Linux Security 7.02 has been released

November 25th, 2008 by Tuukka

A new version of Linux Security 7 is available. Please find the product package here:

f-secure-linux-security-7.02.73807.tgz (MD5, SHA1)

This release contains several bug fixes. For example, scanning speed for certain types of archive files has been improved, and the automated command-line-only installation now works properly. Have a look at the release notes for a more in-depth view of what has changed.

Please note that from now on, the product manual will be available for downloading separately, which makes it easier for us to keep it up to date. You can find it on the F-Secure Product Manuals web page, as well as here.

Rescue CD 3.01 released

November 25th, 2008 by Tuukka

We recently made a small new feature for the Rescue CD. One of our customers had problems with a system file that was renamed by our virus scanner, but the detection was actually a false positive. The problem was of course promptly fixed in the anti-virus databases, but since the system file was renamed, the machines in question failed to boot. To help this customer we implemented a new feature for Rescue CD that allows the user to run repair scripts from a USB stick when booting with the Rescue CD. Since this feature might be useful in some other situations too, we decided to make a new public release. Here are instructions on how to use the feature:

1. Copy the script (repair_script.sh) onto a USB stick, in a folder called fsecure/rescuecd (for example, in Windows this might be E:\fsecure\rescuecd\repair_script.sh). The script must be called repair_script.sh, and if the script is from F-Secure, it should have an accompanying gpg signature file (repair_script.sh.sig) which should also be copied to the same folder.

2. Insert the USB stick in the broken computer and boot the computer using Rescue CD 3.01.

3. When Rescue CD asks which partitions to scan, there is now a new option to run the repair script. Select that, and which partitions you want to run the script on, and continue.

4. If the script is not from F-Secure or the gpg signature is not correct, the script will still be shown, but Rescue CD will display a warning and ask if you still want to run the script.

5. After the script has run, the results will be displayed and you have the option to continue with a file system scan or reboot the computer.

Please note that this version only supports running the repair script before the actual virus scan. So if you must run a repair script after a virus scan, you should first boot and scan the computer, and then insert the USB stick containing the repair script and reboot with Rescue CD.

The new version can be downloaded here.

checksums for f-secure-rescue-cd-release-3.01-14505.zip:
md5sum: 5c2b86cdb11f9d1cade3243818afb7ca
sha1sum: 8eb21784e780222c1823c09d9e21ac577888ba4c

Rescue CD 3.00 FAQ

August 27th, 2008 by epa

It seems that some people have experienced problems with Rescue CD not mounting NTFS partitions for scanning.

If you encounter a display that looks like this, it means that the partition was not mounted for some reason. In this case it is only one partition (hda1), but it could be multiple partitions.

If mounting failed because the NTFS partition was marked dirty (Windows had not been properly shut down), there are ways to try to fix this.

[Image: Mount error dialog]

The best solution in this case is to detach the network cable or disable wireless, then boot Windows, preferably into Safe Mode, by removing the CD, pressing F8 during the boot sequence and selecting “Safe Mode”. After Windows has booted, select shutdown. After the machine has turned itself off, attach or enable the network again and boot into Rescue CD.

However, if your computer is so badly infected that booting to Windows will not work or it gets hung up till infinity and beyond, you might be able to mount the problematic partitions for scanning with the following procedure.

Press Alt-F2 and type the following at the command prompt:
root!tty2:/# grep scan /tmp/mount_error_details.txt

You should get the commands that you can try to use for mounting dirty NTFS partitions, for example:
mount -t ntfs-3g /dev/hda1 /mnt/scan/hda1 -oforce
mount -t ntfs-3g /dev/hda5 /mnt/scan/hda5 -oforce

[Image: How to mount dirty partition]

With the df command you can verify whether the mount succeeded and also check the partition information (how big it is and how much of it is used/free).

After you have verified that the partition you wish to scan is mounted, press Alt-F1, then press Enter to verify next and continue with the scanning process.

The workaround is a bit complicated, I know. We will try to fix the issue in the next version of Rescue CD.

F-Secure Rescue CD 3.00 released

June 19th, 2008 by Juha

[Image: F-Secure Rescue CD 3.00 splash screen]

We released F-Secure Rescue CD 3.00 beta two weeks ago. After one more development sprint, here’s the actual release of F-Secure Rescue CD 3.00 for you!

Rescue CD scans the computer and renames all files containing malware to the .virus file extension.

  • Rescue CD will by default scan:
    • all hard drives in the computer
    • all USB drives attached to the computer
    • Windows FAT and NTFS drives
  • Virus definition databases are updated automatically if the computer has an internet connection
  • Virus definition databases can be updated manually by using a USB drive
  • The Rescue CD Guide (pdf) has step-by-step instructions on how to use the CD

Rescue CD is localized to English only.

The release package including an ISO image, the manual and release notes can be downloaded here. See the release notes for more information. Feel free to send us feedback!

details of f-secure-rescue-cd-3.00-release.zip:
size: 153MB
md5sum: ed690b558493c3096bb666ea19749316
sha1sum: 71017c8325e90aaf19f8d2cb2f235519239384c2

F-Secure Rescue CD 3.00 BETA released

June 6th, 2008 by ripa

[Image: F-Secure Rescue CD 3.00 splash screen]

The next version of F-Secure Rescue CD is going to see the daylight in a few weeks. And here comes a feature-complete beta for you to try. The big changes compared to 2.00 include a proper manual for the product, the ability to update databases manually with a USB stick, better hardware support (Knoppix version 5.3.1), an upgraded NTFS driver (NTFS-3G 1.2506) and the ability to detect MBR viruses.

The beta package including an ISO image, the manual and release notes can be downloaded here. See the release notes for more information. Keep the feedback flowing!

details of f-secure-rescue-cd-3.00-beta.zip:
size: 151MB
md5sum: 8a66ca08ccdcb4759fae6bc9ce1818df
sha1sum: abdec0cd567880170c6e5fea2c780c549d82730a

Linux Security 7.01 released

May 23rd, 2008 by Rasmus

Linux Security 7.01 has now been released, addressing the issue we blogged about last week. We urge all users to upgrade, even if you are using the Server Edition keycode. To prevent users from accidentally installing the old version, we have changed all keycodes - please contact your reseller to get the new 7.01 keycodes.

As the problem only occurred in certain circumstances, we have only received very few reports from customers that their systems have been affected. It was after investigating the first customer report that we decided to recall the product to minimize the potential impact on other customers. We would still like to hear from you if you think you have been affected - you can find our email address in the footer of the page.

With this version, we have also included Ubuntu 8.04 LTS as an officially supported platform.

You can download Linux Security 7.01 here, and please read the release notes:

We are recalling Linux Security 7.00

May 15th, 2008 by Rasmus

We have discovered that the Linux Security 7.00 that we released just three weeks and a few days ago, contains a very serious bug that can have severe consequences for customer systems. The short version is: if you have installed Linux Security 7.00 and you are using the Client Edition keycode, please uninstall immediately to prevent further damage to your system. Below I have included the official recall notification sent to our maintenance notification mailing list and partners.

How could this happen? There really is no excuse to let this kind of thing pass our testing. We have often boldly and proudly talked about our extensive testing and validation processes - and yet we failed to catch this bug. There were a number of things that went wrong, each of which should have caught this mistake. We do code reviews, automatic tests, manual validation, etcetera, and still at each of those steps human error made this possible. While researching this issue, most of our mistakes became very apparent to us, and steps have already been taken to prevent this and similar things from happening in the future, but we will still need to carefully examine this situation to figure out every possible way to fix our tools, processes and mindsets.

Here is the recall notification:

RELEASE RECALL

A serious issue has been discovered in the newly released F-Secure Linux
Security 7.00. The flaw only affects installations using the Client
Edition keycode. When triggered, the bug will cause serious data loss
and possibly render the system unusable by removing the entire /var
directory hierarchy. In other cases, random sub-directories of /var can
be silently deleted from the system. Installations using the Server
Edition keycode or running in evaluation mode are not affected.

To recover, the user must restore the /var directory from a backup.

F-Secure is urging all users of F-Secure Linux Security 7.00 Client
Edition to not make new installations and immediately uninstall it from
all systems to prevent further damage.

To check if your system is affected, run:

  grep "Device or resource busy" /var/opt/f-secure/fssp/dbupdate.log

If the command returns one or more rows, there is a high probability
that parts of your /var directory structure have been deleted and must be
restored from a backup.

F-Secure will release F-Secure Linux Security 7.01 within a few days,
that will fix this issue. A new notification will be posted when this
new version is available.

What’s going on with Linux right now

May 8th, 2008 by ripa

Greetings from HP Linux Forum 2008! Some members of our team are participating in one of the biggest Linux events here in Helsinki, Finland.

The crowd here is a nice mix of traditional Linux nerds, some people a bit more business-oriented and some from the public sector. Linux seems to be doing well - judging from the number of participants - as the subjective estimate is that there are more people than last year.

[Image: Linux Forum 2008]

Hot topics are of course still virtualization, just like last year, interoperability in heterogeneous environments and also the trend towards communities. There’s a nice SMS poll system in use here, showing the poll results on a big screen in real time. One poll showed that way over 80% of the participants were using both Linux and Windows in their companies. The Finnish Linux User Group’s prize went to the Ubuntu Finland community. Congratulations, well done!

There was a very good and entertaining speech from Teppo Sulonen, the CIO of the City of Tampere. He was praising not only open source software, but openness in a bigger sense. Three big cities in Finland have started working together on a common ICT infrastructure. The system is being implemented using common standards and open source technologies instead of the old style of all the cities building their own incompatible systems using proprietary technologies.

Karl Paetzel from HP commented that even if Linux isn’t necessarily in every corner of every datacenter, it is mainstream for almost every customer they talk with. So I think that even if the great coming of desktop Linux may not be here yet, it looks like Linux is very much mainstream in almost every other area.

Signing out,
Ripa

New settings for archive scanning

April 25th, 2008 by sti

Linux Security 7 is now out and with it is a new version of Security Platform, v. 2.0. Security Platform is our scanning core. It contains the scanning daemon and everything else related to malware detection.

The scanning daemon, fsavd, has some new settings. These did not make it to the LS7 manual, mainly because we did not think too many people would be interested in peeking under the hood.

For those who are interested, here are the details:

First setting:
F-Secure Security Platform / Settings / Advanced / Archive Settings / Maximum archive size to decompress into memory (1.3.6.1.4.1.2213.48.1.100.10.10.10)
Any archive smaller than this size will be decompressed in memory while it is scanned. The default value is 50 MB. Valid values for this setting are 1 - 8000 MB.

Second setting:
F-Secure Security Platform / Settings / Advanced / Archive Settings / Maximum archive size to decompress into temp file (1.3.6.1.4.1.2213.48.1.100.10.10.20)
Any archive larger than the previous setting will be decompressed into a memory mapped temporary file. The default value is 100 MB. Valid values for this setting are 1 - 80000 MB.

These settings allow the user to fine tune the speed of scanning archives. Archive scanning is essentially a function of how much memory can be allocated to the task. Scanning is fastest when the whole archive can be decompressed into memory for scanning. Users can now allow fsavd to take as much memory as they feel comfortable with.

Some archives are so big they will not fit into memory. Those archives will be decompressed into a temporary file, which is mmap’ed in the scanning daemon. The 2nd setting specifies the maximum size for that temporary file.

We do scan archives even larger than can fit into the memory mapped temporary file, but that might be considerably slower because only a part of the archive can be decompressed at a time and might even need to be decompressed again if later analysis requires a part of the file to be re-examined.

In a nutshell: archive scanning is a compromise between speed and size. If you have lots of memory, you can have fast archive scanning. If you do not have a lot of memory but have a lot of disk space, you can have reasonably fast archive scanning. If you have neither, you are going to have slow archive scanning.

Third setting:
F-Secure Security Platform / Settings / Advanced / Archive Settings / Directory for temporary files (1.3.6.1.4.1.2213.48.1.100.10.10.30)
This setting specifies the directory where the memory mapped temporary files are created. The default directory is /tmp. The temporary files are unlinked immediately after they are created, so you will probably never see the files.

If you never want fsavd to create temporary files, set the 2nd setting equal to the 1st setting. Then all archive decompression will happen in memory.

Fourth setting:
F-Secure Security Platform / Settings / Advanced / Archive Settings / Maximum allowed compression ratio (1.3.6.1.4.1.2213.48.1.100.10.10.50)
Some archives do not contain real files but are maliciously constructed to cause havoc in an AV scanner by blowing up to an extremely large size. This setting allows fsavd to protect itself by issuing a scanning error for archives which have a very large compression ratio. The default maximum compression ratio (decompressed size / compressed size) is 1000. Valid values for this setting are 1 - 1000.
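
The size limits, the unlinked temporary file and the ratio guard described in this post can be sketched as follows. This is an added example, not F-Secure's code: the function names and the "partial" label are hypothetical, it assumes both size limits are compared against the decompressed size, and the ZIP sample is constructed inline.

```python
import io
import mmap
import os
import tempfile
import zipfile

MB = 1024 * 1024

class ScanError(Exception):
    """Raised when an archive exceeds the allowed compression ratio."""

def choose_strategy(size, mem_limit_mb=50, tmp_limit_mb=100):
    """Map a decompressed size in bytes to where the data gets unpacked."""
    # Assumption: both limits apply to the decompressed size.
    if size <= mem_limit_mb * MB:
        return "memory"
    if size <= tmp_limit_mb * MB:
        return "tempfile"
    return "partial"  # unpacked piece by piece, the slow path

def unlinked_mmap(size, tmp_dir="/tmp"):
    """Create a temp file, unlink it at once, then map it into memory."""
    fd, path = tempfile.mkstemp(dir=tmp_dir)
    os.unlink(path)         # name is gone; storage lives until unmapped
    os.ftruncate(fd, size)
    buf = mmap.mmap(fd, size)
    os.close(fd)            # the mapping keeps the file alive
    return buf, path

def scan_member(zf, info, max_ratio=1000, chunk=64 * 1024):
    """Decompress one member while counting real output bytes, rather than
    trusting the size declared in the header; stop once the ratio is hit."""
    budget = max(info.compress_size, 1) * max_ratio
    out = bytearray()
    with zf.open(info) as src:
        while True:
            block = src.read(chunk)
            if not block:
                break
            out += block
            if len(out) > budget:
                raise ScanError(f"{info.filename}: ratio above {max_ratio}")
    return bytes(out)

def make_sample_zip(payload_len):
    """Constructed sample: a ZIP with one member of payload_len zero bytes."""
    raw = io.BytesIO()
    with zipfile.ZipFile(raw, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\0" * payload_len)
    return zipfile.ZipFile(io.BytesIO(raw.getvalue()))
```

Setting the second limit equal to the first leaves no size range that maps to "tempfile", which matches the note above about never creating temporary files.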

Linux Security 7.00

April 21st, 2008 by hessu

Today we are proud to present a major piece of quality software, which we have improved, tested and polished with all of our skill, understanding, passion and love for the past 11 months. The release of Linux Security 7.00 has arrived. I’d like to highlight some of the improvements here:

  • New web-based wizards have been added for manual scanning and configuring the integrity checking and rootkit protection features.
  • A simplified, cleaned-up installer with fewer questions asked.
  • A new kernel-level scanning result cache significantly improves the performance of on-access scanning.
  • The new F-Secure Scanning Engine has been integrated.
  • We added methods to completely disable specific components of the product, like the firewall or the web user interface. If you prefer using your distribution’s firewall configuration method, we will not interfere with it. If you prefer to not use the web user interface, there is no need to burden your system with its Java run-time environment.
  • Firewall rules can now be applied to specific network interfaces.
  • The F-Secure Gnome panel applet now notifies you of any security alerts.
  • The client and server edition installer packages have been merged into a single installer to simplify distribution and installation. On the other hand, new 64-bit installer packages have been introduced to fully support new 64-bit distributions. Some things simply wouldn’t work with 32-bit compatibility libraries.
  • If you’re still running F-Secure Antivirus for Linux 4.65, it’s now possible to upgrade to Linux Security 7.00 in command-line-only mode. If command-line scanning is all you need, this is for you.
  • If you wish to integrate F-Secure’s cutting-edge scanning features with your own software, the Linux Security 7.00 release package contains an SDK for our daemon API, complete with header files, a manual page, and example code in the C language.

With a large number of new Linux distributions added and a couple of old ones removed, this release is officially tested and supported on 33 different distribution versions. It should work on a few others, too, especially if installed in command-line-only mode.

Unfortunately the native Gnome scanning application, fsgav, had to be dropped before the release. Don’t worry, it will probably re-appear in a future version, once we’ve had time to smooth its sharp edges a bit.

A full list of new features, changes and supported platforms can be found in the release notes. Please download your evaluation copy here:

  • f-secure-linux-security-7.00.71615.tgz (MD5, SHA1)
  • f-secure-linux-security-64bit-7.00.71615.tgz (MD5, SHA1)

As usual, the software can be evaluated for free for 30 days.

UPDATE: this build has been recalled. More information will be available here shortly.

If you wish to purchase licenses for your business, please get in touch with one of our sales partners or regional offices. End-user licenses should be available in the F-Secure eStore in the near future.