
TECHNICAL DOCUMENT
Reference Nr.
20151211/CI/2
Written by
Costas Ioannou
Latest update
21/1/2016
F-SECURE CONFIGURATION BEST PRACTICE
AGAINST ZERO-HOUR MALWARE
F-SECURE CLIENT SECURITY (CS)
F-SECURE SERVER SECURITY (SS)
F-SECURE EMAIL AND SERVER SECURITY (ESS)
This document is a best-practice configuration guide for obtaining the maximum protection level from the F-Secure solutions against ransomware and zero-hour malware.
Many settings are proposed to be locked. A locked setting cannot be changed by the end-user at the local user interface, so the user cannot disable a protection feature.
F-Secure Policy Manager Console can work in 'Antivirus Mode' and in 'Advanced Mode'. Some settings can be configured only in 'Advanced Mode'. We indicate which settings are configured in Antivirus Mode and which can only be configured in Advanced Mode.
Under each configuration setting (or set of settings) you will find a brief explanation
of what this setting accomplishes.
TABLE OF CONTENTS
Best Practice for F-Secure Client Security and F-Secure Server Security
  Policy Manager Console Antivirus Mode
  Policy Manager Console Advanced Mode
Best Practice for F-Secure E-mail and Server Security
  E-mail traffic on Exchange
  Administrator's web User Interface
  Policy Manager Console Advanced Mode
___________________________________________________________________________________________________________
Negreponti 5
413 35 Larissa, Greece
Tel. (+30) 2410-670030
Fax.(+30) 2410-670006
email [email protected]
URL: www.inter-datasecurity.com
Disclaimer
The information contained in this document is meant to help the reader combat specific malware. Although the utmost care has been taken to ensure the correctness of the information, Inter Engineering does not accept any responsibility for the use, misuse or inability to use the information in this document. Due to the nature of the subject, the information provided in this document is, or will become, incomplete over time. It is the sole responsibility of the reader to judge whether or not to use the information herein and to accept the consequences. If you disagree with this, then you should not use this document.
The aim of this document
This document aims to provide the reader with a configuration guide on how F-Secure anti-malware software can contribute to the protection of an organization against zero-hour malware.
BEST PRACTICE
FOR
F-SECURE CLIENT SECURITY
AND
F-SECURE SERVER SECURITY
Policy Manager Console Antivirus Mode
Automatic Updates
Automatic Updates > Enabled Automatic Updates = Checked & Locked
- end-user cannot disable automatic updates.
Status > Automatic Updates > Virus Definition Version (column)
- Check that latest updates are installed on all hosts
Real Time protection
Real-Time Scanning > Real Time scanning enabled = Checked & Locked
- end-user cannot disable real-time scanning
Real-Time Scanning > Custom Action on infection = Quarantine Automatically (Locked)
- infected files are quarantined immediately, so the end-user cannot leave infected code on the hard drive by mistake.
Real-Time Scanning > Files to scan = Files with these extensions
- it is recommended to scan only specific extensions (the default in Policy Manager Console) in order to avoid performance issues at the endpoint.
Real-Time Scanning > Included Extensions = Default and Locked
- IMPORTANT: This setting must NOT be locked at the Root policy domain level, because that would prevent F-Secure installers from adding new extensions when needed. Lock it on the policy domains under the Root policy domain instead.
- Currently, the default included extensions in Policy Manager Console (v12) are:
o COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL
WIZ HTA PP? PWZ POT MSO PIF ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD
OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE
VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ANI BAT CMD DOC DOT JOB LSP
MHT PHP PPT SWF WMA WMV WMF WRI XLS XLT CLASS DOCX DOCM DOTX DOTM DOCB
XLSX XLSM XLTX XLTM XLSB XLAM PPTX PPTM POTX POTM PPAM PPSX PPSM SLDX
SLDM PUB
Zero-hour protection
Real-Time Scanning > Enable DeepGuard = Enabled and Locked
- behaviour-based zero-hour malware detection cannot be disabled by the end-user. Mandatory for ransomware protection.
Real-Time Scanning > Action on System Modification attempt = Automatic: Do not ask
- DeepGuard decides on suspicious system modifications automatically, without prompting the end-user, who could otherwise click through and allow a malicious change.
Real-Time Scanning > Use server Queries to improve accuracy = Enabled and Locked
- additional method for zero-hour detection through cloud lookups (reputation queries to F-Secure's Real-Time Protection Network). Mandatory for ransomware protection.
Real-Time Scanning > Use Advanced process monitoring = enabled and locked
- additional method for zero-hour detection. Mandatory for ransomware protection.
Email Scanning on Desktop
Email scanning on the desktop is highly recommended, especially if you do not have a gateway solution or F-Secure on Microsoft Exchange (ESS). It supports IMAP, POP3 and SMTP scanning.
Email Scanning > Enable Incoming e-mail Scanning = enabled and locked
- Email scanning cannot be disabled by user
Email Scanning > Action on incoming infected attachments = Disinfect Attachment (Locked)
- Attempt to disinfect the infected attachment. Setting cannot be changed by the end-user.
Email Scanning > Action on malformed message parts = Remove Message Part (Locked)
- Malformed parts cannot be scanned, so they are removed. Setting cannot be changed by the end-user.
Email Scanning > Scan inside compressed attachments = Enabled and Locked
- Scan inside archives (zip, rar, etc.). Setting cannot be changed by the end-user.
Web Traffic Scanning
Web Traffic scanning on desktop is highly recommended especially if you don't have
a gateway/proxy solution protecting web-traffic.
Web Scanning > HTTP Scanning Enabled = Only Included Content Types (Locked)
- Web traffic scanning cannot be disabled by end-user.
Web Scanning > Action on infection = Block (Locked)
- User cannot bypass an infected item and download it.
Browsing Protection > Browsing Protection Enabled = Checked and Locked
- Browsing Protection protects the browser from vulnerability exploits and blocks access to malicious URLs. Setting cannot be disabled by the end-user.
Browsing Protection > Allow users to continue to blocked pages = Disabled and Locked
- End-user cannot bypass the blocking of a malicious page.
Desktop Firewall
Firewall Security Levels > Enabled network quarantine = enabled and locked
- network quarantine blocks the host's access to the network if virus definitions are old or real-time scanning (RTS) is disabled.
Firewall Security Levels > Active network quarantine on host if real-time scanning is disabled = enabled and locked
- an endpoint whose real-time scanning is disabled gets no network access (except for updating), so it cannot be used on the network while unprotected.
Application Control > Do not prompt for applications that DeepGuard has identified = enabled and locked
Application Control > Do not prompt for applications identified using the Real-time Protection Network = enabled and clear
Application Control > Do not prompt for applications identified by scan engines = enabled and clear
- Application Control does not allow unknown applications to connect to the network; applications already identified as trusted are allowed without prompting the end-user.
Web traffic scanning Advanced Protection
Web Traffic Scanning > Advanced Protection
- These settings let you block Java, Flash, PDF, Silverlight, ActiveX and similar active content from web sites. You can implement an aggressive policy that blocks active content from all pages by default and whitelists only the web sites needed for work. Note that this approach demands more administration than usual, because you must maintain the whitelist of sites your users visit.
Policy Manager Console - Advanced Mode
F-secure Antivirus > Plug-ins > confirm that all plug-ins (anti-malware engines) are enabled
Real-time scanning
F-secure Antivirus > Settings for Real Time Protection > Scanning Options > File Scanning > Inclusions and Exclusions > Add Extensions Defined in Database = enabled + locked
- F-Secure may add new extensions to the scan list through database updates as new threats emerge; this keeps the locked extension list current without manual edits.
Exclusions
F-secure Antivirus > Settings for Real Time Protection > Scanning Options > File
Scanning > Inclusions and Exclusions > Excluded Objects Enabled = Disabled
(locked)
F-secure Antivirus > Settings for Real Time Protection > Scanning Options > File
Scanning > Inclusions and Exclusions > Excluded Objects >Disallow User Changes =
enabled
F-secure Antivirus > Settings for Real Time Protection > Scanning Options > File
Scanning > Inclusions and Exclusions > Excluded Processes Enabled = Disabled
(locked)
F-secure Antivirus > Settings for Real Time Protection > Scanning Options > File
Scanning > Inclusions and Exclusions > Excluded Processes = empty (locked)
- if you do need exclusions, define them (objects, processes, paths) in the Policy Manager Console and keep them locked, so the end-user cannot add exclusions at the local UI. Keep the list as short as possible: every exclusion is a location where malware can run unscanned.
E-mail Scanning on desktop level
F-Secure Antivirus > Settings for E-mail Scanning > Scanning Options > Incoming
Email Scanning > Action on Disinfection Failure = Remove attachment (Locked)
- if disinfection of the attachment fails, the complete attachment is removed.
F-Secure Antivirus > Settings for E-mail Scanning > Scanning Options > Common >
Inclusions and Exclusions > Included Extensions > Check included extensions that
have the default extensions to scan.
- Default extensions are: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT
VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ POT MSO PIF ACM ASP
AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK
WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML
PRC SHB LNK WSF {* PDF ZL? XML ANI BAT CMD DOC DOT JOB LSP MHT PHP
PPT SWF WMA WMV WMF WRI XLS XLT CLASS DOCX DOCM DOTX DOTM
DOCB XLSX XLSM XLTX XLTM XLSB XLAM PPTX PPTM POTX POTM PPAM PPSX
PPSM SLDX SLDM PUB
F-Secure Antivirus > Settings for E-mail Scanning > Scanning Options > Common >
Inclusions and Exclusions > Included Extensions for Compressed Files > check that
they are the default
- Default extensions are: ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
F-Secure Antivirus > Settings for E-mail Scanning > Scanning Options > Common >
Inclusions and Exclusions > Add Extensions Defined in Database Updates = Enabled
(locked)
- F-Secure may automatically add extensions to scan through database updates as new threats emerge.
F-Secure Antivirus > Settings for E-mail Scanning > Scanning Options > Common >
Inclusions and Exclusions > Excluded Extensions > Check for any 'dangerous' excluded extensions – (see list of included extensions above)
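The two list checks above (that the Included Extensions list, both here and under Real-Time Scanning, still matches the printed default, and that no 'dangerous' extension sits in the Excluded Extensions list) are easy to get wrong by hand because the lists use wildcards: DO? covers DOC and DOT, {* covers CLSID-style extensions. The script below is an added example, not F-Secure code and not a Policy Manager export format. It takes the default list exactly as printed in this document, a constructed drifted policy in which an administrator removed JS and DO? and excluded PDF and DOCM, and reports what is no longer covered. It assumes that an excluded extension overrides an included one, and it only looks at the last extension of a filename.

```python
"""Audit F-Secure 'Included Extensions' / 'Excluded Extensions' lists.

Added example, not F-Secure code. It models the scan decision as
"an included pattern matches AND no excluded pattern matches"; the pattern
syntax ('?' = one character, '*' = any run, '{*' = CLSID-style extension)
is taken from the list in this document.
"""
import fnmatch

# Default included extensions as listed in this document (Policy Manager Console v12).
DEFAULT_INCLUDED = (
    "COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL "
    "WIZ HTA PP? PWZ POT MSO PIF ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD "
    "OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE "
    "VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ANI BAT CMD DOC DOT JOB LSP "
    "MHT PHP PPT SWF WMA WMV WMF WRI XLS XLT CLASS DOCX DOCM DOTX DOTM DOCB "
    "XLSX XLSM XLTX XLTM XLSB XLAM PPTX PPTM POTX POTM PPAM PPSX PPSM SLDX "
    "SLDM PUB"
).split()


def ext_matches(ext, pattern):
    """Case-insensitive match of a bare extension against one PMC pattern."""
    return fnmatch.fnmatchcase(ext.upper(), pattern.upper())


def _probe(pattern):
    """A concrete extension that only the given pattern (or a wider one) can match."""
    return pattern.upper().replace("?", "_").replace("*", "_")


def extension_of(filename):
    """Last extension only: 'invoice.pdf.js' -> 'js'; CLSID names keep the '{...}' part."""
    return filename.rsplit(".", 1)[-1] if "." in filename else ""


def is_scanned(filename, included=DEFAULT_INCLUDED, excluded=()):
    """Would 'Files with these extensions' scanning touch this file?
    Assumption: an excluded extension overrides an included one."""
    ext = extension_of(filename)
    if any(ext_matches(ext, p) for p in excluded):
        return False
    return any(ext_matches(ext, p) for p in included)


def missing_defaults(included, default=DEFAULT_INCLUDED):
    """Default patterns the configured list no longer covers (catches deleted
    entries and narrowed wildcards such as DO? replaced by plain DOC and DOT)."""
    return [p for p in default if not any(ext_matches(_probe(p), q) for q in included)]


def dangerous_exclusions(included, excluded):
    """Excluded patterns that neutralise an included (dangerous) type: the check
    the document asks for on the Excluded Extensions list."""
    hits = []
    for e in excluded:
        clashes = [p for p in included
                   if ext_matches(_probe(e), p) or ext_matches(_probe(p), e)]
        if clashes:
            hits.append((e, clashes))
    return hits


# Constructed sub-domain policy: JS and DO? were removed from the included list,
# and PDF and DOCM were excluded "for performance".
DRIFTED_INCLUDED = [p for p in DEFAULT_INCLUDED if p not in ("JS", "DO?")]
DRIFTED_EXCLUDED = ["PDF", "DOCM", "TMP"]


def audit(included=DRIFTED_INCLUDED, excluded=DRIFTED_EXCLUDED):
    """Findings a reviewer would want from one policy domain."""
    return {
        "missing_defaults": missing_defaults(included),
        "dangerous_exclusions": [e for e, _ in dangerous_exclusions(included, excluded)],
        "Invoice.pdf.js scanned": is_scanned("Invoice.pdf.js", included, excluded),
        "macro.docm scanned": is_scanned("macro.docm", included, excluded),
        "run.ps1 scanned (defaults)": is_scanned("run.ps1"),
        "clsid name scanned (defaults)": is_scanned(
            "photo.jpg.{645FF040-5081-101B-9F08-00AA002F954E}"),
    }


if __name__ == "__main__":
    for finding, value in audit().items():
        print(f"{finding}: {value}")
```

Run it as a script to print the findings, or call audit() with the lists taken from a policy domain. Note that run.ps1 is not covered by the printed default list at all, which is one reason to keep Add Extensions Defined in Database Updates enabled and to add extensions per domain where needed.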
Automatic Updates
F-Secure Automatic Update Agent > Settings > Communications > Ask Before Download = no (Locked)
- prevent end-user from stopping downloads
Zero-hour Detection
F-Secure DeepGuard > Settings > Exploit protection = enabled (locked)
- protects browser from exploit attempts
F-Secure DeepGuard > Settings > Applications > Check for any 'suspicious'/'unknown' application that is allowed by DeepGuard to run
F-Secure Real-Time Protection Network Client > Participate in the Real-Time Protection Network = yes (Locked)
F-Secure Real-Time Protection Network Client > Client is enabled = Yes (Locked)
F-Secure Real-Time Protection Network Client > Excluded Domains (Check for any
'suspicious' domain)
- The Real-Time Protection Network is F-Secure's cloud reputation service and one of DeepGuard's methods for detecting zero-hour malware. An excluded domain is never queried, so this list should normally be empty.
F-Secure Network Filter > Excluded Applications > check for any application that is
not necessary to be included here.
BEST PRACTICE
FOR
F-SECURE E-MAIL AND SERVER SECURITY
E-MAIL TRAFFIC ON EXCHANGE
Administrator's web User Interface
Attachment Stripping
Transport Protection > Inbound Mail > Attachments > Strip attachments from Inbound e-mail messages = enabled
Transport Protection > Inbound Mail > Attachments > Strip these attachments = Disallowed Files
Transport Protection > Inbound Mail > Attachments > Action on disallowed attachments = Drop Attachment
Transport Protection > Inbound Mail > Attachments > Disallowed Files =
*.bat,*.cmd,*.com,*.exe,*.hta,*.js,*.jse,*.pif,*.scr,*.shs,*.vbe,*.vbs,*.{*
Transport Protection > Inbound Mail > Attachments > Quarantine stripped attachments = enabled
- strip incoming dangerous attachments (executables and scripts)
Incoming Virus protection
Transport Protection > Inbound Mail > Viruses > Scan inbound e-mail messages for viruses =
enabled
Transport Protection > Inbound Mail > Viruses > Heuristic scanning = enabled
Transport Protection > Inbound Mail > Viruses > Action on infected messages = drop attachment
Transport Protection > Inbound Mail > Viruses > Quarantine infected messages = enabled
Transport Protection > Inbound Mail > Grayware > Scan inbound e-mail messages for grayware = enabled
Transport Protection > Inbound Mail > Grayware > Action on Grayware = Drop attachment
Transport Protection > Inbound Mail > Grayware > Quarantine dropped grayware = enabled
Transport Protection > Inbound Mail > Archives > Scan archives = enabled
Transport Protection > Inbound Mail > Archives > List of files to scan inside archives = unsafe files
Transport Protection > Inbound Mail > Archives > Unsafe files = *.ACM, *.APP, *.ARJ, *.ASD,
*.ASP, *.AX, *.BAT, *.BIN, *.BOO, *.BZ2, *.CAB, *.CHM, *.CMD, *.CNV, *.COM, *.CPL,
*.CSC, *.DLL, *.DO?, *.DRV, *.EML, *.EXE, *.GZ, *.HLP, *.HTA, *.HTM, *.HTML, *.HTT,
*.INF, *.INI, *.JS, *.JSE, *.LHA, *.LNK, *.LZH, *.MDB, *.MP?, *.MSG, *.MSO, *.OBD, *.OBT,
*.OCX, *.OV?, *.P?T, *.PCI, *.PDF, *.PGM, *.PIF, *.PP?, *.PRC, *.PWZ, *.RAR, *.RTF, *.SCR,
*.SHB, *.SHS, *.SYS, *.TAR, *.TD0, *.TGZ, *.TLB, *.TSP, *.TT6, *.VBE, *.VBS, *.VSD,
*.VWP, *.VXD, *.WB?, *.WIZ, *.WML, *.WPC, *.WS?, *.XL?, *.XML, *.ZIP, *.ZL?, *.{*
Treatment of archive files (zip, rar, etc.)
Transport Protection > Inbound Mail > Archives > Excluded these files = <blank>
Transport Protection > Inbound Mail > Archives > Limit max levels of nested archives to 3 /
enabled
Transport Protection > Inbound Mail > Archives > Detect disallowed files inside archives =
disallowed files / enabled
- enable this setting with caution: inspecting the contents of every archive is resource intensive. In return it strips archives (zip, rar, etc.) that contain disallowed files (executables and scripts), which would otherwise pass the attachment-stripping rule unnoticed.
Transport Protection > Inbound Mail > Archives > Action on archive with disallowed files =
drop archive
Transport Protection > Inbound Mail > Archives > Action on max nested archives = drop archive
Transport Protection > Inbound Mail > Archives > Action on password protected archives =
drop archive
- beware that this setting blocks every password-protected archive (zip, rar, etc.), legitimate ones included, because their contents cannot be scanned.
Transport Protection > Inbound Mail > Archives > Quarantine dropped archives = enabled
Miscellaneous Options
Transport Protection > Inbound Mail > Other > Intelligent File type recognition = enabled
- intelligent file type recognition identifies file types by their content and not by their filename extension, so a renamed executable is still treated as an executable.
Transport Protection > Inbound Mail > Other > Limit max levels of nested message to 3 / enabled
Transport Protection > Inbound Mail > Other > Actions on mails with exceeding nesting levels = drop the whole message
Transport Protection > Inbound Mail > Other > Actions on malformed mails = drop the whole message
Transport Protection > Inbound Mail > Other > Quarantine problematic messages = enabled
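Putting the attachment-stripping, archive and intelligent-file-type-recognition rules above together, the following script is an added example (not F-Secure code) that applies them to a constructed set of attachments: a double-extension .js, a CLSID-style filename, an executable renamed to .pdf, an archive carrying an .exe, archives nested three and four levels deep, and a password-protected archive. It models ZIP only (the product also handles RAR, CAB and others), treats the outer archive as nesting level 1, recognises content by two constructed magic-byte signatures, and leaves virus and grayware scanning out. The encrypted fixture is produced by flipping the ZIP 'encrypted' flag bit, because Python's zipfile cannot write encrypted archives and the policy never needs to decrypt anything.

```python
"""Simulate the inbound transport-protection rules recommended above.
Added example, not F-Secure code: ZIP only, outer archive = nesting level 1,
content recognised by two constructed signatures, virus scanning out of scope."""
import fnmatch
import io
import zipfile

# Values copied from the recommended settings.
DISALLOWED_FILES = ["*.bat", "*.cmd", "*.com", "*.exe", "*.hta", "*.js", "*.jse",
                    "*.pif", "*.scr", "*.shs", "*.vbe", "*.vbs", "*.{*"]
MAX_NESTED_ARCHIVES = 3
MAGIC = {b"MZ": "exe", b"PK\x03\x04": "zip"}  # minimal content signatures (constructed)


def is_disallowed(name):
    """Match the entry's base name against 'Disallowed Files', case-insensitively."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return any(fnmatch.fnmatchcase(base, pat) for pat in DISALLOWED_FILES)


def sniff_type(data):
    """'Intelligent file type recognition' in miniature: decide by content, not name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def inspect_archive(data, level=1):
    """Apply the archive rules recursively. Returns (action, reason)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ("drop archive", "malformed archive")
    with zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose flag bit 0: entry is encrypted
                return ("drop archive", f"password protected entry: {info.filename}")
            if is_disallowed(info.filename):
                return ("drop archive", f"disallowed file inside archive: {info.filename}")
            payload = zf.read(info)
            kind = sniff_type(payload)
            if kind == "exe":
                return ("drop archive", f"executable content inside archive: {info.filename}")
            if kind == "zip":
                if level + 1 > MAX_NESTED_ARCHIVES:
                    return ("drop archive", f"nested deeper than {MAX_NESTED_ARCHIVES}: {info.filename}")
                action, reason = inspect_archive(payload, level + 1)
                if action != "deliver":
                    return (action, reason)
    return ("deliver", "archive holds no disallowed content")


def transport_action(name, data):
    """One top-level attachment: strip disallowed types, inspect archives, deliver the rest."""
    if is_disallowed(name):
        return ("drop attachment", "disallowed file type")
    kind = sniff_type(data)
    if kind == "exe":
        return ("drop attachment", "executable content behind a harmless extension")
    if kind == "zip":
        return inspect_archive(data)
    return ("deliver", "not a disallowed type or archive")


def evaluate(attachments):
    """Map attachment name -> action for a whole message."""
    return {name: transport_action(name, data)[0] for name, data in attachments.items()}


def _zip(entries):
    """Constructed fixture: an uncompressed ZIP holding the given name -> bytes entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def _mark_encrypted(data):
    """Fixture hack: set the 'encrypted' bit in every local and central-directory
    header so infolist() reports the entries as password protected."""
    out = bytearray(data)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = out.find(sig)
        while i != -1:
            out[i + off] |= 0x01
            i = out.find(sig, i + 1)
    return bytes(out)


SAMPLE_ATTACHMENTS = {  # constructed
    "invoice.pdf": b"%PDF-1.4 constructed sample",
    "statement.pdf": b"MZ\x90\x00 constructed PE header",          # renamed executable
    "Invoice_2016.PDF.js": b"var a=1;",                            # double extension
    "photo.jpg.{645FF040-5081-101B-9F08-00AA002F954E}": b"jfif",   # CLSID-style name
    "payroll.zip": _zip({"payroll.xlsx.exe": b"MZ"}),
    "three_levels.zip": _zip({"l2.zip": _zip({"l3.zip": _zip({"notes.txt": b"ok"})})}),
    "four_levels.zip": _zip({"l2.zip": _zip({"l3.zip": _zip({"l4.zip": _zip({"x.txt": b"x"})})})}),
    "locked.zip": _mark_encrypted(_zip({"contract.docx": b"constructed document"})),
    "report.zip": _zip({"report.txt": b"plain text"}),
}

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        print(f"{name}: {transport_action(name, data)}")
```

The order of checks inside an archive matters: the encrypted-flag test comes first because an encrypted entry cannot be read, and the name test comes before the content test because it needs no decompression. The 'three_levels' fixture is delivered while 'four_levels' is dropped, which is the behaviour of the nesting limit as modelled here.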
Storage Protection Real-time scanning
Storage Protection > Real-time scanning > Viruses > Scan mailboxes = scan all mailboxes
Storage Protection > Real-time scanning > Viruses > Scan public folders = scan all public folders
Storage Protection > Real-time scanning > Viruses > Scan these attachments = unsafe files
Storage Protection > Real-time scanning > Viruses > Exclude these attachments = <blank>
Storage Protection > Real-time scanning > Viruses > Actions > Try to disinfect = disabled
Storage Protection > Real-time scanning > Viruses > Actions > Quarantine infected attachments = enabled
Policy Manager Console Advanced Mode
F-Secure Content Scanner Server > Settings > Virus Scanning > Scan Engines > All engines
enabled
F-Secure Content Scanner Server > Settings > Virus Scanning > Action if Engine Malfunctions
= Return Scan Error
F-Secure Content Scanner Server > Settings > Virus Scanning > Scan Inside Archives = Enabled
F-Secure Content Scanner Server > Settings > Virus Scanning > Suspect Max Nested Archives = Treat as Unsafe
F-Secure Content Scanner server > Settings > Virus Scanning > Suspect Password Protected
Archives = Treat As Unsafe
F-Secure Content Scanner server > Settings > Virus Scanning > Scan extensions inside archives > check that they are the default extensions
- default extensions: ACM APP ARJ ASD ASP AX BAT BIN BOO BZ2 CAB CHM
CMD CNV COM CPL CSC DLL DO? DRV EML EXE GZ HLP HTA HTM HTML HTT
INF INI JS JSE LHA LNK LZH MDB MP? MSG MSO OBD OBT OCX OV? P?T PCI
PDF PGM PIF PP? PRC PWZ RAR RTF SCR SHB SHS SYS TAR TD0 TGZ TLB TSP
TT6 VBE VBS VSD VWP VXD WB? WIZ WML WPC WS? XL? XML ZIP ZL? {*
F-Secure Content Scanner server > Settings > Virus Scanning > Extensions Allowed in Password Protected Archives = <empty>