Microsoft Forefront Server Protection Blog

The official blog of the Forefront Server Protection product team.


  • Announcing the beta 2 public release of Forefront Security 2010 for SharePoint

    We are proud to announce the release of Forefront Security 2010 for SharePoint Beta 2 (FSSP).

    ·         FSSP provides industry leading antimalware protection by simultaneously using up to 5 individual antimalware engines.  Protection is provided for both viruses and spyware. Protection is also provided by 3 separate types of scanning processes: Realtime, Scheduled, and On-demand.  Each type of scan can be configured to use a different set of engines, providing a balance of protection and performance.

     

    ·         FSSP’s new UI delivers monitoring, configuration, and management capabilities. The monitoring section provides a dashboard displaying the individual engine status information. It also includes incidents and quarantine management screens. The monitoring section also provides for the configuration of incident and event notifications.  The tasks section provides the ability to scan individual sites or site collections. The Protection Settings panel allows the configuration of the scan processes. There is also a section for building file and keyword filters.  Finally, it contains sections for scan and engine update settings.

     

    ·         FSSP’s UI is built on top of a fully scriptable PowerShell interface. This interface provides access to the full range of management capabilities through a programmatic interface. It can be used interactively through the Forefront PowerShell console, or programmatically through PowerShell scripting or any other .NET-based programming language.  Common tasks can be automated and integration can be achieved through this flexible interface.

     

    The central management console in the "Stirling" suite provides central management of client and server protection technologies through a unified interface.  The management console allows administrators to create security policies that can be applied to different groups of clients and servers.  Multiple policies can be created and associated with a group of nodes.  This allows the administrator to create different policy settings for different server farms.

     

    The Stirling user interface provides a dashboard view that shows Protection Status, Policy Status, and security risk views. Stirling’s centralized data includes statistics, incidents, and quarantine for all nodes under management. This allows for the centralized management of incidents and quarantine across an enterprise.

    Forefront Security 2010 for SharePoint Server Beta 2 release is a great milestone in our commitment to deliver industry leading malware and filtering protection with an integrated management experience.

    Beta 2 Downloads of FSSP and other Forefront beta products are available here: http://www.microsoft.com/downloads/details.aspx?familyid=65BD5F8A-D94C-457A-9F88-2046597130E1&displaylang=en

    Silver Sun

    Program Manager

    Forefront Security for SharePoint

  • Introducing Forefront Security for Exchange Beta 2 Antispam Technologies

    Hi, my name is Alex Nikolayev and you might remember me for my previous work with Exchange server Transport.  Having an unconditional love for Transport, I moved to Forefront Server Security team to help with delivering cool new features to protect it from all sorts of malware (spam included). 

    Over the years, talking about the spam problem and how to get it under control, we were referencing four major pillars that contribute to the overall strategy and success in the fight against spam:

    1.       Effective Legislation,

    2.       Innovative Technologies,

    3.       Industry Cooperation and Collaboration,

    4.       User Education.

    While I can’t really talk about the legislation (I’m not a lawyer) and user-ed (this needs to be done by every Forefront admin in every Exchange organization), I want to tell you about the new antispam technologies Forefront team delivers in close collaboration with the industry partners.

    Forefront Server Security is well known for integrating the most efficient antimalware engines into the product, so it’s no wonder we decided to do the same for the antispam.  The new Beta 2 release of Forefront Server Security 2010 comes with features that were jointly developed with our external partners.  So what is under the FSE 2010 Beta 2 hood? 

    Today I will talk about the new content filter.  I know it’s an impossible task to cover a wealth of new information in a single blog so this time I will provide only a high level “introductory” overview of what it is and how it functions (do not worry, I will write more blogs about the filter internals, best deployment and configuration practices, and how to get the most out of it). 

    The new Forefront content filter is a result of collaborative work between my team and Cloudmark®.  At the heart of the filter is the Cloudmark Authority® Engine which is natively integrated into Forefront’s antispam framework.  It functions exactly the same way as the antispam content filter engine in Exchange 2007 by verifying the content of the message for spamminess.  The engine produces a raw spam score that is normalized by the content filter agent (actually by the adaptor which does the translation from the raw spam score to SCL) and at the end the content filter agent stamps an SCL value onto the message.  The SCL value is in the same format as the SCLs previously stamped by the Exchange 2007 and Forefront 2007 content filter agents.  So if you have any custom agents acting upon an SCL value on the message, they will continue to function without the need for modification.  The biggest difference in SCL assignments is the SCL range distribution.  Do not expect to see a lot of SCLs between SCL:5 and SCL:9 and do not expect to see anything in the range between SCL:1 and SCL:4 inclusively.  The bulk of messages will be assigned either SCL:-1 or SCL:9.  This means no more garbage in the Junk E-mail Folder!  Sure, occasionally there could be a couple of messages with an SCL:5 or SCL:6, but the bulk of e-mail will be correctly classified as the legitimate or unsolicited bulk e-mail.  Look at the chart below (from the real data supplied by one of the Forefront Beta 2 TAP customers who is running with the Beta 2 build in production):

    [SCL chart: image not reproduced here]

    As you can see, almost 100% of all incoming mail was classified either as good mail or spam!  These results may vary depending on the deployment configuration, but the general trend is that you won’t see a whole lot of messages with SCLs between 0 and 8.
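    The SCL distribution described above can be checked on your own mail, and the threshold logic the SCL feeds into can be made explicit, with the following PowerShell. This is an added example and not code from the original post. The header lines are constructed sample data (the header name X-MS-Exchange-Organization-SCL is the one Exchange 2007 stamps and is not mentioned in the post), and the threshold defaults are assumptions passed as parameters; take the live values from Get-ContentFilterConfig and Get-OrganizationConfig.

```powershell
# Added example, not from the original post: tally the SCL values stamped on a batch of
# messages and show which action each SCL bucket would trigger. The header lines are
# constructed sample data; in practice read them from saved .eml files or from
# Get-AgentLog output. Threshold defaults below are assumptions; take the live values
# from Get-ContentFilterConfig and Get-OrganizationConfig.

$SampleHeaders = @(
    'X-MS-Exchange-Organization-SCL: -1',
    'X-MS-Exchange-Organization-SCL: -1',
    'X-MS-Exchange-Organization-SCL: -1',
    'X-MS-Exchange-Organization-SCL: 9',
    'X-MS-Exchange-Organization-SCL: 9',
    'X-MS-Exchange-Organization-SCL: 9',
    'X-MS-Exchange-Organization-SCL: 5',
    'X-MS-Exchange-Organization-SCL: 0',
    'Subject: not an SCL header at all'
)

function Get-SclValue {
    # Extract the integer SCL from one raw header line; $null when the line is not an SCL header.
    param([Parameter(Mandatory = $true)][string]$HeaderLine)
    if ($HeaderLine -match '^X-MS-Exchange-Organization-SCL:\s*(-?\d+)\s*$') {
        return [int]$Matches[1]
    }
    return $null
}

function Get-SclHistogram {
    # Count messages per SCL over the whole -1..9 range so empty buckets stay visible.
    # With the new filter, expect the mass at -1 and 9 and near-empty buckets in between.
    param([Parameter(Mandatory = $true)][string[]]$HeaderLines)
    $counts = @{}
    foreach ($scl in (-1)..9) { $counts[$scl] = 0 }
    foreach ($line in $HeaderLines) {
        $scl = Get-SclValue -HeaderLine $line
        if ($null -ne $scl -and $counts.ContainsKey($scl)) { $counts[$scl]++ }
    }
    $total = ($counts.Values | Measure-Object -Sum).Sum
    foreach ($scl in (-1)..9) {
        $pct = 0
        if ($total -gt 0) { $pct = [math]::Round(100 * $counts[$scl] / $total, 1) }
        [pscustomobject]@{ SCL = $scl; Count = $counts[$scl]; Percent = $pct }
    }
}

function Get-SclAction {
    # Map an SCL to the action the content filter agent or the mailbox junk threshold takes.
    # Delete, Reject and Quarantine fire at or above their thresholds, evaluated in that order;
    # the junk threshold fires when the SCL is strictly greater than it.
    # SCL -1 means filtering was bypassed (trusted sender/connector) and the mail is delivered.
    param(
        [Parameter(Mandatory = $true)][int]$Scl,
        [int]$DeleteThreshold     = 9,   # assumed default; see Get-ContentFilterConfig
        [int]$RejectThreshold     = 7,   # assumed default
        [int]$QuarantineThreshold = 9,   # assumed default
        [int]$JunkThreshold       = 4,   # assumed default; see Get-OrganizationConfig
        [switch]$DeleteEnabled,
        [switch]$RejectEnabled,
        [switch]$QuarantineEnabled
    )
    if ($Scl -lt 0) { return 'Deliver (filtering bypassed)' }
    if ($DeleteEnabled     -and $Scl -ge $DeleteThreshold)     { return 'Delete' }
    if ($RejectEnabled     -and $Scl -ge $RejectThreshold)     { return 'Reject' }
    if ($QuarantineEnabled -and $Scl -ge $QuarantineThreshold) { return 'Quarantine' }
    if ($Scl -gt $JunkThreshold) { return 'Junk E-mail folder' }
    return 'Deliver to Inbox'
}

# Usage: the histogram first, then what each SCL bucket triggers with rejection enabled.
Get-SclHistogram -HeaderLines $SampleHeaders | Format-Table -AutoSize
(-1)..9 | ForEach-Object {
    [pscustomobject]@{ SCL = $_; Action = (Get-SclAction -Scl $_ -RejectEnabled) }
} | Format-Table -AutoSize
```

    A bimodal histogram (nearly everything at -1 or 9) means the Junk E-mail folder stays close to empty whatever the junk threshold is set to, and the reject or delete threshold does the real work; a fat middle means the thresholds, not the engine, decide what users see.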

    You might ask what about the accuracy of the engine and whether you can trust these results?  Just recently, the Forefront Security for Exchange running on Beta 2 build with the new Cloudmark-based content filter was rigorously tested by the West Coast Labs on live spam for 2 weeks. At the end of the test, FSE was awarded a Checkmark certification as a Premium product. Throughout the testing cycle the filter maintained a detection rate of 99%. 

    I realize it’s quite a departure from the model and behavior we all got so used to – open the Junk E-Mail Folder in the morning and comb through the junk triaging it for potential false positives…  Guess what – no more junk with the new Forefront content filter so you’ll get your time back! 

    Now keep in mind that this is not a silver bullet against spam.  Spammers constantly find ways to penetrate through the best defenses and deliver spam.  However, with our new Forefront Content Filter backed by Cloudmark’s technology with real-time response via Global Threat Network™ and advanced fingerprinting algorithms allowing for identification of spam mutations in real time, you will feel much safer and better protected from new spam outbreaks.

    Alex Nikolayev

    Program Manager

    Forefront Server Security

  • Announcing the beta 2 public release of Forefront Security 2010 for Exchange Server

    Hello.  My name is Mitch Hall, and I am a program manager on the Forefront Server Security team.  Today, we are proud to announce the release of Forefront Security 2010 for Exchange Server Beta 2 (FSE), which can be used with Exchange 2007 SP1 and Exchange 2010 beta 1.  FSE provides industry leading antimalware protection by simultaneously using up to 5 individual antimalware engines.  Protection is provided for both viruses and spyware. Protection is provided by 4 separate types of scanning processes: Transport, Realtime, Scheduled, and On-demand.  Each type of scan can be configured to use a different set of engines, providing a balance of protection and performance.

    FSE has additional antispam capabilities using the newly integrated Cloudmark engine. This engine along with connection, keyword, and file filtering provides a broad array of scanning and filtering capabilities.  This solution provides industry leading spam protection.

    FSE’s new UI delivers monitoring, configuration, and management capabilities. The monitoring section provides a dashboard displaying the individual engine status information. It also includes incidents and quarantine management screens. The monitoring section also provides for the configuration of incident and event notifications.  The tasks section provides the ability to scan individual mailboxes or public folders. The Protection Settings panel allows the configuration of the scan processes, antispam, connection and recipient filtering. There is also a section for building file, sender, keyword, and domain filters.  Finally, it contains sections for scan and engine update settings.

    FSE’s UI is built on top of a fully scriptable PowerShell interface. This interface provides access to the full range of management capabilities through a programmatic interface. It can be used interactively through the Forefront PowerShell console, or programmatically through PowerShell scripting or any other .NET-based programming language.  Common tasks can be automated and integration can be achieved through this flexible interface.

    The introduction of the Microsoft Forefront Management Console, codename Stirling, provides central management of client and server protection technologies through a unified interface.  This interface allows administrators to create security policies that can be applied to different groups of clients and servers.  Multiple policies can be created and associated with a group of nodes.  This allows the administrator to create different policy settings for FSE Hub servers and FSE Mailbox servers.

    The Stirling user interface provides a dashboard view that shows Protection Status, Policy Status, and security risk views. Stirling’s centralized data includes statistics, incidents, and quarantine for all nodes under management. This allows for the centralized management of incidents and quarantine across an enterprise.  In addition to FSE’s traditional on-premise antispam solutions, integration with Forefront Online Security for Exchange (formerly known as EHS) provides a hybrid on-premise/hosted solution. This service provides a hosted scanning option with on-premise management. This integration is currently offered via FSE integration with Stirling management. Details about Forefront Online Security for Exchange can be found at: http://www.microsoft.com/online/exchange-hosted-services.mspx

    Forefront Security 2010 for Exchange Server Beta 2 release is a great milestone in our commitment to deliver industry leading malware and spam protection with an integrated management experience.

    Additional information can be found on our TechNet site:

    http://technet.microsoft.com/en-us/evalcenter/cc339029.aspx

    http://technet.microsoft.com/en-us/forefront/stirling/default.aspx

    The following Beta 2 downloads are now available:

    Forefront Security for Exchange Server:   

    http://www.microsoft.com/forefront/serversecurity/exchange/en/us/next-generation.aspx

     

    Forefront Security for SharePoint:

    http://www.microsoft.com/forefront/serversecurity/sharepoint/en/us/next-generation.aspx

     

    Forefront Stirling Management Server: http://www.microsoft.com/Forefront/stirling/en/us/default.aspx

     

    Forefront Client Security:  

    http://www.microsoft.com/forefront/clientsecurity/en/us/next-generation.aspx

     

    Forefront Threat Management/ISA:    

    http://www.microsoft.com/forefront/edgesecurity/isaserver/en/us/default.aspx

     

    Mitch Hall

    Program Manager

    Forefront Server Security

  • Increasing timeout values for engine definition updates

    SUMMARY:

     

    Due to increases in the size of antivirus definitions over time, we suggest that Antigen and Forefront Server customers increase the timeout value for downloading these updates.  While the current default value of 5 minutes has worked well, recent changes in one engine highlight the need to monitor and adjust this value.

     

    Additionally, we recommend applying the latest hotfix rollups to resolve a specific issue that could cause production outages for customers on slow and/or high-latency links.

     

    BACKGROUND:

     

    When we released the new version of the Norman engine (http://blogs.technet.com/fss/archive/2009/03/27/norman-engine-5-93-8-released.aspx), the size of the full update package increased by approximately 18MB.  Within 24 hours, we had received a small number of reports where one or more of the following symptoms occurred:

     

    ·         Mail queuing as a result of crashes in AntigenRealtime.exe/AntigenInternet.exe (Antigen 9) and FSCRealtimeScanner.exe/FSCTransportScanner.exe (Forefront Server).

    ·         Services failing to start due to crashes in service executables.

     

    Our investigation determined that these crashes were a combination of several factors:

     

    ·         The download and install of the full package was timing out before it was completed.

    ·         An issue, resolved in our latest released code, allowed a partial install of the new engine and definitions to take place, leaving the system in a state where it had a combination of old and new files.

     

    Working with our affected customers, we determined that this issue could be resolved by increasing the timeout value for the download and successfully updating to the latest version of the engine package.

     

    ACTION:

     

    The largest takeaway here is that customers should increase the download timeout to a value larger than 5 minutes.  This change should be made on all servers that download engine updates from the Internet and any that have slow and/or high-latency links to internal distribution servers. 

     

    This value is stored in the registry.  Follow these steps to change it:

     

    1.       In the Registry Editor, open HKEY_LOCAL_MACHINE\SOFTWARE\Sybari Software\Antigen for Exchange (this is the Antigen for Exchange key; the corresponding key for the other Antigen and Forefront Server products is given in KB939411, linked below).

    2.       Locate the EngineDownloadTimeout value (a DWORD holding the timeout in seconds).

    3.       Open it for editing.

    4.       With the Decimal base selected, change the value to 1500.

     

    This will set the timeout to 25 minutes.  For more information about this value and making changes to it, refer to KB939411 (http://support.microsoft.com/kb/939411/en-us).
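    The registry change, and the decision whether the 5 minute default is enough for your link, can be scripted. The following PowerShell is an added example and not part of the original post: the Antigen key is the one given in the steps above, the two Forefront Server Security keys are assumptions to be confirmed against KB939411 before use, and the script assumes an absent value means the 5 minute default. Run it elevated on each server that downloads engine updates.

```powershell
# Added example, not from the original post: estimate the timeout a package needs over a
# given link, then read and raise EngineDownloadTimeout. The Antigen key is from the post;
# the two Forefront Server Security keys are ASSUMPTIONS (confirm against KB939411).

function Get-RequiredTimeoutSeconds {
    # Seconds needed to pull a package of the given size over the given link, with headroom.
    # This is the check that tells you whether 300 s (the 5 minute default) is enough.
    param(
        [Parameter(Mandatory = $true)][double]$PackageMegabytes,
        [Parameter(Mandatory = $true)][double]$LinkKilobitsPerSecond,
        [double]$HeadroomFactor = 2.0   # slow-link jitter and the install step after the download
    )
    $transferSeconds = ($PackageMegabytes * 1024 * 1024 * 8) / ($LinkKilobitsPerSecond * 1000)
    return [int][math]::Ceiling($transferSeconds * $HeadroomFactor)
}

function Set-EngineDownloadTimeout {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [ValidateSet('Antigen', 'ForefrontExchange', 'ForefrontSharePoint')]
        [string]$Product = 'Antigen',
        [ValidateRange(300, 86400)]
        [int]$TimeoutSeconds = 1500      # 1500 s = 25 minutes, the value the post recommends
    )
    $keys = @{
        Antigen             = 'HKLM:\SOFTWARE\Sybari Software\Antigen for Exchange'
        ForefrontExchange   = 'HKLM:\SOFTWARE\Microsoft\Forefront Server Security\Exchange Server'    # assumed
        ForefrontSharePoint = 'HKLM:\SOFTWARE\Microsoft\Forefront Server Security\SharePoint Server'  # assumed
    }
    $key = $keys[$Product]
    if (-not (Test-Path $key)) {
        throw "Registry key not found: $key (is $Product installed on this host?)"
    }
    $current = (Get-ItemProperty -Path $key -Name EngineDownloadTimeout -ErrorAction SilentlyContinue).EngineDownloadTimeout
    if ($null -eq $current) { $current = 300 }   # assumption: no value present means the 5 minute default
    if ($current -ge $TimeoutSeconds) {
        Write-Verbose "EngineDownloadTimeout is already $current s on $Product; nothing to do."
        return $current
    }
    if ($PSCmdlet.ShouldProcess("$key\EngineDownloadTimeout", "set to $TimeoutSeconds s (was $current s)")) {
        # Stored as REG_DWORD; the Registry Editor shows it in decimal, matching step 4 above.
        Set-ItemProperty -Path $key -Name EngineDownloadTimeout -Value $TimeoutSeconds -Type DWord
        return (Get-ItemProperty -Path $key -Name EngineDownloadTimeout).EngineDownloadTimeout
    }
    return $current
}

# Usage: a 30 MB package over a 256 kbps link needs well over the 300 s default on transfer alone.
Get-RequiredTimeoutSeconds -PackageMegabytes 30 -LinkKilobitsPerSecond 256
# Preview the change, then drop -WhatIf to apply it.
Set-EngineDownloadTimeout -Product Antigen -TimeoutSeconds 1500 -WhatIf
```

    The estimate is deliberately pessimistic: a timeout that is too generous costs nothing when the link is fast, while one that is too tight reproduces the partial-install failure described above.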

     

    Additionally, the latest hotfix rollups for Antigen 9, Forefront Server for Exchange, and Forefront Server for SharePoint include code changes that minimize the possibility of engines being partially installed during a timeout.  We recommend that customers obtain and apply the following:

     

    Antigen 9.0 with Service Pack 1 Hotfix Rollup 5:  http://support.microsoft.com/kb/957075

    Forefront Security for Exchange Server with Service Pack 1 Hotfix Rollup 3:  http://support.microsoft.com/kb/951629

    Forefront Server for SharePoint with Service Pack 2 Hotfix Rollup 1:  http://support.microsoft.com/kb/955982

    Neil Carpenter
    Senior Escalation Engineer, CSS Security Support Team

  • Norman Engine 5.93.8 Released

    A new version of the Norman engine was released through the Forefront Server Security Rapid Update system on March 26, 2009. The Norman update package was made available for download at approximately 8:30 am EST on that day.

     

    Release Details

    This is the first new Norman engine release since we rolled back the 5.93.6.0 engine on February 26, 2009 in response to the increase in memory usage by that engine version (see blog entry Update on the recent Norman antivirus engine issue). Since then and up until March 26, we have been distributing the Norman 5.93.1.0 engine and providing daily signature updates for that version.

     

    The Norman 5.93.8.0 engine that was released on March 26, 2009 incorporates several important changes and does so in a way that does not result in a significant increase in memory usage requirements.

    §  The engine initialization time has been decreased significantly. In our test environments, we do not see timeouts or delayed load times by the Norman engine.

    §  The root cause of many Dr. Watson reports and intermittent Norman engine crashes on engine unload has been resolved in the 5.93.8.0 engine.

    Update Package Details

    The following information can be used to verify that the update package containing the 5.93.8.0 Norman engine has been successfully downloaded.

     

    Forefront Server Security or Antigen 9 Products and Service Pack Releases

    In the Forefront Server Security Admin client, navigate to the SETTINGS…Scanner Updates panel. The following update version or greater should be displayed for the Norman engine:

                      Update Version: 0903260002

     

    **Due to the engine version formatting in place, the Engine version will still show as 5.93.0. The verification steps described below for Antigen 8.0 customers can be used to verify the correct version of the actual Norman engine file.

     

    Stirling Wave

    In the Forefront Server Security Admin client, navigate to the Overview…Dashboard panel and look for the following information for the Norman Virus Control engine:

                      Engine Version: 5.93.8.0

     

     

    Antigen 8.0

    The release of the new Norman engine for Antigen 8.0 customers is planned for Monday, March 30, 2009.

     

    Antigen 8.0 customers can check the version properties on the nse_w32.dll after the update has been posted to verify that the new Norman engine has been downloaded. The version should equal 5.93.8.0. The nse_w32.dll file can be found under the product installation folder along the following path:

     

    …\Data\Engines\x86\norman\bin
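    The file-version check described above can be scripted so it is run the same way on every server. The following PowerShell is an added example and not code from the original post; the relative path under the installation folder is the one given above, and the installation root passed in the usage line is an assumed placeholder to be replaced with your own.

```powershell
# Added example, not from the original post: confirm that the Norman engine binary on disk is
# 5.93.8.0 or later by reading its file version. The relative path is from the post;
# $InstallRoot is an assumption and must point at your product's installation folder.

function Test-NormanEngineVersion {
    param(
        [Parameter(Mandatory = $true)][string]$InstallRoot,
        [version]$MinimumVersion = '5.93.8.0'
    )
    $dll = Join-Path $InstallRoot 'Data\Engines\x86\norman\bin\nse_w32.dll'
    if (-not (Test-Path $dll)) {
        return [pscustomobject]@{
            Path = $dll; FileVersion = $null; IsCurrent = $false
            Note = 'nse_w32.dll not found; check the installation root'
        }
    }
    $info = (Get-Item $dll).VersionInfo
    # Build a [version] from the numeric parts and compare as versions, not as strings:
    # a lexical compare would put '5.93.10.0' before '5.93.8.0'.
    $ver = New-Object System.Version -ArgumentList $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart
    $isCurrent = ($ver -ge $MinimumVersion)
    $note = 'engine updated'
    if (-not $isCurrent) { $note = 'still on an older engine; check the download timeout (KB939411) and retry the update' }
    [pscustomobject]@{ Path = $dll; FileVersion = $ver; IsCurrent = $isCurrent; Note = $note }
}

# Usage: the installation root below is an assumed placeholder.
Test-NormanEngineVersion -InstallRoot 'D:\Antigen' | Format-List
```

    The same check works for any product listed under Applies To, since the engine folder layout is the same; only the installation root changes.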

     

    Other Release Notes

    The size of the Norman update package has increased by approximately 30 MB. Customers who have limited network bandwidth between the product installation and the Microsoft download center may experience longer download transmission times. If timeouts occur, the default timeout setting for engine updates can be increased by setting a registry key. The following KB article provides instructions for doing this: http://support.microsoft.com/kb/939411/en-us.

     

     

    Applies To

    Antigen 9.0 for Exchange, Antigen 9.0 for SMTP Gateways, Forefront Security for Exchange, Forefront Security for SharePoint, Forefront Security for Office Communications Server and the Forefront Security for Exchange and Forefront Security for SharePoint product versions that are part of the Stirling Wave release, Antigen 8.0 for Microsoft Exchange, Antigen 8.0 for Microsoft SharePoint, and Antigen 8.0 for IM. 

     

    Molly Gilmore

    Program Manager - Forefront Server Security

  • Using Multiple Engines for Fast, Effective Protection of IM Environments

    Forefront Security for Office Communications Server integrates multiple antimalware engines from Microsoft and industry-leading partners to provide comprehensive protection against the latest threats.  People often ask us what the big deal is about using multiple engines in our Forefront products.   Well, multiple engines provide many advantages, which include:

     

    -          Increasing the chance that any single threat to your instant messaging environment will be caught.

    -          Providing redundancy against scan failures or defects in individual engines.

    -          Eliminating downtime during engines updates – if an engine goes offline for updates, the remaining engines continue to scan IM traffic.

     

    We continually monitor antimalware engine quality and detection rates using internal and 3rd party independent testing organizations to ensure we are providing comprehensive protection for customers.  Recently, we worked with AVTest.org, an independent third-party testing lab, to compare the response times of the engine set in Forefront Security for Office Communications Server against those of leading single-engine products. 

     

    AVTest.org tested response times for 244 “in the wild” viruses and variants that appeared from October-December 2008.  Results were provided for the Forefront Security for Office Communications Server engine set, as well as three leading single-engine vendors.  Results showed that while 169 of the viruses were proactively detected by all of the products tested, 75 showed significant variation in detection times.  For these, the Forefront Security for Office Communications Server engine set had an average detection time of less than one hour.  The three competitive single-engine solutions had average detection times of 34 hours, 32 hours and 124 hours respectively.  The results show that the Forefront Security for Office Communications Server multi-engine solution provides much faster, more effective protection against the latest threats than single-engine vendors.  Detailed data about the test is shown in the chart below:

     

    [multi-engine detection time table: image not reproduced here]

     

    Brita Jenquin

    Sr. Product Manager

    Forefront Security Products

  • Forefront Security for Office Communications Server RTM Launch

    The Forefront Security for Office Communications Server (FSOCS) RTM version was launched on March 16, 2009. The product engineering team would like to provide some insight into the evolution of this product as we’re very excited about this release and some of the new capabilities included that secure IM in key OCS 2007 and OCS 2007 R2 scenarios. FSOCS secures all IM activity within OCS Enterprise and Standard edition deployment topologies in both OCS 2007 and OCS 2007 R2.

     

    FSOCS is an evolution of the Antigen 8.0 for Live Communications Server product. Some of the same team members that worked on significant performance improvements on that product took on lead roles in developing and testing FSOCS. We heard customer feedback on the importance of providing a stable, performant product and so a lot of design and test effort was applied by the FSOCS engineering team into achieving this goal.

     

    We collaborated closely with the Office Communications Server team to understand the behavior of some of the new OCS server roles FSOCS supports. For example, a key scenario that FSOCS secures is IM with external users.  This requires securing the OCS Access Edge server role, which is typically deployed in the network perimeter. By supporting this role, IM between internal employees and federated organizations, or users of public IM networks, can be secured by FSOCS. In addition, IM will be scanned and filtered by FSOCS at the Edge in the scenario where an internal employee, who has an identity within Active Directory but who is logged in remotely at an airport outside of the VPN, is sending IM to colleagues inside the corporate network.

     

    Additional integration was done to publish FSOCS performance counters that can be easily correlated with OCS performance counters so that administrators can view the end-to-end health and activity of their IM infrastructure. Support for new media content types generated by Office Communicator 2007 is included so that no IM content will be transmitted that has not been scanned by FSOCS.

     

    These are just a few of the new features available in FSOCS. Look for more information on FSOCS and best practice recommendations on this blog going forward.

     

    We hope you will download the evaluation version of FSOCS, which can be found on the Microsoft FSOCS Download Page and is available in 11 different languages.

     

    Feedback to the product team is welcome and there are several ways to reach us:

     

    Microsoft Forefront Security for OCS TechNet Forum

     

    Microsoft Connect Feedback Site for FSOCS

     

    Molly Gilmore

    Program Manager - Forefront Server Security

  • Other blogs and content of interest for FSS users

    Hey folks,

     

    I am a member of the FSS User Assistance (UA) team. To stay current with our products and related technologies, I read blogs and other online technology sites to keep up with new technologies, tips, and general info about security, messaging, and collaboration. I thought I would share some information about some blogs and other sites Forefront server security products users might find interesting and helpful.

     

    Enjoy!

     

    FSS Nerds: (http://blogs.technet.com/fssnerds/)

     

    This blog is written by members of the FSS Customer Service and Support team. They use their blog to share tips about using Forefront server security and Antigen products. Recent posts have included tips on using the Antigen Spam Manager (ASM) in conjunction with Microsoft Exchange Intelligent Message Filtering (IMF), how to figure out if a new malware is being caught by the antimalware engines integrated in FSS and Antigen, and information about the Antigen/Forefront worm list. Check it out regularly for tips and tricks from the best support engineers in the business.

     

    The Microsoft Exchange Team Blog: (http://msexchangeteam.com/)

     

    Get all the news about Microsoft Exchange from the people who should know – the Exchange product team. Tips, tricks, what’s new; you name it, if it is about MS Exchange, you can probably find it here. Recent posts include info on updates to the installation guide, recent changes to Exchange’s support policy, and a sneak peek at E14 – the next generation of Exchange server. Check it out.

     

    The Microsoft Security Response Center (MSRC): (http://blogs.technet.com/msrc/default.aspx)

     

    Get the latest news on malware and other security issues from the MS Security Response Center. Recent posts include information on the Conficker worm and the March security bulletin from MSRC. Stay up on the latest threats to your messaging environment and other computer systems.

     

    TechNet Magazine: (http://technet.microsoft.com/en-us/magazine/default.aspx)

     

    This is not a blog, but rather an online magazine dedicated to Microsoft technologies. In the most recent edition you will find articles about Internet Explorer 8, Active Directory, Office Communications Server, and using Hyper-V virtual environments to increase server availability. There are also regular columns, news, and tips in every edition.

     

    Henrik Walther’s blog: (http://blogs.msexchange.org/walther/)

     

    Henrik Walther is a Microsoft Exchange MVP and MCSE Security/Messaging who works as a system specialist for Interprise Consulting A/S in Denmark. He writes about all things Exchange and is an excellent source for news, tips, and best practices for MS Exchange and messaging infrastructures.

     

    The Microsoft SharePoint Team blog: (http://blogs.msdn.com/sharepoint/)

     

    This is the official blog of the SharePoint development team. The team provides the latest news about SharePoint as well as tips, interviews, and information to help you get the most out of your SharePoint servers. Recent posts include information on the latest updates, an interview with product manager Arpan Shah who discusses SharePoint’s content management capabilities and other features, and information about the SharePoint developer challenge.

     

    The Forefront TMG (ISA Server) Team blog: (http://blogs.technet.com/isablog/)

     

    If you are using the Forefront Threat Management Gateway (TMG; formerly known as ISA server) on your Edge, this blog is for you. The TMG team and friends provide up to the minute information about configuring, tuning, and troubleshooting your TMG servers. Recent posts include information on using a “honey pot” to catch malware, several troubleshooting posts, and information on new articles in the TMG “Tales from the Edge” series. Peek over the Edge today!

     

    The Forefront Server Security forums: (http://social.technet.microsoft.com/Forums/en-US/category/forefrontserversecurity/)

     

    The Forefront Server Security forums are not blogs, but if you have a question about Forefront Security for Exchange Server (FSE), Forefront Security for SharePoint (FSSP), Forefront Security for Office Communications Server (FSOCS), Forefront Server Security Management Console (FSSMC), or Antigen you can post it here and enlist the help of our community of experts to answer your question.  Even if you don’t have a question, you can learn a great deal about our products by reading the questions others post and the answers they receive.

    Michel LaFantano

    Forefront Server Security UA - Lead

  • Using Microsoft Exchange IMF and Antigen Advanced Spam Manager Together

    My name is Paul Gruner, and I am a Customer Service and Support engineer at Microsoft.  We often get questions about how Microsoft Exchange Intelligent Message Filtering (IMF) and the Antigen Advanced Spam Manager (ASM) work together.

     

    The short answer is that when IMF and ASM are installed on the same gateway, the IMF engine will scan messages first. As part of this scan, a Spam Confidence Level (SCL) rating is applied to each mail. The message is then passed to ASM, which also scans the message. The way the SCL is designed, a higher rating always takes precedence over a lower rating, so ASM will never lower a score provided by IMF. This means that decisions made by IMF remain valid, even if the SpamCure engine misjudges a spam and rates it a zero.

     

    For further details about both features, and for an illustration how both features play together, please read my post on the Microsoft CSS blog: How do Exchange IMF and Antigen Advanced Spam Manager work together?

     

    Cheers,

     

    Paul Gruner

    Microsoft CSS (Customer Service and Support)

  • Updating the Forefront Server Security and Antigen documentation on TechNet

    Hi, my name is Scott, and I'm a technical writer in the Forefront Server Security (FSS) User Assistance (UA) group here on Long Island, New York. Every few months or so, we update our existing “legacy” documentation on our TechNet Web site, and this post is to make you aware of our last couple of updates. (P.S. By “legacy” content I mean products that are already supported in production environments, such as Antigen Version 9 and our Forefront Server Security Version 10 products.)

    My group works closely with the Customer Support Services (CSS) group, who are a great resource for obtaining feedback directly from our customers, and who often alert us about areas of our documentation that need improvement or additions that we should make. For example, just this past February 2009 we refreshed our content on TechNet to include information about using Forefront Security for Exchange Server (FSE) or Forefront Security for SharePoint (FSSP) in Hyper-V virtual environments. This info was added to the installation chapters of our user guides, and while adding it we made further improvements to this chapter as well. There were also several other smaller doc enhancements, such as clarifying how the General Options setting Scan on Scanner Update affects realtime proactive scanning.

    Our prior TechNet update was in August 2008 and was quite extensive. Among other things, we added:

    • A thorough troubleshooting appendix to the Antigen Enterprise Manager (AEM) User Guide.
    • For disaster recovery purposes, detailed backup and restore procedures to the user guides for FSE, FSSP, Antigen for Exchange and Antigen for SMTP Gateways, AEM, and Forefront Server Security Management Console (FSSMC).

    Also, during the course of refreshing TechNet we collaborated with the CSS team to review existing Knowledge Base articles (or KBs): some were updated and significantly improved, others were removed because we found outdated info, and some were rolled into the core docs where appropriate.

    So, that’s that; I just wanted to say a few words about our present and prior FSS TechNet updates. It’s also worth noting that the main page of the FSS TechNet Library is located at the following URL: http://go.microsoft.com/fwlink/?LinkId=143540, that our TechNet Library always contains the “latest and greatest” versions of our documentation, and that we will continue to update our legacy content as needed. We are also working on updating our robust doc set for the “next generation” Beta 2 version of our FSE and FSSP products, and docs for our soon-to-be-released Forefront Security for Office Communications Server (FSOCS) Version 10.2 product.

    Finally, another good resource for obtaining info about our products is the Forefront Server Security Forums (http://social.technet.microsoft.com/Forums/en-US/category/forefrontserversecurity), where you can easily interact with other customers and trained support professionals. Note that a Passport account is needed to access the Forums.

    That's all for now. Hope that this information has been useful and thanks for reading.

    Scott Floman

    Technical Writer

    Forefront Server Security

  • Update on the recent Norman antivirus engine issue

    Hello, my name is Molly Gilmore and I’m a program manager on the Forefront Security Rapid Response Engineering team. I work closely with our antivirus engine partners on support and technical integration issues. Others on the team and I have been working closely with the Norman engineering team to resolve some of the issues reported recently as a result of long engine initialization times and increased memory usage by the Norman engine.

    Here is the status update for Forefront Security for Exchange/SharePoint and Antigen customers affected by the recent memory usage increase by the Norman engine that was released on February 24, 2009 in update package 0902240003.

    Symptoms:

    On February 27, 2009, Microsoft Antigen customers began reporting significant increases in the amount of memory utilized by the Norman Virus Control engine. Memory required by Antigen scan jobs that had the Norman engine enabled started to exceed 350 MB per scanning process. For some customers, the impact was a significant reduction in available memory for other applications and processes and an allocation of all of the available system page pool by Antigen. There were also fail-over events reported by customers running Antigen in a clustered environment. The Antigen and Forefront Server (including the Stirling wave) product lines distribute the same version of the Norman engine; however, given the recommended server specifications for the Forefront Server products, which typically result in more memory available on a server, fewer Forefront Server customers reported issues.

    The timing of the increased memory utilization by the Norman engine coincides with the release of the 5.93.6 Norman engine version, which was made available for customers to download on Tuesday, February 24, 2009 in update package 0902240003.

    The Norman 5.93.6 engine release incorporated performance improvements meant to reduce the time it takes for the Norman engine to initialize and load. The current, released versions of the Forefront Server and Antigen products trigger an engine unload and reload every time a signature update for an engine occurs; a reduction in engine load times means the engine is back online and scanning sooner.

    The root cause of the issue in the Norman 5.93.6 engine has been identified. Part of the intended performance improvements in Norman 5.93.6 included a change to keep in memory signature definition information that was previously written to disk. The result was an average increase of about 50 MB of memory usage each time the Norman engine loaded. Each scan job running within Antigen (and Forefront Server) loads its own instance of each enabled engine, so the cumulative result for an Antigen deployment with four Realtime scan jobs would be an additional ~200 MB of memory allocated by the Norman engine on the server.

    Status:

    The Norman release posted on February 24, 2009 containing the Norman 5.93.6 engine with the increased memory usage was rolled back on Thursday, February 26 to the Norman engine version originally posted on February 13, 2009. This happens automatically through our Rapid Update system.  If you have downloaded a Norman update package with a version of 0902260005 or greater, then you have replaced the version of the Norman engine that requires higher amounts of memory with one that had been successfully deployed to customers previously. If you have downloaded the roll-back package, viewing the version properties of the Nse_W32.dll file that is part of the Norman engine should display a version number of 5.93.1.
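    To confirm which Norman build a server is actually running after the roll-back, the following PowerShell script is an added example; it is not code from this blog post or from the Antigen/Forefront products. It searches the product's Engines folder for Nse_W32.dll and reports whether each copy's file version matches the 5.93.1 build named above. The install root is a placeholder, and because the post does not give the Norman engine's folder name under Engines, the search is recursive.

```powershell
# Added example; not code from the blog post, Antigen or Forefront.
# Assumptions: $InstallRoot is a placeholder path; the Norman engine folder
# under "Engines" is not named in the post, so Nse_W32.dll is located by a
# recursive search. Works on Windows PowerShell 2.0 and later.

param(
    [string]$InstallRoot      = 'C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server',  # placeholder
    [version]$ExpectedVersion = '5.93.1'   # Nse_W32.dll version the post names for the rolled-back engine
)

function Get-NormanEngineStatus {
    param([string]$Root, [version]$Expected)

    $enginesPath = Join-Path $Root 'Engines'
    if (-not (Test-Path $enginesPath)) {
        throw "Engines folder not found: $enginesPath"
    }

    # -Force includes hidden files; -Recurse because the engine folder name is assumed, not known.
    Get-ChildItem -Path $enginesPath -Filter 'Nse_W32.dll' -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $raw = $_.VersionInfo.FileVersion
            $ver = $null
            # Keep only the leading dotted-number part; some binaries append build text.
            if ($raw -match '^\s*(\d+(\.\d+){1,3})') { $ver = [version]$Matches[1] }

            if ($ver -eq $null) {
                $status = 'UNKNOWN: no parsable file version'
            } elseif ($ver.Major -eq $Expected.Major -and $ver.Minor -eq $Expected.Minor -and $ver.Build -eq $Expected.Build) {
                $status = 'OK: rolled-back engine build'
            } elseif ($ver -gt $Expected) {
                # 5.93.6 is the build the post describes; confirm which update package delivered it.
                $status = 'CHECK: newer than the rolled-back build; confirm the update package it came from'
            } else {
                $status = 'CHECK: older than the rolled-back build'
            }

            New-Object PSObject -Property @{
                Path        = $_.FullName
                FileVersion = $raw
                Status      = $status
            }
        }
}

Get-NormanEngineStatus -Root $InstallRoot -Expected $ExpectedVersion | Format-Table -AutoSize
```

    Only the major, minor and build numbers are compared, because the file's version string usually carries a fourth (revision) component that a bare `5.93.1` does not. Run the script once per scan-engine host; a result other than "OK" on a server that has already downloaded package 0902260005 or later is worth raising with support.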

     

    The RRE team has worked with the Norman engineering team to identify a solution that will be incorporated into a new version of the Norman engine. Initial testing is underway at Microsoft to validate that the expected decrease in memory usage is present in the new Norman engine and that the improved Norman initialization times have been maintained. Once test results have been reviewed, we will update this blog with a description of the release and planned distribution dates to our customers through the Rapid Update distribution channel.

    This issue applies to:

    Antigen for Exchange, Antigen for SharePoint, Antigen for SMTP Gateways, Forefront Security for Exchange Server, Forefront Security for SharePoint, Forefront Security for Office Communications Server, and the Forefront Security for Exchange and Forefront Security for SharePoint product versions that are part of the Stirling wave release.

    Molly Gilmore

    Program Manager

    Forefront Server Security

  • Rollup 2 for Microsoft Forefront Server Security Management Console has been released

    Please use the following link to download Rollup 2 for Microsoft Forefront Server Security Management Console.

    http://support.microsoft.com/kb/960814

    Issues that this hotfix package fixes

    This hotfix package fixes the following issues:

    • 960875  (http://support.microsoft.com/kb/960875/ ) Error message when you use Microsoft Forefront Server Security Management Console to update the scan engines: "ERROR: A standard exception was caught in GetEngineFiles. invalid string position"
    • 960876  (http://support.microsoft.com/kb/960876/ ) How to manually deploy a Forefront Server Security Management Console deployment agent to remote managed server
    • 960999  (http://support.microsoft.com/kb/960999/ ) The Microsoft Forefront Server Security Management Console (FSSMC) Deployment Agent File Structure has changed
    • 961000  (http://support.microsoft.com/kb/961000/ ) You cannot use Forefront Server Security Management Console to collect data from Forefront Security for Exchange Server on an Exchange Single Copy Cluster cluster
    • 961001  (http://support.microsoft.com/kb/961001/ ) Error message when you try to upgrade the Forefront Server Security Management Console Primary role of SQL Server 2005: "FSSMC database files at %DBDataPath%\SybariEnterpriseManagerDist.MDF, please delete them first then retry install"
    • 961022  (http://support.microsoft.com/kb/961022/ ) The Forefront Server Security Management Console diagnostics .zip files are named incorrectly when they are created
    • 961026  (http://support.microsoft.com/kb/961026/ ) When you try to access the Microsoft Forefront Server Security Management Console (FSSMC) Quarantine Manager, you find that only the installation account can manage the quarantine
    • 961125  (http://support.microsoft.com/kb/961125/ ) Error message when you try to install a Korean version of Forefront Security for Exchange Server when you are using a Korean version of Forefront Server Security Management Console: "szErrorDesc"

    Holly Kipp

    Antigen/Forefront Support

    PSS Microsoft Security

  • Rollup 5 for Antigen 9.0 with Service Pack 1 has been released

    Please use the following link to download Rollup 5 for Antigen 9.0 with Service Pack 1.

    http://support.microsoft.com/kb/957075

    Listed below are the fixes included.

    • 957010  (http://support.microsoft.com/kb/957010/ ) The Getenginefiles.exe process in Antigen 9.0 for Exchange with Service Pack 1 may stop responding, and this generates a Dr. Watson crash that references Bucket ID 604327993
    • 957012  (http://support.microsoft.com/kb/957012/ ) Antigen 9.0 for Exchange with Service Pack 1 may falsely detect an attachment as an MP3 file
    • 957015  (http://support.microsoft.com/kb/957015/ ) Antigen 9.0 for Exchange Service Pack 1 reaches a state in which all nodes contain Antigen registry values that point to the same shared disk on an Exchange Single Copy Cluster (SCC) cluster
    • 957021  (http://support.microsoft.com/kb/957021/ ) Various 0X80005000 errors occur when Antigen 9.0 for Exchange Server does not receive a response or receives the wrong EVS name in a clustered Exchange Server environment
    • 957069  (http://support.microsoft.com/kb/957069/ ) Antigen 9.0 for Exchange with Service Pack 1 will not stop scanning a nested MSG file that is in an e-mail message when it reaches its Max Nested Attachment limit as defined in the General Options panel
    • 957079  (http://support.microsoft.com/kb/957079/ ) The Getenginefiles.exe process in Antigen 9.0 for Exchange with Service Pack 1 may crash during an engine download, and this generates a Dr. Watson crash that references Bucket ID 665956571
    • 957152  (http://support.microsoft.com/kb/957152/ ) Antigen 9.0 for Exchange with Service Pack 1 cannot detect MP3 files when a file filter of *.* or *. is created and the file type that is selected is MPEG (MP3)
    • 957155  (http://support.microsoft.com/kb/957155/ ) Antigen 9.0 for Exchange with Service Pack 1 scan job processes use a large amount of CPU resources, and a scan job may fail
    • 957297  (http://support.microsoft.com/kb/957297/ ) A file list is disabled in Antigen 9.0 with Service Pack 1 when you change the name of an existing file list
    • 957383  (http://support.microsoft.com/kb/957383/ ) The SpamCure scan engine in Antigen 9.0 with Service Pack 1 does not correctly initialize itself during the update of the SpamCure engine
    • 957545  (http://support.microsoft.com/kb/957545/ ) The setting in the Minimum Unique Keyword Hits box does not work in Antigen 9.0 with Service Pack 1 when a keyword list is larger than 2,000,000 bytes
    • 957547  (http://support.microsoft.com/kb/957547/ ) The AntigenDiag.exe tool does not collect engine version information in the verAntigen.csv file after you run the AntigenDiag.exe tool on a clustered server that has Microsoft Antigen 9.0 for Exchange with Service Pack 1 installed
    • 957548  (http://support.microsoft.com/kb/957548/ ) You cannot customize certain deletion text messages in Antigen 9.0 with Service Pack 1
    • 957592  (http://support.microsoft.com/kb/957592/ ) You cannot edit or configure filtering in Microsoft Antigen 9.0 for Exchange with Service Pack 1
    • 957619  (http://support.microsoft.com/kb/957619/ ) The Antigen 9.0 scan engine update process fails on a computer that is running Antigen 9.0 for Exchange with Service Pack 1 or Antigen 9.0 for SMTP Gateways with Service Pack 1
    • 957627  (http://support.microsoft.com/kb/957627/ ) A Dr. Watson error that has the Bucket ID of 332678223 is logged in the Application log on a computer that is running Microsoft Antigen 9.0 for Exchange with Service Pack 1
    • 957751  (http://support.microsoft.com/kb/957751/ ) The AntigenService service stops responding during startup on an Exchange server that has Antigen 9.0 with Service Pack 1 installed
    • 957943  (http://support.microsoft.com/kb/957943/ ) The AntigenInternet.exe process may crash on a computer that is running Microsoft Antigen 9.0 with Service Pack 1
    • 958126  (http://support.microsoft.com/kb/958126/ ) You can configure Antigen 9.0 for Exchange with Service Pack 1 to block and quarantine a whole e-mail message that contains a virus and its attachment after you install Hotfix Rollup 5 for Antigen 9.0 with Service Pack 1
    • 958232  (http://support.microsoft.com/kb/958232/ ) Messages that are opened in Outlook do not contain disclaimers that were configured on a server that has Antigen 9.0 with Service Pack 1 installed
    • 959985  (http://support.microsoft.com/kb/959985/ ) The version statistics for MSAV, under Scanner Updates in Antigen 9.0 for Exchange Service Pack 1, do not update
    • 959991  (http://support.microsoft.com/kb/959991/ ) Hotfix Rollup 5 for Antigen 9.0 with Service Pack 1 provides additional support for Exchange 2000 and Windows 2000 Server Single Copy Cluster (SCC) clusters
    • 959992  (http://support.microsoft.com/kb/959992/ ) The Getenginefiles.exe process in Microsoft Antigen 9.0 with Service Pack 1 may stop responding, and this generates a Dr. Watson crash that has the Bucket ID 685554990
    • 960001  (http://support.microsoft.com/kb/960001/ ) The AntigenClient.exe process in Antigen 9.0 for Exchange with Service Pack 1 crashes and generates a Dr. Watson crash that references Bucket ID 604327895
    • 960005  (http://support.microsoft.com/kb/960005/ ) Error message when Antigen 9.0 for Exchange with Service Pack 1 starts its Antigen Statistics Server service: "The description for Event ID (0) in Source (Antigen Statistic Server) cannot be found"
    • 960006  (http://support.microsoft.com/kb/960006/ ) The GetEngineFiles.exe process may crash on a computer that is running Microsoft Antigen 9.0 for Exchange with Service Pack 1
    • 960041  (http://support.microsoft.com/kb/960041/ ) An error message occurs when you try to install Hotfix Rollup 3 for Antigen 9.0 with Service Pack 1: "An error (-5011 : 0x80040707) has occurred while running the setup"
    • 960046  (http://support.microsoft.com/kb/960046/ ) The GetEngineFiles.exe process may incorrectly delete some files on a computer that is running Antigen 9.0 for Exchange with Service Pack 1 or Antigen 9.0 for SMTP Gateways with Service Pack 1
    • 960080  (http://support.microsoft.com/kb/960080/ ) The Microsoft Exchange Information Store does not shut down on a clustered Exchange server when Antigen 9.0 for Exchange with Service Pack 1 is installed

    Joe Anderson

    Antigen Support Group

    PSS Microsoft Security

  • End of Life Extension for Sybari Antigen 8.0

    Here is some important news for customers using Sybari Antigen 8.0 for Exchange or Antigen 8.0 for SMTP Gateways to protect their Microsoft Exchange environment.

    Microsoft has decided to extend the end-of-life for Sybari Antigen for Exchange 8.0 and Sybari Antigen for SMTP Gateways 8.0 from December 31, 2008 to December 31, 2009. This decision was made to accommodate the antivirus needs of customers who are still running versions of Exchange prior to Exchange 2000 and who have requested additional time to upgrade in 2009.

    The terms of the Sybari Antigen for Exchange 8.0 and Sybari Antigen for SMTP Gateways 8.0 end-of-life extension are as follows:

    • No product support will be provided after December 31, 2009.
    • Customers will not be able to receive antivirus engine definition updates after December 31, 2009.
    • New customers will not be allowed to acquire or deploy Antigen for Exchange 8.0 between December 1, 2008 and December 31, 2009. Only customers currently running Sybari Antigen for Exchange 8.0 or Sybari Antigen for SMTP Gateways 8.0 will be supported.
    • If an existing Sybari Antigen for Exchange 8.0 or Sybari Antigen for SMTP Gateways 8.0 customer has a contract that expires between now and December 31, 2009, Microsoft will only extend the licensing agreement for the 8.0 version until December 31, 2009.

    If you are an existing Microsoft customer, please contact your Microsoft Account Manager to extend your license .cfg files for these products. If you are not an existing Microsoft customer, please send an e-mail to fssadm@microsoft.com to extend your license .cfg files for these products.

    Brita Jenquin

    Sr. Product Manager

    Forefront Security Products

  • Getting the Most Out of Your Support Call

    Hello. My name is Joe Anderson, and I work with the CSS Security Support Team.

    Having firsthand experience with customers, I wanted to give some insight into the things we request when troubleshooting a particular issue. Below, I describe several of the common support scenarios and provide information about the type of diagnostics you will want to have on hand or be prepared to get before contacting support. I’ve also included some information about tools and utilities that are helpful in diagnosing problems.

    Scenario 1.

    What do I do if a virus gets past Antigen or Forefront?

    While it doesn’t happen often, there’s always the chance that a virus outbreak will occur and the latest AV definitions are not able to detect a particular viral variant.

    If this happens to you, you will want to lock down your messaging environment. Once you have your environment secure, you can follow knowledge base article KB952163 for the appropriate procedure to notify us about the undetected virus.

    Scenario 2.

    I have Antigen antispam protection, but too much spam is getting past the filters to the users’ inboxes. What do I do?

    Spam can sometimes come in substantial waves. If you notice a big increase in the amount of spam that is hitting your environment or getting through to mailboxes, there are several troubleshooting steps you can take.

    The first thing you should do is check that the antispam engine is being updated properly in the Antigen Administrator. If it is, then the likely problem is that definitions have not yet been released for the spam variant hitting your environment.

    To determine whether the definitions are up to date, we usually ask you to check the “update version” under “Scanner Updates” in the Forefront/Antigen Administrator, or to run AntigenDiag (see later in this article for details of what it collects), as this will tell us whether updates are working or failing.

    Other possible solutions and relief can be found in the following knowledge base article: KB920863

    Scenario 3.

    I have concerns about the functionality of Antigen/Forefront.

    Depending on the issue, the bulk of our troubleshooting is done by reviewing the logs.

    To help expedite the process, we usually ask customers to turn on additional diagnostics (Additional Internet, Additional Realtime, Additional Manual) and to set the “Max Programlog Size” setting to no more than 100000 KB. All of these settings can be found in the General Options work pane in the Forefront/Antigen Administrator.

    While 100 MB is a large size, it is important because the program log fills up quickly when additional diagnostics are turned on. The additional information provided when these settings are enabled is needed for extensive troubleshooting. If the program log size setting is left at a lower number, we run the risk of cutting off a part of the log that may be needed.

    If you are opening a ticket with support via a Web Incident, then a detailed summary of the problem and the steps you have already taken to try to resolve the issue will go a long way toward helping the support engineer resolve your issue.


    Helpful tools and utilities

    Antigendiag.exe and FSCDiag.exe utility

    The primary source for troubleshooting analysis is Antigendiag.exe / FSCDiag.exe. This utility gathers the following files:

    • ADB / FDB files (contain the settings that allow us to reproduce the Antigen/Forefront environment as closely as possible).
    • Event logs
    • Programlog.txt and HRlog.txt (detail the activity of the product, including updates, detections and errors).
    • Antigen/Forefront registry keys that tell us what’s turned on or not.
    • Version information
    • Dr. Watson logs and User Dumps (in case a dump is requested in performance-related areas).

    To Generate an Antigen/FSS Diagnostic

    • Locate the install folder for Antigen or Forefront.
    • Double-click AntigenDiag.exe (or FSCDiag.exe if running Forefront).
    • A command prompt will open.
    • Say YES to each question asked at the command prompt (not necessary in FSS).
    • The resulting diagnostic will be a zip file found in the following directories:

    Antigen - C:\Program Files\Microsoft Antigen for Exchange\log\Diagnostics

    Forefront – C:\Program Files(x86)\Microsoft Forefront Security\Exchange Server\log\Diagnostics


    OneClick, Process Monitor and Performance Monitor

    Antigen and Forefront install with a comprehensive set of proprietary diagnostic tools. It is often helpful, however, to employ the following auxiliary tools, which generate additional intelligence that can help shorten the troubleshooting path and lead to a faster resolution of the problem.

    OneClick

    To generate network traces, we can leverage OneClick. This tool allows a user to more closely examine Antigen and FSS specific network activity and communications.

    Among the functionality that can be examined with OneClick are virus engine updates, database queries, template distribution, notification activity, as well as a host of Exchange specific network activity.

    Download: http://www.microsoft.com/downloads/details.aspx?familyid=9F37302E-D491-4C69-B7CE-410C8784FD0C&displaylang=en

    Process Monitor

    Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon.

    Troubleshooting for both Antigen and Forefront can require an administrator to more closely examine the properties and permissions of files and registry components as well as the status of process requests.

    Download: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

    Performance Monitor

    Performance Monitor is used to get statistical information about the hardware and software components of a server.

    We can use this built-in tool to gather and analyze Antigen/FSS specific data. By adding Antigen/FSS counter objects and simultaneously introducing system counters, such as processor and memory usage, we can cross-reference these values and determine Antigen/FSS’s tax on the server(s).

    Download: Built-in Windows tool; Start -> Run -> perfmon

    Conclusion

    As you can see, gathering the data and diagnostics described in this article allows us to find the quickest and most accurate path to a solution.

    Joe Anderson

    Antigen Support Group

    PSS Microsoft Security


  • The End of Life for the CA InoculateIT AV Engine

    Hello everyone. I wanted to remind Antigen and FSE/FSSP users that the engine and definition updates for the Computer Associates (CA) InoculateIT engine will end on September 29th, 2008.

    On January 16th, 2007, the Computer Associates (CA) InoculateIT engine was combined with the Computer Associates VET engine. Since the engines were merged, Microsoft has continued to provide engine updates for the InoculateIT engine as a courtesy to customers using the engine.

    The original engine changes were described in an announcement to users and a KB article that can be found at: http://support.microsoft.com/kb/931373. Although the original announcement said that engine support would be discontinued on June 30, 2007, support was extended to September 29th, 2008. Support for the engine will not be extended again, so please modify your configurations as soon as possible.

    If you are still using the InoculateIT engine for antivirus scanning, you should disable it for all scan jobs and discontinue engine and definition updates for the engine. For information about engine updating, please read our documentation on TechNet.

    • For Antigen: http://technet.microsoft.com/en-us/library/bb914037.aspx
    • For Forefront for Exchange: http://technet.microsoft.com/en-us/library/bb795083.aspx
    • For Forefront for SharePoint: http://technet.microsoft.com/en-us/library/bb795192.aspx

    The merging of the InoculateIT and VET engines provides the best features of both engines in a single package and allows Forefront users to run an additional engine for antivirus scanning while retaining the benefits of both CA engines.

    Thanks for reading.

    Michel LaFantano
    FSS UE - Lead

  • Microsoft support policies and recommendations for Forefront Security products in a Hyper-V virtual environment

    Today we are excited to announce formal support for Forefront Server Security for Exchange SP1 and Forefront Server Security for SharePoint SP1 running on the Hyper-V platform. This is part of a larger announcement that affects multiple Microsoft products, including Microsoft Exchange Server and Microsoft SharePoint Server.

    Both products have been tested to confirm that all the functional aspects have the same behavior in Hyper-V virtual server environments as on physical servers. They are also approved for any hypervisor-based virtualization technology certified under the Microsoft Server Virtualization Validation program.

    This post provides an overview of deployment and operational considerations when running on Hyper-V. This information will also be made available as a TechNet article at a later date.

    System Requirements:

    The minimum server and client requirements for Forefront Security for Exchange and Forefront Security for SharePoint are essentially the same when installing in a virtual Hyper-V environment. The application, OS, and hardware platform versions are limited, however, to those that are supported by Microsoft Exchange and Microsoft SharePoint on the Hyper-V platform.

    For more details about Exchange and SharePoint support recommendations on Hyper-V, you should refer to the documents “Microsoft Support Policies and Recommendations for Exchange Servers in Hardware Virtualization Environments” and “Using SharePoint Products and Technologies in a Hyper-V virtual environment.”

    Running Forefront in a guest virtual machine does not change the basic deployment, configuration, and operation guidance for the product. Refer to the Best Practices Guides and Operations Guides available on Microsoft TechNet for additional deployment and configuration considerations.

    Forefront virtualization guidelines:

    Once Exchange’s requirements for running in a Hyper-V environment have been met, there are specific guidelines for Forefront that must be followed:

    Host specific:

    • The host machine must have enough hardware resources to accommodate the virtual machines being deployed and their intended roles, and should be deployed with no other roles other than to provide virtualization.
    • Memory and CPU intensive applications should not be run on the same host machine as the guest hypervisor.
    • File level anti-virus scanning should be disabled on directories hosting the guest VHDs.

    Guest specific:

    • Guest VHD disks must be fixed.
    • For performance reasons, it is recommended you choose SCSI or iSCSI based storage to host Forefront’s database files, preferably separately from the guest OS.
    • File level anti-virus scanning should exclude all necessary Exchange and Forefront directories.
    • Snapshots in guest virtual machines are strongly discouraged and not supported.

    Performance considerations:

    Adding Forefront to an Exchange environment will add resource utilization on top of what Exchange, the guest OS, and the host are already using. To ensure that your virtual environment can handle the anticipated load from Exchange and Forefront, it is helpful to measure performance counters before and after Forefront has been installed. You can follow these steps to take these measurements:

    • Prior to installing Forefront, take baseline performance counters on each of your virtualized Exchange servers.  We recommend you take counters based on (1) time of day, and (2) severity of load over several days to establish a general baseline.  You may also want to stress test your virtualized Exchange servers to understand the upper limits of CPU, disk I/O, and memory utilization requirements.
    • Once Exchange performance figures have been established, install Forefront, re-take performance counters as described above, and note the differences.  This will give you an idea of the overhead Forefront will be adding to your environment.
    • Based on the differences, you may want to adjust your virtual hardware requirements.  This may include allocating more memory, CPU affinity, and/or improved disk I/O.  Memory and CPU utilization are usually the most heavily impacted.
    • Video settings within the guest OS should also be set to “best performance” to minimize guest CPU utilization.  Any unnecessary virtual hardware that will not be used by the guest or host OS or applications should be removed.
    • Be cautious when adjusting process counts (Transport or Realtime), as this can quickly deplete memory in your guest virtual machine.  For example, Transport defaults to a process count of 4.  If all 4 are in use, memory use is roughly the number of Transport processes in use multiplied by the number of selected scan engines (each with its own footprint), plus the size of the files being scanned.  For example:

    4 Transport processes × 5 scanner engines @ 100 MB each + file sizes = memory utilization

    Note: This is an example only; real-world results will vary depending on multiple factors.

    If you increase the Transport or Realtime process counts, add more scanner engines, and increase the engine bias, memory will quickly be exhausted.  In most cases the default process counts are adequate; however, consult the best practice guide for further information on fine-tuning these settings.  Additionally, use the performance data you collected earlier to help gauge how many processes you should be running.

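    As an added example (not from the original post), the following PowerShell captures the baseline counters the steps above describe and checks the rule-of-thumb memory estimate against the memory the guest currently has free. The counter names are standard Windows counters; the 100 MB engine footprint is the post's own example figure, while the 512 MB reserve and the CSV path are assumptions.

```powershell
# Added example, not from the Forefront documentation or the blog post.
# Standard Windows counters covering the CPU, memory and disk I/O the post says to baseline.
$BaselineCounters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\PhysicalDisk(_Total)\Disk Bytes/sec'
)

function Save-PerfBaseline {
    # Sample every $IntervalSeconds for $Samples rounds and write a CSV you can compare
    # against a second run taken after Forefront is installed.
    param(
        [string]$Path = 'C:\PerfBaseline\before-forefront.csv',   # assumed location
        [int]$IntervalSeconds = 15,
        [int]$Samples = 20
    )
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    Get-Counter -Counter $BaselineCounters -SampleInterval $IntervalSeconds -MaxSamples $Samples |
        ForEach-Object {
            $ts = $_.Timestamp
            foreach ($s in $_.CounterSamples) {
                [pscustomobject]@{ Timestamp = $ts; Counter = $s.Path; Value = [math]::Round($s.CookedValue, 2) }
            }
        } | Export-Csv -Path $Path -NoTypeInformation
    return $Path
}

function Get-ScanMemoryEstimateMB {
    # (processes) x (engines @ footprint) + file data each process may hold, per the post's formula
    param(
        [int]$TransportProcesses = 4,   # Forefront default named in the post
        [int]$RealtimeProcesses  = 0,   # your Realtime process count
        [int]$ScanEngines        = 5,
        [int]$EngineFootprintMB  = 100, # example figure from the post
        [int]$LargestFileMB      = 0    # largest attachment a scan process might hold in memory
    )
    return ($TransportProcesses + $RealtimeProcesses) * ($ScanEngines * $EngineFootprintMB + $LargestFileMB)
}

function Test-ScanMemoryHeadroom {
    # Reserve for OS and Exchange peaks is an assumption; tune it from your baseline CSV.
    param([int]$EstimateMB, [int]$ReserveMB = 512)
    $available = (Get-Counter '\Memory\Available MBytes').CounterSamples[0].CookedValue
    [pscustomobject]@{
        EstimateMB  = $EstimateMB
        AvailableMB = [int]$available
        Fits        = ($EstimateMB + $ReserveMB) -le $available
    }
}

# Uncomment to record a baseline before installing Forefront (runs for IntervalSeconds x Samples):
# Save-PerfBaseline -Path 'C:\PerfBaseline\before-forefront.csv'

# Default Forefront settings versus a more aggressive configuration
foreach ($cfg in @(@{ TransportProcesses = 4; ScanEngines = 5 },
                   @{ TransportProcesses = 8; RealtimeProcesses = 4; ScanEngines = 5; LargestFileMB = 50 })) {
    Test-ScanMemoryHeadroom -EstimateMB (Get-ScanMemoryEstimateMB @cfg)
}
```
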
    Krishnan Venkatasubramanian

    Project Manager, Forefront Server Security

  • Microsoft AV Scan Engine Updating Issue

    Microsoft is aware of an issue with the Microsoft AV engine not updating on some installations of Antigen and Forefront Server Security products. Not all installations of the products are experiencing this issue; however, all products may be affected.

    The issue arose because aveMicrosoft.dll in one of the Microsoft AV engine updates was marked as hidden, causing all subsequent updates to fail when they attempted to delete this file. When that occurs, the engine is rolled back, which means installations experiencing this problem are running with an outdated version of the Microsoft AV engine.

    To correct this problem, browse to the Microsoft AV engine folder (<Install Path>\Exchange Server\Engines\x86\Microsoft) and un-hide the bin\aveMicrosoft.dll file. You must then either manually update the Microsoft AV engine by clicking the Update Now button in Scanner Updates or allow the engine to be updated as scheduled. You do not need to shut down or recycle any services, but you will need to configure Windows Explorer to show hidden files.

    Note: While Microsoft has corrected the hidden file since the initial occurrence of this issue, the only way to correct an installation that is in this state is to do so manually by following the steps above. Microsoft will not be providing any hotfixes, engine updates, or program fixes to automatically correct this issue.

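    An added PowerShell example (not from the original post) that checks whether aveMicrosoft.dll carries the Hidden attribute and clears only that bit so the next engine update can replace the file. The engine folder in the final calls is an assumption; substitute your installation's Microsoft engine folder as described above.

```powershell
# Added example, not part of the original post.
function Repair-HiddenEngineDll {
    param(
        # The Microsoft AV engine folder: <Install Path>\Exchange Server\Engines\x86\Microsoft
        [Parameter(Mandatory = $true)][string]$EngineFolder,
        [switch]$ReportOnly
    )
    $dll = Join-Path $EngineFolder 'bin\aveMicrosoft.dll'
    # -Force is required: without it Get-Item skips hidden files, which is exactly the state we look for
    $item = Get-Item -LiteralPath $dll -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        Write-Warning "Not found: $dll"
        return
    }
    $hidden    = [IO.FileAttributes]::Hidden
    $wasHidden = ($item.Attributes -band $hidden) -eq $hidden
    if ($wasHidden -and -not $ReportOnly) {
        # Clear only the Hidden bit; ReadOnly, Archive and the rest stay as they were
        $item.Attributes = $item.Attributes -band (-bnot $hidden)
    }
    [pscustomobject]@{
        Path      = $dll
        WasHidden = $wasHidden
        Repaired  = [bool]($wasHidden -and -not $ReportOnly)
        Version   = $item.VersionInfo.FileVersion   # record it, then compare after Update Now
    }
}

# Assumed folder for illustration; use your own installation's Microsoft engine folder
$folder = 'C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server\Engines\x86\Microsoft'
Repair-HiddenEngineDll -EngineFolder $folder -ReportOnly   # inspect first
Repair-HiddenEngineDll -EngineFolder $folder               # clear the bit, then click Update Now
```
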
    Holly Kipp

    CSS Security Support Engineer (Antigen/Forefront Server Security) - Long Island 

    Microsoft Corporation

  • Forefront for Exchange SP1 Rollup 3 has been released

    Forefront for Exchange SP1 Rollup 3 has been released.  The fixes included in Forefront for Exchange SP1 Rollup 3 are listed below.

    Prior to full publication of Forefront for Exchange SP1 Rollup 3, we are making our customers aware that this release of Forefront for Exchange is now available.  Please contact Microsoft Support if you would like to install Rollup 3 for Forefront.

    Rollup 3 resolves the following issues:

    • 954564: The scan engines are not updated in Forefront Security for Exchange Server SP1, and a Dr. Watson event is logged.
    • 954578: Sender notifications are not sent in Forefront Security for Exchange Server Service Pack 1 if the "From" field in the original e-mail message header has multiple lines.
    • 951761: Rollup version not displayed in the Forefront Help menu - About Forefront.
    • 951936: The General Options screen goes blank in Forefront for Exchange when you use the Tab key to scroll through the options.
    • 951920: The Forefront Administrator crashes when attempting to close it while the "License Information" pop-up is open.
    • 951921: The FSCController service cannot start up successfully if a corrupt .fdb configuration file is loaded.
    • 954092: Engine Updates taking more than 5 minutes to download do not complete.
    • 951922: FSCDiag.exe now collects process and PID information from your Forefront server.
    • 951923: Forefront for Exchange may see the following issue: ADGetStorage - Could not bind to Active Directory configuration context. Error code: 80005000.
    • 952040: Forefront for Exchange will now scan for WMV files that have had their extensions renamed.
    • 952039: Forefront for Exchange does not manually scan Public Folders if non-MAPI Public Folders are in the organization.
    • 954577: The Start menu shortcut that points to Forefront for Exchange does not work in the German version of Windows Server 2008.
    • 954565: Nested .msg attachments are not detected as nested attachments in e-mail messages in Forefront Security for Exchange Server Service Pack 1.
    • 954093: The Filter List order is not updated on scan jobs when you delete and recreate a filter list of the same name.
    • 953965: Forefront for Exchange may corrupt messages when attaching messages whose subject lines match a file filter set to Delete/Remove.
    • 954561: You are unable to update scan engines through a proxy on a computer that is running Forefront Security for Exchange Server SP1.
    • 954094: FSCDiag does not collect engine version info in the verForeFront.csv file when installed on a cluster.
    • 954907: E-mail messages are not sent when you are running Forefront Security for Exchange Server Service Pack 1.
    • 954934: Added a log message upon failure of setting up an active/passive Forefront cluster.
    • 954911: A scan job fails on a computer that is running Forefront Security for Exchange Server Service Pack 1.
    • 954941: E-mail messages start to build into a queue and the Fsctransportscanner.exe process uses lots of memory when Forefront Security for Exchange Server SP1 is running.
    • 953956: Forefront for Exchange falsely detects winmail.dat files as the corruptedcompressedfile virus.
    • 954942: You cannot collect data when you try to use the Forefront Server Security Management Console on an SCC cluster that has Forefront for Exchange with Service Pack 1 installed.
    • 955010: The FSCDiag.exe utility does not collect the correct data in Forefront Security for Exchange Server Service Pack 1.

    Chris Covino

    CSS Security Support Engineer (Antigen/Forefront Server Security) - Long Island

    Microsoft Corporation 

  • Spam Detection Issue - 2nd Update

    Our anti-spam partner Mail-Filters changed the hosting location from which we retrieve anti-spam updates.  Although Microsoft was notified that this change would take place at a future date, our partner was not properly informed that security restrictions within Microsoft operations would prevent this change from being transparent.  As a result, attempts to work around the problem resulted in a dated .dat file being published that was part of the initial install of hosted vendor components within Microsoft operations.

    Customers who believe they may be experiencing problems as a result of retrieving this update should verify in the client UI that they are running with an engine version later than August 5th.  A manual update may be performed in the client to ensure that a recent update has been obtained.  The StarEngine service must then be recycled in order for the engine to function properly.

    Microsoft apologizes for this inconvenience and is reviewing its operational procedures in order to prevent this from occurring again.

    Holly Kipp

    CSS Security Support Engineer (Antigen/Forefront Server Security) - Long Island 

    Microsoft Corporation

  • Spam Detection Issue - Update

    Microsoft has resolved the recent SpamCure engine updating and detection issue that was seen in Antigen 8.0 and 9.x products since August 1, 2008. Please update the SpamCure engine. After the engine is successfully updated, detection rates should improve.

    If, however, you are seeing a zero detection rate, you may be experiencing a separate issue. The SpamCure update from August 5, 2008 (14:42 US Eastern time) had a problem which prevents SpamCure from detecting any spam at all – even after updating SpamCure with newer updates.  To resolve this:

    1. Obtain an update dated after August 5, 2008 (14:42 US Eastern time), AND
    2. Manually restart the StarEngine service after confirming SpamCure signature updates are successful.

    At this point, SpamCure starts catching spam as expected. This is a transient issue and is resolved after the service is restarted. Again, we apologize for the inconvenience.

    Holly Kipp

    CSS Security Support Engineer (Antigen/Forefront Server Security)

    Microsoft Corporation

  • Spam Detection Issue

    Microsoft is aware of an issue with the SpamCure engine not updating and detecting spam in Antigen 8.0 and 9.x products since August 1, 2008. We are working with the engine vendor to resolve this issue and will continue to update this blog as more information becomes available.

    Customers running the Antigen 8.0 and 9.x products may see spam detection drop dramatically if they rely solely on the SpamCure engine to detect spam. To continue detecting spam while Microsoft works to resolve the issue, you can configure the following options within Antigen:

    • Mailhost Filtering: add one or more RBL servers, and add known spamming mailhosts to the Rejected Mailhosts list
    • Keyword Filtering: enable the default keyword lists
    • Content Filtering: add known sender domains and subject lines of spam

    We apologize for the inconvenience and do hope to have this issue resolved as quickly as possible.

    Holly Kipp

    CSS Security Support Engineer (Antigen/Forefront Server Security)

    Microsoft Corporation

  • Antigen 9.1 Hotfix Rollup 3 and Performance Monitor

    Hello, this is Neil Carpenter.  I’m an Escalation Engineer on the support side of our business, and I work with Antigen and Forefront Security for Exchange Server and SharePoint.

    We have been working on a hotfix rollup for Antigen 9.1 that will include a fix to help alleviate issues some of our customers have seen when using performance tools with Antigen.  The hotfix will be ready soon, but we wanted to give our enthusiastic blog audience a heads-up while we're still finalizing everything.  When Hotfix Rollup 4 is available, this information will be cleaned up and included in a KB article.

    Here are the details:

    While investigating an issue where mail was queuing in the Exchange Information Store, we discovered an issue that affects customers running Antigen 9.1 Hotfix Rollup 3 when there are performance monitoring tools such as Perfmon, Perfwiz, and the MOM client running.  This issue will manifest itself as mail queuing (and never un-queuing), particularly immediately after the store is restarted.  In this particular instance, we were seeing this happen when we failed from one cluster node to another.  This could also occur in non-cluster environments and it could occur if scanjobs are restarted for other reasons (such as scan timeouts).

    Additionally, you may see entries in ProgramLog.txt similar to the following:

    "ERROR: scanjobs.cpp::ConfigScanJobFile(): AddNewScanJob() Failed 0x80030021"
    "ERROR: scanjobs.cpp::CheckScanJobs(): ConfigScanJobFile() failed. hr[0x80030021]"

    "ERROR: Unexpected, RetrieveScanJobIdentifier could not find the index"
    "ERROR: Problems retrieving ScanJob identifier from RegisterMonitor"
    "ERROR: antigenvsapi.cpp::VSAPINavigatorThread(): RegisterMonitor() returned 8000ffff"

    You may also see instances where you open the Antigen administration console and scanjobs are not visible.

    The root cause of this is a regression in the Antigen performance counters DLL that results in Antigen services being unable to access the configuration information for scanjobs; thus, when the server is in this state, scanning processes cannot be started and the admin console cannot access scanjob configuration information.

    These symptoms will not occur in all instances.

    Recommendations:

    If a server is having this issue, you should be able to resolve the immediate issue by stopping all applications that are performing performance monitoring and restarting Exchange services.

    If you are running services/applications that gather performance data on your Exchange Server with Antigen 9.1 Hotfix Rollup 3, you can mitigate this in the short-term by disabling Antigen performance counters.  The following steps will disable those counters:

    1.   Open a command prompt in the Antigen installation folder, c:\program files\microsoft antigen for exchange\

    2.   Enter the command: antigenpmsetup -uninstall

    3.   You will also have to restart any application that loads the performance counters.  Rebooting the server will accomplish this; short of that, you can run 'tlist -m antigenpmdll.dll' to get a list of the processes that have the DLL loaded.  (Tlist is part of the debuggers package.)

    This will be resolved in Rollup 4 when it is released.  After Rollup 4 is available, we recommend re-enabling Antigen performance counters by running 'antigenpmsetup -install'.
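
    An added PowerShell example (not from the original post) that looks for the ProgramLog.txt error signatures quoted above and lists the processes that have antigenpmdll.dll loaded, the PowerShell equivalent of the 'tlist -m' step. The ProgramLog.txt location is an assumption based on the Antigen install folder named in step 1.

```powershell
# Added example, not part of the original post.
# Error signatures quoted in the post; -SimpleMatch is used below because they contain () and [].
$ErrorSignatures = @(
    'AddNewScanJob() Failed 0x80030021',
    'ConfigScanJobFile() failed. hr[0x80030021]',
    'RetrieveScanJobIdentifier could not find the index',
    'Problems retrieving ScanJob identifier from RegisterMonitor',
    'RegisterMonitor() returned 8000ffff'
)

function Find-ScanJobConfigErrors {
    # Assumed log location: the Antigen install folder from step 1
    param([string]$LogPath = 'C:\Program Files\Microsoft Antigen for Exchange\ProgramLog.txt')
    if (-not (Test-Path -LiteralPath $LogPath)) {
        Write-Warning "Missing $LogPath"
        return @()
    }
    Select-String -Path $LogPath -Pattern $ErrorSignatures -SimpleMatch |
        Select-Object LineNumber, Line
}

function Get-PerfCounterDllHosts {
    # Equivalent of 'tlist -m antigenpmdll.dll': every process that has the Antigen perf counter
    # DLL mapped. Run elevated; processes whose modules cannot be read are skipped.
    Get-Process | ForEach-Object {
        $p = $_
        $loaded = $null
        try { $loaded = $p.Modules | Where-Object { $_.ModuleName -ieq 'antigenpmdll.dll' } } catch { }
        if ($loaded) { [pscustomobject]@{ ProcessName = $p.ProcessName; Id = $p.Id } }
    }
}

$hits = @(Find-ScanJobConfigErrors)
if ($hits.Count -gt 0) {
    "ProgramLog.txt shows $($hits.Count) scanjob configuration error(s):"
    $hits | Format-Table -AutoSize
    'Processes to restart after antigenpmsetup -uninstall:'
    Get-PerfCounterDllHosts | Format-Table -AutoSize
} else {
    'No scanjob configuration errors found in ProgramLog.txt.'
}
```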

  • Meet the Forefront Team - Introducing Dave Friedman - Release Manager

    Hi Everyone, Steve Lindsay here again from the Tools and Infrastructure team.

    Today I'm introducing a new series called 'Meet the Forefront Team'. This series will be a video podcast series of interviews with members of the Forefront Team.

    Our first interview is with Dave Friedman who is the Release Manager for the Forefront Server Security products. Enjoy the video and let us know if you want to see more video interviews like this one.

    Among other things, Dave talks about the new Forefront Beta preview and the "Stirling" suite.

    In the video Dave mentioned a couple of sites you can visit to get more involved in the Forefront Beta and TAP programs. Links are provided to these sites below.

    Forefront TAP program : http://connect.microsoft.com/site/sitehome.aspx?SiteID=504

    Microsoft Forefront Code Name "Stirling" Homepage : http://www.microsoft.com/stirling

  • Getting the most out of Antigen’s Anti-Spam features

    Hello – Andy Day from the EMEA Antigen/Forefront Support Team here to give you some tips on oiling your anti-spam engine in Antigen for Exchange/SMTP. Let the spring cleaning commence...

    Over recent years, spam has emerged as a more prominent pain point than the traditional virus concerns that any company will have. Spammers are always trying to get the upper hand on anti-spam vendors, bringing out new ways to bypass scanners and hit as many inboxes as possible (sure, why wouldn’t they?...they get paid for doing that, after all!)

    So, as an Antigen for Exchange administrator, how do you tweak the ASM component (Anti-Spam Manager) to maximise your spam protection, in order to outwit the spammers?

    Well, first of all, you are probably using one or both of these Antigen ASM features already:

    • Spamcure anti-spam engine
    • RBLs (Realtime Block Lists)

    Alongside these features, you may also have implemented the IMF feature in Exchange (Intelligent Message Filter).

    All of these features and technologies are preventative measures. A configuration guide can be found in the Antigen Spam Manager Best Practices guide. The key points from this guide are to:

    1. Configure the Spamcure engine to check for updates every 15 minutes

    Spam is more dynamic than (other) malware; therefore anti-spam updates tend to be released more frequently than anti-virus updates. It is common to see several anti-spam engine version releases every hour, so getting Spamcure to check for updates this frequently is strongly advised.

    2. Configure RBL services

    RBLs are (non-Microsoft) lists of known spam mailhosts that are updated in real time, and they are a good way of blocking spam at the source. Always try to use a reputable service here, and be aware that free services may not always be the best. Note that Microsoft does not recommend any specific RBL providers. In Support, we do see a lot of customers using www.spamhaus.org and www.spamcop.net, which might be a good place to start. Please ensure that you observe any usage terms and conditions when using these 3rd-party lists.

    RBLs rely heavily upon DNS lookups (of mailhosts), so if there is any latency in doing this, you could see SMTP mail queuing on your server. As a rule of thumb, it’s best to limit RBL lookups by using a maximum of 1-3 RBL providers.

    3. Configure the Exchange Intelligent Message Filter

    OK, this isn’t strictly an Antigen feature, but we strongly recommend its use in conjunction with Antigen. The Spamcure engine and other filtering features on the SMTP scanjob can be used to set an SCL Rating on messages. Basically, if you enable the SCL Rating option for a feature in Antigen, any detection by that feature will cause Antigen to set an SCL Rating of 9 for the message. The SCL scale ranges from 0 (definitely not spam) to 9 (definitely spam).

    Exchange 2003’s IMF feature allows you to set a threshold for the SCL Rating. You can also set a SCL threshold in Outlook that can steer spam messages into Outlook’s Junk Mail Folder (also governable via a GPO).

    An example of how these 3 technologies might work together is setting the IMF threshold to 8 and the Outlook threshold to 5. Here, messages tagged with a SCL Rating of 0-4 will go through to users’ inboxes, 5-7 will go to users’ Junk Mail Folders and 8-9 will be deleted by IMF. As Antigen sets only ‘9’ values for the SCL rating, any Antigen-tagged messages will therefore be deleted by IMF.

    For more information on Exchange’s Intelligent Message Filter, see the Exchange documentation.

    4. Submit Spam Messages: False Positives (legitimate emails that were falsely detected as spam) and False Negatives (spam emails that were not detected) should be submitted ASAP to Mail Filters.

    As an administrator, you’ve experienced that no technology is perfect and it’s expected that some false-positives and false-negatives will crop up from time to time. Sending these to Mail Filters (our partner company that produces the Spamcure engine) through the appropriate addresses is an efficient way to flag the problem without having to open a Microsoft Support case.

    • Send False Positives to Spam.mail-filters "at" antigen.microsoft.com
    • Send False Negatives to Notspam.mail-filters "at" antigen.microsoft.com

    From these Best Practices, the key actions to take away are to make sure that Antigen is checking for Spamcure updates every 15 minutes and submit false positives/negatives to the above addresses.

    If you’re working in a large organisation, you may find that a lot of spam seems to get through (even though the actual detection rate is still pretty high), due to the sheer volume of mail that you receive every day. Consider setting up a designated spam Mailbox or shared Public Folder to collect false negatives from users.

    Before opening any support cases for false negatives, we recommend that you cover the 2 areas above, since we’re likely to suggest that you do this :)

    In the case that Spamcure or other ASM components don’t seem to be working as they should, take a look at my troubleshooting tips and extra features that can help to provide additional spam defence:

    Further Troubleshooting

    If you want to minimise your dependency on Microsoft Support, you can always try to troubleshoot the issue by yourself.

    For Spamcure-related issues, try to determine from any errors whether the problem relates to the download of the engine (the first part of the update process), or to the integration of a new engine into Antigen (the second part of the update process); then follow these steps:

    Engine Download Issues:

    • Check that you can reach the file being downloaded through Internet Explorer.
    • Confirm that any proxy settings entered in the Antigen Administrator are still valid.
    • In general, try to stagger engine updates by 10-15 minutes per engine.

    Engine Integration Issues:

    • Make sure that the engine has updated at least once following install, to avoid this error:

    "ERROR: Could not load SpamCure mapper."

    • Try rebuilding the scan engine, as per KB920304.

    Secondary Defence

    Antigen also gives you various filtering features that can be used in either a preventative or reactive manner to block spam.

    • Mailhost Filtering
    • ‘Content’ Filtering
        ◦ Sender/Domain Filtering
        ◦ Subject Line Filtering
    • Keyword Filtering

    There’s a lot of information and syntax about filtering already explained in the Antigen for Exchange User Guide, so I won’t repeat it here. However, you might consider setting some filters for basic pre-emptive defence and, perhaps more importantly, to block prominent spam mail that got through. It’s not worth the effort to do this for every undetected spam, of course, but if you’re facing a sudden wave of similar spam, this could warrant a Subject Line or Keyword Filter until engine definitions become available.

    If you follow the guidance outlined above, we hope you’ll find that Spamcure filters out most of your spam just fine and that you won’t need to tackle this troubleshooting or use these extra features. If you do, however, I hope this post has been useful to you.

    Kind Regards,

    Andy Day

    CSS Security Support Engineer (Antigen/Forefront Server Security)