We’re excited to announce that a new solution for multi-server management of Forefront Server Protection products is now available for download!

The Microsoft® Forefront® Protection Server Script Kit provides multi-server management for Forefront Protection 2010 for Exchange Server and Forefront Protection 2010 for SharePoint®. In addition to the ability to manage multiple Forefront servers from a single location, this Solution Accelerator provides easily extensible command-line scripts that help enable server discovery, configuration, deployment, and integration with existing management technologies. It also offers basic reporting capabilities to detect configuration drift and monitor server statistics.

Download the Forefront Protection Server Script Kit

Supported Products

·         Forefront Protection 2010 for Exchange Server

·         Forefront Protection 2010 for SharePoint

Configuration Management and Reporting

·         Capture server configuration snapshots and push snapshots to any number of servers

·         Compare configuration of any number of servers or baselines

·         Obtain statistics from one or many servers, including information about infected files, detected malware, server health, and more

·         See summary and/or server detail views

Ease of Use

·         Discover Forefront Protection Servers and export information to a .CSV file

·         Use customizable Windows PowerShell™ scripts to enhance your existing automation

Full documentation in the TechNet library

http://technet.microsoft.com/en-us/library/ff830371.aspx 

After you check out this new Solution Accelerator—and we hope you will—tell us what you think. Please send your honest and constructive feedback to secwish@microsoft.com.

Jeff Sigman
Sr. Program Manager

Hi, my name is Scott Floman, and I'm a technical writer in the Forefront server protection Information Experience (iX) group. I want to again share with you some information about the documentation we have available, which docs are useful for what purposes, and where to find them.

We deliver our content in several ways, primarily via product help (.chm file), as .doc files on Internet download centers, and especially via the Web on TechNet. The “latest and greatest” versions of our documentation always reside on TechNet, so that is always the recommended starting point.

The main TechNet entry page for the various Forefront server protection products is:

http://technet.microsoft.com/en-us/library/bb932383.aspx

From this page you can access the following products:

Forefront Protection 2010 for Exchange Server (FPE)

Forefront Protection 2010 for SharePoint (FPSP)

Forefront Security for Exchange Server (FSE)

Forefront Security for SharePoint (FSSP)

Forefront Security for Office Communications Server (FSOCS)

Forefront Server Security Management Console (FSSMC)

Antigen

The history here is that our Sybari Antigen Version 9 products, which protect either Exchange messaging or SharePoint collaboration environments, evolved into our Microsoft Forefront Server Security Version 10 products (FSE and FSSP), which also offered the FSOCS product to protect against Internet Messaging (IM)-based malware. The FSSMC product can be used to manage our Antigen, FSE, and FSSP products in a multiple server environment.   

The latest version of our Exchange and SharePoint-based antimalware protection products are FPE and FPSP. FPE is currently available. The Release Candidate (RC) version of FPSP is also available, and the General Availability release of this product is currently planned for later this spring.

The FPE and FPSP documents are grouped into several main categories, all of which can be accessed from the main FPE and FPSP pages linked above.

Release Notes—Read this content to learn important information about the current release of the product, including new features and known issues.

Planning and Architecture—Read this content to plan and deploy your deployment and operation of the product. This section is a work in progress but is a high priority as we are continuing to add content in this area. 

Deployment—Read this content to install and deploy the product, or to uninstall the product. Upgrading, post-installation configuration steps, and licensing information is also included. This is another area we’re aiming to bulk up in the upcoming months, specifically how to best deploy our products in multi-server environments.  

Operations—Read this content to configure and operate the product. This is our largest section and it primarily describes our easy-to-use administration console, which includes customizable configuration settings, filtering options, and monitoring features and reports. FPE also offers antispam protection and integration with the Forefront Online Protection for Exchange (FOPE) product. FPE and FPSP can also be configured via Windows PowerShell, a command-line shell and task-based scripting technology that enables the automation of system administration tasks. (There is an overview topic about using Windows PowerShell in our Technical Reference section but the bulk of our documentation in this area must be obtained by accessing help from the Forefront Management Shell.)   

Technical Reference—Read this content for technical reference information that pertains to the product. In addition to the overview topic about Windows PowerShell recently referenced, you can obtain a sample answer file for performing unattended installations, information about the various Microsoft Forefront services, file types used in creating file filters, macros that can be used to insert information into e-mail notifications and replacement text for deleted files, event IDs that are reported, and so on.  

Troubleshooting—Read this content for information and tools to troubleshoot issues relating to the product.

Management pack for Microsoft System Center Operations Manager 2007—Read this content to learn how to monitor your system with Microsoft System Center Operations Manager 2007.

When reading a topic, you should be aware of any subtopics that exist within the Table of Contents (TOC) that appears on the left side of the screen. These subtopics may or may not be applicable to the topic you are reading; depending on the task that you are trying to complete, all of the information may be self-contained in the main topic. However, if this is not the case, you should drill-down to the sub-topics and also view any links that appear in the “Related Topics” area at the bottom of the page. 

Well, that’s pretty much all I have for now, I hope that this blog entry has provided a useful overview of how to best access and use the documentation for our various products, particularly our FPE and FPSP offerings.  

Also, another good resource for information is the Forefront Server Security Forum (http://social.technet.microsoft.com/Forums/en-US/category/forefrontserversecurity/) where you can read and answer questions about our products. A passport account is needed to access the Forum.

There are other Microsoft forums, blogs, and online technology sites that might prove useful as well; for more information, read this blog article:

http://blogs.technet.com/fss/archive/2009/03/10/other-blogs-and-content-of-interest-for-fss-users.aspx

Lastly, I want to call your attention to the TechNet wiki, which you can access at the following URL: http://social.technet.microsoft.com/wiki/

This is a brand new community where Microsoft employees and customers can post technical articles and interact with one another, much like how Wikipedia works. We’re excited about the possibilities of this wiki, which we feel will be a great resource of information, so please stop by and check it out.

Again, thanks for your time, and feel free to e-mail me with any feedback.

Scott Floman
Technical Writer
Forefront Server Protection
scfloman@microsoft.com

Microsoft Forefront Protection 2010 for Exchange Server (FPE) ¹ is a leading solution for securing your messaging environment. Its antimalware solution is a proven security product that has helped many customers to secure their e-mail system.

A multi-engine solution provides the maximum protection for our customers, but it also requires we take dependencies on multiple engine partners. The engines Forefront leverages remain in service for many years, most were created when only 32-bit machines were available, and some partners are still developing their native 64-bit engine.  To release a 64-bit engine is not an easy task, for instance, this often involves porting and testing a large volume of assembly code.

Forefront made a cautious decision to preserve 32-bit scanning processes until the next release. One reason to do this is the 32-bit engines are field proven to be stable. Another reason is that we provide a shield so that the 32-bit scanning processes remain transparent for our customers. Forefront customers receive the same level of malware protection regardless if the scanning processes are 32-bit or 64-bit.

Now that the world is moving toward 64-bit architecture – Windows 2008 R2, Exchange 2007, Exchange 2010, and Office 2010 only support 64-bit releases and some of our engine partners have had 64-bit engines running in the field for some time now, we believe we are ready to move to a native 64-bit solution. Besides aligning with Server and Office applications, a 64-bit application has the advantage of being able to leverage more virtual memory (up to 8 TB) than a 32-bit application (up to 2 GB). This will allow Forefront to scan increasingly large files in memory and allow customers to scale out in a high volume traffic environment.

The upcoming releases – Microsoft Forefront Protection for SharePoint 2010 (FPSP) and Microsoft Forefront Protection for Exchange Server 2010 with Service Pack 1 – will be entirely native 64-bit solutions. For those engines that are not yet available in 64-bit, or that have not been thoroughly tested in the field, we continue to provide the same level of malware protection by hosting the 32-bit version of those engines in a separate process. These upcoming releases will also have the ability to seamlessly switch to the native 64-bit version of these engines without affecting the Forefront deployment or involving additional administrative tasks when the engines become available.

1.       Former releases include Microsoft Forefront Security for Exchange 2007, Microsoft Forefront Security for SharePoint 2007, Microsoft Antigen for Exchange, Microsoft Antigen for SharePoint.

Carolyn Liu
Senior Program Manager

A new version of the Norman engine was released through the Forefront Server Security Rapid Update system on March 26, 2009. The Norman update package was made available for download at approximately 8:30 am EST on that day.

Release Details

This is the first new Norman engine release since we rolled back the 5.93.6.0 engine on February 26, 2009 in response to the increase in memory usage by that engine version (see blog entry Update on the recent Norman antivirus engine issue). Since then and up until March 26, we have been distributing the Norman 5.93.1.0 engine and providing daily signature updates for that version.

The Norman 5.93.8.0 engine that was released on March 26, 2009 incorporates several important changes and does so in a way that does not result in a significant increase in memory usage requirements.

§  The engine initialization time has been decreased significantly. In our test environments, we do not see timeouts or delayed load times by the Norman engine.

§  The root cause of many drwatson reports and intermittent Norman engine crashes on engine unload has been resolved in the 5.93.8.0 engine.

Update Package Details

The following information can be used to verify that the update package containing the 5.93.8.0 Norman engine has been successfully downloaded.

Forefront Server Security or Antigen 9 Products and Service Pack Releases

In the Forefront Server Security Admin client, navigate to the SETTINGS…Scanner Updates panel. The following update version or greater should be displayed for the Norman engine:         

                  Update Version:                               0903260002

**Due to the engine version formatting in place, the Engine version will still show as 5.93.0. The verification steps described below for Antigen 8.0 customers can be used to verify the correct version of the actual Norman engine file.

Stirling Wave

In the Forefront Server Security Admin client, navigate to the Overview…Dashboard panel and look for the following information for the Norman Virus Control engine:               

Engine Version:                                5.93.8.0

Antigen 8.0

The release of the new Norman engine for Antigen 8.0 customers is planned for Monday, March 30, 2009.

Antigen 8.0 customers can check the version properties on the nse_w32.dll after the update has been posted to verify that the new Norman engine has been downloaded. The version should equal 5.93.8.0. The nse_w32.dll file can be found under the product installation folder along the following path:

…\Data\Engines\x86\norman\bin

Other Release Notes

The size of the Norman update package has increased by approximately 30 MB. Customers who have limited network bandwidth between the product installation and the Microsoft download center may experience longer download transmission times. If timeouts occur, the default timeout setting for engine updates can be increased by setting a registry key. The following KB article provides instructions for doing this: http://support.microsoft.com/kb/939411/en-us.

Applies To

Antigen 9.0 for Exchange, Antigen 9.0 for SMTP Gateways, Forefront Security for Exchange, Forefront Security for SharePoint, Forefront Security for Office Communications Server and the Forefront Security for Exchange and Forefront Security for SharePoint product versions that are part of the Stirling Wave release, Antigen 8.0 for Microsoft Exchange, Antigen 8.0 for Microsoft SharePoint, and Antigen 8.0 for IM. 

Molly Gilmore

Program Manager - Forefront Server Security

We distribute the Microsoft Antimalware engine and partner with 7 Engine Vendors from around the world to provide maximum antivirus coverage. Each of those partners is continually generating signatures to mitigate new viruses. We make sure those signature updates are available to our Customers 24 hours a day, 7 days a week.

Our goal is to pull all available engine signature updates and have them posted on distribution servers in our MS.COM data centers (ready for retrieval by the FSS Client) within 15 minutes of the time the engine partner makes the update available. In addition, we validate the stability of the new signature databases and sign the update packages to ensure authenticity of the update before it’s loaded into the FSS client.

Our operational measurements indicate that we regularly meet our goals, and usually do better. For the Customer, this means that if the FSS product is configured to retrieve updates every 15 minutes, the Customer should have the engine signature updates within a half hour of its being posted by the engine provider.

****

Each of the engine vendors provides news on the threats they’ve mitigated on their websites (see links below) and some publish the dates/times the new signatures were made available.

http://global.ahnlab.com/

http://www.authentium.com/threatmatrix/

http://www.ca.com/us/securityadvisor/

http://www.kaspersky.com/avupdates
http://www.norman.com/Virus/en-us

http://www.sophos.com/security/

http://www.virusbuster.hu/en

Windows Live OneCare Update Forum: http://forums.microsoft.com/WindowsOneCare/ShowForum.aspx?ForumID=1259&SiteID=2

Molly Gilmore

Program Manger

Forefront Server Security team

The Forefront Server team is pleased to announce that Antigen 8 for SharePoint Service Pack 1 and Antigen 8 for IM Service Pack 1 are now available for download.  It is important for customers to upgrade to these service pack releases before the AV engine mix is changed on December 1^st, 2009 (as announced on July 1^st, 2009).  Previous builds of the product will still function after December 1^st, but only one engine will be updating (Norman).

Another important thing to note is that these service packs update engines from the MICROSOFT.COM download location used by all the other Forefront Server products.  This is important as the SYBARI.COM update location will no longer be available as of 2/1/2010.

The service packs can be downloaded from the Microsoft Volume Licensing Service Center by opening the “Servers” group and finding the corresponding Forefront Server product.  Antigen 8 for SharePoint SP1 (part number X16-09934) can be found under “Forefront Security for SharePoint with Service Pack 3”.  Antigen 8 for IM SP1 (part number X16-09863) can be found under “Forefront Security for Office Communications Server”.

Avoid any gaps in your multi-engine AV protection.  Upgrade today!

Tom Canino

Lead Program Manager

Forefront Server Team

Hello –this is Kelly Borndale, a PM from the Forefront Services/Ops Team!

Due to growing threats, the size of files downloaded within the antivirus engine definition update packages has grown over time (previously mentioned here).  In order to get definition updates to Antigen and Forefront Server products as efficiently as possible, we have begun to move parts of our definition updates to a content distribution network (CDN).  This brings the larger parts of the definition updates to servers located closer to you, in the Internet sense.  It also allows your servers to download definition updates faster, during “normal” definition production times, as well as in the event of an outbreak, when definition production would occur more frequently.

Previously, there had been concern about how CDNs would work with our product’s frequent update pattern.  CDNs are historically very good at having cached copies of files which don’t change very frequently, but what happens when you have files that change frequently, such as our manifest and metadata files?  Internally, we had concerns about our clients getting old update information because of file age and the constant re-writing of our metadata and manifest files.  We wanted to make sure that the latest definition updates were always available, but, we also needed to make sure that we could react to surges in definition update size or frequency, on the fly

Working with our Operations team, we came up with a plan to address these concerns.  We’ve set up our file cache policies to make sure that all the manifest and metadata requests go directly to our origin servers.  These are the servers where our back-end definition processing service publishes definition updates directly to, meaning these files are not served via the CDN.  This alleviates any concerns about the CDN’s handling of frequently changing files, as the CDN isn’t the entity providing these files.

This change is largely invisible to anyone using the product line.  We’ve worked to come up with a solution that will work with in-market products, as well as upcoming releases.  That said, there is one customer scenario that may be affected by this change.  If the server that downloads the definition packages from the Internet is behind a firewall that restricts outbound access via port 80 to the Internet, definition updates may fail.  To work around this, make sure that your Antigen and Forefront Servers are able to send http traffic to the Internet.  If there are security concerns around opening up the outbound traffic for your Antigen or Forefront Servers, redistribution servers can be used as a tool to bring updates from the Internet into your internal network. This set up has a redistribution server accessing the Internet over port 80. The redistribution server then hosts the packages, internally, for the mail servers.  This allows you to continue to restrict the mail server’s access to the Internet.  For information on configuring distribution servers, please read the following help topics:

For FSE: http://technet.microsoft.com/en-us/library/bb795083.aspx

For Antigen: http://technet.microsoft.com/en-us/library/bb914037.aspx

For FSSMC: http://technet.microsoft.com/en-us/library/bb878182.aspx

K.Borndale

IT/Ops Program Manager

Today, Microsoft released a new version of Forefront Online Security for Exchange (FOSE) (Release 9.1). FOSE online filtering helps protect inbound and outbound e-mail traffic from spam and viruses.  FOSE can be used to provide an additional layer of protection for your Microsoft Exchange messaging infrastructure.

Read more about the new release on the Forefront Team blog here.    

Michel LaFantano

FSS UE Team

Hello Forefront and Antigen users.  I want to call your attention to a blog posted recently by Andy Day of our exceptional support team about real-time block lists or RBLs.  He recently posted an article about some changes to the Spamhaus RBL that may impact some of our users.  You can find the details here: http://blogs.technet.com/fssnerds/archive/2009/07/06/spamhaus-update.aspx

The FSS Nerds blog is another great resource for information and tips about Forefront Server Security products. 

 Enjoy.

Michel LaFantano

FSS User Assistance team

Today we are excited to announce formal support for Forefront Server Security for Exchange SP1 and Forefront Server Security for SharePoint SP1 running on the Hyper-V platform. This is part of a larger announcement that affects multiple Microsoft products, including Microsoft Exchange Server and Microsoft SharePoint Server.

Both products have been tested to confirm that all the functional aspects have the same behavior in Hyper-V virtual server environments as on physical servers.  They are also approved for any hypervisor based virtualization technology certified under the Microsoft Server Virtualization Validation program. 

This post provides an overview of deployment and operational considerations when running on Hyper-V. This information will also be made available as a TechNet article at a later date.

System Requirements:

The minimum server and client requirements for Forefront Security for Exchange and Forefront Security for SharePoint are essentially the same when installing in a virtual Hyper-V environment.   The application, OS, and hardware platform versions are limited, however, to those that are supported by Microsoft Exchange and Microsoft SharePoint on the Hyper-V platform.

For more details about Exchange and SharePoint support recommendations on Hyper-V, you should refer to the documents “Microsoft Support Policies and Recommendations for Exchange Servers in Hardware Virtualization Environments” and “Using SharePoint Products and Technologies in a Hyper-V virtual environment.”

Running Forefront in a guest virtual machine does not change the basic deployment, configuration, and operation guidance for the product. Refer to the Best Practices Guides and Operations Guides available on Microsoft TechNet for additional deployment and configuration considerations.

Forefront virtualization guidelines:

Once Exchange’s requirements for running in a Hyper-V environment have been met, there are specific guidelines for Forefront that must be followed:

Host specific:

• The host machine must have enough hardware resources to accommodate the virtual machines being deployed and their intended roles, and should be deployed with no other roles other than to provide virtualization.
• Memory and CPU intensive applications should not be run on the same host machine as the guest hypervisor.
• File level anti-virus scanning should be disabled on directories hosting the guest VHDs.

Guest specific:

• Guest VHD disks must be fixed.
• For performance reasons, it is recommended you choose SCSI or iSCSI based storage to host Forefront’s database files, preferably separately from the guest OS.
• File level anti-virus scanning should exclude all necessary Exchange and Forefront directories. 
• Snapshots in guest virtual machines is strongly discouraged and not supported.

Performance considerations:

Adding Forefront to an Exchange environment will add resource utilization on top of what Exchange, the guest OS, and host resource will be using.  To ensure that your virtual environment can handle the anticipated load from Exchange and Forefront, it is helpful to measure the performance counters before and after Forefront has been installed.  You can follow these steps to take these measurements:

• Prior to installing Forefront, take baseline performance counters on each of your virtualized Exchange servers.  We recommend you take counters based on (1) time of day, and (2) severity of load over several days to establish a general baseline.  You may also want to stress test your virtualized Exchange servers to understand the upper limits of CPU, disk I/O, and memory utilization requirements.
• Once Exchange performance figures have been established, install Forefront, re-take performance counters as described above, and note the differences.  This will give you an idea of the overhead Forefront will be adding to your environment.
• Based on the differences, you may want to adjust your virtual hardware requirements.  This may include allocating more memory, CPU affinity, and/or improved disk I/O.  Memory and CPU utilization are usually the most heavily impacted.
• Video settings within the guest OS should also be set to “best performance” to minimize guest CPU utilization.  Any unnecessary virtual hardware that will not be used by the guest or host OS or applications should be removed.
• Be cautious when adjusting process counts (Transport or Realtime), as this can quickly deplete memory resources in your guest virtual machine.  For example, Transport is set by default to 4 process counts.  If all 4 are in use, then the number of selected scan engines is multiplied by the number of Transport processes in use plus the size of the files being scanned.  For example:

(4) Transport Processes  X  (5) Scanner Engines @ 100mb each + File sizes = Memory utilization

Note: This is an example only and real world results will vary depending on multiple factors.

If you increase the Transport or Realtime process counts, add more scanner engines, and increase the engine bias, memory will quickly be exhausted.  In most cases, the default number of process counts is adequate; however, you should consult the best practice guide for further information on fine tuning these settings.  Additionally, use the performance data you collected earlier to help gauge how many process counts you should be using.

Krishnan Venkatasubramanian

Project Manager, Forefront Server Security

Hi. My name is Noreen Lynch, and I am a Dev Lead on the Forefront Server Security team. I’ve been working on our Forefront security product (formerly Antigen) for almost 7 years. Our team is located on Long Island, in New York. The best part of my job is the chance to work with an amazing group of people. We have a great team here that has worked together through many challenges and has consistently delivered a great product.

But enough about our team, what I really want to talk about is how our bias setting works within our multiple scan engine architecture. By default, each scan job within Forefront Server Security will be configured to scan with 5 scan engines, with a bias setting of “Favor Certainty”. But what does that mean – what exactly is the “bias”?

In a nutshell, the bias is what is used to decide how many engines will be used to scan a file. The calculation for how many engines to use takes into account both the bias selection in the Forefront Administrator, as well as how many engines are selected for that scan job. The bias setting range in our Administrator is from Maximum Certainty to Maximum Performance. Maximum Certainty uses every engine selected for the scan job for each scan. This gives the slowest performance, but the highest degree of certainty that a virus will be caught. At the other end of the spectrum is Maximum Performance, which scans each item with only one of the selected engines. This gives the fastest performance, but the least certainty. The Neutral setting is in the middle, scanning each item with at least half of the selected engines. This provides better performance than Maximum Certainty, but less certainty.

So, what is the difference between Maximum Certainty and Favor Certainty? For Maximum Certainty, EVERY engine selected in the client is used for EVERY scan. If that engine is currently being updated, all scans will wait for the engine update to complete. In most cases, the time needed to wait for the update to finish is minimal (the time does not include the time to download the new engine, but only a small portion of the entire update process). However, mail will queue until the update completes. With Favor Certainty, every available engine that is selected in the Administrator is used for every scan, but in this case, if an engine is being updated and a scan request is made, the scan will be done with all remaining engines. Only one engine can be updated at a time, so all but that one engine will be used for the scan. Mail will not queue. Favor Certainty is our default (and recommended) setting.

Some creative things can be done with the engine settings within an organization. If an administrator feels that scanning with 5 engines on a single server is too taxing, but still wants to ensure maximum certainty, the load can be spread across multiple servers. If, for example, all incoming mail goes through an Edge server, and then a Hub server, the Edge server could be configured to scan with 3 scan engines with a bias of Maximum Certainty, and the Hub server could be configured to scan with a different set of engines, also with a bias of Maximum Certainty.

The configuration option “Optimize for Performance by Not Rescanning Messages Already Virus Scanned - Transport” needs to be turned off in General Options to disable the “Transport Stamp” feature to allow mail to be scanned at each hop. This ensures that each incoming mail will be scanned by all selected engines, but the scanning will occur on two different servers.

The scanning load can also be shared if there are two servers in the organization, a Gateway/Hub and a Mailbox server. A hidden option exists that allows the Transport Stamp to be ignored at the Mailbox server. The hidden registry key, “DisableAVStamping” can be enabled to force messages scanned in transport to also be scanned at the Mailbox. This key needs to be added as a DWORD key under Forefront Server Security\Exchange Server (contact your PSS representative if you need help adding this key). Then, a certain set of engines can be enabled at the Gateway/Hub server and a different set at the Mailbox server. Again, this will allow all messages to be scanned by all selected engines.

I’ve simplified our bias calculation since I recommend the Favor Certainty setting. But for the Neutral, Favor Performance, and Maximum Performance settings, a nifty algorithm is used under the covers to determine which engine(s) to scan with. The calculation, based on mailflow within your environment, ranks each engine based on its past performance and its age. This information allows Forefront to weight each engine so that better performing engines are used more during scanning and their results are given more weight in determining if a file is infected. This ensures that the most up-to-date and statistically best performing engines have more influence in the scanning process.

More information on this topic can be found in our Forefront User’s Guide.

Noreen Lynch

Forefront Server Security Dev Lead

Forefront Security for Office Communications Server integrates multiple antimalware engines from Microsoft and industry-leading partners to provide comprehensive protection against the latest threats.  People often ask us what the big deal is about using multiple engines in our Forefront products.   Well, multiple engines provide many advantages, which include:

-          Increasing the chance that any single threat to your instant messaging environment will be caught.

-          Providing redundancy against scan failures or defects in individual engines.

-          Eliminating downtime during engines updates – if an engine goes offline for updates, the remaining engines continue to scan IM traffic.

We continually monitor antimalware engine quality and detection rates using internal and 3^rd party independent testing organizations to ensure we are providing comprehensive protection for customers.  Recently, we’ve worked with AVTest.org, an independent third-party testing lab, to provide insight into how different response times are between the engine set in Forefront Security for Office Communications Server and leading single-engine products. 

AVTest.org tested lab response times for 244 “in the wild” viruses and variants that appeared from October-December 2008.  Results were provided for the Forefront Security for Office Communications Server engine set, as well as three leading single-engine vendors.  Results showed that while 169 of the viruses were proactively detected by all labs, 75 showed significant variation in detection times.  For these, the Forefront Security for Office Communications Server engine set had an average detection time of less than one hour.  The three competitive single-engine solutions had average detection times of 34 hours, 32 hours and 124 hours respectively.  The results show that Forefront Security for Office Communications Server multi-engine solution provides much faster, more effective protection against the latest threats than single-engine vendors.  Detailed data about the test is shown in the chart below:

Brita Jenquin

Sr. Product Manager

Forefront Security Products

Hi, my name is Alex Nikolayev and you might remember me for my previous work with Exchange server Transport.  Having an unconditional love for Transport, I moved to Forefront Server Security team to help with delivering cool new features to protect it from all sorts of malware (spam included). 

Over the years, talking about the spam problem and how to get it under control, we were referencing four major pillars that contribute to the overall strategy and success in the fight against spam:

1.       Effective Legislation,

2.       Innovative Technologies,

3.       Industry Cooperation and Collaboration,

4.       User Education.

While I can’t really talk about the legislation (I’m not a lawyer) and user-ed (this needs to be done by every Forefront admin in every Exchange organization), I want to tell you about the new antispam technologies Forefront team delivers in close collaboration with the industry partners.

Forefront Server Security is well known for integrating the most efficient antimalware engines into the product, so it’s no wonder we decided to do the same for the antispam.  The new Beta 2 release of Forefront Server Security 2010 comes with features that were jointly developed with our external partners.  So what is under the FSE 2010 Beta 2 hood? 

Today I will talk about the new content filter.  I know it’s an impossible task to cover a wealth of new information in a single blog so this time I will provide only a high level “introductory” overview of what it is and how it functions (do not worry, I will write more blogs about the filter internals, best deployment and configuration practices, and how to get the most out of it). 

The new Forefront content filter is a result of collaborative work between my team and Cloudmark^®.  At the heart of the filter is the Cloudmark Authority® Engine which is natively integrated into Forefront’s antispam framework.  It functions exactly the same way as the antispam content filter engine in Exchange 2007 by verifying the content of the message for spamminess.  The engine produces a raw spam score that is normalized by the content filter agent (actually by the adaptor which does the translation from the raw spam score to SCL) and at the end the content filter agent stamps an SCL value onto the message.  The SCL value is in the same format as the SCLs previously stamped by the Exchange 2007 and Forefront 2007 content filter agents.  So if you have any custom agents acting upon an SCL value on the message, they will continue to function without the need for modification.  The biggest difference in SCL assignments is the SCL range distribution.  Do not expect to see a lot of SCLs between SCL:5 and SCL:9 and do not expect to see anything in the range between SCL:1 and SCL:4 inclusively.  The bulk of messages will be assigned either SCL:-1 or SCL:9.  This means no more garbage in the Junk E-mail Folder!  Sure, occasionally there could be a couple of messages with an SCL:5 or SCL:6, but the bulk of e-mail will be correctly classified as the legitimate or unsolicited bulk e-mail.  Look at the chart below (from the real data supplied by one of the Forefront Beta 2 TAP customers who is running with the Beta 2 build in production):

As you can see, almost 100% of all incoming mail was classified either as good mail or spam!  These results may vary depending on the deployment configuration, but the general trend is that you won’t see a whole lot of messages with SCLs between 0 and 8.

You might ask what about the accuracy of the engine and whether you can trust these results?  Just recently, the Forefront Security for Exchange running on Beta 2 build with the new Cloudmark-based content filter was rigorously tested by the West Coast Labs on live spam for 2 weeks. At the end of the test, FSE was awarded a Checkmark certification as a Premium product. Throughout the testing cycle the filter maintained a detection rate of 99%. 

I realize it’s quite a departure from the model and behavior we all got so used to – open the Junk E-Mail Folder in the morning and comb through the junk triaging it for potential false positives…  Guess what – no more junk with the new Forefront content filter so you’ll get your time back! 

Now keep in mind that this is not a silver bullet against spam.  Spammers constantly find ways to penetrate through the best defenses and deliver spam.  However, with our new Forefront Content Filter backed by Cloudmark’s technology with real-time response via Global Threat Network™ and advanced fingerprinting algorithms allowing for identification of spam mutations in real time, you will feel much safer and better protected from new spam outbreaks.

Hey folks,

We get lots of questions on our forums and lots of calls to our support staff about installing FSE and Antigen on clustered Exchange servers.  Obviously, installing on clustered servers is a whole different animal from installing on single servers and requires additional guidance.

In response to that need, our UA team produced cluster install guides in 2008 for FSE and Antigen.  These guides give you system requirements, step-by-step installation guidance for installing on several different types of clustered servers, upgrading guidance, and step-by-step guidance for uninstalling FSE and Antigen from clustered servers.

The guides can be found in our technical library on TechNet:

Forefront Security for Exchange Server: http://technet.microsoft.com/en-us/library/bb892168.aspx

Antigen for Exchange: http://technet.microsoft.com/en-us/library/bb913988.aspx

Our excellent support team has also written many Knowledge Base articles about installing FSE and clusters that you may want to review before installing FSE on clustered servers or if you are having problems with FSE on clustered servers.  These include:

·         http://support.microsoft.com/kb/939365

·         http://support.microsoft.com/kb/950586

·         http://support.microsoft.com/kb/943616

·         http://support.microsoft.com/kb/941272

·         http://support.microsoft.com/kb/929081

If you have feedback on the guides or any of our documentation, please send us a note at fss-ue@microsoft.com.

Be safe out there-

Michel LaFantano

FSS User Experience team

Yesterday, we released beta versions of the next generation of Forefront Security for Exchange Server and Forefront Security for SharePoint products.  We’ve made significant investments in improving how you can deploy, manage, protect, monitor and troubleshoot your messaging and collaboration environments with Forefront, and these beta releases are meant to give you an idea of what to expect with the next versions of these products. 

One of the most important additions to these next-gen versions is the integration with the Forefront code name “Stirling” management infrastructure.  This new console and dashboard will provide management across multiple instances the Forefront Server products, in addition to managing Forefront client, and network edge protection products.  This integration will allow administrators to centrally configure settings and generate reports across all the managed products.  I am even more excited about something new being introduced as part of the Stirling system that we call “Dynamic Response.”  It is an innovative Microsoft technology built into each component of "Stirling" that collects and shares data from all of these protection points to help better identify threats -- and then allows administrators to take preventative actions in an orchestrated or automated fashion.  This will go a long way towards addressing some of today’s most common challenges in effectively managing security across your enterprise.

You’ll see the integration with our new Stirling console beginning with the beta of Forefront Security for Exchange Server – Forefront Security for SharePoint integration with the Stirling will be available in a future beta release.   You’ll also find a newly updated, intuitive management client that ships with the stand-alone versions of Forefront Security for Exchange Server and Forefront Security for SharePoint.  This client is designed to be consistent with our Stirling Server user experience and focused on making administration and troubleshooting of Forefront Security for Exchange Server and Forefront Security for SharePoint easier than ever before. 

Finally, this early beta release will showcase the new Powershell support we’ve built pervasively into both products. We consistently hear from customers the desire for programmatic interfaces that will allow them to integrate some aspects of managing their Forefront Security environments with their existing infrastructure.  With this release you will have new options for retrieving incident logs and quarantine data, as well as configuring system settings via Powershell. 

You can check out the new beta releases here.  Take it for a test drive and send us your feedback… we want to hear from you.  Additionally, please stay tuned to this site as this is where we will unveil many more new Forefront Server features over the coming months! 

Brett Tanzer

Product Unit Manager

Forefront Server Security

Microsoft Long Island Development Center

www.microsoft.com/longisland

Hello.

My name is Frank Trujillo, and I want to inform everyone that the Forefront Protection 2010 for Exchange Server (FPE) capacity planning tool is now available. As in the previous version of the tool, it is Excel-based and provides a workflow that makes hardware recommendations based on your preferred security configuration and desired environment. 

The tool has been revised to align with the capacity planning guidance for Exchange Server 2010. In addition, we have added a few key options for FPE configuration that impact performance. These show up in the tool as different levels of keyword filtering, file filtering, and engine and performance settings – previously referred to as “bias” settings. We now support 4 core server configurations as well as 8 core server configurations with a couple of different scanning process configurations.

We have also introduced relative performance graphs to understand the performance impact of virtualized environments and various operating system and Exchange version combinations. This can be viewed in the Comparative Performance tab in the tool. 

Finally, we changed how we communicate information in the graphs associated with the existing environments. Now each of the data streams end based on the maximum capacity of that configuration.   As an example, for an Enterprise Reference Architecture (ERA), the maximum supported incoming message rate on an Edge Server with 4 cores and 4 scan processes, using a subset of 5 engines, is approximately 22 messages per second; where the maximum message rate for the same server configuration based on a dynamic subset of 5 engines is 34 messages per second.  

The testing methodology for the product has also been slightly modified. A represented set of messages was created based on data from different customer verticals and then combined to create a near worse-case message mix that would generate the most tax on the deployed system. Actual 4 core and 8 core servers were leveraged in the targeted deployment architecture where the measurements were obtained.  

You can download a free copy of the FSE capacity planning tool at the following URL:

http://go.microsoft.com/fwlink/?LinkId=191021.     

After downloading the tool, you should first read the Directions and Readme tabs for complete information on using the tool. A Resources tab is also provided with links to obtain additional data to help make an informed decision during the planning stage.

Please keep in mind, however, that the FPE tool is not a replacement for thorough Exchange capacity planning. The expectation is that the deployment architecture adheres to the Exchange Server 2007 capacity planning guidelines.

Feedback or enhancement requests about the tool are appreciated. You can send comments directly to frankt@microsoft.com.  

Thanks for reading.

Frank Trujillo
Senior Program Manager - Forefront

Forefront Protection 2010 for Exchange Server will soon be available in 11 languages: US English, Japanese, German, French, Italian, Spanish, Korean, Simplified Chinese, Traditional Chinese, Brazilian Portuguese, and Russian. This is the same set of languages that were available in Forefront Security for Exchange Server 2007 but there is a big difference. In the 2007 release the product was single language, which means you had to choose which language you wanted and stick with it. In the 2010 release we are using multilingual technologies to simplify the user experience.

How does it work from a user's perspective? It is easier than ever, just download “the” package for Forefront Protection 2010 for Exchange Server (there is only 1 package, no need to choose a language) and run it. If your language is in the list, the product will display everything in the language you are currently using. If your language is not in the list, it will be displayed in English.

Multilingual technologies can be particularly helpful for very large multinational organizations distributed geographically. Imagine a mail security administrator working in the US feeling right at home because everything shows up in English; then when the 24x7 shift changes and it is time for the administrator working in Japan to work with the product, he will be able to run it comfortably in Japanese; finally when the administrator in France takes over, she will have no difficulties because the product will be displayed in French. We are talking about the same installation of the product, running in the same machine, not multiple installs. This benefit is directly available from the default installation; there are no additional patches or language packs to apply.

The language displayed is based on the user settings in Windows. For the above scenario to work correctly, all that needs to be done is for each administrator to have different accounts and use the control panel in Windows to select their language (which we expect to be the case for the multinational scenario described here).

The only caveat I should mention in our multilingual scenario is in the defaults for user-configurable text, for example, the message that is sent out as a replacement when a virus is detected. This text is configured at install time using the language for the person running setup. Users can later configure it to any language they want, possibly a multilingual message if appropriate, but that is a manual step that needs to be done afterwards. The language used at install time will also affect minor items such as names in the Start menu and service names.

There are a few questions that may arise due to these localization changes:

Q: Can I see a different language on a server running a localized administrator console?  For example, can I view the English Forefront administrator console on a server where Windows is configured to display German text?

A: Yes, the Forefront administrator console will be displayed in the language of the current user. Even if the server is configured to display German text by default, you can access the server using an account configured for displaying English. Forefront will respect the account preferences rather than the server default. 

Q: I only need one language, so how will this change impact disk space on my server? Can I just delete the other language packs?

A: The language packs take up about 4 MB per language, which should not have a big impact on your server.  If you do need to free up some space, you can delete the language files that are not used.

For example, if the ja-jp, de-de, fr-fr, it-it, es-es, ko-kr, zh-cn, zh-tw pt-br and ru-ru folders are all deleted, the only effect is that the program will always be displayed in English but everything else in Forefront Protection 2010 for Exchange Server will run exactly the same as it did before deleting the folders.

Eusebio Rufian-Zilbermann

Hello.  My name is Mitch Hall, and I am a program manager on the Forefront Server Security team.  Today, we are proud to announce the release of Forefront Security 2010 for Exchange Server Beta 2 (FSE), which can be used with  Exchange 2007 SP1 and Exchange 2010 beta 1.  FSE provides industry leading antimalware protection by simultaneously using up to 5 individual antimalware engines.  Protection is provided for both viruses and spyware. Protection is provided by 4 separate types of scanning processes: Transport, Realtime, Scheduled, and On-demand.  Each type of scan can be configured to use a different set of engines, providing a balance of protection and performance.

FSE has additional antispam capabilities using the newly integrated Cloudmark engine. This engine along with connection, keyword, and file filtering provides a broad array of scanning and filtering capabilities.  This solution provides industry leading spam protection.

FSE’s new UI delivers monitoring, configuration, and management capabilities. The monitoring section provides a dashboard displaying the individual engine status information. It also includes incidents and quarantine management screens. The monitoring section also provides for the configuration of incident and event notifications.  The tasks section provides the ability to scan individual mailboxes or public folders. The Protection Settings panel allows the configuration of the scan processes, antispam , connection and recipient filtering. There is also a section for building file, sender, keyword, and domain filters.  Finally, it contains sections for scan and engine update settings.

FSE’s UI is built on top of a fully scriptable PowerShell interface. This interface provides access to the full range of management capabilities through a programmatic interface. This interface can be leveraged for interactive use through the Forefront PowerShell console, or programmatically though PowerShell scripting or other .Net based programming language.  Common tasks can be automated and integration can be achieved through this flexible interface.

The introduction of the Microsoft Forefront Management Console, codename Stirling, provides central management of client and server protection technologies through a unified interface.  This interface allows administrators to create security policies that can be applied to different groups of clients and servers.  Multiple policies can be created and associated with a group of nodes.  This allows the administrator to create different policies settings for FSE Hub servers and FSE Mailbox servers.

The Stirling user interface provides a dashboard view that shows Protection Status, Policy Status, and security risk views. Stirling’s centralized data includes statistics, incidents, and quarantine for all nodes under management. This allows for the centralized management of incidents and quarantine across an enterprise.  In addition to FSE’s traditional on premise antispam solutions, integration with Forefront Online Security for Exchange (formerly known as EHS) provides a hybrid on premise/hosted solution. This server provides a hosted scanning option with on premise management. This integration is currently offered via FSE integration with Stirling management. Details about Forefront Online Security for Exchange can be found at: http://www.microsoft.com/online/exchange-hosted-services.mspx

Forefront Security 2010 for Exchange Server Beta 2 release is a great milestone in our commitment to deliver industry leading malware and spam protection with an integrated management experience.

Additional information can be found on our TechNet site:

http://technet.microsoft.com/en-us/evalcenter/cc339029.aspx

http://technet.microsoft.com/en-us/forefront/stirling/default.aspx

The following Beta 2 downloads are now available:

Forefront Security for Exchange Server:   

http://www.microsoft.com/forefront/serversecurity/exchange/en/us/next-generation.aspx

Forefront Security for SharePoint:

http://www.microsoft.com/forefront/serversecurity/sharepoint/en/us/next-generation.aspx

Forefront Stirling Management Server: http://www.microsoft.com/Forefront/stirling/en/us/default.aspx

Forefront Client Security:  

http://www.microsoft.com/forefront/clientsecurity/en/us/next-generation.aspx

Forefront Threat Management/ISA:    

http://www.microsoft.com/forefront/edgesecurity/isaserver/en/us/default.aspx

Mitch Hall

Program Manager

Forefront Server Security

Hey Folks,

As you start looking at the new release of Forefront Protection 2010 for Exchange Server (FPE) and consider deploying it in your Exchange environment, you will need to know about migrating from previous versions of Forefront Security for Exchange Server (FSE).

There is no direct upgrade from FSE to FPE, but we have written some guidance that will help you migrate from FSE to FPE in your environment. The guidance can be found in our Forefront Server Protection TechNet library at: http://technet.microsoft.com/en-us/library/ee707326.aspx

Michel LaFantano

Forefront Server Protection UA

Hi, my name is Suzanne Greenberg, and I am a technical writer for the Forefront Server Protection products. I want to let you know about the recent release of two tutorial videos that introduce the Forefront Protection 2010 for Exchange Server (FPE) Administrator Console.

In the first video, Noreen Lynch, Senior Development Lead, introduces the FPE administrator console, describes the various features of the new console, and shows you how to navigate through various functions for monitoring your FPE server.

You can view the video on TechNet Edge here: http://edge.technet.com/Media/Forefront-Protection-for-Exchange-Console-Overview/

The second video is a continuation of the first, and Noreen continues the tour of the FPE administrator console. In this video, she focuses on configuring various policy management and task settings.

You can view the video on TechNet Edge here: http://edge.technet.com/Media/Forefront-Protection-for-Exchange-Console-Overview-Part-2/

These tutorial videos will help you get up to speed quickly on using the FPE administrator console.

Stay tuned, because there are more FPE and Forefront Protection 2010 for SharePoint (FPSP) videos to come!

Suzanne Greenberg

Forefront Server Protection

Hi this is Steve Lindsay from the Tools and Infrastructure team.

Today we had some potential future bloggers/technology guru's in our midst from East Islip High School. They helped write this post and took all the pictures and followed the posting process from beginning to end to bring you this introduction to some of our team members.

Steve Lindsay,

Signing out...

Microsoft recently released an update on the evolution of the Forefront security management strategy, which will help Forefront Protection 2010 for Exchange (FPE) and Forefront Protection 2010 for SharePoint (FPSP) customers streamline how messaging and collaboration security is managed across the enterprise. 

As part of this strategy, we will be releasing a service pack update to Forefront Server Security Management Console (FSSMC) in the second half of 2010 that will provide centralized management for FPE and FPSP servers in your environment.  The service pack will be provided to all FPE and FPSP customers at no additional cost.  New features in this release will include:

-          Improved user interface

-          Support for Exchange 2010 and Database Availability Group (DAG) Clusters

-          Improved user experience for managing servers deployed outside of the firewall   

We will also be delivering a Forefront Server Script Kit for administrators who want to use Remote PowerShell to configure and report on multiple deployments of FPE and FPSP.   This will allow customers to create server discovery, policy distribution, data collection, and centralized reporting scripts for use with their existing management infrastructures.  The script kit will be posted for free download on the Solution Accelerators site when it becomes available in the second half of 2010. 

In the meantime, if you are interested in getting an early look at the FSSMC Service Pack, you can request to be part of our Customer Advisory Group.   

Brita Jenquin
Sr. Product Manager
Forefront Protection Suite

Hey everyone,

I want to announce and tell you a bit about our plans to provide multi-node management for Forefront Protection 2010 for Exchange Server (FPE) and Forefront Protection 2010 for SharePoint (FPSP). Our new Forefront Protection Server Management Console (FPSMC) 2010 is in the works and aForefront Protection Server Script Kit (FPSSK) will be available for download shortly.

FPSMC 2010 delivers on multi-server node management through an easy to use graphical interface for server discovery, configuration deployment, reporting, quarantine management, update deployment and integration with Forefront Online Protection for Exchange (FOPE). FPSMC is expected to be available as a free download in Q4 2010.

The Forefront Protection Server Script Kit (FPSSK) will also soon be available for download. The FPSSK provides a set of extensible, easy to use command-line scripts that enable server discovery, configuration deployment, reporting and integration with existing management technologies. FPSSK will be available as a free download on July 30^th.

Look for updates on the FPE and FPSP website by the end of July for more information about the FPSSK and FPSMC 2010!

Thanks,

Mike Chan

Forefront Server Team