This article provides technical details for :Foundation Client Updates, including package acquisition, manual updates, FAST UPDATE details, and insight for troubleshooting.
When DefiniSec (or the managing Service Provider) releases an update for the :Foundation Client, you receive notification immediately after SSProtect Login*. This offers an option to apply the Update or defer the procedure to a later time. Unprivileged Users can do this once to avoid the hassle of updating before attending to immediate needs. Administrators and Delegates can defer an Update continuously.
Updates are not immediately available to Organization Users, and only become visible once an Administrator or Delegate releases it for Unprivileged User visibility. Procedural aspects of the Update are described in the article, Updating the :Foundation Client.
* Update prompts are not presented when SSProtect Login results from a request to access protected content or perform other actions that require authentication and authorization. In certain cases, the Update prompt is deferred to a subsequent Login operation.
Decoupling Operating System Updates
SSProtect does not rely on Windows Updates to retain protective integrity. While most Windows security applications utilize secure key storage (for example) and a mix of other host-local, managed services for sensitive data protection, SSProtect only utilizes related OS primitives as a secondary enhancement to our core protective technologies. This provides a defense-in-depth solution that avoids limitations in the underlying platform while minimizing technical dependencies. This reduces the need to apply critical Windows Updates in order to maintain effective protection (though of course other systems will be more directly affected).
When you have questions or concerns related to the software and Windows Update, contact our Support staff and we will work with you to enumerate dependencies and help you build a remediation plan if and when necessary.
Filesystem Drivers and :Shell In-Place Encryption
There are two different packages available - the Primary Package that includes a filesystem driver, and a limited-distribution Alternate Package that does not.
The filesystem driver is required for :Shell In-Place Encryption, which provides application-independent protection even when accessing and modifying content in a data file's native application container. Without the filesystem driver, you have to manually Release Protections (decrypt w/ proper Access Control) before accessing plaintext, which provides a window of opportunity for host-based attackers.
The Alternate Package is only available for qualified Users, typically aligned with low-sensitivity :Email use. If applicable to your needs, contact Support for consideration.
Manually Acquiring Install/ Update Packages
Updates are automatically delivered in response to end-user Update acknowledgment during SSProtect Login. If you need to manually acquire an update package, utilize the naming scheme described below. This allows you to form a URL for download since older packages are not indexed for public browsing.
Note that the Standard Update (as opposed to FAST UPDATE) package is the same as the installation package, resulting from the use of the Advanced Installer framework that manages Windows Installer requirements.
As expected. refer to the Download page for the latest available packages.
Install/ Update Package Naming
The Primary Package with the filesystem driver and the Alternate Package without the filesystem driver use similar names:
Primary Package Name: SSProtect Setup-va.b.c-x64.exe
Alternate Package Name: SSProtect-nf Setup-va.b.c-x64.exe
...where a.b.c is the version of the package.
The Alternate Package includes, "-nf" in the name, which stands for, "no filter". You can always tell the type of :Foundation Client by the original package name. This is included in the caption of all UI displays for convenience.
Older Update Packages
You can acquire older versions of the software directly from the Content Delivery Network using the following URLs:*
...where a.b.c is the version of the package.
Enter the proper URL in your browser to download older versions of the :Foundation Client.
* Packages are only available to users in the United States, and links will not resolve for other users.
SSProtect provides a facility to manually execute a software update, allowing you to choose the version you wish to target. This allows you to work through issues with automatic update notification. To manually update your :Foundation Client, proceed as follows:
- Login to SSProtect and navigate to the notification icon's context menu
- Click the notification icon and choose the License and Components item
- Choose Update Client then navigate to the package you wish to use
- Choose Open to start the process
SSProtect will execute the Update using the same logic that's invoked when you respond to a dynamic Update prompt. When the Update is complete, you may be prompted to manually restart the software using the Desktop Shortcut that's created during installation, or reboot.
Note that this procedure differs from removing an existing Client and re-installing from scratch, though this is always an option. However, when using the Primary Package, you may need to reboot. If you are not prompted to do so, it is not required.
Installation frameworks help application developers manage software install, update, maintenance, and uninstall procedures. On Windows, these frameworks wrap a more fundamental Windows Installer framework, (supposedly) simplifying software packaging and installation. This results in an installation process that keeps a detailed audit record of system changes which is required for proper application setup, configuration, licensing, troubleshooting, and most importantly proper and complete uninstallation.
In reality, there are cases when changes are simple, straightforward, and do not require the extensive capabilities of such a framework. When this is the case, SSProtect avoids the overhead associated with loading such resources and makes direct changes to materials that must be modified. SSProtect reporting will show the update through :Assess, a much more secure option than host-based records that can be modified by attackers. This approach greatly improves the speed at which an update can be executed - reducing the time required from upwards of a couple minutes down to several seconds - without any compromise.
FAST UPDATEs and Uninstall
SSProtect uninstall utilizes an Installer framework which, among other things, removes files that it initially installs. If however a target file's hash does not match the hash recorded with the source material, it doesn't get removed. Because FAST UPDATE modifies target files, without additional programmatic intervention, the uninstaller framework would not remove the modified item.
For this reason. FAST UPDATE keep copies of target files for convenience. The original content is copied to a local instance with, ".old" appended to the filename. This only happens once, and on uninstall the software restores this version before running the uninstaller framework software. This allows it to proceed without deviation and completely remove all materials.
Reverting FAST UPDATEs
FAST UPDATE also keeps a local backup of the most recent target file, also stored in the same folder with, ".prev" appended to the filename. This is overwritten each time FAST UPDATE executes (while, ".old" always holds the original file's content). This allows you to "back out" of any FAST UPDATE that results in unexpected issues. Revert by stopping SSProtect, removing the target file, and renaming the, ".prev" file by removing the suffix. Restart SSProtect and you will have reverted back to the version that existed prior to FAST UPDATE. Program Files are in:
Auditing Reverted Versions
Audit logs and reports won't show revert actions directly, however SSProtect records the client version at Login. This version comes directly from the resources bound to the executable. Thus, if you execute a FAST UPDATE then revert back to the previous state, :Assess event reports will show the successive Logins with different version data. This shows changes to the client file, though it will not show the person who made the changes.
You can search this site for more information on various topics, or use this link to submit a specific request. You can also send email directly to firstname.lastname@example.org, and our staff will respond to your needs as soon as possible.
In the meantime, don't forget to check out our primary website and Insights columns for information on current trends, security topics, and how our technologies relate.
This article was updated w/ v9.1.3 of the :Foundation Client