© 1993-2017 F-Secure Corporation. All rights reserved.
Portions Copyright © 2004 BackWeb Technologies Inc.
Portions Copyright © 1997-2014 BitDefender.
This product includes software developed by the Apache Software Foundation (http://www.apache.org/).
Copyright © 2000-2004 The Apache Software Foundation. All rights reserved.
This product includes PHP, freely available from http://www.php.net/.
Copyright © 1999-2015 The PHP Group. All rights reserved.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
Copyright © 1998-2015 The OpenSSL Project. All rights reserved.
This product includes software written by Tim Hudson.
This product includes optional Microsoft SQL Server 2014 Express edition.
Copyright © 2014 Microsoft Corporation. All rights reserved.
This product may be covered by one or more F-Secure patents, including the following:
GB2353372, GB2366691, GB2366692, GB2366693, GB2367933, GB2368233, GB2374260
This document contains late-breaking information about the F-Secure Email and Server Security 12.10 release. We strongly recommend that you read the entire document before installing the software.
F-Secure continuously improves documentation. Refer to the latest version of this document online on the F-Secure website.
Important notice: This release of F-Secure Email and Server Security 12.10 Standard and Premium can be used with F-Secure Policy Manager (or managed with the local Web User Interface). This version cannot be used with the cloud-based F-Secure Protection Service for Business management portal.
F-Secure Email and Server Security provides protection for your Microsoft Windows Server, Microsoft SharePoint Server, Microsoft Exchange Server, Microsoft Small Business Server, Citrix XenApp, and Windows Terminal servers. The solution can be licensed and deployed as F-Secure Server Security (Standard) or F-Secure Server Security Premium, on a per-server basis, or as F-Secure Email and Server Security (Standard) or F-Secure Email and Server Security Premium, on a per-user or terminal connection basis.
This new F-Secure Email and Server Security solution release includes the following features:
- Virus & spyware protection – protects your computer against viruses, trojans, spyware, rootkits and other malware.
- DeepGuard™ – proactive, instant protection against unknown threats. It monitors application behavior and stops potentially harmful activities in real-time.
- Web traffic scanning – detects and blocks malicious content in web traffic (HTTP protocol) to provide additional protection against malware.
- Browsing protection – protection for your terminal users against web browser exploits and rogue web sites.
- Anti-Virus for Microsoft Exchange – protects incoming, outgoing, and internal mail traffic and Exchange public folders from malware and other security threats and provides content and attachment filtering.
- Spam Control – detects and filters spam messages from email traffic providing real-time protection against all types of spam, regardless of its content, format or language.
- Email Quarantine Manager – allows dedicated users to release, reprocess, and delete quarantined emails and attachments from the email quarantine.
- Offload scanning agent for virtual environments – lets you offload malware scanning to F-Secure Scanning and Reputation Server in Virtual and Cloud Environments.
- Software Updater – keeps your system and applications up-to-date by installing patches as they are released by vendors.
- Anti-Virus for Microsoft SharePoint – real-time protection for the Microsoft SharePoint servers, scanning the uploaded and downloaded content for malware and other security threats.
- EMC CAVA support – provides Anti-Virus configuration when working in EMC CAVA environment.
The table below shows which features are enabled with different product licenses.
|Feature||F-Secure Server Security||F-Secure Server Security Premium||F-Secure Email and Server Security||F-Secure Email and Server Security Premium|
|Virus & spyware protection||●||●||●||●|
|Web traffic scanning||●||●||●||●|
|Offload Scanning Agent||●||●||●||●|
|Anti-Virus for Microsoft Exchange||●||●|
|Email Quarantine Manager||●||●|
|Anti-Virus for Microsoft SharePoint||●|
|EMC CAVA support||●|
The solution is available in the following languages: English, Chinese Simplified, Chinese Traditional, French, German, Italian, Japanese, Korean, Polish, Spanish (Latin America), and Swedish.
- New features and improvements
- Support for Windows Server 2016
- Web Console visual and structural improvements
The Web Console navigation and terminology have been revised to be clearer and more self-descriptive. Some console pages and tabs have been combined to make administration easier.
- Email Quarantine Manager web application
The new version has a new web application for email quarantine management by help desk users. The application is aimed at users with limited access and no administrative privileges, and it provides a subset of the quarantine management functionality. Web Console features are not affected by this application.
To deploy the Email Quarantine Management application, see the configuration instructions that are provided with the product installer.
- Report-only option for on-demand and scheduled email scanning
Added support to scan email boxes in report-only mode. In this mode, email content is not modified, so no disinfection or other content-altering operations take place.
- Password-protected uninstallation
An administrator can set an uninstallation password for managed hosts, which can be configured via policies from the Settings > Centralized management view.
- Support to download software updates from Policy Manager
As of version 12.20, you can distribute software updates to managed endpoints with Policy Manager. Hosts use Policy Manager as the primary updates source and fall back to the vendor’s side if necessary.
- Other changes and improvements
Email and Server Security triggers alerts if F-Secure Quarantine Management (FQM) runs into problems.
The product comes with Microsoft SQL Server 2014 Service Pack 2 Express.
Note: This Email and Server Security version requires Policy Manager 12.30.
- Fixed issues
- This section lists important issues fixed in this release:
- CTS-97730: ‘Unknown’ attachment matches ‘All Files’ stripping condition
- CSEP-3037: Exchange ODS should report scan errors
- CSEP-2655: WebUI daemon logs rotation
- CSEP-3033: ESS WebUI does not detect the daylight saving changes
- Dropped features
- SQL Server 2005 is not supported any longer. The new format of the quarantine management database requires SQL Server 2008 or later. If you have used SQL Server 2005 for the quarantine management, update SQL Server to one of the recommended versions before you update Email and Server Security to version 12.10.
Before you install the product, we recommend that you review sections in this topic to ensure that your network, hardware, software, and other system components meet the requirements.
Note: The minimum hardware requirements may not be sufficient if you run multiple services on the same system.
- System requirements for F-Secure Email and Server Security installation
- To install F-Secure Email and Server Security, the following minimum hardware and system requirements are recommended.
- Any computer that meets the requirements for the supported operating system.
- 10 GB or more disk space is recommended.
- Internet connection is required to receive updates and to use cloud-based detection.
- Supported operating systems
- The product can be installed on a computer running one of the following operating systems:
- Microsoft Windows Server 2008
- Microsoft Windows Server 2008 R2
- Microsoft Small Business Server 2008
- Microsoft Small Business Server 2011, Standard edition
- Microsoft Small Business Server 2011, Essentials
- Microsoft Windows Server 2012
- Microsoft Windows Server 2012 Essentials
- Microsoft Windows Server 2012 R2
- Microsoft Windows Server 2012 R2 Essentials
- Microsoft Windows Server 2012 R2 Foundation
- Microsoft Windows Server 2016 Standard
- Microsoft Windows Server 2016 Essentials
- Microsoft Windows Server 2016 Datacenter
- Microsoft Windows Server 2016 Core (SS/ESS only)
Note: Windows Server 2016 Nano is not supported.
All Microsoft Windows Server editions are supported except:
- Windows Server for Itanium processor
- Windows HPC editions for specific hardware
- Windows Storage editions
- Windows MultiPoint Server
- Windows Home Server
Note: All operating systems are required to have the latest Service Pack installed.
Note: For performance and security reasons, you can install the product only on NTFS partition.
- Supported Microsoft Exchange Servers
- F-Secure Email and Server Security can be installed on a computer running the following Microsoft Exchange Server versions:
- Microsoft Exchange Server 2007 (64-bit version) with the latest service pack
- Microsoft Exchange Server 2010 service pack 2, service pack 3
- Microsoft Exchange Server 2013 w/o service pack, service pack 1
- Microsoft Small Business Server 2008
- Microsoft Small Business Server 2011, Standard edition
- Microsoft Exchange Server 2016
The product supports the following roles of Microsoft Exchange Server 2007/2010:
- Edge Server role
- Hub Server role
- Mailbox Server role
- Combo Server (Mailbox Server and Hub Server roles)
Note: The 32-bit version of Microsoft Exchange Server 2007 is not supported.
Important: The Collaboration Data Objects for Exchange (CDOEX) update is required if you plan to install F-Secure Email and Server Security on Microsoft Exchange Server 2007 running on Microsoft Windows Server 2008 R2. The update and installation instructions are available in Microsoft Knowledge Base article 98270. It is important to note that the CDOEX update must be installed before installing Microsoft Exchange Server 2007 SP3.
Note: Microsoft Exchange Server 2013 SP1 requires a special fix, which allows third-party or custom-developed transport agents to be installed correctly. The fix and its installation instructions are available in Microsoft Knowledge Base article 2938053.
To use Email Quarantine Manager, you need Microsoft Internet Information Server up and running in your environment. This is available as part of Microsoft Exchange Server.
- Cluster environments
- F-Secure Email and Server Security can be installed on Microsoft Exchange Server clusters. The following cluster configurations are supported:
- Microsoft Exchange Server 2007 Cluster Continuous Replication (CCR) model
- Microsoft Exchange Server 2007 Single Copy Cluster (SCC) model
- Microsoft Exchange Server 2010 Database Availability Groups
- Microsoft Exchange Server 2013 Database Availability Groups
- Microsoft Exchange Server 2016 Database Availability Groups
- SQL Server requirements
- F-Secure Email and Server Security requires Microsoft SQL Server for the quarantine management. The following versions of Microsoft SQL Server are recommended:
- Microsoft SQL Server 2008 (Enterprise, Standard, Workgroup or Express Edition)
- Microsoft SQL Server 2008 R2 (Enterprise, Standard, Workgroup or Express Edition)
- Microsoft SQL Server 2012 (Enterprise, Business Intelligence, Standard, or Express Edition)
- Microsoft SQL Server 2014
- Microsoft SQL Server 2016
Microsoft SQL Server 2014 Service Pack 2 Express edition is distributed with the product and can be installed during F-Secure Email and Server Security setup.
Note: Microsoft .NET Framework version 3.5 SP1 with KB 956250 applied and Microsoft Windows Installer 4.5 are required to install Microsoft SQL Server 2014 Express. They can be downloaded from Microsoft Download Center. If you plan to have Microsoft SQL Server on the same server, install these components before installing F-Secure Email and Server Security. Microsoft .NET Framework version 4.0 is required for Microsoft SQL Server 2014 to work. During installation of the Express edition, Microsoft .NET 4.0 is downloaded and installed if it was not installed previously. The installation cannot be performed on a remote desktop console or on the Core edition of Windows Server.
Important: We do not recommend using MSDE or Microsoft SQL Server Express edition if you are planning to use the centralized quarantine management or if your organization sends and receives a large amount of emails. For more information about the limitations of the Microsoft SQL Server Express or MSDE, see the product manual.
- Microsoft Internet Information Server
- Email Quarantine Management is an ASP.NET web application. To use it, IIS should be up and running, which is also a requirement for Exchange Server.
- Supported terminal servers
- F-Secure Email and Server Security supports the following terminal server platforms:
- Microsoft Windows Terminal/RDP Services (on the above mentioned Windows Server platforms)
- Citrix XenApp 5.0
- Citrix XenApp 6.0
- Citrix XenApp 6.5
- Citrix XenApp 7.5 & 7.6
- Supported Microsoft SharePoint servers
- F-Secure Email and Server Security can be installed on a computer running the following Microsoft SharePoint Server versions:
- Microsoft SharePoint 2010 with the latest service pack
- Microsoft SharePoint 2013 with the latest service pack
- Microsoft SharePoint 2016
- Centralized management requirements
- F-Secure Policy Manager 12.30 is required if you plan to centrally manage F-Secure Server Security or F-Secure Email and Server Security products.
- Browser requirements
- To administer the product with F-Secure Web Console, one of the following web browsers is required:
- Microsoft Internet Explorer 9.0 or later
- Mozilla Firefox (up-to-date versions)
- Google Chrome (up-to-date versions)
The same browsers are required to use Email Quarantine Manager.
Setup and configuration
- Installation instructions
- Note: Push installation through Policy Manager Console is not supported for clean installations of F-Secure Email and Server Security, only for upgrades.
Before you install F-Secure Server Security or F-Secure Email and Server Security, uninstall any potentially conflicting products, such as other antivirus or server security software.
To install the product, you need to log in with administrator-level privileges.
- Installation instructions in Virtual Environments using the F-Secure Offload Scanning Agent
- If you want to deploy F-Secure Email and Server Security in a virtual environment using the Offload Scanning Agent to minimize the performance impact on the virtualization infrastructure, select the Offload Scanning Agent for installation during the product setup.
For detailed installation instructions for this feature, refer to the F-Secure Security for Virtual and Cloud Environments deployment guide.
Note: You need to have the F-Secure Scanning and Reputation Server in place for this functionality to work.
- Remote installation
- Remote installation with F-Secure Policy Manager is possible for F-Secure Server Security components only. To deploy F-Secure Email and Server Security, perform an attended installation either locally or over a remote desktop connection.
- Centralized management installation
- To configure centralized management during the interactive installation, specify the F-Secure Management Server address in the form of host name or host IP address without protocol prefix and port suffix. Use the default HTTP port and HTTPS port values unless you have a non-standard environment.
- Upgrade installation
- You can upgrade F-Secure Email and Server Security from the previous versions of F-Secure products by running the setup program and following the installation instructions. You can upgrade the following product versions:
- F-Secure Server Security 11.00, 11.01 or 12.00
- F-Secure Email and Server Security 11.00, 11.01 or 12.00
Refer to the manual for detailed upgrade instructions.
Note: Upgrading or reinstalling the product over similar PSB products is not supported. Uninstall PSB Server Security or PSB Email and Server Security before installing this product.
- Using included Microsoft SQL Server
- Microsoft SQL Server 2014 Service Pack 2 Express edition is distributed with the product and included in the product installation package. If you do not have an installed version of Microsoft SQL Server, you can install and configure this version during the F-Secure Email and Server Security setup.
- Using pre-installed Microsoft SQL Server
- If you want to use F-Secure Email and Server Security with your own installation of Microsoft SQL Server, make sure that you select the Mixed mode in the Authentication mode page. To change the authentication mode after the installation, refer to the Microsoft SQL Server documentation.
- Reconfiguration of Quarantine storage
- During the installation, F-Secure Email and Server Security is configured to exclude folders used for quarantine from the file scanning to prevent interference with any operation of the email scanning. If the location of the Quarantine storage folder is changed in future, reconfigure the product to exclude the folder from the real-time file scan. Refer to the manual for detailed instructions on how to exclude folders.
- Installation and configuration of Email Quarantine Manager
- After installing Email and Server Security 12.10 with Anti-Virus for Microsoft Exchange on your server, see the following file for further instructions:
C:\Program Files (x86)\F-Secure\Quarantine Manager\tools\eqm\EQM installation instructions.htm
- Uninstallation instructions
- To uninstall F-Secure Server Security or F-Secure Email and Server Security, use Programs and Features in the Windows Control Panel. Restart the server after uninstalling all the components.
Note: Some files and directories may remain under the product installation directory (%ProgramFiles(x86)%\F-Secure), product data directory (%ProgramData%\F-Secure), and user’s temporary directories (%TEMP%) after you uninstall the product. We recommend that you remove these directories and files manually.
Note: Uninstalling F-Secure Email and Server Security does not uninstall Microsoft SQL Server 2014 Express and its prerequisites, if they were installed with the product. Use the corresponding item in Control Panel to uninstall it.
Note: To uninstall Email Quarantine Management, manually reconfigure Microsoft IIS in reverse order to the steps used during installation.
- Installation and uninstallation
- Admin.pub cannot be located during installation on Windows Server Core edition (CTS-69882)
When installing the product on Windows Server Core platform, the Browse button in the Setup wizard does not work because the common Windows dialog is missing. Enter the path to the admin.pub file manually to continue.
Some UI elements look messy during the product setup on Windows Server 2016 Core edition
When installing the product on Windows Server 2016 Core edition, checkbox and radio button elements in the product installer look messy.
Windows Defender has to be explicitly disabled on Windows Server 2016
When installing the product on Windows Server 2016, Windows Defender needs to be explicitly disabled or uninstalled.
Entering full license key does not activate On Access Scanning and On Demand Scanning immediately (CTS-70470)
When your evaluation version of the product expires and you enter the full license key, on-access and on-demand scanning may not be activated immediately and thus not provide full server protection. It may take up to half an hour before the product is fully functional. To speed up the license activation process, restart FSGKHS service or reboot the server.
Shifting evaluation license from one product edition to another is not supported
You cannot register the evaluation installation of F-Secure Server Security with the full license key for F-Secure Email and Server Security or vice versa. If you want to purchase a license for a different product, uninstall the evaluation product first.
Setup displays “STSADM.EXE – Application Error” dialog when user enters an account without sufficient permissions (CSEP-1362)
In some cases if you use an account that does not have proper permissions, you can get an application error message. Close the message to get the correct dialog.
Uninstallation status Failed: F-Secure Management Agent could not get the results for the previous installation… (CSEP-1395)
In some cases, the uninstallation from Policy Manager Console produces this status message, which does not reflect the real status. The uninstallation succeeds.
At uninstallation: the call to STSADM.EXE may fail (CSEP-1345)
Uninstallation of Anti-Virus for Microsoft SharePoint tries to change SharePoint anti-virus settings back. This operation may not succeed if you use an account that does not have permissions to change SharePoint settings (changing these settings requires a special account). After the uninstallation completes, log in to SharePoint Management Console and make sure “Scan on upload” and “Scan on download” anti-virus settings are switched off.
- Anti-Virus for Microsoft SharePoint
- Quarantine is not supported
The current release of Anti-Virus for Microsoft SharePoint blocks infected files and malware in real-time – when they are uploaded or downloaded. It does not move these files to quarantine. To disinfect or quarantine these files, use Anti-Virus at file level.
Scanning on demand is not supported
The current release of Anti-Virus for Microsoft SharePoint blocks infected files and malware in real-time and does not provide manual (on-demand) or scheduled scans of the SharePoint database.
The setting “list of files to be excluded from scan inside archives” for AV4SP doesn’t work (CSEP-1393)
Even though an extension is specified in the list of files to be excluded, files with the specified extension are scanned inside archives.
- Virus and Spyware Protection
- Scanning big folders does not disinfect found malware if scanning is interrupted (CTS-68901)
When a manual scan task that was started from the Web Console is interrupted, the admin-defined actions may not take place for found malware or spyware items. Run the manual scan again and wait until it is completed for the actions to take place.
EFS encrypted file cannot be scanned via scheduled scanning (CTS-88303)
The server can have many users and every user can have encrypted files. To scan these files, the scan must run under user credentials. The scheduled scan runs under the local system account and cannot decrypt these files. Guide each user to manually scan his/her encrypted files.
- Browsing Protection
- Browsing protection search results
Browsing protection does not show safety ratings on search result pages that use HTTPS.
- Web Traffic Scanning
- Web Traffic Scanning does not handle encrypted traffic
The current version of Web Traffic Scanning cannot handle the content of encrypted network traffic, for example HTTPS protocol.
- Web Console
- Manual Scanning does not allow scanning of mapped network drives/shares (CTS-70572)
When you log in to Web Console, it does not load the full user profile, so you cannot scan a network drive or a share from the manual scanning page. Scan network drives and shares with “Virus and spyware scanning” menu from F-Secure icon in the system tray or with the “Scan Folder for Viruses” menu from Windows Explorer.
Web Console might delay on refreshing the page automatically
Sometimes after you change and save a new setting (for example, the language of the user interface), there may be a delay of a few seconds while the Web Console tries to automatically refresh the page.
- Cluster environments
- Messages may not be scanned when Exchange is moved from one cluster node to another (CTS-62925)
When Exchange cluster groups are moved from one node to another while the product is running on Active-Passive cluster environment, F-Secure Anti-Virus for Microsoft Exchange service can be down for a short time. While the service is down, some email messages may not be scanned on the transport level. However, all email messages and attachments are scanned without interruptions on the storage level.
Incorrect quarantine statistics are shown when Web Console is open on the passive node (CTS-63021)
Quarantine and other product statistics are not updated on the passive node as some of the product services are down or suspended. Therefore, when you connect to the Web Console on the passive node, the product status and statistics are not shown correctly. We strongly recommend that you connect to the Web Console using the name or IP address of the cluster instead of the name or IP address of the cluster nodes.
- Disclaimers are not added to messages released from quarantine (CTS-67265)
Disclaimers are not added to outbound mails that are manually released from the Quarantine, since it is not possible to say if they are safe or not.
Disclaimer is not added to TNEF mails with empty body (CTS-70123)
Disclaimer is not added to TNEF encoded mails with empty message bodies that have no text and no attachments. This occurs only on Microsoft Exchange Server 2007.
Disclaimer is not added to mails if sender/recipient is in the list of trusted senders/recipients (CTS-70124)
If the email sender or recipient is included in the Trusted Senders or Trusted Recipients list, the disclaimer is not added to the message.
- Recipients are not listed for quarantined attachments that are blocked in real-time (CTS-73434)
If malicious or disallowed attachments are blocked during real-time scanning in the Exchange store, they are listed in the Quarantine Query without the name of the corresponding recipient mailbox where they have been blocked. However, the information about the mailbox that contains the malicious or disallowed attachment is in the product alerts.
Contact information and feedback
We look forward to hearing your comments and feedback on the product functionality, usability and performance.
Please report any technical issues via:
- F-Secure support web site: http://support.f-secure.com
- F-Secure Community: http://community.f-secure.com/t5/End-point/bd-p/End-point_Security
Before sending us a report about your issue, run F-Secure Support Tool FSDiag.exe on the host that is running F-Secure Server Security or F-Secure Email and Server Security. This utility gathers basic information about hardware, operating system, network configuration and installed F-Secure and third-party software that helps us to analyze and solve the issue.
You can run the F-Secure Support Tool from the Web Console as follows:
- Log in to the Web Console.
- Type https://127.0.0.1:25023/fsdiag/ in the address field of the browser. (If you are accessing the server remotely, use the real IP address of the server instead of 127.0.0.1).
- F-Secure Support Tool starts automatically and the dialog displays the data collection progress.
- When the tool has finished collecting the data, click Report to download and save the collected data.
You can also run the FSDiag.exe utility under %ProgramFiles(x86)%\F-Secure\Common folder. The tool generates a file called FSDiag.tar.gz.
F-Secure license terms
F-Secure license terms are included in the software. You must read and accept them before you can install and use the software.