Frequently Asked Questions

|
| Q: |
Why are certain clean files detected as medium virus threats? |
| A: |
This applies to F-Secure Internet Gatekeeper 6.60 and newer.
The proactive virus threat detection used in F-Secure Internet Gatekeeper does not use signature-based detection. This means that there are no static rules for what is considered a medium virus threat and what is not.
The medium virus threat classification is determined by heuristics based on multiple parameters, specially designed to be able to react to possible virus outbreaks within the first minutes of the initial virus launch. This also means that normal clean files can sometimes be classified as medium virus threats.
In situations like this, F-Secure Internet Gatekeeper with default settings will stop the e-mail and quarantine it. However, this e-mail will be reprocessed 3 times within the following 24 hours. If the e-mail is not confirmed to contain any known malware during that time, the product can be configured to release the e-mail to the original recipient(s). These timers are also configurable for faster releasing.
These e-mails can also be released manually sooner, if necessary, with the F-Secure Internet Gatekeeper Web Console. However, for obvious security reasons, in uncertain situations it is recommended to wait for the confirmation cycle to complete.
|
| Q: |
Why does F-Secure Settings and Statistics display the status of F-Secure Automatic Update Agent as Disabled? |
| A: |
This applies to all the versions of F-Secure Internet Gatekeeper.
F-Secure Automatic Update Agent is not running if the status is displayed as "Disabled". Either it has not yet
started or it has been shut down, or you have uninstalled the
F-Secure Automatic Update Agent core components.
If you have just started Windows, just wait a while to see whether the
status changes to Enabled. If F-Secure Automatic Update Agent does
not start after a while, the F-Secure Automatic Update Agent
installation may be corrupted. Try to uninstall and then reinstall the
client.
Please note that F-Secure Automatic Update Agent is a crucial component in the product, as it is responsible for downloading the virus and spam definition databases. If it is not running, the product does not get newly published virus and spam definition databases.
|
| Q: |
Why does F-Secure Settings and Statistics display the status of F-Secure Automatic Update Agent as Suspended? |
| A: |
This applies to all the versions of F-Secure Internet Gatekeeper.
Either you have suspended downloads from the F-Secure Automatic
Update Agent task bar menu or there is a problem, for example the
disk may be full. Select Resume downloading from the task bar
menu, or check for other possible problems.
Please note that F-Secure Automatic Update Agent is a crucial component in the product, as it is responsible for downloading the virus and spam definition databases. If it is not running, the product does not get newly published virus and spam definition databases.
|
| Q: |
Why is the F-Secure Automatic Update Agent not downloading any virus definition database updates? |
| A: |
This applies to all the versions of F-Secure Internet Gatekeeper.
Select the Received Packages tab in the F-Secure Automatic Update
Agent window and check that no virus definitions update packages
are listed in there.
Select the Channel Status page in the F-Secure Automatic Update
Agent. If the Channel Name and Channel Address fields are empty,
the client has not yet connected to F-Secure Automatic Update
server. Make sure that your Internet connection is working, and if the
Current Status is Ready, click Connect Now to force the client to
connect to the server immediately. Downloading the virus definitions
database update for the first time can take a while if you have a lot of
other Internet traffic open at the same time.
If the client cannot connect to the server, make sure that your browser
can access the Internet. Open your browser and connect to
http://fsbwserver.f-secure.com/. If you cannot connect to the web page,
check your network settings. If the connection was successful, open
the Settings page. If Polite Agent is selected in the Communication
section, change it to HTTP. If you change the protocol from Polite
Agent to HTTP or vice versa, you have to restart the F-Secure
Automatic Update Agent.
If changing to HTTP communication does not help, check if you are
connected to the Internet through an HTTP proxy server. If you have
to connect to the Internet through an HTTP proxy server, enable the
Use HTTP proxy check box on the F-Secure Automatic Update Agent
window’s Settings page and type in the field the proxy server address
and port number that you retrieved from your browser (such as
myproxy.example.com:80). If you are not connected through a
proxy server, ensure that the Use HTTP proxy option is not selected.
If you are still not able to receive content and your client is configured
correctly, make sure that your firewall is configured to accept outgoing
HTTP requests and incoming responses to these requests.
|
| Q: |
How can I verify that updating the virus and spam definition databases really works? |
| A: |
This applies to F-Secure Internet Gatekeeper 6.50 and newer.
First, open the F-Secure Automatic Update Agent window from
F-Secure Settings and Statistics and select the Received Packages
tab. If a virus definitions database update has been downloaded, you
should see something like "F-Secure Anti-Virus Update 2007-08-09"
under Title.
Check the Last Result column. If the update has been successfully
placed into the destination directory, the Latest Result displays
Installed. If the Latest Result is Not installed, the update has been
downloaded but the F-Secure Automatic Update Agent could not
copy it into the destination directory. The F-Secure Automatic Update
Agent tries to copy it there again at one-minute intervals. Click
Package Properties to see the error message.
If the Last Result value is Installed, check the date and time in the
First Installed column at the bottom of the Received Packages page.
Then, open Windows Explorer and select the F-Secure Anti-Virus
folder, select Details from the View menu, and click the Modified
column title above the file list to display the files sorted by date and
time. The F-Secure Anti-Virus folder should have files (with filename
extensions .def, .avc, .set or .dat) which have the same date and time
as is listed in the First Installed column on the user interface.
|
| Q: |
The Received Packages page states that a virus definition database update is not installed. What should I do? |
| A: |
This applies to all the versions of F-Secure Internet Gatekeeper.
Click on the package title and then Package Properties to view the
error message. Here are descriptions of the typical error messages:
Unable to locate anti-virus database update directory: The directory does not exist, the communication directory is corrupted, or your client is in Standard mode and the update directory is on a network drive. Open the Settings page in the F-Secure Automatic Update Agent window and click Change to select the destination directory again.
Not enough free disk space: The drive of the destination directory is full. Free some disk space.
Could not create temporary directory: Check that the current user has appropriate access rights to the destination directory. Note that if the destination is a communication directory, the same rights are also required for its subdirectories. If the destination is the "Other" subdirectory, the same rights are required for its parent directory.
Could not switch database update directory to a new one: Another application has a file open in the destination directory, so it cannot be deleted. This can occasionally happen if multiple hosts are retrieving the update at the same time. The client will retry at one-minute intervals, so wait and see if the result changes to "Installed". If the update is still uninstalled, close all applications on the computer where the destination directory is, or reboot it. If the client is in NT application mode, see the explanation above for "Could not create temporary directory".
|
| Q: |
Why are there no new files in the product directory even though the virus definition databases should have been updated? |
| A: |
This applies to all the versions of F-Secure Internet Gatekeeper.
After downloading the update and placing it into a communication
directory, F-Secure Content Scanner Server does not immediately
retrieve the files from there. The delay depends on the polling interval
of F-Secure Management Agent; with the default interval of 10 minutes,
the delay can be up to 20-30 minutes.
In a stand-alone installation, make sure F-Secure Automatic Update
Agent is installed in Stand-alone mode. Open the Settings page in
F-Secure Automatic Update Agent window. The Change button
should be disabled.
With centrally managed installations, check that you have enabled
"Poll Automatically" for Virus Definitions Updates on the F-Secure Policy
Manager Server. Open the Settings page in the F-Secure Automatic
Update Agent window and check that you have selected the correct
communication directory as the destination for the updates.
If you are not sure, try downloading Latest.zip from
http://www.F-Secure.com/download-purchase/updates.shtml, and
import it to F-Secure Policy Manager Console. If the update succeeds
this way, but not with F-Secure Automatic Update Agent, and the
Received Packages page states that an update is "Installed", the
F-Secure Automatic Update Agent is most probably configured to
place the updates in a wrong directory.
|
| Q: |
Why are SMTP messages accumulating in the spool directories? |
| A: |
This applies to F-Secure Internet Gatekeeper version 6.50 and newer.
If the outbound e-mail messages are not always delivered when the product has been configured to deliver the e-mails using the DNS MX records, the most likely explanation is that some of the destination mail servers cannot be reached at the moment. This is perfectly normal on the Internet and in normal situations does not require any attention - F-Secure Internet Gatekeeper will try to deliver the messages for five days by default before giving up.
If inbound SMTP messages start to accumulate in the spool directory, the most probable reason is that the network connection to the internal mail server is broken. Check that network connections are working - see the Troubleshooting chapter in the F-Secure Internet Gatekeeper administrator's guide for instructions.
If F-Secure Anti-Virus for Internet Mail reports a scanning error for a particular mail, you can see the contents of the mail by stopping
F-Secure Anti-Virus for Internet Mail and viewing the files in the spool directory.
You can use a tool called spoolinfo.exe for viewing the contents of the spool directory. This tool has a graphical user interface and it displays detailed information about the contents of the spool directory. You can find the tool in %Program Files%\F-Secure\Anti-Virus Agent for Internet mail\spoolinfo.exe and you can run the tool by double-clicking the executable.
When you use spoolinfo.exe for the first time, you need to configure
the tool to display the contents of the spool directory. Click
Configure... and then enter the path to the spool directory in the field,
or click Browse to locate the spool directory. Then click OK.
When the spool directory path has been configured, you can see a list
of the spooled messages. Select a spooled message from the list to
view detailed information of the message. The different tabs
(Summary, Flags, Recipients, Scanlog and Data) display the
message details, and you should check especially the Recipients and
Scanlog tabs to find out if a particular message has caused the mails
to accumulate in the spool directory.
WARNING: From the Data tab it is also possible to access the content of a spooled message. Please note that in many countries it is illegal to read other people’s messages, even for system administrators.
If necessary, the e-mails located in the spool directories can also be delivered without scanning using these instructions:
Warning: Note that possibly infected messages will NOT be detected when e-mails are delivered using this method.
- Change the following settings:
  - Change Inbound and Outbound Mail / Receiving / Accept Mail to Reject Temporarily.
  - Clear the Examine attachments for viruses checkbox in Inbound and Outbound / Virus Scanning.
- Flush the spool directory. Open Common / Spooling and click Flush Now to scan and send all currently spooled messages.
- After the mails have been delivered, change the settings back to the original values.
|
| Q: |
Why does the connection to the backup Content Scanner Server remain open after it has become inactive? |
| A: |
This applies to all the versions of the F-Secure Internet Gatekeeper when it has been configured to use both primary and backup F-Secure Content Scanner Servers.
In a situation where the product has been using the backup F-Secure Content Scanner Server, but has already switched the processing back to the primary server, the connection from the F-Secure Anti-Virus for Internet Mail to the backup server may stay open for a long time. This is by design. If wanted, this network connection can be made to close faster using the Keep Alive Timeout setting for the backup F-Secure Content Scanner Server.
|
| Q: |
Why does F-Secure Internet Gatekeeper sometimes fail to process uuencoded files? |
| A: |
This applies to all the versions of the F-Secure Internet Gatekeeper when it is used to scan e-mails.
Uuencode is a very old and non-standardized way to encode files so
that they can be sent by e-mail. There are numerous different
uuencoding implementations by various vendors, groups and
individuals. While some of them are mostly compatible with each
other, there are also many unique and incompatible uuencoding
methods. Nowadays it is recommended to replace uuencoding by the
Internet standard MIME encodings.
F-Secure Internet Gatekeeper tries to uudecode the uuencoded files.
In case the uuencoding method is unknown to the decoding methods
F-Secure Internet Gatekeeper uses, the message will not be
delivered. Depending on the quarantine settings, it may be
quarantined with an appropriate error message.
If really needed, the
product can be configured to let these messages through with the
Action on Malformed Mails setting. For more information, see
the chapter about Security Options in the F-Secure Internet Gatekeeper Administrator's Guide.
|
| Q: |
Spam Control is enabled, but the end users still receive bulk e-mail in their inboxes. How can I fix this? |
| A: |
This applies to all the versions of F-Secure Internet Gatekeeper with spam scanning enabled.
Make sure that the end-users’ e-mail clients are properly set up to
work with Spam Control. Spam Control can be configured to add specific headers to messages detected as spam, as well as to add identifying strings to the Subject line.
You can adjust the spam filtering level under F-Secure Anti-Virus for Internet
Mail / Settings / Inbound Mail / Spam Control to
filter more messages as spam. Please see the F-Secure Internet Gatekeeper administrator's guide for instructions on how to use the settings if necessary.
|
| Q: |
Why does it seem to be impossible to log in to the F-Secure Internet Gatekeeper Web Console? |
| A: |
This applies to all the versions of F-Secure Internet Gatekeeper when the Web Console is used with Microsoft Internet Explorer.
There are situations where the F-Secure Internet Gatekeeper Web Console returns to the user name and password prompt after the administrator has already entered them. Typically the reason for this is that the server's Privacy level has been set to High in Internet Explorer.
The solution is to add the address of the F-Secure Internet Gatekeeper Web Console, https://127.0.0.1:25023/, to the Trusted sites in Internet Explorer 6.0 Security options. This ensures that the F-Secure Internet Gatekeeper Web Console works properly on Windows Server 2003. If you are accessing the Web Console over the network, you must specify the correct IP address instead of the 127.0.0.1 (localhost) address.
|
| Q: |
Why does the F-Secure Automatic Update Agent Downloads page display almost all the installed packages twice? |
| A: |
This applies to F-Secure Internet Gatekeeper 6.61 when installed on the same server with F-Secure Anti-Virus for Windows Servers.
When the two products are installed on the same server, F-Secure Automatic Update Agent downloads and installs virus definition database updates for both of them. Because of this, the downloaded packages (definition databases) are displayed twice for those databases that are used by both products. Some of the databases are used by only one of the products, so they will not be displayed twice.
|
| Q: |
Does F-Secure Internet Gatekeeper scan files that are downloaded with download managers? |
| A: |
This applies to F-Secure Internet Gatekeeper version 6.60 and newer when it is used to scan HTTP traffic.
If F-Secure Anti-Virus for Internet Gateways (HTTP scanning component in the product) is deployed transparently, F-Secure Internet Gatekeeper scans web traffic
passing through F-Secure Anti-Virus for Internet Gateways, including files downloaded with download managers. For more information about transparent installations, please check the Deployment Chapter in the F-Secure Internet Gatekeeper Administrator's Guide.
If you have not deployed F-Secure Anti-Virus for Internet Gateways transparently, make sure that all applications that use HTTP use F-Secure Anti-Virus for Internet Gateways as the proxy.
|
| Q: |
Why does F-Secure Anti-Virus for Internet Gateways reject FTP connections? |
| A: |
This applies to all the versions of F-Secure Internet Gatekeeper when used to scan HTTP traffic.
F-Secure Anti-Virus for Internet Gateways does not scan data that is
downloaded using FTP protocol. It scans only files which are
downloaded via HTTP or FTP-over-HTTP protocol with a web
browser. All native FTP connection attempts through F-Secure
Anti-Virus for Internet Gateways are rejected.
|
| Q: |
Does F-Secure Anti-Virus for Internet Gateways scan files downloaded with FTP clients? |
| A: |
This applies to all the versions of F-Secure Internet Gatekeeper.
F-Secure Anti-Virus for Internet Gateways scans only files which are downloaded via HTTP or FTP-over-HTTP protocol with a web browser. Files transferred with native FTP protocol cannot be scanned with this product.
|
| Q: |
How can I get Microsoft Outlook Web Access 2003 to work with F-Secure Anti-Virus for Internet Gateways? |
| A: |
This applies to F-Secure Internet Gatekeeper version 6.60 and newer.
Microsoft Outlook Web Access 2003 uses content ranges when users connect to it with their web browsers. Content range transfers cannot be scanned with F-Secure Internet Gatekeeper.
Configure Microsoft Exchange and the web browser to use Secure Socket Layers (SSL) with the Outlook Web Access. This way the connection between the web browser and the e-mail server will be encrypted (the address in the browser's Location field starts with "https://" and there will be the lock symbol near the bottom right corner of the browser window). The encrypted https connections will pass through the F-Secure Internet Gatekeeper without scanning.
If for some reason SSL cannot be used, open the F-Secure Anti-Virus for Internet Gateways' Content Blocking page and enable Allow Content Ranges. For more information on this, please see the chapter about blocking connections in the F-Secure Internet Gatekeeper Administrator's Guide.
|
| Q: |
Users receive "Redirection limit for this URL exceeded" error messages, how can I fix this? |
| A: |
This applies to F-Secure Internet Gatekeeper 6.60 and newer.
When users browse to some web pages while using F-Secure Internet Gatekeeper, the browser may be unable to load the requested page and displays the "Redirection limit for this URL exceeded" error message. If F-Secure Internet Gatekeeper is disabled, the browser loads the page without any errors.
This may happen when the URL of the requested page contains tilde (~) characters, which are unsafe characters according to the URL standard (RFC 1738). F-Secure Internet Gatekeeper converts the tilde character into "%7e", i.e. the way the tilde character should be encoded. However, some web servers which violate the protocol specification may be unable to understand the modified address. This may result in this error message.
|
| Q: |
How to fix error messages about Bad Gateway? |
| A: |
This applies to F-Secure Internet Gatekeeper version 6.60 and newer when it is used to scan the HTTP traffic.
Error messages about "Bad Gateway" occur typically when the server running F-Secure Anti-Virus for Internet Gateways (the HTTP scanning component in the product) does not get prompt responses from the DNS server.
If the DNS service is slow, DNS queries can time out quite easily. In this case, you should configure the DNS client on the computer where F-Secure Anti-Virus for Internet Gateways is installed to wait longer for a response. This must be done through registry settings. Remember to create a backup copy of the registry before you edit it.
Follow these instructions to configure the DNS client:
- Open the Windows Start menu > Run... and start Regedt32.exe.
- Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
- Edit or add a new REG_MULTI_SZ entry called DNSQueryTimeouts and specify the following values: 8 8 8 8 8 0. Separate each entry with ENTER and make sure that the sixth value is 0 (zero).
- Restart the operating system to take the new settings into use.
|
| Q: |
Is it possible to use a remotely installed F-Secure Content Scanner Server with F-Secure Anti-Virus for Internet Gateways? |
| A: |
This applies to all the F-Secure Internet Gatekeeper versions.
It is not possible to use a remote F-Secure Content Scanner Server with F-Secure Anti-Virus for Internet Gateways, the HTTP scanning component in the product. It interacts only with an F-Secure Content Scanner Server installed on the same server.
|
| Q: |
Why does F-Secure Anti-Virus for Windows Servers detect viruses in the F-Secure Internet Gatekeeper directories? |
| A: |
This applies to all the versions of F-Secure Internet Gatekeeper when F-Secure Anti-Virus for Windows Servers is installed on the same server.
When F-Secure Anti-Virus is installed on the same server with F-Secure Internet Gatekeeper, it will automatically exclude quarantine, spool and working directories from the real-time virus scan. If for some reason those directories are not excluded automatically, or the exclusions have been accidentally removed from the F-Secure Anti-Virus for Windows Servers configuration, they can also be added manually. For more information, see F-Secure Anti-Virus Administrator’s Guide.
|
| Q: |
How does the Maximum Requests per Child Process setting work? |
| A: |
This applies to F-Secure Internet Gatekeeper version 6.60 and newer.
By default, F-Secure Internet Gatekeeper does not have a maximum limit for the requests per child process. If you set Maximum Requests per Child Process to a certain value, F-Secure Internet Gatekeeper handles that many requests before it restarts and starts to handle the requests again. The restart may take some time during which F-Secure Internet Gatekeeper is unable to handle any new requests. Usually there is no need to limit the number of requests per child process.
|
| Q: |
Why do Internet radio stations or other similar streaming media services not work with the File Type Recognition feature enabled? |
| A: |
This applies to F-Secure Internet Gatekeeper version 6.60 and above.
When File Type Recognition is enabled, streaming content cannot be provided to the users as File Type Recognition requires the whole file to be processed before it is allowed through. With streaming content the "whole file" cannot be downloaded, as the download will be a continuous process.
If it is necessary for the users to receive streaming content, but at the same time File Type
Recognition must be used, one possibility is to define the sites from
where the streaming content is downloaded as trusted sites. Note,
however, that this might entail a security risk.
|
| Q: |
Why has the HTTP scanning performance decreased and why do the log files contain error messages about socket addresses? |
| A: |
This applies to F-Secure Internet Gatekeeper 6.60 and newer with HTTP scanning enabled.
If the HTTP scanning performance has decreased from the normal, please check the F-Secure Anti-Virus for Internet Gateways (the HTTP scanning component in the product) log files. Search the log files for the following error messages:
[error] (OS 10048) Only one usage of each socket address (protocol/network address/port) is normally permitted. : proxy: HTTP: attempt to connect to 172.16.7.6:80 (172.16.7.6) failed
These errors mean that all the ports offered by the operating system are taken up, so there are not enough open ports for the current amount of traffic. To fix this problem you need to increase the number of open ports. For information on how to do this, see the following Microsoft knowledge base articles:
|
| Q: |
Why does downloading large archives sometimes fail silently when the Data Trickling feature is enabled? |
| A: |
This applies to F-Secure Internet Gatekeeper 6.60 and newer with HTTP scanning enabled.
One of the reasons why a file download terminates silently is the Max Scan Timeout setting. This setting is used to specify the maximum time the product is allowed to scan a file before giving up. This protects the product especially from malicious archive files which have been designed to attack virus scanners.
Scanning an archive file, especially an archive that is very big or has
several nested levels, may take a while. One reason for this problem
might be that the maximum scanning timeout is exceeded. Try to
increase the value defined in the Max Scan Timeout setting. Another
possibility is to add the site in question on the list of Trusted Sites, but
you should do this only if you are absolutely certain that the site is
safe.
If the use of Scan Result Cache is enabled and a user tries to
download the same archive file again, the product tries to find a
match for the file in the Recent Transactions Scan Result Cache. If it
finds the result before data trickling has started, the product displays
the appropriate warning or an error message to the end user. You
could try to increase the value in the Trickle Interval setting to see if
that helps to display the appropriate error and warning messages.
The value to use depends on the speed of the Internet connection.
|
| Q: |
Why does the start-up time of the HTTP scanning component not always reflect the start-up time of the product? |
| A: |
This applies to F-Secure Internet Gatekeeper version 6.60 and newer when the HTTP scanning component (F-Secure Anti-Virus for Internet Gateways) is in use.
Whenever the F-Secure Internet Gatekeeper statistics are reset through the user interface, the start-up time for F-Secure Anti-Virus for Internet Gateways is also reset. Changing nearly any of the settings for F-Secure Anti-Virus for Internet Gateways also automatically restarts the component, and thus its start-up time will be changed as well.
|
| Q: |
How can F-Secure Internet Gatekeeper related performance counters be viewed in Perfmon on Windows Server 2003 x64 Edition? |
| A: |
This applies to F-Secure Internet Gatekeeper 6.60 and newer when installed on the Windows Server 2003 x64 Edition.
F-Secure Internet Gatekeeper provides only 32-bit performance counters for Windows' Perfmon. Because of this, they are not visible in the native 64-bit Perfmon used in the Windows Server 2003 x64 Edition.
To view the F-Secure Internet Gatekeeper performance counters on the 64-bit platform, the 32-bit Perfmon must be used. This is installed by default also on the 64-bit Windows servers at %WINDIR%\SysWOW64\perfmon.exe.
|
| Q: |
Why does the product report virus outbreaks when reprocessing quarantined messages? |
| A: |
This applies to F-Secure Internet Gatekeeper 6.60 and newer.
If the administrator reprocesses the quarantined messages detected as unsafe, the product may alert about a possible virus outbreak. This occurs if the number of infected messages in the quarantine exceeds the virus outbreak threshold that has been set. This is by design, even though the viruses were already detected when they originally arrived in the system.
|
| Q: |
Why do messages get quarantined because of dangerous headers? |
| A: |
This applies to all the supported versions of F-Secure Internet Gatekeeper.
F-Secure Anti-Virus for Internet Mail, the e-mail scanning module in F-Secure Internet Gatekeeper, performs multiple structural tests on e-mails while scanning them for malware. Several viruses try to hide themselves in messages which do not follow the SMTP standards. Such messages may still be readable with some e-mail clients even though they are not fully standard-compliant.
F-Secure Internet Gatekeeper detects these malformed messages and does not let the messages pass through.
Here is one example of an alert sent by F-Secure Internet Gatekeeper about a potentially dangerous e-mail:
2007-05-09 16:20:00-02:00 fsigk-server SYSTEM F-Secure Anti-Virus for Internet Mail 1.3.6.1.4.1.2213.22.1
Disallowed attachment found in the mail:
Sender: <>
Recipient:
Subject: Ronnie Rocks!
Message ID:
Spool ID: smtp1234567890
Attachment name: body_part_1.$$$
Attachment size: 23025 bytes
Reason: Dangerous header (multiple conflicting Content-Type values: 'multipart/related' and 'multipart/alternative', multiple conflicting Content-Type 'boundary=' values, '------------ms0206330930405303600300050302' and '------------ms043270564060705860105060205')
Action: dropped
Quarantined: not quarantined
In this case, the MIME attachment had conflicting values in the Content-Type header, as well as conflicting boundary values. There are numerous other reasons for dangerous headers as well.
The drawback of blocking these messages violating the SMTP standards is that some legitimate e-mail clients, servers or various e-mail sending scripts generate e-mails which also violate SMTP standards similarly to some viruses. These e-mails will be equally detected and stopped by F-Secure Internet Gatekeeper.
It is possible to turn off the header checking in F-Secure Internet Gatekeeper. However, for obvious security reasons, F-Secure does not recommend this.
Using F-Secure Policy Manager, the header checking setting can be found at F-Secure Anti-Virus for Internet Mail / Settings / Inbound Mail and Outbound Mail / Security Options / Action on Malformed Mails. The same settings are also available in the product's Web Console.
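The kind of structural test behind the alert above can be reproduced with Python's standard email package to triage a message that was stopped for a dangerous header. This is an added example, not F-Secure's implementation and not part of the original FAQ; the function names are hypothetical, and the sample messages, addresses and boundary strings are constructed.

```python
"""Flag MIME parts whose Content-Type headers contradict each other."""
from email import message_from_string
from email.message import Message
from email.utils import collapse_rfc2231_value

# Constructed sample: two Content-Type headers that disagree on both the
# media type and the boundary (addresses and boundary strings are made up).
CONFLICTING_SAMPLE = """\
From: sender@example.com
To: recipient@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/related; boundary="BOUNDARY-A-constructed"
Content-Type: multipart/alternative; boundary="BOUNDARY-B-constructed"

--BOUNDARY-A-constructed
Content-Type: text/plain

hello
--BOUNDARY-A-constructed--
"""

# Constructed sample: well-formed, one Content-Type header per part.
CLEAN_SAMPLE = """\
From: sender@example.com
To: recipient@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY-C-constructed"

--BOUNDARY-C-constructed
Content-Type: text/plain

hello
--BOUNDARY-C-constructed--
"""


def content_type_claims(part):
    """Collect every media type and boundary that a part declares.

    Message.get() returns only the first Content-Type header, which is how
    a conflict goes unnoticed, so every header of that name is inspected.
    """
    media_types, boundaries = [], []
    for raw_value in part.get_all("Content-Type", []):
        probe = Message()                  # parse one header value in isolation
        probe["Content-Type"] = raw_value
        params = probe.get_params(failobj=[])
        if params and params[0][0].strip():
            # Media types are case-insensitive, so compare them lowercased.
            media_types.append(params[0][0].strip().lower())
        for key, value in params[1:]:
            if key.lower() == "boundary":  # boundaries stay case-sensitive
                boundaries.append(collapse_rfc2231_value(value))
    return media_types, boundaries


def unique(values):
    """Drop repeats while keeping first-seen order."""
    return list(dict.fromkeys(values))


def find_dangerous_headers(raw_message):
    """Return one finding per MIME part with contradictory Content-Type data."""
    findings = []
    message = message_from_string(raw_message)
    for index, part in enumerate(message.walk()):
        media_types, boundaries = content_type_claims(part)
        media_types, boundaries = unique(media_types), unique(boundaries)
        reasons = []
        if len(media_types) > 1:
            reasons.append("multiple conflicting Content-Type values: "
                           + " and ".join(repr(t) for t in media_types))
        if len(boundaries) > 1:
            reasons.append("multiple conflicting Content-Type 'boundary=' values: "
                           + " and ".join(repr(b) for b in boundaries))
        if reasons:
            findings.append({"part": index, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for name, raw in (("conflicting", CONFLICTING_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, find_dangerous_headers(raw))
```

Identical repeated headers are not flagged, because only contradictory values are treated as conflicts here; part 0 in a finding is the top-level message.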
|
| Q: |
What do the Zero Hour related spam classifications mean? |
| A: |
This applies to F-Secure Internet Gatekeeper 6.60 and newer with the F-Secure Spam Control module.
When viewing the full message headers, there will be one line starting with X-Spam-Status. This line may contain names of multiple different tests the message has been subjected to. Some of the tests are related to the heuristic spam scanning, while the Zero Hour spam classifications are the following:
clConfirmed: The e-mail is a confirmed spam message.
clBulk: The e-mail is likely a bulk mail, for example a newsletter type of posting.
clSuspected: The e-mail has been sent to a slightly larger than average distribution, or is an unidentified spam message sent during the first few seconds of a massive spam outbreak.
clUnknown: The e-mail does not have any spam-like characteristics.
clNone: The e-mail is certainly not spam; it comes from a trusted source.
|
| Q: |
Why does releasing messages from the quarantine result in a "message stopped" error message? |
| A: |
This applies to F-Secure Internet Gatekeeper 6.60.
There is a bug in F-Secure Internet Gatekeeper which may result in the following error message when releasing messages from quarantine:
Sender: <>
Recipient: "Example Recipient" <test.user@example.com>
Subject: DELIVERY FAILURE: User test.user (test.user@example.com) not listed
Message ID: <FOO.BAR1252-DIO-HDTLILSHIDE.LUTWSHAM-I-TLILMKTD-MOTM@example.net>
Spool ID: smtp22031972
Reason: message stopped or processing completed with errors, check 'failure' records in mail log
The message then gets quarantined again.
If you encounter these errors for no apparent reason, please check whether you have defined the "Max Number of Recipients per Message" setting as zero, which should set it as unlimited. In centrally managed environments the setting is located at F-Secure Anti-Virus for Internet Mail / Settings / Inbound Mail (as well as Outbound Mail) / Receiving.
If the setting has been set as zero (0), releasing the messages from quarantine will fail with the above error. As a workaround to this problem, you can define the max number of recipients as a reasonably large number, such as 999999. In practice, this will not limit the number of recipients and it solves this problem.
|
| Q: |
Is F-Secure Internet Gatekeeper compatible with F-Secure Policy Manager 7.0 on the same server? |
| A: |
This applies to F-Secure Internet Gatekeeper 6.60 on all the supported platforms.
F-Secure Internet Gatekeeper 6.60 is not compatible with F-Secure Policy Manager Server 7.0 when installed on the same server. This compatibility is included in F-Secure Internet Gatekeeper 6.61, scheduled to be released during Q1/2007.
|
| Q: |
Is F-Secure Internet Gatekeeper compatible with F-Secure Anti-Virus for Windows Servers 7.0? |
| A: |
This applies to F-Secure Internet Gatekeeper 6.60 on all the supported platforms.
F-Secure Internet Gatekeeper 6.60 and F-Secure Anti-Virus for Windows Servers 7.0 can be installed on the same server. The release notes file for F-Secure Anti-Virus for Windows Server outlines the installation procedure, but the main thing with the installation is the installation order:
- F-Secure Internet Gatekeeper 6.60
- F-Secure Anti-Virus for Windows Servers 7.0
If installed in the opposite order, the installation of F-Secure Internet Gatekeeper 6.60 will fail. To correct the situation, F-Secure Anti-Virus for Windows Servers 7.0 must first be uninstalled, after which the installations must be done in the order listed above.
|
| Q: |
Why does the Web Console act sluggishly or become unstable? |
| A: |
This applies to F-Secure Internet Gatekeeper 6.60 on all the supported platforms.
With certain DNS settings and network topologies, the Web Console may become unstable when accessed remotely. Also, if the DNS services respond slowly or are unreachable, the Web Console may act equally slowly.
F-Secure has released a hotfix to solve these problems. You may download it from the F-Secure Internet Gatekeeper hotfix page.
|
| Q: |
Why does the MSDE installation fail during the setup when I have a space character in the password? |
| A: |
This applies to F-Secure Internet Gatekeeper 6.50 and 6.60 when installed together with the Microsoft SQL Server 2000 Desktop Engine (MSDE).
MSDE does not support the space character in the password. During the F-Secure Internet Gatekeeper setup the administrator is asked to specify a password for the 'sa' user account. If the password contains a space, the installation will start but will result in a fault during the MSDE installation phase.
To overcome this problem, please specify a password without a space in it.
|
| Q: |
Why does the product give error messages about problems with saving messages to the quarantine? |
| A: |
This applies to F-Secure Internet Gatekeeper 6.50 on any of the supported platforms when managed through F-Secure Policy Manager.
There is a confirmed problem related to the quarantine storage and log directory settings. If the quarantine storage and/or log directories have been defined as relative paths (such as .\Log), the product tries to use the wrong directories. This fails with error messages about the quarantine directory.
There is a workaround to this problem: The directory settings can be defined as absolute paths instead of the relative paths. These settings are located under F-Secure Anti-Virus for Internet Mail/Settings/Common/Quarantine/ branch. The log directory path by default is C:\Program Files\F-Secure\Quarantine Manager\log and storage directory is C:\Program Files\F-Secure\Quarantine Manager\quarantine.
After changing the relative paths to absolute paths, both of them must be set as Final by clicking the Restriction button and selecting the Final checkbox. After this the policy can be distributed and the correct settings will be taken into use.
|
| Q: |
How to configure F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper to protect against the WMF (Windows Metafile) vulnerability? |
| A: |
This applies to F-Secure Anti-Virus for Microsoft Exchange 6.40 and all the supported versions of F-Secure Internet Gatekeeper on Windows.
Refer to:
http://www.f-secure.com/news/items/news_2005123000.shtml.
Microsoft and CERT.ORG have issued bulletins on the Windows Metafile vulnerability:
http://www.microsoft.com/technet/security/advisory/912840.mspx
http://www.kb.cert.org/vuls/id/181038
F-Secure Internet Gatekeeper by default scans all attachments in incoming e-mail traffic, which also covers WMF files. However, when using HTTP or FTP-over-HTTP scanning, the WMF file extension should be added to the list of included content types.
In the Policy Manager Console:
Add a WMF file extension to the existing entry in the Included Content Types table as follows:
F-Secure Anti-Virus for Internet Gateways/Settings/Content Control/Virus Scanning/Included Content Types:
Active = Enable | Content Type = * | Filename/Extension(s) = "*.WMF" (without the quotation marks).
F-Secure Anti-Virus for Microsoft Exchange should be configured by adding the WMF file extension to the list of "Included Extensions".
In Policy Manager Console:
F-Secure Anti-Virus for Microsoft Exchange/Settings/Real-Time Processing/Virus Scanning/Included Extensions:
Included Extensions (Octet String) = "*.WMF" (without the quotation marks).
To make sure that WMF files are caught if they arrive packed inside an archive, please check that the Scan Inside Archives setting is enabled and that the proper list of extensions is set to be scanned in the archives:
F-Secure Content Scanner Server/Settings/Virus Scanning/Scan Inside Archives = Enabled
Add the above extension to the list of extensions to be scanned inside archives:
F-Secure Content Scanner Server/Settings/Virus Scanning/Scan Extensions Inside Archives=[default list] + the list above
These settings are available also through both products' web console in the stand-alone installations.
|
| Q: |
Why does the product report FNP/SCIP error 7 and memory errors? |
| A: |
This applies to F-Secure Internet Gatekeeper 6.42 on any of the supported platforms when managed through F-Secure Policy Manager.
The product reports error messages like this while processing e-mails:
2005-05-23 21:25:45+02:00 scanning_server SYSTEM F-Secure Anti-Virus for Internet Mail 1.3.6.1.4.1.2213.22.1
Sending content to the primary F-Secure Content Scanner Server on 127.0.0.1:18971 was unsuccessful while processing spool job 'smtp427A8E4200', attachment 'document.pdf'. Error occurred: FNP/SCIP error 7. Memory error occurred in processing operation.
This problem occurs when the F-Secure Anti-Virus for Internet Mail spool directory has not been defined as an absolute path and it has had the "Final" flag set.
To solve the problem, please configure the spool directory with an absolute path, e.g. "C:\Program Files\F-Secure\Anti-Virus Agent for Internet Mail\spool". The setting is available through F-Secure Policy Manager Console at this location: F-Secure Anti-Virus for Internet Mail / Settings / Common / Spooling / Spool Directory.
|
| Q: |
What is the difference between dns_available setting values test and yes in the RBL configuration file? |
| A: |
This applies to F-Secure Internet Gatekeeper 6.42 with F-Secure Spam Control.
The RBL (Real-Time Blackhole List) configuration file (fssc.cfg and fssc_example.cfg) contains a setting called "dns_available". By default this is set to "test". The documentation in the file claims that it should be set to "yes". That is a mistake in the documentation and the setting should normally be left as "test".
When the setting is set to "test", the product first verifies the network connections before starting to do the actual RBL checks. The product makes a few test queries and, if they are successful, it proceeds with the actual RBL checks. These tests are performed when the product is started and then subsequently after every 5000 e-mails.
If the setting is changed to "yes", these tests are not done. This is useful mainly in network-related troubleshooting situations; typically the setting should be left as "test".
|
| Q: |
Why have spam definition databases not been updated for a while? |
| A: |
This applies to F-Secure Internet Gatekeeper 6.40 and 6.41 when Spam Control module is installed. This problem is solved in F-Secure Internet Gatekeeper 6.42.
Because of certain technical limitations with the spam database format used by the Spam Control module in F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper, F-Secure did not release new spam definition databases to the automatic update channel used by these products for a short period.
The database format limitations have been solved in F-Secure Content Scanner Server hotfix 4, available on the Hotfix download pages. Installing this hotfix is required for the automatic spam database updates. Environments without the Spam Control module do not benefit from this hotfix.
Users of the affected products with the Spam Control module enabled may update the latest spam definition databases also manually. This should be done if spam detection capabilities with the current databases seem to degrade. The databases can be easily updated manually following these steps:
- First download the newest database as a ZIP archive by clicking this link.
- Stop the F-Secure Content Scanner Server Daemon through Control Panel / Administrative Tools / Services applet
- Unzip the downloaded file to the %Program Files%\F-Secure\Spam Control\ directory
- Please make sure the "Use Folder Names" or equivalent setting in the Unzip program is selected.
- Answer "Yes" when asked about overwriting existing files.
- If the product is installed in non-default directory, unzip the file there.
- Start the F-Secure Content Scanner Server Daemon through the Content Scanner Server tab in the Web Console.
After updating the databases, the spam definition database version in the user interfaces will display "2005-03-01_01" or newer. This will be visible in the Web Console and in network administered mode also in the F-Secure Policy Manager Console. In some cases it may take a few minutes before the user interfaces display the correct database version.
|
| Q: |
Why do customized virus and stripping notifications not contain information about more than one found threat? |
| A: |
This applies to any version of F-Secure Internet Gatekeeper on all the supported platforms.
The notification texts must be enclosed with $REPORT-BEGIN and $REPORT-END tokens if they contain any of the available variables. Otherwise the notification texts will not contain all the prevented threats. All the other tokens between the begin and end tokens are processed once for each threat found in the message.
|
| Q: |
Why am I getting errors about database updates being older than the previously accepted one? |
| A: |
This applies to F-Secure Internet Gatekeeper 6.40 and 6.41 on all the supported platforms in centrally administered environments,
when F-Secure Automatic Update Agent is installed on the same server. F-Secure Automatic Update Agent is always installed when
Spam Control is installed.
The symptoms for this problem are the following two error messages, shown frequently in the logs and sent to the administrator:
42 2004-11-07 23:58:00+02:00 server_name SYSTEM F-Secure Content Scanner Server 1.3.6.1.4.1.2213.18.6
The database update is older than the previously accepted one.
43 2004-11-07 23:58:00+02:00 server_name SYSTEM F-Secure Content Scanner Server 1.3.6.1.4.1.2213.18.6
Updating virus definition databases was unsuccessful.
This problem is caused by the fact that the F-Secure Automatic Update Agent downloads the databases directly from the F-Secure
update servers. This polling is done typically once an hour. At the same time the product contacts F-Secure Policy Manager
Server in the organization and downloads the databases. This is done by default every ten minutes, but the interval is
configurable.
One of these components always manages to download and install the new databases first. The second attempt of the database update
will fail with the above error message, as there is already the same database in use.
The workaround to stop these alerts is to stop F-Secure Content Scanner Server from polling the F-Secure Policy Manager Server for
database updates. This can be configured with F-Secure Policy Manager Console by setting F-Secure Content Scanner Server /
Settings / Database Updates / Poll Automatically to "Disabled" and distributing the policies.
After changing this setting, the product will not try to download databases from the F-Secure Policy Manager Server. It will still
continue downloading the databases with the local installation of F-Secure Automatic Update Agent. It will also report the
database updates and versions to the F-Secure Policy Manager and will send out an alert should the databases become outdated.
|
| Q: |
Why do the spool/log/quarantine directories get reset to defaults in an upgrade? |
| A: |
This applies to F-Secure Internet Gatekeeper 6.40 on any of the supported platforms when upgraded from an earlier version.
Upgrading from an earlier version changes the spool, log and quarantine directories to their default values. If they've been
changed in the previous release, the change will not be taken into use in the F-Secure Internet Gatekeeper 6.40. The original
contents of the directories will not be removed, only the directory name in the setting is changed and the product will start to
use the default directories.
To solve the problem the directories need to be manually set back to the correct ones either through F-Secure Policy Manager (in
the network administrated environments) or through F-Secure Internet Gatekeeper Web Console (stand-alone environments). With
F-Secure Policy Manager the directory setting must be defined as "Final" in the restriction editor before distributing the
policies.
|
| Q: |
Why do the Database Updates settings reset back to the default values? |
| A: |
This applies to F-Secure Internet Gatekeeper version 6.40 on all the supported platforms when installed in Stand-Alone mode and administrated through F-Secure Internet Gatekeeper Web Console with Netscape Navigator.
When any of the settings on the Content Scanner Server / Database Updates page are changed with Netscape Navigator, the settings reset back to the default values after clicking the Apply button.
There are two solutions to this problem. After changing the settings on the Content Scanner Server / Database Updates page, go to any other page in the Content Scanner Server settings and click the Apply button there. Alternatively, you can change the Content Scanner Server / Database Updates settings with any other browser.
|
| Q: |
Why does spam scanner database updating fail with an error message about a missing path? |
| A: |
This applies to F-Secure Internet Gatekeeper 6.40 with Spam Control enabled on any of the supported platforms.
This problem occurs because of a change in the spam database structure. Spam scanner database updating fails with an error
about a missing path like this:
19 2004-10-13 15:35:04+03:00 FSIGK_SERVER Example\administrator F-Secure Content Scanner Server 1.3.6.1.4.1.2213.18.6
Started updating spam scanner database.
20 2004-10-13 15:35:06+03:00 FSIGK_SERVER Example\administrator F-Secure Content Scanner Server 1.3.6.1.4.1.2213.18.1
The file 'C:\Program Files\F-Secure\Spam Control\lib\Mail\SpamAssassin\Util\RegistrarBoundaries.pm' cannot be written to due to
error: The system cannot find the path specified. .
21 2004-10-13 15:35:06+03:00 FSIGK_SERVER Example\administrator F-Secure Content Scanner Server 1.3.6.1.4.1.2213.18.6
Updating spam scanner database was unsuccessful.
F-Secure has released a hotfix (F-Secure Content Scanner Server 6.40 Hotfix 2) to solve the problem. It can be
downloaded from the F-Secure Internet Gatekeeper Hotfix Page. This hotfix requires a reboot, but it can be done after the spam databases have been manually updated as described below.
Revised on October 14th, 2004:
It is strongly recommended to install the spam database manually for the first time after applying this hotfix. If this is not
done, on the next restart of the F-Secure Content Scanner Server the product will issue a scanning error with all the e-mails
under 200 kilobytes.
Spam databases can be updated manually with these steps:
- First download the database by clicking this link.
- Unzip the file to the %Program Files%\F-Secure\Spam Control\ directory - please make sure the "Use Folder Names" or equivalent
setting in the Unzip program is selected.
- Reboot the server.
After doing this, the subsequent spam database updates will be installed and taken into use fully automatically.
|
| Q: |
How to configure F-Secure Internet Gatekeeper to protect against the .jpeg vulnerability? |
| A: |
This applies to all the versions of F-Secure Internet Gatekeeper on any of the supported platforms.
A security vulnerability related to processing of picture files in
the JPG-format has been reported recently. The vulnerability is
present in Windows XP (without service pack 2) and Windows Server
2003 operating systems as well as several other products from
Microsoft. This vulnerability does not pose an immediate threat to
users at the moment. But viruses that use this vulnerability are
likely to appear in the future. F-Secure wants to draw your
attention to this, as a successful JPG-virus would be unique and
break many common beliefs about how viruses replicate.
Affected file extensions are the following:
BMP DIB EMF GIF ICO JFIF JPE JPEG JPG PCX PNG RLE TGA TIF TIFF WMF
F-Secure Internet Mail which provides the email scanning can be configured to protect the user against the .jpeg vulnerability with the following settings. The default configuration is set to scan all attachments. This can be verified from the Policy Manager Console:
- F-Secure Anti-Virus for Internet Mail/Settings/Inbound Mail/Virus Scanning/Scan for Viruses=All Attachments
- F-Secure Anti-Virus for Internet Mail/Settings/Outbound Mail/Virus Scanning/Scan for Viruses=All Attachments.
Also check that scanning inside archives is enabled and that the proper list of extensions is set to be scanned in the archives:
- F-Secure Content Scanner Server/Settings/Virus Scanning/Scan Inside Archives=Enabled
Add the above extensions to the list of extensions to be scanned inside archives:
- F-Secure Content Scanner Server/Settings/Virus Scanning/Scan Extensions Inside Archives=[default list] + the list above
F-Secure Internet Gateways, which provides the web scanning, HTTP and FTP-over-HTTP, can be configured to protect the user against the .jpeg vulnerability with the following settings:
- F-Secure Anti-Virus for Internet Gateways/Settings/Content Control/Virus Scanning/Scan for Viruses=Only Included Extensions (default)
Add a new entry and update the existing entry in the Included Content Types table as follows:
- F-Secure Anti-Virus for Internet Gateways/Settings/Content Control/Virus Scanning/Included Content Types
1) new entry:
- Content Type = Image/*
- Filename/Extensions = *
2) existing entry:
- Content Type = *
- Filename/Extensions = [default list] + the extension list above
Also check that scanning inside archives is enabled and that the proper list of extensions is set to be scanned in the archives:
- F-Secure Content Scanner Server/Settings/Virus Scanning/Scan Inside Archives=Enabled
Add the list above to the list of extensions to be scanned inside archives (please note that if you added them already with F-Secure Anti-Virus for Internet Mail as described above, you do not need to add the extensions again):
- F-Secure Content Scanner Server/Settings/Virus Scanning/Scan Extensions Inside Archives=[default list] + the list above
For more information about the issue, please check the following pages:
General information: http://www.f-secure.com/news/items/news_2004100500.shtml
Technical Description:
http://www.f-secure.com/v-descs/ms04-028.shtml
|
| Q: |
Why have relatively many e-mails suddenly been quarantined with the error "malformed header" in the log? |
| A: |
This applies to all F-Secure Internet Gatekeeper versions when used together with F-Secure Content Scanner Server 6.31.
F-Secure Content Scanner Server 6.31 sometimes flags normal e-mails with the error message "Email message is found suspicious.
Malformed header field." This problem has been corrected in the F-Secure Content Scanner Server 6.31 hotfix 2, available for
download on the F-Secure Internet Gatekeeper hotfix page.
|
| Q: |
Why does scanning an e-mail cause the processor load to go high and stay there for a couple of minutes? |
| A: |
This applies to all F-Secure Internet Gatekeeper versions when used together with F-Secure Content Scanner Server 6.31.
F-Secure Content Scanner Server 6.31 has a problem when scanning certain file types. The structure of the file causes the
product to use a considerable amount of processor time. F-Secure has identified the problem and it has been corrected in the F-Secure
Content Scanner Server 6.31 hotfix 2, available for download on the F-Secure Internet Gatekeeper hotfix page.
|
| Q: |
Why has F-Secure Internet Gatekeeper started to report "FM API error 20" when scanning e-mails? |
| A: |
This applies to all the F-Secure Internet Gatekeeper and F-Secure Anti-Virus for Internet Mail versions when used together with
F-Secure Content Scanner Server version 6.3x.
Some viruses, typically Sober.D, may spread themselves archived in a corrupted ZIP file. The corrupted ZIP file cannot be properly
unpacked by F-Secure Content Scanner Server and the following error message will appear:
284 2004-03-08 11:10:59+03:00 fsav4im1 FSAV4IM1\Administrator F-Secure Content Scanner Server 1.3.6.1.4.1.2213.18.1
Scanning the file was unsuccessful.
Agent: fsav4im1
Transaction: 21437
Protocol: unknown
Source:
Destination:
File name: Patch.zip
File size: 33926 bytes
Error: File '*123460760' cannot be opened due to error: FM API error 20. File is corrupted in archive. Extended error code: 0.
The file will be stopped and put into quarantine.
|
| Q: |
How can I stop viruses or worms, such as Bagle.F, spreading in password protected ZIP files with F-Secure Internet Gatekeeper? |
| A: |
This applies to F-Secure Internet Gatekeeper versions 6.30, 6.31 and 6.32 on all Windows server platforms.
Since it is impossible to scan inside password protected ZIP files, a regular e-mail virus scanner is not able to detect the infections. However, F-Secure Anti-Virus Mail Server and Gateway products can be configured to stop password protected archive files regardless of the content of the archive.
In environments managed through F-Secure Policy Manager, change the F-Secure Content Scanner Server/Settings/Virus Scanning/Suspect Password Protected Archives setting to "Treat as Unsafe." You must have the archive scanning enabled to be able to use this setting. Once you've changed the setting, you must distribute the policies to take the setting into use.
In the locally managed environments, select F-Secure Content Scanner Server from the F-Secure Settings And Statistics and go to the Scanning/Advanced page. The same setting can be found there.
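How a gateway can recognise a password protected ZIP without opening its contents, and a corrupted one as in the "FM API error 20" entry above, is sketched below as an added example; it is not F-Secure's code. It assumes only the ZIP format's encryption flag (general-purpose bit 0 of each entry); the verdict names, file names and sample archives are constructed.

```python
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0: the entry data is encrypted


def encrypted_entries(zip_bytes):
    """Names of entries flagged as encrypted. Entry names stay readable in a
    password protected ZIP, so no password is needed to list them."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        return [info.filename for info in archive.infolist()
                if info.flag_bits & ENCRYPTED_FLAG]


def gateway_verdict(zip_bytes):
    """Hypothetical policy: return (action, detail) for one ZIP attachment."""
    try:
        locked = encrypted_entries(zip_bytes)
    except zipfile.BadZipFile as exc:
        # Cannot be unpacked, so it cannot be scanned either.
        return "quarantine", f"corrupted archive: {exc}"
    if locked:
        return "treat-as-unsafe", "password protected: " + ", ".join(locked)
    return "scan", "all entries readable"


def build_sample_zip(names):
    """Build a small in-memory ZIP (constructed sample data)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name in names:
            archive.writestr(name, b"constructed sample data")
    return buffer.getvalue()


def mark_encrypted(zip_bytes):
    """Set the encryption flag on every central directory entry. Sample
    construction only: the data itself is not encrypted, because Python's
    zipfile module cannot write encrypted archives."""
    data = bytearray(zip_bytes)
    eocd = len(data) - 22  # end-of-central-directory record, no comment
    total, _size, offset = struct.unpack_from("<HII", data, eocd + 10)
    position = offset
    for _ in range(total):
        flags, = struct.unpack_from("<H", data, position + 8)
        struct.pack_into("<H", data, position + 8, flags | ENCRYPTED_FLAG)
        name_len, extra_len, comment_len = struct.unpack_from(
            "<HHH", data, position + 28)
        position += 46 + name_len + extra_len + comment_len
    return bytes(data)


# Constructed samples: a readable archive, one flagged as password
# protected, and one truncated so that it can no longer be unpacked.
CLEAN_ZIP = build_sample_zip(["report.txt"])
LOCKED_ZIP = mark_encrypted(build_sample_zip(["invoice.doc", "readme.txt"]))
CORRUPT_ZIP = CLEAN_ZIP[: len(CLEAN_ZIP) // 2]

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_ZIP), ("locked", LOCKED_ZIP),
                          ("corrupt", CORRUPT_ZIP)):
        print(label, gateway_verdict(sample))
```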
|
| Q: |
Why are all my messages bounced back after installing the F-Secure Internet Mail 6.3x version? |
| A: |
By default, F-Secure Anti-Virus for Internet Mail is set to verify recipients and no allowed recipients are
listed. Specify recipients who are allowed to receive e-mail messages to the Allowed recipients table or
clear the Verify recipients checkbox so that e-mails can be delivered to recipients.
Use the standard username@example.com format to specify the allowed addresses. You can use
wildcards: '?' and '*'. |
| Q: |
F-Secure Anti-Virus for Internet Gateways rejects all FTP connections, why? |
| A: |
F-Secure Anti-Virus for Internet Gateways does not scan data that is downloaded using FTP protocol. All FTP connection attempts through F-Secure Anti-Virus for Internet Gateways are rejected. |
| Q: |
What is the difference between F-Secure Anti-Virus for Internet Gateways and F-Secure Anti-Virus for Internet Mail? |
| A: |
F-Secure Internet Gatekeeper is a suite of real-time services to protect the corporate network against
computer viruses and malicious code coming in web (HTTP) and e-mail (SMTP) traffic. F-Secure Internet
Gatekeeper is comprised of the following components: F-Secure Anti-Virus for Internet Gateways and
F-Secure Anti-Virus for Internet Mail.
F-Secure Anti-Virus for Internet Gateways is an HTTP proxy server and acts as a gateway between the corporate network and the Internet. If a client computer requests a file from a Web server, it asks the proxy server to retrieve the file instead of downloading it directly from the Internet.
F-Secure Anti-Virus for Internet Mail operates as a mail gateway that accepts incoming and outgoing e-mails. It scans mail bodies and attachments and delivers processed e-mail messages to the designated SMTP server for further processing and delivery. |
| Q: |
How can I check that F-Secure Content Scanner Server is Up and Running? |
| A: |
You can test whether the product is running by opening a telnet connection (telnet [ip address] 18971) to port 18971 on the F-Secure Content Scanner Server machine
(if you have specified a different FNP/SCIP port, use that port instead). If you get the cursor blinking in the upper left corner,
it means that the connection has been established and F-Secure Content Scanner Server can accept incoming connections. If you get
"Connection to the host lost" or another error message, or if the cursor does not go to the upper left corner, it means that the connection
was unsuccessful.
|
| Q: |
How can I check that the Network Connection to the Original MTA is Working? |
| A: |
You can test if the network connection to the original MTA is working properly by opening a telnet connection to the MTA (default port 25) from the host running F-Secure Anti-Virus Agent for Internet Mail.
If you get a textual response, it means that the network connection is working.
If you get "Connection to the host lost" or any other error message, it means that the connection was unsuccessful.
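The two telnet checks above (Content Scanner Server on port 18971 and the original MTA on port 25) can be scripted for monitoring; the following is an added example, not part of the product. The function name and command-line arguments are assumptions, and both host names are supplied by the administrator.

```python
import socket
import sys


def check_tcp(host, port, timeout=5.0, expect_banner=False):
    """Return (ok, detail) for one connection test.

    expect_banner=False: success means the TCP connection was established
    (the Content Scanner Server check on the FNP/SCIP port).
    expect_banner=True: success also requires a textual response
    (the MTA check; an SMTP server sends a greeting line on connect).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            if not expect_banner:
                return True, "connection established"
            banner = conn.recv(512).decode("ascii", "replace").strip()
    except OSError as exc:  # refused, unreachable, timed out or reset
        return False, f"connection unsuccessful: {exc}"
    if banner:
        return True, banner
    return False, "connected, but no textual response"


def main(argv):
    if len(argv) != 3:
        print("usage: check_gatekeeper.py <scanner-host> <mta-host>")
        return 2
    checks = [
        ("Content Scanner Server", argv[1], 18971, False),  # default port
        ("original MTA", argv[2], 25, True),                # default port
    ]
    failed = 0
    for label, host, port, want_banner in checks:
        ok, detail = check_tcp(host, port, expect_banner=want_banner)
        status = "OK" if ok else "FAILED"
        print(f"{label} {host}:{port}: {status} ({detail})")
        failed += not ok
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If a different FNP/SCIP port has been configured, change 18971 in `main` accordingly.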
|
| Q: |
What archive file formats does F-Secure Content Scanner Server support? |
| A: |
F-Secure Content Scanner Server supports the following file formats:
ARJ, BZ2, CAB, GZ, JAR, LZH, RAR, TAR, TGZ, ZIP. |
| Q: |
Why can I not send SMTP alerts to more than one email address? |
| A: |
It is a known problem that versions 4.x of F-Secure
Management Agent (FSMA) cannot send SMTP alerts to
more than one SMTP address.
|
| Q: |
What is the difference between Content Scanner Server and F-Secure Anti-Virus for Microsoft Exchange/Internet Mail/Lotus Domino/Firewalls? |
| A: |
Content Scanner Server is a part of the F-Secure Anti-Virus for Mail Servers and Gateways
products. It consists of several components which work together and provide the actual
virus scanning service. Content Scanner Server communicates with the F-Secure
Anti-Virus Agent installed on the actual mail server or gateway. According to the keycode
used in the installation, different components will be installed - for example, components
needed only with F-Secure Anti-Virus for Internet Mail are not installed when F-Secure
Anti-Virus for Microsoft Exchange is being installed. |
| Q: |
Which platforms can Content Scanner Server be installed on? |
| A: |
The supported platforms are:
- Windows NT Server and Advanced Server, Service Pack 4 or later
- Windows 2000 Server and Advanced Server, Service Pack 1 or later
|
| Q: |
Why do you recommend installing the product on Windows NT/2000 Server? |
| A: |
Windows NT/2000 Server is better adapted to network services than Workstation, which is, by definition, designed to be just a workstation. Microsoft's license agreements also state that server products must be
installed on the server version of the operating system. Technically, Windows NT/2000 Workstation does not have enough network resources available for the product to function in anything other than a testing (low-volume) environment.
More information about differences between Windows NT Workstation and Server can be found at the following location:
http://agent.microsoft.com/NTWorkstation/news/mktbulletins/ntwvnts.asp |
| Q: |
Can I run any anti-virus programs locally on my F-Secure Content Scanner Server and at the same time have my e-mail traffic protected by F-Secure Anti-Virus for Microsoft Exchange/Lotus Domino/Internet Mail/Firewalls on the same server? |
| A: |
No, it is not possible in the current version of the Content Scanner Server 6.0x.
Content Scanner Server 6.0x and F-Secure Anti-Virus for Server do not work together
on the same server. However, if this is necessary, you can install the previous version of
the Content Scanner Server, 5.01. The Content Scanner Server 5.01 package contains a
local F-Secure Anti-Virus for Server. |
| Q: |
What happens to e-mails if the F-Secure Content Scanner Server machine is down? |
| A: |
The messages stay in Microsoft Exchange server spool directory and when the
Content Scanner Server is up and running again, the e-mails are sent to be scanned as
usual.
NOTE! In very large, performance-critical installations, you will benefit from having backup
F-Secure Content Scanner Server(s). Backup Content Scanner Servers will be used when
the primary one becomes unavailable. Each F-Secure Content Scanner Server should be
installed on a dedicated machine. |
| Q: |
What about management features? Does the product work with F-Secure Policy Manager? |
| A: |
All F-Secure Mail Server and Gateway
products can be fully managed with the F-Secure Policy Manager. |
| Q: |
Can I use the same F-Secure Administrator that I am already using with Workstation Suite? |
| A: |
Yes, you can. You just need to import the appropriate mib-files. (For instructions please see
the appropriate product manual). |
| Q: |
Can I use the same F-Secure Policy Manager Server that I am already using with Workstation Suite? |
| A: |
Yes, you can. |
| Q: |
Do I need to use F-Secure Policy Manager Server or can I use a shared directory (CommDir)? |
| A: |
Both solutions are supported.
Note: In small environments both the Policy Manager Server and Content Scanner
Server may be installed on the same machine, but in general, especially if there is a lot of
traffic going through the system, this is not recommended. |
| Q: |
What alerting and reporting features are available? |
| A: |
F-Secure Anti-Virus for Microsoft Exchange supports all the same alerting
methods as F-Secure Policy Manager: SMTP, etc. You can send a warning message to
the recipient of the e-mail and to an administrator as well. |
| Q: |
How are the virus database updates done? |
| A: |
Please see the possible options at the
database update page. |
| Q: |
F-Secure Anti-Virus for Microsoft Exchange/Internet Mail/Lotus Domino/Firewalls found a virus in .zip but could not disinfect it. Why? |
| A: |
F-Secure Anti-Virus for Microsoft Exchange cannot disinfect files inside archives.
However, an infected archive file is placed in the F-Secure Content Scanner Server
quarantine folder (\Program Files\F-Secure\Content Scanner Server\Quarantine) and an
administrator can extract it and remove malicious code from it manually using F-Secure
Anti-Virus for Workstations or Servers.
NOTE! F-Secure Anti-Virus for Workstation or Server does not disinfect inside archives
automatically. You have to extract the archive and remove malicious code from it manually. |
| Q: |
Can I use remote installation to install F-Secure Anti-Virus for Microsoft Exchange, FSAV for Internet Mail, FSAV for Firewalls and FSAV for Lotus Domino? |
| A: |
No, you cannot. F-Secure Anti-Virus for Mail Servers and Gateways products
cannot be installed remotely at the moment. |
| Q: |
Can I install CSS to support multiple F-Secure Anti-Virus Mail Server and Gateway products? |
| A: |
Yes, you can.
First install CSS with the keycode for one product, then run the same setup program and
enter the keycode for the other product you want the CSS to support, so that the
additionally required components are installed. When running setup.exe for the second time (with the second
product's keycode), the setup program will ask you to confirm the installation of the first
product, and you just need to enter its keycode again.
This (multiple keycodes feature) is supported in CSS 6.01 and later. |