Chapter 17 - Troubleshooting overview


Applies to: Microsoft Antigen

This section contains troubleshooting information.

Getting help

To obtain technical support, visit the Microsoft Web site at Microsoft Help and Support.

Using diagnostics

Diagnostic logging records additional information that Microsoft support technicians can use to troubleshoot problems with Antigen for SMTP Gateways. Diagnostics can be enabled independently for each scan job by selecting the appropriate check box for that scan job in the Diagnostics area of the General Options work pane. The settings are Additional Internet and Archive SMTP Mail. Both options are disabled by default; enable them while you reproduce a problem and disable them again when the problem is resolved. For more information about these settings, see Chapter 4 - Antigen Administrator.

For information about collecting diagnostic information, see Appendix D - Using the Antigen diagnostic utility (AntigenDiag.exe).

Submitting malicious software files to Microsoft for analysis

If you suspect that a file contains malware or potentially unwanted software, you can submit it to Microsoft for analysis by using one of the following methods:

Submitting files through the Microsoft Malware Protection Center Portal

The following Web site enables users to submit files that are suspected of containing malware or potentially unwanted software to Microsoft for analysis:

https://go.microsoft.com/fwlink/?LinkId=196858

After you have accessed the Microsoft Malware Protection Center portal, on the Submit a sample page, follow the instructions for the portal submission process.

Note

When prompted, enter your Microsoft Software Assurance ID. This ensures that your malware submission is given a higher priority assignment in our submission queue as compared to those anonymously submitted. For more information on software assurance, visit the following Microsoft Web site: Software assurance information

Preparing files for submission

To submit multiple files, or to keep a large submission within the size limit, compress the file or files into a single .zip or .rar archive and protect the archive with the password "infected" (without quotation marks). The archive must be smaller than 10 megabytes. The password is a convention: it stops mail and gateway scanners from detecting and quarantining the sample in transit, while still letting the analysts open the archive.

When you submit the file, make sure that you include the following data:

  • Your name and email address
    Microsoft sends all responses to the email address that you use to submit the files. When you submit the archive file, Microsoft processes the file and then sends a determination of the files that it contains, based on the current Microsoft malware definitions. If it is necessary, adjust your incoming mail filters to ensure that you receive this message.
    If you want to add additional email contacts to receive updates about the status of the submission, also include these contacts and add the following note in the comments field: "Please Reply All".
  • Support case number (optional)
    A support case number is not required to submit files for analysis. However, if a support case is already open for this submission, you can include the case number.
  • Product that you are using
    Select Microsoft Forefront Server Security. (In the comments section, you may want to list a more specific product name, for example Microsoft Antigen for SMTP Gateways.)
  • False positives
    If the submission includes files that you believe were incorrectly determined to contain malware, select the I believe this file should not be detected as malware check box. Otherwise, the files are assumed to contain malware.
  • File to submit
    Click the Choose File button to browse to the file you want to submit for analysis.
  • Description of the malicious activity
    In the comments field, describe what the files did to make you suspect that they contain malware. Also include the operating system on which the suspected malware was found (for example, Windows Server 2003), and any other information that may help with the analysis.
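The following script, added here as an illustration and not part of the Antigen documentation, prepares a submission archive as described above: it packs the samples into a .zip protected with the password "infected", enforces the 10 megabyte limit, and prints SHA-256 hashes that you can paste into the comments field so the analyst can match your description to each file. It assumes that 7-Zip is installed at the path given below (the built-in Compress-Archive cmdlet cannot set a password) and that it runs on an isolated analysis host rather than on the gateway itself.

```powershell
# Added example, not part of the Antigen documentation.
# Packs suspected samples into a password-protected .zip for the Malware
# Protection Center portal and returns their SHA-256 hashes for the comments field.
# Assumptions: 7-Zip is installed at the path below (Compress-Archive cannot set
# a password) and the script runs on an isolated analysis host.
function New-MalwareSubmissionArchive {
    param(
        [Parameter(Mandatory)][string[]]$SamplePath,
        [Parameter(Mandatory)][string]$OutFile,
        [string]$SevenZip = 'C:\Program Files\7-Zip\7z.exe'   # assumed install path
    )
    $limit = 10MB   # portal limit stated on this page

    if (-not (Test-Path -LiteralPath $SevenZip)) { throw "7z.exe not found at $SevenZip" }
    foreach ($p in $SamplePath) {
        if (-not (Test-Path -LiteralPath $p)) { throw "Sample not found: $p" }
    }
    if (Test-Path -LiteralPath $OutFile) { Remove-Item -LiteralPath $OutFile -Force }

    # -tzip: .zip container; -pinfected: the conventional password; -y: answer prompts with yes
    & $SevenZip a -tzip -pinfected -y $OutFile @SamplePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "7-Zip exited with code $LASTEXITCODE" }

    $size = (Get-Item -LiteralPath $OutFile).Length
    if ($size -ge $limit) {
        Remove-Item -LiteralPath $OutFile -Force
        throw ("Archive is {0:N0} bytes; it must be smaller than 10 MB. Split the samples across submissions." -f $size)
    }

    # Hashes let the analyst match your comments to the files inside the archive.
    Get-FileHash -Algorithm SHA256 -LiteralPath $SamplePath |
        Select-Object @{ n = 'SHA256'; e = { $_.Hash } }, @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }
}

# Usage (the sample and output paths are placeholders):
New-MalwareSubmissionArchive -SamplePath 'D:\quarantine\invoice.exe', 'D:\quarantine\macro.doc' `
                             -OutFile 'D:\submit\samples.zip'
```

The archive uses 7-Zip's default .zip encryption, which is what the portal expects with the "infected" convention; do not use a stronger 7z-only container or a different password, or the analysts will not be able to open it.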

About the response message

After you submit the malware files, we send you a response to confirm the receipt of the submission. We then follow up with the results of our analysis and with responses from our partners. If you want more frequent updates through sample review, such as for high-priority submissions, it is recommended that you open a support case.

Submitting files through Microsoft Customer Support Services

Microsoft Customer Support Services can submit files on your behalf. If you have an urgent malware situation that Antigen does not address, or if it is after regular business hours, it is recommended that you contact Customer Support Services for help. To do this, use the support information that was provided to you when you purchased Antigen, or visit the following Microsoft Web site:

https://go.microsoft.com/fwlink/?LinkID=159889

Attaching a disclaimer message that includes non-US-ASCII characters

When you use the Add Outbound Disclaimer function to attach a disclaimer to an outgoing e-mail message, the message may be unreadable if the disclaimer includes non-US-ASCII characters.

By default, when Antigen adds a disclaimer it re-encodes the message in UTF-7, which Antigen treats as the basic Internet encoding. UTF-7 represents every character outside US-ASCII as a modified Base64 sequence between "+" and "-", and many mail clients do not decode that form. As a result, non-US-ASCII characters in the disclaimer, and in the rest of the message, are not displayed correctly after Antigen processes the message.

Antigen applies UTF-7 even when the original message from the sender uses a different character set, for example ISO-8859-1.

To prevent Antigen from converting the message from its original encoding into UTF-7 when it adds the disclaimer, create the following registry value.

To prevent Antigen from forcing the UTF7 format

  1. Click Start, click Run, type regedit, and then click OK.

  2. In Registry Editor, expand the following registry subkey.

    HKEY_LOCAL_MACHINE\SOFTWARE\Sybari Software\Antigen for SMTP

  3. Right-click Antigen for SMTP, point to New, and then click DWORD Value.

  4. To name the new value, type ForceDisclaimerNonUTF7, and then press ENTER.

  5. Right-click ForceDisclaimerNonUTF7, and then click Modify.

  6. In the Value data box, type 1, and then click OK.

  7. Exit Registry Editor.

  8. Restart the Antigen services.
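The script below is an added example, not part of the Antigen documentation. It first shows what a non-US-ASCII disclaimer looks like to a client that does not decode UTF-7, which is the symptom described above, and then carries out the registry procedure from PowerShell: it creates the ForceDisclaimerNonUTF7 DWORD value under the key named in step 2, leaves it alone if it is already set, and optionally restarts the Antigen services. It assumes Windows PowerShell running elevated on the gateway, and that the Antigen services' display names begin with "Antigen" (the page does not name the services).

```powershell
# Added example, not part of the Antigen documentation.
# Shows why a non-US-ASCII disclaimer breaks under UTF-7, then sets the
# ForceDisclaimerNonUTF7 value from this page and restarts the Antigen services.
# Assumptions: runs elevated in Windows PowerShell on the gateway, and the
# Antigen services' display names begin with "Antigen" (the page does not name them).

function Get-Utf7Preview {
    # Returns the text as a client that does not decode UTF-7 would display it:
    # every non-US-ASCII character becomes a "+...-" modified Base64 run.
    param([Parameter(Mandatory)][string]$Text)
    $bytes = [System.Text.Encoding]::UTF7.GetBytes($Text)
    return [System.Text.Encoding]::ASCII.GetString($bytes)
}

function Test-DisclaimerNeedsFix {
    # $true when the disclaimer contains any character outside US-ASCII (0x00-0x7F).
    param([Parameter(Mandatory)][string]$Text)
    return [bool]($Text -cmatch '[^\x00-\x7F]')
}

function Set-ForceDisclaimerNonUtf7 {
    param([switch]$RestartServices)
    $key  = 'HKLM:\SOFTWARE\Sybari Software\Antigen for SMTP'   # key from step 2 above
    $name = 'ForceDisclaimerNonUTF7'
    if (-not (Test-Path $key)) { throw "Registry key not found: $key (is Antigen for SMTP installed?)" }

    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -eq 1) {
        Write-Host "$name is already 1; nothing to change."
    } else {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Host "Set $name = 1 under $key"
    }
    if ($RestartServices) {
        # Assumption: the Antigen services' display names start with "Antigen".
        Get-Service -DisplayName 'Antigen*' | Restart-Service -Force
    }
}

# Worked check with a constructed German disclaimer:
$disclaimer = 'Diese E-Mail enthält vertrauliche Informationen.'
Test-DisclaimerNeedsFix -Text $disclaimer
Get-Utf7Preview -Text $disclaimer

# Apply the fix only when the disclaimer actually needs it:
if (Test-DisclaimerNeedsFix -Text $disclaimer) {
    Set-ForceDisclaimerNonUtf7 -RestartServices
}
```

For the sample text, Get-Utf7Preview shows the "ä" as the sequence +AOQ-, which is how the character appears in a client that does not decode UTF-7; the check function returns True for any disclaimer containing such characters. Run the registry change during a maintenance window, because restarting the services interrupts mail flow through the gateway.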

Rebuilding scan engines

Important

Before you rebuild a scan engine in Antigen, it is recommended that you first contact Microsoft Product Support Services (PSS) to help determine whether the problem that you experience requires a scan engine rebuild operation. For information about how to contact Microsoft PSS, visit the following Web site: https://support.microsoft.com/contactussupport/?ws=support

Symptoms that may require that you rebuild a scan engine include the following:

  • Scan engine files become locked. Therefore, a scan engine can no longer be automatically updated.
  • A scan engine generates an error message when it attempts to load.

When any of these symptoms occur, one of the following errors may be logged in the ProgramLog.txt file, located in the Antigen for SMTP folder.

  • ERROR: Could not create mapper object
  • INFORMATION: The engine_name engine was rolled back
  • ERROR: Scan engine was corrupted on download
  • ERROR: CheckCrc failed
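As an added example that is not part of the Antigen documentation, the following PowerShell function scans ProgramLog.txt lines for the four indicators listed above and reports which engine each one concerns, so you can tell a single failed download from a pattern that justifies a rebuild. The sample log lines are constructed for the example; the real log format may differ, and the location of the Antigen for SMTP folder is left as a placeholder.

```powershell
# Added example, not part of the Antigen documentation.
# Finds the engine-rebuild indicators listed on this page in ProgramLog.txt lines.
# The sample lines below are constructed; the real log format may differ.

$RebuildIndicators = @(
    'Could not create mapper object',
    'engine was rolled back',
    'Scan engine was corrupted on download',
    'CheckCrc failed'
)

function Find-EngineRebuildIndicators {
    param([Parameter(Mandatory)][string[]]$LogLine)
    foreach ($line in $LogLine) {
        foreach ($pattern in $RebuildIndicators) {
            if ($line -like "*$pattern*") {
                # Only the rollback message names the engine; for the others,
                # look at the surrounding update messages in the log.
                $engine = if ($line -match 'The (\S+) engine was rolled back') { $Matches[1] }
                          else { '(see surrounding lines)' }
                [pscustomobject]@{ Indicator = $pattern; Engine = $engine; Line = $line.Trim() }
                break   # one indicator per line is enough
            }
        }
    }
}

# Constructed sample lines:
$sample = @(
    'INFORMATION: Scanner update check started',
    'ERROR: Scan engine was corrupted on download',
    'ERROR: CheckCrc failed',
    'INFORMATION: The Microsoft engine was rolled back',
    'INFORMATION: Scanner update check finished'
)
Find-EngineRebuildIndicators -LogLine $sample | Format-Table -AutoSize

# Against the live log: replace the placeholder with your Antigen for SMTP folder.
# Find-EngineRebuildIndicators -LogLine (Get-Content (Join-Path '<Antigen for SMTP folder>' 'ProgramLog.txt')) |
#     Group-Object Indicator | Select-Object Name, Count
```

A rollback that follows a single "corrupted on download" or "CheckCrc failed" entry usually means the download was interrupted and the next scheduled update will succeed; repeated entries for the same engine, or a "Could not create mapper object" error every time the engine loads, are the cases to raise with support before rebuilding.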

To rebuild a scan engine

  1. Create the UNC update folder structure. To do this, follow these steps:

    1. Create a directory that is named Antigen (for example, C:\Antigen).
    2. In the Antigen directory, create a directory that is named Engines.
    3. In the Engines directory, create a directory that is named x86.
    4. In the x86 directory, create a folder for the engine on which you are working. For example, create a folder that is named Microsoft.
    5. In that engine folder, create a folder that is named Package.

    An example of a UNC update folder path is as follows:

    C:\Antigen\Engines\x86\Microsoft\Package

  2. Download the latest scan engine files. To do this, follow these steps:

    1. Save the Manifest.cab file to the Package folder for the engine that you are updating. An example of the path of this file in the directory is as follows:
      C:\Antigen\Engines\x86\Microsoft\Package\manifest.cab
      To obtain the Manifest.cab file, go to the following Microsoft Web site:
      https://antigendl.microsoft.com/antigen/x86/Microsoft/Package/manifest.cab

    2. Extract the Manifest.xml file from the Manifest.cab file, and then open the Manifest.xml file by using a text editor, such as Notepad.
      Search for the "version=" string in the Manifest.xml file. After one of the instances of "version=" a 10-digit number is displayed.
      For example, locate the entry that resembles the following entry:
      version="0606080004"
      In this entry, the 10-digit number represents the update version number of the latest update. For this procedure, this update version number is represented by the update_version placeholder.

    3. Save the Microsoft_fullpkg.cab file to a directory within the Package folder that is named after that version number. An example of the path of this file in the directory is as follows:
      C:\Antigen\Engines\x86\Microsoft\Package\0606080004\Microsoft_fullpkg.cab
      To obtain the Microsoft_fullpkg.cab file, go to the following Microsoft Web site:
      https://antigendl.microsoft.com/antigen/x86/Microsoft/Package/update_version/microsoft_fullpkg.cab

      Important

      In this URL, replace update_version with the update version number that you located in step 2b. For example, use a URL that resembles the following sample URL:
      https://antigendl.microsoft.com/antigen/x86/Microsoft/Package/0606080004/microsoft_fullpkg.cab

    4. Copy the Manifest.cab file from the Package folder into the version folder. An example of the final structure is as follows:
      c:\Antigen\Engines\x86\Microsoft\Package\manifest.cab
      c:\Antigen\Engines\x86\Microsoft\Package\0606080004\manifest.cab
      c:\Antigen\Engines\x86\Microsoft\Package\0606080004\Microsoft_fullpkg.cab

  3. Update the engine. To do this, follow these steps:

    1. Open the Antigen Administrator.
    2. Under SETTINGS, click Scanner Updates.
    3. Select the engine on which you are working. For example, select Microsoft.
    4. Change Network Update Path to the parent directory of the x86 folder. For example, change this item to C:\Antigen\Engines.
    5. Click Save.
    6. Click Update Now.
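The script below is an added example, not part of the Antigen documentation, that automates steps 1 and 2 of the procedure above: it builds the folder tree, downloads manifest.cab, reads the 10-digit version from manifest.xml, downloads the full engine package into the version folder and copies manifest.cab beside it. Step 3 (setting Network Update Path in Antigen Administrator) remains a manual step, and the script prints the path to enter. It checks that each downloaded file really is a cabinet (a truncated download or an HTML error page is the usual cause of "corrupted on download"). Assumptions: Windows PowerShell 2.0 or later, expand.exe (built into Windows), HTTPS access to antigendl.microsoft.com, and that engines other than Microsoft follow the same "<engine>_fullpkg.cab" naming, which the page shows only for the Microsoft engine.

```powershell
# Added example, not part of the Antigen documentation.
# Stages a full engine package for the rebuild procedure on this page.
# Assumptions: Windows PowerShell 2.0+, expand.exe on the PATH, HTTPS access to
# antigendl.microsoft.com, and "<engine>_fullpkg.cab" naming for all engines
# (the page shows only the Microsoft engine).

function Get-ManifestVersion {
    # Returns the first 10-digit version="..." value (the update_version placeholder above).
    param([Parameter(Mandatory)][string]$ManifestXml)
    if ($ManifestXml -notmatch 'version="(\d{10})"') { throw 'No 10-digit version= entry found in manifest.xml' }
    return $Matches[1]
}

function Assert-CabFile {
    # Every Microsoft cabinet starts with the ASCII signature "MSCF"; anything else
    # (an HTML error page, a truncated download) would later fail the CRC check.
    param([Parameter(Mandatory)][string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $head = New-Object byte[] 4
        $n = $fs.Read($head, 0, 4)
    } finally { $fs.Close() }
    if ($n -lt 4 -or [System.Text.Encoding]::ASCII.GetString($head, 0, 4) -ne 'MSCF') {
        throw "$Path is not a cabinet file; delete it and download again"
    }
}

function New-AntigenEngineRebuildTree {
    param(
        [string]$Engine = 'Microsoft',
        [string]$Root   = 'C:\Antigen'
    )
    $base    = "https://antigendl.microsoft.com/antigen/x86/$Engine/Package"
    $package = Join-Path $Root "Engines\x86\$Engine\Package"       # step 1
    New-Item -ItemType Directory -Path $package -Force | Out-Null
    $web = New-Object System.Net.WebClient

    # Step 2a: manifest.cab into the Package folder
    $manifestCab = Join-Path $package 'manifest.cab'
    $web.DownloadFile("$base/manifest.cab", $manifestCab)
    Assert-CabFile -Path $manifestCab

    # Step 2b: extract manifest.xml and read the version number
    $tmp = Join-Path $env:TEMP ('antigen-manifest-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $tmp | Out-Null
    & expand.exe $manifestCab -F:manifest.xml $tmp | Out-Null
    $xml = [System.IO.File]::ReadAllText((Join-Path $tmp 'manifest.xml'))
    Remove-Item -Path $tmp -Recurse -Force
    $version = Get-ManifestVersion -ManifestXml $xml

    # Step 2c: full package into the folder named after the version
    $versionDir = Join-Path $package $version
    New-Item -ItemType Directory -Path $versionDir -Force | Out-Null
    $fullPkg = Join-Path $versionDir "${Engine}_fullpkg.cab"
    $web.DownloadFile("$base/$version/$($Engine.ToLower())_fullpkg.cab", $fullPkg)
    Assert-CabFile -Path $fullPkg

    # Step 2d: a copy of manifest.cab also goes into the version folder
    Copy-Item -Path $manifestCab -Destination (Join-Path $versionDir 'manifest.cab') -Force

    Write-Host "Engine $Engine version $version staged under $package"
    Write-Host "Step 3: in Antigen Administrator, set Network Update Path to $(Join-Path $Root 'Engines') and click Update Now."
    return $version
}

New-AntigenEngineRebuildTree -Engine 'Microsoft' -Root 'C:\Antigen'
```

Run it from an account that can write to the update root, and keep the staged tree after the update succeeds so the same package can be re-applied if the engine rolls back again; the Network Update Path should be switched back to the normal update source afterwards so the engine resumes automatic updates.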

Note

The third-party products that the preceding procedure discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
