Frequently Asked Questions

Q: How do I configure F-Secure Anti-Virus for Firewalls to protect against the .jpeg vulnerability?
A: This applies to all versions of F-Secure Anti-Virus for Firewalls on any of the supported platforms.
A security vulnerability related to the processing of picture files in the JPG format has been reported recently. The vulnerability is present in Windows XP (without Service Pack 2) and Windows Server 2003 as well as several other Microsoft products. It does not pose an immediate threat to users at the moment, but viruses that use it are likely to appear in the future. F-Secure wants to draw your attention to this, as a successful JPG virus would be unique and break many common beliefs about how viruses replicate.
Affected file extensions are the following:
BMP DIB EMF GIF ICO JFIF JPE JPEG JPG PCX PNG RLE TGA TIF TIFF WMF
F-Secure Anti-Virus for Firewalls can be configured to protect the user against the .jpeg vulnerability with the following settings:
1. SMTP e-mail scanning
   - F-Secure Anti-Virus for Firewalls/Settings/Common/SMTP/SMTP Scanning = All Files (default)
2. HTTP scanning
3. FTP scanning
For more information about the issue, please check the following pages:
General information: http://www.f-secure.com/news/items/news_2004100500.shtml
Technical description: http://www.f-secure.com/v-descs/ms04-028.shtml
Q: How can I stop viruses or worms, such as Bagle.F, spreading in password-protected ZIP files with F-Secure Anti-Virus for Firewalls?
A: This applies to F-Secure Anti-Virus for Firewalls version 6.20 on all Windows server platforms.
Since it is impossible to scan inside password-protected ZIP files, a regular e-mail virus scanner is not able to detect the infection. However, F-Secure Anti-Virus Mail Server and Gateway products can be configured to stop password-protected archive files regardless of the content of the archive.
In environments managed through F-Secure Policy Manager, change the F-Secure Content Scanner Server/Settings/Virus Scanning/Suspect Password Protected Archives setting to "Treat as Unsafe". You must have archive scanning enabled to be able to use this setting. Once you have changed the setting, you must distribute the policies to take it into use.
In locally managed environments, select F-Secure Content Scanner Server from F-Secure Settings and Statistics and go to the Scanning/Advanced page. The same setting can be found there.
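The "Treat as Unsafe" setting works because a ZIP archive announces password protection in its own headers: bit 0 of the general-purpose flag field of each entry is set, so a gateway can recognise a protected archive without ever knowing the password. The following Python is an added example, not F-Secure code or the product's logic: it constructs two tiny ZIP archives inline (one flagged as encrypted, one not), reads the flag bits with the standard zipfile module, and applies the same policy the FAQ describes, blocking anything whose contents cannot be inspected. The build_zip helper, the classify_archive policy and the sample file names are assumptions made for this illustration.

```python
import io
import struct
import zipfile
import zlib

ZIP_FLAG_ENCRYPTED = 0x0001  # bit 0 of the general-purpose flag field marks an encrypted entry


def build_zip(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Construct a minimal single-entry ZIP archive (stored, no compression).

    Constructed sample for this demonstration: with encrypted=True the entry is
    flagged as encrypted and prefixed with a 12-byte dummy encryption header,
    the layout of a traditional PKZIP password-protected entry.
    """
    flags = ZIP_FLAG_ENCRYPTED if encrypted else 0
    body = (b"\x00" * 12 + payload) if encrypted else payload
    crc = zlib.crc32(payload)
    # Local file header: signature, version needed, flags, method, time, date,
    # CRC-32, compressed size, uncompressed size, name length, extra length.
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                        crc, len(body), len(payload), len(name), 0) + name
    # Central directory entry for the same file; the local header is at offset 0.
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0,
                          0x21, crc, len(body), len(payload), len(name),
                          0, 0, 0, 0, 0, 0) + name
    cd_offset = len(local) + len(body)
    # End of central directory record: one entry, no archive comment.
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), cd_offset, 0)
    return local + body + central + eocd


def is_password_protected(data: bytes) -> bool:
    """True if any entry has the encryption flag set; raises BadZipFile if not a ZIP."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & ZIP_FLAG_ENCRYPTED for info in zf.infolist())


def encrypted_names(data: bytes) -> list:
    """Names of the entries a scanner cannot open without the password."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ZIP_FLAG_ENCRYPTED]


def classify_archive(data: bytes) -> str:
    """Gateway decision equivalent to 'Suspect Password Protected Archives = Treat as Unsafe'.

    "scan" when the contents can be inspected, "block" when they cannot:
    encrypted entries, or data that is not a well-formed ZIP archive at all.
    """
    try:
        return "block" if is_password_protected(data) else "scan"
    except zipfile.BadZipFile:
        return "block"


if __name__ == "__main__":
    protected = build_zip(b"photo.exe", b"MZ constructed payload", encrypted=True)
    plain = build_zip(b"readme.txt", b"hello", encrypted=False)
    for label, blob in (("protected", protected), ("plain", plain), ("garbage", b"not a zip")):
        print(f"{label:10} -> {classify_archive(blob)}")
    print("entries needing a password:", encrypted_names(protected))
```

Note that the decision is made from the central directory alone; the archive's payload is never decrypted or extracted, which is exactly why the check still works when the scanner has no password. Malformed archives are blocked rather than passed, since a scanner that cannot parse the container cannot vouch for its contents either.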
Q: I have upgraded F-Secure Anti-Virus for Firewalls, but only F-Secure Management Agent was updated to the new version. What's wrong?
A: If you have previously installed an older version of F-Secure Management Agent, you will have to run the setup program twice. On the first run F-Secure Management Agent is updated to the new version, and on the second run the other components can be installed (select "Add components").

Q: A problem when sending larger e-mails in Check Point NG FP3?
A: I have a problem when sending larger e-mails in Check Point NG Feature Pack 3. The problem is when sending the larger e-mails (>1 MB) through the firewall and scanning. Then the e-mail is apparently being processed for a very long time and finally never arrives at the recipient.
In this case you should install Hotfix #1 for NG FP3, which fixes this problem. Please contact Check Point support to get this fix.

Q: Do you have deployment instructions for Check Point Next Generation (NG)?
A: Yes, we have. Clicking the following link you can get it as a PDF document: NG deployment instructions

Q: Which F-Secure processes are running when using FSAV for Firewalls?
A: Check that the following processes are running:
cvpcp.exe - only if support for CVP-compliant firewalls was installed
fameh32.exe - F-Secure Alert and Management Extension Handler
fch32.exe - F-Secure Configuration Handler
fih32.exe - F-Secure Installation Launcher
fnpcp.exe - only if support for generic SCIP/FNP-compatible agents was installed
fnrb32.exe - F-Secure Network Request Broker
fqm.exe - F-Secure Quarantine Manager
fsavsd.exe - F-Secure Content Scanner Server Daemon
fsdbuh.exe - F-Secure Database Update Handler
fsm32.exe - F-Secure Settings and Statistics
fsma32.exe - F-Secure Management Agent
fsmb32.exe - F-Secure Message Broker
fwproc.exe - Firewall Processor
opseccp.exe - only if support for Check Point FireWall-1 was installed
Q: How can I check that the network connection to the original MTA is working?
A: You can test whether the network connection to the original MTA is working properly by opening a telnet connection to the MTA (default port 25) from the host running F-Secure Anti-Virus Agent for Internet Mail.
If you get a textual response, the network connection is working.
If you get "Connection to the host lost" or any other error message, the connection was unsuccessful.

Q: How can I check that F-Secure Content Scanner Server is up and running?
A: You can test whether the product is running by opening a telnet connection (telnet [ip address] 18971) to port 18971 on the F-Secure Content Scanner Server machine (if you have specified a different FNP/SCIP port, use that port instead). If the cursor blinks in the upper left corner, the connection has been established and F-Secure Content Scanner Server can accept incoming connections. If you get "Connection to the host lost" or another error message, or if the cursor does not go to the upper left corner, the connection was unsuccessful.
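Both telnet checks above test the same two things: whether a TCP connection can be established, and what (if anything) the service says first. An MTA answers with a "220" greeting; the Content Scanner Server's FNP/SCIP port accepts the connection but stays silent, which is the blinking-cursor case. The following Python is an added example, not F-Secure code or a tool shipped with the product: check_tcp_service performs the same probe for either case and interpret turns the result into the verdict the FAQ describes. So that it runs offline, start_stub_listener stands in for the remote service on a loopback port; that stub, the example.test host names and the interpret wording are assumptions for this illustration.

```python
import socket
import threading

DEFAULT_TIMEOUT = 5.0


def check_tcp_service(host: str, port: int, timeout: float = DEFAULT_TIMEOUT):
    """Open a TCP connection and read whatever the service says first.

    Returns (connected, banner). An SMTP MTA greets with a "220 ..." line; the
    Content Scanner Server's FNP/SCIP port (18971 by default) accepts the
    connection but sends nothing, which telnet shows as a blank screen.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(1.0)  # a silent service is a valid outcome; do not hang
            try:
                banner = sock.recv(512)
            except OSError:  # read timed out or the peer closed abruptly
                banner = b""
            return True, banner.decode("ascii", "replace").strip()
    except OSError:  # refused, unreachable, or connect timed out
        return False, ""


def interpret(service: str, connected: bool, banner: str) -> str:
    """Turn the raw probe result into the verdict described in the FAQ."""
    if not connected:
        return f"{service}: connection failed (network path, service down, or port blocked)"
    if service == "MTA":
        if banner.startswith("220"):
            return f"MTA: reachable, greeted with {banner!r}"
        return f"MTA: reachable but no SMTP greeting ({banner!r}); check that this port is the MTA"
    return f"{service}: port open, server accepting connections"


def start_stub_listener(banner):
    """Constructed stand-in for a remote service so the example runs offline.

    Listens on a free loopback port, accepts one client, sends `banner`
    (nothing when banner is None) and closes. Returns the port number.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        if banner is not None:
            conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_closed_port() -> int:
    """A loopback port with nothing listening on it (bind, then release)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    mta_port = start_stub_listener(b"220 mta.example.test ESMTP ready\r\n")
    css_port = start_stub_listener(None)
    print(interpret("MTA", *check_tcp_service("127.0.0.1", mta_port)))
    print(interpret("Content Scanner Server", *check_tcp_service("127.0.0.1", css_port)))
    print(interpret("MTA", *check_tcp_service("127.0.0.1", free_closed_port())))
```

Against a real installation, call check_tcp_service with the MTA's address and port 25, or the Content Scanner Server's address and 18971 (or the FNP/SCIP port you configured). A successful connection with an empty banner is the expected result for the Content Scanner Server, so only the MTA check treats a missing greeting as suspicious.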
Q: What archive file formats does F-Secure Content Scanner Server support?
A: F-Secure Content Scanner Server supports the following archive formats:
ARJ, BZ2, CAB, GZ, JAR, LZH, RAR, TAR, TGZ, ZIP.

Q: Why can some web pages not be opened with Internet Explorer?
A: A page does not open at all, or only some parts of the page open, when using Internet Explorer. Netscape displays the pages correctly, though. Possible reasons:
You are using FireWall-1 version 3.x, 4.0 pre-SP7 or 4.1 pre-SP2. These versions of FireWall-1 and Security Servers have problems with the HTTP/1.1 protocol. FireWall-1 4.0 SP7 and 4.1 SP2 fix these problems.
By default, Internet Explorer uses HTTP/1.1, while Netscape uses HTTP/1.0. Disable HTTP 1.1 support in Internet Explorer to fix the problem.

Q: F-Secure Anti-Virus for Firewalls found a virus in a file inside an archive but could not disinfect it. Why?
A: F-Secure Anti-Virus for Firewalls cannot disinfect files inside archives. However, an infected archive file is placed in the quarantine folder, and the administrator can extract it and remove the malicious code manually if necessary.

Q: SMTP messages are accumulating in the FireWall-1 spool. Why?
A: If SMTP messages start to accumulate in the spool directory under $FWDIR/spool, the most probable reason is that the FireWall-1 Security Server has crashed. See the troubleshooting question "I get 'Cannot reach the content security server' messages over and over again in the FireWall-1 log. What's wrong?" below. In some cases, however, only the mail queue on the FireWall-1, not the whole FireWall-1 Security Server, has died. It can be restarted with the command "fw mdq" on the FireWall-1 machine. After issuing the command, messages in the spool directory are processed as normal.

Q: Why can't I send SMTP alerts to more than one e-mail address?
A: It is a known problem that versions 4.x of F-Secure Management Agent (FSMA) cannot send SMTP alerts to more than one SMTP address.

Q: What is the difference between a Content Scanner Server and a Content CVP Server?
A: Technically they are the same thing. F-Secure Content Scanner Server is a Content Vectoring Server: the Content Scanner Server is the CVP (Content Vectoring Protocol) server and the firewall is the CVP client.

Q: What is the difference between Content Scanner Server and F-Secure Anti-Virus for Microsoft Exchange/Internet Mail/Lotus Domino/Firewalls?
A: Content Scanner Server is a part of the F-Secure Anti-Virus for Mail Servers and Gateways products. It consists of several components which work together and provide the actual virus scanning service. Content Scanner Server communicates with the F-Secure Anti-Virus Agent installed on the actual mail server or gateway. Depending on the keycode used in the installation, different components are installed; for example, components needed only with F-Secure Anti-Virus for Internet Mail are not installed when F-Secure Anti-Virus for Microsoft Exchange is being installed.

Q: Which platforms can Content Scanner Server be installed on?
A: The supported platforms are:
- Windows NT Server and Advanced Server, Service Pack 4 or later
- Windows 2000 Server and Advanced Server, Service Pack 1 or later
Q: What is the difference between CVP1 and CVP2?
A: F-Secure Anti-Virus for Firewalls supports both CVP1 and CVP2. These are also known as Generic CVP and OPSEC CVP respectively. In both cases the CVP protocol is the same, but in CVP2 the protocol is hidden inside an API.

Q: Why do you recommend installing the product on Windows NT/2000 Server?
A: Windows NT/2000 Server is better adapted to network services than Workstation, which is, by definition, designed to be just a workstation. Microsoft's license agreements also state that server products must be installed on the server version of the operating system. More information about the differences between Windows NT Workstation and Server can be found at the following location:
http://agent.microsoft.com/NTWorkstation/news/mktbulletins/ntwvnts.asp

Q: What protocols can be scanned by this product?
A: SMTP, FTP and HTTP.
Note! Files transferred using the HTTPS protocol cannot be scanned, as those files are sent encrypted all the way from the web server to the browser.

Q: Does the product have OPSEC certification?
A: Yes, F-Secure Anti-Virus for Firewalls is an OPSEC certified product.

Q: Can I run any anti-virus program locally on my F-Secure Content Scanner Server and at the same time have my e-mail traffic protected by F-Secure Anti-Virus for Microsoft Exchange/Lotus Domino/Internet Mail/Firewalls on the same server?
A: No, it is not possible in the current version of the Content Scanner Server, 6.0x. Content Scanner Server 6.0x and F-Secure Anti-Virus for Server do not work together on the same server. However, if this is necessary you can install the previous version of the Content Scanner Server, 5.01. The Content Scanner Server 5.01 package contains a local F-Secure Anti-Virus for Server.

Q: What happens to e-mails if the F-Secure Content Scanner Server machine is down?
A: The messages stay in the Microsoft Exchange server spool directory, and when the Content Scanner Server is up and running again, the e-mails are sent to be scanned as usual.
NOTE! In very large, performance-critical installations, you will benefit from having backup F-Secure Content Scanner Server(s). Backup Content Scanner Servers will be used when the primary one becomes unavailable. Each F-Secure Content Scanner Server should be installed on a dedicated machine.

Q: Do I need to install something on the firewall?
A: Yes and no. You do not need to install any software, but you need to define a rule to direct the traffic to the Content Scanner Server. See the Administrator's Guide, pages 80 - 97, for instructions on how to do this.

Q: What about management features? Does the product work with F-Secure Policy Manager?
A: All F-Secure Mail Server and Gateway products can be fully managed with F-Secure Policy Manager.

Q: Which service packs are recommended with Check Point firewalls?
A: We recommend applying the following service packs when using Check Point FireWall-1 on Windows NT with our Anti-Virus for Firewalls product:
- Windows NT SP6
- Windows 2000 Server SP1 or later
- FireWall-1 4.0 SP7 or later (preferably the latest)
- FireWall-1 4.1 SP3 or later
- Next Generation FP1 or later
Q: How can I strip attachments in e-mails?
A1: F-Secure Anti-Virus for Firewalls 6.01 is capable of stripping attachments without FireWall-1. Check the manual to see how the product can be configured to strip disallowed attachments.
A2: F-Secure Anti-Virus for Firewalls 5.0 cannot strip attachments in e-mail. However, you can configure FireWall-1 to do that. For example, if you want to strip all Word document attachments, you can define a new SMTP resource and enter application/msword in Strip MIME of Type (under the Action2 tab). Add the new SMTP resource to your rulebase before the anti-virus scanning rule (!) and then install the new policies. To strip all executable (EXE, COM, DLL, OCX, VBS, etc.) and office document attachments, you can specify application in Strip MIME of Type.
A3: If you have installed Check Point FireWall-1 4.1 SP3, you have the option to strip certain files based on the file extension. You need to define the extension in /etc/fw/conf/objects.C. Add a forbiddenfiles section in the resourcesobj part. In the example below, the resource is named smtp-attachment. Close the firewall GUI before editing objects.C and reinstall the policy after the modification:
:resourcesobj (resourcesobj
  : (smtp-attachment
    :maxsize (1000)
    :allowed_chars ("8 bit")
    :av_setting (none)
    :av_server ()
    :color (blue)
    :type (smtp)
    :comments ()
    :err_notify (false)
    :default_server ()
    :error_server ()
    : (match_from
      : ("*")
    )
    : (match_to
      : ("*")
    )
    : (from
      : ()
    )
    : (to
      : ()
      : ()
    )
    : (user_field
      : ()
      : ()
      : ()
    )
    :except_track ("Exception Log"
      :type (log)
      :color (Blue)
      :format (long)
      :icon (log.pr)
    )
    : (content-type
      : ()
    )
    : (forbiddenfiles
      : ("{*.vbs,*.exe}")
    )
  )
)
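Editing objects.C by hand is error-prone (one unbalanced parenthesis breaks policy installation), and it is worth confirming which attachment names a forbiddenfiles pattern actually catches before relying on it. The following Python is an added example, not Check Point or F-Secure code: it implements a small parser for the ':key (value)' tree format used by objects.C, extracts the forbiddenfiles patterns and the scalar settings of the named SMTP resource, expands the brace group, and matches candidate attachment names against the result. The sample text is the FAQ's own fragment reflowed onto fewer lines; the parser, helper names, single-level brace expansion and case-insensitive matching are assumptions made for this illustration.

```python
import fnmatch
import re

# Constructed sample: the smtp-attachment resource from the FAQ's objects.C
# fragment, reflowed onto fewer lines (the format is whitespace-insensitive).
SAMPLE_OBJECTS_C = """
:resourcesobj (resourcesobj
  : (smtp-attachment
    :maxsize (1000) :allowed_chars ("8 bit") :av_setting (none) :av_server ()
    :color (blue) :type (smtp) :comments () :err_notify (false)
    :default_server () :error_server ()
    : (match_from : ("*")) : (match_to : ("*"))
    : (from : ()) : (to : () : ()) : (user_field : () : () : ())
    :except_track ("Exception Log" :type (log) :color (Blue) :format (long) :icon (log.pr))
    : (content-type : ())
    : (forbiddenfiles : ("{*.vbs,*.exe}"))
  )
)
"""

TOKEN_RE = re.compile(r'\s+|(?P<open>\()|(?P<close>\))|:(?P<key>[\w\-]*)'
                      r'|"(?P<str>[^"]*)"|(?P<atom>[^\s()":]+)')


def tokenize(text):
    """Yield (kind, text) tokens; whitespace is skipped."""
    pos = 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character at offset {pos}")
        pos = m.end()
        if m.lastgroup:
            yield m.lastgroup, m.group(m.lastgroup)


class ObjectsCParser:
    """Recursive-descent parser for the ':key (value)' tree used by objects.C.

    A value is a scalar string, None for '()', or a list of (key, value) pairs.
    An anonymous entry (': (...)') has key '', and a leading bare word inside
    the parentheses is stored under the key '_name'.
    """
    def __init__(self, text):
        self.tokens = list(tokenize(text))
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else (None, None)

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse_entries(self):
        entries = []
        while self.peek()[0] == "key":
            _, key = self.take()
            entries.append((key, self.parse_value()))
        return entries

    def parse_value(self):
        kind, text = self.take()
        if kind in ("str", "atom"):
            return text
        if kind != "open":
            raise ValueError(f"expected a value, got {kind} {text!r}")
        value = None
        if self.peek()[0] in ("str", "atom"):
            value = self.take()[1]
        if self.peek()[0] == "key":
            children = self.parse_entries()
            value = ([("_name", value)] if value is not None else []) + children
        kind, text = self.take()
        if kind != "close":
            raise ValueError(f"expected ')', got {kind} {text!r}")
        return value


def find_named(entries, name):
    """Return the anonymous child entry whose leading name is `name`, else None."""
    for key, value in entries:
        if key == "" and isinstance(value, list) and dict(value).get("_name") == name:
            return value
    return None


def resource_settings(objects_c, resource_name):
    """Scalar settings of one SMTP resource as a dict (maxsize, type, ...)."""
    top = dict(ObjectsCParser(objects_c).parse_entries())
    res = find_named(top["resourcesobj"], resource_name)
    if res is None:
        raise KeyError(f"resource {resource_name!r} not found")
    return {k: v for k, v in res if k and k != "_name" and isinstance(v, str)}


def expand_braces(pattern):
    """'{*.vbs,*.exe}' -> ['*.vbs', '*.exe']; a plain pattern is returned unchanged.
    Only one level of braces is handled (an assumption for this example)."""
    m = re.fullmatch(r"\{([^{}]*)\}", pattern)
    return [p.strip() for p in m.group(1).split(",") if p.strip()] if m else [pattern]


def forbidden_patterns(objects_c, resource_name):
    """File-name patterns the resource's forbiddenfiles section will strip."""
    top = dict(ObjectsCParser(objects_c).parse_entries())
    section = find_named(find_named(top["resourcesobj"], resource_name) or [], "forbiddenfiles")
    patterns = []
    for key, value in section or []:
        if key == "" and isinstance(value, str):
            patterns.extend(expand_braces(value))
    return patterns


def is_forbidden(filename, patterns):
    """Case-insensitive glob match: attachment names from Windows clients vary in case."""
    return any(fnmatch.fnmatchcase(filename.lower(), p.lower()) for p in patterns)


if __name__ == "__main__":
    pats = forbidden_patterns(SAMPLE_OBJECTS_C, "smtp-attachment")
    print("patterns:", pats, "settings:", resource_settings(SAMPLE_OBJECTS_C, "smtp-attachment"))
    for name in ("invoice.exe", "LOVE-LETTER.VBS", "report.pdf.exe", "report.doc", "setup.exe.txt"):
        print(f"{name:18} -> {'strip' if is_forbidden(name, pats) else 'pass'}")
```

The last sample name shows the limit of extension-based stripping: a file named setup.exe.txt passes a "*.exe" pattern even though a double-extension trick in the other direction (report.pdf.exe) is caught. The parser raises on an unbalanced or malformed fragment, so running it over an edited objects.C is a cheap sanity check before reinstalling the policy.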
Q: Can I use the same F-Secure Administrator that I am already using with Workstation Suite?
A: Yes, you can. You just need to import the appropriate MIB files. (For instructions, please see the appropriate product manual.)

Q: Can I use the same F-Secure Policy Manager Server that I am already using with Workstation Suite?
A: Yes, you can.

Q: Can F-Secure Anti-Virus for Firewalls scan ActiveX and Java applets for malicious code?
A: F-Secure Anti-Virus for Firewalls detects all known Java and ActiveX viruses. You can also configure FireWall-1 to drop ActiveX and Java.

Q: Do I need to use F-Secure Policy Manager Server, or can I use a shared directory (CommDir)?
A: Both solutions are supported.
Note: In small environments both the Policy Manager Server and the Content Scanner Server may be installed on the same machine, but in general, especially if there is a lot of traffic going through the system, this is not recommended.

Q: Which firewalls does F-Secure Anti-Virus for Firewalls work with?
A: F-Secure Anti-Virus for Firewalls should work with any CVP-compliant firewall. Here is a list of some CVP-compliant firewalls:
OPSEC CVP:
- Check Point FireWall-1
- Sun Solstice FireWall-1
Generic CVP:
- Digital AltaVista Firewall
- Milkyway Networks Firewall
- TIS Gauntlet
- Cyberguard Firewall
- Secure Computing Firewall
- Novell FireWALL for NT
Q: Why do I get the 'Connection to Final-MTA failed' error in the FireWall-1 log?
A: You probably have a rule to scan outgoing e-mail. The problem is that when FireWall-1's SMTP Security Server attempts to deliver mail to an outside destination and that destination's mail server is non-responsive, FireWall-1 will NOT attempt to deliver to the next lower precedence server (as defined by the MX records in the destination's DNS domain). This problem exists with Check Point FireWall-1 3.x, 4.0 and 4.1. Hopefully, Check Point will fix it in future versions of VPN-1/FireWall-1.
Here is what you can do to work around this problem. You can install a "smart" SMTP server. This SMTP server can be either inside or outside your firewall, but you have to make sure that any SMTP traffic from this host does not get processed by any SMTP resources. To ensure this does not happen when your mail server is inside the firewall, you need to craft your SMTP rules in the following order:

Source                Destination            Service                   Action
Smart-SMTP-Server     Any                    SMTP                      Accept
Any                   Internal-SMTP-Server   SMTP->Inbound_Resource    Accept
Internal-SMTP-Server  Any                    SMTP->Outbound_Resource   Accept

The "smart SMTP server" rule above your other SMTP rules with resources ensures that the SMTP Security Server does not get invoked. The Inbound_Resource is configured to your taste. The Outbound_Resource is configured to forward all outbound e-mail to your "smart" SMTP server after scanning. You can do this by setting the "Mail Server" part of the resource to your smart SMTP server's IP address. This forces all outbound e-mail to be forwarded to the smart SMTP server, regardless of the actual destination.
Q: What alerting and reporting features are available?
A: F-Secure Anti-Virus for Microsoft Exchange supports the same alerting methods as F-Secure Policy Manager: SMTP, etc. You can send a warning message to the recipient of the e-mail and to an administrator as well.

Q: Why do I fail to access some web sites when using FSAV for Firewalls?
A: You are probably using HTTP 1.1 and the browser simply times out. There is a known issue with Check Point FireWall-1 4.0 where "chunked" data can cause connections to fail when using CVP with HTTP 1.1. In FireWall-1 version 4.0, this has been addressed in Service Pack 5.
If using version 4.1, the firewall's objects.C file needs to be manually edited to force the conversion of HTTP 1.1 packets to HTTP 1.0. To do this:
- Stop the FireWall-1 service.
- Edit the file $FWDIR\conf\objects.C. After the line
  :props (
  add the line
  :http_force_down_to_10 (true)
- Start the FireWall-1 service.
- Reinstall the security policy.
Also, check the following question.

Q: How are the virus database updates done?
A: Please see the possible options on the database update page.

Q: When I connect to some sites, I get the error message 'Failed connect to www server'. Why?
A: There are two possible reasons for this:
- The connection to the site timed out or was refused at the remote end.
- The remote site either has a missing or inconsistent "reverse DNS" entry for its IP address (thanks to Arjan van der Valk for uncovering this).
Check Point considers the latter a security risk and does not allow these sites to be contacted through the HTTP/FTP Security Server. Check Point also does not allow you to turn this feature off. Your options for working around this are:
- Contact the remote site in question to ask them to fix their reverse DNS entry.
- Add an entry in your firewall's local hosts file and have the system resolve against the hosts file first (note: this is untested).
- Exclude the site in question from going through the Security Server by adding a rule above your Security Server rule that permits normal HTTP/FTP to the site.

Q: Why does data trickling not work although I have followed the instructions in the FSAV for Firewalls Administrator's Guide?
A: The manual for F-Secure Anti-Virus for Firewalls includes an error concerning data trickling with FireWall-1 (4.0 and 4.1). The cvp_server.attr file, as seen on pages 31 to 32, should be like the following. Please note that the lines must be exactly in this order:
- Copy the cvp_attributes utility to the computer running Check Point FireWall-1.
- Create a CVP server attributes file called cvp_server.attr in the same directory where you copied the cvp_attributes utility.
- Enter the following information in the cvp_server.attr file:
  rply 2
  ftp_use_cvp_reply_safe true
  http_use_cvp_reply_safe true
  smtp 2
  rcpt_to
  mail_from
Note! Make sure that you leave one empty line at the bottom of the cvp_server.attr file.
Note! Check that you do not have the FireWall-1 Policy Editor open before you run cvp_attributes.
Note! Before running the cvp_attributes utility with version 4.1 of VPN-1/FireWall-1, the $FWDIR environment variable must be defined and set to point to the VPN-1/FireWall-1 installation directory (by default, c:\winnt\fw1\4.1 in Windows).
- From the command line, run the following command:
  cvp_attributes cvp_server.attr
  where is the name of the F-Secure Anti-Virus for Firewalls you have specified in Server Objects in FireWall-1's Policy Editor.
- Open the FireWall-1 Policy Editor and install the policy.
- Reboot the FireWall-1 computer.
Q: F-Secure Anti-Virus for Microsoft Exchange/Internet Mail/Lotus Domino/Firewalls found a virus in a .zip but could not disinfect it. Why?
A: F-Secure Anti-Virus for Microsoft Exchange cannot disinfect files inside archives. However, an infected archive file is placed in the F-Secure Content Scanner Server quarantine folder (\Program Files\F-Secure\Content Scanner Server\Quarantine), and an administrator can extract it and remove the malicious code manually using F-Secure Anti-Virus for Workstations or Servers.
NOTE! F-Secure Anti-Virus for Workstation or Server does not disinfect inside archives automatically. You have to extract the archive and remove the malicious code from it manually.

Q: Can F-Secure Anti-Virus for Firewalls scan and strip attachments from partial messages?
A: Some gateways and mail servers reject messages that are too large. Therefore, a user might want to split a message into smaller parts that can be combined back together on the receiving end. F-Secure Anti-Virus for Firewalls cannot handle these partial messages as a single file, as the parts may go through the gateway with delays and not necessarily even in the correct order. However, if F-Secure Anti-Virus for Firewalls finds malicious code in one of the message parts, that part is dropped and the message cannot be combined back together. It is highly recommended to restrict partial messages on the firewall side to ensure that the system has high-level protection against malicious code.
Q: Can I use remote installation to install F-Secure Anti-Virus for Microsoft Exchange, FSAV for Internet Mail, FSAV for Firewalls and FSAV for Lotus Domino?
A: No, you cannot. F-Secure Anti-Virus for Mail Servers and Gateways products cannot be installed remotely at the moment.

Q: Can I install CSS to support multiple F-Secure Anti-Virus Mail Server and Gateway products?
A: Yes, you can.
First install CSS with the keycode for one product, then run the same setup program again and enter the keycode for the other product you want CSS to support, to additionally install the components required. When running setup.exe for the second time (with the second product's keycode), the setup program will ask you to confirm the installation of the first product, and you just need to enter its keycode again.
This multiple-keycode feature is supported in CSS 6.01 and later.

Q: F-Secure Anti-Virus for Firewalls strips the entire message. What is wrong?
A: Apparently users send e-mail in Microsoft Exchange Rich Text or HTML format. When e-mail is not in plain text format, the e-mail program creates special attachments that carry extra information about the message body, formatting styles, any pictures it might have, the fonts used and so on. For example, if Microsoft Exchange Rich Text format is used, Microsoft Outlook creates an attachment called Winmail.dat that includes the encoded message body and even attached files. If HTML format is used, Microsoft Outlook sends the message body as a text/html part and all other message parts that are used in the message, for example images and multimedia files, as plain attachments. For security reasons, F-Secure Anti-Virus for Firewalls treats anything but plain text e-mail parts as attachments, thus stripping the Winmail.dat file and the other MIME message parts if the "Strip Attachments" setting is set to strip "All Files". To solve the problem, set "Strip Attachments" to strip "All Attachments except Allowed" and add Winmail.dat to the list of allowed attachments. This way F-Secure Anti-Virus for Firewalls does not remove Winmail.dat, but it is still able to remove all other attachments embedded in the message.
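The two answers above (partial messages, and the Winmail.dat case) both come down to how a gateway classifies MIME parts: anything that is not a plain-text body is an attachment, and a message/partial fragment cannot be scanned as one file at all. The following Python is an added example, not F-Secure code or the product's stripping logic: it builds constructed Outlook-style messages with the standard email module (a Rich Text one carrying winmail.dat, an HTML one with a text/html alternative and an inline image, each with a constructed invoice.exe), applies the "All Files" and "All Attachments except Allowed" behaviours described in the FAQ, and flags a constructed message/partial fragment. The sample addresses, file names, TNEF magic bytes and the helper names are assumptions made for this illustration.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser


def build_sample_message(fmt: str) -> EmailMessage:
    """Constructed sample mail in the given client format.

    "rich": Exchange Rich Text; the formatted body travels in a winmail.dat (TNEF) part.
    "html": HTML mail with a text/html alternative and an inline image.
    Both variants also carry a constructed invoice.exe attachment.
    """
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "Quarterly report"
    msg.set_content("See the attached report.")
    if fmt == "rich":
        msg.add_attachment(b"\x78\x9f\x3e\x22constructed TNEF blob",
                           maintype="application", subtype="ms-tnef", filename="winmail.dat")
    elif fmt == "html":
        msg.add_alternative("<p>See the attached report.</p>", subtype="html")
        msg.add_attachment(b"GIF89a constructed image", maintype="image",
                           subtype="gif", filename="logo.gif")
    msg.add_attachment(b"MZ constructed executable", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg


def part_name(part) -> str:
    """Attachment name as a gateway would log it: the filename, else the MIME type."""
    return part.get_filename() or part.get_content_type()


def strip_attachments(msg: EmailMessage, allowed=()):
    """Rebuild a message keeping only plain-text body parts and allowed attachments.

    allowed=() is the "All Files" behaviour from the FAQ: every non-plain-text
    part goes, winmail.dat included. allowed=("winmail.dat",) is "All
    Attachments except Allowed" with winmail.dat on the allowed list.
    Returns (new_message, names_of_stripped_parts).
    """
    allowed_lc = {a.lower() for a in allowed}
    out = EmailMessage()
    for header in ("From", "To", "Subject"):
        if msg[header]:
            out[header] = msg[header]
    text_body, kept, stripped = [], [], []
    for part in msg.walk():
        if part.is_multipart():
            continue  # multipart containers carry no content of their own
        is_plain_body = (part.get_content_type() == "text/plain"
                         and part.get_content_disposition() != "attachment")
        if is_plain_body:
            text_body.append(part.get_content())
        elif part_name(part).lower() in allowed_lc:
            kept.append(part)
        else:
            stripped.append(part_name(part))
    out.set_content("\n".join(text_body))
    for part in kept:
        content = part.get_content()
        if isinstance(content, str):  # a text/* part kept as an attachment
            out.add_attachment(content, subtype=part.get_content_subtype(),
                               filename=part_name(part))
        else:
            out.add_attachment(content, maintype=part.get_content_maintype(),
                               subtype=part.get_content_subtype(), filename=part_name(part))
    return out, stripped


def attachment_names(msg: EmailMessage):
    """Names of the attachments remaining in a message."""
    return [part_name(p) for p in msg.iter_attachments()]


def is_partial_message(msg: EmailMessage) -> bool:
    """True for an RFC 2046 message/partial fragment, which cannot be scanned as one file."""
    return msg.get_content_type() == "message/partial"


# Constructed fragment 1 of 3 of a split message, as a gateway would receive it.
RAW_PARTIAL = (b"From: alice@example.test\r\nTo: bob@example.test\r\n"
               b"Content-Type: message/partial; id=\"split-1@example.test\"; number=1; total=3\r\n"
               b"\r\nfirst fragment of a large message\r\n")


def parse_raw(raw: bytes) -> EmailMessage:
    return BytesParser(policy=policy.default).parsebytes(raw)


if __name__ == "__main__":
    rich = build_sample_message("rich")
    _, gone = strip_attachments(rich)  # "All Files": the whole message is emptied
    print("All Files strips:", gone)
    kept_msg, gone = strip_attachments(rich, allowed=("winmail.dat",))
    print("Except Allowed strips:", gone, "keeps:", attachment_names(kept_msg))
    print("HTML mail, All Files strips:", strip_attachments(build_sample_message("html"))[1])
    print("partial fragment to restrict:", is_partial_message(parse_raw(RAW_PARTIAL)))
```

With allowed=() the Rich Text message loses both winmail.dat and invoice.exe, which is the "entire message stripped" symptom; with winmail.dat on the allowed list only invoice.exe is removed and the formatted body survives. The HTML variant shows why the text/html part and the inline image count as attachments too. The partial check is the kind of rule the FAQ recommends enforcing on the firewall side: a fragment is rejected outright rather than scanned on its own.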
Q: I cannot contact some web or FTP sites. Why?
A: A site cannot be accessed at all, or in some cases the FTP authentication fails. Possible reasons:
- The connection to the site timed out or was refused at the remote end.
- The site in question has a faulty or nonexistent entry in DNS, so that reverse DNS lookups do not work properly. According to Check Point, this may be a security vulnerability and can be circumvented only by adding the IP addresses and names of the sites in question to the FireWall-1 machine's hosts file (\winnt\system32\drivers\etc\hosts) or, preferably, by adding the correct DNS data for those machines.

Q: I get "Cannot reach the content security server" messages over and over again in the FireWall-1 log. What's wrong?
A: Possible reasons:
- The Security Server in Check Point FireWall-1 has crashed. It may still appear in the Unix process listing as in.aXXXXd, yet it might have crashed. Stop and start FireWall-1 (fwstop; fwstart); sometimes you will need to do a restart.
- There is a network problem between the FireWall-1 and F-Secure Anti-Virus for Firewalls. Check that data can be transferred from FireWall-1 to F-Secure Anti-Virus for Firewalls and vice versa. Check that ping works to both hosts.
- F-Secure Anti-Virus for Firewalls has crashed. Check that F-Secure Management Agent and F-Secure Anti-Virus for Firewalls are running and restart them if necessary.

Q: Slow performance when running HTTP scanning. What can be the reason?
A: Force all the network cards' link speed/duplex value to 100 Mbps full duplex. This can increase HTTP scanning performance in some cases.