Just as a heads up.
We are seeing cases where the Microsoft scan engine is failing to update in Forefront Protection for Exchange with the following errors.
6019 GetEngineFiles An error occurred while testing the scan engine.
6012 GetEngineFiles An error occurred while loading the scan engine. Scan Engine: Microsoft. Error Code: 0x80004005.
This only seems to be affecting FPE and not the other products that the Microsoft engine ships with.
We are working to resolve this issue and it should be resolved automatically once the cause is found. I will update this post if there is any change to how the fix will be delivered.
The only impact is that the engine fails to update. All other engines are updating correctly, this should not affect mail flow, and the other engines should provide coverage for new viruses.
We are in the process of adding this information to our setup documents.
-When implementing FOPE or O365/Live@EDU and you have mail coming to your on-premise servers, you need to turn off any SPF checking at your mail server/firewall. The connecting server will always be one of the Forefront Online servers, so mail from any domain whose SPF record is configured to hard fail will end up getting deleted. Forefront Online has its own SPF check, so you are still protected.
My first FOPE centered blog.
One common issue with FOPE (this also happens in FSS/Antigen) is the zero-day viruses that pretend to be legitimate mail from other senders.
These tend to be small emails asking you to open the file in a zip attached to the email. The file will look like a PDF but it's really an executable named “delivery.pdf .exe”
These exe files are not caught by any engine right away so some customers see them come through.
There are multiple ways you can block these messages (SPF, policy rules), but I suggest the following.
My first question is always “Do you have any reason to allow executable files via email?” I have yet to find a customer who says they need EXEs in email. If your email policy allows blocking these message types then I suggest you set up two rules to lower your chances of getting any viruses.
Inbound reject rule (deletes any inbound mail with a compressed file that contains executable attachments)
The second rule blocks files that are not inside compressed files but whose header information matches an executable type.
If you have issues logging into any of the Forefront Management Consoles with an Error 500 you most likely changed the service account password.
To verify this is due to a password issue you can check the event logs for
Event ID 10004, Distributed COM
DCOM got error “1326” and was unable to logon <account name> in order to run the server:
{9738A91E-222B-4F3F-8962-6B01144D6ACB}
If that’s there you need to go into COM+ Applications under Component Services.
Open the properties of the MFSMC.Services object and change the password on the Identity page.
That should resolve the error.
The most common reason we do not filter spam in FPE is that we honor the ms-exch-bypass-anti-spam permission on connectors.
The most common scenario is that the bypass is enabled for anonymous connections.
This is simple to fix with some PowerShell commands that remove the permission from the connectors.
In Exchange PowerShell:
Get-ReceiveConnector
Take the names you get and run Get-ReceiveConnector "Receive_Connector_name" | Get-ADPermission -User "NT Authority\Anonymous Logon" | fl
You are looking for the ms-exch-bypass-anti-spam extended right in the output.
You can then remove the bypass right by running the following on any connector that has it: Get-ReceiveConnector "Receive_Connector_name" | Remove-ADPermission -User "NT Authority\Anonymous Logon" -ExtendedRights ms-exch-bypass-anti-spam
Checking again with Get-ReceiveConnector "Receive_Connector_name" | Get-ADPermission -User "NT Authority\Anonymous Logon" | fl shows that bypass has been removed from the rights for anonymous.
You can then do the same thing for each connector and recycle transport to make the changes take effect.
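The same check run across every Receive connector at once, as an added example that is not part of the original post. It uses the cmdlets named above from the Exchange Management Shell; the function name and the -Remove switch are this example's own, and the permission objects are compared by the string form of their ExtendedRights entries.

```powershell
# Added example: report (and optionally remove) the ms-exch-bypass-anti-spam extended
# right granted to Anonymous Logon on every Receive connector. Run in the Exchange
# Management Shell. Function name and -Remove switch are this example's own.
function Get-AnonymousSpamBypass {
    param([switch]$Remove)
    $anon  = "NT Authority\Anonymous Logon"
    $right = "ms-exch-bypass-anti-spam"
    foreach ($connector in Get-ReceiveConnector) {
        # Only the ACEs held by Anonymous Logon on this connector.
        $perms = $connector | Get-ADPermission -User $anon
        $hasBypass = $false
        foreach ($perm in $perms) {
            # ExtendedRights is a collection; compare by name and ignore Deny entries.
            $names = @($perm.ExtendedRights | ForEach-Object { $_.ToString() })
            if (($names -contains $right) -and (-not $perm.Deny)) { $hasBypass = $true }
        }
        if ($hasBypass -and $Remove) {
            $connector | Remove-ADPermission -User $anon -ExtendedRights $right -Confirm:$false
        }
        # One result object per connector so the output can be filtered or exported.
        New-Object PSObject -Property @{
            Connector       = $connector.Identity
            AnonymousBypass = $hasBypass
            Removed         = ($hasBypass -and $Remove)
        }
    }
}

# Report first, then remove and recycle transport so the change takes effect:
Get-AnonymousSpamBypass | Format-Table Connector, AnonymousBypass, Removed -AutoSize
# Get-AnonymousSpamBypass -Remove
# Restart-Service MSExchangeTransport
```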
Updates to this issue will be posted to http://blogs.technet.com/b/fss/
Last night we pushed out an update that resolves this issue. Updating your engines should resolve this issue and you can go back to your previous configuration.
During our testing we have discovered that there is a potential to download the Cloudmark engine update even when there is not an update.
This is being looked at, but for now it is recommended that you set Cloudmark to update only every 24 hours to avoid lowering your detection rate, as the microupdate folder gets deleted with each update.
This issue is due to how Antigen processes updates and is not due to the Cloudmark engine itself.
We believe this will be resolved with a package update and no hotfix will be needed.
*Updated to include default folder path for Cloudmark*
If you are having issues with timeouts after updating your Cloudmark engine between Friday and Saturday afternoon this post should help you out.
On Friday night we released a Cloudmark engine that had an issue being validated by scan engine test.
This results in a rollback update loop that can cause timeouts and mail flow issues on Antigen 9.x servers.
Forefront Protection for Exchange is not affected by this update.
We rolled the engine back this weekend so no new issues should occur; if you happen to still have the bad engine on your server you will need to delete the Cloudmark engine folder manually and re-download the re-packaged update.
By default the engine folder is located at c:\Program files\Microsoft Antigen for Exchange\engines\x86\Cloudmark
If you are on a cluster the folder would be <clusterdrive>:\AntigenCluster\Engines\x86\Cloudmark
The new update should then download and resolve your issue.
Hope that helps.
We have been seeing some Antigen 9.x servers up past rollup-3 that are still not updating to Kaspersky 8.
As of last week, customers still running Kaspersky 5 started getting errors during attempted updates.
This is normally due to one or more files being missing in the following directories.
%databasepath%\Engines\localenginemapping.cab
%databasepath%\Engines\Metadata\universalmanifest.cab
Database path is your install path\Data on a standalone server
or <drive>:\Antigencluster\Data on a cluster server.
You should have copies of these files in your Antigen install files directory.
If you do not, please open a free case to get copies of these files so you can get Kaspersky up to date.
We have had a few strange detection issues last week due to some non-standard configurations.
1. Spam filtering not working for User X
This one was due to a setting in content filtering. There is a per-user setting called AntispamBypassEnabled. In Forefront the agent log will show “content bypass enabled, skipping” for every mail to that user. You can find and fix this setting by doing the following…
[PS] C:>get-mailbox USERMAILBOXNAME | fl *spam*,*scl*
AntispamBypassEnabled : False
SCLDeleteThreshold :
SCLDeleteEnabled :
SCLRejectThreshold :
SCLRejectEnabled :
SCLQuarantineThreshold :
SCLQuarantineEnabled :
SCLJunkThreshold :
SCLJunkEnabled :
The above settings override the organization-level settings. In this case, the user was set to true for bypass, so nothing got deleted, rejected, or put in junk.
2. The next issue was a customer that had everything up and running but no scanning on real-time.
There is a per-database setting for VSAPI. You can find the keys in the following registry locations.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\EXCHANGE-SERVERNAME\DATABASENAME-GUID-OF-YOUR-DATABASE]
"VirusScanEnabled"=dword:00000000
"VirusScanProactiveScanning"=dword:00000000
0 = no scanning
1 = scanning
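Both checks from this post in one script, as an added example that is not part of the original post: the first lists mailboxes with AntispamBypassEnabled set (fix with Set-Mailbox), the second reads the per-database VSAPI values at the registry location given above. Run in the Exchange Management Shell on the mailbox server; the function names are this example's own.

```powershell
# Added example: find the two non-standard configurations described in the post.
# 1. Mailboxes with AntispamBypassEnabled, which makes the content filter skip them.
# 2. Per-database VSAPI registry values under MSExchangeIS\<server> (0 = no scanning).
# Function names are this example's own; cmdlet and value names are from the post.
function Get-MailboxSpamBypass {
    # -ResultSize Unlimited so large organizations are not cut off at the default 1000.
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.AntispamBypassEnabled -eq $true } |
        Select-Object Name, AntispamBypassEnabled, SCLJunkEnabled, SCLJunkThreshold
}

function Get-VsapiDatabaseState {
    param([string]$Server = $env:COMPUTERNAME)
    $base = "HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\$Server"
    if (-not (Test-Path $base)) { throw "No MSExchangeIS key found for server '$Server'" }
    # Each subkey is DATABASENAME-GUID as shown in the post.
    foreach ($dbKey in Get-ChildItem $base) {
        $values = Get-ItemProperty $dbKey.PSPath
        # A missing value comes back as $null, so it is not mistaken for "enabled".
        New-Object PSObject -Property @{
            Database          = $dbKey.PSChildName
            VirusScanEnabled  = $values.VirusScanEnabled
            ProactiveScanning = $values.VirusScanProactiveScanning
        }
    }
}

# Usage: report both conditions; fixes are left commented so nothing changes by accident.
Get-MailboxSpamBypass | Format-Table -AutoSize
# Set-Mailbox USERMAILBOXNAME -AntispamBypassEnabled $false
Get-VsapiDatabaseState | Where-Object { $_.VirusScanEnabled -ne 1 } |
    Format-Table Database, VirusScanEnabled, ProactiveScanning -AutoSize
```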
This issue is starting to pop up in a few environments with connectivity issues to https://crl.microsoft.com
It looks like we implemented code access security (CAS) in our Mail Pickup service.
The issue is that some firewalls or proxies might not allow this site to be accessed by the Network Service account, or they might outright block the site.
The issue manifests itself as the FSEMailPickup service trying to start and then stopping.
If you are starting the service from the services panel you get a “Service did not respond” error.
Your security auditing might show access denied or some other error for winhttp.
Quick workaround.
Disable the CAS publisher evidence check by modifying the “FSEMailPickup.exe.config” file.
Add the following line under <runtime>
<generatePublisherEvidence enabled="false"/>
This will bypass the issue.
Long term.
As this is implemented in more products you should make sure you allow the CRL site to be accessed by adding an exclusion to whatever is blocking it in your environment.
Tracking what is blocking this might have to be done by getting a network trace while it is trying to start.
I get these issues every few months.
SharePoint or Exchange Admin getting files deleted due to Large uncompressed size or large compressed size virus.
We have a few KBs on this but some detail is missing. I also realized today that the keys documented in KB 972072 are missing another file size setting.
Forefront for SharePoint / Exchange has 3 file size settings that restrict compressed file uploads.
Compressed means any container file. For example, Office 2007+ documents are compressed and would be subject to these settings.
Proactively you would want to set these keys to reflect the file size limits in your environment.
The compressed file limits are as follows.
Compressed file size: This is the total size of the file you are uploading. By default this is set to 25mb.
Uncompressed Size: This is the total size of ALL the files once extracted. This is set by default to 100mb
Uncompressed File Size: This is the size limit for any 1 file in the compressed file. This is set by default to 20mb.
So you could have a 24mb xlsx file that extracts to 90mb, but if one file in that document is 21mb, it will trigger the file size limit.
Here are the keys responsible for these limits in SharePoint. In Exchange they would be in the Forefront for Exchange key under HKLM\Software.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Server Security\SharePoint
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\SharePoint
MaxUncompressedFileSize - Default is 100mb, in bytes
MaxCompressedSize - Default is 26mb, in bytes
MaxCompressedArchivedFileSize - Default is 20mb, in bytes
You would want to set these keys to reflect the file size limits in your environment.
If your upload limits are set to 50mb you would want to set MaxCompressedSize to at least 52428800 (decimal).
You would expect those files to be over 100mb uncompressed, so you should set MaxUncompressedFileSize to 209715200 (200mb) or more.
And you can increase MaxCompressedArchivedFileSize to 52428800 as well.
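The sizing above turned into a script, as an added example that is not part of the original post: it derives all three values in bytes from one upload limit, checks they fit a DWORD, and writes them to the SharePoint keys listed above. The function name, the -Preview switch, the 4x uncompressed multiplier and the $Product parameter are this example's own assumptions; the exact Forefront for Exchange subkey name is not given on the page, so pass it explicitly for Exchange.

```powershell
# Added example: set MaxCompressedSize, MaxCompressedArchivedFileSize and
# MaxUncompressedFileSize from a single upload limit. Run as an administrator.
# Function name, -Preview and the multiplier are this example's own assumptions.
function Set-ForefrontSizeLimits {
    param(
        [Parameter(Mandatory=$true)][int]$UploadLimitMB,
        [int]$UncompressedMultiplier = 4,      # 50mb upload -> 200mb uncompressed, as in the post
        [string]$Product = "SharePoint",      # subkey under Forefront Server Security
        [switch]$Preview                       # show current -> desired without writing
    )
    $desired = @{
        MaxCompressedSize             = [long]$UploadLimitMB * 1MB
        MaxCompressedArchivedFileSize = [long]$UploadLimitMB * 1MB
        MaxUncompressedFileSize       = [long]$UploadLimitMB * $UncompressedMultiplier * 1MB
    }
    # These are REG_DWORD values, so each must fit in 32 bits.
    foreach ($v in $desired.Values) {
        if ($v -gt [uint32]::MaxValue) { throw "$v bytes does not fit in a DWORD" }
    }
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Forefront Server Security\$Product",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\$Product"
    ) | Where-Object { Test-Path $_ }
    if (-not $paths) { throw "No Forefront Server Security key found for '$Product'" }
    foreach ($path in $paths) {
        foreach ($name in $desired.Keys) {
            $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
            if ($Preview) {
                "{0}\{1}: {2} -> {3}" -f $path, $name, $current, $desired[$name]
            } else {
                Set-ItemProperty -Path $path -Name $name -Value $desired[$name] -Type DWord
            }
        }
    }
}

# The 50mb case from the post: 52428800 compressed, 209715200 uncompressed.
Set-ForefrontSizeLimits -UploadLimitMB 50 -Preview
# Set-ForefrontSizeLimits -UploadLimitMB 50
```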
Just wanted to give everyone a heads up.
Some customers are reporting a failure (less than 5% of the time) downloading engines.
The next time a download occurs it will download just fine.
We are looking into the cause and the fix will be automatic as it is an issue with our download site.
There has been some major confusion about the setting under advanced options in Forefront Protection for Exchange called “Rescan messages already scanned by Forefront Online Protection for Exchange”.
By default it looks like this
Now this looks like, by default, we do not scan messages if we see they came through FOPE.
That’s not true. By default it's unchecked, so everything is scanned.
If you want to skip scanning for spam or viruses you set it up like this
If you wanted to only scan for viruses and skip scanning for spam you would check rescan messages already virus scanned.
Note: By default we mark messages that are spam as SCL 8 or 9; clean messages are marked SCL -1.
We enable spam scanning for Exchange when we install, but with an SCL rating of -1 or 8/9 Exchange would not be scanning these messages for spam.
Disabling our spam scanning this way will allow the Exchange anti-spam agents to scan as well.
We have seen customers disable this and continue to see spam being caught, but by the exchange anti-spam agents and not ours.
You can disable this in exchange if it is causing you an issue.
We are tracking an issue where Norman updates on Forefront Protection for Exchange are failing with a “version downloaded is older than the local version” message (Event ID 6014, Source GetEngineFiles).
The workaround for this issue is to delete the numbered folder in the Data\Engines\x86\Norman\Package\ directory, located under "c:\Program Files(x86)\Microsoft Forefront Protection for Exchange Server\" by default.
The first update can fail with a 404 file not found but the 2nd update will work.
We are investigating the cause of this issue.
All updates to this issue will be posted at http://social.technet.microsoft.com/wiki/contents/articles/norman-engine-issue-since-the-9th-of-september-2010-on-forefront-protection-for-exchange-server.aspx
Information and links are on this wiki page.
http://social.technet.microsoft.com/wiki/contents/articles/worm-win32-vb-wf-forefront-and-antigen-mitigation.aspx
This is spreading quickly. I expect that most Antigen users are already filtering but if you have 2007 or 2010 there is some more information there.
I had a question on how we can change the default action for spam to allow end users to manage what is spam and is not spam.
In AntiSpam configuration under Policy Management:
By default our settings are quarantine at SCL 5-8 and reject at SCL 9.
To allow your end users to manage their own spam you need to set SCL 5 to 9 to “stamp header and continue processing”.
This will stamp the header and these messages will end up in your junk mail folder and you can configure false detects as allowed senders.
I decided to write up a filter guide as there seems to be some confusion with the new interface in FPE. The screens are from FPE but the guidance is good for filtering in all of our products.
With Forefront Protection for Exchange we have drastically changed the interface for our filtering. I will be going over the filtering interface as well as discussing best practice for filtering.
The first thing you will notice is the removal of the “File” option for one off filters.
Everything is in a list now so you are creating a list for each set of filters you want to make.
I will walk through a filter list creation for file types.
Under policy management select filter lists.
Click on create
And choose the filter type (again, in Antigen/FSS it was the Filtering shuttle with content, keyword, file, allowed senders and filter lists broken into separate pages).
As you can see in FPE you now have a wizard to walk you through list creation.
We are picking “inspect the header” for this post. This will create a * filter with options for file types.
In the next part you set your filter list name and the type of files.
Here is where you need to be careful to select file types you know you need to block. In this screen you would want to stay away from the zip file format, as Office 2007-2010 files have a zip file header.
If you need to block zips you need to set up a skip filter first. I will be going over that in another blog post.
The next set of file types.
I would be very careful about some of the image filters.
A JPG filter could wipe out all email with a signature that has images in them.
WMF is also used in 2007/2010 office documents.
The most important one here would be the Microsoft Transport Neutral Encapsulation Format file type. This is the contents of every piece of mail at the hub level in a 2007/2010 organization. If you filter on this you might need to update your resume, as you will start deleting every mail that comes through that server.
I would keep EICAR virus Test File out of the list as it is harmless and you might have need for it later.
Again make sure what you are deleting is not needed in your environment.
This is where you set your action when a file is caught. If you were setting a skip detect you would set it here for each scan. My test box has both roles, so you see every scan.
And here you can see the finished filter list.
I would suggest that if you are not sure of what a file type does you create two filters. Have one set to delete for files you know you do not want. And another with files you think you might not want. Set the filter up for skip detect and then monitor what it catches. Once you are comfortable you can move more file types into the delete list.
Hope this information was of some use.
I would recommend FPE customers do this.
By default, when our anti-spam agent finds a message to be clean we mark it SCL -1.
This can cause a lot of issues with Exchange blocked senders, and it also removes any chance of IMF catching something.
This is covered in the Important Notes section of our documentation.
The workaround is to change our clean SCL stamp to 0.
This is done in our PowerShell.
You need to create a new extended option:
PS> New-FseExtendedOption -Name CFAllowBlockedSenders -Value true
PS> Get-FseExtendedOption -Name CFAllowBlockedSenders
should return:
Name                   Value
----                   -----
CFAllowBlockedSenders  True
Mytob and mydoom variants seem to be on the rise in the last week.
These files are named in a way to fool users into thinking the file is something other than an executable.
In this example a quick look at the file in postcard.zip might make you think it is an .htm file.
But if you look at the file type it shows it is an application. Some older tools will show an IE icon, helping to further fool users into opening it.
The file in the above example has two extensions.
document.htm____________________________________________________________.exe
Mitigation
No scanner can protect you 100% of the time. Even with a product like Forefront\Antigen (that provides you up to 5 engines to scan with) you still have the time between the introduction of the virus and the engines providing detections for it.
I suggest at minimum filtering out dual-extension executables by adding a filter for the *.*.* executable file type. The action can be clean (users get the zip, but the attachment is now a .txt file) or purge it completely.
If your network policy is that no EXE files are to come in by email then you can put a * EXE file type filter in place with a purge action to reduce confusion for your end users.
If your policy lets internal users send EXE files but you feel safe blocking EXE files incoming from the internet, you can use our filtering to block incoming EXE files (<in>* EXE file types) as described here: http://technet.microsoft.com/en-us/library/bb795068.aspx
Forefront Management console (FSSMC) has various jobs for configuring your server.
The main job is the General Options settings job.
This configures the items in General Options for Antigen/Forefront servers.
Other settings such as filter lists, scan engine selection and anything that has a template tied to it are covered by the template redistribution job.
I will go over my personal recommendations for deploying templates below.
Configuring your source client(s):
The best option is to take a source server for each role where Forefront/Antigen is installed and configure this server exactly the way you want the other servers in your environment.
The template.fdb has the following information
Make sure you are updating the live job, not the template. You can confirm this by hiding the template view (make sure it is unchecked).
Set each setting and then close the client when you are satisfied with the setup.
Creating the template:
I suggest doing the following to create templates
After configuring the server the way you want, set aside some time to stop the Exchange services and delete the Template.fdb from the Data directory of the Forefront\Antigen folder.
Starting the services will then create a new template.fdb that you can use for deploying to other servers.
Deploying your template:
In the Forefront Management Console open the Job Management/Packages page.
Upload your template.fdb and name the job something you can identify.
Select what you want to be pushed out from the template.
Click finish and your package is ready to be deployed.
Under Job Management\Jobs
Select Deployment job (top level)
And select Create.
Name the new job something you can identify.
Select the deployment package for the servers you are targeting.
You can schedule the install or not.
Set email notifications for success or failure of the job.
Click next.
Select the servers you want to deploy this to (in this example, the hub servers) and save it.
You then end up with the console looking like this
You can run that to deploy the template.
I suggest doing this to a single server and then when you are happy with it expand it to more servers.
We are seeing a few calls from people that have upgraded to Antigen for Exchange SP2.
In these cases AntigenService.exe is hanging. This can create issues updating, connecting with the client, and mail flow issues.
This issue is caused when we initialize the Cloudmark engine.
There is a hotfix rollup for SP2 at http://support.microsoft.com/kb/975355 that addresses this issue. The current KB does not have this issue listed, but we are working on changing this.
Make sure your engines have updated after October.
SP2 has a mapper (packaged with the engines) requirement that was released two months before SP2 came out.
We have seen a case where a customer had not updated for a year, and this caused the engines to not load after the upgrade to Service Pack 2.
If you have written into support lately you should have seen something like this in the signature of the engineer you were working with
Did you know Antigen and Forefront will be removing support for the CA, Sophos, AhnLab and SpamCure engines on December 1st, 2009? To find out more, please visit the Antimalware Engine Notifications and Developments TechNet page.
In 10 days we will be removing these engines from our update servers.
One thing that customers need to be aware of:
If they have the “Box Set” license that comes with Antigen (CAVet, Microsoft, Norman, Sophos),
they will be running with only the Microsoft engine updating as of the first.
The solution to this is to request a new license file that will unlock the Kaspersky, VirusBuster and Command engines, and Cloudmark for anti-spam.
The instructions for the license are in the link above.
Issue:
Constant StatisticsManagerServer event ID 100 on the passive node of a 2003 cluster (maybe on an SCC cluster in 2008 as well)
Cause:
The Antigen Statistics Service needs to access the statistics.xml located in the %data% folder of the Antigen install.
On a passive node this XML file is located on the shared drive that is controlled by the active node. This causes the service to fail to start.
The service is starting because something is making a call to it.
In most cases there is monitoring software that loads our scan counters for Performance Monitor.
Other cases could stem from FSSMC collecting scan data from the passive node.
Workaround:
Monitoring software: This is expected behavior, and the process loading these counters needs to be configured to not monitor Antigen on passive nodes.
FSSMC: If you are using FSSMC to monitor the passive node you can try re-deploying the agent to the passive node.