMSA port
<VirtualHost _default_:8080>
<Location /fsmsa/fsmsa.dll>
SetHandler fsmsa-handler
</Location>
</VirtualHost>
Commdir and Commdir2: These directives define the path to the
communication directory or repository. This is the directory where
F-Secure Policy Manager Server stores all the Management Data that it
receives from Policy Manager Console and F-Secure Management
Agent. You can alter the Communication Directory location by changing
these directives, but you must make sure that the account under which
the server is run (fsms_<machine wins name>) has full rights to that
directory.
Commdir "C:\Program Files\F-Secure\Policy Manager Server\CommDir"
Commdir2 "C:\Program Files\F-Secure\Policy Manager Server\CommDir"

CustomLog: This entry is used to log requests to the server. The first
parameter is either a file (file to which the requests should be logged) or a
pipe ('|') followed by the path to a program to receive the log information
on its standard input. This feature is used for spawning the rotatelogs
(see the rotatelogs entry in this section) utility so that the log file is
actually rotated and not written to an ever growing file.
The second parameter specifies what will be written to the log file, and is
defined under a previous LogFormat directive.
Below is an example of an entry in the access.log file:
10.128.131.224 - - [18/Apr/2002:14:06:36 +0300] /fsmsa/fsmsa.dll?FSMSCommand=ReadPackage&Type=27&SessionID=248 HTTP/1.1" 200 5299 0 - 0 - "FSA/5.10.2211 1.3.1_02 Windows2000/5.0 x86" mod_gzip: DECHUNK:DECLINED:TOO_SMALL CR:0pct.
10.128.131.224 - - [18/Apr/2002:14:06:36 +0300] tells you when the
request to the server was made and by which host (described by its IP
address).
The next component informs you which module the command was sent to:
/fsmsa/fsmsa.dll. This module (fsmsa.dll) is the Admin Module. fsmsh.dll
would be the Host Module.
Then come the command and parameters:
FSMSCommand=ReadPackage&Type=27&SessionID=248. In this case the
host requested an object of Type 27 (there is only one).
The HTTP version used is also noted: HTTP/1.1.
Immediately after the HTTP version come six different numbers, as
follows:
1. HTTP response code: In this example 200 is used, meaning OK in
HTTP specification. There are other codes, all of them covered under
the HTTP specification that can be obtained from http://www.w3.org.
2. Bytes transferred from the server: The example entry informs of 5299
bytes transferred.
3. How long the server took to serve the request (in seconds).
4. Connection status when response is completed.
   'X' = connection aborted before the response completed.
   '+' = connection may be kept alive after the response is sent.
   '-' = connection will be closed after the response is sent.
5. F-Secure Policy Manager Server Admin Module error code (0 for
success).
6. Bytes transferred to the server (“-” for none).
The next string identifies the client "FSA/5.10.2211 1.3.1_02
Windows2000/5.0 x86". In this case, note that the server was contacted
by FSA 5.10 build 2211.
The information that follows is about the compression of data:
mod_gzip: DECHUNK:DECLINED:TOO_SMALL.
In this instance the data was not compressed because it was too small.
And finally the compression ratio, 0% in this case: CR:0pct.
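
The field-by-field description above, turned into a parser and a small review pass, as an added example that is not part of the F-Secure guide or product. The function names, the finding labels and the allowlist are assumptions; the first sample line is the guide's own entry, the others are constructed, and an opening quote with a request method before the path is accepted if present even though the guide's entry shows neither.

```python
import re
from urllib.parse import parse_qs

# Field order follows the guide: host, timestamp, module path, command and
# parameters, HTTP version, then the six values, the client and mod_gzip data.
ENTRY_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"?(?:[A-Z]+ )?(?P<path>/[^?\s]*)(?:\?(?P<query>\S*))? (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes_out>\d+|-) (?P<seconds>\d+) '
    r'(?P<conn>[X+-]) (?P<fsms_error>-?\d+|-) (?P<bytes_in>\d+|-) '
    r'"(?P<client>[^"]*)"'
    r'(?: mod_gzip: (?P<gzip>\S+) CR:(?P<ratio>\d+)pct\.?)?\s*$'
)

def parse_entry(line):
    """Parse one access.log line into a dict, or return None if it does not fit."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    e = m.groupdict()
    if e["path"].startswith("/fsmsa/"):
        e["module"] = "admin"            # fsmsa.dll is the Admin Module
    elif e["path"].startswith(("/fsms/", "/commdir")):
        e["module"] = "host"             # fsmsh.dll is the Host Module
    else:
        e["module"] = "other"
    e["params"] = {k: v[0] for k, v in parse_qs(e["query"] or "").items()}
    e["status"] = int(e["status"])
    e["seconds"] = int(e["seconds"])
    e["bytes_out"] = 0 if e["bytes_out"] == "-" else int(e["bytes_out"])
    e["bytes_in"] = 0 if e["bytes_in"] == "-" else int(e["bytes_in"])
    return e

def review(lines, admin_allowlist):
    """Return (line_number, finding) pairs worth an administrator's attention."""
    findings = []
    for number, line in enumerate(lines, 1):
        e = parse_entry(line)
        if e is None:
            findings.append((number, "unparsed"))
            continue
        if e["module"] == "admin" and e["host"] not in admin_allowlist:
            findings.append((number, "admin-request-from-unlisted-host"))
        if e["module"] == "admin" and e["fsms_error"] not in ("0", "-"):
            findings.append((number, "admin-module-error"))
        if e["conn"] == "X":
            findings.append((number, "connection-aborted"))
    return findings

# Allowlist taken from the Allow directives in the guide's httpd.conf example.
ADMIN_ALLOWLIST = {"127.0.0.1", "10.128.129.2", "10.128.129.209"}

# Line 1 is the guide's entry; lines 2 to 4 are constructed for this example
# (the error code 5 on line 3 is a made-up non-zero value).
SAMPLE_LOG = '''\
10.128.131.224 - - [18/Apr/2002:14:06:36 +0300] /fsmsa/fsmsa.dll?FSMSCommand=ReadPackage&Type=27&SessionID=248 HTTP/1.1" 200 5299 0 - 0 - "FSA/5.10.2211 1.3.1_02 Windows2000/5.0 x86" mod_gzip: DECHUNK:DECLINED:TOO_SMALL CR:0pct.
10.128.129.209 - - [18/Apr/2002:14:07:02 +0300] /fsmsa/fsmsa.dll?FSMSCommand=ReadPackage&Type=27&SessionID=249 HTTP/1.1" 200 5299 0 + 0 - "FSA/5.10.2211 1.3.1_02 Windows2000/5.0 x86" mod_gzip: DECHUNK:DECLINED:TOO_SMALL CR:0pct.
192.0.2.50 - - [18/Apr/2002:14:09:41 +0300] /fsmsa/fsmsa.dll?FSMSCommand=ReadPackage&Type=27&SessionID=250 HTTP/1.1" 200 0 0 X 5 - "FSA/5.10.2211 1.3.1_02 Windows2000/5.0 x86"
this line is not an access.log entry
'''

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG.splitlines(), ADMIN_ALLOWLIST):
        print(finding)
```

With the allowlist from the httpd.conf example, the host in the guide's own log entry (10.128.131.224) is reported, because it is not one of the addresses allowed to reach the Admin Module there.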
Rotatelogs: This is a small program that is used to rotate the logs that
F-Secure Policy Manager Server produces. This allows us to define the
length a log should be kept (8 days by default) and when the files should
be rotated, e.g. when the access.log is named access.log.1 and a new,
empty access.log file is created where the new requests will be logged.
Example usage:
CustomLog '|""C:\Program Files\F-Secure\Policy Manager Server 5\bin\rotatelogs" "C:\Program Files\F-Secure\Policy Manager Server 5\logs\access.log" 8 86400"' common
In this example the CustomLog directive defines that the rotatelogs utility
should open the access.log file, and keep 8 files (8 archive files plus the
active file) that are rotated daily (86400 seconds = 24 hours). In practice
this means that the files for the last full week plus one day are kept and
there is still a file for logging accesses during the current day.
<ifModule mod_gzip.c>: There is a new feature in F-Secure Policy
Manager Server that allows you to compress all the data that is
transferred between Console and Server. This directive marks the start of
the compression settings, which end just before the directive </ifModule>.
For more information on the settings you can read the httpd.sample file
that is located in the same directory as the configuration file of F-Secure
Policy Manager Server (<fspms installation directory>\conf).
mod_gzip_on Yes: This setting is one of the several compression
settings, and the one that enables or disables support for the
compression in F-Secure Policy Manager Server. Compression is
disabled if the setting is changed to mod_gzip_on No.
FastPolicyDistribution On: This is a performance versus maximum
backward compatibility switch. When enabled (On) it will allow the
F-Secure Policy Manager Server to distribute policies in a way that
speeds up the process greatly (30-100 times, depending on the number
of hosts). The disabled switch (Off) should be used when there are other
components accessing the communication directory concurrently (e.g.
F-Secure Management Agent).
RetryFileOperation 10: This setting tells the server how many times it
should retry a failed file operation (with a 1 second retry-interval) before
giving up.
CommdirCacheSize 10: The number-value of this setting informs the
server how much memory, percentage-wise, it should use for storing files
in memory before serving them. This will allow the server to serve the files
much faster, since it will not have to read them from the disk all the time. If
you use the default (10), the server will use 10% of the memory available
for this cache. For example, in a 512MB RAM machine, it will use 51.2
MB for the cache.

3.5 Uninstalling F-Secure Policy Manager Server


To uninstall F-Secure Policy Manager Server (or other F-Secure Policy
Manager components), follow these steps:
1. Open the Windows Start menu and go to Control Panel. Select Add/
Remove Programs.
2. Select F-Secure Policy Manager Server (or the component you want
to uninstall), and click the Add/Remove button.
3. The F-Secure Uninstall dialog box appears. Click Start to begin
uninstallation.
4. When the uninstallation is complete, click Close.
5. Click OK to exit Add/Remove Programs.

4 INSTALLING F-SECURE POLICY MANAGER CONSOLE

Overview
Installation Steps
Uninstalling F-Secure Policy Manager Console

4.1 Overview
F-Secure Policy Manager Console can operate in two modes:
- Administrator mode - you can use F-Secure Policy Manager
  Console to its full extent.
- Read-Only mode - you can view F-Secure Policy Manager
  Console information but cannot perform any administrative tasks
  (this mode is useful for such users as Helpdesk personnel).
The same console installation can be used for both Administrator and
Read-Only connections. The following sections explain how to run the
F-Secure Policy Manager Console setup from the F-Secure CD, and how
to select the initial operation mode when the console is run for the first
time. The CD setup is identical for both modes, and it is always possible
to add new Administrator and Read-Only connections after the initial
startup.

4.2 Installation Steps


Step 1. 1. Insert the F-Secure CD in your CD-ROM drive.
2. Select Corporate Use. Click Next to continue.
3. Select F-Secure Policy Manager from the Install or Update
Management Software menu.

Step 2. View the Welcome screen, and follow the setup instructions. Select the
installation language from the drop-down menu. Click Next to continue.

Step 3. Read the license agreement information. If you agree, select I accept this
agreement. Click Next to continue.

Step 4. Select F-Secure Policy Manager Console. Click Next to continue.



Step 5. Choose the destination folder. Click Next.


It is recommended to use the default installation directory. Use the
Browse feature to install F-Secure Policy Manager Console in a different
directory.

Step 6. Specify F-Secure Policy Manager Server address, and Administration
port number. Click Next to continue.

Step 7. Review the changes that setup is about to make. Click Next to continue.

Step 8. Click Finish to close the installer.



Step 9. Run F-Secure Policy Manager Console by clicking on Start > Programs >
F-Secure Policy Manager Console > F-Secure Policy Manager Console.
When F-Secure Policy Manager Console is run for the first time, the
Console Setup Wizard collects the information needed to create an initial
connection to the server.
The first page of F-Secure Policy Manager Console setup wizard
summarizes the installation process. Click Next to continue.

Step 10. Select your user mode according to your needs:


Administrator mode - enables all administrator features.
Read-Only mode - allows you to view administrator data, but no
changes can be made. If you select Read-only mode, you will not
be able to administer hosts. To change to Administrator mode,
you will need the admin.pub and admin.prv administration keys.
Click Next to continue.

Step 11. Enter the address of the F-Secure Policy Manager Server that is used for
communicating with the managed hosts.

Step 12. Enter the path where the administrator’s public key and private key files
will be stored. By default, key files are stored in the F-Secure Policy
Manager Console installation directory:
Program Files\F-Secure\Administrator.
Click Next to continue.

If the key-pair does not pre-exist, it will be created later in the setup
process.

Step 13. Move your mouse cursor around in the window to initialize the random
seed used by the management key-pair generator. Using the path of the
mouse movement ensures that the seed number for the key-pair
generation algorithm has enough randomness. When the progress
indicator has reached 100%, the Passphrase dialog box will open
automatically.

Step 14. Enter a passphrase, which will secure your private management key.
Re-enter your passphrase in the Confirm Passphrase field. Click Next.

Step 15. Click Finish to complete the setup process.

F-Secure Policy Manager Console will generate the management
key-pair.
After the key-pair is generated, F-Secure Policy Manager Console will
start.

Step 16. The setup wizard creates the user group FSPM users. The user who was
logged in and ran the installer is automatically added to this group. To
allow another user to run F-Secure Policy Manager you must manually
add this user to the user group FSPM users.

F-Secure Policy Manager Console starts in Anti-Virus mode, which is an
optimized user interface for managing F-Secure Client Security and
F-Secure Anti-Virus for Workstations. If you are going to use F-Secure
Policy Manager Console for managing any other F-Secure product, you
should use the Advanced Mode user interface. You can access it by
opening the View menu and selecting Advanced Mode.
When setting up workstations, you must provide them with a copy of the
Admin.pub key file (or access to it). If you install the F-Secure products on
the workstations remotely with F-Secure Policy Manager, a copy of the
Admin.pub key file is installed automatically on them. However, if you run
the setup from a CD, you must transfer a copy of the Admin.pub key file
manually to the workstations. The best and most secure method is to
copy the Admin.pub file to a diskette and use this diskette for workstation
installations. Alternatively, you can put the Admin.pub file in a directory
that can be accessed by all hosts that will be installed with remotely
managed F-Secure products.

Changing the Web Browser Path


The F-Secure Policy Manager Console acquires the file path to the
default Web browser during setup. If you want to change the Web
browser path, open the Tools menu, and select Preferences.
Select the Locations tab and enter the new file path.

4.3 Uninstalling F-Secure Policy Manager Console


To uninstall F-Secure Policy Manager Console (or other F-Secure Policy
Manager components), follow these steps:
1. Open the Windows Start menu and go to Control Panel. Select
Add/Remove Programs.
2. Select the component you want to uninstall (F-Secure Policy
Manager Console or Certificate Wizard), and click the Add/Remove
button.
3. The F-Secure Uninstall dialog box appears. Click Start to begin
uninstallation.
4. When the uninstallation is complete, click Close.
5. Click OK to exit Add/Remove Programs.
5 USING F-SECURE POLICY MANAGER CONSOLE

Overview
F-Secure Policy Manager Console Basics
F-Secure Client Security Management
Managing Domains and Hosts
Software Distribution
Managing Policies
Managing Operations and Tasks
Alerting
Reporting Tool
Preferences


5.1 Overview
F-Secure Policy Manager Console is a remote management console for
the most commonly used F-Secure security products, designed to provide
a common platform for all of the security management functions required
in a corporate network.
An administrator can create different security policies for each host, or
create a single policy for many hosts. The policy can be distributed over a
network to the workstations, servers, and security gateways.
With F-Secure Policy Manager Console, you can:
Set the attribute values of managed products.
Determine rights for users to view or modify attribute values that
were remotely set by the administrator.
Group the managed hosts under policy domains sharing common
attribute values.
Manage host and domain hierarchies easily.
Generate signed policy definitions, which include attribute values
and restrictions.
Display status.
Handle alerts.
Handle F-Secure Anti-Virus scanning reports.
Handle remote installations.
View reports in HTML format, or export reports to various export
formats.
F-Secure Policy Manager Console generates the policy definition, and
displays status and alerts. Each managed host has a module (F-Secure
Management Agent) enforcing the policy on the host.
The conceptual world of F-Secure Policy Manager Console consists of
hosts that can be grouped within policy domains. Policies are
host-oriented. Even in multi-user environments, all users of a specific host
share common settings.
F-Secure Policy Manager Console recognizes two types of users:
administrators and read-only mode users.

The administrator has access to the administration private key. This
private key is stored as a file, which may be shared among users with
management rights. The administrator uses F-Secure Policy Manager
Console to define policies for different domains and individual hosts.
In Read-only mode, the user can:
View policies, statistics, operation status, version numbers of
installed products, alerts and reports.
Modify F-Secure Policy Manager Console properties, because its
installation is user-based and modifications cannot affect other
users.
The user cannot do any of the following in Read-only mode:
Modify the domain structure or the properties of domains and
hosts.
Modify product settings.
Perform operations.
Install products.
Save policy data.
Distribute policies.
Delete alerts or reports.
There can be only one Administrator mode connection to F-Secure Policy
Manager Server at a time. There can be several read-only connections to
F-Secure Policy Manager Server simultaneously.

5.2 F-Secure Policy Manager Console Basics


The following sections describe the F-Secure Policy Manager Console
logon procedure, menu commands and basic tasks.

5.2.1 Logging In
When you start F-Secure Policy Manager Console, the following dialog
box will open (click Options to expand the dialog box to include more
options).

Figure 5-1 F-Secure Policy Manager Console Login dialog


The dialog box can be used to select defined connections. Each
connection has individual preferences, which makes it easier to manage
many servers with a single F-Secure Policy Manager Console instance.
It is also possible to define multiple connections to a single server. After
selecting the connection, enter your F-Secure Policy Manager Console
passphrase. This is the passphrase that you defined when you installed
the program. This is not your network administrator password.
You can start the program in Read-Only mode, in which case you do not
need to enter a passphrase. In this case, however, you will not be allowed
to make changes.
The setup wizard creates the initial connection, which appears by default
in the Connections: field. To add more connections, click Add. To edit an
existing connection, click Edit. These options are available when the
dialog box is expanded.
Note that it is possible to make copies of existing connections. This
makes it easy to define multiple connections to the same server, with
slightly different connection preferences for different usages. For
example, an existing connection can be taken as a template, and different
connection preferences can be tested with the new copy without affecting
the original settings.

Connection Properties
The link to the data repository is defined as the HTTP URL of the
F-Secure Policy Manager Server.

Figure 5-2 Connection Properties dialog


The Name field specifies what the connection will be called in the
Connection: field in the login dialog. If the Name field is left empty, the
URL or the directory path is displayed.
Public Key File and Private Key File paths specify what management
key-pair to use for this connection. If the specified key files do not exist,
F-Secure Policy Manager Console will generate a new key-pair.
Communication Preferences
Select the Communication tab to customize communication settings. To
change polling intervals, click Polling Period Options.
Host connection status controls when hosts are considered disconnected
from F-Secure Policy Manager. All hosts that have not contacted
F-Secure Policy Manager Server within the defined interval are
considered disconnected. The disconnected hosts will have a notification
icon in the domain tree and they will appear in the Disconnected Hosts list
in the Domain status view. Note that it is possible to define an interval that
is shorter than one day by simply typing in a floating point number in the
setting field. For example, with a value of "0.5" all hosts that have not
contacted the server within 12 hours are considered disconnected. Values
less than one day are normally useful only for troubleshooting purposes,
because in a typical environment some hosts are naturally disconnected
from the server every now and then. For example, laptop computers may
not be able to access the server daily, but in most cases this is perfectly
acceptable behavior.

Figure 5-3 Connection Properties > Communication dialog


The communication protocol selection affects the default polling intervals.
You should modify the communication setting to suit your environment. If
you are not interested in certain management information, you should
switch unnecessary polling off by clearing the polling item you want to
disable. Disable All Polling disables all of the polling items. Whether or not
automatic polling is disabled, manual refresh operations can be used to
refresh the selected view.

Figure 5-4 Polling Periods dialog


See “Preferences”, 133 for more information about other
connection-specific settings. After F-Secure Policy Manager Console
startup these settings can be edited normally from the Preferences view.

5.2.2 F-Secure Client Security Management


When you first start F-Secure Policy Manager Console, the simplified
Anti-virus mode user interface opens. This mode is optimized for
administering F-Secure Client Security. Using the Anti-Virus mode user
interface you can complete most tasks for managing F-Secure Client
Security or F-Secure Anti-Virus for Workstations.
For more information on the Anti-Virus mode user interface, see the
F-Secure Client Security Administrator’s Guide.
You should be able to complete most tasks with the Anti-Virus mode user
interface. However, if you need to administer products other than
F-Secure Client Security, you will need to use the Advanced Mode
user interface.

5.2.3 The Advanced Mode User Interface


To use all the functionality available in F-Secure Policy Manager Console
you need to change to the Advanced mode user interface. To do so,
select View > Advanced Mode.
The Advanced mode user interface opens displaying the following four
panes: Policy Domain pane, Properties pane, Product View pane and
Messages pane (not visible if there are no messages).

Figure 5-5 F-Secure Policy Manager Console user interface



5.2.4 Policy Domain Pane


In the Policy Domain pane, you can do the following:
Add a new policy domain (click the icon, which is located on
the toolbar). A new policy domain can be created only when a
parent domain is selected.
Add a new host (click the icon).
Find a host.
View the properties of a domain or host. All hosts and domains
should be given unambiguous names.
Import autoregistered hosts.
Autodiscover hosts from a Windows domain.
Delete hosts or domains.
Move hosts or domains, using cut and paste operations.
Export a policy file.
After selecting a domain or host, you can access the above options from
the Edit menu.
The domains referred to in the commands are not Windows NT or DNS
domains. Policy domains are groups of hosts or subdomains that have a
similar security policy.

5.2.5 Properties Pane


Defining policies consists of specifying default values for settings,
specifying what values are allowed, and specifying access restrictions to
the settings. Policies for a domain or a host are defined in the Properties
pane.
The Properties pane contains subtrees (“branches”), tables, rows, and
policy variables. Subtrees are only used to expand the structures. Tables
may contain any number of rows.

The Properties pane has the following tabs:


Policy - The Policy tab allows you to use the Product View pane
to define settings, restrictions, and operations for domains or
hosts. These changes become effective after the policy has been
distributed and the Agent has fetched the policy file.
Status - Beneath each product shown in the Status tab are two
status categories: Settings and Statistics. Settings displays the
local settings that have been explicitly modified in the host;
default values or values set in the Base Policy are not displayed.
The Statistics subtree displays statistics for the host for each
product. If a policy domain is selected, the Status view displays
the number of hosts in the domain and which hosts are disconnected
from F-Secure Policy Manager.
Alerts - Displays a list of alerts originating from hosts in the
selected domain, displays the selected alert in the Product View
pane, and displays reports related to the alerts.
Reports - Displays all reports from the selected host.
Installation - Displays installation options.

5.2.6 Product View Pane


The function of the Product View pane changes according to which tab of
the Properties pane is open:
Policy tab - In the Product View pane, you can set the value of a
policy variable. All modifications affect the selected policy domain
or host. There is a predefined editor for each type of policy
variable. The editor is displayed when you select the variable
type in the Policy tab. Some subtrees, tables, and leaf nodes
might have special custom editors. These editors customize
F-Secure Policy Manager Console for each installed product.
There are also Restriction Editors, which open within the Product
View pane or open as a separate dialog box.
Status tab - In the Product View pane, you can view (1)
“settings”, which are the local modifications reported by the host,
and (2) statistics.
Alerts tab - When an alert is selected in the Alerts tab, details of
the alert are displayed in the Product View pane.
Reports - When a report is selected in the Reports tab, details of
the report are displayed in the Product View pane.
Installation - In the Product View pane, you can view and edit
installation information.
The traditional F-Secure Policy Manager Console MIB tree contains all
the settings/operations (Policy) and local setting/statistics (Status) in a
product component specific MIB tree.
The F-Secure Management Agent Product View is on the following page
as an example (the same generic operations and functionality are found
in all Product Views).
Using Help
In most cases the Product View fields offer the same help texts as the
MIB tree nodes. In addition, each tab has its own help text. The help texts
follow mouse clicks (all tabs and policy and status editors) and field focus
(only available when the Policy tab is selected in the Properties pane).
You can click either the field label or the value editor field to activate the
corresponding help text.

Editing Policy Settings


Select a product (e.g. F-Secure Management Agent) and the Policy tab
from the Properties Pane. F-Secure Policy Manager Console will render a
Product View in the Product View Pane for your selected product. The
Product View contains the most commonly used settings and the most often
needed restriction editors from the MIB tree, in the following categories:
Communication - edit communication settings.
Alerting - edit alert settings.
Alert Forwarding - see “Configuring Alert Forwarding” on
page 128 for more details.
Certificates - allows definition of trusted certificates.
Certificate Directory - defines the directory settings where
certificates are stored.
About - contains a link to F-Secure Web Club (for more details,
see “Web Club”, 212).
You can edit the policy settings normally, and use the restriction setting
(final, hidden) to define end user access rights.

Figure 5-6 Product View pane



Using the Context Menu for Policy Settings


Most editor fields in the Product View include a context menu (activated
by right-clicking your mouse). The context menu contains the following
options: Go To, Clear Value, Force Value and Show domain values.

Figure 5-7 Context menu

Shortcut to the MIB Tree Node


Sometimes it is convenient to see what setting of the MIB tree is actually
changed when modifying some specific Product View item. Select the Go
To menu item to display the corresponding MIB tree node in the
Properties pane.
Note that in most cases the MIB tree offers more, though less frequently
needed, setting parameters. For example, this is one way to edit the
restrictions of those policy settings that do not display direct restriction
editors in the Product View.
Clear Value
The functionality of the Clear Value menu item is the same as in the MIB
tree. After clearing the current value, the field will either display the
inherited value (grey text), or no value at all. The Clear Value menu item
is available only if there is a value defined for the currently defined
domain or host.

Force Value
This Force Value menu item is available only when a Policy Domain is
selected. You can enforce the current domain setting to also be active in
all subdomains and hosts. In practice, this operation clears the
corresponding setting in all subdomains and hosts below the current
domain, enabling the inheritance of the current value to all subdomains
and hosts. Use this menu entry cautiously: all values defined in the
subdomain or hosts under the selected domain are discarded, and cannot
be restored.
Show Domain Values
The Show Domain Values menu item is available only when a Policy
Domain is selected. You can view a list of all policy domains and hosts
below the selected policy domain, together with the value of the selected
field.
Click any domain or host name to quickly select the domain or host in the
Policy Domains pane. It is possible to open more than one Domain Value
dialog simultaneously.

Figure 5-8 Show Domain Values dialog
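
The inheritance behaviour behind Clear Value, Force Value and Show Domain Values can be modelled with a small tree. The following Python code is an added example, not F-Secure code: the Node class, the setting name polling_interval_minutes and the sample domain tree are constructed for illustration, and having force_value return the overrides it discards is an addition of the example so that they can be recorded before they are lost.

```python
from dataclasses import dataclass, field
from typing import Iterator, Optional

SETTING = "polling_interval_minutes"  # hypothetical setting name


@dataclass(eq=False)
class Node:
    """A policy domain or host. `values` holds only locally defined settings."""
    name: str
    is_domain: bool = True
    parent: Optional["Node"] = field(default=None, repr=False)
    children: list = field(default_factory=list, repr=False)
    values: dict = field(default_factory=dict)

    def add(self, name: str, is_domain: bool = True) -> "Node":
        if not self.is_domain:
            raise ValueError("a host cannot contain domains or hosts")
        child = Node(name, is_domain, parent=self)
        self.children.append(child)
        return child

    def descendants(self) -> Iterator["Node"]:
        """All subdomains and hosts below this node, depth first."""
        for child in self.children:
            yield child
            yield from child.descendants()

    def find(self, name: str) -> Optional["Node"]:
        # Names are unique in the structure, so the first match is the only one.
        if self.name == name:
            return self
        return next((n for n in self.descendants() if n.name == name), None)

    def effective(self, setting: str):
        """Return (value, defining_node): the nearest definition walking upward."""
        node = self
        while node is not None:
            if setting in node.values:
                return node.values[setting], node
            node = node.parent
        return None, None

    def clear_value(self, setting: str) -> bool:
        """Clear Value: drop the local definition so the inherited value shows."""
        if setting not in self.values:
            return False  # the menu item is only available when a value is defined
        del self.values[setting]
        return True

    def show_domain_values(self, setting: str) -> list:
        """Show Domain Values: (name, value, origin) for everything below."""
        rows = []
        for node in self.descendants():
            value, source = node.effective(setting)
            if source is node:
                origin = "local"
            elif source is not None:
                origin = "inherited from " + source.name
            else:
                origin = "not set"
            rows.append((node.name, value, origin))
        return rows

    def force_value(self, setting: str) -> dict:
        """Force Value: clear the setting in all subdomains and hosts below.

        Returns the discarded local values (an addition of this example);
        in the console they cannot be restored once cleared.
        """
        if not self.is_domain:
            raise ValueError("Force Value applies to policy domains only")
        discarded = {}
        for node in self.descendants():
            if setting in node.values:
                discarded[node.name] = node.values.pop(setting)
        return discarded


def build_sample_tree() -> Node:
    """Constructed sample: Root > Laptops (2 hosts), Servers (1 host)."""
    root = Node("Root")
    laptops = root.add("Laptops")
    servers = root.add("Servers")
    laptops.add("lap-01", is_domain=False)
    lap02 = laptops.add("lap-02", is_domain=False)
    servers.add("srv-01", is_domain=False)
    root.values[SETTING] = 10
    laptops.values[SETTING] = 30   # subdomain override
    lap02.values[SETTING] = 60     # host override
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("Before Force Value:")
    for row in root.show_domain_values(SETTING):
        print("  ", row)
    print("Discarded overrides:", root.force_value(SETTING))
    print("After Force Value:")
    for row in root.show_domain_values(SETTING):
        print("  ", row)
```

Listing the domain values before forcing shows exactly which subdomain and host overrides are about to be discarded.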



Viewing Status
Open the Status tab and select the product from the Properties pane.
F-Secure Policy Manager Console will render a Product View to the
Product View pane, where you can view the more important local settings
and statistics.

Values cannot be edited, but the MIB help texts can be displayed
by clicking a field or its label.

For the policy domains, the Status tab will show the domain level status
overview: number of hosts in the domain, and list of disconnected hosts.

Figure 5-9 Status tab


Click any disconnected host to quickly change the policy domain selection
into that host. This way it is possible to investigate if the disconnected
host managed to send some alerts or useful statistics before the
disconnection. This information may help to investigate why the host was
disconnected. If the reason is clear, for example, if the host's F-Secure
software has been uninstalled, the host can be deleted normally. After
investigating one disconnected host, the most convenient way to get back
to the previously selected domain level is to click the button in the
toolbar.
The Domain Status view also offers two shortcut operations for handling a
greater number of disconnected hosts: selecting all disconnected hosts
and deleting all disconnected hosts. Both operations can be accessed
through the Disconnected Host tree root node context menu.

Figure 5-10 An example of shortcuts available in the Domain Status View

WARNING: Deleting all disconnected hosts is potentially a
dangerous operation, as it is possible that some existing
hosts are for some natural reason temporarily disconnected
longer than the allotted threshold days. Always check the
disconnection threshold value from Preferences before
deleting hosts. If a still existing host is deleted accidentally, all
host specific alerts, reports, status and policy settings will be
lost. However, the host will send an autoregistration message
once it discovers that it has been removed from the F-Secure
Policy Manager. The host can be re-imported to the domain
tree, but from the Policy Manager point of view it is like any
other newly added host.

5.2.7 Messages Pane


F-Secure Policy Manager Console logs messages in the Message pane
about different events. Unlike the Alerts and Reports panes, Message
pane events are generated only by F-Secure Policy Manager Console.
There are three categories of messages: Information, Warnings, and
Errors. Each Message View tab can contain messages of all three
severities. You can delete a category in the displayed context menu by
right-clicking on a tab. By right-clicking on an individual message, a
context menu is displayed with cut, copy, and delete operations.
By default, messages are logged into both files in the message
subdirectory of the local F-Secure Policy Manager Console installation
directory. Logs of the messages are kept both in English and the
language you have set for F-Secure Policy Manager Console. A separate
log file is created for each message category (tab names in the Message
pane). You can use the Preferences-Locations page to specify the
directory for the log file, and to switch logging on and off. The functionality
of the Messages view is not affected when you switch message saving on
and off.

5.2.8 The Toolbar

The toolbar contains buttons for the most common F-Secure Policy
Manager Console tasks.

Saves the policy data

Distributes the policy

Go to the previous domain or host in the domain tree selection history.

Go to the next domain or host in the domain tree selection history.

Go to the parent domain.

Cuts a host or domain.

Pastes a host or domain.

Adds a domain to the currently selected domain.

Adds a host to the currently selected domain.

Displays the Properties box of a host or domain.

Launches the Autodiscover Windows Hosts tool. New hosts will be added
to the currently selected policy domain.

Starts push installation to Windows hosts.

Imports autoregistered hosts to the currently selected domain. Green
signifies that the host has sent an autoregistration request.

Displays available installation packages.

Displays all alerts. The icon is highlighted if there are new alerts.
When you start F-Secure Policy Manager Console, the icon is always
highlighted.

5.2.9 Menu Commands


Menu > Command - Action

File > New Policy - Creates a new policy data instance with the Management Information Base (MIB) defaults. This command is rarely needed because existing policy data will usually be modified and saved using the Save As command.
File > Open Policy - Opens previously saved policy data.
File > Save Policy - Saves current policy data.
File > Save Policy As - Saves policy data with a specified name.
File > Distribute Policies - Distributes the policy files.
File > Export Host Policy File - Exports the policy files.
File > Exit - Exits F-Secure Policy Manager Console.

Edit > Cut - Cuts selected items.
Edit > Paste - Pastes items to selected location.
Edit > Delete - Deletes selected items.
Edit > New Policy Domain - Adds a new domain.
Edit > New Host - Adds a new host.
Edit > Import Autoregistered Hosts - Imports hosts that have sent an autoregistration request.
Edit > Autodiscover Windows Hosts - Imports hosts from the Windows domain structure.
Edit > Push Install to Windows Hosts - Installs software remotely, and imports the hosts specified by IP address or WINS name.
Edit > Find - Search for a string in the host properties. All hosts in the selected domain are searched.
Edit > Domain/Host Properties - Displays the Properties page of the selected host or policy domain.

View > Toolbar - Displays the toolbar.
View > Status Bar - Displays the status bar.
View > ToolTips - Displays on-screen descriptions of buttons when the mouse pointer rests on them.
View > Embedded Restriction Editors - Toggles between the embedded restriction editor and the restrictions dialog box.
View > Messages Pane - Shows/hides the Messages pane at bottom of screen.
View > Open on New Message - If selected, the Message pane opens automatically when a new message is received.
View > Back - Takes you to the previous domain or host in the domain tree selection history.
View > Forward - Takes you to the next domain or host in the domain tree selection history.
View > Parent Domain - Takes you to the parent domain.
View > All Alerts - Opens the Alerts page in the Properties pane with all alerts showing.
View > Advanced Mode - Changes to the advanced mode user interface, which is the user interface described in this manual.
View > Anti-Virus Mode - Changes to the Anti-Virus mode user interface, which is optimized for managing centrally F-Secure Client Security.
View > Refresh <Item> - Manually refreshes the status, alert, or report view. The menu item changes according to the selected tab in the Properties pane.
View > Refresh All - Manually refreshes all data affecting the interface: policy, status, alerts, reports, installation packages, and autoregistration requests.

Tools > Installation Packages - View Installation Packages info in a dialog box.
Tools > Change Passphrase - Changes login passphrase (the passphrase protecting the F-Secure Policy Manager Console private key).
Tools > Reporting - Lets you select the reporting methods and the domains/hosts and products included in the reports.
Tools > Preferences - Sets the local properties for F-Secure Policy Manager Console. These properties only affect the local installation of F-Secure Policy Manager Console.

Help > Contents - Displays the Help index.
Help > Web Club - Opens your Web browser and connects to the F-Secure Policy Manager Web Club.
Help > Contact Information - Displays contact information for F-Secure Corporation.
Help > About F-Secure Policy Manager Console - Displays version information.

5.3 Managing Domains and Hosts


If you want to use different security policies for different types of hosts
(laptops, desktops, servers), for users in different parts of the organization
or users with different levels of computer knowledge, it is a good idea to
plan the domain structure based on these criteria. This makes it easier for
you to manage the hosts later on.
If you have designed the policy domain structure beforehand, you can
import the hosts directly to that structure. If you want to get started
quickly, you can also import all hosts to the root domain first, and create
the domain structure later, when the need for that arises. The hosts can
then be cut and pasted to the new domains.

Figure 5-11 An example of a policy domain structure


All domains and hosts must have a unique name in this structure.
Another possibility is to create the different country offices as
subdomains.

Figure 5-12 An example of a policy domain: country offices as sub-domains



5.3.1 Adding Policy Domains

Figure 5-13 An example of a policy domain with sub-domains


From the Edit menu, select New Policy Domain (a parent domain must be
selected), or click in the toolbar (alternatively press Ctrl+Insert).
The new policy domain will be a subdomain of the selected parent
domain.

Figure 5-14 Policy Domain Properties Dialog


You will be prompted to enter a name for the policy domain. An icon for
the domain will be created in the Policy Domain pane.

5.3.2 Adding Hosts


The main methods of adding hosts to your policy domain, depending on
your operating system, are as follows:
- Import hosts directly from your Windows domain.
- Import hosts through autoregistration (requires that F-Secure
  Management Agent be installed on the imported hosts). You can
  also use different criteria to import the autoregistered hosts into
  different sub-domains.
- Create hosts manually by using the New Host command.

Windows Domains
In a Windows domain, the most convenient method of adding hosts to
your policy domain is by importing them through F-Secure Intelligent
Installation by choosing ‘Autodiscover Windows hosts’ from the Edit menu
in F-Secure Policy Manager Console. Note that this also installs F-Secure
Management Agent on the imported hosts. In order to import hosts from a
Windows domain, select the target domain, and choose ‘Autodiscover
Windows hosts’ from the Edit menu. After the autodiscover operation is
completed, the new host is automatically added to the Policy Domain
tree. For more information, see “Software Distribution”, 104.

Autoregistered Hosts
Another possibility for importing hosts into F-Secure Policy Manager
Console is by using the autoregistration feature. You can do this only after
F-Secure Management Agent has been installed on the hosts and after
the hosts have sent an autoregistration request. The F-Secure
Management Agent will have to be installed from a CD-ROM, from a login
script, or some other way. To import autoregistered hosts, click the
corresponding button, or choose Import Autoregistered Hosts from the Edit
menu or from the Installation view. When the operation is completed, the
host is added to the domain tree. The autoregistered hosts can be imported
to different domains based on different criteria, such as the host’s IP or
DNS address. For more information, see “Autoregistration Import Rules”, 99.

Figure 5-15 Import Autoregistered Hosts dialog > Autoregistered Hosts tab

The Autoregistration view offers a tabular view of the data that the host
sends in the autoregistration message. This includes the possible custom
autoregistration properties that were included in the remote installation
package during installation (see step 6 in “Using the Customized Remote
Installation JAR Package”, 116 section). It is possible to sort
autoregistration messages according to the values of any column by
clicking the corresponding table header. Column ordering can be
changed by dragging and dropping the columns to the suitable locations,
and column widths can be freely adjusted. The table context menu (click
the right mouse button on table header bar) can be used to specify which
autoregistration properties are visible in the table.

Autoregistration Import Rules

Figure 5-16 Import Autoregistered Hosts dialog > Import Rules tab

You can define the import rules for the autoregistered hosts on the Import
Rules tab in the Import Autoregistered Hosts window. You can use the
following as import criteria in the rules:
- WINS name, DNS name, Dynamic DNS name, Custom Properties
  These support * (asterisk) as a wildcard. * can replace any number of
  characters. For example: host_test* or *.example.com.
  Matching is case-insensitive, so upper case and lower case characters
  are treated as the same character.
- IP address, Dynamic IP address
  These support exact IP address matching (for example: 192.1.2.3) and
  IP sub-domain matching (for example: 10.15.0.0/16).
You can hide and display columns in the table by using the right-click
menu that opens when you right-click any column heading in the Import
Rules window. Only the values in the currently visible columns are used
as matching criteria when importing hosts to the policy domain. The
values in the currently hidden columns are ignored.
You can also add new custom properties to be used as criteria when
importing hosts. One example of how to use the custom properties is to
create separate installation packages for different organizational units,
which should be grouped under unit-specific policy domains. In this case
you could use the unit name as the custom property, and then create
import rules that use the unit names as the import criteria. Note that
custom property names that are hidden are remembered only until the
Console is closed.
To add a new custom property, do as follows:
1. Right-click a column heading and select Add New Custom Property.
The New Custom Property dialog opens.
2. Enter a name for the custom property, for example the unit name.
Then click OK.
3. The new custom property now appears in the table, and you can
create new Autoregistration Import rules in which it is used as import
criteria.
To create a new Autoregistration Import rule, do as follows:
1. Click Add on the Import Rules tab. The Select Target Policy Domain
for Rule dialog opens displaying the existing domains and
sub-domains.
2. Select the domain for which you want to create the rule and click OK.
3. Now you can define the import criteria. Select the new row that was
created, click the cell where you want to add a value and click Edit.
Enter the value in the cell.
When autoregistered hosts are imported, the rules are verified in
top-down order, and the first matching rule is applied. You can change the
order of the rules by clicking Move down or Move up.

If you want to create several rules for a domain, you can use the Clone
option. Start by creating one rule for the domain. Then select the row and
click Clone. Now you can edit the criteria on the new duplicated row.
When you want to start the import operation, select the Autoregistered
Hosts tab and click Import. The importing rules you have defined will be
validated before the importing starts. After the hosts have been imported,
you will see a summary dialog displaying the number of successfully
imported hosts and the number of unsuccessful import operations.
Note that an empty set of conditions is treated as always matching.
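The rule semantics described above (wildcards, exact IP and subnet matching, first match wins, hidden columns ignored, empty rule always matching), as an added Python sketch that is not F-Secure code. The rule and host dictionaries, the domain names and the Unit property are constructed sample data; treating several cells on one row as all-must-match and an empty cell as no condition are assumptions.

```python
import ipaddress
import re

# Columns matched as IP address or subnet; every other column (WINS name,
# DNS name, Dynamic DNS name, custom properties) is matched as a wildcard.
IP_COLUMNS = {"IP address", "Dynamic IP address"}


def wildcard_match(pattern, value):
    """'*' replaces any number of characters; matching is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


def ip_match(criterion, value):
    """Exact address (192.1.2.3) or subnet in prefix notation (10.15.0.0/16)."""
    try:
        address = ipaddress.ip_address(value)
        if "/" in criterion:
            return address in ipaddress.ip_network(criterion, strict=False)
        return address == ipaddress.ip_address(criterion)
    except ValueError:
        return False  # an unparsable rule value or host value never matches


def effective_criteria(rule, visible_columns):
    """Criteria that count: visible columns with a non-empty cell (assumption)."""
    return {column: value for column, value in rule["criteria"].items()
            if column in visible_columns and value}


def rule_matches(rule, host, visible_columns):
    # Assumption: all effective cells on a row must match (logical AND).
    for column, criterion in effective_criteria(rule, visible_columns).items():
        matcher = ip_match if column in IP_COLUMNS else wildcard_match
        if not matcher(criterion, host.get(column, "")):
            return False
    return True  # no effective conditions left: the rule always matches


def target_domain(rules, host, visible_columns):
    """Rules are checked top-down and the first matching rule is applied."""
    for rule in rules:
        if rule_matches(rule, host, visible_columns):
            return rule["domain"]
    return None


def unreachable_rules(rules, visible_columns):
    """Indexes of rules below the first always-matching rule; they never fire."""
    for index, rule in enumerate(rules):
        if not effective_criteria(rule, visible_columns):
            return list(range(index + 1, len(rules)))
    return []


# Constructed sample data: domain names, hosts and the "Unit" custom property.
COLUMNS = {"WINS name", "DNS name", "IP address", "Unit"}
RULES = [
    {"domain": "Servers", "criteria": {"IP address": "10.15.0.0/16"}},
    {"domain": "Sales laptops",
     "criteria": {"DNS name": "*.example.com", "Unit": "Sales"}},
    {"domain": "Unsorted", "criteria": {}},  # deliberate catch-all, kept last
]
HOSTS = [
    {"WINS name": "SRV01", "DNS name": "srv01.example.com",
     "IP address": "10.15.3.7"},
    {"WINS name": "LT22", "DNS name": "LT22.EXAMPLE.COM",
     "IP address": "192.1.2.3", "Unit": "sales"},
    {"WINS name": "KIOSK", "DNS name": "kiosk.test",
     "IP address": "172.16.0.9"},
]

if __name__ == "__main__":
    for label, visible in (("all columns visible", COLUMNS),
                           ("IP address column hidden", COLUMNS - {"IP address"})):
        print(label)
        for host in HOSTS:
            print("  %-6s -> %s" % (host["WINS name"],
                                    target_domain(RULES, host, visible)))
        print("  unreachable rule indexes:", unreachable_rules(RULES, visible))
```

With the IP address column hidden, the first rule has no conditions left and matches every host, so all three sample hosts land in Servers and the two rules below it are never reached.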
Creating Hosts Manually
To create a host manually, select a policy domain and select New Host
from the Edit menu, or click the Add Host button (alternatively press
Insert). This operation is useful in the following cases:
- Learning and testing – You can try out a subset of F-Secure Policy
  Manager Console features without actually installing any software in
  addition to F-Secure Policy Manager Console.
- Defining policy in advance – You can define and generate a policy for a
  host before the software is installed on the host.
- Special cases – You can generate policies for hosts that will never
  access the server directly (that is, when it is not possible to import the
  host). For example, it is possible to generate Base Policy files for a
  computer that does not access the F-Secure Policy Manager Server. The
  Base Policy file must be transferred either manually or by using another
  external transport mechanism. To do this, select Export Policy File from
  the Edit menu.

Figure 5-17 An example of a domain with hosts and servers in their own
sub-domains

Hosts without F-Secure Management Agent installed cannot be
administered through F-Secure Policy Manager Console because
they have no means of fetching policies. Also, no status
information will be available.

Any changes made to the domain structure are implemented even
if you exit F-Secure Policy Manager Console without saving
changes to the current policy data.

5.3.3 Host Properties


Host names for the network can be IP addresses, domain names, or
WINS names. To view host properties, right-click the appropriate host
and from the menu that opens, select Properties (alternatively press
Alt+Enter). To change host properties, clear the Autoupdate Properties check
box in the Identities tab of the Host Properties dialog box. You can open
the Host Properties dialog box by choosing Properties from the Edit
menu, or by clicking the corresponding button in the toolbar.

The network name for the host is the name that the host uses internally in
the network to access policies.

Figure 5-18 Host Properties dialog


Every host has a UID. This is a unique identifier: a string of characters
and numbers that is used to uniquely identify every host in the system.
In the Platform tab, you can add the operating system of the host to the
properties. Platform name is the name of the operating system. The
operating system version numbers are the following:

Windows 2000     5.0
Windows XP       5.1/5.10
Windows Vista    6.0

An alias for the host can be defined in the Miscellaneous tab. If an alias is
defined, the alias will replace the real identity of the host in the display of
the domain tree.

5.4 Software Distribution


F-Secure Policy Manager offers multiple methods of installing and
updating managed applications:
- Push Installations - F-Secure Policy Manager can install
  software to new hosts that are not yet under centralized
  management. Hosts can be browsed from Windows domains
  using the Autodiscover Windows Hosts feature, or the target host
  can be specified directly by WINS name or IP address using the
  Push Install to Windows Host feature. In addition to first time
  installations, push installation features can be used to update or
  repair installations whenever the policy-based installations are
  not suitable.
- Policy-Based Installations - F-Secure Policy Manager can
  initiate installation and update operations with policy based
  triggering. This requires that the hosts are already under
  centralized management, i.e. included in a policy domain in
  F-Secure Policy Manager Console.
- Local Installations and Updates from CD-ROM - Installation
  can be performed independently on the host by running the setup
  directly from the CD-ROM. After installation, F-Secure
  Management Agent sends a registration message to F-Secure
  Policy Manager. The administrator can then view and accept the
  new host by choosing the Import Autoregistered Hosts command
  from the Edit menu in F-Secure Policy Manager Console.
- Local Installation and Updates with pre-configured packages
  - Instead of using the standard CD-ROM setup, you can use
  F-Secure Policy Manager to prepare a customized installation
  package (JAR or MSI) that includes information about the
  settings used for the installation. The end user’s computer can be
  set up silently, since the pre-configured package contains all of
  the settings that are normally requested from the user.
- F-Secure Virus Definition Database Updates - F-Secure Policy
  Manager can update the latest Anti-Virus databases by
  downloading them automatically from F-Secure’s Automatic
  Update site. Managed hosts will fetch the updates from F-Secure
  Policy Manager according to the host policy, either automatically
  or with remotely triggered operations. For more information, see
  “Automatic Updates with F-Secure Automatic Update Agent”,
  146.
Shortcuts to all the installation-related features are gathered in the
Properties pane under the Installation tab.

5.4.1 F-Secure Push Installations


The only difference between the Autodiscover Windows Hosts and the
Push Install to Windows Hosts features is how the target hosts are
selected: Autodiscover browses the Windows domains and lets you
select the target hosts from a list of hosts, whereas Push Install to
Windows Hosts allows you to define the target hosts directly with IP
addresses or host names. After the target hosts are selected, both push
installation operations proceed the same way.

Autodiscover Windows Hosts


To install:
1. Select the policy domain for the hosts to which you will install
F-Secure Management Agent.
2. Open the Edit menu and select Autodiscover Windows Hosts
(alternatively, click the button).
3. From the NT Domains list, select one of the domains and click
Refresh.
The host list is updated only when you click Refresh. Otherwise
cached information is displayed for performance reasons. Before
clicking Refresh, you can change the following Autodiscover
options:
- Hide already managed hosts
  Select the Hide Managed Hosts check box to show only those
  hosts that do not have F-Secure applications installed.
- Resolve hosts with all details (slower)
  With this selection, all details about the hosts are shown, such as
  the versions of the operating system and F-Secure Management
  Agent.
- Resolve host names and comments only (quicker)
  If not all hosts are shown in the detailed view or it takes too much
  time to retrieve the list, this selection can be used. Note that
  it may sometimes take a while before Master Browser can see a
  new host recently installed into the network.
4. Select the hosts to be installed. Press the space bar to check
selected host(s).
Several hosts can be easily selected by holding down the shift key
and doing one of the following:
- clicking the mouse on multiple host rows,
- dragging the mouse over several host rows,
- using the up or down arrow keys.
Alternatively, you can right-click your mouse. Use the host list’s
context menu to select:
- Check - checkmarks the selected host(s) (same as pressing the
  space bar).
- Uncheck - removes the checkmark from the selected host(s)
  (same as pressing the space bar).
- Check All - checkmarks all hosts in the selected Windows
  domain.
- Uncheck All - removes the checkmark from all hosts in the
  selected Windows domain.
Click Install to continue.
5. After you have selected your target hosts, continue to “Push
Installation After Target Host Selection”, 109 for instructions on
push-installing the applications to hosts.

Push Install to Windows Hosts


To install:
1. Select the policy domain for the hosts to which you will install
F-Secure Management Agent.
2. Open the Edit menu and select Push Install to Windows Hosts
(alternatively, click the button).
3. Enter the target host names of those hosts to which you want to push
install, and click Next to continue.
You can click Browse to check the F-Secure Management Agent
version(s) on the host(s).
4. After you have selected your target hosts, continue to “Push
Installation After Target Host Selection”, 109 for instructions on
push-installing the applications to hosts.

Push Installation After Target Host Selection


To push install the installation package(s) after you have selected the
target hosts:
1. Select the installation package, and click Next to continue.
2. Select the products to install. You can choose to force reinstallation if
applications with the same version number already exist. Click Next
to continue.
3. Choose to accept the default policy, or specify which host or domain
policy should be used as an anonymous policy. Click Next to
continue.
4. Choose the user account and password for the push installation.

Push Installation requires administrator rights for the target machine during
the installation. If the account you entered does not have administrator
rights on one of the remote hosts, an “Access denied” error message will
be indicated for that host, while installation will continue on the other hosts.

Select either This Account (the current account) or Another
Account.
This Account — When you select “This Account”, you will use the
security rights of the account currently logged on. Use this option in
the following cases:
a. You are already logged in as Domain Administrator; or
b. You are logged in as the local administrator with a password that
matches the local administrator’s password on the target host.
Another Account — Enter account and password.
The administrator can enter any proper Domain Administrator
account and password to easily complete the remote installation on
selected hosts.
When completing the installation to the trusted and non-trusted
domains with a domain account, make sure you enter the account in
format DOMAIN\ACCOUNT.
When using a local administrator account, use format ACCOUNT. (Do
not enter the host name as part of the account, otherwise the account
is accepted only by the host in question.)

When installing, if the administrator machine has open network connections
to the target machine with another user account, the NT Credential conflict
error message 1219 appears. The solution in this case is to close the
active connections before using the Intelligent Installation.
5. Review the installation summary. To start the Remote Installation
Wizard, click Start.
The Remote Installation Wizard will guide you through a series of
dialog boxes in which you must answer some questions for the
installation to take place. In the final dialog box, click Finish, and go
to the next step.
6. F-Secure Policy Manager installs F-Secure Management Agent and
the selected products on the hosts. During this process, the Status
line will display the procedure in process. You can click Cancel at any
time to stop the installation.
When the Status line displays finished, the process has finished. You
can select in which domain the new hosts should be placed using the
import settings. Click Finish. F-Secure Policy Manager Console will
place the new hosts in the domain that you selected in Step 1, unless
you specified another domain in this dialog. You can also choose not
to place the hosts in any domain automatically. The new hosts will
send autoregistration requests, and the hosts can be imported that way.
7. After a few minutes, the Product View pane (the right pane) will list
the products that were installed. To see this list, select the Installation
tab in the Properties pane (alternatively select the top domain in the
Policy Domain pane).

If the installation fails, see “FSII Remote Installation Error Codes”,
204 for explanations of the most common error situations.

5.4.2 Policy-Based Installation


Base policy files are used to start installations on hosts that have
F-Secure Management Agent installed. F-Secure Policy Manager
Console creates an operation-specific installation package, which it
stores on the F-Secure Policy Manager Server, and writes an installation
task to the base policy files (thus, policy distribution is required to start
installations). Both base policy files and the installation package are
signed by the management key-pair so that only genuine information is
accepted by the hosts.
F-Secure Management Agent on the hosts fetches the new policies from
F-Secure Policy Manager Server and discovers the installation task.
F-Secure Management Agent fetches the installation package specified in
the task parameters from the server and starts the installation program.
When the installation is complete, F-Secure Management Agent sends
the result of the installation operation in an incremental policy file to the
server. F-Secure Policy Manager Console discovers the new status
information and shows the results.
Uninstallation uses these same delivery mechanisms. The results of the
uninstallation will not be reported.

Using the Installation Editor


The Installation Editor must be used on those hosts that already have
F-Secure Management Agent installed. To access the Installation Editor,
open the Policy tab in the Properties pane and select the root node (the
F-Secure sub-tree). Alternatively, open the Install tab in the Properties
pane. The Installation Editor opens in the Product View pane.
In the Installation Editor, the administrator selects the products to be
installed on the currently selected host or policy domain.

Figure 5-19 Installation Editor


The Installation Editor contains the following information about the
products that are installed on your target policy domain or host:

Product Name
    Name of the product, which is either installed on a host or domain,
    or which can be installed with an available installation package.
Installed Version
    Version number of the product. If there are multiple versions of the
    product installed, all version numbers will be displayed. For hosts,
    this is always a single version number.
Version to Install
    Version numbers of the available installation packages for the
    product.
Version Being Installed
    The current version being installed on a host or domain.
Progress
    Progress of the installation task. The ‘Progress’ field displays
    information that is different for hosts and for domains.

If a host is selected, the Progress field displays one of the following
messages:

In progress
    The installation operation has been started (added to policy data),
    but the host has not yet reported the operation’s success or failure.
Failed
    The installation or uninstallation operation failed. Click the button
    in the Progress field for detailed status information.
Completed
    The installation or uninstallation operation succeeded. This message
    will disappear when the Installation Editor is closed.
(Empty field)
    No operations are active. The Installed Version field displays the
    currently installed product version.

If a domain is selected, the Progress field displays one of the following:

<number> hosts left <number> installations failed.
    Number of hosts left and number of failed installations. Click the
    button in the progress field for detailed status information.
Completed
    The installation or uninstallation operation succeeded on all hosts.
(Empty field)
    No operations are active. The Installed Version field displays all
    currently installed product versions.

When all required version numbers are selected, click Start. The
Installation Editor launches the Installation Wizard, which queries the user
for the installation parameters. The Installation Editor then prepares a
distribution installation package that is customized for the specific
installation operation. The new package is saved on F-Secure Policy
Manager Server.

The Start button is used to start the installation operations selected in the
Version to Install field. If the installation editor is closed without first clicking
the Start button, then all changes will be discarded.
Because the installation operation uses policy-based triggering, you must
distribute new policy files. The policy file will contain an entry that tells the
host to fetch the installation package and perform the installation.
Note that it may take a considerable length of time to carry out an
installation operation. This may happen if an affected host is not currently
connected to the network, or if the active installation operation requires a
user to restart his host before the installation is completed. If the hosts are
connected to the network and they send and receive policy files correctly,
then there could be a real problem. The host may not be correctly
acknowledging the installation operation. In any case, it is possible to
remove the installation operation from the policy by clicking Stop All. This
will cancel the installation operations defined for the selected policy
domain or host. It is possible to stop all installation tasks in the selected
domain and all subdomains by selecting the Recursively cancel
installation for subdomains and hosts option in the confirmation dialog.

The Stop All button is enabled only if the current host or domain has an
installation operation defined. Any subdomain operations do not affect the
button state. Stop All only removes the operation from the policy. If a host
has already polled the previous policy file, it may try to carry out the
installation operation even though it is no longer visible in the Installation
Editor.

Remote Uninstallation
Uninstallation can be performed as easily as an update. A distribution
package is created that contains only the software needed to uninstall the
product. If the product does not support remote uninstallation, the
Installation Editor does not display an option for uninstallation.
Choosing Reinstall will reinstall the current version. This option should
only be used for troubleshooting. Most of the time, there is no reason to
reinstall a product.

5.4.3 Local Installation and Updates with Pre-Configured Packages

You can export pre-configured packages in JAR or in MSI (Microsoft
Installer) format. The MSI packages can be distributed, for example,
using Windows Group Policy in Active Directory environment.
The procedure for exporting in both formats is the same, and is explained
below. You can select the file format for the customized package in the
Export Installation Package dialog (see step 4. below).

Login Script on Windows Platforms


There are two ways of doing this: by using a customized remote
installation JAR package or by using a customized MSI package.
Using the Customized Remote Installation JAR Package
1. Run F-Secure Policy Manager Console.
2. Choose Installation Packages from the Tools menu. This will open the
Installation Packages dialog box.
3. Specify the file format, JAR or MSI, and the location where you want
to save the customized installation package. Click Export.
4. Specify the file location where you want to save the customized
installation JAR package. Click Save.
5. Select the products you want to install. Click Next to continue.
6. Choose to accept the default policy, or specify which host or domain
policy should be used as an anonymous policy. Click Next to
continue.
7. Select the installation type. The default, Centrally managed
installation, is recommended.
You can also prepare a package for a stand-alone host.
8. A summary page shows your choices for the installation. Review the
summary and click Start to continue to the installation wizard.
F-Secure Policy Manager Console displays the Remote Installation
Wizards that collect all necessary setup information for the selected
products. It is possible to include any number of custom
autoregistration properties in the installation package. A host will add
these custom properties to the autoregistration message it sends to
the F-Secure Policy Manager after local installation. These
customer-specific properties will appear together with the standard
host identification properties in the Autoregistration view (see
“Autoregistered Hosts”, 97). The custom property name will be the
column name, and the value will be presented as a cell value.
One example of how to utilize custom properties is to create a
separate installation package for different organizational units, which
should be grouped under unit-specific policy domains. The property
name could be Unit and the value is different in each installation
package. Now hosts from each unit can be distinguished in the
autoregistration view, and using the column sorting and multiple
selection all the hosts from one unit can be imported to their target
domain. Note that the target domain can be changed directly from the
autoregistration view, and after that the hosts from another unit can
be imported to their target domain.
When you reach the last wizard page, click Finish to continue.
9. You can install the exported JAR to the hosts by running the
ilaunchr.exe tool. The ilaunchr.exe tool is located in Policy Manager
Console installation directory under the ...\Administrator\Bin directory.
To do this:
a. Copy ilaunchr.exe and the exported JAR to a location where the
login script can access them.
b. Enter the command:
ilaunchr <package name>.jar
where <package name> is replaced by the actual name of the
JAR package being installed.
When the installation runs, the user will see a dialog displaying
the installation progress. If a restart is required after the
installation, the user is prompted to restart the computer as
defined when the installation package was exported.
If you want the installation to run in silent mode, enter the
command in format:
ilaunchr <package name>.jar /Q
Also in this case the user may be prompted to restart the
computer after the installation, and if a fatal error occurs during
the installation, a message is displayed.
ILAUNCHR has the following command line parameters:
/U — Unattended. No messages are displayed, even when a fatal
error occurs.
/F — Forced installation. Completes the installation even if F-Secure
Management Agent is already installed.
Enter ILAUNCHR /? at the command line to display complete help.
See Appendix B. Ilaunchr Error Codes for a list of exit error codes
and an example that can be used in batch files.

5.4.4 Information Delivery


All of the installation information is delivered as files through the F-Secure
Policy Manager Server. The installation packages are JAR archives that
can be viewed (in WinZip, for example), but other file types (such as the
policy files and INI files) are used for triggering the actual installation
process.

Delivery of Installation Packages to F-Secure Policy Manager Server

Before F-Secure Policy Manager Console can start any installation, the
initial installation package must be transferred to F-Secure Policy
Manager Server. The installation packages are available from two
sources:
The installation CD-ROM, or
The F-Secure website.
Normally new remote installation packages are installed from the
CD-ROM, and F-Secure Policy Manager setup moves the packages
automatically to the server. If a remote installation package is obtained
some other way, you can import the package by clicking the Import
button in the Installation Packages view, or import the installation package
from the Installation Packages dialog. Alternatively the installation
package can be copied manually to the /Install/Entry subdirectory under
server.
F-Secure Policy Manager Console will verify that the new installation
package is signed with the F-Secure Corporation’s private key before
allowing the package to be used.

5.5 Managing Policies


This section describes how to configure and distribute policies.

5.5.1 Settings
To configure settings, browse the policy tree and change the values of the
policy variables.
There are two types of policy variables: (1) leaf nodes under a subtree,
and (2) table cells. All policy variables have an associated type. You can
set their values in the Product View pane. A policy variable can be one of
the following types:
Integer: normal integer number
Display String: 7-bit ASCII text string
IP Address: four-octet IP address
Counter: incrementing integer
Gauge: non-wrapping integer
TimeTicks: elapsed time units (measured in 1/100s of a second)
Octet String: binary data (this type is also used in UNICODE text
strings)
OID: object identifier
Opaque: binary data that can represent additional data types
A policy variable may have a pre-defined default value. The default
values behave as if they were inherited from above the root domain. That
is, they appear to be inherited values even if the top (root) domain is
selected. Default values can be overridden just like any other value.
Values on the selected policy domain level are color-coded as follows:
Black – Changed values on the selected policy domain or host
level
Gray – Inherited values
Red – Invalid values
Dimmed red – Inherited invalid values.

5.5.2 Restrictions
There are two types of restriction: Access restrictions and Value
restrictions.

Access restrictions are Final and Hidden. Final always forces the policy:
the policy variable overrides any local host value, and the end user
cannot change the value as long as the Final restriction is set. Hidden
merely hides the value from the end user. Unlike the Final restriction, the
Hidden restriction may be ignored by the managed application.

Figure 5-20 Embedded restriction editor


Using value restrictions, an administrator can restrict the values of any
policy variable to a list of acceptable values from which the user can
choose. Additionally, the administrator can restrict integer-type variables
(Integer, Counter, and Gauge) to a range of acceptable values. An
additional restriction, the FIXED SIZE restriction, can be applied to tables.
With this restriction, the end user cannot add or delete rows from
fixed-size tables. Because the Final restriction cannot be used for empty
tables, the FIXED_SIZE restriction should be used for this purpose
(preventing end users from changing tables' values).
If a variable in the product Management Information Base (MIB) already
contains a range or choice definition, the administrator can further restrict
the range or choices, but not extend them. If the product MIB does not
define value restrictions, the administrator can specify any range or
choice restriction.
Restrictions can be edited within the embedded Product View pane, or in
a separate dialog box. To toggle between these two choices, choose
Embedded Restriction Editors from the View menu. If embedded editors
are switched off, the Product View pane displays buttons for launching the
dialog editors.

5.5.3 Saving the Current Policy Data


The policy data is a database that contains policy information for each
policy domain and host.
To save the policy data, choose either Save or Save As from the File
menu. Save As is recommended as you save the policy data with a new
name thus allowing you to revert to an older policy configuration, if
needed.

5.5.4 Distributing Policy Files


After you have finished configuring domains and hosts, you must
distribute the new configurations to the hosts. To do this, click in the
toolbar or select Distribute from the File menu (alternatively press
CTRL+D). F-Secure Policy Manager Console saves the current policy
data and then generates Base Policy. Policy files are copied to the
Communication directory, where the F-Secure software on the hosts
checks for them periodically.

No changes will take effect before you have distributed the policy and the
host has fetched the policy file. This also applies to operations, because
they are implemented using the policy-based mechanism.

5.5.5 Policy Inheritance


In F-Secure Policy Manager Console, each policy domain automatically
inherits the settings of its parent domain, allowing for easy and efficient
management of large networks. The inherited settings may be overridden
for individual hosts or domains. When a domain's inherited settings are
changed, the changes are inherited by all of the domain’s hosts and
subdomains. Any overridden setting can be made inherited again by
using the Clear operation. Because the setting is deleted from the
currently selected policy domain or host, the setting is replaced by the
setting in the parent domain.

Policy inheritance simplifies the defining of a common policy. The policy
can be further refined for subdomains or even individual hosts. The
granularity of policy definitions can vary considerably among installations.
Some administrators might want to define only a few different policies for
large domains. Other administrators might attach policies directly to each
host, achieving the finest granularity.
Combining these strategies achieves the best of both worlds. Some
products could inherit their policies from large domains, while other
products could inherit their policies from subdomains or even get
host-specific policies.
If policy changes are implemented at multiple levels of the policy domain
hierarchy, tracking changes can become a challenging task. One
convenient way is to use the Show Domain Values operation to see what
changes have been made to one specific policy setting.

Figure 5-21 Show Domain Values dialog


If the subdomain or host values need to be reset to the current domain
values, the Force Value operation can be used to clean the sub-domain
and host values.

You can also use the Reporting Tool to create Inheritance Reports
that show where inherited settings have been overridden. For more
information, see “Reporting Tool”.
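
The inheritance rules described above, modelled as an added example (not F-Secure code and not how Policy Manager stores policy data). The domain tree, the setting name scan_mode and its values are constructed for illustration.

```python
"""Model of policy inheritance in a policy domain tree (illustration only)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MIB_LEVEL = "(MIB default)"  # defaults behave like a domain above the root


@dataclass(eq=False)
class Node:
    """A policy domain or a host; hosts are simply nodes without children."""
    name: str
    parent: Optional["Node"] = None
    children: List["Node"] = field(default_factory=list)
    local: Dict[str, str] = field(default_factory=dict)  # values set at this level

    def add(self, name: str) -> "Node":
        child = Node(name, parent=self)
        self.children.append(child)
        return child

    def path(self) -> str:
        return self.name if self.parent is None else self.parent.path() + "/" + self.name


def subtree(node: Node) -> List[Node]:
    """All nodes at or below `node`, parents before children."""
    out = [node]
    for child in node.children:
        out.extend(subtree(child))
    return out


def resolve(node: Node, setting: str, mib_defaults: Dict[str, str]) -> Tuple[str, str]:
    """Return (effective value, level it comes from) for one setting."""
    cur: Optional[Node] = node
    while cur is not None:
        if setting in cur.local:          # nearest override wins
            return cur.local[setting], cur.path()
        cur = cur.parent
    return mib_defaults[setting], MIB_LEVEL  # nothing set, even at the root


def clear(node: Node, setting: str) -> None:
    """Clear: delete the local value so the parent's value applies again."""
    node.local.pop(setting, None)


def show_domain_values(node: Node, setting: str) -> List[Tuple[str, str]]:
    """Show Domain Values: every level at or below `node` that sets the value."""
    return [(n.path(), n.local[setting]) for n in subtree(node) if setting in n.local]


def force_value(node: Node, setting: str) -> List[str]:
    """Force Value: remove overrides below `node`; returns the cleaned paths."""
    cleaned = []
    for n in subtree(node)[1:]:           # skip `node` itself, keep its value
        if setting in n.local:
            del n.local[setting]
            cleaned.append(n.path())
    return cleaned


def build_demo() -> Tuple[Node, Dict[str, Node], Dict[str, str]]:
    """Constructed tree: Root -> Engineering (2 hosts) and Sales (1 host)."""
    mib_defaults = {"scan_mode": "on"}    # hypothetical setting and default
    root = Node("Root")
    eng, sales = root.add("Engineering"), root.add("Sales")
    nodes = {"eng": eng, "sales": sales,
             "eng-laptop": eng.add("eng-laptop"),
             "eng-build": eng.add("eng-build"),
             "sales-pc": sales.add("sales-pc")}
    eng.local["scan_mode"] = "on-with-exclusions"   # domain-level override
    nodes["eng-build"].local["scan_mode"] = "off"   # host-level override
    return root, nodes, mib_defaults


if __name__ == "__main__":
    root, nodes, mib = build_demo()
    for key in ("sales-pc", "eng-laptop", "eng-build"):
        print(key, resolve(nodes[key], "scan_mode", mib))
    print("overridden at:", show_domain_values(root, "scan_mode"))
    print("forced below Engineering:", force_value(nodes["eng"], "scan_mode"))
    print("eng-build now:", resolve(nodes["eng-build"], "scan_mode", mib))
```

The list returned by show_domain_values is the information to review when a host's effective setting is weaker than its domain's: it names each level where the inherited value was overridden.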

Index Inheritance in Tables


When you clear a row in a table using the Clear row button, the selected
row is emptied. The result depends on the types of default rows defined in
the parent domains and in MIB as default rows.
If a row exists that has the same index values as the cleared row,
it will be re-inherited.
If a row that has the same index values as the cleared row does
not exist, the emptied row will remain empty after the Clear row
operation.

The row can be inherited from a parent domain, or from a MIB (a
definition of the settings that contains the default values for all
settings) as a default row. The MIB can be considered a "domain
above the root domain" in relation to leaf value or row inheritance.
MIB defaults are inherited to subdomains unless overridden at a
domain level. To override an inherited row, define a row with the
same index column values. MIB defaults are obtained based on the
product version installed on hosts. For a domain, the values from
the newest product version are used.
Certain F-Secure products override the default table implementation, and
as such they do not implement the normal table inheritance as stated
above.
For example, the following tables use their own mechanism without basic
table inheritance:
F-Secure Internet Shield Rules table
F-Secure Internet Shield Services table
F-Secure Internet Shield Security Levels table
Please refer to the corresponding product manuals for more information
about table behavior in these cases.

Inherited and locally derived rows can be distinguished by color:
inherited rows are gray and locally derived rows are black.

5.6 Managing Operations and Tasks


To launch an operation from F-Secure Policy Manager Console:
1. Select one of the actions from the selected product’s Operations
branch in the Policy tab of the Properties pane.

2. Click Start in the product view pane to start the selected operation.
3. The operation begins on the host as soon as you have distributed the
new policy and the host has fetched the policy file. You may click
Cancel at any time to undo the operation.

5.7 Alerting
This section describes how to view alerts and reports, and how to
configure alert forwarding.

5.7.1 Viewing Alerts and Reports


The hosts can send alerts and reports if there has been a problem with a
program or an operation. When an alert is received, the button will
brighten. To view the alerts, click . The Alerts tab in the Properties
pane will open. All alerts received will be displayed in the following format:

Ack: Click the Ack button to acknowledge an alert. If all the alerts
are acknowledged, the Ack button will be dimmed.
Severity: The problem’s severity. Each severity level has its own icon:
    Info: Normal operating information from a host.
    Warning: A warning from the host.
    Error: Recoverable error on the host.
    Fatal error: Unrecoverable error on the host.
    Security alert: Security hazard on the host.
Date/Time: Date and time of the alert.
Description: Description of the problem.
Host/User: Name of the host/user.
Product: The F-Secure product that sent the alert.

When an alert is selected from the list, the Product View pane displays
more specific information about the alert. F-Secure Anti-Virus scanning
alerts may have an attached report. This report will also be in the Product
View pane.

To view reports, click on the Reports tab in the Properties pane, or choose
Messages from the Product View menu. The Reports tab has the same
structure as the Alerts tab.
Alerts tables and Reports tables can be sorted by clicking on the column
heading.

5.7.2 Configuring Alert Forwarding


You can configure alerts by editing the Alert Forwarding table, which is
located under F-Secure Management Agent>Settings>Alerting>Alert
Forwarding.

Figure 5-22 F-Secure Management Agent>Settings>Alert Forwarding.

The same table can also be found in the F-Secure Management Agent
product view in the Alert Forwarding tab.
You can specify where alerts are sent according to severity level. The
target can be F-Secure Policy Manager Console, the local user interface,
an alert agent (such as the Event Viewer, a log file, or SMTP), or a
management extension.
The Alert Forwarding table has its own set of default values.

Figure 5-23 Alert Forwarding table


Information alerts and warning-level alerts are, by default, not sent to
F-Secure Policy Manager Console or displayed to the user. These
lower-priority alerts and notifications can provide very useful information
for troubleshooting, but if these alerts are enabled, the number of
transmitted alerts will increase substantially. If you have a large domain
structure, specifying strict alert-forwarding rules at the root domain level
could flood F-Secure Policy Manager Console with too many alerts.
You can further configure the alert target by setting the policy variables
under target-specific branches. For example
“Settings->Alerting->F-Secure Policy Manager Console->Retry Send
Interval” specifies how often a host will attempt to send alerts to F-Secure
Policy Manager Console when previous attempts have failed.

5.8 Reporting Tool


The Reporting tool allows users to view and export reports of F-Secure
Policy Manager Console managed data. The viewing and exporting
functionality provides a fine way to examine the data of several hosts/
domains at the same time.
To launch the Reporting tool, go to the Tools menu and select
Reporting… . The Reporting tool can also be launched from the context
menu in F-Secure Policy Manager Console’s Policy Domain pane.

Figure 5-24 Reporting Tool

5.8.1 Policy Domain / Host Selector Pane


In the Policy Domain / Host Selector pane you can select the domains
and/or hosts you are interested in from the reporting point of view. The
domain selected in the Policy Domain pane is selected by default in the
Reporting tool.
By selecting the Recursive check box, all hosts that are recursively under
the selected domains in the domain hierarchy are also included in the
report.

5.8.2 Report Type Selector Pane


In the Report Type Selector pane you can do the following:
Select the type of report to be made.
Select the filtering by product (only information on selected
products is included in the report).
The following report types are currently available:

Policy Report Type: Export/view reports containing values of all
policy variables of the selected products from the selected domains.
With the Inheritance check box you can also select whether
inheritance information is included in the report.

Inheritance Report Type: Export/view reports containing values of all
policy variables of the selected products from the selected domains
that are not inherited from any upper-level domain, i.e. values of all
policy variables that are overridden in the selected domains.

Status Report Type: Export/view reports containing the values of all
local settings and status variables of the selected products from the
selected domains.

Properties Report Type: Export/view reports containing values of all
domain-component property fields. With the Property Selector check
boxes you can also select which property fields are included in the
report.

Alert Report Type: Export/view reports containing information on all
alerts at the selected domains. You can also sort alerts with the Sort
Order Selector by defining the sort order among alert description
fields. With the Severity Selector you can select the severities of
the alerts that are included in the report.

Configuration Report Type: Export/view reports containing information
on installed products of the selected products from the selected
domains.

Anti-Virus Report Type: Export/view reports containing values of domain
status of product versions and virus definition database updates.

5.8.3 Report Pane


In the Report pane, you can:
Select report type dependent configurations for the currently
selected report type. With the report type dependent
configurations, you can apply further filtering to the report.
Find the description of the currently selected Report Type.
Configurations for the currently known report types are:
Policy report type dependent configurations allow you to select
whether inheritance information of policy values is included in the
report.
Properties report type dependent configurations allow you to
select which of the identities, platform, miscellaneous and polling
properties are included in the report.
Alert report type dependent configurations allow you to sort
alerts by all the alert description fields and to select by severity
which alerts are included in the report.

5.8.4 Bottom Pane


In the bottom pane, you can:
Reset the defaults to all user interface components.
Launch the report exporting process.
Launch the report viewing process.
Stop the report generating process.
Close the Reporting Tool user interface. This does not stop
generation of the report to be exported; it is run in the
background. The report being generated for viewing can be
stopped from the dialog that appears.

Viewing the Report


Click View in the bottom pane to generate a report of the selected report
type with selected configurations. The report is then viewed in HTML
format with the default web browser. If a default web browser has not been
defined, a dialog box appears prompting you to define your web browser.

Exporting the Report


Click Export in the bottom pane to generate a report from the selected
report type with the selected configurations. You can define the file path
and report format for the report to be made with the File save dialog that
appears. The report is then exported to the selected file in the selected
report format.

5.9 Preferences
Preference settings are either shared or applied to the specific
connection.

5.9.1 Connection-Specific Preferences


To edit these, select Preferences from the Tools menu. Only the current
connection object is affected.

Tab: Communication

    Polling Periods: Polling periods for different package types. You
    can select or clear the check boxes to enable or disable the
    polling of a specific package type. Select the Disable All Polling
    check box if you want to always use manual refresh operations
    instead of automatic polling.

    Host connection status: Controls when hosts are considered
    disconnected from F-Secure Policy Manager. All hosts that haven't
    contacted Policy Manager Server within the defined interval are
    considered disconnected. The disconnected hosts will have a
    notification icon in the domain tree and they will appear in the
    Disconnected Hosts list in the Domain status view. The domain tree
    notification icons can be switched off from Appearance > Policy
    Domain Options. Note that it's possible to define an interval
    shorter than one day by typing in a floating point number in the
    setting field. For example, with a value of "0.5" all hosts that
    haven't contacted the server within 12 hours are considered
    disconnected. Values less than one day are normally useful only
    for troubleshooting purposes, because in a typical environment
    some hosts are naturally disconnected from the server every now
    and then. For example, laptop computers may not be able to access
    the server daily, but in most cases this is perfectly acceptable
    behavior.

    Alerts and Reports Options: These options control:
        the automatic deletion of old alerts and reports
        the background loading of alerts and reports

Tab: Advanced communication options

    Status Cache: You can adjust the number of hosts for which
    F-Secure Policy Manager Console caches status information.

    Disable initial status loading: You can disable initial status
    loading if you want to reduce F-Secure Policy Manager Console
    startup time in a large environment (this is an advanced option
    that should be used with care, since it causes the following
    functional differences to the normal status handling):
        1. All hosts appear to have no software installed. This
        affects the Properties pane and the Installation Editor.
        2. Status items are not initially available. This affects the
        Properties pane and product views, whenever the Status tab is
        selected.
        3. All hosts will receive policies generated from the latest
        MIB version, because MIB version information is not available.
    Skipping the initial status loading does not affect manual status
    refreshment or periodic status polling. If necessary, you can
    disable the automatic status polling. To do this, open the Tools
    menu and select Preferences. Select the Communications tab and
    click Polling Period options. Check the Disable all polling
    checkbox.

Tab: Policy Files

    Policy File Optimizations: Indentation defines if separation
    characters will be added to the file when it is being created,
    which would make it more human-readable. If you choose to switch
    Indentation off, no separator characters will be added, and the
    files will be less human-readable, but still completely correct
    and machine-readable. It is possible to select either space or tab
    characters as separators. Tabs are recommended because the
    resulting file is smaller than with space separators.
    Include Comments affects the size of the policy files produced by
    F-Secure Policy Manager Console. These comments are used to make
    the file more understandable by the users if they want to read the
    values directly from the file.
    These settings are normally used only for debugging purposes, and
    both indentation and comments could be disabled in normal
    production use.

    Policy File Serial Number: The serial number of generated Base
    Policy files. The serial number increments automatically.
    Normally, there is no need to adjust it manually. You only need to
    increase the value if hosts are not accepting policy files because
    of serial numbers that are too low (the hosts report this as
    errors). In this case, the serial number must be increased to be
    larger than the serial number in the latest Base Policy file
    fetched by the hosts.

Tab: Push Installation

    Installation Timeout: The maximum time F-Secure Policy Manager
    Console waits for the results of an installation operation.

    Browsing Timeout: Important only if the Hide Already Managed Hosts
    option is in use. This is the maximum time allowed to access the
    host registry.

    Maximum concurrent network operations: You can adjust the number
    of network operations. The default is recommended, but if you have
    a slow network connection that is causing problems when you are
    push installing, decrease the number of concurrent network
    connections accordingly.

    Progress Indicator: You can choose to display the progress
    indicator to end users during remote installation.

5.9.2 Shared Preferences


These apply to all connections defined in a particular installation of
F-Secure Policy Manager Console.

Tab: Appearance -> General Options

    Language: Language selection. You can select the local language of
    your operating system or the default English setting. All objects
    that do not support the system’s local language will be displayed
    in English. You must restart F-Secure Policy Manager Console for
    the change to take effect.

Tab: Appearance -> Policy Domains

    Highlight Disconnected Hosts: You can highlight disconnected hosts
    in a policy domain tree.

    Font: Font used throughout F-Secure Policy Manager Console. The
    font change will take place after program restart.

    Look & Feel: Defines the appearance and behavior of the user
    interface components. The change will take place after program
    restart.

Tab: Policy Files

    Products: Allows you to deactivate MIBs for products which you do
    not have installed, and exclude them from the distributed policy
    files. Deactivating MIBs reduces the size of the policy files sent
    to managed hosts.
    WARNING: Do not deactivate MIBs unless you have been instructed to
    do so by F-Secure. Deactivating MIBs for products that are
    actually installed in some managed hosts will result in system
    malfunction.

Tab: Push Installation

    Clear Cache: You may clear all cached information concerning
    browsed hosts and installed software to clean up disk space.

Tab: Location

    Web Club Area: Choose your location to connect to the F-Secure web
    server closest to you.

    HTML Browser Path: The full path to the HTML browser’s executable
    file. The browser is utilized for displaying online Help pages,
    Web Club pages, and Anti-Virus reports.

    Message Logs Path: You can enter the path to a directory where log
    files for each tab on the Message view are created. Each log file
    contains the title of the corresponding tab and a message per line
    including severity and creation time.

    Save Messages: Toggle message saving on and off. It is highly
    recommended that you keep logging on as the log information can be
    useful for troubleshooting.

Tab: Anti-Virus

    Virus Definitions: With this value you can define the time after
    which virus definitions are shown as outdated in Anti-Virus mode.
6 MAINTAINING F-SECURE POLICY MANAGER SERVER

Overview
Backing Up & Restoring F-Secure Policy Manager Console Data
Replicating Software Using Image Files

6.1 Overview
F-Secure Policy Manager Server can be maintained by routinely backing
up and restoring the console data in the Server.

6.2 Backing Up & Restoring F-Secure Policy Manager Console Data
It is highly recommended that you back up the most important
management information regularly. At a minimum, back up the entire
fsa\domains directory of the communication directory. The communication
directory is normally located under the F-Secure Policy Manager Server
installation directory under commdir\. This directory contains both the
policy domain structure and all saved policy data.

Before backing up the fsa\domains directory, make sure that no
F-Secure Policy Manager Console sessions are open.

It is also possible to back up the entire repository. By doing so, you will be
able to restore not only the policy domain structure, but also the alerts,
host statistics, and installation operations. You will also be able to quickly
restore policy files. When you only back up the fsa\domains directory, you
must distribute the policies afterwards. The disadvantage of backing up
the entire repository is that there can be tens of times more data than in
the fsa\domains directory. Another disadvantage is that F-Secure Policy
Manager Server must be stopped before doing the full backup.

To back up the management key-pair, copy the admin.prv file and the
admin.pub file from the root of the local F-Secure Policy Manager
Console installation directory. Keep the admin.prv file stored in a secure
place. It is very important to save a backup copy of the admin.prv key file.

If you lose a management key (either admin.pub or admin.prv), you
will have to create a new key pair and distribute the respective
admin.pub key to all the managed hosts by reinstalling each host
manually, since policy based operations cannot be used any more.
Trust between F-Secure Policy Manager Console and managed
hosts is based on a digital signature. Without the correct private
key, it is not possible to create a valid signature that hosts would
accept.
If you want to save the F-Secure Policy Manager Console preferences,
back up the lib\Administrator.properties file from the local installation
directory.

The “Administrator.properties” file is created during the first run of
F-Secure Policy Manager Console and contains session related
information such as window size or the server URL.

Creating the Backup


You can choose between two methods of creating a backup:
Full Backup. A full backup lets you restore the policy domain
structure as well as the alerts, host statistics, and installation
operations.
Policy Data and Domain Structure Backup. Backup of the
fsa\domains directory of Policy Manager Server’s repository
(Commdir).
Full Backup
1. Close all F-Secure Policy Manager Console management sessions.
2. Stop F-Secure Policy Manager Server service.
3. Back up the Communication Directory.
4. Back up the admin.prv and admin.pub files from the root of the local
F-Secure Policy Manager Console installation directory.
5. Back up the lib\Administrator.properties file from the local F-Secure
Policy Manager Console installation directory.
6. Restart F-Secure Policy Manager Server service.
7. Reopen the F-Secure Policy Manager Console management
sessions.
Policy Data and Domain Structure Backup
1. Close all F-Secure Policy Manager Console management sessions.
2. Back up the fsa\domains directory and save the backup copy in a
secure place.
3. Reopen the F-Secure Policy Manager Console management
sessions.

Restoring the Backup


If you backed up the full content of the communication directory and
Console information such as keys and preferences (Full Backup), restore
it as follows:
1. Close all F-Secure Policy Manager Console management sessions
and stop F-Secure Policy Manager Server service.
2. Delete the communication directory.
3. Copy the backup of the communication directory to its correct
location.
4. Copy the admin.pub to the root of the Console installation directory.
5. Copy the admin.prv to the root of the Console installation directory.
6. Copy the Console preferences (Administrator.properties) to the
<console installation directory>\lib directory.
7. Restart F-Secure Policy Manager Server service.
8. Reopen the F-Secure Policy Manager Console management
sessions.
9. Distribute policies.
If you backed up only the Policy Domain Structure (Policy Data and
Domain Structure Backup), restore it as follows:
1. Close all F-Secure Policy Manager Console management sessions
and stop F-Secure Policy Manager Server service.
2. Delete the contents of the <communication directory>\fsa\domains
directory.
3. Copy the backed up data to the same directory as above.
4. Restart F-Secure Policy Manager Server service.
5. Reopen all F-Secure Policy Manager Console management
sessions.
6. Distribute policies.

6.3 Replicating Software Using Image Files


F-Secure Anti-Virus may be included when software is replicated using
disk image files. Every product installation does, however, contain a
unique identification code (Unique ID) that is used by F-Secure Policy
Manager. Several computers may attempt to use the same Unique ID if
disk image software is used to install new computers. This situation will
prevent F-Secure Policy Manager from functioning properly.
Please follow these steps to make sure that each computer uses a
personalized Unique ID even if disk imaging software has been used.
1. Install the system and all the software that should be in the image file,
including F-Secure Anti-Virus. Configure F-Secure Anti-Virus to use
the correct F-Secure Policy Manager Server. However, do not import
the host to F-Secure Policy Manager Console if the host has sent an
autoregistration request to the F-Secure Policy Manager Server. Only
hosts on which the image file will be installed should be imported.
2. Run the fsmautil resetuid command from the command prompt. This
utility is typically located in the C:\Program Files\F-Secure\Common
directory (the directory may be different if you are using a localized
version of Windows or if you have specified a non-default installation
path).
3. Shut down the computer. Do not restart the computer at this stage.
4. Create the disk image file.
5. The utility program resets the Unique ID in the F-Secure Anti-Virus
installation. A new Unique ID is created automatically when the
system is restarted. This will happen individually on each machine
where the image file is installed. These machines will send
autoregistration requests to F-Secure Policy Manager and the
request can be processed normally.
7 UPDATING F-SECURE VIRUS DEFINITION DATABASES

Automatic Updates with F-Secure Automatic Update Agent
Using the Automatic Update Agent
Forcing the Update Agent to Check for New Updates Immediately
Updating the Databases Manually
Troubleshooting

7.1 Automatic Updates with F-Secure Automatic Update Agent
With F-Secure Automatic Update Agent, you are able to receive
automatic updates and informational content without interrupting your
work to wait for files to download from the Web. F-Secure Automatic
Update Agent downloads files automatically in the background using
bandwidth not being used by other Internet applications, so users can
always be sure they will have the latest updates without having to search
the Web.
If the F-Secure Automatic Update Agent is always connected to the
Internet, it will automatically receive new automatic updates within about
two hours after they have been published by F-Secure. Any possible
delays will depend on when a connection to the Internet is available.
F-Secure Automatic Update Agent is used to update either centrally
managed or stand-alone F-Secure products. By default the agent also
downloads Virus News. Downloading these can be disabled if so desired.
You may install and use F-Secure Automatic Update Agent in conjunction
with licensed F-Secure Anti-Virus and security products.

How it works
When the F-Secure Automatic Update Agent service is started, it
connects to F-Secure’s Automatic Update server. The agent will keep
polling the server regularly to see whether there is new content available.
Any new content will be automatically downloaded. The polling interval is
set on the server side and cannot be adjusted from the client side.

In F-Secure Policy Manager 6.0 and onwards, the Automatic Update
Agent installed with F-Secure products tries to download the automatic
updates from the configured update sources in the following order:
a. If there are Policy Manager Proxies in use in the company
network, the client tries to connect to F-Secure Policy Manager
Server through each Policy Manager Proxy in turn.
b. If the client is configured to use HTTP Proxy, it tries to download
the updates through the HTTP Proxy from F-Secure Policy
Manager Server.
c. Next the client tries to download the updates directly from
F-Secure Policy Manager Server.
d. If there are Policy Manager Proxies in use in the company
network, the client tries to connect to F-Secure Update Server
through each Policy Manager Proxy in turn.
e. If the client is configured to use HTTP Proxy, it tries to download
the updates through the HTTP Proxy from F-Secure Update
Server.
f. After that the client tries to download the updates directly from
F-Secure Update Server.

The Benefits of Using F-Secure Automatic Update Agent


Optimized downloads of virus definition updates
F-Secure Automatic Update Agent detects when the virus definition
database has been changed. It uses sophisticated byte-level algorithms
to download only the changes instead of whole files or the whole
database. Changes are typically only a small fraction of the complete
update, and this enables dial-up users with slow modems to get the daily
updates conveniently, saving significant amounts of bandwidth for
fixed-connection users as well.
Resumable data transfers
F-Secure Automatic Update Agent downloads content over multiple
sessions. If the download is interrupted, F-Secure Automatic Update
Agent saves what was downloaded and continues to download the rest of
the file next time you connect.

Automated updates
You don't have to look for the updates and manually download them. With
F-Secure Automatic Update Agent, you will automatically get the virus
definition updates when they have been published by F-Secure.

7.2 Using the Automatic Update Agent


With F-Secure Policy Manager 7.0 and onwards, the F-Secure Automatic
Update Agent installed with F-Secure Policy Manager is configured by
editing the fsaua.cfg configuration file. For more information, see
“Configuration” below.
You can check that the application is working properly by viewing the log
file. For more information, see “How to Read the Log File”, 149.

7.2.1 Configuration

IMPORTANT: These configuration instructions apply only to the
F-Secure Automatic Update Agent installed with F-Secure Policy
Manager Server. You should only edit the settings mentioned
below. Do not edit the other settings in the configuration file.

Step 1. To configure F-Secure Automatic Update Agent, open the fsaua.cfg
configuration file located in
C:\Program Files\F-Secure\FSAUA\program\fsaua.cfg

Step 2. Specify HTTP Proxies

The http_proxies directive controls which HTTP proxies are used by
the F-Secure Automatic Update Agent.
Use the following format:
http_proxies=[http://][[domain\]user[:passwd]@]<address>[:port][,[http://][[domain\]user[:passwd]@]<address>[:port]]

Examples:
http_proxies=http://proxy1:8080/,http://backup_proxy:8880/,http://domain\username:usernamespassword@ntlmproxy.domain.com:80

Step 3. Specify the Polling Interval

The poll_interval directive specifies how often the F-Secure
Automatic Update Agent checks for new updates. The default is 3600
seconds, which is 1 hour.
poll_interval=3600

If the minimum polling interval defined at the F-Secure Update
Server is, for example, 2 hours, the settings in F-Secure Automatic
Update Agent configuration file cannot override that limitation.

Step 4. Save and close the file.

Step 5. For the changes to take effect, you need to stop and restart the fsaua
service. To do this, enter the following commands on the command line:
net stop fsaua
net start fsaua

7.2.2 How to Read the Log File


The fsaua.log file is used to store messages generated by F-Secure
Automatic Update Agent. Some of the messages provide information
about normal operations, such as startup and shutdown. Other messages
indicate errors.
The fsaua.log file is located in
C:\Program Files\F-Secure\FSAUA\program
Reading the Log
Every message in the log contains the following information:
The date and time the message was generated.
A brief explanation of what happened. When an update is
downloaded, the update name and version are shown.
For updates, the message also shows the update source and the
size of the download.
For example:
[ 3988]Thu Oct 26 12:40:39 2006(3): Downloaded 'F-Secure Anti-Virus Update 2006-10-26_04' - 'DFUpdates' version '1161851933' from fsbwserver.f-secure.com, 12445450 bytes (download size 3853577)

Messages in fsaua.log
Below are examples of some messages that you can find in the log file.

Message: Update check completed successfully
Meaning: The connection to the update source was successful.

Message: Update check completed successfully. No updates are
available.
Meaning: The connection to the update source was successful, but
there was nothing new to download.

Message: Downloaded 'F-Secure Anti-Virus Update 2006-10-26_04' - 'DFUpdates' version '1161851933' from fsbwserver.f-secure.com, 12445450 bytes (download size 3853577)
Meaning: The connection was successful and some files were
downloaded. For a list of update types that you can find in the log, see
“What Updates are Logged in fsaua.log?”, 152.

Message: Installation of 'F-Secure Anti-Virus Update 2006-10-26_04' : Success
Meaning: The files were successfully placed into the destination
directory (and the existing files were removed). This is the
result of updating the communication directory. Note that
F-Secure Automatic Update Agent is not able to display
whether the new files have been taken into use by the
host(s) or not.

Message: Update check failed. There was an error connecting fsbwserver.f-secure.com (DNS lookup failure)
Meaning: An error message indicating that the update check failed.
For more information on the most common errors and
instructions on how to solve the problems, see
“Troubleshooting”, 154.

What Updates are Logged in fsaua.log?


Below is a list of updates you can find in the log:
'F-Secure Anti-Virus Update 2006-10-24_01' - 'DFUpdates'
'F-Secure Spam Control Update 2006-10-19_02' - 'SCDB3'
'F-Secure Anti Spyware Update 2006-10-18_07' - 'SWCDB'
'F-Secure News Update 2006-10-20_01' - 'VirusNews'
'F-Secure Anti-Virus AVP Extended Update 2006-10-20_05' - 'avpe'
'F-Secure Anti-Virus Libra Update 2006-10-24_04' - 'libradb'
'F-Secure Anti-Virus Orion Update 2006-10-02_07' - 'oriondb'
'F-Secure Anti-Virus Misc Update 2006-10-09_03' - 'avmisc'
'F-Secure Housekeeper Update 2006-10-09_03' - 'hke-freebsd'
'F-Secure Housekeeper Update 2006-10-09_03' - 'hke-linux'
'F-Secure IDS Update 2006-10-09_03' - 'idsdb'
'F-Secure Hydra Update 2006-10-09_03' - 'hydrawin'
'F-Secure Hydra Update 2006-10-09_03' - 'hydralinux'
'F-Secure Universal System scanner update 2006-10-09_03' - 'mlcwin'
'F-Secure BlackLight Engine Update 2006-09-15_01' - 'BLENG'
'F-Secure Gemini Update 2006-09-05_04' - 'gemdb'
'F-Secure HIPS Update 2006-09-01_04' - 'hipscfg'
'F-Secure Pegasus Update 2006-09-29_03' - 'pegdb'

How to Check from the Log that Everything Works?


When everything works the way it should, the last installation result for
each downloaded update should be shown as ‘Success’. For example:
Installation of 'F-Secure Anti-Virus Update 2006-10-26_04' : Success

You can also see a summary of the Virus, Spyware and System Control
update statuses on the server on the Summary tab in F-Secure Policy
Manager Console.
To check the update status on a centrally managed host, go to the Status
> Overall Protection page in F-Secure Policy Manager Console.
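
The log check described in this section can be automated. The following Python code is an added example, not part of F-Secure's tooling; it assumes each message occupies one line of fsaua.log in the format shown above, and that any installation result other than 'Success' counts as a failure. The function names and the sample lines are constructed for illustration.

```python
import re

# Message layout shown in this chapter:
#   [ 3988]Thu Oct 26 12:40:39 2006(3): <message text>
# The timestamp is the fixed-width, 24-character ctime() form.
LINE_RE = re.compile(r"^\[\s*(\d+)\](.{24})\((\d+)\): (.*)$")
DOWNLOAD_RE = re.compile(r"^Downloaded '([^']+)' - '([^']+)' version '(\d+)' from (\S+),")
INSTALL_RE = re.compile(r"^Installation of '([^']+)' : (.+)$")
FAILED_PREFIX = "Update check failed."

# Constructed sample. The message texts follow the examples in this guide;
# the 'Failed' result is a hypothetical non-Success value (the guide shows
# only 'Success'), and the versions and sizes of the last two downloads
# are made up.
SAMPLE_LOG = "\n".join([
    "[ 3988]Thu Oct 26 12:40:12 2006(3): Update check completed successfully. No updates are available.",
    "[ 3988]Thu Oct 26 12:40:39 2006(3): Downloaded 'F-Secure Anti-Virus Update 2006-10-26_04' - 'DFUpdates' version '1161851933' from fsbwserver.f-secure.com, 12445450 bytes (download size 3853577)",
    "[ 3988]Thu Oct 26 12:41:02 2006(3): Installation of 'F-Secure Anti-Virus Update 2006-10-26_04' : Success",
    "[ 3988]Thu Oct 26 13:41:05 2006(3): Downloaded 'F-Secure Anti Spyware Update 2006-10-18_07' - 'SWCDB' version '1161160000' from fsbwserver.f-secure.com, 2000000 bytes (download size 500000)",
    "[ 3988]Thu Oct 26 13:41:30 2006(3): Installation of 'F-Secure Anti Spyware Update 2006-10-18_07' : Failed",
    "[ 3988]Thu Oct 26 14:41:07 2006(3): Update check failed. There was an error connecting fsbwserver.f-secure.com (DNS lookup failure)",
    "[ 3988]Thu Oct 26 15:41:09 2006(3): Downloaded 'F-Secure Spam Control Update 2006-10-19_02' - 'SCDB3' version '1161250000' from fsbwserver.f-secure.com, 900000 bytes (download size 100000)",
])


def channel_of(update_name):
    """Drop the trailing date stamp, so that
    'F-Secure Anti-Virus Update 2006-10-26_04' -> 'F-Secure Anti-Virus Update'
    and a newer version of the same update replaces the older result."""
    return update_name.rsplit(" ", 1)[0]


def check_log(text):
    """Summarize the update state recorded in fsaua.log text."""
    last_install = {}    # channel -> (timestamp, update name, result)
    pending = {}         # update name -> timestamp of a download not yet installed
    check_failures = []  # (timestamp, reason)
    unparsed = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        _tag, stamp, _num, msg = m.groups()
        d = DOWNLOAD_RE.match(msg)
        if d:
            pending[d.group(1)] = stamp
            continue
        i = INSTALL_RE.match(msg)
        if i:
            name, result = i.group(1), i.group(2).strip()
            last_install[channel_of(name)] = (stamp, name, result)
            pending.pop(name, None)
            continue
        if msg.startswith(FAILED_PREFIX):
            check_failures.append((stamp, msg[len(FAILED_PREFIX):].strip()))
    failed = {c: v for c, v in last_install.items() if v[2] != "Success"}
    return {
        "last_install": last_install,
        "failed_installs": failed,
        "downloaded_not_installed": sorted(pending),
        "check_failures": check_failures,
        "unparsed_lines": unparsed,
        # Healthy means: every downloaded update has been installed and the
        # last installation result of each update is 'Success'.
        "healthy": not failed and not pending,
    }


if __name__ == "__main__":
    report = check_log(SAMPLE_LOG)
    for key in ("healthy", "failed_installs", "downloaded_not_installed", "check_failures"):
        print(key, "=", report[key])
```

Update check failures are reported separately from the health verdict, because a single failed check followed by a later successful installation does not leave the databases out of date.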

7.3 Forcing the Update Agent to Check for New Updates Immediately

If you need to force F-Secure Automatic Update Agent to check for new
updates immediately, you need to stop and restart the fsaua service. To
do this, enter the following commands on the command line:
net stop fsaua
net start fsaua

This will trigger F-Secure Automatic Update Agent to connect to the
update server and check for new updates.

7.4 Updating the Databases Manually


If your computer is not connected to the Internet, you can update the
databases manually.
1. Connect to http://support.f-secure.com/ from another computer.
2. Download the fsdbupdate.exe tool.
3. Transfer the fsdbupdate.exe tool to your computer, for example, by
using a memory stick or other removable media and run it.

7.5 Troubleshooting
Below are some examples of problems that may be logged as error
messages in the fsaua.log file.

Problem: There was a DNS lookup failure, or connection
failed, was lost or refused.

Reason: Network problems

Solution: Check that the network is configured correctly.

Problem: Proxy Authentication failed.

Reason: The password entered for HTTP proxy is incorrect.

Solution: Check and correct the HTTP proxy password in the
http_proxies directive in the fsaua.cfg file. For
more information, see “Configuration”, 148.

Problem: The disk is full or there was an IO error.

Reason: There is not enough free disk space on the drive
where the destination directory is located.

Solution: Free some disk space to enable the update.

Problem: There was a server error or an unspecified
error.

Reason: Unknown

Solution: -
8 F-SECURE POLICY MANAGER ON LINUX

Overview
Installation
Configuration
Uninstallation
Frequently Asked Questions

8.1 Overview
F-Secure Policy Manager can also be installed on Linux.

8.1.1 Differences Between Windows and Linux


Services not available when F-Secure Policy Manager Console is running
on Linux:
Push Installation features
Windows installer package (MSI) export
Autodiscovery of workstations on the network.

8.1.2 Supported Distributions


F-Secure Policy Manager supports many of the Linux distributions based
on the Debian package management (DEB) system and on the Red Hat
Package Management (RPM) system. The commands for these two
systems are different.

Supported Distribution                 Packaging System
Red Hat Enterprise Linux 5             RPM
Red Hat Enterprise Linux 4             RPM
Red Hat Enterprise Linux 3             RPM
SUSE Linux Enterprise Server 10        RPM
SUSE Linux Enterprise Server 9         RPM
SUSE Linux Enterprise Desktop 10       RPM
openSUSE 10.3                          RPM
Debian GNU Linux Etch 4.0              DEB
Ubuntu 8.04 Hardy                      DEB


8.2 Installation
F-Secure Policy Manager is installed in four parts. They must be installed
in the following order:
1. F-Secure Automatic Update Agent
2. F-Secure Policy Manager Server
3. F-Secure Policy Manager Console
4. F-Secure Policy Manager Web Reporting.
F-Secure Policy Manager Server, F-Secure Policy Manager Web
Reporting and F-Secure Automatic Update Agent must all be installed on
the same computer.
F-Secure Policy Manager Console can be installed on the same or a
separate computer.

8.2.1 Installing F-Secure Automatic Update Agent


1. Log in as root.
2. Open a terminal.
3. To install type:

Debian Based Distributions:
dpkg -i f-secure-automatic-update-agent_<version_number>.<build number>_i386.deb
RPM Based Distributions:
rpm -i f-secure-automatic-update-agent-<version_number>.<build number>-1.i386.rpm

4. To configure, type
/opt/f-secure/fsaua/bin/fsaua-config
and answer the questions. Push ENTER to choose the default setting
(shown in square brackets).
5. If you want to configure F-Secure Automatic Update Agent to use
HTTP proxies, enter the HTTP proxy addresses when the
configuration script asks for them. Use the following format:
http://[user:passwd@]address[:port]/[,proxy2[,proxyN]]
6. If you want to specify how often F-Secure Automatic Update Agent
checks for new updates, enter a new polling interval value when the
configuration script asks for it. The default is 3600 seconds, which is
1 hour.

If the minimum polling interval defined at the F-Secure Update
Server is, for example, 2 hours, the settings in F-Secure Automatic
Update Agent configuration file cannot override that limitation.
Once the configuration script is finished, F-Secure Automatic Update
Agent is running and will start automatically whenever the computer is
restarted.

8.2.2 Installing F-Secure Policy Manager Server


1. Log in as root.
2. Open a terminal.
3. To install type:

Debian Based Distributions:
dpkg -i f-secure-policy-manager-server_<version_number>.<build number>_i386.deb
RPM Based Distributions:
rpm -i f-secure-policy-manager-server-<version_number>.<build number>-1.i386.rpm

4. To configure type:
/opt/f-secure/fspms/bin/fspms-config
and answer the questions.
Push ENTER to choose the default setting (shown in square brackets)
for each of these questions.
F-Secure Policy Manager Server is now running and will start
automatically whenever the computer is restarted.

8.2.3 Installing F-Secure Policy Manager Console


1. Log in as root.
2. Open a terminal.
3. To install type:

Debian Based Distributions:
dpkg -i f-secure-policy-manager-console_<version_number>.<build number>_i386.deb
RPM Based Distributions:
rpm -i f-secure-policy-manager-console-<version_number>.<build number>-1.i386.rpm

A new user group called fspmc is created automatically. Users must be
added to the fspmc user group before they can run F-Secure Policy
Manager Console:
4. Check which groups the user belongs to:
groups <user id>
For example, if the user is Tom:
groups Tom
5. Add this user to the fspmc group:
/usr/sbin/usermod -G fspmc,<groups the user belongs to now (as comma separated list)> <user id>
For example, if Tom belongs to the groups normal_users and
administrators the command is:
/usr/sbin/usermod -G fspmc,normal_users,administrators Tom

The comma separated group list will replace whatever groups
the user previously belonged to.

6. Log out.
7. Log in.
8. To start type:
/opt/f-secure/fspmc/fspmc

The first time this command is entered, you will be prompted to
answer a few questions to complete the configuration. These
questions are the same as for the Windows version (see “Installation
Steps”, 57).

8.2.4 Installing F-Secure Policy Manager Web Reporting


1. Log in as root.
2. Open a terminal.
3. To install type:

Debian Based Distributions:
dpkg -i f-secure-policy-manager-web-reporting_<version_number>.<buildnumber>_i386.deb
RPM Based Distributions:
rpm -i f-secure-policy-manager-web-reporting-<version_number>.<buildnumber>-1.i386.rpm

4. To configure type:
/opt/f-secure/fspmwr/bin/fspmwr-config
and answer the questions.
Push ENTER to choose the default setting (shown in square brackets)
for each of these questions.
5. To start type:
/etc/init.d/fspmwr start

8.3 Configuration
F-Secure Policy Manager components have separate configuration
scripts. To configure each component, type the corresponding
configuration command and answer the questions.

F-Secure Policy Manager Component         Configuration Command
F-Secure Policy Manager Server            /opt/f-secure/fspms/bin/fspms-config
F-Secure Policy Manager Web Reporting     /opt/f-secure/fspmwr/bin/fspmwr-config

8.4 Uninstallation
You must uninstall the four components in this order:
1. F-Secure Policy Manager Web Reporting
2. F-Secure Policy Manager Console
3. F-Secure Policy Manager Server
4. F-Secure Automatic Update Agent.

8.4.1 Uninstalling F-Secure Policy Manager Web Reporting


1. Log in as root.
2. Open a terminal.
3. Type:

Debian Based Distributions:
dpkg -r f-secure-policy-manager-web-reporting
RPM Based Distributions:
rpm -e f-secure-policy-manager-web-reporting

Log files and configuration files are not removed as these are
irreplaceable and contain valuable information. To remove these,
type:
rm -rf /opt/f-secure/fspmwr

8.4.2 Uninstalling F-Secure Policy Manager Console


1. Log in as root.
2. Open a terminal.
3. Type:

Debian Based Distributions:
dpkg -r f-secure-policy-manager-console
RPM Based Distributions:
rpm -e f-secure-policy-manager-console

Log files and configuration files are not removed as these are
irreplaceable and contain valuable information. To remove these,
type:
rm -rf /opt/f-secure/fspmc

8.4.3 Uninstalling F-Secure Policy Manager Server


1. Log in as root.
2. Open a terminal.
3. Type:

Debian Based Distributions:
dpkg -r f-secure-policy-manager-server
RPM Based Distributions:
rpm -e f-secure-policy-manager-server

Log files and configuration files are not removed as these are
irreplaceable and contain useful information. To remove these,
type:
rm -rf /var/opt/f-secure/fsaus
rm -rf /var/opt/f-secure/fspms
rm -rf /etc/opt/f-secure/fspms
rm -rf /etc/opt/f-secure/fsaus

8.4.4 Uninstalling F-Secure Automatic Update Agent


1. Log in as root.
2. Open a terminal.
3. Type:
# /opt/f-secure/fsaua/fsaua-config uninstall
4. Type:

Debian Based Distributions:
dpkg -r f-secure-automatic-update-agent
RPM Based Distributions:
rpm -e f-secure-automatic-update-agent

8.5 Frequently Asked Questions


Q. Why doesn't F-Secure Policy Manager Console start?
A. Runtime errors and warnings are logged to:
/opt/f-secure/fspmc/lib/Administrator.error.log

Q. Why doesn't F-Secure Policy Manager Server start?
A. Runtime errors, warnings and other information are logged to:
/opt/f-secure/fspms/logs/error_log
/opt/f-secure/fsaus/log/fsaus/log/log
/opt/f-secure/fsaus/log/fsaus/log/fsaus_watchdog_log
A common problem is that you already have a server using port 80
and/or 8080. To check this:
a. Log in as root.
b. Type:
netstat -t -p
or
fuser -vn tcp 80 8080

Q. How can I update the virus definition database manually?
A. Run the updating tool by typing:
sudo -u fspms /opt/f-secure/fspms/bin/fsavupd

Q. Why does F-Secure Policy Manager Server not distribute new
virus definition databases? F-Secure Policy Manager Server and
F-Secure Automatic Update Agent are working fine.
A. You can get information on possible communication errors between
F-Secure Policy Manager Server and F-Secure Automatic Update
Agent by typing:
sudo -u fspms /opt/f-secure/fspms/bin/fsavupd --debug

Q. Where are the F-Secure Policy Manager Console files located in
the Linux version?
A. To list all files and their places type:

Debian Based Distributions:
dpkg -L f-secure-policy-manager-console
RPM Based Distributions:
rpm -ql f-secure-policy-manager-console

Q. Where are the F-Secure Policy Manager Server log files,
configuration files and Communication Directory located in the
Linux version?
A. To list all files and their places type:

Debian Based Distributions:
dpkg -L f-secure-policy-manager-server
RPM Based Distributions:
rpm -ql f-secure-policy-manager-server



Locations of some files of special interest:

Items of interest          Location in filesystem
Log files                  /var/opt/f-secure/fspms/logs
Configuration files        /etc/opt/f-secure/fspms/
Communication Directory    /var/opt/f-secure/fspms/commdir

Q. How do I change the ports at which F-Secure Policy Manager
Server listens for requests?
A. See “Access to F-Secure Policy Manager Server will be limited only
to the separately defined IP addresses by editing the httpd.conf file.”,
30.

Q. How can I restart F-Secure Policy Manager Server after having
changed the configuration file?
A. To restart F-Secure Policy Manager Server:
a. Log in as root.
b. Type:
/etc/init.d/fspms restart

Q. How can I get information about how F-Secure Policy Manager
Server is running?
A. Type:
/etc/init.d/fspms status

Q. How can I set up the scheduling for the automatic updates of my
virus definitions?
A. You can do this by running the F-Secure Policy Manager Server
configuration script:
/opt/f-secure/fspms/bin/fspms-config

Q. How can I configure F-Secure Automatic Update Agent to use
F-Secure Policy Manager Proxy?
A. To use F-Secure Policy Manager Proxy:
a. Open the file /opt/f-secure/fsaua/etc/fsaua_config with a
text editor.
b. Add the line update_proxies=host:port to the file, for
example:
update_proxies=proxy.domain.com:80
Multiple proxies are written as a comma separated list, for
example:
update_proxies=proxy.domain.com:80,back_up_proxy.domain2.com:80
c. Restart F-Secure Automatic Update Agent so that the changes
take effect:
/etc/init.d/fsaua restart

Q. How can I use an HTTP proxy with F-Secure Automatic Update
Agent?
A. HTTP proxies are set through the file /opt/f-secure/fsaua/etc/fsaua_config
a. Open the file /opt/f-secure/fsaua/etc/fsaua_config with a
text editor.
b. Add the line http_proxies=user:password@host:port to the
file, for example:
http_proxies=Tom:toms_password@proxy.domain.com:80
Multiple proxies are written as a comma separated list, for
example:
http_proxies=Tom:toms_password@proxy.domain.com:80,Ann:anns_password@back_upproxy.domain2.com:80
c. Restart F-Secure Automatic Update Agent so that the changes
take effect:
/etc/init.d/fsaua restart
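
Both this answer and the Windows instructions in “Configuration” put the proxy password into the configuration file in clear text. The following Python code is an added example, not part of the product; it parses the http_proxies format given in this guide, prints entries only with the password masked, and reports settings that need attention. The function names are illustrative, the sample file is constructed from this guide's example values, and treating lines that start with # as comments is an assumption.

```python
import re

# Entry format from this guide:
#   [http://][[domain\]user[:passwd]@]<address>[:port]
# Entries are separated by commas, so a password containing a comma
# cannot be parsed reliably and is reported as a malformed entry.


def parse_proxy(entry):
    """Split one http_proxies entry into its parts without keeping the password."""
    rest = entry.strip()
    if rest.lower().startswith("http://"):
        rest = rest[len("http://"):]
    rest = rest.rstrip("/")
    # rpartition: a password may itself contain '@', the host cannot.
    cred, at, hostport = rest.rpartition("@")
    domain = user = None
    has_password = False
    if at:
        user, colon, _passwd = cred.partition(":")
        has_password = bool(colon)
        if "\\" in user:
            domain, user = user.split("\\", 1)
        if not user:
            raise ValueError("empty user name")
    host, colon, port = hostport.partition(":")
    if not re.fullmatch(r"[A-Za-z0-9._-]+", host):
        raise ValueError("bad proxy address")
    if colon and not (port.isdigit() and 1 <= int(port) <= 65535):
        raise ValueError("bad proxy port")
    return {"domain": domain, "user": user, "has_password": has_password,
            "host": host, "port": int(port) if colon else None}


def redact(p):
    """Rebuild the entry for display with the password masked."""
    cred = ""
    if p["user"]:
        cred = (p["domain"] + "\\" if p["domain"] else "") + p["user"]
        cred += (":***" if p["has_password"] else "") + "@"
    port = ":%d" % p["port"] if p["port"] else ""
    return "http://" + cred + p["host"] + port


def audit_config(text):
    """Check the http_proxies and poll_interval settings of an fsaua config file."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:  # '#' comments: assumption
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    findings, proxies = [], []
    entries = [e.strip() for e in settings.get("http_proxies", "").split(",") if e.strip()]
    for n, entry in enumerate(entries, 1):
        try:
            p = parse_proxy(entry)
        except ValueError as exc:
            # The message never echoes the entry, so no password fragment leaks.
            findings.append("http_proxies: entry %d is malformed (%s)" % (n, exc))
            continue
        proxies.append(redact(p))
        if p["has_password"]:
            findings.append("http_proxies: password for %s is stored in clear text; "
                            "restrict read access to the file" % p["host"])
    interval = settings.get("poll_interval", "3600")  # 3600 is the documented default
    if not interval.isdigit() or int(interval) == 0:
        findings.append("poll_interval: not a positive number of seconds")
    return {"proxies": proxies, "poll_interval": interval, "findings": findings}


# Constructed sample built from the example values in this guide.
SAMPLE_CFG = r"""
# constructed sample
http_proxies=http://proxy1:8080/,http://backup_proxy:8880/,http://domain\username:usernamespassword@ntlmproxy.domain.com:80
poll_interval=3600
"""

if __name__ == "__main__":
    result = audit_config(SAMPLE_CFG)
    print("\n".join(result["proxies"] + result["findings"]))
```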

Q. How can I restart F-Secure Automatic Update Agent after
changing the configuration file?
A. To restart F-Secure Automatic Update Agent, type:
/etc/init.d/fsaua restart
9 WEB REPORTING

Overview
Introduction
Web Reporting Client System Requirements
Generating and Viewing Reports
Maintaining Web Reporting
Web Reporting Error Messages and Troubleshooting

9.1 Overview
This chapter contains:
An introduction to F-Secure Policy Manager Web Reporting and
its features
Instructions on how to generate and view web reports
Instructions on how to configure and maintain the F-Secure Policy
Manager Web Reporting application; for example, how to restrict
or give a wider access to web reports and how to back up and
restore the Web Reporting database.

Web Reporting installation is a part of F-Secure Policy Manager
Server setup. For more information, see “Installation Steps”, 34.

For information about special considerations when installing
F-Secure Policy Manager Web Reporting in high security
environments, see “Installing F-Secure Policy Manager Web
Reporting in High-Security Environments”, 32.

9.2 Introduction
F-Secure Policy Manager Web Reporting is a graphical reporting system
included in F-Secure Policy Manager Server. The detailed graphical
reports in F-Secure Policy Manager Web Reporting allow you to identify
computers that are unprotected or vulnerable to virus outbreaks. With
F-Secure Policy Manager Web Reporting you can quickly create
graphical reports based on historical trend data using a web based
interface. You can produce a wide range of useful reports and queries
from F-Secure Client Security alerts and status information sent by the
F-Secure Management Agent to the F-Secure Policy Manager Server.
You can export the reports into HTML.
F-Secure Policy Manager Web Reporting is integrated with an SQL database,
which guarantees its suitability for every size of company. The Web
Reporting database collects all data that is currently stored in the
F-Secure Policy Manager Server, and adds new data as it arrives. The
collected data includes most of the data in alerts and some of the data in
Incremental Policy Files (.ipf). You can configure how long the data is
stored in the Web Reporting database and in this way also optimize the
database performance.

9.3 Web Reporting Client System Requirements


In order to view the reports generated by F-Secure Policy Manager Web
Reporting, your computer must have an Internet browser, for example
Internet Explorer or Mozilla Firefox.

9.4 Generating and Viewing Reports


The general types of reports you can generate include, for example, bar
and pie graphs of the current security situation, trend reports and detailed
list reports. To view the exact reports and report templates available,
select one of the pages (Virus Protection Summary, Internet Shield
Summary, Alerts, Installed Software and Host Properties) in the Web
Reporting user interface.
Starting F-Secure Policy Manager Web Reporting can take a long
time in large environments. While Web Reporting is starting, the reports
are not available, and if you try to access them, error messages
might be displayed. For more information, see “Web Reporting Error
Messages and Troubleshooting”, 179.

9.4.1 Required Browser Settings for Viewing Web Reports


When you start to use Web Reporting, it is a good idea to check your
browser settings to make sure that your browser always loads the newest
reports and does not display any cached reports or parts of reports. If part
of the report information is retrieved from the cache, your browser might
also display an error message.
The recommended browser cache settings in Netscape Communicator
and Mozilla are:

Compare the page in the cache to the page on the network:
Every time I view the page.
Select this if you want Netscape to compare a web page to the
cache every time you view it.
When the page is out of date.
Select this if you want Netscape to compare a web page to the
cache when the page is determined by the server to have
expired.
The recommended browser cache settings in Microsoft Internet Explorer
are:
Check for newer versions of stored pages:
Every visit to the page.
Select this if you want Internet Explorer to compare a web page
to the cache every time you view it.
Automatically.
Select this if you want Internet Explorer to check for a new
version of the page automatically.
Cookies
It is also a good idea to enable cookies in your browser, as this makes, for
example, browsing the policy domain tree easier. If you just want to
access a stored report, it is not necessary to enable cookies.

9.4.2 Generating a Report


You can generate a web report as follows:
1. First open the F-Secure Policy Manager Web Reporting main page.
Enter the name or IP address of the F-Secure Policy Manager Server
followed by the Web Reporting port (separated by a colon) in your
browser. For example, fspms.example.com:8081.
Alternatively, if you are accessing Web Reporting locally, you can
access Web Reporting from the Start menu: Start >F-Secure Policy
Manager Server >Web Reporting.

2. Wait until the Web Reporting page opens. In large environments this
can take a lot of time.
When the F-Secure Policy Manager Web Reporting page opens, it
displays a default report for the currently selected report category.
Root is selected by default in the Policy Domains pane.

3. To view a new report, first select the domain, subdomain or host for
which you want to generate the report.
4. Then select a report category (Virus Protection Summary, Internet
Shield Summary, Alerts, Installed Software and Host Properties) and
the exact report to be generated.
5. Wait until the report is displayed in the lower part of the main window.

9.4.3 Creating a Printable Report


To get a printable version of the page, click the icon in the upper right
corner of the page. This opens a new browser window with the contents
of the main frame in printable format, and you can then print the page with
your browser’s normal print functionality.
You can also save the report for later use with your browser’s Save as or
Save page as options. You should make sure that the Save option used
saves the complete web page, including images:
If you are using Microsoft Internet Explorer, first select Save as
from the File menu. When the Save Web Page window opens,
select Web Page, complete from the Save as Type drop-down
menu.
If you are using Mozilla, select Save Page As from the File menu.

9.4.4 Generating a Specific URL for Automated Report Generation

You can also generate a specific URL that can be used for automated
report generation. This means that you do not have to select the report
category, report type or policy domain which you want to monitor
separately the next time you want to generate the same report, because
this information is already included in the report specific URL address.
You have two possibilities:
Generate a report that includes the selections you want to
monitor, and then add a link to that report on your computer
(desktop, Bookmarks or some other location). The next time you
access F-Secure Policy Manager Web Reporting through this
link, the report is regenerated and thus it contains the latest data.
You can also save the report you have generated so that you can
compare the current situation with the reports you will generate in
the future. First generate a printable version of the page and then
save the whole page in a browser. This will always show the 'old'
report. For instructions, see “Creating a Printable Report”, 173.

9.5 Maintaining Web Reporting


This section covers the most common F-Secure Policy Manager Web
Reporting maintenance tasks.

9.5.1 Disabling Web Reporting


You can disable F-Secure Policy Manager Web Reporting by using the
Service Control Panel as follows:
1. Open the Service Control Panel from the Windows Start menu.
2. Select F-Secure Policy Manager Web Reporting from the list of
services.
3. Open the Action menu and select Properties. Click Stop to stop the
service.
4. Set the startup type to Manual. Skip this step if you want to stop the
Web Reporting only temporarily.
5. Click OK.

Alternatively you can disable Web Reporting by re-running
F-Secure Policy Manager Setup.

9.5.2 Enabling Web Reporting


You can enable Web Reporting using these instructions only if you
have previously enabled it during installation, and then disabled it
by using the instructions above.
You can always enable Web Reporting by re-running the Setup.
You can enable F-Secure Policy Manager Web Reporting by using the
Service Control Panel as follows:
1. Open the Service Control Panel from the Windows Start menu.
2. Select F-Secure Policy Manager Web Reporting from the list of
services.

3. Open the Action menu and select Properties. Click Start to start the
service.
4. Set the startup type to Automatic.
5. Click OK.

The Policy Manager Admin Module must also be enabled for Web
Reporting to work.

9.5.3 Restricting or Allowing Wider Access to Web Reports


Under the conf\ directory in the F-Secure Policy Manager Server
installation directory, you will find a file named httpd.conf, which contains
the configuration information for F-Secure Policy Manager Server and
F-Secure Policy Manager Web Reporting.

After any change to the configuration, you need to stop F-Secure
Policy Manager Server, and restart it for the changes to become
active.
There are three possibilities for defining the access rights to Web
Reporting: access from the local machine only, access from everywhere,
and access from a number of hosts defined by their IP addresses.

Allow Access from Everywhere (default)


By default F-Secure Policy Manager Web Reporting can be accessed
from any computer that can access the Web Reporting port on the Policy
Manager Server. This is defined by the following parameter in the
httpd.conf file:
Listen 8081

Allow Access from the Local Machine Only


Access to F-Secure Policy Manager Web Reporting can also be allowed
only from the local machine by configuring the Web Reporting port
parameter in the httpd.conf file as follows:
Listen 127.0.0.1:8081

Specify a List of Hosts That Can Access Web Reporting


Access to F-Secure Policy Manager Web Reporting can also be allowed
only from certain separately defined IP addresses. Below is an example
of the edited httpd.conf file section:
#Web Reporting listen
Listen 8081

# Web Reporting port:
<VirtualHost _default_:8081>
JkMount /* ajp13
ErrorDocument 500 "Policy Manager Web Reporting could not be contacted by the Policy Manager Server.
<Location / >
Order Deny,Allow
Deny from all
Allow from ip-address-1
Allow from ip-address-2
Allow from ip-address-3
</Location>
</VirtualHost>
After this, only those people who have access to the machines with the
defined IP addresses can use Web Reporting.
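
To confirm which of the three access modes a given httpd.conf actually implements, the file can be checked before the server is restarted. The following Python code is an added example, not part of the product; it reads only the directives shown in this section (Listen, VirtualHost, Location, Order, Deny from, Allow from). The function name, the mode labels and the sample configuration with its documentation-range IP addresses are constructed for illustration.

```python
import re

LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}

# Constructed sample: the host-list section from this guide, with
# documentation-range addresses in place of ip-address-1 and ip-address-2.
HOST_LIST_CONF = """
#Web Reporting listen
Listen 8081

# Web Reporting port:
<VirtualHost _default_:8081>
JkMount /* ajp13
<Location / >
Order Deny,Allow
Deny from all
Allow from 192.0.2.10
Allow from 192.0.2.11
</Location>
</VirtualHost>
"""


def web_reporting_access(conf_text, port=8081):
    """Classify who can reach the Web Reporting port according to httpd.conf text."""
    binds = []               # addresses the port is bound to; None = all interfaces
    order = "deny,allow"     # Apache's default when no Order directive is given
    deny_all = False
    allowed = []
    vhost_port = None        # port of the <VirtualHost> block being read, if any
    in_root_location = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(?i)^Listen\s+(?:(\S+):)?(\d+)$", line)
        if m:
            if int(m.group(2)) == port:
                binds.append(m.group(1))
            continue
        m = re.match(r"(?i)^<VirtualHost\s+\S+:(\d+)\s*>$", line)
        if m:
            vhost_port = int(m.group(1))
            continue
        if re.match(r"(?i)^</VirtualHost>$", line):
            vhost_port = None
            continue
        if vhost_port != port:
            continue         # only the Web Reporting virtual host matters here
        m = re.match(r"(?i)^<Location\s+(\S+?)\s*>$", line)
        if m:
            in_root_location = m.group(1) == "/"
            continue
        if re.match(r"(?i)^</Location>$", line):
            in_root_location = False
            continue
        if not in_root_location:
            continue
        words = line.split()
        key = [w.lower() for w in words[:2]]
        if key[0] == "order" and len(words) == 2:
            order = words[1].lower()
        elif key == ["deny", "from"]:
            deny_all = deny_all or "all" in [w.lower() for w in words[2:]]
        elif key == ["allow", "from"]:
            allowed.extend(words[2:])

    allow_all = "all" in [a.lower() for a in allowed]
    if not binds:
        mode = "not-listening"
    elif all(b is not None and b.lower() in LOOPBACK for b in binds):
        mode = "local-only"
    elif deny_all and (order == "allow,deny" or not allowed):
        # With Order Allow,Deny the Deny rules are evaluated last, so
        # "Deny from all" overrides every Allow line and nobody gets in.
        mode = "blocked"
    elif deny_all and order == "deny,allow" and not allow_all:
        mode = "host-list"
    else:
        mode = "everywhere"
    return {"mode": mode, "allowed": allowed if mode == "host-list" else []}


if __name__ == "__main__":
    print(web_reporting_access(HOST_LIST_CONF))
    print(web_reporting_access("Listen 8081\n"))
    print(web_reporting_access("Listen 127.0.0.1:8081\n"))
```

The "blocked" result catches the common slip of writing Order Allow,Deny, which locks out the listed hosts as well.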

9.5.4 Changing the Web Reporting Port


The recommended method for changing the F-Secure Policy Manager
Web Reporting port is to re-run the F-Secure Policy Manager Setup, and
change the Web Reporting port there. For more information, see
“Installation Steps”, 34.
You can also change the Web Reporting port by editing the httpd.conf file.

1. Stop F-Secure Policy Manager Server.
2. Edit the Web Reporting port (Listen) and VirtualHost parameters
in the httpd.conf file so that they contain the new port number.
3. Start F-Secure Policy Manager Server.
If there is a port conflict, F-Secure Policy Manager Server will not start,
and an error message will be printed in the log file. In this case you should
try another, unused port.

9.5.5 Creating a Backup Copy of the Web Reporting Database

You can create a backup of the Web Reporting database on backup media
as follows:
1. Stop the F-Secure Policy Manager Web Reporting service.
2. Copy the file
C:\Program Files\F-Secure\Management Server 5\Web Reporting\firebird\data\fspmwr.fdb
to the backup media. You can also use a compression utility to
compress the file. Using a compression utility also gives you a
means to check that the backed-up database is still intact.
3. Restart the F-Secure Policy Manager Web Reporting service.

A backup copy protects historical data against corruption. It can
also be used to archive old data that would be deleted when the
maximum data storage time in the Web Reporting database is
modified (see “Changing the Maximum Data Storage Time in the
Web Reporting Database”, 178).

9.5.6 Restoring the Web Reporting Database from a Backup Copy

You can restore the F-Secure Policy Manager Web Reporting database
from a backup copy as follows:
1. Stop the F-Secure Policy Manager Web Reporting service.
2. Copy and decompress the fspmwr.fdb file from the backup media to
the following directory:
C:\Program Files\F-Secure\Management Server 5\Web Reporting\firebird\data
3. Restart the F-Secure Policy Manager Web Reporting service.
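
The copy steps of the backup (9.5.5) and restore (9.5.6) procedures, with the integrity check that compression makes possible, written as an added Python example that is not part of the F-Secure guide. It assumes the Web Reporting service has already been stopped as the steps require; the function names and the choice to store a SHA-256 digest in the ZIP comment are this example's own.

```python
import hashlib
import os
import shutil
import tempfile
import zipfile

DB_NAME = "fspmwr.fdb"

def sha256_stream(stream):
    """Hash a binary stream in 1 MiB chunks so large databases fit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(1 << 20), b""):
        digest.update(chunk)
    return digest.hexdigest()

def verify_backup(backup_zip):
    """Return the database digest, or raise ValueError if the backup is not intact."""
    with zipfile.ZipFile(backup_zip) as zf:
        if zf.namelist() != [DB_NAME]:
            raise ValueError("unexpected archive contents: %r" % zf.namelist())
        if zf.testzip() is not None:          # per-member CRC-32 check
            raise ValueError("CRC check failed for " + DB_NAME)
        with zf.open(DB_NAME) as member:
            actual = sha256_stream(member)
        if actual.encode("ascii") != zf.comment:
            raise ValueError("SHA-256 differs from the value recorded at backup time")
    return actual

def backup_database(db_path, backup_zip):
    """Step 2 of the backup: compress the database file and verify the archive."""
    with open(db_path, "rb") as f:
        digest = sha256_stream(f)
    with zipfile.ZipFile(backup_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(db_path, arcname=DB_NAME)
        zf.comment = digest.encode("ascii")   # expected hash travels with the archive
    verify_backup(backup_zip)
    return digest

def restore_database(backup_zip, data_dir):
    """Step 2 of the restore: verify first, then replace the database in one move."""
    verify_backup(backup_zip)
    target = os.path.join(data_dir, DB_NAME)
    fd, tmp = tempfile.mkstemp(dir=data_dir, suffix=".restore")
    try:
        with os.fdopen(fd, "wb") as out, zipfile.ZipFile(backup_zip) as zf:
            with zf.open(DB_NAME) as member:
                shutil.copyfileobj(member, out)
        os.replace(tmp, target)               # the old file stays until the copy is complete
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return target

if __name__ == "__main__":
    # Constructed stand-in for the real database file, so the example runs anywhere.
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, DB_NAME)
        with open(source, "wb") as f:
            f.write(b"constructed sample data" * 4096)
        archive = os.path.join(work, "fspmwr-backup.zip")
        print("backed up, sha256 =", backup_database(source, archive))
        restore_dir = os.path.join(work, "restore")
        os.mkdir(restore_dir)
        print("restored to", restore_database(archive, restore_dir))
```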

9.5.7 Changing the Maximum Data Storage Time in the Web Reporting Database

You can configure how long the trend data is kept in the database before
it is deleted. The default time is one year. If you want to generate trend
reports from a longer period of time, you can configure this time to be
longer. If you want to keep the trend data for a shorter time, you can also
configure this time to be shorter.
1. Stop the F-Secure Policy Manager Web Reporting service.
2. Change the maximum time defined in the fspmwr.conf file in the Web
Reporting directory. The time unit used is seconds. Below is an
example of the section to be edited in the configuration file:
#
# The database data retaining time. The database data older than the current time
# minus retaining time will be removed from the database permanently.
#
# Value: Use a retaining time measured in seconds.
# Default: An empty value will set the default retaining time in use. The default
# retaining time is 12 months.
#
fspmwr.db.retain.time=31536000
3. Restart the F-Secure Policy Manager Web Reporting service.

The new setting will be taken into use immediately. For example, if
you shortened the maximum time that data will be stored in the
database, all the data that is older than the new time limit will be
deleted.

9.6 Web Reporting Error Messages and Troubleshooting

This section covers F-Secure Policy Manager Web Reporting error
messages and Web Reporting database troubleshooting.

9.6.1 Error Messages


Browser error message: “The connection was refused when
attempting to contact <location>"
Your browser could not contact Web Reporting at all. The link you have
might point to a wrong machine or to a wrong port, Web Reporting is not
installed on that machine, or F-Secure Policy Manager Server service is
not running. Check all of these in this order. A firewall may also prevent
the connection.
Error message: “F-Secure Policy Manager Web Reporting could not
be contacted by F-Secure Policy Manager Server.”
If you see an error message stating something like “Policy Manager Web
Reporting could not be contacted by the Policy Manager Server.”, this
means that the F-Secure Policy Manager Web Reporting is currently
starting. Wait a while to see if the problem was due to all services not
being started yet, and then reload the page.

Note that if you disabled Web Reporting manually by using the
Service Control Panel, you will also get this error message.

The time it takes for the service to start depends on the size of the
managed environment. You can reduce the startup time by deleting some
of the alerts from the CommDir.

Error message: "Web Reporting lost its connection to the F-Secure
Policy Manager Server at <location>. Report data may be outdated,
therefore reports cannot be viewed."
If Web Reporting cannot contact F-Secure Policy Manager Server it may
mean that the F-Secure Policy Manager Server was extremely
overloaded for a long time, and the current data is no longer accurate.
Because of this no reports are shown. If this is the case you should
upgrade your hardware.
If there is some Web Reporting specific error, restarting both F-Secure
Policy Manager Server and the Web Reporting service should help.
Error message: "Web Reporting lost its database connection, this
may require restarting the Web Reporting service."
If Web Reporting cannot contact the database, you should restart the
Web Reporting service. If this does not help, you may wish to reinstall
Web Reporting, keeping the existing database.

9.6.2 Troubleshooting
In general, if F-Secure Policy Manager Web Reporting does not work, try
one of the following, in this order:
Reload the page.
If the problem is caused by all processes not having started yet,
wait for a while, and then try to reload the page. You can also
reduce the startup time by deleting the unnecessary alerts from
the CommDir.
Restart the F-Secure Policy Manager Web Reporting service.
Restart the F-Secure Policy Manager Server.
Restart the computer.
Re-install F-Secure Policy Manager Server, keeping the existing
configuration.
If all else fails, reset the F-Secure Policy Manager Web Reporting
database or restore it from a backup copy.

Resetting the Web Reporting Database


Normally the Web Reporting Server erases automatically any obsolete
data from the database, based on the currently configured maximum time
the data is to be stored. However, if the database is really broken, you can
also copy an empty database file on top of the broken one. This is done
as follows:
1. Stop the F-Secure Policy Manager Web Reporting service.
2. Copy fspmwr.fdb.empty on top of fspmwr.fdb, replacing fspmwr.fdb.
They are in the same directory. If the fspmwr.fdb.empty file
accidentally gets lost, you need to re-install F-Secure Policy Manager
Server.
3. Start the F-Secure Policy Manager Web Reporting service.
10 F-SECURE POLICY MANAGER PROXY


10.1 Overview
F-Secure Policy Manager Proxy is a new product, and should not
be confused with F-Secure Anti-Virus Proxy. For more information
about F-Secure Policy Manager Proxy, see F-Secure Policy
Manager Proxy Administrator’s Guide.
F-Secure Policy Manager Proxy offers a solution to bandwidth problems
in distributed installations of F-Secure Client Security by significantly
reducing load on networks with slow connections. It caches virus
definition database updates retrieved from F-Secure Policy Manager
Server or F-Secure Update Server.
F-Secure Policy Manager Proxy resides in the same remote network as
the hosts that use it as a database distribution point. There should be one
F-Secure Policy Manager Proxy in every network that is behind slow
network lines. F-Secure Policy Manager Proxy retrieves virus definition
database updates directly from F-Secure's distribution server, and hosts
running F-Secure Anti-Virus fetch the updates locally from F-Secure
Policy Manager Proxy. Workstations in the remote offices communicate
also with the Policy Manager Server in the main office, but this
communication is restricted to remote policy management, status
monitoring, and alerting. Since the heavy database update traffic is
redirected to the F-Secure Anti-Virus Proxy in the same local network, the
network connection between manager workstations and F-Secure Policy
Manager Server has a substantially lighter load.

10.2 Main Differences between Anti-Virus Proxy and Policy Manager Proxy

F-Secure Anti-Virus Proxy is a product designed to be used with F-Secure
Client Security 5.x, while F-Secure Policy Manager Proxy is a product
designed to be used with F-Secure Client Security 6.x and later.

Both types of proxies can exist on the same network, but they cannot
provide updates for products they are not designed for. For
example, F-Secure Anti-Virus Proxy cannot be used to deliver updates to
F-Secure Client Security 6.x and later.
F-Secure Anti-Virus Proxy acts as a standalone server in the network,
and it can provide updates to hosts without a connection to an upstream
server. The only upstream server it can connect to is the F-Secure Update
Server.
F-Secure Policy Manager Proxy acts as a true proxy in the network and
requires a connection to an upstream server to be able to serve updates
to clients. F-Secure Policy Manager Proxy can connect to both F-Secure
Update Server and F-Secure Policy Manager Server.
11 TROUBLESHOOTING


11.1 Overview
This chapter contains troubleshooting information and frequently asked
questions about F-Secure Policy Manager Server and F-Secure Policy
Manager Console.
For information on how to configure F-Secure Policy Manager Server,
and how to change the ports the server listens on for requests, see
“Configuring F-Secure Policy Manager Server”, 47.

11.2 F-Secure Policy Manager Server and Console


Q. Why doesn't F-Secure Policy Manager Server start?
A. Runtime errors, warnings and other information can be found in the
file:
<F-Secure>\Management Server 5\logs\error.log
If the Application Log in Event Viewer (Administrative tools in
NT/2000/2003) shows 'ServerRoot must be a valid directory' or 'Syntax
error on line 6' from Apache service, do the following:
First check the validity of the ServerRoot line that is defined in the
httpd.conf file (line 6 by default). If this is correct, check that the
Communication Directory access rights (properties/security/permissions)
include the fsms_<COMPUTERNAME> user account. If
fsms_<COMPUTERNAME> is not listed as an authorized user, add the
user manually, and set the access rights to Full Control. Propagate
the access rights to the Management Server 5 directory (by default
C:\Program Files\F-Secure\Management Server 5) and all its
subdirectories. After these changes, restart the F-Secure Policy
Manager Server service or reboot the computer.
The fsms_<COMPUTERNAME> account is created during the installation
of F-Secure Policy Manager Server, and the service is started under
this user account. With normal installation, the directory access rights
for Management Server 5 directory are automatically set correctly. If
the directory is copied by hand or, for example, restored from backup,
the access rights might be deleted. In this case execute the steps
described in the previous paragraph.

Q. Where are the log files, configuration files and Communication
Directory located for F-Secure Policy Manager Server?
A. The log files are located in:
<F-Secure>\Management Server 5\logs
The configuration files are in:
<F-Secure>\Management Server 5\conf
The F-Secure Policy Manager Server Communication Directory is
located at:
<F-Secure>\Management Server 5\commdir

Q. Where are the F-Secure Policy Manager Console log files
located?
A. The log file is:
<F-Secure>\Administrator\lib\administrator.error.log

Q. How can the server role change stop F-Secure Policy Manager
Server from working?
A. Domain Controller server and Member/Standalone server use
different types of accounts: domain accounts on Domain Controller
and local accounts on Member server. Because F-Secure Policy
Manager Server uses its own account to run, this account becomes
invalid with the role change.
The easiest way to restore the F-Secure Policy Manager Server after
server role change is to re-install F-Secure Policy Manager Server
with the Keep existing settings option selected. This will recreate the
F-Secure Policy Manager Server account and reset all file access
rights to the correct ones.

If you have moved the commdir manually to a new location, you
might need to re-add full control for the new account in that
directory tree.

Q. Why does F-Secure Policy Manager Server use its own account
to run instead of the system account?
A. The Policy Manager Server account (fsms_<COMPUTERNAME>) is used for
security reasons. Because the server runs under its own account, any security
vulnerability in F-Secure Policy Manager Server will only affect it and
not the whole system. If the system account were used, the whole
system could be compromised in the unlikely event of a security
problem in F-Secure Policy Manager Server.

Q. How can Windows security hardening stop F-Secure Policy
Manager Server from working?
A. Access rights restrictions, especially restrictions under
%SystemRoot% directory (c:\windows or c:\winnt) can stop F-Secure
Policy Manager Server from starting, as its own account
(fsms_<COMPUTERNAME>) needs to be able to read the network
related DLL and SYS files.
You must allow the fsms_<COMPUTERNAME> account to 'read' the
following directories:
%SystemRoot%
%SystemRoot%\system32
%SystemRoot%\system32\drivers
Some service restrictions can also prevent the F-Secure Policy
Manager Server service from starting. For more information on these
please consult the Microsoft Windows Server documentation.

Q. Why am I unable to connect to F-Secure Policy Manager Server?


A. If you are getting the ‘Unable to connect to management server.
Another administrator may be logged on’ error, check that nobody
else is logged in to F-Secure Policy Manager Server with F-Secure
Policy Manager Console. This error might also be caused by an
unclean shutdown of F-Secure Policy Manager Console. To fix the
situation you can either wait for F-Secure Policy Manager Server to
time out (<=5 minutes) or delete the admin.lck file under the
Commdir and restart the F-Secure Policy Manager Server service.

Q. Why does F-Secure Policy Manager Console lose the connection
to F-Secure Policy Manager Server?
A. If F-Secure Policy Manager Console is run on a separate computer
from F-Secure Policy Manager Server, then the connection may be
affected by network problems. There have been numerous reports
where, for example, a network switch change caused
loss-of-connection problems between F-Secure Policy Manager
Console and Server. Usually these problems are fixed by updating
the network drivers to the latest version in the affected machines or
by reconfiguring the new switch and the network cards on the
F-Secure Policy Manager Console and Server machines.
If F-Secure Policy Manager Console is installed on the same
computer as F-Secure Policy Manager Server, then there is a risk
that F-Secure Policy Manager Server could be under such a heavy
network load that it does not have any free network connections
available. F-Secure Policy Manager Console and all hosts are
competing for the same network resources.
With the default settings F-Secure Policy Manager Server can only
handle 150 simultaneous connections. You can increase the number
of simultaneous connections by increasing ThreadsPerChild value
in the httpd.conf file and restarting the F-Secure Policy Manager
Server after that. Other possible solutions are to increase the polling
intervals of hosts, to shorten the Windows networking timeouts,
or to increase the number of Windows networking ports.
Useful Windows networking settings are:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort
(maximum number of network ports, default = 5000)
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpTimedWaitDelay
(time to wait before closing inactive network connection, default = 240 seconds)
The netstat -an command can be used to check whether there are
too many connections open to the server.

11.3 F-Secure Policy Manager Web Reporting


Q. Where are the log files and configuration files located for
F-Secure Policy Manager Web Reporting?
A. The log files are located in:
<F-Secure>\Management Server 5\Web Reporting\logs
The configuration files are in:
<F-Secure>\Management Server 5\Web Reporting\fspmwr.conf
<F-Secure>\Management Server 5\Web Reporting\jetty\etc\fspmwr.xml
<F-Secure>\Management Server 5\Web Reporting\firebird\aliases.conf
<F-Secure>\Management Server 5\Web Reporting\firebird\firebird.conf
See also the F-Secure Policy Manager Server configuration files:
<F-Secure>\Management Server 5\conf\httpd.conf
<F-Secure>\Management Server 5\conf\workers.properties

11.4 Policy Distribution


Q. When distributing a policy, F-Secure Policy Manager Console
shows an error message about an invalid policy value. What
should I do?
A. See below for information on error messages you may see during
policy distribution, and for the reasons and solutions.

Error messages: "<setting name>" has value out of restriction
                "<setting name>" has invalid restriction
                "<setting name>" has invalid value: "<value>"

Reason 1: The value selected from a choice list is not among the choices
on a sub-domain or host, too high or low values are specified as range
restriction boundaries, or an empty choice list is specified.

When a domain includes hosts that have different product versions
installed, the MIB settings from the newest product version are used for
editing the policy values. As a result, policy distribution may fail on
hosts that have older versions of the software installed, because the
older versions do not support the new policy settings or values.

Solution: Divide the hosts into subdomains so that it is possible to set
the new value for hosts with the new software installed, and to use some
older policy values for other hosts. To do this:
1. Group the hosts into subdomains based on the installed product
version. For example, group hosts that have F-Secure Client Security 6.x
installed into one sub-domain, and hosts that have F-Secure Client
Security 7.x installed into another domain.
2. Set most of the settings on the root domain and create sub-domains
for exceptions. This is a good solution if you have only a few hosts
with the older software versions installed.

Reason 2: You entered an integer value that is outside of the range
restrictions.

Error message: "<setting name>" is required but undefined

Reason: The setting is required but it is currently empty.

Solution: Enter a value or apply the Clear operation to re-inherit the
value from parent domain or MIB. If the value is empty on several domain
levels, you may need to apply the Clear operation several times.
A SNMP Support


A.1 Overview
This section covers the following topics about SNMP support:
F-Secure Management Agent with SNMP Agent
Installing F-Secure Management Agent with SNMP support
F-Secure Management Agent Management Information Base
(MIB)
SNMP traps sent by F-Secure Management Agent
Network Manager Software Add-ons
SNMP support is currently implemented for all versions of Windows NT,
including Windows 2000, Windows XP, Windows Server 2003,
Windows Server 2008 and Windows Vista.

A.1.1 SNMP Support for F-Secure Management Agent


Windows NT
The NT version of SNMP support for F-Secure Management Agent
implements the Windows NT master agent as a service. Windows
Sockets has to be installed with TCP/IP or IPX/SPX, since the SNMP
service uses Windows Sockets for network communication.
The master agent is an extensible SNMP agent, which allows it to service
additional MIBs. The NT SNMP agent itself does not contain
instrumentation for any MIBs. Instead, it is responsible for retrieving
SNMP requests for the NT workstation or server and for passing these
requests on to the appropriate modules for resolution.
The F-Secure SNMP Management Extension is a Windows NT SNMP
extension agent, which is loaded and unloaded with the master agent.
The SNMP service normally starts on NT start-up so the extension agent
is always loaded. The NT master agent hosts the extensions and passes
the requests to the Management Agent, which is responsible for returning
the request to the management console that made it. The F-Secure
SNMP Management Extension may be loaded even if no other modules
are loaded, thus enabling the F-Secure SNMP Management Extension to
monitor F-Secure Management Agent activities independently of other
F-Secure Management Agent modules.

A.2 Installing F-Secure Management Agent with SNMP Support

A.2.1 F-Secure SNMP Management Extension Installation


SNMP support for F-Secure Management Agent is installed by installing
Management Extensions.

If the SNMP master agent is installed when installing the F-Secure
SNMP Management Extension, the corresponding Service Pack
has to be re-installed (see “Configuring The SNMP Master Agent”).

A.3 Configuring The SNMP Master Agent


The SNMP Service is installed from the Windows Control Panel Network
Options window. The SNMP Service option is in the TCP/IP Installation
Options window. After the SNMP Service software is installed on your
computer, you must configure it with valid information in order for SNMP
to operate.
To configure SNMP, you must be logged on as the administrator for the
local computer. The SNMP configuration information identifies
communities and trap destinations. A community is a group of hosts to
which a Windows NT computer running the SNMP service belongs. You
can specify one or more communities to which the computer will send
traps. The name of the community is included with the trap.
When the SNMP Service receives a request for information that does not
contain the correct community name and does not match an accepted
host name for the Service, the SNMP Service can send a trap to the trap
destination, indicating that the request failed authentication.
Trap destinations are the names or IP addresses of hosts to which you
want the SNMP Service to send traps with the selected community name.
If you want to use SNMP for statistics, but not for identifying communities
or traps, you can specify the "public" community name when you
configure the SNMP Service.
Use the SNMP Security Configuration dialog box to specify security
parameters for SNMP services. This dialog box appears when you click
the Security button in the SNMP Service Configuration dialog box.
SNMP security allows you to specify the communities and hosts from
which a computer will accept requests, and to specify whether to send an
authentication trap when an unauthorized community or host requests
information.

A.4 Management Information Base


A Management Information Base (MIB) describes a set of managed
objects on an SNMP agent. A management system can manipulate the
objects if the SNMP agent has associated an extension agent DLL with
that MIB.
The SNMP MIB files are automatically installed under F-Secure Policy
Manager Console in the directory Administrator\snmp-mib\ during the
F-Secure Policy Manager Console installation. Each product has its own
SNMP MIB file.
The entry for each managed object has a unique identifier (OID). The
entry also contains a description of the object's type (such as counter,
string, gauge, or address), the object's access type (such as read or
read/write), size restrictions, and range information.
An OID is a unique identifier assigned to a specific object. The identifier
consists of a sequence of numbers that identify the source of the object
as well as the object itself. OIDs are organized in a tree-like structure and
the sequence of numbers identifies the various branches of the subtree
that a given object comes from. The root of the tree is the ISO
(International Standards Organization) trunk. Its value is 1. Each branch
coming from the root further identifies the source of the given object. All
SNMP objects are members of the branch identified by
iso.org.dod.internet or 1.3.6.1. Each additional component in this dotted
notation further specifies the exact location of an object. The numbers for
each sub-branch are assigned by the IETF to ensure that all branches are
unique.
Traps are SNMP messages from an agent to a preconfigured
management station. They are used to notify management consoles of
significant events. Traps are typically used for reporting the starting and
stopping of a service, reporting serious error conditions, etc.
Traps are sent to the management station through the SNMP agent only if
forwarding is selected in the product’s redirection table in F-Secure Policy
Manager Console. For more information about trap redirection, see
“Configuring Alert Forwarding”, 128.
B Ilaunchr Error Codes


B.1 Overview
When Ilaunchr.exe is completed silently, it reports installation results with
the standard exit codes. With the login script, you can test for the cause of
the problem. Here is one example, which you can insert into your login
script:
Start /Wait ILaunchr.exe \\server\share\mysuite.jar /U
if errorlevel 100 goto Some_Setup_Error_occurred
if errorlevel 5 goto Some_Ilaunchr_Error_occurred
if errorlevel 3 goto Problem_with_JAR_package
if errorlevel 2 goto User_does_not_have_admin_rights
if errorlevel 1 goto FSMA_was_already_installed
if errorlevel 0 Echo Installation was OK!

B.2 Error Codes


0      Installation OK.
1      FSMA already installed.
2      User has no administrative rights.
3      JAR not found.
4      JAR corrupted.
6      Error occurred when unpacking an installation package.
7      Target disk has insufficient free space for installation.
8      File package.ini was not found in JAR file.
9      File package.ini did not contain any work instructions.
10     Wrong parameters in command line or .ini file.
11     Error in initializing a new working process.
12     Error in creating the install process for setup.
13     Could not create a temp directory.
14     Undefined error.
100    Data needed for silent installation is missing. Invalid JAR file.
101    Update is disabled. (Setup attempted to update the installation.)
102    Setup was unable to read the product.ini file.
103    Invalid data is encountered in prodsett.ini.
104    Management Agent canceled the installation or conflicting software
       was found. Installation aborted.
105    The CD-KEY was entered incorrectly or is missing. Installation aborted.
110    Out of disk space.
111    The destination drive is not local.
120    The user has no administrative rights to the machine.
130    Setup was unable to copy non-packed files to the target directory.
131    Setup was unable to copy uninstallation plug-in to the product
       target directory.
132    Setup was unable to copy product.ini file to the temp directory.
133    Error occurred while copying product file to the destination directory.
134    Unable to copy prodsett.ini.
140    Newer version of Suite was detected.
150    Setup was unable to load product plug-in dll.
151    Setup was unable to load installation support dll.
152    Setup was unable to load wrapper dll.
160    Setup was unable to initialize a cabinet file.
170    Management Agent Setup plug-in returned error.
171    Plug-in returned an unexpected code.
172    Plug-in returned a wrapper code.
173    One of the previous install/uninstall operations was not completed.
       Reboot is required to complete it.
174    The target machine was rebooted to complete one of the previous
       install/uninstall operations. Please push installation again.
200    Partial Success. Installation of some products failed.
C FSII Remote Installation Error Codes


C.1 Overview
This appendix describes the most common error codes and messages
that can occur during the Autodiscover Windows Hosts operation.

C.2 Windows Error Codes


Error Code  Description

1057        The user account name is invalid or does not exist.

5           Access Denied -- If using “This Account”, it is important that the
            administrator is logged on to the F-Secure Policy Manager Console
            machine with Domain Administrator privileges. With Domain Trusts,
            make sure you have logged on to the F-Secure Policy Manager
            Console using the account from the trusted domain.

1069        Logon Failure. In most cases, the entered password is wrong.

1722        RPC server is unavailable. This error message might appear if the host
            was restarted immediately after installation and F-Secure Policy
            Manager Console did not have time to verify that the installation was
            successfully completed.

1219        F-Secure Policy Manager Console has open network connections to
            target workstation. Close the connections before trying to open
            connections with another user account.

C.3 Error Messages


Q. The required privilege is not granted for the current account and
should be added manually.
A. By default even the administrator does not have a required “Act as
part of operating system” privilege on the F-Secure Policy Manager
Console machine. Without this privilege, Windows NT does not allow
FSII to authenticate the entered user accounts. To add this privilege
to administrator’s account on the F-Secure Policy Manager Console,
use Windows NT User Manager > Policies > User Rights.

Q. Management Agent canceled the installation or some conflicting
software was found. Installation aborted.
A. The Management Agent portion of Setup cancels the whole installation in
the following situations:
1. When it detects conflicting third party software.
2. For various other possible reasons, including the wrong URL to
Policy Manager Server.

Q. The CD-KEY was entered incorrectly or is missing. Installation
aborted.
A. The installation on the remote host cannot start because the CD KEY
was entered improperly. Check the syntax.

Q. Out of Disk space in target host


A. The destination host does not have enough disk space. Usually at
least 20 MB is required.

Q. Management Agent installation failed to fatal FSMAINST error,
see host log files for details.
A. Fatal installation error occurred during F-Secure Management Agent
installation. It is recommended that Management Agent be installed
manually to the host. It is also possible to try to find out the ERROR
keyword from the fswssdbg.log file located in the target Windows
directory.

Q. Newer F-Secure product detected, installation aborted


A. If the target host has a newer product version already installed, the
installation cannot be completed without first uninstalling it.

Q. Invalid data is encountered in prodsett.ini.


A. The prodsett.ini configuration file has invalid information. If you have
edited it manually, make sure the syntax is correct. It is recommended
to Export JAR files and use ILAUNCHR to install instead of directly
editing prodsett.ini.

APPENDIX D
NSC Notation for Netmasks

D.1 Overview
NSC notation is a standard shorthand notation, which combines a
network address with its associated netmask.
NSC notation defines the number of contiguous one-bits in the netmask
with a slash and a number following the network address. Here is a
simple example:

Network Address    Netmask            NSC Notation
192.168.0.0        255.255.0.0        192.168.0.0/16
192.168.1.0        255.255.255.0      192.168.1.0/24
192.168.1.255      255.255.255.255    192.168.1.255/32

NSC notation is not compatible with networks that use "comb" style
netmasks, where the one-bits are not all contiguous. The following table gives
the number of bits for each permitted netmask.
0.0.0.0/0 is a special network definition reserved for the default route.

Netmask            Bits    Netmask            Bits
128.0.0.0          1       255.128.0.0        9
192.0.0.0          2       255.192.0.0        10
224.0.0.0          3       255.224.0.0        11
240.0.0.0          4       255.240.0.0        12
248.0.0.0          5       255.248.0.0        13
252.0.0.0          6       255.252.0.0        14
254.0.0.0          7       255.254.0.0        15
255.0.0.0          8       255.255.0.0        16
255.255.128.0      17      255.255.255.128    25
255.255.192.0      18      255.255.255.192    26
255.255.224.0      19      255.255.255.224    27
255.255.240.0      20      255.255.255.240    28
255.255.248.0      21      255.255.255.248    29
255.255.252.0      22      255.255.255.252    30
255.255.254.0      23      255.255.255.254    31
255.255.255.0      24      255.255.255.255    32
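
The conversion described in this appendix, as an added Python example (not part of the original guide and not F-Secure code; all function names are hypothetical). It derives the bit count from a dotted netmask, rejects "comb" style netmasks, and converts NSC notation back to an address and netmask.

```python
# Added example; function names are hypothetical, not F-Secure code.

def _to_int(dotted):
    """Parse a dotted IPv4 value (address or netmask) into a 32-bit int."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(
            p.isascii() and p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted IPv4 value: {dotted!r}")
    value = 0
    for p in parts:
        value = (value << 8) | int(p)
    return value


def netmask_to_bits(netmask):
    """Return the number of contiguous one-bits; reject comb-style masks."""
    host_bits = ~_to_int(netmask) & 0xFFFFFFFF
    # A permitted netmask inverts to 0...01...1; adding 1 then carries through
    # every one-bit, so the AND below is zero only for contiguous masks.
    if host_bits & (host_bits + 1):
        raise ValueError(f"comb-style netmask, one-bits not contiguous: {netmask}")
    return 32 - host_bits.bit_length()


def bits_to_netmask(bits):
    """Return the dotted netmask with `bits` leading one-bits (0..32)."""
    if not 0 <= bits <= 32:
        raise ValueError(f"bit count out of range: {bits}")
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return ".".join(str((mask >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_nsc(address, netmask):
    """Combine a network address and netmask into NSC notation."""
    _to_int(address)  # validates the address syntax only
    return f"{address}/{netmask_to_bits(netmask)}"


def from_nsc(nsc):
    """Split NSC notation into (network address, dotted netmask)."""
    address, slash, bits = nsc.partition("/")
    if not slash or not (bits.isascii() and bits.isdigit()):
        raise ValueError(f"not NSC notation: {nsc!r}")
    _to_int(address)
    return address, bits_to_netmask(int(bits))


if __name__ == "__main__":
    print(to_nsc("192.168.1.0", "255.255.255.0"))
    print(from_nsc("0.0.0.0/0"))
```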
TECHNICAL SUPPORT


Overview
F-Secure Technical Support is available by e-mail and from the F-Secure
Web site. You can access our Web site from within your F-Secure
application or from your Web browser.

Web Club
The F-Secure Web Club provides assistance to users of F-Secure
products. To enter, choose the Web Club command from the Help menu
in the F-Secure application. The first time you use this option, enter the
path and name of your Web browser and your location.
To connect to the Web Club directly from your Web browser, go to:
http://www.f-secure.com/webclub/

Virus Descriptions on the Web


F-Secure Corporation maintains a comprehensive collection of
virus-related information on its Web site. To view the Virus Information
Database, go to:
http://www.f-secure.com/security_center/.

Advanced Technical Support


For advanced technical support, go to the F-Secure Support Center at
http://support.f-secure.com/ or contact your local F-Secure distributor
directly.
For basic technical assistance, please contact your F-Secure distributor.
Please include the following information with your support request:
1. Name and version number of your F-Secure software program
(including the build number).
2. Name and version number of your operating system (including the
build number).
3. A detailed description of the problem, including any error messages
displayed by the program, and any other details, which could help us
duplicate the problem.
When contacting F-Secure support by telephone, please do the following
so that we may help you more effectively and save time:
Be at your computer so you can follow instructions given by the
support technician, or be prepared to write down instructions.
Have your computer turned on and (if possible) in the state it was
in when the problem occurred, or be ready to replicate the
problem on the computer with minimum effort.

After installing the F-Secure software, you may find a ReadMe file
in the F-Secure folder in the Windows Start > Programs menu. The
ReadMe file contains late-breaking information about the product.

F-Secure Technical Product Training


F-Secure provides technical product training, material and information for
our distributors, resellers and customers to succeed with F-Secure
security products and services. Training can also be obtained through
F-Secure Certified Training Partners. With these tools and expertise, our
partners are able to differentiate their business from their competitors with
a unique and powerful solution for enterprise security, and obtain higher
levels of customer satisfaction while increasing market share and
profitability.

Training Program
For more detailed information about our course offerings, please go to our
F-Secure Technical Product Training page on the Internet at:
http://www.f-secure.com/partners/training-partners/

The courses take place in modern and well-equipped classrooms. All of
our courses consist of theory and hands-on parts. At the end of each
course there is a certification exam. Contact your local F-Secure office or
F-Secure Certified Training Partner to get information about the courses
and schedules.

Contact Information
General issues: Training@f-secure.com
Registration: Training-Registration@f-secure.com
Feedback: Training-Feedback@f-secure.com
GLOSSARY


Authentication
The act of proving one’s identity.
Authorization
The right to perform an action on an object. Also the act of proving
this right.
Bit
The smallest unit of memory size, sets of which make up bytes,
arranged in a sequential pattern to express text, numbers, or other
detailed information, recognizable by the computer’s processing
system.
Byte
A set of bits that represent a single character. There are 8 bits in a
byte.
Certificate
See Public Key.
Client
A program that is used to contact and obtain data from a Server
program on another computer.
Corrupted
Data that has been modified without the user’s authorization or
approval.
Domain Name
A unique name that identifies an Internet site (for example,
F-Secure.com).
DNS
Domain Name System. A service that converts symbolic node names
to IP addresses. DNS uses a distributed database.
Firewall
A combination of hardware and software that separates a network
into two or more parts for security purposes.
FTP
(File Transfer Protocol) A very common method of moving files
between two Internet sites.
Host
Any computer on a network that is a repository for services available
to other computers on the network.
HTTP
The Hyper Text Transfer Protocol is the protocol used between a Web
browser and a server to request a document and transfer its contents.
The specification is maintained and developed by the World Wide
Web Consortium.
IP Address
Internet Protocol Address. A unique network address consisting of 4
numeric strings separated by dots. This will change in IPv6.
IPSec
(IETF) The IP Security Protocol is designed to provide interoperable,
high quality, cryptography-based security for IPv4 and IPv6. The set
of security services offered includes access control, connection-less
integrity, data origin authentication, protection against replays,
confidentiality (encryption), and limited traffic flow confidentiality.
These services are provided at the IP layer, offering protection for IP
and/or upper layer protocols.
ISP
Internet Service Provider. An institution that provides access to the
Internet in some form.
JAR
Java ARchive. A file format used for aggregating many files into one.
Kernel Mode
The part of the Windows operating system through which, among
other things, user-mode applications and services use an API to
interact with the computer's hardware. Kernel mode also
contains an interface to user mode, and a facility for synchronizing its
own services and coordinating all I/O functions. Kernel mode memory
is protected from user mode access.
LAN
(Local Area Network) A computer network limited to the immediate
area, usually the same building or floor of a building. Sometimes
using a simple network protocol.
Login (noun)
The account name used to gain access to a computer system.
Mbit
Megabit.
MD5
Message Digest number 5, a secure hash function published in RFC
1321.
MIB
(SNMP terminology) Management Information Base. Detailed
information about MIBs can be found in RFC1155-SMI,
RFC1212-CMIB and RFC1213-MIB2.
Netmask
Tells how the IP address is divided into the network portion and the
host portion.
Network
Two or more computers connected together in order to share
resources. Two or more networks connected together is an internet.
Ping
Sending ICMP echo packets and listening for echo reply packets to
verify connections to a remote computer or computers.
Policy
The set of conditions under which users of a system can access the
system’s resources.
Policy-based management
Controlling the actions and configurations of a system using policy
statements.
Private Key
The part of the key in a public key system which is kept secret and is
used only by its owner. This is the key used for decrypting messages,
and for making digital signatures.
Protocol
A protocol is an algorithm, or step by step procedure, carried out by
more than one party.
Public Key
The part of the key in a public key system which is widely distributed
(and not kept secure). This key is used for encryption (not decryption)
or for verifying signatures. A public key also contains other
information about the subject, issuer, lifetimes, etc.
Random Seed
The seed value for the cryptographically strong random number
generator, which is updated each time an F-Secure application
closes.
Server
A computer, or a piece of software, that provides a specific kind of
service to client software.
Service
An application that is running on a host regardless of who is logged in
and which provides some service to other applications.
SNMP
Simple Network Management Protocol. A standard TCP/IP protocol
used for monitoring and setting network parameters and counters of
LAN- and WAN-connected repeaters, bridges, routers, and other
devices.
TCP/IP
(Transmission Control Protocol/Internet Protocol) This is the suite of
protocols that defines the Internet. Originally designed for the UNIX
operating system, TCP/IP software is now available for every major
kind of computer operating system. To be truly on the Internet, your
computer must have TCP/IP software.
Text file
Any file whose contents are intended by the file’s creator to be
interpreted as a sequence of one or more lines containing ASCII or
Latin printable characters.
URL
(Uniform Resource Locator) The standard way to give the address of
any resource on the Internet.
User mode
The protected part of an operating system where user applications
are run and that calls kernel mode to perform operating system
functions.
Virus Definition Database
Virus Definition Databases are used to detect viruses. Whenever a
new virus is found, the databases need to be updated for virus
protection to be able to detect that virus.
WAN
(Wide Area Network) Any internet or network that covers an area
larger than a single building or campus.
About F-Secure Corporation
F-Secure Corporation protects consumers and businesses against computer
viruses and other threats from the Internet and mobile networks. We want to
be the most reliable provider of security services in the market. One way to
demonstrate this is the speed of our response. According to independent
studies in 2004, 2005 and 2006 our response time to new threats is
significantly faster than our major competitors. Our award-winning solutions
are available for workstations, gateways, servers and mobile phones. They
include antivirus and desktop firewall with intrusion prevention, antispam and
antispyware solutions. Founded in 1988, F-Secure has been listed on the
Helsinki Exchanges since 1999, and has been consistently growing faster
than all its publicly listed competitors. F-Secure headquarters are in Helsinki,
Finland, and we have regional offices around the world. F-Secure protection
is also available as a service through major ISPs, such as Deutsche Telekom,
France Telecom, PCCW and Charter Communications. F-Secure is the global
market leader in mobile phone protection provided through mobile operators,
such as T-Mobile and Swisscom and mobile handset manufacturers such as
Nokia. The latest real-time virus threat scenario news is available at the
F-Secure Data Security Lab weblog at http://www.f-secure.com/weblog/
