RELEASE NOTES F-Secure and Server Security version build 739 (RTM)

(1)

RELEASE NOTES

F-Secure® E-mail and Server Security

version 11.00 build 739 (RTM)

This product includes software written by Tim Hudson ([email protected]). This product includes optional Microsoft SQL Server 2008 R2 SP1 Express Edition. Copyright © 2010 Microsoft Corporation. All rights reserved.

This product may be covered by one or more F-Secure patents, including the following: GB2353372, GB2366691, GB2366692, GB2366693, GB2367933, GB2368233, GB2374260

1. General

This document contains late-breaking information about F-Secure E-mail and Server Security 11.00 Standard and Premium. We strongly recommend that you read the entire document before installing the software.

F-Secure continuously improves documentation. Refer to the latest version of this document online: http://download.f-secure.com/webclub/fsess-11.00-rtm-release-notes.htm

2. Product contents

F-Secure E-mail and Server Security provides protection for your Microsoft® Windows Server®,

Microsoft® SharePoint Server, Microsoft® Exchange Server, Microsoft® Small Business Server, Citrix® XenApp, and Windows Terminal servers. The solution can be licensed and deployed as F-Secure Server

Security (Standard) or F-Secure Server Security Premium, on per-server basis, or F-Secure E-mail and Server Security (Standard) or F-Secure E-mail and Server Security Premium, on per-user or

terminal connection basis.

This new F-Secure E-mail and Server Security solution release includes the following features:

 Virus & spyware protection – protects your computer against viruses, trojans, spyware, rootkits and other malware.

 DeepGuard™ – proactive, instant protection against unknown threats. It monitors application

behavior and stops potentially harmful activities in real-time.

 Web traffic scanning – detects and blocks malicious content in web traffic (HTTP protocol) to

provide additional protection against malware.

 Browsing protection – protection for your terminal users against web browser exploits and rogue web sites.

(2)

 Anti-Virus for Microsoft Exchange – protects incoming, outgoing, and internal mail traffic and

Exchange public folders from malware and other security threats and provides content and attachment filtering. In addition, Exchange 2013 DAG support and other Exchange 2013-related enhancements are introduced in this release.

 Spam Control – detects and filters spam messages from e-mail traffic providing real-time protection against all types of spam, regardless of its content, format or language.

 Offload scanning agent – allows to offload malware scanning to F-Secure Scanning and

Reputation Server in Virtual and Cloud Environments.

 Software Updater -- keeps your system and applications up-to-date by installing patches as they

are released by vendors.

 Anti-Virus for Microsoft SharePoint – real-time protection for the Microsoft SharePoint servers,

scanning the uploaded and downloaded content for malware and other security threats.

 EMC CAVA support - provides Anti-Virus configuration when working in EMC CAVA environment.

The table below shows which features are enabled with different product licenses.

Feature F-Secure Server Security (Standard) F-Secure Server Security Premium F-Secure E-mail and Server Security (Standard) F-Secure E-mail and Server Security Premium

Virus & spyware

protection ● ● ● ●

DeepGuard™ ● ● ● ●

Web traffic scanning ● ● ● ●

Browsing protection ● ● ● ●

Anti-Virus for Microsoft

Exchange ● ●

Spam Control ● ●

Offload Scanning Agent ● ● ● ●

Software Updater ● ●

Anti-Virus for Microsoft

SharePoint ●

EMC CAVA support ●

The solution is available in the following languages: English, Chinese Simplified, Chinese Traditional, French, German, Italian, Japanese, Korean, Polish, Spanish (Latin America), and Swedish.

3. What’s new

3.1 New features and improvements

 Software Updater -- keeps your system and applications up-to-date by installing patches as they

are released by vendors.

 Anti-Virus for Microsoft SharePoint – real-time protection for the Microsoft SharePoint servers,

(3)

 EMC CAVA support - provides Anti-Virus configuration when working in EMC CAVA environment.

 Exchange 2013 DAG support and other Exchange 2013-related enhancements.

 New languages: Chinese Traditional and Chinese Simplified.

3.2 Fixed issues

This section lists important issues fixed in this release:

 CTS-93989: Neighbourcast problem

 CTS-94056: Too many broadcasts in Neighborcast function of Client Security 11  CSEP-1340: Incorrect information about update size in statistics

 CSEP-1129: Exchange 2007..2013 transport agent should support IPv6 addresses/ranges/masks  CSEP-844: Ex2013: Transport agent cannot be installed if server does not have Client access role  CSEP-845 Ex2013: Transport statistics calculates service mails

 CSEP-846 : Ex2013: Internal mails are calculated as inbound in statistics  CSEP-847: Ex2013: Transport statistics are reset on computer restart  CSEP-775 ESS notification settings can't prevent sending notifications  CSEP-744 / CTS-91772 Error logged after latest CSS update

 CTS-92935 / CSEP-902: Manual Scan doesn't show list of files currently being scanned  CSEP-932: FQM cleans all headers before sending item to Hospital

 CSEP-1234 and CSEP-1322: Do not localize "Offload Scanning Agent"  CSEP-1037: When installing via Push install or MSI, ORSP is always installed  CSEP-1195 / CTS-93595 Edge transport high CPU usage and crashing

 CSEP-1318 / CTS-93988 ESS 10.50 - FTR incorrectly recognize text file as bat, cmd or vbs  CSEP-1229 / CSEP-1229: Server Security 10.50 // Installation failed - Ascendancy component

F-Secure DAAS2 cannot be installed

 CSEP-1348: ESS WebUI: read-only mode isn't read only

 CSEP-1389: OpenSSL needs updating to 1.0.1f, if using TLS 1.2 or DTLS

4. System requirements

Before you install the product, we recommend that you review sections in this topic to ensure that your network, hardware, software, and other system components meet the requirements.

Note: The minimum hardware requirements may not be sufficient if you run multiple services on the same

system.

4.1 System requirements for F-Secure E-mail and Server Security installation

To install F-Secure E-mail and Server Security, the following minimum hardware and system requirements are recommended.

Hardware

Computer: Any computer that meets the requirements for the supported operating system.

Disk space: 10 GB or more is recommended.

Internet connection: Internet connection is required to receive updates and use cloud-based detection.

4.2 Supported Operating Systems

The product can be installed on a computer running one of the following operational systems:  Microsoft® Windows Server 2003 (see Note)

(4)

 Microsoft® Windows Server 2008  Microsoft® Windows Server 2008 R2

 Microsoft® Small Business Server 2003 (see Note)  Microsoft® Small Business Server 2003 R2 (see Note)  Microsoft® Small Business Server 2008

 Microsoft® Small Business Server 2011, Standard edition  Microsoft® Small Business Server 2011, Essentials  Microsoft® Windows Server 2012

 Microsoft® Windows Server 2012 Essentials  Microsoft® Windows Server 2012 R2

All Microsoft Windows Server editions are supported except:  Windows Server for Itanium processor

 Windows DataCenter and HPC editions for specific hardware  Windows Storage editions

 Windows MultiPoint Server  Windows Home Server

Note: All operating systems are required to have the latest Service Pack installed.

Note: For performance and security reasons, you can install the product only on NTFS partition. Note: Important information concerning Windows 2003 Server support

Microsoft has announced that they will end their Extended Support for Windows 2003 Server product line 14th_{of July 2015. After this date, Microsoft will no longer release any Security updates nor Hot fixes for} Windows 2003 Server product line.

F-Secure Server Security and F-Secure E-mail and Server Security will support Windows 2003 Server until 24th_{of July 2016.}

F-Secure highly recommends customers to update their operating systems and use only Windows versions that receive security updates from Microsoft. The latest operating system version always provides the best protection technologies, is fully maintained by the vendor and receives timely security updates and

improvements. F-Secure cannot guarantee the best protection and performance for customers running Windows 2003 Server after 14th_{of July 2015. This is because malware can use vulnerabilities in the} operating system that are no longer fixed by Microsoft.

4.3 Supported Microsoft Exchange Servers

F-Secure E-mail and Server Security can be installed on a computer running the following Microsoft Exchange Server versions:



Microsoft® Exchange Server 2003 with the latest service pack (see Note)



Microsoft® Exchange Server 2007 (64-bit version) with the latest service pack



Microsoft® Exchange Server 2010 service pack 2, service pack 3



Microsoft® Exchange Server 2013 w/o service pack, service pack 1



Microsoft® Small Business Server 2003 (see Note)



Microsoft® Small Business Server 2008



Microsoft® Small Business Server 2011, Standard edition

The product supports the following roles of Microsoft Exchange Server 2007/2010:



Edge Server role

(5)



Mailbox Server role



Combo Server (Mailbox Server and Hub Server roles)

Note: Important information concerning Exchange Server 2003 support

Microsoft has announced that they will end their Extended Support for Exchange Server 2003 product line on 8th of April 2014. After this date, Microsoft will no longer release any Security updates nor Hot fixes for Exchange Server 2003 products.

F-Secure E-mail and Server Security will support Exchange Server 2003 until 24th of July 2016.

Note: The 32-bit version of Microsoft Exchange Server 2007 is not supported.

Important: The Collaboration Data Objects for Exchange (CDOEX) update is required if you plan to install

F-Secure E-mail and Server Security on Microsoft Exchange Server 2007 running on Microsoft Windows Server 2008 R2. The update and installation instructions are available in Microsoft Knowledge Base article

98270. It is important to note that the CDOEX update must be installed before installing Microsoft

Exchange Server 2007 SP3.

4.4 Cluster environments

F-Secure E-mail and Server Security 11.00 can be installed on Microsoft Exchange Server clusters. The following cluster configurations are supported:



Microsoft® Exchange Server 2003 Active-Passive clustering



Microsoft® Exchange Server 2003 Active-Active clustering



Microsoft® Exchange Server 2007 Cluster Continuous Replication (CCR) model



Microsoft® Exchange Server 2007 Single Copy Cluster (SCC) model

 Microsoft® Exchange Server 2010 Database Availability Groups  Microsoft® Exchange Server 2013 Database Availability Groups

4.5 SQL Server requirements

F-Secure E-mail and Server Security 11.00 requires Microsoft® SQL Server for the quarantine management. The following versions of Microsoft SQL Server are recommended to use:



Microsoft® SQL Server 2005 (Enterprise, Standard, Workgroup or Express Edition) with the latest service pack



Microsoft® SQL Server 2008 (Enterprise, Standard, Workgroup or Express Edition)



Microsoft® SQL Server 2008 R2 (Enterprise, Standard, Workgroup or Express Edition)



Microsoft® SQL Server 2012 (Enterprise, Business Intelligence, Standard, or Express Edition) Microsoft SQL Server 2008 R2 SP1 Express Edition is distributed with the product and can be installed during F-Secure E-mail and Server Security 11.00 Setup.

Note: Microsoft .NET Framework version 2.0 and Microsoft Windows Installer 4.5 are required to install

Microsoft SQL Server 2008 R2 SP1 Express Edition. They can be downloaded from Microsoft Download

Center. If you plan to have Microsoft SQL Server on the same server, install these components before

installing F-Secure E-mail and Server Security.

Important: We do not recommend using MSDE or Microsoft SQL Server 2005/2008/2008R2 Express

Edition if you are planning to use the centralized quarantine management or if your organization sends and receives a large amount of e-mails. For more information about the limitations of the Microsoft SQL Server 2005/2008/2008R2 Express Edition or MSDE, see the product manual.

(6)

4.6 Supported terminal servers

F-Secure E-mail and Server Security 11.00 supports the following terminal server platforms:



Microsoft Windows Terminal/RDP Services (on the above mentioned Windows Server platforms)



Citrix® Presentation Server 4.5



Citrix® XenApp 5.0



Citrix® XenApp 6.0  Citrix® XenApp 6.5

4.7 Supported Microsoft SharePoint servers

F-Secure E-mail and Server Security can be installed on a computer running the following Microsoft SharePoint Server versions:



Microsoft® SharePoint 2013 with the latest service pack



Microsoft® SharePoint 2010 with the latest service pack

4.8 Centralized management requirements

The following versions of F-Secure Policy Manager are required if you plan to centrally manage F-Secure Server Security or F-Secure E-mail and Server Security (Standard) installations:

 F-Secure Policy Manager (Windows) 10.10 or newer, 11.20 is recommended  F-Secure Policy Manager (Linux) 10.10 or newer, 10.40 is recommended

The following versions of F-Secure Policy Manager are required if you plan to centrally manage Premium editions of F-Secure Server Security or F-Secure E-mail and Server Security installations:

 F-Secure Policy Manager (Windows) 11.10 or newer, 11.20 is recommended  F-Secure Policy Manager (Linux) 10.30 or newer

Note: Software Updater management functionality is available only with the Windows version of F-Secure

Policy Manager.

4.9 Other requirements

To administer the product with F-Secure Web Console, one of the following web browser software is required:

 Microsoft Internet Explorer 7.0 or later  Mozilla Firefox (up-to-date versions)  Google Chrome (up-to-date versions)

Any other Web browser supporting HTTP 1.0, SSL, Java scripts and cookies may be used as well. Before you log in to F-Secure Web Console, check that JavaScript and cookies are enabled in the browser. You need to add the address of F-Secure Web Console (https://127.0.0.1:25023/) to the Trusted sites in the Internet Explorer security options to make sure that F-Secure Web Console works properly.

5. Setup and configuration

5.1 Installation instructions

Note: Before you install F-Secure Server Security or F-Secure E-mail and Server Security, uninstall any

(7)

To install the product, you need to log in with administrator-level privileges.

5.2 Installation instructions in Virtual Environments using the F-Secure Offload

Scanning Agent

If you want to deploy F-Secure E-mail and Server Security in virtual environment using the Offload Scanning Agent to minimize the performance impact to virtualization infrastructure, you need to select the installation of the Offload Scanning Agent during the installation.

For detailed instructions of installation of this feature, please refer to the F-Secure Security for Virtual and Cloud Environments deployment guide.

Note: Please note that you need to have the Scanning and Reputation Server in place for this functionality

to work.

5.3 Remote installation

Remote installation with F-Secure Policy Manager is possible for F-Secure Server Security only. To deploy F-Secure E-mail and Server Security, you need to make the attended installation either locally or over the remote desktop connection.

5.4 Compatibility with F-Secure Policy Manager

The product is not compatible with older versions of F-Secure Policy Manager. For compatibility information, please refer to Centralized management requirements.

5.5 Upgrade installation

You can upgrade F-Secure E-mail and Server Security from the previous versions of F-Secure products by running the setup program and following the installation instructions. You can upgrade the following product versions:

 F-Secure Anti-Virus for Windows Servers 9.0  F-Secure Anti-Virus for Citrix Servers 9.0

 F-Secure Anti-Virus for Microsoft Exchange 9.0 or 9.10  F-Secure Server Security 9.20, 10.00, 10.01 or 10.50

 F-Secure E-mail and Server Security 9.20, 10.00, 10.01 or 10.50 Refer to the manual for detailed upgrade instructions.

Note: Upgrade or reinstall the product above similar PSB products is not supported. Uninstall PSB Sever

Security or PSB E-mail and Server Security before installing this product.

5.6 Using pre-installed Microsoft SQL Server

Microsoft SQL Server 2008 R2 SP1 Express Edition is distributed with the product and included in the product installation package. If you need to use F-Secure E-mail and Server Security with your own installation of Microsoft SQL Server, make sure that you select the Mixed mode in the Authentication mode page. To change the authentication mode after the installation, refer to the Microsoft SQL Server

documentation.

5.7 Reconfiguration of Quarantine storage

During the installation, F-Secure E-mail and Server Security is configured to exclude all its working folders from the real-time file scanning to prevent interferences with any operation of the e-mail scanning. If the location of the Quarantine storage folder is changed in future, you need to reconfigure the product to

(8)

exclude the folder from the real-time file scan. Refer to the manual for detailed instructions on adding such exclusions.

5.8 Uninstallation instructions

To uninstall F-Secure Server Security or F-Secure E-mail and Server Security, use Programs and Features (former Add or Remove Programs) from the Windows Control Panel. Restart the server after uninstalling all the components.

Note: Some files and directories may remain under the product installation directory

(%ProgramFiles(x86)%\F-Secure), programs data directory (%ALLUSERSPROFILE%\F-Secure), and user’s temporary directories (%TEMP%) after you uninstall the product. We recommend that you remove these directories and files manually.

6. Known issues

6.1 Installation and uninstallation

Admin.pub cannot be located during installation on Windows Server Core edition (CTS-69882) When installing the product on Windows Server Core platform, the Browse button in the Setup wizard is not functioning because the common Windows dialog is missing. As the workaround, you can enter the path to the admin.pub file manually.

Entering full license key does not activate On Access Scanning and On Demand Scanning immediately (CTS-70470)

When your evaluation version of the product expires and you enter the full license key, access and on-demand scanning may not be activated immediately and thus not provide full server protection. It may take up to half an hour before the product gets fully functional. In order to speed up the license activation process, you can restart FSGKHS service or reboot the server.

Shifting evaluation license from one product edition to another is not supported

You cannot register the evaluation installation of F-Secure Server Security with the full license key for F Secure E-mail and Server Security or vice versa. If you want to purchase a license for different product, uninstall the evaluation product first.

Setup displays "STSADM.EXE - Application Error" dialog when user enters account with not enough permissions (CSEP-1362)

In some cases, you can experience appearance of an alienated dialog even though the error has been handled by the usual error handling service. Closing the dialog shows the error then in the correct dialog.

Anti-Virus for Microsoft SharePoint Working folder is not deleted (CSEP-1390)

Working folder created during setup is not deleted due to missing permissions. You still can delete it manually, taking ownership and granting Full Control permissions.

Uninstallation status Failed: F-Secure Management Agent could not get the results for the previous installation... (CSEP-1395)

In some cases, the uninstallation from PMC will produce the above status message. This status message does not reflect the real status. The uninstallation is successful but it produces the confusing message.

(9)

At uninstallation: call the STSADM.EXE may fail (CSEP-1345)

Uninstallation of Anti-Virus for Microsoft SharePoint tries to change SharePoint anti-virus settings back. This operation may fail, if the user that runs uninstallation does not have permissions to change settings (a special account is used for that). After uninstallation completes, please login to SharePoint Management Console and make sure “Scan on upload” and “Scan on download” anti-virus settings are switched off.

6.2 Anti-Virus for Microsoft SharePoint

Quarantine is not supported

The current release of Anti-Virus for Microsoft SharePoint blocks infected or malware files in real-time: on uploading or downloading. It does not put such files to quarantine. Use Anti-Virus at file level for

disinfection or quarantining the files in question.

Scanning on demand is not supported

The current release of Anti-Virus for Microsoft SharePoint blocks infected or malware files only on accessing them: when the file is downloading from the SharePoint database. It does not provide manual (on-demand) or scheduled scan of the SharePoint database.

The setting "list of files to be excluded from scan inside archives” for AV4SP doesn’t work (CSEP-1393)

Although an extension is specified in the list of files to be excluded, such files are anyway scanned inside archives.

6.3 Virus and Spyware Protection

Scanning big folders does not disinfect found malware if scanning is interrupted (CTS-68901) When a manual scan task that was started from the Web Console is interrupted, the admin-defined actions may not take place for found malware or spyware items. You need to run the manual scanning again and wait until it is completed for the actions to take place.

EFS encrypted file cannot be scanned via scheduled scanning (CTS-88303/CSEP-221)

Scheduled scan fails to scan an encrypted file with eicar.com inside and returns the error "file cannot be opened". There can be many users on a server and every user can have own encrypted files. To scan such files, scanning must run under user credentials, while scheduled scan runs under the local system account. Workaround is to use manual scan for those files.

6.4 DeepGuard

DeepGuard installation requires Microsoft Windows 2003 Server reboot

If the product is installed with DeepGuard protection component on Microsoft Windows 2003 Server platforms, you need to restart the server to finalize the installation.

DeepGuard 5 does not work on Windows Server 2003 64-bit

The 64-bit version of Windows Server 2003 does not include upgraded driver support routines of

Microsoft's PatchGuard, which prevents kernel modifications. This makes this specific version of Windows incompatible with DeepGuard. If you are using the 64-bit version of Windows Server 2003, we recommend that you upgrade your operating system to benefit from our award winning DeepGuard technology.

(10)

Change in Browsing protection settings may look ineffective due to caching

Sometimes it may seem that a change in Browsing protection settings is not applied, because the browser finds the page content from the cache. Use Ctrl-F5 to ignore the cache and reload the content.

Browsing protection search results

Browsing protection does not show safety ratings on search result pages that use HTTPS.

6.6 Web Traffic Scanning

Web Traffic Scanning does not handle encrypted traffic

The current version of NIF-based Web Traffic Scanning cannot handle the content of encrypted network traffic, e.g. HTTPS protocol.

Web Traffic Scanning causes download speed to decrease (CTS-90775/SPT-255)

In some cases, the download speed is affected by Web Traffic Scanning resulting in slow download speeds.

6.7 Web Console

Manual Scanning does not allow to scan mapped network drives/shares (CTS-70572)

When you log in to Web Console, it does not load the full user profile, so you cannot scan a network drive or share from the manual scanning page. Scan network drives/shares with “Virus and spyware scanning” menu from F-Secure icon in the system tray or with the “Scan Folder for Viruses” menu from Windows Explorer.

Internet Explorer 8 may show the security warning on the login page (CTS-70956)

If the session expires, the Web Console returns to the login page automatically. When this happens, Internet Explorer 8 may show the security warning about content that may be delivered using non-secure connection. You can ignore this warning.

Web Console might delay on refreshing the page automatically

Sometimes after you change and save a new setting (for example, Language of the user interface), there may be a few second delay while the Web Console tries to automatically refresh the page.

6.8 Cluster environments

Messages may not be scanned when Exchange is moved from one cluster node to another (CTS-62925)

When Exchange cluster groups are moved from one node to another, while the product is running on Active-Passive cluster environment, F-Secure Anti-Virus for Microsoft Exchange service can be down for a short time. While the service is down, some e-mail messages may not be scanned on the transport level. However, all e-mail messages and attachments are scanned without interruptions on the storage level.

Incorrect quarantine statistics are shown when Web Console is open on the passive node (CTS-63021)

Quarantine and other product statistics are not updated on the passive node as some of the product services are down or suspended. Therefore, when you connect to the Web Console on the passive node, the product status and statistics are not shown correctly. We strongly recommend that you connect to the

(11)

Web Console using the name or IP address of the cluster instead of the name or IP address of the cluster nodes.

6.9 Disclaimers

Disclaimers are not added to messages release from quarantine (CTS-67265)

Disclaimers are not added to outbound mails that are manually released from the Quarantine, since it is not possible to say if they are safe or not.

Disclaimer is not added to TNEF mails with empty body (CTS-70123)

Disclaimer is not added to TNEF encoded mails with empty body that have no text and no attachments. This problem occurs only on Microsoft Exchange Server 2007.

Disclaimer is not added to mails if sender/recipient is in the list of trusted senders/recipients (CTS-70124)

If the e-mail sender or recipient is included to the Trusted Senders or Trusted Recipients list, the disclaimer is not added to the message.

6.10 Quarantine

Recipients are not listed for quarantined attachments that are blocked in real-time (CTS-73434) If malicious or disallowed attachments are blocked during real-time scanning in the Exchange store, they are listed in the Quarantine Query without the name of the corresponding recipient mailbox where they have been blocked. However, the information about the mailbox that contains the malicious or disallowed attachment can be found in the product alerts.

7. Contact information and feedback

We look forward to hear your comments on the functionality, usability and performance. Please report any technical issues via:

 F-Secure support web site: http://support.f-secure.com

 F-Secure Community: http://community.f-secure.com/t5/Business/ct-p/Business_Security_Solutions

Before sending us a report about your issue, run F-Secure Support Tool FSDiag.exe on the host that is running F-Secure Server Security or F-Secure E-mail and Server Security.

This utility gathers basic information about hardware, operating system, network configuration and installed F-Secure and third-party software. You can run the F-Secure Support Tool from the Web Console as follows:

1. Log in to the Web Console.

2. Type https://127.0.0.1:25023/fsdiag/ in the address field of the browser. (If you are accessing the server remotely, use the real IP address of the server instead of 127.0.0.1).

3. F-Secure Support Tool starts automatically and the dialog displays the data collection progress. 4. When the tool has finished collecting the data, click Report to download and save the collected

data

You can also run the FSDiag.exe utility under F-Secure\Common folder. The tool generates a file called FSDiag.tar.gz.

(12)

8. F-Secure license terms

F-Secure license terms are included in the software. You must read and accept them before you can install and use the software.