Considerations when using antivirus software on FF Edge Products

Last revision: April 2010

Authors

Jim Harrison – Program Manager, ISA SE

Yuri Diogenes – Security Support Engineer

Dan Herzog – Sr Support Escalation Engineer

Contributors and Tech Reviewers

Mohit Saxena – Security Tech Lead (ISA & IAG)

Masoud Hoghooghi – Security Escalation Engineer

Vic Singh Shahid – Security Escalation Engineer

Update

With the release of Forefront Threat Management Gateway (TMG) Medium Business Edition, Forefront TMG 2010, and Forefront Unified Access Gateway (UAG) 2010, we have updated this article to include these products. To keep this information as accessible as possible, we have divided this document into separate sections for each product. Before reading this article, we strongly recommend that you read the white paper “The Antivirus Defense-in-Depth Guide” at the Microsoft Download Center (https://www.microsoft.com/downloads/details.aspx?FamilyId=F24A8CE3-63A4-45A1-97B6-3FEF52F63ABB&displaylang=en). This guide provides an overview of antivirus technology, general recommendations, and best practices.

Support statement for antivirus and antimalware software on Forefront Edge products

Installation of antimalware is generally supported in accordance with commercially reasonable effort if the guidelines in this document are followed. Installation of additional firewall or network traffic monitoring mechanisms on Forefront edge products is not supported.

Customers who contact Microsoft Customer Support Services (CSS) may be asked to disable or remove an antivirus program to help identify issues. If the antivirus application turns out not to be the root cause, customers are free to re-enable the software after the issue has been correctly diagnosed. This position is the same for all other teams that sometimes need to disable antivirus software for troubleshooting purposes. For example:

  1. XGEN: Microsoft's Position on Antivirus Solutions for Exchange 2000 (https://support.microsoft.com/kb/306105).

  2. Microsoft's Position on Antivirus Solutions for Microsoft SharePoint Portal Server (https://support.microsoft.com/kb/322941).

Common types of antimalware

There are two main types of antimalware application commonly used by customers:

  • File scanners—This type of application scans files residing on disk and checks whether they are virus-free. In this category there are three main types of scanning:

    • Memory-resident file-level scanning—This refers to the part of file-level antivirus software that is loaded in memory at all times. It checks all files that are used on the hard disk and in computer memory.

    • Process-level scanning—This type of scanning refers to a part of the antivirus software that performs scanning of in-memory processes, such as applications, services, etc.

    • On-demand file-level scanning—This refers to a part of file-level antivirus software that you can configure to scan files on the hard disk manually or on a schedule. Some versions of antimalware software start the on-demand scan automatically (after signatures are updated), to ensure that all files are scanned with the latest signatures.

  • Protocol-aware scanners—Because the ISA Server and Forefront TMG Web proxies support the ISAPI extensibility model, third-party companies can write antimalware filters that operate on the data stream as it traverses the application. This mechanism is not supported on IAG 2007 or Forefront UAG.

  • Firewall or network behavior monitoring—Many antimalware products include some form of network monitoring. This might be a separate firewall mechanism, or something that integrates with Windows firewall mechanisms, such as Windows Filtering Platform.

Some of the definitions above are taken from the article “File-Level Antivirus Scanning on Exchange 2007” available at Microsoft TechNet (https://technet.microsoft.com/en-us/library/bb332342(EXCHG.80).aspx).

Note

Forefront Edge products do not support the use of firewall or network monitoring mechanisms that operate separately from the extensibility API provided by each product.

Besides the main types described above, some companies offer a “combo” product that integrates both file-scanning and HTTP-stream solutions. Depending on the type of antivirus you are using, the recommendations for daily operations and troubleshooting scenarios differ.

General recommendations

The file scanners described in the previous section are a type of antivirus application that usually offers little benefit when installed on a computer running Forefront Edge products. The main reason is that these computers are generally not used as file shares or in any other role outside the product's design boundaries. However, we understand that some companies require this type of antivirus for compliance reasons, for example when the company's security policy and procedures make it a mandatory requirement.

If you need to have this type of antivirus installed on a Forefront edge product, ensure that the following folders are excluded from antivirus scanning jobs (both real-time and scheduled jobs):

  • Exclude the application’s program files directory—This prevents file access contention when application services are starting, need to access data files such as error or logon pages, or need to access other components, such as RAS logon mechanisms. Program file locations are described in the sections for each product below.

  • Exclude the policy storage location—Running antivirus software against these files can cause file access contention with the Extensible Storage Engine (ESE), which might require you to restart the ADAM (AD LDS for TMG) service.

  • Exclude the logging destination—File scanning opens files for exclusive access, locking out every other process. This might cause the logging mechanism to fail.

  • Exclude the cache file locations - Antivirus software can corrupt the log or the cache files if it locks the file for scanning while the Forefront application tries to access the file. For more information on issues that might arise if this occurs, see KB887311.

  • Exclude the application processes—AV scanning and behavioral monitoring software will adversely impact the application’s ability to process the traffic properly.

  • General Windows folders—Review the section “Virus Scanning for computers that are running Windows Server 2003, Windows 2000, or Windows XP” in KB822158, and apply those recommendations.

ISA Server

Recommendations for ISA Server 2000, 2004, and 2006 are as follows:

  1. ISA Server does not support operation of Windows Internet Connection Firewall (ICF) or Internet Connection Sharing (ICS). MSKB 813915 discusses this limitation.

  2. The following table summarizes application processes and file paths that should be excluded from scanning.

ISA Server 2000

  Paths
    • ISA Server installation folder (can be changed during installation): %ProgramFiles%\Microsoft ISA Server
    • ISA Server Log folder (may be changed by the ISA Server administrator): %ProgramFiles%\Microsoft ISA Server\ISALogs
    • ISA Server Web cache folder (ISA Server administrator must define this)

  Processes
    • ISA Server Report Summary Generator: %ProgramFiles%\Microsoft ISA Server\dailysum.exe
    • ISA Server Report Generator: %ProgramFiles%\Microsoft ISA Server\repgen.exe
    • ISA Server Control Service: %ProgramFiles%\Microsoft ISA Server\mspadmin.exe
    • ISA Server Web Content Download Service: %ProgramFiles%\Microsoft ISA Server\w3prefch.exe
    • ISA Server Firewall Service: %ProgramFiles%\Microsoft ISA Server\wspsrv.exe

ISA Server 2004/2006

  Paths
    • ISA Server installation folder (can be changed during installation): %ProgramFiles%\Microsoft ISA Server
    • SQL MSDE folders (not changeable): %ProgramFiles%\Microsoft SQL Server
    • ISA Server Web cache (ISA Server administrator must define this)

  Processes
    • ISA Server Report Summary Generator: %ProgramFiles%\Microsoft ISA Server\dailysum.exe
    • ISA Server Report Generator: %ProgramFiles%\Microsoft ISA Server\isarepgen.exe
    • ISA Server Diagnostic Logging Viewer: %ProgramFiles%\Microsoft ISA Server\isadlviewer.exe
    • ISA Server Storage Service: %ProgramFiles%\Microsoft ISA Server\isastg.exe
    • ISA Server Control Service: %ProgramFiles%\Microsoft ISA Server\mspadmin.exe
    • ISA Server Web Content Download Service: %ProgramFiles%\Microsoft ISA Server\w3prefch.exe
    • ISA Server Firewall Service: %ProgramFiles%\Microsoft ISA Server\wspsrv.exe
    • SQL 2003 MSDE: %ProgramFiles%\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe; %ProgramFiles%\Microsoft SQL Server\MSSQL$MSFW\sqlservr.exe
    • Active Directory Lightweight Directory Services (Enterprise Edition only): %WinDir%\System32\dsamain.exe

Intelligent Application Gateway (IAG) 2007

IAG recommendations are as follows:

  1. For Internet Information Services (IIS) recommendations, see Microsoft Knowledge Base article 821749.

  2. The folder and process exclusions for IAG are identical to those indicated for ISA Server 2006, with adjustments summarized in the following table:

    Paths
      • IAG installation folder: c:\whale-com\e-gap\

Forefront TMG

Forefront TMG recommendations are as follows:

  1. Forefront TMG operates in collaboration with Windows Firewall through the Windows Filtering Platform mechanisms. Thus, unlike ISA Server, Windows Firewall must be enabled on the computer where Forefront TMG operates.

  2. For installations in which Exchange 2007 or Exchange 2010 Edge roles are deployed concurrently with Forefront TMG, you must also consider the instructions provided at https://technet.microsoft.com/en-us/library/bb332342(EXCHG.80).aspx.

  3. The following table summarizes paths and processes that should be excluded from antivirus scanning for Forefront TMG Medium Business Edition and Forefront TMG 2010.

Forefront TMG Medium Business Edition

  Paths
    • Forefront TMG installation folder (can be changed during installation): %ProgramFiles(x86)%\Microsoft ISA Server
    • SQL 2005 Express and SQL 2005 Reporting Services: %ProgramFiles(x86)%\Microsoft SQL Server\
    • TMG Malware scanning cache (may be changed by the TMG administrator): %SystemRoot%\Temp\ScanStorage
    • TMG Log Folder (may be changed by the TMG administrator): %ProgramFiles(x86)%\Microsoft ISA Server\Logs
    • TMG Log Queue (may be changed by the TMG administrator): %ProgramFiles(x86)%\Microsoft ISA Server\Logs
    • TMG Reporting Folder (Forefront TMG administrator must define this)
    • TMG Web cache: D:\urlcache on Essential Business Server; not defined by default
    • Internet Information Services (IIS): %SystemDrive%\InetPub

  Processes
    • TMG Report Summary Generator: %ProgramFiles(x86)%\Microsoft ISA Server\dailysum.exe
    • TMG Report Generator: %ProgramFiles(x86)%\Microsoft ISA Server\isarepgen.exe
    • TMG Diagnostic Logging Viewer: %ProgramFiles(x86)%\Microsoft ISA Server\isadlviewer.exe
    • TMG Storage Service: %ProgramFiles(x86)%\Microsoft ISA Server\isastg.exe
    • TMG Administration Component: %ProgramFiles(x86)%\Microsoft ISA Server\mspadmin.exe
    • TMG Firewall Service: %ProgramFiles(x86)%\Microsoft ISA Server\wspsrv.exe
    • TMG Web Content Download Service: %ProgramFiles(x86)%\Microsoft ISA Server\w3prefch.exe
    • SQL 2005 Express and SQL 2005 Reporting Services: %ProgramFiles(x86)%\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe; %ProgramFiles(x86)%\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe; %ProgramFiles(x86)%\Microsoft SQL Server\90\Shared\sqlwriter.exe
    • Active Directory Lightweight Directory Services: %WinDir%\System32\dsamain.exe
    • Internet Information Services management: %WinDir%\System32\inetsrv\inetinfo.exe; %WinDir%\System32\inetsrv\w3wp.exe

Forefront TMG 2010

  Paths
    • TMG installation folder (may be changed during installation): %ProgramFiles%\Microsoft Forefront Threat Management Gateway
    • TMG SQL Express and SRS installation folders (not changeable): %ProgramFiles%\Microsoft SQL Server\MSSQL10.ISARS; %ProgramFiles%\Microsoft SQL Server\MSSQL10.MSFW
    • TMG Malware scanning cache (may be changed by the TMG administrator): %SystemRoot%\Temp\ScanStorage
    • TMG Log Queue (may be changed by the TMG administrator): %ProgramFiles%\Microsoft Forefront Threat Management Gateway\Logs
    • TMG Web cache (TMG administrator must define this)

  Processes
    • TMG Report Summary Generator: %ProgramFiles%\Microsoft Forefront Threat Management Gateway\dailysum.exe
    • TMG Report Generator: %ProgramFiles%\Microsoft Forefront Threat Management Gateway\isarepgen.exe
    • TMG Diagnostic Logging Viewer: %ProgramFiles%\Microsoft Forefront Threat Management Gateway\isadlviewer.exe
    • TMG Managed Control Service: %ProgramFiles%\Microsoft Forefront Threat Management Gateway\IsaManagedCtrl.exe
    • TMG Storage Service: %ProgramFiles%\Microsoft Forefront Threat Management Gateway\isastg.exe
    • TMG Administration Component: %ProgramFiles%\Microsoft Forefront Threat Management Gateway\mspadmin.exe
    • TMG Firewall Service: %ProgramFiles%\Microsoft Forefront Threat Management Gateway\wspsrv.exe
    • TMG Web Content Download Service: %ProgramFiles%\Microsoft Forefront Threat Management Gateway\w3prefch.exe
    • SQL 2008 Express and SQL 2008 Reporting Services: %ProgramFiles%\Microsoft SQL Server\MSSQL10.ISARS\MSSQL\Binn\sqlservr.exe; %ProgramFiles%\Microsoft SQL Server\MSSQL10.ISARS\MSSQL\Binn\ReportingServicesService.exe; %ProgramFiles%\Microsoft SQL Server\MSSQL10.MSFW\MSSQL\Binn\sqlservr.exe
    • Active Directory Lightweight Directory Services: %WinDir%\System32\dsamain.exe

Note that any path using “%ProgramFiles%\Microsoft Forefront Threat Management Gateway” may have been changed during Forefront TMG installation.
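The general recommendations earlier in this article say what to exclude and why, and the Forefront TMG 2010 table says where those items live; what an administrator usually lacks is a way to confirm that the exclusion list actually entered into the antivirus product covers all of it. The following Python script is an added example written for this page (it is not code from the article or from the Forefront product): it transcribes the TMG 2010 paths and processes, expands the %ProgramFiles%, %SystemRoot% and %WinDir% variables, compares paths the way NTFS does (case-insensitive, trailing separator ignored, a folder exclusion covering its subfolders), and reports which required exclusions a configured list misses. The function names, SAMPLE_ENV and the SAMPLE_CONFIGURED_* lists are constructed for illustration; install_dir and web_cache are parameters because the table says the install folder may be changed at setup and the Web cache location must be defined by the administrator.

```python
"""Audit an antivirus exclusion list against the Forefront TMG 2010 table.

Added example, not code from the article or the Forefront product. Required
paths and processes are transcribed from the TMG 2010 table; install_dir and
web_cache are parameters because the article says the install folder may be
changed at setup and the Web cache must be defined by the administrator.
SAMPLE_ENV and the SAMPLE_CONFIGURED_* lists are constructed for offline use.
"""
import ntpath
import re

# Constructed environment; on a real host read these from os.environ instead.
SAMPLE_ENV = {
    "ProgramFiles": r"C:\Program Files",
    "SystemRoot": r"C:\Windows",
    "WinDir": r"C:\Windows",
}

TMG_DIR = r"%ProgramFiles%\Microsoft Forefront Threat Management Gateway"
SQL_DIR = r"%ProgramFiles%\Microsoft SQL Server"
TMG_EXES = ("dailysum.exe", "isarepgen.exe", "isadlviewer.exe",
            "IsaManagedCtrl.exe", "isastg.exe", "mspadmin.exe",
            "wspsrv.exe", "w3prefch.exe")


def required_exclusions(install_dir=TMG_DIR, web_cache=None):
    """(paths, processes) from the TMG 2010 table, unexpanded. web_cache has
    no default: pass the configured cache location, or None if caching is off."""
    paths = [
        install_dir,
        SQL_DIR + r"\MSSQL10.ISARS",
        SQL_DIR + r"\MSSQL10.MSFW",
        r"%SystemRoot%\Temp\ScanStorage",
        install_dir + r"\Logs",
    ]
    if web_cache:
        paths.append(web_cache)
    processes = [install_dir + "\\" + exe for exe in TMG_EXES] + [
        SQL_DIR + r"\MSSQL10.ISARS\MSSQL\Binn\sqlservr.exe",
        SQL_DIR + r"\MSSQL10.ISARS\MSSQL\Binn\ReportingServicesService.exe",
        SQL_DIR + r"\MSSQL10.MSFW\MSSQL\Binn\sqlservr.exe",
        r"%WinDir%\System32\dsamain.exe",
    ]
    return paths, processes


def expand(path, env):
    """Expand %VAR% case-insensitively, as cmd.exe does; unknown variables
    stay in place so they remain visible in the report."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)


def normalize(path, env):
    """Comparison form: variables expanded, separators and '..' collapsed,
    trailing backslash dropped, case folded (NTFS is case-insensitive).
    ntpath applies Windows path rules on any platform."""
    return ntpath.normpath(expand(path, env)).lower()


def covers(excluded, required):
    """A folder exclusion covers itself and everything below it; the separator
    check stops 'c:\\tmg' from matching 'c:\\tmg2'."""
    return required == excluded or required.startswith(excluded + "\\")


def audit(configured_paths, configured_processes, env, **table_args):
    """Return (missing_paths, missing_processes) in the article's notation.
    A process entry with no directory part (e.g. 'wspsrv.exe') is treated as
    an image-name exclusion and matched on file name only; full paths must
    match exactly after normalization."""
    req_paths, req_procs = required_exclusions(**table_args)
    ex_paths = [normalize(p, env) for p in configured_paths]
    ex_procs = [normalize(p, env) for p in configured_processes]
    missing_paths = [p for p in req_paths
                     if not any(covers(e, normalize(p, env)) for e in ex_paths)]
    missing_procs = []
    for p in req_procs:
        full = normalize(p, env)
        if not any(e == full or (ntpath.dirname(e) == "" and
                                 e == ntpath.basename(full)) for e in ex_procs):
            missing_procs.append(p)
    return missing_paths, missing_procs


# Constructed exclusion list as an administrator might have entered it: mixed
# case, a trailing backslash, bare image names, and two omissions.
SAMPLE_CONFIGURED_PATHS = [
    "C:\\Program Files\\Microsoft Forefront Threat Management Gateway\\",
    r"C:\PROGRAM FILES\Microsoft SQL Server",  # parent of both MSSQL10.* folders
    r"D:\urlcache",
]
SAMPLE_CONFIGURED_PROCESSES = list(TMG_EXES) + [
    r"C:\Program Files\Microsoft SQL Server\MSSQL10.ISARS\MSSQL\Binn\sqlservr.exe",
    r"C:\Program Files\Microsoft SQL Server\MSSQL10.ISARS\MSSQL\Binn\ReportingServicesService.exe",
    r"C:\Program Files\Microsoft SQL Server\MSSQL10.MSFW\MSSQL\Binn\sqlservr.exe",
]
```

Calling audit(SAMPLE_CONFIGURED_PATHS, SAMPLE_CONFIGURED_PROCESSES, SAMPLE_ENV, web_cache=r"D:\urlcache") reports the two constructed omissions: the %SystemRoot%\Temp\ScanStorage folder and the %WinDir%\System32\dsamain.exe process. Passing install_dir when the installation folder was changed at setup makes the derived process paths follow it, which is exactly the case the note above warns about; on a real host, replace SAMPLE_ENV with os.environ and the sample lists with the exclusions exported from the antivirus product.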

Forefront UAG 2010

Forefront UAG recommendations are as follows:

  1. For Internet Information Services (IIS) recommendations, see https://support.microsoft.com/kb/821749.

  2. The folder and process exclusions for Forefront UAG are identical to those indicated for Forefront TMG 2010, with the following adjustments:

Forefront UAG 2010

  Paths
    • UAG installation folder (may be changed during installation): %ProgramFiles%\Microsoft Forefront Unified Access Gateway

  Processes
    • Forefront UAG DNS-ALG Service: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\DnsAlgSrv.exe
    • Forefront UAG Monitoring Manager: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\MonitorMgrCom.exe
    • Forefront UAG Session Manager: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\SessionMgrCom.exe
    • Forefront UAG File Sharing: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\ShareAccess.exe
    • Forefront UAG Quarantine Enforcement Server: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\uagqessvc.exe
    • Forefront UAG Terminal Services RDP Data: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\uagrdpsvc.exe
    • Forefront UAG User Manager: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\UserMgrCom.exe
    • Forefront UAG Watch Dog Service: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\WatchDogSrv.exe
    • Forefront UAG Log Server: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\whlerrsrv.exe
    • Forefront UAG SSL Network Tunneling Server: %ProgramFiles%\Microsoft Forefront Unified Access Gateway\whlios.exe