My ISP recently started providing 3 F-Secure AV copies to each of their customers. I installed it but noticed that updates timed out.
It turned out that Suricata, which runs in IPS mode, blocked the update. There were 3 Emerging Threats rules that alerted:
[1:2003614:4] ET VIRUS WinUpack Modified PE Header Inbound
[1:2009557:2] ET TROJAN Yoda’s Protector Packed Binary
[1:2012086:2] ET SHELLCODE Possible Call with No Offset TCP Shellcode
It seems that F-Secure uses some form of packed binaries for their updates that is often used by malware.
To allow the updates to go through without disabling the rules altogether, we can use suppressions. All the alerts happened in streams talking to IP addresses in the 184.108.40.206x range. Whois lookup suggested that F-Secure has 220.127.116.11/25 available, so I decided to suppress the rules for that entire block.
To add the suppressions, I added the following lines to my threshold.conf:
# f-secure update matching
suppress gen_id 1, sig_id 2009557, track by_src, ip 18.104.22.168/25
suppress gen_id 1, sig_id 2012086, track by_src, ip 22.214.171.124/25
suppress gen_id 1, sig_id 2003614, track by_src, ip 126.96.36.199/25
After a Suricata restart, the updates now work fine. If you run Suricata in IDS mode you may still want to add the suppressions to reduce the number of alerts.