Appendix H - Antigen security updates and configuration changes overview

Applies to: Microsoft Antigen

Antigen for SMTP Gateways includes many security updates and configuration changes from earlier releases. This section details security and configuration information and will be updated as necessary to reflect new changes in Antigen for SMTP Gateways.

Security policy changes

Security has been improved by reducing the privileges held by Antigen services and processes when they start. This limits what malformed data can do if it exploits a security issue in the Antigen for SMTP Gateways code or in a third-party scanning engine. All services and processes run in the Local System account. In Windows Server 2003, Antigen for SMTP Gateways removes all privileges from the process token at startup except those the services and processes need to do their work. In Windows 2000 Server, privileges cannot be removed from a token, but they can be disabled, so at startup all privileges that are not necessary to perform the tasks are disabled.

The only privileges enabled are:

  • SeImpersonatePrivilege
  • SeChangeNotifyPrivilege
  • SeSecurityPrivilege

There are now restricted access control lists (ACLs) on resources. The security of Antigen for SMTP Gateways resources has been improved to prevent unauthorized access. With this change, only users who are members of the Administrators group can administer Antigen for SMTP Gateways.

The ACLs that are applied to Antigen for SMTP Gateways resources are described in the following table.

| Resource type | Resource | ACL set |
| --- | --- | --- |
| File | <Installation path> | SYSTEM – Full Access; Administrators group – Full Access |
| Registry | HKLM/Software/xxxxx/xxxxx | SYSTEM – Full Access; Administrators group – Full Access |
| DCOM | AntigenIMC, AntigenMonitor, AntigenService, AntigenStatisticsService, AntigenStore, AntigenStoreEvent | SYSTEM – Full Access; Administrators group – Full Access |
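The following PowerShell script is an added example, not part of the Antigen documentation or the product itself. It reads the ACLs on the file and registry resources from the table above and reports every access control entry that grants access to an identity other than SYSTEM or the Administrators group. The installation path and registry key are assumed placeholders; the page does not give the real values, so substitute those of your installation.

```powershell
# Added example (not from the Antigen documentation): audit the file and
# registry ACLs from the table above. Both paths are assumed placeholders.
$InstallPath = 'C:\Program Files\Microsoft Antigen'   # assumed placeholder
$RegistryKey = 'HKLM:\SOFTWARE\xxxxx\xxxxx'           # placeholder, as in the table

# The only identities the documented ACLs contain.
$AllowedIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Get-UnexpectedAce {
    # Returns one object per ACE on $Path whose identity is not in the
    # documented set. Inherited ACEs are included on purpose: an inherited
    # grant to Users on the installation folder is as much a deviation as an
    # explicit one.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{
            Path = $Path; Identity = '(none)'; Type = 'n/a'; Rights = 'resource not found'
        }
    }

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($AllowedIdentities -contains $ace.IdentityReference.Value) { continue }

        # FileSystemAccessRule and RegistryAccessRule expose their rights under
        # different property names.
        $rights = if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) {
            $ace.FileSystemRights
        } else {
            $ace.RegistryRights
        }

        [pscustomobject]@{
            Path     = $Path
            Identity = $ace.IdentityReference.Value
            Type     = $ace.AccessControlType
            Rights   = $rights
        }
    }
}

$findings = @(Get-UnexpectedAce -Path $InstallPath) + @(Get-UnexpectedAce -Path $RegistryKey)

if ($findings.Count -eq 0) {
    Write-Output 'OK: installation path and registry key grant access only to SYSTEM and Administrators.'
} else {
    Write-Output 'Deviations from the documented ACLs:'
    $findings | Format-Table -AutoSize
}
```

Run the script from an elevated session so that the registry key's security descriptor can be read. The DCOM entries in the table are not covered: DCOM launch and access permissions are stored as security descriptors under the component's AppID registry key and are managed through Component Services, not through Get-Acl on a path.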

General Options changes

The following describes default changes to General Options settings:

  • **Engine Error Action** — In Version 9, the default action has been changed from Skip to Delete.
  • **Internet Scan Timeout Action** — In Version 9, the default action has been changed from Skip to Delete.
  • **Delete Corrupted Compressed Files** — In Version 9, the default setting has been changed from Off to On.
  • **Max Program Log Size** — As of Version 9 with SP1, the default value has been changed from 0 (no limit to the maximum size) to 25600 KB.

Note

These changes affect new installations only. The default settings are not changed during an upgrade from a previous version of Antigen.

The following are new General Options settings:

  • **Illegal MIME Header Action - Internet** — This setting was added in Version 9.
  • **Treat multipart RAR archives as corrupted compressed** — This setting was added in Version 9 with SP1.
  • **Treat high compression ZIP files as corrupted compressed** — This setting was added in Version 9 with SP1.
  • **Treat concatenated gzips as corrupted compressed** — This setting was added in Version 9 with SP1.

For more information about these General Options settings, see "General Options" in Chapter 4 - Antigen Administrator.

Other Antigen changes and updates

The following describes other changes and updates:

  • **QuarantineTimeout** — The registry setting QuarantineTimeout has been added to control whether messages are quarantined after a scan job time-out. The value is a DWORD type. If the registry value is not present, or if it is present and its value is not zero, messages that cause a scan job time-out are quarantined. If the registry value is present and its value is zero, the message is not quarantined.
  • **ScanAllAttachments** — The registry setting ScanAllAttachments defaults to 1 for all new installations of Antigen for SMTP Gateways 9. This configures Antigen for SMTP Gateways to scan all attachments for viruses by default. The value of this setting will not change during upgrades from Antigen for SMTP Gateways 8.0. For more information about this setting, see the "Scanning files by type" section of Chapter 6 - Configuring SMTP Scan Jobs.
  • **AV Scan Engine Mappers** — The engine mappers used in versions of Antigen for SMTP Gateways prior to version 9 are not compatible with Antigen for SMTP Gateways 9. After upgrading to Antigen for SMTP Gateways 9, the primary network update path is changed to point to the Microsoft Web site https://antigendl.microsoft.com/antigen. The secondary update path is set to null.
  • **Winmail.dat Scanning** — The SMTP Scan Job scans winmail.dat files for viruses. These files are used for several purposes, for example, facilitating replication between servers (IPM replication messages). If Antigen for SMTP Gateways modifies any of these winmail.dat files, the public folder replication process fails. To prevent this, you can set a new DWORD registry value named DoNotScanIPMReplicationMessages to 1, and the SMTP Scan Job will not scan IPM replication messages.
  • **FTP Engine Updates** — Engine updates via a File Transfer Protocol (FTP) server are no longer supported. Updates must be done using HTTP or locally using a UNC share.
  • **Antigen Central Manager and Antigen Quarantine Manager** — The Antigen Central Manager and Antigen Quarantine Manager have been removed from Antigen 9. All of the functions of the Antigen Central Manager and Antigen Quarantine Manager can now be handled through the Antigen Enterprise Manager. For more information about the Antigen Enterprise Manager, see the Microsoft Antigen Enterprise Manager User Guide at the Microsoft Antigen TechNet Library.
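The following PowerShell script is an added example, not part of the Antigen documentation or the product. It reads the QuarantineTimeout, ScanAllAttachments and DoNotScanIPMReplicationMessages registry values described above and reports the behaviour each one produces, applying the documented rule that an absent QuarantineTimeout and a non-zero one both mean "quarantine". The registry key path is an assumed placeholder; the page gives it only as HKLM/Software/xxxxx/xxxxx.

```powershell
# Added example (not from the Antigen documentation): report the effect of the
# registry settings described above. The key path is a placeholder (assumed).
$AntigenKey = 'HKLM:\SOFTWARE\xxxxx\xxxxx'   # placeholder

function Get-AntigenValue {
    # Returns $null when the value (or the whole key) is absent. Keeping
    # "absent" distinct from "zero" matters for QuarantineTimeout.
    param([string]$Key, [string]$Name)

    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }

    # The documentation specifies DWORD values, so flag any other value type.
    $kind = (Get-Item -Path $Key).GetValueKind($Name)
    if ($kind -ne 'DWord') { Write-Warning "$Name has type $kind; the documented type is DWORD" }

    return $item.$Name
}

function Get-QuarantineTimeoutEffect {
    # Documented rule: absent, or present and non-zero -> messages that cause a
    # scan job time-out are quarantined; present and zero -> not quarantined.
    param($Value)
    if ($null -eq $Value -or [int]$Value -ne 0) { return 'time-out messages are quarantined' }
    return 'time-out messages are not quarantined'
}

function Get-ScanAllAttachmentsEffect {
    param($Value)
    if ($null -eq $Value) { return 'value absent (a new version 9 installation defaults to 1)' }
    if ([int]$Value -eq 1) { return 'all attachments are scanned' }
    return 'not 1: scanning follows the file-type configuration (Chapter 6)'
}

function Get-IpmReplicationEffect {
    param($Value)
    if ($null -ne $Value -and [int]$Value -eq 1) { return 'IPM replication messages are not scanned' }
    return 'IPM replication messages (winmail.dat) are scanned'
}

$settings = 'QuarantineTimeout', 'ScanAllAttachments', 'DoNotScanIPMReplicationMessages'

$report = foreach ($name in $settings) {
    $value  = Get-AntigenValue -Key $AntigenKey -Name $name
    $effect = switch ($name) {
        'QuarantineTimeout'               { Get-QuarantineTimeoutEffect $value }
        'ScanAllAttachments'              { Get-ScanAllAttachmentsEffect $value }
        'DoNotScanIPMReplicationMessages' { Get-IpmReplicationEffect $value }
    }
    $display = if ($null -eq $value) { '(absent)' } else { $value }
    [pscustomobject]@{ Setting = $name; Value = $display; Effect = $effect }
}

$report | Format-Table -AutoSize
```

The effect functions take the raw value as a parameter rather than reading the registry themselves, so the "absent versus zero" rule for QuarantineTimeout can be checked in isolation before the script is pointed at a live server.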
