
Meet the Forefront Team - Introducing Dave Friedman - Release Manager

Hi Everyone, Steve Lindsay here again from the Tools and Infrastructure team.

Today I'm introducing a new series called 'Meet the Forefront Team'. This will be a video podcast series of interviews with members of the Forefront Team.

Our first interview is with Dave Friedman who is the Release Manager for the Forefront Server Security products. Enjoy the video and let us know if you want to see more video interviews like this one.

Among other things, Dave talks about the new Forefront Beta preview and the "Stirling" suite.

In the video Dave mentioned a couple of sites you can visit to get more involved in the Forefront Beta and TAP programs. Links are provided to these sites below.

Forefront TAP program : http://connect.microsoft.com/site/sitehome.aspx?SiteID=504

Microsoft Forefront Code Name "Stirling" Homepage : http://www.microsoft.com/stirling

Posted by FSSTeam | 1 Comments

Getting the most out of Antigen’s Anti-Spam features

Hello – Andy Day from the EMEA Antigen/Forefront Support Team here to give you some tips on oiling your anti-spam engine in Antigen for Exchange/SMTP. Let the spring cleaning commence...

 

Over recent years, spam has emerged as a more prominent pain point than the traditional virus concerns that any company will have. Spammers are always trying to get the upper hand on anti-spam vendors, bringing out new ways to bypass scanners and hit as many inboxes as possible (sure, why wouldn’t they?...they get paid for doing that, after all!)

So, as an Antigen for Exchange administrator, how do you tweak the ASM component (Anti-Spam Manager) to maximise your spam protection, in order to outwit the spammers?

 

Well, first of all, you are probably using one or both of these Antigen ASM features already:

·         Spamcure anti-spam engine

·         RBLs (Realtime Block Lists)

 

Alongside these features, you may also have implemented the IMF feature in Exchange (Intelligent Message Filter).

All of these features and technologies are preventative measures. A configuration guide can be found in the Antigen Spam Manager Best Practices guide. The key points from this guide are to:

 

1.     Configure the Spamcure engine to check for updates every 15 minutes

 Spam is more dynamic than (other) malware; therefore anti-spam updates tend to be released more frequently than anti-virus updates. It is common to see several anti-spam engine version releases every hour, so getting Spamcure to check for updates this frequently is strongly advised.

2.     Configure RBL services

RBL lists, (non-Microsoft) lists of known spam mailhosts that are updated in realtime, are a good way of blocking spam from the source. Always try to use a reputable service here and be aware that free services may not always be the best. Note that Microsoft does not recommend any specific RBL providers. In Support, we do see a lot of customers using www.spamhaus.org and www.spamcop.net, which might be a good place to start. Please ensure that you observe any usage terms and conditions when using these 3rd-party lists.

RBLs rely heavily upon DNS lookups (of mailhosts), so if there is any latency in doing this, you could see SMTP mail queuing on your server. As a rule of thumb, it’s best to limit RBL lookups by using a maximum of 1-3 RBL providers.

3.     Configure the Exchange Intelligent Message Filter

OK, this isn’t strictly an Antigen feature, but we strongly recommend its use in conjunction with Antigen. The Spamcure engine and other filtering features on the SMTP scanjob can be used to set a SCL Rating on messages. Basically, if you enable the SCL Rating option for a feature in Antigen, any detection on that feature will cause Antigen to set a SCL Rating of 9 for the message. The SCL scale ranges from 0 (definitely not spam) to 9 (definitely spam).

Exchange 2003’s IMF feature allows you to set a threshold for the SCL Rating. You can also set a SCL threshold in Outlook that can steer spam messages into Outlook’s Junk Mail Folder (also governable via a GPO).

An example of how these 3 technologies might work together is setting the IMF threshold to 8 and the Outlook threshold to 5. Here, messages tagged with a SCL Rating of 0-4 will go through to users’ inboxes, 5-7 will go to users’ Junk Mail Folders and 8-9 will be deleted by IMF. As Antigen sets only ‘9’ values for the SCL rating, any Antigen-tagged messages will therefore be deleted by IMF.

For more information on Exchange’s Intelligent Mail Filter, click here. 

4.       Submit Spam Messages: False Positives (legitimate emails that were falsely detected as spam) and False Negatives (spam emails that were not detected) should be submitted ASAP to Mail Filters.

As an administrator, you’ve experienced that no technology is perfect and it’s expected that some false-positives and false-negatives will crop up from time to time. Sending these to Mail Filters (our partner company that produces the Spamcure engine) through the appropriate addresses is an efficient way to flag the problem without having to open a Microsoft Support case.

·         Send False Positives to Spam.mail-filters "at" antigen.microsoft.com

·         Send False Negatives to Notspam.mail-filters "at" antigen.microsoft.com

 

From these Best Practices, the key actions to take away are to make sure that Antigen is checking for Spamcure updates every 15 minutes and submit false positives/negatives to the above addresses.

If you’re working in a large organisation, you may find that a lot of spam seems to get through (even though the actual detection rate is still pretty high), due to the sheer volume of mail that you receive every day. Consider setting-up a designated spam Mailbox or shared Public Folder to collect false negatives from users.

 

Before opening any support cases for false negatives, we recommend that you cover the 2 areas above, since we’re likely to suggest that you do this :)
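How the RBL lookups from step 2 turn into DNS queries and per-message delay, as an added example (not Antigen's own code). The zone names, the 500 ms "slow" threshold and the simulated answers and delays are constructed; the reversed-octet query name and the 127.0.0.x "listed" answer follow the standard DNSBL convention.

```python
import ipaddress
import socket
import time


def rbl_query_name(ip, zone):
    """Build the DNS name an RBL check queries: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Resolve through the OS resolver. Any failure (NXDOMAIN, timeout, SERVFAIL)
    is reported as None, i.e. treated as 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_mailhost(ip, zones, resolver=system_resolver,
                   clock=time.monotonic, slow_ms=500):
    """Query each RBL zone in turn and time every lookup.

    slow_ms is an assumed alerting threshold, not an Antigen setting.
    """
    results = []
    for zone in zones:
        name = rbl_query_name(ip, zone)
        start = clock()
        answer = resolver(name)
        elapsed_ms = round((clock() - start) * 1000)
        results.append({
            "zone": zone,
            "query": name,
            # A 127.0.0.x A record means the mailhost is on the list.
            "listed": answer is not None and answer.startswith("127."),
            "answer": answer,
            "elapsed_ms": elapsed_ms,
            "slow": elapsed_ms > slow_ms,
        })
    return results


def added_delay_ms(results):
    """Serial lookups add up: this is the delay one inbound connection pays."""
    return sum(r["elapsed_ms"] for r in results)


class FakeDns:
    """Constructed stand-in for DNS so the example runs offline:
    fixed answers plus a simulated delay per zone."""

    def __init__(self, records, delays_ms):
        self.records = records
        self.delays_ms = delays_ms
        self.now = 0.0

    def clock(self):
        return self.now

    def resolve(self, name):
        zone = name.split(".", 4)[4]  # strip the four reversed octets
        self.now += self.delays_ms.get(zone, 0) / 1000.0
        return self.records.get(name)


def demo():
    # Constructed data: three hypothetical providers, one of them slow.
    zones = ["rbl-a.example", "rbl-b.example", "rbl-c.example"]
    dns = FakeDns(
        records={"2.0.0.127.rbl-a.example": "127.0.0.2"},
        delays_ms={"rbl-a.example": 40, "rbl-b.example": 900, "rbl-c.example": 60},
    )
    # 127.0.0.2 is the conventional DNSBL test address.
    return check_mailhost("127.0.0.2", zones, resolver=dns.resolve, clock=dns.clock)


if __name__ == "__main__":
    results = demo()
    for r in results:
        flag = "SLOW" if r["slow"] else "ok"
        print(f'{r["query"]:<28} listed={r["listed"]!s:<5} {r["elapsed_ms"]:>4} ms {flag}')
    print("delay added per connection:", added_delay_ms(results), "ms")
```

Calling `check_mailhost` with the default resolver against the providers you actually subscribe to shows which zone is contributing the latency before you decide which of them to keep.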

 

In the case that Spamcure or other ASM components don’t seem to be working as they should, take a look at my troubleshooting tips and extra features that can help to provide additional spam defence:

 

Further Troubleshooting

If you want to minimise your dependency on Microsoft Support, you can always try to troubleshoot the issue by yourself.

For Spamcure-related issues, try to determine from any errors whether the problem relates to the download of the engine (the first part of the update process), or to the integration of a new engine into Antigen (the second part of the update process); then follow these steps:

 

Engine Download Issues:

·         Check that you can reach the file being downloaded through Internet Explorer.

·         Confirm that any proxy settings entered in the Antigen Administrator are still valid.

·         In general, try to stagger engine updates by 10-15min per engine.

 

Engine Integration Issues:

·         Make sure that the engine has updated at least once following install, to avoid this error:

"ERROR: Could not load SpamCure mapper."

·         Try rebuilding the scan engine, as per KB920304.

 

 

Secondary Defence

Antigen also gives you various filtering features that can be used in either a preventative or reactive manner to block spam.

·         Mailhost Filtering

·         ‘Content’ Filtering

o   Sender/Domain Filtering

o   Subject Line Filtering

·         Keyword Filtering

There’s a lot of information and syntax about filtering already explained in the Antigen for Exchange User Guide, so I won’t repeat it here. However, you might consider setting some filters for basic pre-emptive defence and perhaps more importantly to block prominent spam mail that got through. It’s not worth the effort to do this for every undetected spam, of course, but if you’re facing a sudden wave of similar spam, this could  warrant a Subject Line or Keyword Filter until engine definitions become available.

 

 

Following the guidance I outlined, we hope you find Spamcure is filtering out most of your spam just fine and you won’t really need to tackle this troubleshooting or use these extra features for this reason. If you do, however, I hope this post has been useful to you.

 

 

Kind Regards,

Andy Day

CSS Security Support Engineer (Antigen/Forefront Server Security)

East Islip High School technology students introduce some of the Forefront Team.

Hi this is Steve Lindsay from the Tools and Infrastructure team.

Today we had some potential future bloggers/technology gurus in our midst from East Islip High School. They helped write this post, took all the pictures and followed the posting process from beginning to end to bring you this introduction to some of our team members.


Today we had the pleasure of being visited by Christian, Greg and Nick who are students in grades 10 through 12 respectively at East Islip High School. I was surprised at the level of technical knowledge that these guys had considering they haven’t finished school yet. They are definitely the type of people in the future we’d look to for prospective hires! The guys decided to interview and take some snap shots of members from our Test, Development and Program Management teams. They got a quick introduction and took some photos so you guys can see a few of the many hands that work on Forefront before it reaches you.


Christian spoke with Sun Kim first and found out the following: Sun Kim is an SDET in the Forefront Server Security Test Services feature team. Sun has been with Microsoft for 3 ½ years and executes automated test passes on individual releases of the product. He then analyses the results and triages any bugs found. Triaging is the process in which bugs are assigned a priority to be fixed.

 

Greg spoke with Alex Taskov, Rob Shewan and Rob Saccone. Alex Taskov is a software developer in C++/C Sharp who has been with Microsoft for 7 years. Rob Shewan is also a software developer using primarily C++ who has been with Microsoft for 2 years. Both Alex and Rob are members of the feature team "Control Pipelines and Actions", which is one of several feature teams responsible for the core work of the project. Rob Saccone is a Principal Architect for the entire Forefront Server Team. Rob is not tied to one specific feature team; instead he is available for everyone to consult due to his design and implementation skills. Rob uses primarily C++ and has worked for Microsoft for 3 years.


Finally Nick spoke with Priya.

 

Priya Ravichandran has been at Microsoft for 1 1/2 years.

 Priya's title is Program Manager 2. In her role, she coordinates across the teams to define the features for the next version of the product and track them until the product ships.

 

Steve Lindsay,

Signing out...

Danny Popper talks about the new Forefront beta preview

 

Hey everyone,

My name is Danny Popper, and I’m a Program Manager for Microsoft Forefront Security for Exchange Server.  On Wednesday, Brett (our Product Unit Manager) blogged about our brand new beta release of two Forefront Server Security products – Forefront Security for Exchange Server (FSE) and Forefront Security for SharePoint (FSSP).  Brett talked about our direction both from the broader Forefront division of security products as well as from the perspective of our two products.  I want to build on what Brett said, and I hope that I can fill in some of the details about how we’re going to achieve the visions he outlined.

This past week, we gave you your first peek at the next generation of FSE, and it’s super-exciting on a bunch of levels.  First, on a personal level, I’m one of the newer members of the team, having just graduated from school this past year.  Which means that this is the first software release since I’ve joined the team, and it’s amazingly gratifying to see months of work (well, more like a year for other team members :) ) actually go out to the public.  Second, this release of FSE is our first step in adding a whole bunch of features that you’ve been asking us for – in this beta1 release we’ve focused on making FSE incredibly easy to deploy and manage for IT administrators.  Third and most importantly, this beta release marks our first release with “Stirling,” Microsoft’s new suite for enterprise security and management.

Forefront Arc

While FSE is a mature product in its own right (I can’t believe that we’re on v11 already!), we’re now integrated with a host of other security and management products from Microsoft in order to make it even easier to deploy, configure, and monitor your enterprise’s complete security and management solution.  But you know all this already, so let me get to some specifics!

Our main focus in this beta preview is to greatly enhance the management experience.  Towards that end, the next generation FSE/FSSP gives you:

·         A complete Powershell interface to simplify your scripting experience.  We’ve built the next generation of FSE/FSSP with Powershell in mind, so that all settings and data are now accessible programmatically.

·         An updated administration GUI, aligning with the Forefront Suite (see below!).  Our GUI is not just updated, but rebuilt completely, in order to better expose all our functionality in a clear manner.

·         MSI deployment, supporting both attended and unattended installations

·         Enhancements to the mail-scanning pipeline

·         Support for Exchange 2007 SP1 and for Windows Server 2008

·         All the existing FSE/FSSP features that you expect from us – multiple leading antivirus engines for security in depth, true file type filtering, keyword filtering for specific words and phrases, a MOM pack to expose system health

 

But the most important part of this release is really our integration with Microsoft Forefront codename “Stirling”.  For a high level look at “Stirling”, make sure you don’t miss Brett’s post (and also check out the “Stirling” team’s blog).  But how does “Stirling” integrate with FSE and FSSP?

·          “Stirling” actually incorporates more than just FSE and FSSP; it also includes new versions of Microsoft Forefront Client Security (and don’t forget their blog) and Microsoft Internet Security and Acceleration Server (ISA, and their blog).

·         Both FSE and FSSP have their brand new GUI designed in the “Stirling” model, so that the transition between the individual products and the full suite is completely smooth.

·         In this beta for FSE, and the next beta for FSSP, you will be able to control all configurations for all FSE/FSSP nodes in your organization through a single “Stirling” console.  You can define policies for deployment, and maintain separate settings for different parts of your network topology, but still control this from a single central location.

·         In this beta for FSE, and the next beta for FSSP, you can view data and reports from across all FSE/FSSP nodes, both singly and aggregated over your network.

·         Finally, by integrating all these layers of network security, we can also provide what we call “Dynamic Response” – a system that analyzes and correlates information for all layers of your network in order to detect and respond to threats.

·         This is really only the tip of the iceberg for “Stirling”, so be sure to check up on all of its cool features as well.

 

As always, Forefront makes it easier!

 

This is only a first beta.

We’d love for all of you to try it out, to get a feel for how we’ve improved management, and to see how we’ve integrated management and reports for multiple nodes and across protection technologies.  (And, of course, send us feedback on it, too!).  And before you know it, we’ll be back with another beta chock full of new features.

Remember, our goal is to make your life simpler.  It’s rare that a software team wants you to spend less time with its newer version than the previous one, but we really do want you to leave the worrying to us.

Between our new administrative interfaces, installers, and exciting new integration with the multi-workload “Stirling” project, we really hope that you can spend less time actively working with our software, and more time enjoying the peace of mind that your organization is being secured at every level. 

 

Danny Popper
Program Manager

Microsoft Forefront Security for Exchange Server

Forefront Security for SharePoint with Service Pack 2 was released today!

 

Hi all. My name is Steve Lindsay and I’m a developer in the tools and infrastructure test group for Forefront Server Security. My role involves writing the test tools and infrastructure used by the test team to write automated test plans against the Forefront suite of products. I’ll be getting a little more involved with the blog over the coming weeks but I thought I’d start by bringing you a quick post letting you know that we released Forefront Security for SharePoint with Service Pack 2 today.

 

 

The goal of this release is to provide support for the new Windows Server 2008 platform, expand the keyword filtering capabilities by including installable lists to help customers filter out profanity and discriminatory words in 11 languages, and provide a roll-up of software fixes that help facilitate the administration of this security solution.

 

 

You should upgrade to Forefront Security for SharePoint with Service Pack 2 if you are moving to Windows Server 2008 or want to take advantage of the new installable profanity and discriminatory keyword lists.  You are also encouraged to upgrade to the SP2 release to install a roll-up of the latest software fixes.

 

Try the new Forefront Security for SharePoint with SP2 by visiting:

http://www.microsoft.com/forefront/sharepoint/en/us/try-it.aspx

 

Steve.

Take a First Peek at the Next Generation of Forefront Server Security Products

 

Yesterday, we released beta versions of the next generation of Forefront Security for Exchange Server and Forefront Security for SharePoint products.  We’ve made significant investments in improving how you can deploy, manage, protect, monitor and troubleshoot your messaging and collaboration environments with Forefront, and these beta releases are meant to give you an idea of what to expect with the next versions of these products. 

 

One of the most important additions to these next-gen versions is the integration with the Forefront code name “Stirling” management infrastructure.  This new console and dashboard will provide management across multiple instances of the Forefront Server products, in addition to managing Forefront client and network edge protection products.  This integration will allow administrators to centrally configure settings and generate reports across all the managed products.  I am even more excited about something new being introduced as part of the Stirling system that we call “Dynamic Response.”  It is an innovative Microsoft technology built into each component of "Stirling" that collects and shares data from all of these protection points to help better identify threats -- and then allows administrators to take preventative actions in an orchestrated or automated fashion.  This will go a long way towards addressing some of today’s most common challenges in effectively managing security across your enterprise.

 

You’ll see the integration with our new Stirling console beginning with the beta of Forefront Security for Exchange Server – Forefront Security for SharePoint integration with Stirling will be available in a future beta release.   You’ll also find a newly updated, intuitive management client that ships with the stand-alone versions of Forefront Security for Exchange Server and Forefront Security for SharePoint.  This client is designed to be consistent with our Stirling Server user experience and focused on making administration and troubleshooting of Forefront Security for Exchange Server and Forefront Security for SharePoint easier than ever before.

 


 

Finally, this early beta release will showcase the new Powershell support we’ve built pervasively into both products. We consistently hear from customers the desire for programmatic interfaces that will allow them to integrate some aspects of managing their Forefront Security environments with their existing infrastructure.  With this release you will have new options for retrieving incident logs and quarantine data, as well as configuring system settings via Powershell. 

 


 

You can check out the new beta releases here.  Take it for a test drive and send us your feedback… we want to hear from you.  Additionally, please stay tuned to this site as this is where we will unveil many more new Forefront Server features over the coming months! 

 

 

Brett Tanzer

Product Unit Manager

Forefront Server Security

Microsoft Long Island Development Center

 

www.microsoft.com/longisland

 

Where Legends are Realized

 

 

The noisy crowd battling in a foosball match

 

The clocks were striking thirteen. The Xbox 360 was unoccupied. On the other hand, several people were gathering around the pool table, ping pong table, and the foosball table. The parties at the foosball table as usual were having a decisive battle, as witnessed by their fierce howling. Ignoring the noise, I went past the coke machine and the coffee machine, took a carton of milk from the fridge and settled at a nearby table overlooking a coarse horizon --- my usual pick had been occupied by a whole team having lunch. I leisurely pushed a straw into the milk, and started sipping.

 

My name is CHIO Ka In, I am a Software Developer in the Access & Security Division. I am a fresh graduate from The Chinese University of Hong Kong, and I would like to share my feelings with you here after joining the team for a mere period of four months.

 


 

A peek of our pantry.

 

Microsoft has deployed one of its fastest growing establishments in Zizhu Shanghai, an area that associates itself with high technology companies. Every day, the majority of us are shuttled from various points in the metropolis back here. Nearby the complex are other technology complexes, universities, and some flat ground with occasional short buildings. There are also vile winds which roast people in the summer and chill people up in the winter.

 

As a fresh graduate, I cannot deny that the most common question asked is "How's work?", and I cannot help but respond "Well! I love this place and the things I am doing here." I had better not repeat what many thousands have said about their love for this place, but go on to share what we do here.

 

So what do we do?

 

I arrived to learn that the team will be working on Forefront Server Security Management Console, a product supporting the Forefront Server Security software series, which means software shipped around the globe. It’s already shipped now. The daily work of the development is centered on some technical discussions and, undoubtedly, programming aspects. We know very well that "All non-trivial programs contain at least one bug", thus we are well-supported by our software testers who spend a good amount of time to help testing our products. Our program managers in turn help to make strategic decisions in planning out a product, and taking up the responsibility of interacting with our clients. Lastly, our group manager, who acts like a captain of a ship, takes care of the high level decisions, remote and painstaking decisions, and drives the team into efficiency here. Although we all have our different tasks, we do not really always have a clear cut of the tasks. Every morning, the leadership team comprising of software development engineers, developers and program managers stay in the room to take care of the new tasks, meanwhile the rest of the team work on matters that come arriving endlessly. Meeting adjourned, the leadership team resumes their work. Sometimes, some teammates gather up to voice out and work out improvements of our working processes. After all, the team is still young. Inexperienced or malleability --- it is just a slightly differing perspective. Like a piece of white paper, every stroke and brush will be significant and obvious, and that is also where the fun lies.

 

Much said.

 

I dumped the carton box into the bin, and filled a cup with longans, “Sigh… Eat and sleep and eat and sleep… I could use the massage chair in next room.”

 

This is where I'm headed to 

 

That’s where I’m heading to.

 

To be precise, the “next room” is actually two corridors away. Along the path, we can see what everybody is doing because of the low cubicle height. It is often at moments such as these, and even on lavatory visits, that I get distracted into brief chats with the other teams. The gossip from the next cubicle always brings laughter and eases the rather tense working atmosphere. I can ramble on more, but I really prefer that massage chair now.

 

The legends speak of the free food and drinks, relaxed atmosphere and casual dress code in Microsoft.

 

Here, such legends are realized right here in front of me, and we can even create new ones.

 

CHIO Ka In

Software Development Engineer

Access & Security Division

Servers and Tools Business China

Posted by FSSTeam | 1 Comments

The New Keyword Filter Example Lists

Hi. My name is Marv Goldberg and I’m a technical writer for Forefront Server Security. I’ve been in the team for three years now, and I want to tell you a bit about the new “example lists”.

 

Once upon a time, Microsoft Forefront Security for Exchange Server and Microsoft Forefront Security for SharePoint shipped with so-called “seed lists.” These were pre-populated filter lists for profanity, racial discrimination, sexual discrimination, and spam that laid the foundation for creating your own lists. Starting with release 10.0, those were removed from the products for a variety of reasons.

 

However, with the advent of Microsoft Forefront Security for Exchange Server with Service Pack 1 (and soon to be shipped in Microsoft Security for SharePoint with Service Pack 2), we now offer “example lists” for profanity.

 

Example lists are provided in eleven languages: English, German, Japanese, French, Spanish, Portuguese, Korean, Italian, Russian, Simplified Chinese, and Traditional Chinese. Choose any number of these languages to install, with the knowledge that you may update your selection at any time. Since the example lists are an optional component, they must be installed separately once the Forefront product is up and running.

 

To install one or more of these lists, follow these steps:

 

  1. Find the file called KeywordInstaller.msi in the Forefront installation folder and double-click it. You may also launch it from Start/Run. This file is only present on computers that have a full Forefront installation (that is, not one that’s defined as Administrator-only).
  2. Since many people will find portions of the lists offensive, be sure that you thoroughly read and understand the license agreement/disclaimer before accepting it.
  3. You are then presented with a list of available language files. You may select one, all, or any combination. The files you select are extracted and placed into a folder called Example Keywords in the database directory (which, by default, is c:\Program Files (x86)\Microsoft Forefront Security\Exchange Server\Data).
  4. After the files have been extracted, import them into your filters. Here’s how:

a.       Open the Forefront Server Security Administrator and click Filter Lists on the FILTERING section of the Shuttle Navigator.

b.      Select the filter list into which you will be importing data. (Or create a new filter list.)

c.       Click Edit. The Edit Filter List dialog box appears.

d.      Click the Import button. A File Explorer window will open to allow you to navigate to the location to which you extracted the files.

e.       Select a file to import, and then click Open.

f.       The file will be imported into the middle pane of the Import List editor to allow you to select the entries you would like to include in your filter list. Use the <=== button to move all the items into the Include In Filter section or use the <--- button to move single items. You can use the right-pointing arrows to move items into the Exclude From Import section.

g.      When you have moved all the desired items, click OK to return to the Edit Filter List dialog box.

h.      You can now import another file, if desired, by clicking Import and repeating the procedure.

i.        When you are finished importing files, click OK to return to the Filter Lists pane.

j.        </