Many of you may have noticed warning notifications about the upcoming end-of-life date for several antivirus engines and the Spamcure antispam engine being generated by Antigen and Forefront Server Security. These notifications are intended to ensure that you take the appropriate steps to keep your antivirus and antispam protection up to date when these engines are retired. (For more information, read the most recent blog article about the upcoming engine changes.)
We have received several requests, however, for information about disabling these notifications that are generated by Antigen for Exchange and SMTP Gateways and Forefront for Exchange, SharePoint, and Office Communications Server related to deselecting the antivirus engines about to be retired. This article provides instructions for deselecting engines from scan jobs, which will disable the notifications for affected Forefront and Antigen products.
To stop these notifications, you must stop using the engines that are being discontinued in the Forefront/Antigen products. The steps to disable the engines in the products are listed below. If you are aware of the engine retirement and wish to suppress the errors temporarily without disabling the engines, you need to contact Microsoft support for help.
Follow these steps to completely disable the specific antimalware engines within the Forefront and Antigen products.
Note: The steps below need to be followed for the AhnLab, CA, and Sophos, and the Spamcure engines, which are being retired on December 1, 2009. Customers using SpamCure need to ensure that they are using Antigen 9 with service pack 2 that was released on July 1, 2009. For additional information, refer to Antimalware Engine Notifications and Developments.
To properly disable an engine and definition updates, you will need to:
1. Remove the engine from all antivirus scan jobs.
2. Disable definition updates for the engine.
3. Remove the engine from the Quick Scan job. (This step is not necessary for Antigen SMTP only installations as the Quick Scan functionality is disabled in this configuration.).
1. To remove the engine from all antivirus scan jobs
a. Open the Forefront/Antigen Administrator.
b. Under Settings, select Antivirus.
c. Deselect the engine you want to remove under “File Scanners” for each scan job that is listed there.
d. Click the Save button.
2. To disable engine updates
b. Under Settings, select Scanner Updates.
c. Select the engine you want to disable updates for and click the Disable button on the right-hand side to disable scheduled updates for this engine.
3. To remove an engine from the Quick Scan job
b. Under Operate, click on Quick Scan.
c. Deselect the engine under File Scanners.
IMPORTANT: Customers using Antigen version 9 with Service pack 2 (released as of July 1st) need to apply Rollup 1 that was released in October 2009. The rollup contains a needed fix for an issue regarding notifications when Antigen is installed on a SMTP only configuration. For more information on the fix as well as the download location, please see the following Kb (http://support.microsoft.com/kb/975355#4).
Program Manager - Forefront Server Protection
Is there a way to do this automatically in large (100+) server environments?
We have followed the steps, but we still get the update notifications. Any ideas?
We also have followed these steps on an Exchange 2007 SP1 + Windows 2008 SP1 + Forefront SP2 and are still getting the messages on our mailbox and front-end servers.
We have followed the steps as stated above, but we are get the update notifications again. Please help us to resolve this?
We also have followed these steps but still get the message every day. 2007sp2
We have followed these steps, but we still get the update notifications everyday. Is there a way to fix this?
I only get notifications from two Exch 2007 SP2 server which are only running as HT servers. I've followed the instruction as far as I can but can't do step three as there is no Quick Scan for HT servers. On all my other servers, as soon as the obsolete engines were unselected and had the updates disable, they disappeared from the list of available engines. The problem I'm seeing seems to match the Antigen9 issue which the above rollup resolves. Does an equivalent rollup exist for ForeFront?
Same issue here. Wish Microsoft reviewed comments to there blog to nip these issues in the but.
The following information applies to deployments that are on the following product versions: Antigen 9.2 , Forefront for Exchange 10.2 and Forefront for SharePoint 10.3.
We have received a few comments from our blog readers about receiving multiple expiry notifications for engines in our products which have been retired recently. We responded on the blog with steps to resolve this issue for the majority of circumstances. However, through support and the blog, we have identified a small number of cases in which the steps alone did not resolve the issue.
We are working on resolving the issue and will post a follow up shortly.
Program Manager – Forefront Server Protection
Here's a possible solution to annoying disable engine notifications.
I say 'possible' only because I personally haven't implemented it, so I can't vouch that it works. If anyone's tried it please post any issues/success you had.
After tried the steps in this blog without success, I tried the fix on blogs/technet.com/dblanch site and it worked perfectly.
I haven't tried the new Rollup 1 for SP3 that just came out. Maybe that fixes it?
The following information applies to deployments that are on the following product versions: Antigen 9.2 , Forefront for Exchange 10.2 and Forefront for SharePoint 10.3:
The latest product updates for the above mentioned products implement changes that should address continued end-of-life notification issues that were brought to our attention. Please see the links for more information on the updates:
1. Rollup 1 for Forefront for Exchange Server with service pack 2 ( http://support.microsoft.com/kb/978297 )
2. Rollup 1 for Forefront for SharePoint with service Pack 3 ( http://support.microsoft.com/kb/978300 )
3. Rollup 2 for Antigen 9 for Exchange and SMTP with service pack 2 ( http://support.microsoft.com/kb/980586 )
For cases where the rollups do not address the issue , we would want to get additional information and would encourage you to contact support. Additionally , the rollups include a back end registry switch that would allow you to forcibly switch off the notifications.
In order disable the notifications after installing the appropriate rollup, create a DWORD registry key HKLM\Software\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server\ExpirationNotifications and set it to a 0 (zero) which indicates ‘off’. No need to recycle services for the functionality to work. If the key doesn't exist, then the default value would be 1, meaning the feature is on.
The Rollup did not fix the notifications. However, the ExpirationNotifications registry addition did fix the problem. Do you still want people who had this issue to contact support? Do you need more information as to why this still occurs after the Rollup is installed?
Also, Doug's registry change (http://blogs.technet.com/dblanch/archive/2010/01/13/forefront-obsolete-notifications.aspx) fixed the issue for us without installing the Rollup. His fix also got rid of the warning Event ID 7001 (Not all the engines selected in the Forefront Administrator for scanning have been enabled for signature updates.)
Which registry change is preferred? I'm leaning towards Doug's, as it has stopped the end-of-life notification as well as the not-all-engines warnings.
We do not understand why the rollup did not fix this problem. If you would like us to troubleshoot this further please contact our CTS (formerly CSS) group. If not, you can use the workaround described in Doug’s article.