SUMMARY:

Due to increases in the size of antivirus definitions over time, we suggest that Antigen and Forefront Server customers increase the timeout value for downloading these updates.  While the current default value of 5 minutes has worked well, recent changes in one engine highlight the need to monitor and adjust this value.

Additionally, we recommend applying the latest hotfix rollups to resolve a specific issue that could cause production outages for customers on slow and/or high-latency links.

BACKGROUND:

When we released the new version of the Norman engine (http://blogs.technet.com/fss/archive/2009/03/27/norman-engine-5-93-8-released.aspx), the size of the full update package increased by approximately 18MB.  Within 24 hours, we had received a small number of reports where one or more of the following symptoms occurred:

·         Mail queuing as a result of crashes in AntigenRealtime.exe/AntigenInternet.exe (Antigen 9) and FSCRealtimeScanner.exe/FSCTransportScanner.exe (Forefront Server).

·         Services failing to start due to crashes in service executables.

Our investigation determined that these crashes were a combination of several factors:

·         The download and install of the full package was timing out before it was completed.

·         An issue, resolved in our latest released code, allowed a partial install of the new engine and definitions to take place, leaving the system in a state where it had a combination of old and new files.

Working with our affected customers, we determined that this issue could be resolved by increasing the timeout value for the download and successfully updating to the latest version of the engine package.

ACTION:

The largest takeaway here is that customers should increase the download timeout to a value larger than 5 minutes.  This change should be made on all servers that download engine updates from the Internet and any that have slow and/or high-latency links to internal distribution servers. 

This value is stored in the registry.  Follow these steps to change it:

1.       Go to HKEYLocalMachine\Software\Sybari Software\Antigen for Exchange

2.       Locate the EngineDownloadTimeout key

3.       Open it up

4.       Change the DECIMAL value to 1500.

This will set the timeout to 25 minutes.  For more information about this value and making changes to it, refer to KB939411 (http://support.microsoft.com/kb/939411/en-us).

Additionally, the latest hotfix rollups for Antigen 9, Forefront Server for Exchange, and Forefront Server for SharePoint include code changes that minimize the possibility of engines being partially installed during a timeout.  We recommend that customers obtain and apply the following:

Antigen 9.0 with Service Pack 1 Hotfix Rollup 5:  http://support.microsoft.com/kb/957075

Forefront Server for Exchange with Server Service Pack 1 Hotfix Rollup 3:  http://support.microsoft.com/kb/951629

Forefront Server for SharePoint with Service Pack 2 Hotfix Rollup 1:  http://support.microsoft.com/kb/955982

Neil Carpenter
Senior Escalation Engineer, CSS Security Support Team

As you might guess, DNSBL stands for DNS Blocklist.  While it’s not a new technology, the usefulness of various DNS/RBL blocklists in fighting spam is indisputably immense.  Over the years I’ve heard both the success stories from folks who implemented RBLs in their Exchange server deployments, and I’ve heard some horror stories from the folks who’s IPs were maliciously or mistakenly added to RBLs and the difficulties they had working with blocklist providers to delist their IPs from the RBLs.    Another contributing factor to the overall painful experience with RBLs is the fact that you need to configure them with appropriate response codes and delisting logic etc.  It’s manual work and as such is very error-prone.  Also, some of the blocklist providers will expose their lists for free to small customers only. For example, they will allow only a certain number of queries against the blocklist per day and if the query volume exceeds the allowed (and very small in reality) free amount they will either block the queries (firewall) or ask the customer to receive the blocklists via paid subscription.   If you are going to use a free DNS blocklist, you need to make adjustments (lower expectations) regarding the quality of service.  Considering these factors, some Exchange admins prefer to stay away from blocklists because they just do not want to go through the headache generally associated with maintaining multiple RBL providers’ configurations. 

The Forefront DNSBL

So what’s up with the Forefront DNSBL?  What is it and how is it different from the rest?  In short, the Forefront DNSBL is an aggregated list of multiple feeds from various RBL providers combined into a single lookup and hosted by Forefront Online Security for Exchange (FOSE) on its own DNS infrastructure.  The list of feeds includes both Microsoft-internal contributing teams and external vendors (for example, Spamhaus).  Forefront DNSBL is already available to customers in the next generation of Forefront Security for Exchange Server (Beta 2) (you can get Beta2 here) and it is royalty-free (hey, we all like free stuff, do we not?) to Beta 2 customers.  So if you are thinking of evaluating Forefront Security for Exchange Server (Beta 2), I encourage you to download it and give it a shot. 

As you can see, there is nothing to configure, just a simple checkbox to enable/disable the DNSBL checking.  Similar to the basic Exchange 2007/2010 server RBL functionality, Forefront DNSBL has been implemented as an agent and executes based on the connecting IP address.  However, this is where the similarities end.  So what’s in the guts of Forefront DNSBL and how does it work?

While Forefront DNSBL agent also makes the trip to the DNS blocklist provider (maintained by FOSE), the DNS query itself has been encrypted.  You might ask why is it encrypted?  Well, due to the nature of DNS (which is not secure) and having an obligation to preserve our contributing vendors’ proprietary data from unauthorized access by the non-Forefront customers, we decided to hash the DNS query.  On the DNSBL provider end, the hosting DNSBL server runs the same algorithm to decrypt the incoming query and verify its integrity.  If the query is confirmed to be legitimate, (only the Forefront agent knows how to encrypt and decrypt the query) the DNSBL provider will service it.  If the query has been constructed incorrectly or the hash does not compute correctly, the returned query will contain NXDOMAIN response.  Yes, we go the extra mile in protecting our vendors’ intellectual property (RBL data) and will service only Forefront customers (As a legit Forefront customer, you really do not care whether the query is encrypted or not but you do care about the quality of service, right?). 

So the original query to the DNSBL provider is hashed.  However, the returned query is not and if a match is found on one of the contributing feeds, the DNSBL service provider will return the appropriate response.  For example, if the match is found on the FOSE internal blocklist, the returned query will contain 127.0.0.5 response.  If the match is found on Spamhaus’ XBL list, the return query will be 127.0.0.4 and if it’s found on SBL, the query will be 127.0.0.2.  Accordingly, the Forefront DNSBL agent will reject the e-mail transaction inside of SMTP session with a response explicitly crafted for the particular DNS query return code.  This is how the response looks like if the IP match was found on one of the blocklists:

There are 3 parts in the Forefront DNSBL response issued by the agent:

1.       Default machine code (understandable by the server’s SMTP stack)

2.       Default human-readable response string

3.       FSE-specific delisting information.                                                                                                               

The human-readable response string contains vital information about the blocklist (feed) name that contains a match for the IP address.  Having this information will help alleviate the pain of delisting if the IP was blocklisted mistakenly and expedite the delisting process and time.  

The FSE-specific delisting information references specific action for the end user to take.  In most cases, the end user needs to forward the NDR to the delist@frontbridge.com alias.  The forwarded message (NDR) will then be evaluated by the Forefront analysts (DNSBL support services) and corrective action will be taken to delist the IP from the appropriate blocklist.  If the IP was blocklisted by one of the external feeds, the delisting string will contain appropriate information about how to correct the problem.  In essence, delisting is a very easy and almost pain-free process as we made it as simple and straightforward as possible. 

Now let's talk about the effectiveness of the Forefront DNSBL.  Having multiple data feeds combined into a single database and a single lookup not only increases the efficacy and robustness of the solution but improves the performance of Exchange server because now it's a single DNS trip instead of multiple (if you have more than one RBL provider configured as most Exchange admins do).   Based on the feedback from Beta 2 customers, the contribution of Forefront DNSBL to overall spam rejection rate is around 90% (it varies by the geographical location/regions of the world).  This effectively means ~90% of all incoming e-mail transactions get immediately rejected at the gate without pushing unnecessary payload through the network layers.  This preserves network bandwidth and Exchange server processing time, which translates into money saved (Plus, the service is free.).

Quite frankly, it took me more time to write this blog than for a Forefront admin to enable and start using DNSBL!  The bottom line – Forefront DNSBL is maintenance-free, hands-off, built-in feature capable of producing very impressive results in antispam protection.  So, YEAH or NAY?  I’d say YEAH BABY!  Let me know if you disagree.

Alex Nikolayev
Program Manager, Forefront Server Security

Hey folks-

On October 26th we posted an article here to remind Antigen users about the end-of-life date for Antigen 8 for Exchange and SMTP Gateways and provide guidance for migrating to Antigen 9.  The article said the end-of-life date is December 1, 2009, but it should have said December 31, 2009.  The article has been corrected.

You can view the corrected article here: http://blogs.technet.com/fss/archive/2009/10/26/migrating-from-antigen-8-products-to-antigen-9-or-forefront-products.aspx

Keep fighting that malware!

Michel LaFantano
FSP UA Lead

Hi, my name is Scott, and I'm a technical writer in the Forefront Server Security (FSS) User Assistance (UA) group here on Long Island, New York. Every few months or so, we update our existing “legacy” documentation on our TechNet Web site, and this post is to make you aware of our last couple of updates. (p.s. By “legacy” content I mean products that are already supported in production environments, such as Antigen Version 9 and our Forefront Server Security Version 10 products).

My group works closely with the Customer Support Services (CSS) group, who are a great resource for obtaining feedback directly from our customers, and who often alert us about areas of our documentation that need improvement or additions that we should make. For example, just this past February 2009 we refreshed our content on TechNet to include information about using Forefront Security for Exchange Server (FSE) or Forefront Security for SharePoint (FSSP) in Hyper-V virtual environments. This info was added to the installation chapters of our user guides, and while adding it we made further improvements to this chapter as well. There were also several other smaller doc enhancements, such as clarifying how the General Options setting Scan on Scanner Update affects realtime proactive scanning.   

Our prior TechNet update was in August 2008 and was quite extensive. Among other things, we added:

·         A thorough troubleshooting appendix to the Antigen Enterprise Manager (AEM) User Guide.

·         For disaster recovery purposes, detailed back up and restore procedures to the user guides for FSE, FSSP, Antigen for Exchange and Antigen for SMTP Gateways, AEM, and Forefront Server Security Management Console (FSSMC).

Also, during the course of refreshing TechNet we collaborated with the CSS team to review existing Knowledge Base articles (or KBs) and some were updated and significantly improved, others were removed because we found outdated info, and some were rolled into the core docs where appropriate.  

So, that’s that, I just wanted to say a few words about our present and prior FSS TechNet updates. It’s also worth noting that the main page of the FSS TechNet Library is located at the following URL http://go.microsoft.com/fwlink/?LinkId=143540, that our TechNet Library always contains the “latest and greatest” versions of our documentation, and that we will continue to update our legacy content as needed. We are also working on updating our robust doc set for the “next generation” Beta 2 version of our FSE and FSSP products, and docs for our soon to be released Forefront Security for Office Communications Server (FSOCS) Version 10.2 product.

Finally, another good resource for obtaining info about our products is the Forefront Server Security Forums (http://social.technet.microsoft.com/Forums/en-US/category/forefrontserversecurity), where you can easily interact with other customers and trained support professionals. Note that a passport account is needed to access the Forums.

That's all for now. Hope that this information has been useful and thanks for reading.

Scott Floman

Technical Writer

With the variety of Forefront configuration options available, often our users have questions about how our products work together to form a comprehensive server protection solution. Microsoft’s Forefront Protection 2010 for Exchange Server engineers recently sat down to answer some of the most frequently asked questions about FPE. If you are interested in finding out more about FPE and Edge transport integration, reporting, policies, or spam quarantine access rights, head over to the updated Forefront Protection 2010 for Exchange Server (FPE 2010) FAQ on the TechNet wiki. You will find answers not only to users’ scenario questions but also a high-level overview of the Forefront Protection 2010 for Exchange Server product.

After looking through the FAQ, let us know what you think by leaving a comment on the wiki page or this blog post. Do you have questions we didn’t cover in the FAQ? Check out the full list of help documents in the TechNet FPE 2010 library at Microsoft Forefront Protection 2010 for Exchange Server.

Timothy Rich - Technical Writer for Office User Assistance