Hello, my name is Tom Canino and I am the Lead Program Manager for the Forefront Server Security Rapid Response Engineering (RRE) team.  The Forefront RRE team is responsible for supporting Sybari Antigen, Microsoft Antigen, and Microsoft Forefront Server Security products.

Recently, I was playing with various upgrade scenarios and discovered something that is affecting a number of customers who appear to have moved from Sybari Antigen 8.0 for Exchange to Microsoft Antigen 9.0 for Exchange.

I had a template of settings I like to apply after installing a new system.  It was created with Sybari Antigen 8.0 and when I applied it to Microsoft Antigen 9.0, it appeared that everything was set up just as I like it.  Soon after, I noticed that I was not receiving engine updates!  I guess I got what I deserved for performing a template action that is not supported (Note:  This is also unsupported for 9.0 templates applied to 10.0).  Upon further investigation I discovered that my engine update path had been changed from http://www.microsoft.com/antigendl to http://www.sybari.com for each of my engines (except for the Antigen Worm List).

Here’s a brief synopsis of what is going on:  Microsoft Antigen 9.0 includes security enhancements that prevent malicious individuals from tampering with the files that are contained in the engine update.  These enhancements are not compatible with Antigen 8.0; thus, going to the 8.0 engine update site at Sybari.com results in engine update errors.  So, if you see that you are going to Sybari.com for engine updates (either via our update mechanism or some custom method), it is critical for the security of your systems that these URLs be changed to get engine updates from http://www.microsoft.com/antigendl.

We did some digging through the logs of the Sybari.com server and discovered that I am not alone.  There are many customers who are experiencing this same issue.  The problem is that these customers have not realized that they have not been updating their engines!  We went back through the logs as far as January of this year and have found IP addresses that are still hitting the Sybari site as of April.

So, you checked your settings and you see that this has happened to you.  “What do I do now?” you ask.  First, create a new template for your settings using Antigen 9.0, verifying that the engine update paths are pointing to http://www.microsoft.com/antigendl.  Next, apply the new template to all of your servers.  Lastly, monitor your servers (you do monitor your servers, don’t you?  No?  Well then, that’s another blog) to make sure that you are receiving engine updates.
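The check described above can be scripted. The following is an added example, not part of the original post and not an Antigen tool: it audits an inventory of engine update paths and last-update times, flagging any path that points at Sybari.com or anywhere other than http://www.microsoft.com/antigendl, and any engine that has gone too long without an update. The CSV layout, server and engine names, dates and the 7-day threshold are all assumptions constructed for illustration; how you export these values from your servers is up to you.

```python
import csv
import io
from datetime import datetime, timedelta
from urllib.parse import urlsplit

EXPECTED_HOST = "www.microsoft.com"   # from the post: http://www.microsoft.com/antigendl
EXPECTED_PATH = "/antigendl"
LEGACY_DOMAIN = "sybari.com"          # the 8.0 update site named in the post
MAX_AGE = timedelta(days=7)           # assumed staleness threshold, tune to your policy

# Constructed sample inventory (hypothetical servers, engines and timestamps).
SAMPLE = """server,engine,update_path,last_update
EXCH01,Engine A,http://www.microsoft.com/antigendl,2007-04-29T06:00:00
EXCH01,Engine B,http://www.sybari.com,2007-01-12T06:00:00
EXCH02,Engine A,HTTP://WWW.MICROSOFT.COM/antigendl/,2007-03-02T06:00:00
EXCH02,Engine B,http://sybari.com/,2007-04-30T06:00:00
"""

def classify_path(url):
    """Return 'ok', 'legacy' (Sybari site) or 'unexpected' for an update path."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if host == LEGACY_DOMAIN or host.endswith("." + LEGACY_DOMAIN):
        return "legacy"
    # Compare case-insensitively and ignore a trailing slash.
    if host == EXPECTED_HOST and parts.path.rstrip("/").lower() == EXPECTED_PATH:
        return "ok"
    return "unexpected"

def audit(csv_text, now):
    """Return (server, engine, [problems]) for every row needing attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        problems = []
        status = classify_path(row["update_path"])
        if status != "ok":
            problems.append(f"update path is {status}: {row['update_path']}")
        # A correct path is not enough: confirm updates are actually arriving.
        age = now - datetime.fromisoformat(row["last_update"])
        if age > MAX_AGE:
            problems.append(f"no engine update for {age.days} days")
        if problems:
            findings.append((row["server"], row["engine"], problems))
    return findings

if __name__ == "__main__":
    for server, engine, problems in audit(SAMPLE, datetime(2007, 5, 1)):
        print(f"{server} / {engine}: " + "; ".join(problems))
```

Checking both the path and the update age matters here: a server can show a corrected path and still be stale, and a stale engine is the symptom the affected customers did not notice.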

Kelly Borndale and Matt Perotti (also members of the Forefront RRE team) contributed to this blog.

 

Tom Canino
Lead Program Manager
Forefront Server Security