Appendix H - Antigen security and configuration updates overview


Applies to: Microsoft Antigen

Antigen includes many security updates and configuration changes from earlier releases. This section details security and configuration information and will be updated as necessary to reflect new changes in Antigen.

Security policy changes

Security has been improved by reducing the privileges held by Antigen services and processes when they start. This limits what malformed data can do if it exploits a security issue in the Antigen code or in the third-party scanning engines. All services and processes run in the Local System account. In Windows Server® 2003, Antigen removes every privilege except those that the services and processes require to do their work. In Windows 2000 Server, privileges cannot be removed, but they can be disabled, so when services and processes start, every privilege that is not necessary to perform their tasks is disabled.

The only privileges enabled are:

  • SeImpersonatePrivilege
  • SeChangeNotifyPrivilege
  • SeSecurityPrivilege

Restricted access control lists (ACLs) are now applied to Antigen resources to prevent unauthorized access. With this change, only users who are members of the Administrators group can administer Antigen.

The ACLs that are applied to Antigen resources are described in the following table:

| Resource type | Resource | ACL set |
| --- | --- | --- |
| File | <Installation path> | SYSTEM – Full Access; Administrators group – Full Access |
| Registry | HKLM/Software/xxxxx/xxxxx | SYSTEM – Full Access; Administrators group – Full Access |
| DCOM | AntigenIMC, AntigenMonitor, AntigenService, AntigenStatisticsService, AntigenStore, AntigenStoreEvent | SYSTEM – Full Access; Administrators group – Full Access |
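The following PowerShell script is an added example, not part of the Antigen documentation or product, that checks whether the file and registry resources in the table still carry only the two expected principals. The installation path and the registry key are placeholders (the table itself elides the key as xxxxx), and the expected principal names are assumed to be the standard well-known accounts.

```powershell
# Added example (not from the Antigen documentation): audit the ACLs on the
# Antigen file and registry resources listed in the table above.
# Both paths are placeholders; substitute the values from your installation.
$InstallPath = 'C:\Program Files\<Antigen installation path>'   # placeholder
$RegistryKey = 'HKLM:\SOFTWARE\<xxxxx>\<xxxxx>'                 # placeholder, elided in the table

# Principals the table says should hold Full Access, and nothing else.
$ExpectedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Test-AntigenResourceAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$AllowedPrincipals = $ExpectedPrincipals
    )
    if (-not (Test-Path -Path $Path)) {
        throw "Path '$Path' not found; check the placeholder values."
    }
    $acl = Get-Acl -Path $Path
    $findings = @()
    $seen = @()

    foreach ($ace in $acl.Access) {
        # Only Allow entries grant access; Deny entries are not a concern here.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        $seen += $who
        # File ACEs expose FileSystemRights, registry ACEs expose RegistryRights.
        $rights = if ($ace.PSObject.Properties['FileSystemRights']) {
            $ace.FileSystemRights
        } else {
            $ace.RegistryRights
        }
        if ($AllowedPrincipals -notcontains $who) {
            # Any other principal with an Allow ACE deviates from the documented ACL set.
            $findings += [pscustomobject]@{
                Path      = $Path
                Principal = $who
                Rights    = $rights
                Inherited = $ace.IsInherited
                Issue     = 'Unexpected principal'
            }
        }
    }

    foreach ($expected in $AllowedPrincipals) {
        if ($seen -notcontains $expected) {
            # A documented principal with no Allow ACE means the ACL was altered.
            $findings += [pscustomobject]@{
                Path      = $Path
                Principal = $expected
                Rights    = $null
                Inherited = $null
                Issue     = 'Expected principal missing'
            }
        }
    }
    return $findings
}

# Run the check over both resources and print any deviations.
$results = @()
$results += Test-AntigenResourceAcl -Path $InstallPath
$results += Test-AntigenResourceAcl -Path $RegistryKey
if ($results.Count -eq 0) {
    Write-Output 'ACLs match the documented SYSTEM / Administrators set.'
} else {
    $results | Format-Table -AutoSize
}
```

The script reports two kinds of deviation: an Allow entry for a principal other than SYSTEM or Administrators, and a documented principal that has lost its entry. It covers only the File and Registry rows; DCOM launch and access permissions are not exposed through Get-Acl and are reviewed in Component Services (dcomcnfg.exe) instead.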

General Options changes

The following describes default changes to General Options settings:

  • **Engine Error Action—**In Version 9, the default action has been changed from Skip to Delete.
  • **Internet Scan Timeout Action—**In Version 9, the default action has been changed from Skip to Delete.
  • **Realtime Timeout Action—**In Version 9, the default action has been changed from Skip to Delete.
  • **Delete Corrupted Compressed Files—**In Version 9, the default setting has been changed from Off to On.
  • **Max Program Log Size—**As of Version 9 with SP1, the default value has been changed from 0 (no limit to the maximum size) to 25600 KB.

Note

These changes affect new installations only. The default settings are not changed during an upgrade from a previous version of Antigen.

The following are new General Options settings:

  • **Illegal MIME Header Action - Internet—**This setting was added in Version 9.
  • **Treat multipart RAR archives as corrupted compressed—**This setting was added in Version 9 with SP1.
  • **Treat high compression ZIP files as corrupted compressed—**This setting was added in Version 9 with SP1.
  • **Treat concatenated gzips as corrupted compressed—**This setting was added in Version 9 with SP1.

For more information about these General Options settings, see "General Options" in Chapter 4 - Using the Antigen Administrator.

Other Antigen changes and updates

The following describes other changes and updates:

**QuarantineTimeout—**The registry setting QuarantineTimeout has been added to override quarantine after a scan job time-out. The value is a DWORD type. If the registry value is not present or it is present and its value is not zero, messages that cause a scan job time-out will be quarantined. If the registry value is present and its value is zero, the message will not be quarantined.

**ScanAllAttachments—**The registry setting ScanAllAttachments will default to 1 for all new installations of Antigen. This will configure Antigen to scan all attachments for viruses by default. The value of this setting will not change during upgrades from Antigen 8.0. For more information about this setting, see the “Scanning files by type” section of Chapter 6 - Configuring Manual Scan Jobs, Chapter 7 - Configuring Realtime Scan Jobs, or Chapter 8 - Configuring SMTP Scan Jobs.

**AV Scan Engine Mappers—**The engine mappers that are used in pre-9 versions of Antigen are no longer compatible with Antigen. After upgrading a pre-9 version of Antigen, the primary network update path will be changed to point to the Microsoft® Web site (https://antigendl.microsoft.com/antigen). The secondary update path will be set to null.

**Winmail.dat Scanning—**The SMTP Scan Job scans winmail.dat files for viruses. Microsoft Exchange Server uses winmail.dat files for several purposes. One of the uses is to send winmail.dat files between servers to facilitate replication (IPM replication messages). If Antigen modifies any of these winmail.dat files, the public folder replication process will fail. To prevent this, you can set a new DWORD registry key named DoNotScanIPMReplicationMessages to 1, and then the SMTP Scan Job will not scan IPM replication messages.

Note

If a virus is replicated via public folder replication, the Antigen Realtime Scan Job will still detect the virus even if this key is set.
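The following PowerShell script is an added example, not part of the Antigen documentation or product. It reads the QuarantineTimeout, ScanAllAttachments and DoNotScanIPMReplicationMessages DWORD values described above, applies the page's rule for when a scan job time-out results in quarantine, and shows how the values would be set. The page does not give the full registry key that holds these values, so $AntigenKey is a placeholder.

```powershell
# Added example (not from the Antigen documentation). The registry key below is
# a placeholder; the page does not state where these DWORD values live.
$AntigenKey = 'HKLM:\SOFTWARE\<xxxxx>\<xxxxx>'   # placeholder

function Get-AntigenDword {
    param([Parameter(Mandatory)][string]$Key, [Parameter(Mandatory)][string]$Name)
    # Returns $null when the value (or the key) is absent, otherwise the DWORD as an int.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-QuarantineOnScanTimeout {
    param($QuarantineTimeout)
    # Rule from the page: value absent or non-zero => the message that caused the
    # scan job time-out is quarantined; value present and zero => not quarantined.
    if ($null -eq $QuarantineTimeout) { return $true }
    return ($QuarantineTimeout -ne 0)
}

function Set-AntigenDword {
    param(
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Value
    )
    if (-not (Test-Path -Path $Key)) {
        throw "Key '$Key' not found; check the placeholder value."
    }
    # -Force overwrites an existing value; the type is always DWORD as the page requires.
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

# Report the current state of the three settings.
$qt  = Get-AntigenDword -Key $AntigenKey -Name 'QuarantineTimeout'
$saa = Get-AntigenDword -Key $AntigenKey -Name 'ScanAllAttachments'
$ipm = Get-AntigenDword -Key $AntigenKey -Name 'DoNotScanIPMReplicationMessages'

[pscustomobject]@{
    QuarantineTimeout               = $qt
    QuarantinesOnScanTimeout        = Test-QuarantineOnScanTimeout $qt
    # New installs default to 1; an upgrade from Antigen 8.0 keeps the earlier value.
    ScanAllAttachments              = $saa
    # 1 keeps the SMTP Scan Job away from IPM replication winmail.dat files.
    DoNotScanIPMReplicationMessages = $ipm
}

# Example changes (uncomment to apply after confirming $AntigenKey):
# Set-AntigenDword -Key $AntigenKey -Name 'ScanAllAttachments' -Value 1
# Set-AntigenDword -Key $AntigenKey -Name 'DoNotScanIPMReplicationMessages' -Value 1
# Set-AntigenDword -Key $AntigenKey -Name 'QuarantineTimeout' -Value 0   # stop quarantining on time-out
```

The report distinguishes an absent QuarantineTimeout from a zero one, since only the latter turns quarantine off. Checking ScanAllAttachments is worthwhile on servers upgraded from Antigen 8.0, where the value is carried over rather than reset to the new default of 1.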

**ESE Mode—**Antigen no longer supports ESE mode. During an upgrade from a pre-9 version of Antigen, the mode will be changed to VSAPI mode. No notification or warning appears during this change. Because Antigen uses VSAPI mode, you no longer need to disable Antigen before applying an Exchange service pack or hotfix.

**FTP Engine Updates—**Engine updates via the File Transfer Protocol (FTP) server are no longer supported. Updates must be done by using HTTP, or locally, by using a UNC share.

**Exchange 5.5 Not Supported—**Antigen does not support Exchange 5.5.

**Antigen Central Manager and Antigen Quarantine Manager—**The Antigen Central Manager (ACM) and Antigen Quarantine Manager (AQM) have been removed from Antigen. All of the functions of the ACM and AQM can now be handled through the Microsoft Antigen Enterprise Manager (AEM). For more information about the AEM, see the Microsoft Antigen Enterprise Manager User Guide at the Microsoft Antigen TechNet Library.
