Microsoft Forefront Server Security Blog

Microsoft support policies and recommendations for Forefront Security products in a Hyper-V virtual environment

Today we are excited to announce formal support for Forefront Server Security for Exchange SP1 and Forefront Server Security for SharePoint SP1 running on the Hyper-V platform. This is part of a larger announcement that affects multiple Microsoft products, including Microsoft Exchange Server and Microsoft SharePoint Server.

Both products have been tested to confirm that all the functional aspects have the same behavior in Hyper-V virtual server environments as on physical servers.  They are also approved for any hypervisor based virtualization technology certified under the Microsoft Server Virtualization Validation program. 

This post provides an overview of deployment and operational considerations when running on Hyper-V. This information will also be made available as a TechNet article at a later date.

System Requirements:

The minimum server and client requirements for Forefront Security for Exchange and Forefront Security for SharePoint are essentially the same when installing in a virtual Hyper-V environment.   The application, OS, and hardware platform versions are limited, however, to those that are supported by Microsoft Exchange and Microsoft SharePoint on the Hyper-V platform.

For more details about Exchange and SharePoint support recommendations on Hyper-V, you should refer to the documents “Microsoft Support Policies and Recommendations for Exchange Servers in Hardware Virtualization Environments” and “Using SharePoint Products and Technologies in a Hyper-V virtual environment.”

Running Forefront in a guest virtual machine does not change the basic deployment, configuration, and operation guidance for the product. Refer to the Best Practices Guides and Operations Guides available on Microsoft TechNet for additional deployment and configuration considerations.

Forefront virtualization guidelines:

Once Exchange’s requirements for running in a Hyper-V environment have been met, there are specific guidelines for Forefront that must be followed:

Host specific:

• The host machine must have enough hardware resources to accommodate the virtual machines being deployed and their intended roles, and should be deployed with no other roles other than to provide virtualization.
• Memory and CPU intensive applications should not be run on the same host machine as the guest hypervisor.
• File level anti-virus scanning should be disabled on directories hosting the guest VHDs.

Guest specific:

• Guest VHD disks must be fixed.
• For performance reasons, it is recommended you choose SCSI or iSCSI based storage to host Forefront’s database files, preferably separately from the guest OS.
• File level anti-virus scanning should exclude all necessary Exchange and Forefront directories. 
• Snapshots in guest virtual machines is strongly discouraged and not supported.

Performance considerations:

Adding Forefront to an Exchange environment will add resource utilization on top of what Exchange, the guest OS, and host resource will be using.  To ensure that your virtual environment can handle the anticipated load from Exchange and Forefront, it is helpful to measure the performance counters before and after Forefront has been installed.  You can follow these steps to take these measurements:

• Prior to installing Forefront, take baseline performance counters on each of your virtualized Exchange servers.  We recommend you take counters based on (1) time of day, and (2) severity of load over several days to establish a general baseline.  You may also want to stress test your virtualized Exchange servers to understand the upper limits of CPU, disk I/O, and memory utilization requirements.
• Once Exchange performance figures have been established, install Forefront, re-take performance counters as described above, and note the differences.  This will give you an idea of the overhead Forefront will be adding to your environment.
• Based on the differences, you may want to adjust your virtual hardware requirements.  This may include allocating more memory, CPU affinity, and/or improved disk I/O.  Memory and CPU utilization are usually the most heavily impacted.
• Video settings within the guest OS should also be set to “best performance” to minimize guest CPU utilization.  Any unnecessary virtual hardware that will not be used by the guest or host OS or applications should be removed.
• Be cautious when adjusting process counts (Transport or Realtime), as this can quickly deplete memory resources in your guest virtual machine.  For example, Transport is set by default to 4 process counts.  If all 4 are in use, then the number of selected scan engines is multiplied by the number of Transport processes in use plus the size of the files being scanned.  For example:

(4) Transport Processes  X  (5) Scanner Engines @ 100mb each + File sizes = Memory utilization

Note: This is an example only and real world results will vary depending on multiple factors.

If you increase the Transport or Realtime process counts, add more scanner engines, and increase the engine bias, memory will quickly be exhausted.  In most cases, the default number of process counts is adequate; however, you should consult the best practice guide for further information on fine tuning these settings.  Additionally, use the performance data you collected earlier to help gauge how many process counts you should be using.

Krishnan Venkatasubramanian

Project Manager, Forefront Server Security

Microsoft AV Scan Engine Updating Issue

Microsoft is aware of an issue with the Microsoft AV engine not updating on some installations of Antigen and Forefront Server Security products. Not all installations of the products are experiencing this issue, however all products may be affected.

The issue arose because the aveMicrosoft.dll in one of the Microsoft AV engine updates was marked as hidden, causing all subsequent updates to fail when attempting to delete this file. When that occurs, the engine is rolled back.   This means that installations experiencing this problem are running with an outdated version of the Microsoft AV engine.

To correct this problem, browse to the Microsoft AV engine folder (Install Path \ Exchange Server \ Engines \x86 \Microsoft ) and un-hide the “bin\aveMicrosoft.dll” file. You must then either manually update the Microsoft AV engine by clicking the Update Now button in Scanner Updates or allow the engine to be updated as scheduled. You do not need to shut down or recycle any services, but you will need to configure Windows Explorer to view Hidden Files.

Note:

While Microsoft has corrected the hidden file since the initial occurrence of this issue, the only way to correct an installation that is in this state is to do so manually by following the steps above. Microsoft will not be providing any hotfixes, engine updates, or program fixes to automatically correct this issue.

Holly Kipp

CSS Security Support Engineer (Antigen/Forefront Server Security) - Long Island 

Microsoft Corporation

Forefront for Exchange SP1 Rollup 3 has been released

Forefront for Exchange SP1 Rollup3 has been released.  The fixes that are included with in Forefront for Exchange SP1 Rollup3 are as follows.

Prior to full publication of Forefront for Exchange SP1 Rollup3 we are making our customers aware that this release of Forefront for Exchange is now available.  Please Contact Microsoft support if you would like to install Rollup 3 for Forefront. 

Rollup 3 resolves the following issues: 

• 954564: The scan engines are not updated in Forefront Security for Exchange Server SP1, and a Dr. Watson event is logged.
• 954578: Sender notifications are not sent in Forefront Security for Exchange Server Service Pack 1 if the "From" field in the original e-mail message header has multiple lines.
• 951761: Rollup version not displayed in the Forefront Help menu - About Forefront.
• 951936: The General Options screen goes blank in Forefront for Exchange when you use the Tab key to scroll through the options.
• 951920: The Forefront Administrator crashes when attempting to close it while the "License Information" pop-up is open.
• 951921: The FSCController service cannot start-up successfully if a corrupt .fdb configuration file is loaded.
• 954092: Engine Updates taking more than 5 minutes to download do not complete.
• 951922: FSCDiag.exe now collects process and PID information from your Forefront server.
• 951923: Forefront for Exchange may see the following issue: ADGetStorage - Could not bind to Active Directory configuration context. Error code: 80005000.
• 952040: Forefront for Exchange will now scan for WMV files that have had their extensions renamed.
• 952039: Forefront for Exchange does not manually scan Public Folders if non-MAPI Public Folders are in the organization.
• 954577: The Start menu shortcut that points to Forefront for Exchange does not work in the German version of Windows Server 2008.
• 954565: Nested .msg attachments are not detected as nested attachments in e-mail messages in Forefront Security for Exchange Server Service Pack 1.
• 954093: The Filter List order is not updated on scan jobs when you delete and recreate a filter list of the same name.
• 953965: Forefront for Exchange may corrupt messages when attaching messages whose subject lines match a file filter set to Delete/Remove.
• 954561: You are unable to update scan engines through a proxy on a computer that is running Forefront Security for Exchange Server SP1.
• 954094: FSCDiag does not collect engine version info in the verForeFront.csv file when installed on a cluster.
• 954907: E-mail messages are not sent when you are running Forefront Security for Exchange Server Service Pack 1.
• 954934: Added a log message upon failure of setting up an active/passive Forefront cluster.
• 954911: A scan job fails on a computer that is running Forefront Security for Exchange Server Service Pack 1.
• 954941: E-mail messages start to build into a queue and the Fsctransportscanner.exe process uses lots of memory when Forefront Security for Exchange Server SP1 is running.
• 953956: Forefront for Exchange false detecting winmail.dat files as corruptedcompressedfile virus
• 954942: You cannot collect data when you try to use the Forefront Server Security Management Console on an SCC cluster that has Forefront for Exchange with Service Pack 1 installed.
• 955010: The FSCDiag.exe utility does not collect the correct data in Forefront Security for Exchange Server Service Pack 1.

Chris Covino

CSS Security Support Engineer (Antigen/Forefront Server Security) - Long Island

Microsoft Corporation 

Spam Detection Issue - 2nd Update

Our anti-spam partner Mail-Filters changed the hosting location from which we retrieve anti-spam updates.  Although Microsoft was notified that this change would take place at a future date, our partner was not properly informed that security restrictions within Microsoft operations would prevent this change from being transparent.  As a result, attempts to work around the problem resulted in a dated .dat file being published that was part of the initial install of hosted vendor components within Microsoft operations.

Customers who believe they may be experiencing problems as a result of retrieving this update should verify in the client UI that they are running with an engine version later than August 5th.  A manual update may be performed in the client to ensure that a recent update has been obtained.  The StarEngine service must then be recycled in order for the engine to function properly.

Microsoft apologizes for this inconvenience and is reviewing its operational procedures in order to prevent this from occurring again.

Holly Kipp

CSS Security Support Engineer (Antigen/Forefront Server Security) - Long Island 

Microsoft Corporation

Spam Detection Issue - Update

Holly Kipp

Spam Detection Issue

Microsoft is aware of an issue with the SpamCure engine not updating and detecting spam in Antigen 8.0 and 9.x products since  August 1, 2008. We are working with the engine vendor to resolve this issue and will continue to update this blog as more information becomes available.

Customers running the Antigen 8.0 and 9.x products may experience spam detection dramatically drop if they only use the SpamCure engine to detect spam. To attempt to detect spam while Microsoft works to resolve the issue, you can configure the following options within Antigen:

-          Mailhost Filtering:

Add one or more RBL servers

Add known spamming Mailhosts to the Rejected Mailhosts

-          Keyword Filtering:

Enable the default keyword lists

-          Content Filtering:

Add known sender domains/subject lines of spam

We apologize for the inconvenience and do hope to have this issue resolved as quickly as possible.

Holly Kipp

Antigen 9.1 Hotfix Rollup 3 and Performance Monitor

Hello, this is Neil Carpenter.  I’m an Escalation Engineer on the support side of our business and I work with Antigen and Forefront Security for Exchange Server and SharePoint.

We have been working on a hotfix rollup for Antigen 9.1 that will include a fix to help alleviate issues some of our customers have seen when using performance tools with Antigen.  The hotfix will be ready soon, but we wanted to give our enthusiastic blog audience a heads up while we're still working on finalizing everything.  When Hotfix Rollup 4 is available, this information will be cleaned up and included in a KB article.

Here are the details:

While investigating an issue where mail was queuing in the Exchange Information Store, we discovered an issue that affects customers running Antigen 9.1 Hotfix Rollup 3 when there are performance monitoring tools such as Perfmon, Perfwiz, and the MOM client running.  This issue will manifest itself as mail queuing (and never un-queuing), particularly immediately after the store is restarted.  In this particular instance, we were seeing this happen when we failed from one cluster node to another.  This could also occur in non-cluster environments and it could occur if scanjobs are restarted for other reasons (such as scan timeouts).

Additionally, you may see entries in ProgamLog.txt similar to the following:

"ERROR: scanjobs.cpp::ConfigScanJobFile(): AddNewScanJob() Failed 0x80030021"
"ERROR: scanjobs.cpp::CheckScanJobs(): ConfigScanJobFile() failed. hr[0x80030021]"

"ERROR: Unexpected, RetrieveScanJobIdentifier could not find the index"
"ERROR: Problems retrieving ScanJob identifier from RegisterMonitor"
"ERROR: antigenvsapi.cpp::VSAPINavigatorThread(): RegisterMonitor() returned 8000ffff"

You may also see instances where you open the Antigen administration console and scanjobs are not visible.

The root cause of this is a regression in the Antigen performance counters DLL that results in Antigen services being unable to access the configuration information for scanjobs; thus, when the server is in this state, scanning processes cannot be started and the admin console cannot access scanjob configuration information.

These symptoms will not occur in all instances.

Recommendations:

If a server is having this issue, you should be able to resolve the immediate issue by stopping all applications that are performing performance monitoring and restarting Exchange services.

If you are running services/applications that gather performance data on your Exchange Server with Antigen 9.1 Hotfix Rollup 3, you can mitigate this in the short-term by disabling Antigen performance counters.  The following steps will disable those counters:

1.   At c:\program files\microsoft antigen for exchange\

2.   Enter command: antigenpmsetup -uninstall

3.   You will also have to restart any application that loads performance counters.  Rebooting the server will accomplish this; however, short of that, you can run 'tlist -m antigenpmdll.dll' to get a list.  (Tlist is part of the debuggers package.)

This will be resolved in Rollup 4 when it is released.  After Rollup 4 is available, we recommend re-enabling Antigen performance counters by running 'antigenpmsetup -install'. 

Meet the Forefront Team - Introducing Dave Friedman - Release Manager

Hi Everyone, Steve Lindsay here again from the Tools and Infrastructure team.

Today I'm introducing a new series called 'Meet the Forefront Team'. This series will be a video pod-cast series of interviews with members of the Forefront Team.

Our first interview is with Dave Friedman who is the Release Manager for the Forefront Server Security products. Enjoy the video and let us know if you want to see more video interviews like this one.

Among other things, Dave talks about the new Forefront Beta preview and the "Stirling" suite.

In the video Dave mentioned a couple of sites you can visit to get more involved in the Forefront Beta and TAP programs. Links are provided to these sites below.

Forefront TAP program : http://connect.microsoft.com/site/sitehome.aspx?SiteID=504

Microsoft Forefront Code Name "Stirling" Homepage : http://www.microsoft.com/stirling

Getting the most out of Antigen’s Anti-Spam features

Hello – Andy Day from the EMEA Antigen/Forefront Support Team here to give you some tips on oiling your anti-spam engine in Antigen for Exchange/SMTP. Let the spring cleaning commence...

Over recent years, spam has emerged as a more prominent pain point than the traditional virus concerns that any company will have. Spammers are always trying to get the upper hand on anti-spam vendors, bringing out new ways to bypass scanners and hit as many inboxes as possible (sure, why wouldn’t they?...they get paid for doing that, after all!)

So, as an Antigen for Exchange administrator, how do you tweak the ASM component (Anti-Spam Manager) to maximise your spam protection, in order to outwit the spammers?

Well, first of all, you are probably using one or both of these Antigen ASM features already:

·         Spamcure anti-spam engine

·         RBLs (Realtime Block Lists)

Alongside these features, you may also have implemented the IMF feature in Exchange (Intelligent Message Filter).

All of these features and technologies are preventative measures. A configuration guide can be found in the Antigen Spam Manager Best Practices guide. The key points from this guide are to:

1.     Configure the Spamcure engine to check for updates every 15 minutes

 Spam is more dynamic than (other) malware; therefore anti-spam updates tend to be released more frequently than anti-virus updates. It is common to see several anti-spam engine version releases every hour, so getting Spamcure to check for updates this frequently is strongly advised.

2.     Configure RBL services

RBL lists, (non-Microsoft) lists of known spam mailhosts that are updated in realtime, are a good way of blocking spam from the source. Always try to use a reputable service here and be aware that free services may not always be the best. Note that Microsoft does not recommend any specific RBL providers. In Support, we do see a lot of customers using www.spamhaus.org and www.spamcop.net, which might be a good place to start. Please ensure that you observe any usage terms and conditions when using these 3rd-party lists.

RBLs rely heavily upon DNS lookups (of mailhosts), so if there is any latency in doing this, you could see SMTP mail queuing on your server. As a rule of thumb, it’s best to limit RBL lookups by using a maximum of 1-3 RBL providers.

3.     Configure the Exchange Intelligent Message Filter

OK, this isn’t strictly an Antigen feature, but we strongly recommend its use in conjunction with Antigen. The Spamcure engine and other filtering features on the SMTP scanjob can be used to set a SCL Rating on messages. Basically, if you enable the SCL Rating option for a feature in Antigen, any detection on that feature will cause Antigen to set a SCL Rating of 9 for the message. The SCL scale ranges from 0 (definitely not spam) to 9 (definitely spam).

Exchange 2003’s IMF feature allows you to set a threshold for the SCL Rating. You can also set a SCL threshold in Outlook that can steer spam messages into Outlook’s Junk Mail Folder (also governable via a GPO).

An example of how these 3 technologies might work together is setting the IMF threshold to 8 and the Outlook threshold to 5. Here, messages tagged with a SCL Rating of 0-4 will go through to users’ inboxes, 5-7 will go to users’ Junk Mail Folders and 8-9 will be deleted by IMF. As Antigen sets only ‘9’ values for the SCL rating, any Antigen-tagged messages will therefore be deleted by IMF.

For more information on Exchange’s Intelligent Mail Filter, click here. 

4.       Submit Spam Messages: False Positives (legitimate emails that were falsely detected as spam) and False Negatives (spam emails that were not detected) should be submitted ASAP to Mail Filters.

As an administrator, you’ve experienced that no technology is perfect and it’s expected that some false-positives and false-negatives will crop up from time to time. Sending these to Mail Filters (our partner company that produces the Spamcure engine) through the appropriate addresses is an efficient way to flag the problem without having to open a Microsoft Support case.

·         Send False Positives to Spam.mail-filters "at" antigen.microsoft.com

·         Send False Negatives to Notspam.mail-filters "at" antigen.microsoft.com

From these Best Practices, the key actions to take away are to make sure that Antigen is checking for Spamcure updates every 15 minutes and submit false positives/negatives to the above addresses.

If you’re working in a large organisation, you may find that a lot of spam seems to get through (even though the actual detection rate is still pretty high), due to the sheer volume of mail that you receive every day. Consider setting-up a designated spam Mailbox or shared Public Folder to collect false negatives from users.

Before opening any support cases for false negatives, we recommend that you cover the 2 areas above, since we’re likely to suggest that you do this J.

In the case that Spamcure or other ASM components don’t seem to be working as they should, take a look at my troubleshooting tips and extra features that can help to provide additional spam defence:

Further Troubleshooting

If you want to minimise your dependency on Microsoft Support, you can always try to troubleshoot the issue by yourself.

For Spamcure-related issues, try to determine from any errors whether the problem relates to the download of the engine (the first part of the update process), or to the integration of a new engine into Antigen (the second part of the update process); then follow these steps:

Engine Download Issues:

·         Check that you can reach the file being downloaded through Internet Explorer.

·         Confirm that any proxy settings entered in the Antigen Administrator are still valid.

·         In general, try to stagger engine updates by 10-15min per engine.

Engine Integration Issues:

·         Make sure that the engine has updated at least once following install, to avoid this error:

"ERROR: Could not load SpamCure mapper."

·         Try rebuilding the scan engine, as per KB920304.

Secondary Defence

Antigen also gives you various filtering features that can be used in either a preventative or reactive manner to block spam.

·         Mailhost Filtering

·         ‘Content’ Filtering

o   Sender/Domain Filtering

o   Subject Line Filtering

·         Keyword Filtering

There’s a lot of information and syntax about filtering already explained in the Antigen for Exchange User Guide, so I won’t repeat it here. However, you might consider setting some filters for basic pre-emptive defence and perhaps more importantly to block prominent spam mail that got through. It’s not worth the effort to do this for every undetected spam, of course, but if you’re facing a sudden wave of similar spam, this could  warrant a Subject Line or Keyword Filter until engine definitions become available.

Following the guidance I outlined, we hope you find Spamcure is filtering out most of your spam just fine and you won’t really need to tackle this troubleshooting or use these extra features for this reason. If you do, however, I hope this post has been useful to you.

Kind Regards,

Andy Day

CSS Security Support Engineer (Antigen/Forefront Server Security)

East Islip High School technology students introduce some of the Forefront Team.

Hi this is Steve Lindsay from the Tools and Infrastructure team.

Today we had some potential future bloggers/technology guru's in our midst from East Islip High School. They helped write this post and took all the pictures and followed the posting process from beginning to end to bring you this introduction to some of our team members.

Steve Lindsay,

Signing out...

Danny Popper talks about the new Forefront beta preview

Hey everyone,

My name is Danny Popper, and I’m a Program Manager for Microsoft Forefront Security for Exchange Server.  On Wednesday, Brett (our Product Unit Manager) blogged about our brand new beta release of two Forefront Server Security products – Forefront Security for Exchange Server (FSE) and Forefront Security for SharePoint (FSSP).  Brett talked about our direction both from the broader Forefront division of security products as well as from the perspective of our two products.  I want to build on what Brett said, and I hope that I can fill in some of the details about how we’re going to achieve the visions he outlined.

This past week, we gave you your first peek at the next generation of FSE, and it’s super-exciting on a bunch of levels.  First, on a personal level, I’m one of the newer members of the team, having just graduated from school this past year.  Which means that this is the first software release since I’ve joined the team, and it’s amazingly gratifying to see months of work (well, more like a year for other team membersJ) actually go out to the public.  Second, this release of FSE is our first step in adding a whole bunch of features that you’ve been asking us for – in this beta1 release we’ve focused on making FSE incredibly easy to deploy and manage for IT administrators.  Third and most importantly, this beta release marks our first release with “Stirling,” Microsoft’s new suite for enterprise security and management. 

Our main focus in this beta preview is to greatly enhance the management experience.  Towards that end, the next generation FSE/FSSP gives you:

·         A complete Powershell interface to simplify your scripting experience.  We’ve built the next generation of FSE/FSSP with Powershell in mind, so that all settings and data are now accessible programmatically.

·         An updated administration GUI, aligning with the Forefront Suite (see below!).  Our GUI is not just updated, but rebuilt completely, in order to better expose all our functionality in a clear manner.

·         MSI deployment, supporting both attended and unattended installations