
We have already announced the changes to engine availability that take effect on the 1st of December. It is important to understand that the SpamCure antispam engine by Mail Filters will also be retired. We have invested in new antispam technology through a partnership with Cloudmark that provides a better overall antispam experience, including higher detection rates, lower false positives, an improved submission experience and an enhanced service experience.

Customers can take advantage of these enhancements and engine changes after deploying the Antigen service pack released on July 1, 2009: Antigen 9 with SP2.

What does this mean? Any Antigen 9 installation still using SpamCure must be upgraded to the latest version of Antigen (Antigen 9 with SP2) before the 1st of December in order to switch to Cloudmark.

At the time of writing (2nd of October), Antigen 9 with SP2 is the latest update; it already integrates the Cloudmark antispam engine.

Please review the “Forefront Server Security Engine revision FAQ” in the Engine Revision Overview and FAQ for more information.

 

Fulvio Spanedda
Sr. Security Support Engineer
EMEA Global Technical Support Center
Microsoft Product Support Services

This blog explains a problem with file transfers in Office Communications Server. The symptoms are that files are being blocked between two clients, but Forefront is not logging any incidents and no notifications are being generated.

 

In order to find out more about what is happening, we first need to enable diagnostic logging in Forefront. Here is how:

- Create the following DWORD registry value and set it to 4:

  Path: [HKLM\Software\Wow6432Node\Microsoft\Forefront Server Security\Office Communications Server]

  Name: "DiagnosticLoggingLevel"

- Go to SETTINGS > General Options in the Forefront Administrator UI and enable the “Additional IM” setting.

 

The following error pattern might be logged in the Forefront Programlog.txt (…\Microsoft Forefront Security\Office Communications Server\Data):

Tue Aug 18 09:18:21 2009 ( 4028-    7), "DIAGNOSTIC: Processing request | StandardMethod[Message] Method[MESSAGE] Call-ID[89a1897355c64d36b441631dbf203f8e] CSeq[3 MESSAGE] |"

Tue Aug 18 09:18:42 2009 ( 4028-    7), "EXCEPTION: ForefrontRTCProxy.exe.RtcProcessingWorkFlows.InterceptAndScanThread("<System.Object fsoTransactionObj>") - Exception setting up downloader for outbound connection to 10.242.0.91:6892" The system returned the following exception: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 10.242.0.91:6892

Tue Aug 18 09:18:42 2009 ( 4028-    7), "ERROR: ForefrontRTCProxy.exe.RtcProcessingWorkFlows.InterceptAndScanThread("<System.Object fsoTransactionObj>") - Failed to establish connection to file transfer sender."

Tue Aug 18 09:18:42 2009 ( 4028-    7), "DIAGNOSTIC: Terminated | StandardMethod[Message] Method[MESSAGE] Call-ID[89a1897355c64d36b441631dbf203f8e] CSeq[3 MESSAGE] |"

 

A network trace confirmed that the Forefront for OCS server (ForefrontRTCProxy.exe on 10.145.2.83) was trying to open a connection to the client (10.242.0.91) on port 6892, but the client never answered any of the connection attempts, so the TCP handshake never completed. Note that there is no reply at all, not even a RST: a closed port would answer the SYN with a RST, whereas silence followed by SYN retransmits is what a host firewall that silently drops the packets looks like:

9:18:20 AM 8/18/2009    393    3007571212    ForefrontRTCProxy.exe    {TCP:31, IPv4:3}    10.145.2.83    10.242.0.91    4538 (0x11BA)    6892 (0x1AEC)    TCP    TCP:Flags=......S., SrcPort=4538, DstPort=6892, PayloadLen=0, Seq=3007571212, Ack=0, Win=64240 (  ) = 64240

9:18:23 AM 8/18/2009    487    3007571212    ForefrontRTCProxy.exe    {TCP:31, IPv4:3}    10.145.2.83    10.242.0.91    4538 (0x11BA)    6892 (0x1AEC)    TCP    TCP:[SynReTransmit #393]Flags=......S., SrcPort=4538, DstPort=6892, PayloadLen=0, Seq=3007571212, Ack=0, Win=64240 (  ) = 64240

9:18:29 AM 8/18/2009    705    3007571212    ForefrontRTCProxy.exe    {TCP:31, IPv4:3}    10.145.2.83    10.242.0.91    4538 (0x11BA)    6892 (0x1AEC)    TCP    TCP:[SynReTransmit #393]Flags=......S., SrcPort=4538, DstPort=6892, PayloadLen=0, Seq=3007571212, Ack=0, Win=64240 (  ) = 64240

You can use a tool such as Microsoft’s Network Monitor to create a network trace. This tool is easy to use, even if you’re new to it: simply use the play and stop buttons to start and stop recording network traffic.

 

First we need to understand that the port range used to transfer files between two OCS clients is 6891 – 6900. Connections on these ports are only opened while a file transfer is taking place. That is why running "netstat -nao" only reveals which port Forefront is using while a file transfer is in progress; two minutes after the transfer completes, the port is closed again.

 

So in order for file transfers to succeed, we need to ensure that the client machine accepts inbound connections on ports 6891 – 6900 from the Forefront for OCS server. In this example, the local firewall on the client machine was configured to block all incoming connections from the OCS server. Once the firewall rules were changed to allow this traffic, file transfers worked as expected between clients (via the Forefront for OCS server). Keep the rule as narrow as the scenario needs: allow TCP 6891 – 6900 inbound from the Forefront for OCS server address rather than opening the range to any source.
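The triage above, as an added example rather than code from the original post: a small Python script that pulls the “setting up downloader” failures out of a programlog.txt, reports the client address and port that ForefrontRTCProxy.exe could not reach, flags whether that port lies in the 6891 – 6900 file-transfer range, and offers a TCP probe to run from the Forefront for OCS server while a transfer is in progress. The sample log lines are constructed from the entries quoted above, and the regular expressions are my reading of that format, not a documented schema.

```python
"""Added example, not part of the original post: triage Forefront for OCS
programlog.txt entries for failed file-transfer interceptions.

Assumption (not from the page): the regular expressions below are written
against the two log lines quoted in the post; the log format itself is not
documented here.
"""
import re
import socket
from dataclasses import dataclass
from typing import Iterable, List

# Client-to-client file transfer port range stated in the post (inclusive).
FILE_TRANSFER_PORTS = range(6891, 6901)

# Constructed sample, modelled on the entries quoted in the post.
SAMPLE_PROGRAMLOG = """\
Tue Aug 18 09:18:21 2009 ( 4028-    7), "DIAGNOSTIC: Processing request | StandardMethod[Message] Method[MESSAGE] Call-ID[89a1897355c64d36b441631dbf203f8e] CSeq[3 MESSAGE] |"
Tue Aug 18 09:18:42 2009 ( 4028-    7), "EXCEPTION: ForefrontRTCProxy.exe.RtcProcessingWorkFlows.InterceptAndScanThread("<System.Object fsoTransactionObj>") - Exception setting up downloader for outbound connection to 10.242.0.91:6892" The system returned the following exception: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 10.242.0.91:6892
Tue Aug 18 09:18:42 2009 ( 4028-    7), "ERROR: ForefrontRTCProxy.exe.RtcProcessingWorkFlows.InterceptAndScanThread("<System.Object fsoTransactionObj>") - Failed to establish connection to file transfer sender."
Tue Aug 18 09:18:42 2009 ( 4028-    7), "DIAGNOSTIC: Terminated | StandardMethod[Message] Method[MESSAGE] Call-ID[89a1897355c64d36b441631dbf203f8e] CSeq[3 MESSAGE] |"
"""

TIMESTAMP_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})")
DOWNLOADER_RE = re.compile(
    r"Exception setting up downloader for outbound connection to "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})"
)


@dataclass
class TransferFailure:
    timestamp: str
    client_ip: str
    port: int
    in_transfer_range: bool  # False points away from the firewall explanation


def find_transfer_failures(lines: Iterable[str]) -> List[TransferFailure]:
    """One record per downloader exception found in the log lines."""
    failures: List[TransferFailure] = []
    for line in lines:
        match = DOWNLOADER_RE.search(line)
        if not match:
            continue
        ts = TIMESTAMP_RE.match(line)
        port = int(match.group("port"))
        failures.append(TransferFailure(
            timestamp=ts.group("ts") if ts else "",
            client_ip=match.group("ip"),
            port=port,
            in_transfer_range=port in FILE_TRANSFER_PORTS,
        ))
    return failures


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """Repeat the handshake ForefrontRTCProxy.exe attempts. Run it from the
    Forefront for OCS server, because the client firewall may only block that
    source address, and only while a transfer is in progress, because the
    client listens on the port only for the duration of the transfer."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for failure in find_transfer_failures(SAMPLE_PROGRAMLOG.splitlines()):
        note = "" if failure.in_transfer_range else " (outside 6891-6900!)"
        print(f"{failure.timestamp}: could not reach "
              f"{failure.client_ip}:{failure.port}{note}")
```

A probe that fails from a different machine, or outside an active transfer, proves nothing: the client only listens while the transfer is running, and a host firewall may only be blocking the server’s address.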

 

After resolving the issue, make sure to disable diagnostic logging again. Here is how:

- Edit the following DWORD registry value and set it to 0:

  Path: [HKLM\Software\Wow6432Node\Microsoft\Forefront Server Security\Office Communications Server]

  Name: "DiagnosticLoggingLevel"

- Go to SETTINGS > General Options in the Forefront Administrator UI and disable the “Additional IM” setting.

 

Kind regards,

 

Paul Gruner

Security Support Engineer

 

Applies to:

Microsoft Forefront Security for Office Communications Server, Version: 10.2.0308.0 and above.

Although Microsoft doesn’t recommend any particular RBL (Realtime Block List) provider for use with Antigen products, Spamhaus is one of the most widely known providers on the market.

 

It’s come to our attention recently that Spamhaus has phased out the old SBL-XBL list, which has now been replaced by the ZEN list (named after a guard dog).

 

Here’s a comparison of the currently available Spamhaus lists (source: www.spamhaus.org):

 

List Name                  | Contains                                                                 | Antigen RBL entry
Spamhaus Block List (SBL)  | Direct UBE sources, spam services and ROKSO spammers                     | sbl.spamhaus.org
Exploits Block List (XBL)  | Illegal 3rd party exploits, including proxies, worms and trojan exploits | xbl.spamhaus.org
Policy Block List (PBL)    | Non-MTA IP address ranges set by outbound mail policy                    | pbl.spamhaus.org
ZEN Block List (ZEN)       | All 3 SBL, XBL and PBL lists combined                                    | zen.spamhaus.org

 

So, what does this mean for you as an administrator of Antigen?

If you’re already using Spamhaus as an RBL list in some way, you need to decide whether to use only the ZEN list or a combination of the SBL, XBL and PBL lists. If you are happy with blocking the content of all three lists, it makes sense to follow Spamhaus’ recommendation and use just the ZEN list. This will improve your lookup response times, as you’ll only need to make one lookup per mail rather than potentially three (one each for the SBL, XBL and PBL lists).

 

You should also delete any SBL-XBL list that you have enabled (sbl-xbl.spamhaus.org), since it is no longer in use. This is important: otherwise Antigen waits for the corresponding RBL lookup to come back, which delays mail processing.

 

Note that Spamhaus provides a free service to smaller customers only. Before using Spamhaus as an RBL service within Antigen, check whether you qualify for free usage on the Spamhaus DNSBL Usage page. Otherwise you’ll have to get your wallet out...
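As an added example (not code from the original post), the following Python models what an RBL-capable filter such as Antigen does with these zones: it builds the reversed-octet query name, interprets the answer, and applies the advice above about dropping sbl-xbl.spamhaus.org and consolidating on ZEN. The zone names are from the post; the meaning of the 127.0.0.x return codes and the 127.255.255.x error codes follows Spamhaus’s published documentation, and 127.0.0.2 is the address Spamhaus documents as always listed for testing. The resolver is pluggable, so the example runs offline against constructed answers.

```python
"""Added example, not part of the original post: build Spamhaus DNSBL
queries the way an RBL-capable filter such as Antigen does, interpret the
answers, and apply the post's advice about consolidating on ZEN.

Zone names come from the post. The meaning of the 127.0.0.x return codes
and of the 127.255.255.x error codes follows Spamhaus's published
documentation (not the post); 127.0.0.2 is the address Spamhaus documents
as always listed, for testing. The resolver is pluggable so this runs
offline against constructed answers.
"""
import ipaddress
import socket
from typing import Callable, Dict, List

ZEN = "zen.spamhaus.org"
LEGACY_ZONES = ["sbl.spamhaus.org", "xbl.spamhaus.org", "pbl.spamhaus.org"]
RETIRED_ZONES = {"sbl-xbl.spamhaus.org"}  # phased out by Spamhaus: remove it

# ZEN return codes (Spamhaus documentation, not the post).
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone: 1.2.3.4 -> 4.3.2.1.zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def live_resolver(name: str) -> List[str]:
    """Real lookup: all A records, or [] when the name does not exist."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_ip(ip: str, zone: str, resolve: Resolver) -> List[str]:
    """Names of the lists the IP is on. Answers in 127.255.255.0/24 are
    Spamhaus error codes (query limit exceeded, open resolver, typo), not
    listings; treating them as listings would block all inbound mail."""
    listed = set()
    for answer in resolve(dnsbl_query_name(ip, zone)):
        if answer.startswith("127.255.255."):
            raise RuntimeError(f"DNSBL error code {answer} from {zone}")
        listed.add(ZEN_CODES.get(answer, f"listed ({answer})"))
    return sorted(listed)


def consolidate_rbl_list(configured: List[str]) -> Dict[str, List[str]]:
    """Drop the retired SBL-XBL zone; if all of SBL, XBL and PBL are
    configured, replace them with ZEN (one lookup per message, not three)."""
    remove = [z for z in configured if z in RETIRED_ZONES]
    keep = [z for z in configured if z not in RETIRED_ZONES]
    if all(z in keep for z in LEGACY_ZONES):
        remove += [z for z in keep if z in LEGACY_ZONES]
        keep = [z for z in keep if z not in LEGACY_ZONES]
        if ZEN not in keep:
            keep.append(ZEN)
    return {"keep": keep, "remove": remove}


# Constructed offline answers: the documented test address is on all three
# lists; 192.0.2.10 is made to return a 127.255.255.x error code.
FAKE_ANSWERS = {
    dnsbl_query_name("127.0.0.2", ZEN): ["127.0.0.2", "127.0.0.4", "127.0.0.10"],
    dnsbl_query_name("192.0.2.10", ZEN): ["127.255.255.254"],
}


def fake_resolver(name: str) -> List[str]:
    return FAKE_ANSWERS.get(name, [])


if __name__ == "__main__":
    print(dnsbl_query_name("127.0.0.2", ZEN), check_ip("127.0.0.2", ZEN, fake_resolver))
    print(consolidate_rbl_list(LEGACY_ZONES + ["sbl-xbl.spamhaus.org"]))
```

The error-code check matters once the free-usage limit in the paragraph above is exceeded: Spamhaus answers over-limit or open-resolver queries with a code in 127.255.255.0/24, and a filter that treats any answer as a listing would start blocking all inbound mail at that point.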

 

Cheers,

Andy Day

Microsoft CSS (Customer Service and Support)

Microsoft announced today the release of four service packs from the Antigen and Forefront product families that provide leading protection for customers’ Exchange and SharePoint environments. To download the service packs, and for more information about them, including new features and issues fixed, click on the following links.

·         Forefront Security for Exchange Server

o    Download Forefront Security for Exchange Server with Service Pack 2

o    Description of Forefront Security for Exchange Server Service Pack 2

 

·         Forefront Security for SharePoint

o    Download Forefront Security for SharePoint with Service Pack 3

o    Description of Forefront Security for SharePoint Service Pack 3

 

·         Antigen 9.0

o    Download Antigen for Exchange with Antigen Spam Manager 9.0 with Service Pack 2

o    Download Antigen for SMTP Gateways with Antigen Spam Manager 9.0 with Service Pack 2

o    Description of Antigen 9.0 with Service Pack 2

 

Holly Kipp

Microsoft Customer Service and Support

Ever seen the programlog.txt just stop logging? Me neither until the last couple of days.

 

To backtrack a bit, the programlog.txt is the most used and most important of all the Antigen/Forefront Server logs. It lives in the \Data subfolder of any Forefront Server installation and in the main installation folder for Antigen for Exchange/SMTP. It is essentially an extended event log for Antigen/Forefront only. It is critical that information can be written to this log, since if something goes wrong it is the first point of reference for troubleshooting (at least amongst CSS engineers).

 

Getting back to the problem...I was troubleshooting a customer issue the other day and found that I could not get the Transport Diagnostics to work at all (in Forefront for Exchange). No DIAGNOSTICS:  entries were being written to programlog.txt as they should have been.

In the end, it turned out that the processes trying to write to the programlog (instances of FSCTransportScanner.exe) were running under the Network Service (this is normal for these processes), which in turn did not have write access to the Program Files (x86)\Forefront Server Security directory, nor its subfolders/files. Once the Network Service was granted write access to this directory (and permissions were inherited by all subfolders/files), Forefront was able to write DIAGNOSTICS:  (and other) entries to the programlog.

 

Checking the account for FSCTransportScanner.exe in Task Manager

 

In the above screenshot, the FSCTransportScanner.exe process is running under the Network Service.

 

Adding the Network Service with Write access to the Forefront install directory

 

If you are experiencing the issue and do not see the account that runs the process with the above permissions, add it.

 

So, if you ever notice that the programlog (or other Antigen/Forefront files) has stopped logging, or seems to be missing information, check that the accounts under which the Antigen/Forefront Server processes run have write access to the files in the install directory and its subfolders. Task Manager is a quick way to see which account each process runs under. Grant only the access the process needs to write its logs and data; a scanning process has no reason to be able to modify the product binaries.

Easy when you know how... hopefully this will save some time for one of you in the future.

 

 

Cheers,

Andy Day

Microsoft CSS (Customer Service and Support)

Good day everybody,

 

Some weeks ago I dealt with a request that took me quite some time and lots of tests; I thought I should share this on our blog to save someone a headache.

 

The request was: “I want to set a File Filter to prevent Standard Users from sending or receiving any BMP attachment. I also have Managers who should not be restricted by this filter; that is, Managers should be able to send and receive any file.”

 

Now, there are some points to be aware of in Forefront for Exchange (FSE):

- Unlike Antigen, in FSE there is only one Realtime Scan Job. You can choose which mailboxes the Realtime Scan Job applies to.

- All mail, even between users in the same Storage Group, goes through a Hub Transport server (and therefore through a Transport Scan Job).

-          “…After scanning each message on the Exchange 2007 Transport role, FSE applies a secure antivirus stamp. This prevents duplicate scanning on the Mailbox server role when the message is deposited into the Store…” (see Ex_Best_Practices.doc )

 

We first took these steps:

- We created a File Filter on the Realtime Scan Job to block all files named “*” where “File Types” is “BMP”.

File FilteringFSE-1.jpg

Be aware that we did not create any File Filter at the Transport Scan Job level; otherwise we would not have been able to differentiate between Standard Users and Managers.

 

- We also disabled Virus Scanning and Content Filtering on the Realtime Scan Job (in Operate/Run Job), so that the Realtime Scan Job would only perform File Filtering.

 File FilteringFSE-2.jpg

- We then applied the Realtime Scan Job to Standard Users and made sure Managers were excluded (in Settings/Scan Job, highlight Realtime Scan Job, under Mailboxes check Selected, hit the icon…

File FilteringFSE-3.jpg

…and choose which users the scan job should apply to.

File FilteringFSE-4.jpg

 

What we achieved with this was:

- Managers were able to send and receive BMP files (AS REQUESTED)

- Standard Users could not send any BMP file (AS REQUESTED*)

- All users (both Managers and Standard Users) could receive incoming mail with any attachment (NOT AS REQUESTED).

By analyzing the logs we noticed that messages were scanned and stamped at the SMTP (transport) level, so once they reached the mailbox server no Realtime Scan Job was performed on them.

 

- In order for the Realtime Scan Job to run, and File Filtering to be applied, we had to set the registry value DisableAVStamping to 1 (see Ex_Best_Practices.doc):

DisableAVStamping [registry]

After scanning each message on the Exchange 2007 Transport role, FSE applies a secure antivirus stamp. This prevents duplicate scanning on the Mailbox server role when the message is deposited into the Store.

It is recommended that you use the secure antivirus transport stamp as designed. You should turn it off only if you plan to use different engines or filtering settings on the Transport server and the Mailbox server. Otherwise, needless duplicate scanning occurs.

The "DisableAVStamping" registry key permits you to override the recommended default setting. This causes the Transport stamp to be suppressed, and the Mailbox server to treat the message as not having been previously scanned.

To override the default, add a new DWORD, called "DisableAVStamping" with a value of "1". This value is not present by default and is assumed to be "0" (the default).

FSE stores registry values in the following locations:

For 32-bit systems:

·      HKLM\SOFTWARE\Microsoft\Forefront Server Security\Exchange Server

For 64-bit systems:

·      HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server

 

After that we achieved what we wanted.

Final consideration: this filter adds some extra load on the mailbox server, which is exactly what the FSE design tries to avoid by performing all scanning in the Transport Scan Job. However, as it is just a File Filter, the additional scan load is not great, and this solution allowed us to achieve both of our goals.

 

* Be aware that a mail may or may not be scanned by the Realtime Scan Job, depending on the load on the server (especially on busy servers). This behaviour is due to race conditions between message delivery and the scan job, which means a filter that relies on the Realtime Scan Job alone is not guaranteed to be applied to every message. The impact of race conditions is beyond the scope of this blog article. Maybe I’ll save that for another time.

 

Regards

Fulvio Spanedda

Senior Support Engineer Antigen/Forefront

Microsoft CSS Security

Customers often ask us the best way to update their scan engines in their specific environment, so I’m writing this blog to go through the main scenarios that customers face and to discuss how to best choose an update method that suits your individual needs.

 

Note: This blog targets current, fully released Antigen and Forefront server products (FSE, FSSP, FSOCS and Antigen 9). It does not cover older, legacy Antigen products, or the future Forefront product wave that is code-named ‘Stirling’.

 

To start with, here’s a table that shows possible and recommended engine update methods for common scenarios:

 

 

Options per scenario:

Scenario                                           | Direct HTTP | UNC Hub  | FSSMC                                                           | UNC + Manual download
1-2 Antigen/Forefront servers                      | Recommended | Possible | Possible                                                        | Last Resort!
Multiple servers, multiple sites                   | Possible    | Possible | Recommended (1 FSSMC server per site, per 2000 managed servers) | Last Resort!
Antigen for SMTP / Forefront Edge servers in a DMZ | Recommended | Possible | Recommended (install in DMZ)                                    | Last Resort!
Forefront for Office Communications Server         | Possible    | Possible | Not supported                                                   | Last Resort!
Closed environment (no internet/network access)    | N/A         | N/A      | N/A                                                             | Recommended

 

Let’s now discuss these methods and explain when each is most appropriate to use:

·         A: Direct HTTP Updates from Microsoft Servers

·         B: UNC Hub Updates

·         Combining Direct HTTP Updates and UNC Updates for Redundancy

·         C: Pushing out Updates via FSSMC

·         D: Manual Download of Engine Files with UNC Updates

·         General Notes

·         Abbreviations

 

 

A: Direct HTTP Updates from Microsoft Servers

This is the default update method and is enabled out of the box for our products. A process called GetEngineFiles.exe takes the default HTTP path (from SETTINGS > Scanner Updates in the Administrator UI) and appends the engine- and version-specific part of the path to it (see the URL format in section D), in order to download engine files directly from Microsoft update servers.

If you are only using a few Antigen / Forefront servers and do not have a license for FSSMC, then this may be the best option for you.

 

 

B: UNC Hub Updates

For this method, at least one server (our update ‘hub’, not to be confused with an Exchange 2007 Hub Transport role) still needs to download engines from a Microsoft HTTP update server. This can be any Antigen 9 or Forefront (FSE/FSSP/FSOCS) product that has internet access. You then share the ‘Engines’ folder within that installation, so that other Antigen / Forefront servers can use a UNC path to update from the hub (rather than from Microsoft HTTP servers):

UNC Engine Share

This helps to reduce internet bandwidth usage and also speeds up downloads on the local LAN. Since every downstream server will load whatever scan engines it finds on this share, give the downstream servers’ accounts read-only access to it; only the hub itself should be able to write to the Engines folder.

Depending on your internal network speed and the number of servers dependent on the hub, you might want to set up more than one hub, e.g. one per site.

In order to avoid possible contention for engine folder writes, you must also enable the ‘Redistribution Server’ setting on any hub servers. This is found under SETTINGS > General Options in the Administrator UI.

 

 

Combining Direct HTTP Updates and UNC Updates for Redundancy

Antigen 9 or Forefront (FSE/FSSP/FSOCS) products permit up to 2 update locations per scan engine. Use these to your advantage to provide redundancy in your environment. Depending on your specific needs, you might choose any one of these combinations for your Network Update Paths (NUP):

·         Set the Primary NUP to the HTTP default location, but point the Secondary NUP to a share on another server (UNC path) to retrieve updates from there, should the HTTP path become unavailable;

·         Set the Primary NUP to update from your UpdateHub1 (via UNC) to take advantage of your speedy LAN. Set the Secondary NUP to the HTTP default location, should UpdateHub1 not be available;

·         Set the Primary NUP to update from your UpdateHub1 (via UNC) to take advantage of your speedy LAN. Set the Secondary NUP to your UpdateHub2 for redundancy.

Note: a Secondary NUP is only used when the Primary NUP is unavailable. If the Primary NUP is available but does not have any new updates, the Secondary NUP is not checked.

 

 

C: Pushing out Updates via FSSMC

You can use FSSMC to do the following, with regard to engine updates:

·         Download and cache the latest 5 Update Versions for any engine;

·         Deploy new engines automatically to any Forefront servers that you specify;

·         Poll Forefront servers to see if they have the latest Update Version or not (automatic comparison).

FSSMC is the recommended way to update multiple Antigen 9 and Forefront (FSE/FSSP/FSOCS) servers in a large organisation. It is used in place of HTTP/UNC updates (methods A and B above), as it proactively pushes new updates out to all managed Antigen 9 or Forefront (FSE/FSSP/FSOCS) products. Make sure that you have disabled all local updates on each Antigen and Forefront server before using FSSMC to deploy updates to them.

FSSMC is available through normal MS channels. For more information, please use these links:

·         FSSMC Home

·         FSSMC Forum

Note that FSSMC does not support FSOCS at this time.

 

 

D: Manual Download of Engine Files with UNC Updates

You’ll see that this is almost always listed as the “Last Resort” in the table above, because it really is a hassle to set up. Ideally, you would use a script to check frequently for and download new engines (2 files per engine: manifest.cab and <Engine>_fullpkg.cab).

 

This method also has the disadvantage that you need to download the full engine package each time, whereas the aforementioned methods do not (they frequently use incremental update packages). Full updates can be 15-60 MB of data, so this method is not only a pain to set up but is also bandwidth-intensive. Still, it may be your only option in an environment where you have no direct access to the internet or to other Antigen 9 or Forefront (FSE/FSSP/FSOCS) product installs.

 

The idea is to download and present the engine files to a folder structure similar to that of the Engines folder in any Antigen 9 or Forefront (FSE/FSSP/FSOCS) product. Whether you choose to download files manually or write a script to do this, the steps you’ll need to follow to download and house engine files will be the same:

 

1. On the download server (the machine that does have internet access), create the download folder structure, sharing the top-level folder (if necessary). Use this structure format:

Engine Folder Structure

You will have one EngineName folder per engine, and the UpdateVersion folder name depends on the engine version currently available (see step 3 to retrieve the Update Version for each engine).

2. Download the manifest.cab for each engine. It needs to be saved into both the EngineName and the UpdateVersion folders. Here are the links to the various manifest.cab files (one per engine and product):

Engine             | Antigen 9               | Forefront (FSE/FSSP/FSOCS)
Anti-Virus Engines |                         |
Ahnlab             | Ahnlab manifest.cab     | Ahnlab manifest.cab
Antigen            | Antigen manifest.cab    | Antigen manifest.cab
CAVet              | CAVet manifest.cab      | CAVet manifest.cab
Command            | Command manifest.cab    | Command manifest.cab
Kaspersky5         | Kaspersky5 manifest.cab | Kaspersky5 manifest.cab
Microsoft          | Microsoft manifest.cab  | Microsoft manifest.cab
Norman             | Norman manifest.cab     | Norman manifest.cab
Sophos             | Sophos manifest.cab     | Sophos manifest.cab
VBuster            | VBuster manifest.cab    | VBuster manifest.cab
Anti-Spam Engines  |                         |
Spamcure           | Spamcure manifest.cab   | N/A

3. Open the manifest.cab and parse the manifest.xml file within, looking for the value of the “version” element:

Manifest Excerpt

4. You can now complete the download folder structure by creating the UpdateVersion subfolder for each engine, as you now know the update version number from each manifest.xml.

5. Download the engine package CAB by amending and retrieving the following URL:

 FOREFRONT: http://forefrontdl.microsoft.com/server/scanengineupdate/x86/<Engine>/Package/<UpdateVersion>/<Engine>_fullpkg.cab

 ANTIGEN: http://antigendl.microsoft.com/antigen/x86/<Engine>/Package/<UpdateVersion>/<Engine>_fullpkg.cab

...where <Engine> is the name of the engine that you are retrieving and <UpdateVersion> is the “version” element’s value from manifest.xml, e.g.

 FOREFRONT: http://forefrontdl.microsoft.com/server/scanengineupdate/x86/Microsoft/Package/0904080003/Microsoft_fullpkg.cab

 ANTIGEN: http://antigendl.microsoft.com/antigen/x86/Microsoft/Package/0904080003/Microsoft_fullpkg.cab

Each CAB file should be saved to the corresponding UpdateVersion subfolder.

6. Next, copy the entire engine source folders to the isolated environment (assuming there is no direct access to the machine that you used for downloads). You may even need to copy the files across on a USB stick to do this, maintaining the same folder structure.

7. Wherever your final engine source folders are located, next share the top-level folder. You should end up with a folder structure like this:

Final UNC Structure

Note that the same manifest.cab appears in 2 places and <Engine>_fullpkg.cab only needs to be in the UpdateVersion subfolder. Check that this is the same for every engine that you need to update.

8. In the Antigen 9 or Forefront (FSE/FSSP/FSOCS) Administrator UI, go to SETTINGS > Scanner Updates and set the Primary Network Update Path for each engine to your UNC share, e.g. \\server1\MyShareName$

9. For each engine, now either click on the Update Now button to trigger an immediate download of the engine from the engine source folders, or alternatively schedule updates per engine.
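To take the bookkeeping out of steps 1 to 9, here is an added Python example (not a script from the original post, nor from CSS, which as the General Notes say provides none): it reads the Update Version from a manifest.xml, builds the Forefront or Antigen package URL from the templates above, lays out the EngineName\UpdateVersion folder structure, and checks a share for missing files before you point a Primary Network Update Path at it. The manifest.xml sample is constructed with a single <version> element, since the post shows only that element; manifest.cab is assumed to have been unpacked beforehand (for example with expand.exe). Engine folder names and URL templates are those given in the post.

```python
"""Added example, not part of the original post: automate the bookkeeping
of the manual download method (steps 1-9).

Assumptions not found in the post: manifest.xml is taken to carry the
update version in a <version> element and nothing else is relied upon (the
sample below is constructed, not a real manifest); manifest.cab is assumed
to have been unpacked first, e.g. with the Windows expand.exe tool.
Engine names and URL templates are those given in the post.
"""
import os
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath
from typing import Callable, Dict, List

# Engine folder names as the update servers expect them (see General Notes:
# 'Kaspersky5', not 'Kaspersky'; 'VBuster', not 'Virus Buster').
AV_ENGINES = ["Ahnlab", "Antigen", "CAVet", "Command", "Kaspersky5",
              "Microsoft", "Norman", "Sophos", "VBuster"]
ANTIGEN_ONLY_ENGINES = ["Spamcure"]  # anti-spam engine, Antigen 9 only

# All engines are 32-bit, so the path says x86 even for x64 installations.
URL_TEMPLATES = {
    "forefront": ("http://forefrontdl.microsoft.com/server/scanengineupdate/x86/"
                  "{engine}/Package/{version}/{engine}_fullpkg.cab"),
    "antigen": ("http://antigendl.microsoft.com/antigen/x86/"
                "{engine}/Package/{version}/{engine}_fullpkg.cab"),
}

# Constructed sample; the real manifest.xml schema is not shown in the post.
SAMPLE_MANIFEST_XML = """<manifest>
  <engine>Microsoft</engine>
  <version>0904080003</version>
</manifest>"""


def parse_update_version(manifest_xml: str) -> str:
    """Step 3: the UpdateVersion is the text of the <version> element."""
    root = ET.fromstring(manifest_xml)
    node = root if root.tag == "version" else root.find(".//version")
    if node is None or not (node.text or "").strip():
        raise ValueError("manifest.xml contains no <version> element")
    return node.text.strip()


def package_url(product: str, engine: str, version: str) -> str:
    """Step 5: URL of the full engine package for 'forefront' or 'antigen'."""
    if engine not in AV_ENGINES + ANTIGEN_ONLY_ENGINES:
        raise ValueError(f"unknown engine folder name {engine!r}")
    if product == "forefront" and engine in ANTIGEN_ONLY_ENGINES:
        raise ValueError(f"{engine} is not available for Forefront")
    return URL_TEMPLATES[product].format(engine=engine, version=version)


def engine_layout(share_root: str, engine: str, version: str) -> Dict[str, List[str]]:
    """Steps 1, 2 and 7: the files that must exist for one engine under the
    share. manifest.cab appears twice; the full package only under UpdateVersion."""
    engine_dir = PureWindowsPath(share_root) / engine
    version_dir = engine_dir / version
    return {
        "manifest": [str(engine_dir / "manifest.cab"), str(version_dir / "manifest.cab")],
        "package": [str(version_dir / f"{engine}_fullpkg.cab")],
    }


def missing_files(share_root: str, versions: Dict[str, str],
                  exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Check the share before pointing the Primary Network Update Path at it.
    'versions' maps engine folder name -> UpdateVersion read from its manifest."""
    missing: List[str] = []
    for engine, version in versions.items():
        for paths in engine_layout(share_root, engine, version).values():
            missing += [p for p in paths if not exists(p)]
    return missing


if __name__ == "__main__":
    version = parse_update_version(SAMPLE_MANIFEST_XML)
    print(package_url("forefront", "Microsoft", version))
    for path in missing_files(r"\\server1\MyShareName$", {"Microsoft": version}):
        print("missing:", path)
```

Because manifest.cab files expire after a few days (see General Notes), the check is worth re-running every time the share is refreshed, not only when it is first built.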

 

 

General Notes

·         Important: the Manual Download method (D) requires manual intervention on your part; therefore it would only be supported by CSS on a best-effort basis, should you run into any issues. CSS does not provide any scripts to support this method at present.

·         Manifest.cab files expire within a certain time limit for added security (varies per engine; usually within a few days).

·         At the current time of writing, Antigen 9 or Forefront (FSE/FSSP/FSOCS) update files are interchangeable, so you can use Forefront engines for Antigen 9 and vice-versa. This means that you can use one hub to serve both Antigen and Forefront installations via UNC (or only need to download one set of files if you are updating manually).

·         Even if you are running a Forefront (FSE/FSSP/FSOCS) product on a x64 platform, the paths to engines will contain “x86”, since all engines are 32-bit.

·         The name of the Kaspersky engine for manual updates should be ‘Kaspersky5’ (not ‘Kaspersky’).

·         The name of the Virus Buster engine for manual updates should be ‘VBuster’ (not ‘Virus Buster’ or ‘VirusBuster’).

 

 

Abbreviations

CSS - (Microsoft) Customer Service and Support

FSE - Forefront Server Security for Exchange

FSOCS - Forefront Security for Office Communications Server 2007

FSSMC - Forefront Server Security Management Console

FSSP - Forefront Server Security for SharePoint

NUP - Network Update Path

UNC - Universal Naming Convention. Example path: \\server1\MyShareName$

 

 

Cheers,

Andy Day

Microsoft CSS (Customer Service and Support)

Some links to useful information about Antigen/Forefront Server Security  

 

Official MS pages: start here to find presentations, evaluate the product online through our virtual labs and download trial software.

Forefront Server Security

http://www.microsoft.com/forefront/serversecurity/en/us/default.aspx

Antigen

http://www.microsoft.com/antigen/default.mspx

 

Guides & Whitepapers

Antigen, AEM and Forefront technical library

http://technet.microsoft.com/en-us/library/bb932383.aspx

Antigen White Papers                

http://www.microsoft.com/antigen/prodinfo/whitepapers.mspx

 

Forums

Forefront Server Security (Main)           

http://forums.microsoft.com/ForeFront/default.aspx?ForumGroupID=275&SiteID=41

Antigen                       

http://forums.microsoft.com/ForeFront/ShowForum.aspx?ForumID=1838&SiteID=41

Forefront Security for Exchange Server

http://social.technet.microsoft.com/forums/en-US/forefrontexchange/threads/

Forefront Security for SharePoint           

http://social.technet.microsoft.com/forums/en-US/forefrontSharePoint/threads/

Forefront Server Security Management Console

http://social.technet.microsoft.com/forums/en-US/ForefrontserverMC/threads/

 

Blogs

Forefront Server Security Support Blog

http://blogs.technet.com/fssnerds/

Forefront Server Security Blog

http://blogs.technet.com/fss/

Forefront Team Blog               

http://blogs.technet.com/forefront/

 

  

Thanks and Regards

Fulvio Spanedda

Microsoft CSS Security

Antigen Forefront support

 

Here are the latest versions, as of today (28th of October 2009), of the Antigen and Forefront Server Security products, with the relevant KB articles.

The latest versions are always the “recommended ones”; support specialists may ask you to upgrade your system to the latest version before troubleshooting starts.

Installation of the latest version is normally performed with the latest Service Pack (which is usually a full package and contains the full version of the product). Rollups are then installed on top of the Service Pack.

Upgrading to the latest version is normally performed by applying the latest Service Pack and then the latest Rollup available for that Service Pack.

However, some updates come in the form of Full Packages; that is, you just need to install that package to get the latest available version of the product.

If you are installing on a cluster there are specific instructions to follow; please refer to the relevant Knowledge Base articles.

Service Packs and Rollup packages are cumulative, i.e. they contain the fixes from previous SP and Rollup packages.

In any case, we strongly recommend that you always read the KB articles that come with the upgrades.

 

Antigen 8 for IM with Service Pack 1

(a cumulative full package is available for installation, with this you don´t need to have any previous version of Antigen installed)

http://support.microsoft.com/kb/975850/

 

Antigen 8 for SharePoint  with Service Pack 1

(a cumulative full package is available for installation, with this you don´t need to have any previous version of Antigen installed)  

http://support.microsoft.com/kb/975850/

 

Antigen for Exchange/SMTP  9.0 with Service Pack 2

(a cumulative full package is available for installation, with this you don´t need to have any previous version of Antigen installed)

http://support.microsoft.com/kb/971063

 

Forefront Security for Exchange Server with Service Pack 2

(a cumulative full package is available for installation, with this you don´t need to have any previous version of the product)

http://support.microsoft.com/kb/960465

 

Forefront Security for SharePoint with Service Pack 3

http://support.microsoft.com/kb/967995/

 

Forefront Server Security Management Console

 

Rollup3 for Forefront Server Security Management Console

(it comes as a full package, it can also be used to perform a new installation)

http://support.microsoft.com/kb/973919/

 

Thanks and Regards

Fulvio Spanedda

MCSE 2003 + Security

Senior Support Engineer - Microsoft CSS Security

Antigen/Forefront Server Security support - Madrid

 

The following article explains how Exchange Intelligent Message Filtering (IMF) and Antigen Advanced Spam Manager (ASM) work together, and specifically how SCL ratings are assigned.

 

IMF Options

Blocking spam with the IMF is a two-stage process. The filter scans the mail and gives each message a Spam Confidence Level rating from zero to nine, with zero meaning “not spam” and the SCL rating increasing based on the “spaminess” of a message. This SCL rating is then used to determine how the mail is handled. Mail can be handled at two points:

- At the Gateway – messages can be rejected or archived (quarantined) at the entry point, based on the SCL rating. This mail is not seen by the end user.

- In the message store – messages are routed to the Outlook 2003 Junk E-Mail folder based on the SCL rating.

 

The following would be a typical scenario:

- Gateway set to archive all mail with an SCL rating of 7 or higher.

- Message store set to send all mail with an SCL rating between 4 and 6 to the Junk E-Mail folder.

- All remaining mail (SCL from 0 to 3) is delivered as usual to the Inbox.

 

The specific SCL ratings can be changed as the mail administrator sees fit. In addition, the gateway can be set to “Take No Action,” meaning all mail over the message store threshold will go to the Junk E-Mail folder.

 

Advanced Spam Manager (ASM) Options

The SpamCure engine does not provide a range of SCL ratings. Because it uses highly accurate specific signatures, rather than a calculation that yields results within a range, it uses a yes/no mechanism. Mail detected as spam is given an SCL rating of 9. Mail not detected as spam is set to 0. ASM also provides various ways to handle mail, such as quarantining, subject line stamping and so forth. But for this illustration, we will assume use of the Outlook 2003 Junk E-Mail folder.

 

Running IMF and ASM Together

When IMF and ASM are installed on the same gateway, the IMF engine scans messages first and applies an SCL rating to each mail. The message is then passed to ASM, which also scans it. By design a higher SCL rating always takes precedence over a lower one, so ASM can raise a score to 9 but will never lower a score provided by IMF. This means that decisions made by IMF remain valid even if the SpamCure engine misjudges a spam message and rates it zero.

 

Let’s put together a typical scenario to better understand how the parts all play together. For our illustration, we will play the role of email administrator and make the following settings:

·         The IMF Gateway option is set to reject all messages that receive an 8 or 9 SCL rating. These are very high spam content ratings and there is only a slim chance of a false positive receiving a rating as high as 8 or 9.

·         The message store is set to put all mail with SCL ratings between 5 and 7 into the Junk E-Mail folder.

·         All messages with SCL from 0 to 4 go to the Inbox.

·         Advanced Spam Manager is configured to use SCL ratings on all mail it detects as spam.

 

We can now easily trace the sequence of events as mail enters our dual spam net environment.

1.       As mail enters, it is scanned by IMF, the first net. All mail that receives an SCL rating of 8 or 9 is rejected. All remaining mail receives an SCL rating from 0 to 7.

2.       Mail is passed to ASM. It makes spam decisions that are completely independent of those made by the IMF. The following events can happen.

a)      Mail is determined to be spam by ASM. The SCL rating is set to 9. Mail is caught in the second net.

b)      Mail that IMF determined was not spam (0-4) is scanned by ASM. Anything missed by the first net can be caught by ASM in the second net.

c)       Mail that ASM does not consider spam maintains the SCL rating from IMF. Therefore, spam that the second net missed is nevertheless still caught in the first net.

3.       Mail reaches the message store. All mail that IMF has tagged within the store threshold of 5-7, and any mail tagged with an SCL rating of 9 by ASM, is routed to the users' Junk E-Mail folders. All mail with an SCL of 4 or below goes to the Inbox. Note that an ASM 9 ends up in the Junk E-Mail folder rather than being rejected, because the gateway decision was taken on IMF's rating before ASM scanned the message.
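The walkthrough above is easy to get wrong in one detail: the gateway acts on IMF's rating only, so an ASM hit can never cause a rejection, only a Junk E-Mail routing. The following Python model is an added example for this post (it is not code from Antigen or Exchange) that encodes the rules the post states and the example thresholds; the sample batch of messages and their IMF/ASM verdicts is constructed for illustration.

```python
"""Two-stage spam handling: IMF first, then ASM (SpamCure), then the store.

Added illustration for this post, not code from Antigen or Exchange. It
models the rules the post states: IMF gives every message an SCL 0..9; the
gateway acts on IMF's score only; ASM is a yes/no engine that sets SCL 9 on
a hit; the higher SCL always wins, so ASM can raise but never lower IMF's
rating; the message store then routes by the final SCL. Default thresholds
are the post's example (reject 8-9, Junk 5-7, Inbox 0-4).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Thresholds:
    gateway_min: int = 8            # SCL at or above this is handled at the gateway
    gateway_action: str = "reject"  # "reject", "archive" or "none" (Take No Action)
    store_min: int = 5              # SCL at or above this, if not handled earlier, goes to Junk


def combine_scl(imf_scl: int, asm_is_spam: bool) -> int:
    """Final SCL after both engines: the higher rating takes precedence."""
    if not 0 <= imf_scl <= 9:
        raise ValueError("SCL must be 0..9")
    asm_scl = 9 if asm_is_spam else 0   # SpamCure is yes/no: 9 or 0
    return max(imf_scl, asm_scl)


def route(imf_scl: int, asm_is_spam: bool, t: Thresholds = Thresholds()) -> str:
    """Where one message ends up: 'reject', 'archive', 'junk' or 'inbox'."""
    if t.gateway_action not in ("reject", "archive", "none"):
        raise ValueError("unknown gateway action")
    # Stage 1: IMF scans and the gateway acts on IMF's SCL alone.
    if t.gateway_action != "none" and imf_scl >= t.gateway_min:
        return t.gateway_action          # ASM never sees this message
    # Stage 2: ASM scans what the gateway let through; a hit forces SCL 9.
    final = combine_scl(imf_scl, asm_is_spam)
    # Stage 3: the store routes by the final SCL. An ASM 9 lands in Junk, not
    # at the gateway, because the gateway decision has already been taken.
    return "junk" if final >= t.store_min else "inbox"


def trace(messages, t: Thresholds = Thresholds()):
    """Run a batch of (label, imf_scl, asm_is_spam) and return the outcomes."""
    return [(label, imf, asm, route(imf, asm, t)) for label, imf, asm in messages]


# Constructed sample batch covering the cases walked through in the post.
SAMPLE = [
    ("bulk spam, IMF 9",                  9, True),
    ("spam IMF rated 6, ASM clean",       6, False),
    ("spam IMF rated 3, ASM hit",         3, True),   # second net catches it
    ("newsletter IMF 4, ASM clean",       4, False),
    ("legitimate mail IMF 8, ASM clean",  8, False),  # gateway false positive
]

if __name__ == "__main__":
    for label, imf, asm, outcome in trace(SAMPLE):
        print(f"{label:36} IMF={imf} ASM={'spam' if asm else 'clean'} -> {outcome}")
    # With the gateway set to archive, the IMF 8 message can be retrieved later.
    for row in trace(SAMPLE, Thresholds(gateway_action="archive")):
        print(row)
```

Switching `gateway_action` to "archive" or "none" reproduces the alternatives listed further down: with "none", even an IMF 9 goes to the Junk E-Mail folder instead of being dropped.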

 

Of course, any of the parameters above can be changed. For instance, you may wish to consider some of the following:

·         Do not reject any mail at the gateway, to avoid even the slightest chance of losing a legitimate email.

·         Set the gateway to archive SCL 8 and 9 messages rather than reject them. This way they can be retrieved if needed.

·         Raise or lower the message store threshold to fine-tune which messages are routed to the Junk E-Mail folder.

 

Related articles:

·         Exchange IMF: http://technet.microsoft.com/en-us/exchange/bb288484.aspx  

·         Configuring the Exchange Intelligent Message Filter: http://technet.microsoft.com/en-us/library/bb914061.aspx

·         How to verify the Intelligent Message Filter SCL rating in Outlook 2003: http://support.microsoft.com/kb/895091

·         Anti-Spam updates in Forefront Security for Exchange Server: http://support.microsoft.com/kb/941271/en-us

·         Information about the types of anti-spam updates that are available for Exchange 2007: http://support.microsoft.com/kb/925474/en-us

·         Anti-Spam and Antivirus Functionality: http://technet.microsoft.com/en-us/library/aa997658(EXCHG.80).aspx

·         Understanding Anti-Spam and Antivirus Mail Flow: http://technet.microsoft.com/en-us/library/aa997242(EXCHG.80).aspx

·         Managing Anti-Spam and Antivirus Features: http://technet.microsoft.com/en-us/library/aa996604(EXCHG.80).aspx

·         How to Configure Anti-Spam Automatic Updates: http://technet.microsoft.com/en-us/library/bb125199.aspx

 

 

Applies to:

Microsoft Antigen for Exchange 9.0

Microsoft Antigen for Exchange 9.0 Service Pack 1

Microsoft Antigen for SMTP 9.0

 

 

Cheers,

Paul Gruner

Microsoft CSS (Customer Service and Support)

Microsoft recently released Rollup 5 for Antigen 9 SP1, which contains a particularly important fix for Exchange 2000 / 2003 clusters. The full issue behind this fix is documented in KB957015. Essentially, the ‘fix’ adds a new Antigen Cluster Resource (‘AntigenClusRes’) to each EVS group. I’d like to add some more meat to the fix description in the KB-article to help guide cluster administrators through the install/upgrade procedure for this new Rollup.

 

What does AntigenClusRes do?

‘AntigenClusRes’, or the Antigen Cluster Resource, manages the replication of Antigen registry values between active and passive nodes during failover. Without this resource, it is possible for the Antigen registry to get into an inconsistent state under certain circumstances.

 

I see that both a standard hotfix and a full install package are available. Which should I use?

You will only need the full install package if you are planning to perform a fresh install of Antigen.

 

Where can I get Rollup 5 from?

You can either request the package directly from the Rollup 5 for Antigen 9 SP1 KB article page (simplest and quickest method), or if you require additional advice as well, open a case with Customer Service and Support (CSS).

 

Ok – I’ve got the package. How should I install it?

This will depend upon whether you’re deploying the standard hotfix package, or the full install package:

 

Full install package (fresh installs only – not recommended for upgrades)

1.       Review and ensure compliance with the Prerequisite mentioned below.

2.       Install the full package, as per the Antigen Cluster Installation Guide (setup will run just like any other Antigen version).

3.       Check in Cluster Administrator that you can see AntigenClusRes resource present for each EVS. See Checking for the Antigen Cluster Resource below for more information.

 

Hotfix package (upgrades-only)

1.       Make sure that you are running at least Antigen 9 SP1 prior to installing the hotfix.

2.       Review and ensure compliance with the Prerequisite mentioned below.

3.       Run the hotfix package on all nodes.

4.       (!) On each active node, open a command prompt, change to the %ProgramFiles%\Microsoft Antigen for Exchange folder and run antutil /disable. This takes the EVS offline automatically.

5.       (!) On each active node, run antutil /enable. This brings the EVS back online automatically, registers the AntigenClusRes resource type and installs the AntigenClusRes cluster resource for the current EVS.

6.       Check in Cluster Administrator that you can see AntigenClusRes resource present for each EVS. See Checking for the Antigen Cluster Resource below for more information.

 

(!) Warning: do not take the EVS offline or bring it online manually, since this will result in the Antigen Cluster Resource not being created.

 

Prerequisite:

In order for this resource to be created, the name of the Physical Disk Resource on which Antigen database files reside (often the same disk as Exchange) must contain the corresponding physical drive letter followed by a colon ( e.g. X:). If this is not the case, the Antigen Cluster Resource will not be created for the EVS.

 

Examples:

·         If EVS1 is associated with a Physical Disk Resource called ‘XDisk’ and physical drive X:, the Antigen Cluster Resource will not be created for the EVS.

·         If EVS2 is associated with a Physical Disk Resource called ‘Disk Y:’ and physical drive Y:, the Antigen Cluster Resource will be created for the EVS.

 

Note: if you are not able to rename your shared disks in Cluster Admin, contact Customer Service and Support (CSS) for further advice.

 

Checking for the Antigen Cluster Resource:

Once Rollup 5 is installed and you’ve completed all of the appropriate steps above, you should see the AntigenClusRes resource entries in Cluster Administrator. They will be named as AntigenClusRes<EVS_name>.

Here’s a screenshot from a cluster with 3 EVS instances, so we have 3 AntigenClusRes resource entries:

 

[Screenshot: Cluster Administrator showing three AntigenClusRes<EVS_name> resource entries]

Cheers,

Andy Day

Microsoft CSS (Customer Service and Support)

Hello, my name is Robert McCarthy and I am a support engineer for the Antigen and Forefront Server product set.

Since the advent of Antigen, its hallmark feature has been the ability to incorporate multiple third party scan engines into our scan jobs. This makes Antigen, and Forefront Server alike, the most complete antivirus application available.

Since being introduced to Antigen in 2001, I have seen functionality develop and improve based on customer feedback, functionality requests, and the visions of our dedicated product groups. Today Forefront for Exchange 2007 notably differs from Antigen in 2001, but our multi-scan engine functionality remains. Although this provides our customer base the most comprehensive AV on the market, it does present a unique circumstance to our administrators: the need to confirm which of our multitude of scan engines has appropriate signatures available for each of the vast array of viruses, worms, and their newest variants.

The question usually encompasses the following: “I read about the following e-mail virus, will Antigen/Forefront catch this?”

Because each engine vendor may apply a unique name to the same malware, this question is not always easy to immediately answer, especially if the administrator does not have a sample.

Without an actual malware sample, the responsibility of the MS engineer at this point is to research each engine vendor’s public AV libraries for the referenced malware, as well as identify any unique alias that a vendor may use to label that malware.

With that being said, I would like to provide the following public resources enabling an administrator to save their company the cost of opening a support case with Microsoft. These are links to each engine vendor’s AV libraries.

Norman - http://www.norman.com/Virus/List_of_detected_viruses/en-us

Sophos - http://www.sophos.com/security/analyses/viruses-and-spyware/

CA Vet - http://www.ca.com/us/anti-virus.aspx

Authentium Command - http://www.authentium.com/threatmatrix/

AhnLab - http://global.ahnlab.com/

VirusBuster - http://www.virusbuster.hu/en/viruslab/

Kaspersky - http://www.kaspersky.com/viruswatchlite?hour_offset=-8

MSAV - https://www.microsoft.com/security/portal/submit.aspx

In the event you are indeed able to provide a sample of what you believe may be malware, Microsoft’s Malware Protection Portal provides a virus submission component enabling our engineers to quickly analyze the file and provide appropriate feedback.

Of course our support staff is always happy to assist if you have any additional questions or concerns.

 

Thanks and keep fighting the good fight…

Rob McCarthy

CSS Security Support Engineer

The virus world has always seen a battle between virus makers and anti-virus vendors, each trying to outwit each other through their speed and technology. Antigen and Forefront products incorporate proprietary and 3rd-party anti-virus scan engines that use heuristics and pattern (definition) technology to scan and detect viruses.

 

When a new virus is released into the wild, it may initially be caught by an anti-virus (AV) vendor’s heuristic definitions, but if not the vendor will first need to locate and analyse a sample of the virus. The vendor then releases a new pattern file or ‘definition’ as part of an engine update, which will allow for detection of the virus.

 

Antigen and Forefront products encompass up to 8 AV scan engines (up to 5 can be enabled at any one time). This multi-engine approach gives your users a high level of protection against all threats, and particularly against new threats, where time is of the essence: the more vendors you scan with, the better the odds that at least one already has a definition.

 

No AV protection is (or probably ever will be) 100% secure, and as an administrator you may run into one of the following scenarios:

·         False-negatives (virus is not detected)

·         False-positives (non-virus is detected)

 

I’ve written this blog to give you the initial actions and troubleshooting steps that you should take (in relation to Antigen 9/Forefront Server 10 products) in each of these scenarios. Please read on below, and if you’re not au fait with certain terms in this blog, I’ve also given you a Mini Glossary at the end.

 

Cheers,

Andy Day

Microsoft CSS (Customer Service and Support)

 

 

Reporting False-negatives to Microsoft CSS (Customer Service and Support)

FAQ: “A virus got past Antigen/Forefront (without being detected). How can I provide protection for this virus in the future?”

 

On the rare occasion that you find a virus getting past Antigen/Forefront, the first things that you’ll want to do are to make sure that no user has been infected and then to take measures to ensure that the same virus will not get through again. A local AV product (on your users’ desktop PCs) should help to achieve the former, and you can use the following steps to tackle the latter:

1.       Do not open/execute the file

2.       Update your engines

3.       Check your selected engine and Bias

4.       Submit the virus

5.       Check vendor sites for coverage

6.       Use filters

7.       Check your local AV

 

! Note: If your local AV cannot remove an infection, consult the Microsoft Malware Protection Center for removal advice and/or open a support case with Microsoft CSS to receive assistance.

 

1.       Do not open/execute the file - ...unless you have good reason to believe that it has been cleaned (you do this at your own risk!). I like to state the obvious where security’s concerned.

2.       Update your engines – Make sure that your scan engines are up-to-date in the Antigen/Forefront Administrator console (click on SETTINGS > Scanner Updates). To troubleshoot engine updates, review the ProgramLog.txt and search for any errors on http://support.microsoft.com/. Without the latest engine updates, your system will not be protected against the latest threats!

3.       Check your selected engine and Bias – one or two of your engines may already provide coverage for a specific new virus...but have you enabled these engines?

Similarly, your Engine Bias may prevent Antigen/Forefront from detecting the virus.

Let’s assume you have enabled 4 engines and are currently using a ‘Neutral’ Engine Bias. This setting will pick 2 of your 4 engines for each scan (50%). If only 1 or 2 engines currently provide detection against a new virus, you cannot guarantee that these engines will scan every mail with this bias.

Increasing the Engine Bias has a (usually minor) impact on performance, but in an outbreak situation you will probably want to sacrifice performance for added security. I would recommend the ‘Max Certainty’ Engine Bias in this situation. Antigen/Forefront will then scan each message with every enabled engine.

Please refer to the Antigen and Forefront User Guides for more information on engine selection and Engine Bias.

4.       Submit the virus – if you are able to obtain a copy of the virus (maybe from a quarantine area within the user’s local AV product), please package it for submission to Microsoft as per KB952163. I recommend opening a support case for submission over sending directly to the email address provided, as this allows us to provide you with feedback and facilitates tracking.

5.       Check vendor sites for coverage – most of the Antigen/Forefront AV vendors provide up-to-date information on the threats that they cover. You can find the latest threats and coverage at the Microsoft Malware Protection Center, for instance. As Microsoft polls all vendor sites constantly, you should expect Antigen/Forefront releases of any new vendor signature version within 30 minutes of a vendor release (after Microsoft has tested, repackaged and signed them for redistribution to you). Once a vendor has released a new definition for a virus, keep an eye on your Antigen/Forefront engine updates, as per point 2. You can also check for new updates immediately by using the ‘Update Now’ button in the Scanner Updates panel.

When comparing different vendor sites, note that each vendor will call a virus its own specific name. What Microsoft calls ‘Win32/Conficker.B’ for example, is also known as ‘Win32/Conficker.A’ (CA), ‘Mal/Conficker-A’ (Sophos), ‘Trojan.Win32.Agent.bccs’ (Kaspersky) and ‘W32.Downadup.B’ (Symantec).

Depending on the extent of the threat that you perceive, you may wish to run a Manual Scan on your Storage Groups (once you have corresponding updates in place), singling out 1 or 2 updated scan engines that now have definitions in place and can delete any instances of the virus. For more information on running a Manual Scan, please see the Antigen and Forefront User Guides.

6.       Use filters - File, Subject Line and even Keyword Filters can be very effective in blocking viruses in the short term (until definitions are available), particularly if you are facing a high number of infected mails/files entering your environment. File Filters are usually the easiest type to implement, but if the virus attachment name varies significantly, try using other filter types to home in on the mail.

Please refer to the Antigen and Forefront User Guides for more information on filtering.

7.       Check your local AV – Microsoft believes in a multi-layered approach to security (as do I!). Even though you have taken steps to stop the virus getting past Antigen, it’s also important to check that your local AV clients (AV product on each user’s PC, such as Forefront Client Security) are up-to-date and also provide coverage for the virus.
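Step 3 above makes a quantitative point that is worth seeing with numbers: under a ‘Neutral’ bias only some of your enabled engines see each message, so a definition that only one or two vendors have shipped covers only a fraction of your traffic. The following Python is an added example for this post (not Antigen/Forefront code) that computes that fraction. It assumes, as a modelling simplification, that the engines applied to each message are chosen uniformly at random from those enabled; the product's actual selection also weighs engine load and recent results, and only the ‘Neutral’ (about half) and ‘Max Certainty’ (all engines) shares are taken from the text.

```python
"""Share of messages scanned by at least one engine that already detects a
new virus, under a given Engine Bias. Added illustration for this post, not
Antigen/Forefront code.

Model assumption (not documented product behaviour): for each message the
bias picks a fixed number of the enabled engines, uniformly at random.
Under 'Neutral' the post says 2 of 4 enabled engines scan each message;
'Max Certainty' uses every enabled engine.
"""
from fractions import Fraction
from itertools import combinations
from math import comb


def coverage_probability(enabled: int, per_scan: int, detecting: int) -> Fraction:
    """P(a message is scanned by at least one engine that detects the virus).

    enabled   - engines enabled on the scan job (the post: up to 5)
    per_scan  - engines the bias applies to each message
    detecting - enabled engines that already have a definition for the virus
    """
    if not (1 <= per_scan <= enabled and 0 <= detecting <= enabled):
        raise ValueError("inconsistent engine counts")
    total = comb(enabled, per_scan)
    # Subsets drawn only from the engines that do NOT detect the virus.
    misses = comb(enabled - detecting, per_scan)
    return Fraction(total - misses, total)


def coverage_by_enumeration(enabled: int, per_scan: int, detecting: int) -> Fraction:
    """Same quantity by listing every engine subset; engines 0..detecting-1
    are the ones with a definition. Used to cross-check the formula."""
    subsets = list(combinations(range(enabled), per_scan))
    covered = sum(1 for chosen in subsets if any(e < detecting for e in chosen))
    return Fraction(covered, len(subsets))


def neutral_per_scan(enabled: int) -> int:
    """'Neutral' bias: about half the enabled engines per message (2 of 4 in
    the post). Rounding up for odd counts is an assumption of this model."""
    return max(1, (enabled + 1) // 2)


def compare_bias(enabled: int, detecting: int) -> dict:
    """Coverage under Neutral versus Max Certainty for the same engine set."""
    return {
        "Neutral": coverage_probability(enabled, neutral_per_scan(enabled), detecting),
        "Max Certainty": coverage_probability(enabled, enabled, detecting),
    }


if __name__ == "__main__":
    for detecting in (1, 2):
        result = compare_bias(4, detecting)
        print(f"4 enabled, {detecting} detecting: "
              + ", ".join(f"{k} {float(v):.0%}" for k, v in result.items()))
```

With four engines enabled and a single vendor shipping the definition, ‘Neutral’ scans only half of your messages with that engine; with two vendors it is five in six. ‘Max Certainty’ brings it to 100% as soon as one enabled engine has the definition, which is the reason to switch bias during an outbreak.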

 

 

Reporting False-positives to Microsoft CSS (Customer Service and Support)

FAQ: “Antigen/Forefront detected a legitimate business file as a virus. How can I retrieve this file and prevent future detections of this nature?”

 

You might also find that a scan engine is detecting/deleting a file that you believe not to be infected. This is most common with a scan engine’s heuristic components that look for patterns in files to determine what is highly likely to be a virus. This is most useful before a pattern/definition has been released for a new virus. Occasionally heuristics (and other definitions) can pick up legitimate files as well and the scan engine may need some fine-tuning.

You would usually see false-positive detections occurring with only one specific scan engine at any one time. If multiple engines are detecting the file as a virus, the detection is most probably correct (it’s a virus!).

 

We recommend that you open a support case with CSS to report any suspected false positive. The support engineer will work with you to reproduce the detection and escalate the issue to the vendor(s) in question. The vendor then has the final call to correct their definition files as they see fit. If all goes well, you can expect a corrective engine update from Microsoft within a day or two.

 

To help with analysis and find you the quickest solution, please consider these points:

1.       Do not open/execute the file

2.       Record engine details

3.       Submit the affected file

4.       Consider disabling the engine

5.       Command false-positives

 

1.       Do not open/execute the file - ...unless you have good reason to believe that it is clean (you do this at your own risk!).

2.       Record engine details – note the detecting engine and the engine details (Signature Version, Engine Version and Update Version). These are important details for your submission to Microsoft. Don’t forget to give us the virus name as well!

3.       Submit the affected file – CSS will need a copy of the file to reproduce the detection. You may well be able to retrieve this from the Antigen/Forefront Quarantine (if you had enabled the ‘Quarantine Files’ option on the relevant scanjob). As I mentioned, it’s best to submit false-positive detections through a support case. Please use the guidelines in KB952163 to package the file to send through to us.

4.       Consider disabling the engine – depending on the frequency of these unwanted detections and the importance of the affected mails, you may wish to temporarily disable the scan engine in question until the issue has been corrected. Using the multiple engines within Antigen/Forefront, you should be able to swap a currently disabled engine for the culprit engine, so that you still have the same number of scan engines enabled overall.

5.       Command false-positives – the Command engine has a number of different heuristic features. If these are producing many false-positives for you for any reason, consider the advice in KB963033, which tells you how they (heuristic detections only) may be disabled.

 

 

Mini-Glossary:

Definitions for this blog entry:

 

AV – Anti-Virus

AV Vendors – Anti-Virus Vendors. These are companies that produce and update AV scan engines, and are affiliated with Microsoft. Antigen/Forefront products use engines from these vendors.

Vendor                  Engine
Ahnlab                  Ahnlab
Authentium              Command
Computer Associates     CAVet
Kaspersky               Kaspersky
Microsoft               Microsoft anti-malware
Norman Data Defense     Norman Data Defense
Sophos                  Sophos
Virus Buster            Virus Buster

CSS – Customer Service and Support. The division of Microsoft that, amongst other things, handles support cases.

Definition – a set of characteristics that match a specific virus.

(Scan) Engine Update – a scan engine package that is downloaded from the internet to provide the latest AV pattern files/definitions. Engine updates are usually scheduled in Antigen/Forefront to run at least daily (I personally recommend hourly for AV engines).

Engine Version – The engine vendor’s version number of the underlying technology of the scan engine. This is the component that breaks down the content and scans it with the current virus definitions.  This number will typically only change every few months or longer.

Pattern file – file containing patterns or definitions that match specific viruses.

ProgramLog.txt – This is the main log for all Antigen/Forefront activity. It includes information that you’ll also see in the Application event log...but also a whole lot more. You’ll find the latest entries at the end of the log, so if you’re checking why an engine update hasn’t updated properly, scroll to the end and look for ERROR: or WARNING: entries around the time of the update. These are the default locations for the ProgramLog:

Product                          Path
Antigen for Exchange             Program Files\Microsoft Antigen for Exchange
Antigen for SMTP                 Program Files\Microsoft Antigen for SMTP
Forefront for Exchange (FSE)     Program Files (x86)\Microsoft Forefront Security\Exchange Server\Data
Forefront for SharePoint (FSSP)  Program Files (x86)\Microsoft Forefront Security\SharePoint\Data

 

Signature Version – The engine vendor’s version number for the current set of definition files. Each vendor increments its Signature Version number with each engine update. This number changes anywhere from every couple of days to hourly, depending on the AV vendor.

Support Case – An “incident”, “call” or problem occurrence, opened by a customer with Microsoft to investigate a specific product issue. Microsoft Customer Service and Support (CSS) handles support cases. You can visit the main Microsoft Support page to browse support options and to open support cases by phone or online.

Update Version – Microsoft’s own number to represent the signature version in a standard format (standard for all Antigen/Forefront engines).

This blog entry gives you an overview of licensing for Antigen 9 and Forefront Server Security products, such as FSE and FSSP.

 

Your product’s expiration date can depend on several factors. Historically, Antigen licensing was controlled by a file called license.cfg (located in the product’s main install folder). This file determined whether your installation was licensed or running in evaluation mode and also when your licensed copy expired. Antigen 9 and the advent of the Forefront Server range of products has led to some changes on the licensing front, so I will go through these by product:

 

Antigen 9.0.1055 (RTM, SP0)

The license.cfg file determines entirely the license type (Evaluation or Subscription). It’s simple, but worth pointing out that the package available for the 30-day trial only contains the evaluation version of license.cfg. Subscription packages from Microsoft on hard media (CDs and DVDs) and from the Microsoft Volume Licensing Site for example, do contain the “fully licensed”, Subscription version of license.cfg.

 

If you have a “fully licensed” version of license.cfg and wish to upgrade your evaluation installation to a Subscription version, simply rename the current license.cfg to license.old (in the product’s main install folder), copy the new, fully licensed license.cfg into the same folder, then run the following command at a command prompt (also in the same install folder, where AntigenStarter.exe is located):

                antigenstarter l          (that’s a lower-case ‘l’ for license at the end)

 

The duration of the Subscription license is 3 years after initial installation. I’m talking about product functionality here and not contractual agreement, to be clear. To extend the length of your licensed product, upgrade to SP1 (or above) and follow the instructions below to enter your valid Expiration Date.

 

Antigen 9.1.1097.0 (SP1) and higher

The initial licensing behaviour when you install SP1 is the same as in Antigen 9.0.1055. SP1 introduced a new licensing option, however. Once you have installed SP1, open the Antigen Administrator and go to Help>Product License. A pop-up window will appear where you can enter your License Agreement Number for Antigen and also the Expiration Date for this agreement:

 

[Screenshot: ActivateAG9SP1 - the Help > Product License dialog with License Agreement Number and Expiration Date fields]

Note that the above screenshot displays the date in DD/MM/YYYY format. The date format may vary, depending on your Regional Settings.

 

If you enter the date from your License Agreement here, it overrules the original 3-year license date and becomes effective immediately. This is the recommended way to set up the expiration date in Antigen 9 SP1.

 

Forefront Server Security (FSE, FSSP)

The initial installation of Forefront Server Security will normally be as an evaluation version. In Forefront, license.cfg does not steer the install type (Evaluation or Subscription). Instead, in line with other Microsoft products, a Product Key must be entered in order to fully license the product. This is done in the Forefront Server Security Administrator console, either in the prompt shown when you open it or under Help > Register Forefront Server:

 

[Screenshot: Product Activation for FSE - Product Key entry dialog]

Once activated, you can also enter your 7-digit License Agreement Number and Expiration Date in the Forefront Server Security Administrator console, under Help>Register Forefront:

 

[Screenshot: License FF - the Help > Register Forefront dialog with License Agreement Number and Expiration Date fields]

Note that the above screenshot displays the date in DD/MM/YYYY format. The date format may vary, depending on your Regional Settings.

 

As in Antigen 9 SP1 and above, this new Expiration Date overrules the existing 3-year date to reflect your actual agreement with Microsoft.

 

 

The following table should help to sum up how licensing works in Antigen 9 and Forefront Server Security 10:

 

[Table image: Licensing Table]

Cheers,

Andy Day

Microsoft CSS (Customer Service and Support)

‘Illegal Mime Header’ is an important feature in Antigen/Forefront. This blog entry describes the expected functionality of this feature from the Antigen 9 for Exchange/SMTP with SP1 and Forefront for Exchange RTM (SP0) releases.

The ‘Illegal Mime Header’ feature is basically a check on the internet headers of the SMTP message to confirm that they are consistent with the current RFC specifications. Without this check, Antigen/Forefront might not be able to correctly scan the message, which would in turn expose a security risk.

The introduction of this check allows Antigen/Forefront to either a) confirm conformity with the current RFC specifications and let the message be scanned, or b) confirm that the message headers do not meet the current RFC specifications (the default action in this scenario is to delete the message in question). Despite the name, this applies to all internet headers, not just MIME headers.

 

Setting-up the ‘Illegal MIME Header Action’ in Antigen/Forefront

You can change the ‘Illegal MIME Header Action’ in the SETTINGS > General Options panel of the Antigen/Forefront Administrator console:

[Screenshot: IllegalMimeHeaderAction setting in the General Options panel]

 

 

The default setting, ‘Purge’, makes Antigen/Forefront delete the entire message if an illegal internet header is detected. The other possibility is to ‘Ignore’ the detection, meaning that the message is subjected to further scanning and may then reach the end user. We recommend that you stick with the default ‘Purge’ action unless you have a good business reason to ‘Ignore’. Consult Microsoft CSS (Customer Service and Support) if you are in any doubt.

Note that this option only affects SMTP level traffic (on your Internet/SMTP/Transport scanjob), as this is the only scanjob where internet headers are present in a message.

 

Duplicate/Multiple/Repeat Internet Headers

One common occurrence that we see from customers is a duplicate internet header of some kind. If the repeated header is identical to the first one, Antigen/Forefront will not return ‘IllegalMimeHeader’. If the repeated header is in any way different from the first one, alarm bells ring and Antigen/Forefront will purge the message (assuming that the action is set to ‘Purge’ in the General Options panel).

 

RFCs provide many important industry-wide standards and guidelines, but they do not (completely) dictate how a mail application reads a mail. In the case of duplicate or multiple headers, RFC822 (section 4.1, ‘Syntax’) notes that:

 

This specification permits multiple occurrences of most fields. Except as noted, their interpretation is not specified here, and their use is discouraged.

 

There is therefore no RFC standard to determine which duplicate header the mail application should accept and which should be ignored. Here is a header extract from a sample mail:

 

To: user@mycompany.com

From: “A N Other” <another@anothercompany.com>

Subject: Click on the attachment for fun fun fun!!

Message-ID: <yyhh339c2fgl2a602c6109f22f6516@/www.anothercompany.com >

Content-Type: text/plain; charset="utf-8"

Sender: another@anothercompany.com

MIME-Version: 1.0

Content-Transfer-Encoding: 8Bit

Content-Type: multipart/alternative;

       boundary="----_=_NextPart_001_01C97BB3.7EC1CDCC"

 

We can see that the ‘Content-Type’ header has been repeated, but that the two lines are not identical. This poses a potential security risk, because two parsers can legitimately disagree about which instance counts: an AV product may honour header instance #1 (text/plain) and scan the message as clean, while the end user's mail client honours instance #2 (multipart/alternative) and interprets the same content in a different way. Malicious content (e.g. a virus) could then reach the user in a form the scanner never examined.

 

Antigen/Forefront will detect a non-identical repeat header as an ‘Illegal Mime Header’ in this instance, so that there is no threat to the end user.

 

Reporting a false-positive Illegal Mime Header detection

Microsoft CSS (Customer Service and Support) can investigate any perceived false-positive detection on an individual case basis (but this may be at cost to you, if the detection is deemed valid). It is worth checking RFC basics before you open a support case with us, however. Look for repeat header entries (as explained above) and also consider using the Internet Engineering Task Force’s RFC822/MIME checker: Message Lint. This tool allows you to enter the whole message header and will return any errors and warnings found by comparing them to the relevant RFCs. Watch out for “ERROR: missing mandatory header” and “WARNING: duplicate header” entries in particular, which will usually flag the reason why Antigen/Forefront is detecting the mail as ‘IllegalMimeHeader’.
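Before opening a case, it helps to run the two checks described above yourself. The following Python is an added example for this post, not the Antigen/Forefront checker (whose exact rules are not published here): it unfolds a raw header block, reports a repeated header whose value differs as an ERROR and an identical repeat as only a WARNING, and reports missing mandatory headers in the style of the Message Lint output quoted above. It assumes header names compare case-insensitively, that values compare after unfolding and whitespace collapsing, and that From and Date are the mandatory fields (RFC 5322 section 3.6). The sample is constructed from the header extract shown earlier in this post, with a Date line added because the extract omits it.

```python
"""Header checks behind an 'IllegalMimeHeader' detection: repeated headers
whose values differ, and missing mandatory headers.

Added illustration for this post; it is not the Antigen/Forefront checker,
whose exact rules are not published here. Assumptions: header names compare
case-insensitively; values compare after unfolding continuation lines and
collapsing whitespace; From and Date are treated as mandatory (RFC 5322
section 3.6 makes them the only required fields). The sample is built from
the header extract in the post, with a Date line added because the extract
omits it.
"""
from __future__ import annotations

import re

MANDATORY = ("From", "Date")
FIELD_NAME = re.compile(r"[!-9;-~]+")   # RFC 5322 ftext: printable US-ASCII except ':'


def unfold(raw_headers: str) -> list[tuple[str, str]]:
    """Split a header block into (name, value) pairs. A line beginning with
    whitespace is a folded continuation of the previous field."""
    fields: list[tuple[str, str]] = []
    for line in raw_headers.splitlines():
        if not line.strip():
            continue                              # tolerate blank lines in pasted extracts
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if not sep or not FIELD_NAME.fullmatch(name):
            raise ValueError(f"malformed header line: {line!r}")
        fields.append((name, value.strip()))
    return fields


def check_headers(raw_headers: str) -> list[str]:
    """Findings in Message Lint style ('ERROR: ...' / 'WARNING: ...').

    An identical repeat is only a WARNING; a repeat whose value differs is
    the case the post says Antigen/Forefront purges, so it is an ERROR."""
    fields = unfold(raw_headers)
    first_value: dict[str, str] = {}
    findings: list[str] = []
    for name, value in fields:
        key = name.lower()
        norm = " ".join(value.split())
        if key not in first_value:
            first_value[key] = norm
        elif first_value[key] == norm:
            findings.append(f"WARNING: duplicate header {name} (identical)")
        else:
            findings.append(f"ERROR: duplicate header {name} with differing values: "
                            f"{first_value[key]!r} vs {norm!r}")
    for required in MANDATORY:
        if required.lower() not in first_value:
            findings.append(f"ERROR: missing mandatory header {required}")
    return findings


def would_purge(raw_headers: str) -> bool:
    """Model of the default 'Purge' action: any ERROR-level finding drops the
    message; identical repeats alone do not."""
    return any(f.startswith("ERROR:") for f in check_headers(raw_headers))


# Constructed from the post's extract; the Date line is added (see docstring).
SAMPLE = """\
To: user@mycompany.com
From: "A N Other" <another@anothercompany.com>
Date: Tue, 20 Jan 2009 10:15:00 +0000
Subject: Click on the attachment for fun fun fun!!
Message-ID: <yyhh339c2fgl2a602c6109f22f6516@/www.anothercompany.com >
Content-Type: text/plain; charset="utf-8"
Sender: another@anothercompany.com
MIME-Version: 1.0
Content-Transfer-Encoding: 8Bit
Content-Type: multipart/alternative;
\tboundary="----_=_NextPart_001_01C97BB3.7EC1CDCC"
"""

if __name__ == "__main__":
    for finding in check_headers(SAMPLE):
        print(finding)
    print("purge" if would_purge(SAMPLE) else "deliver for scanning")
```

Paste the full header block of a quarantined message into `SAMPLE` (or pass it to `check_headers`) to see which header is tripping the check before you contact CSS; a result of nothing but identical-repeat warnings is a hint that the detection is worth querying.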

 

 

Cheers,

Andy Day

Microsoft CSS (Customer Service and Support)
