Forefront Security for Exchange Server Release Notes - Beta 2

[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]

Microsoft® Forefront™ Security for Exchange Server, Version 11.

(Build 0243.0)

Thank you for using Microsoft Forefront Security for Exchange Server (FSE). This readme file contains important information regarding the current version of the product. It is highly recommended that you read the entire document.

To view the latest updated Readme.htm, see:

What's in this file

This topic contains the following information:

Beta Issues

There are certain known issues with this beta release:

  • You should not install the FSE Beta 2 RF1 build (403.0) if you have done either of the following:

    • Renamed or removed the "Microsoft Exchange Server Security Group" Organizational Unit (OU) in the Active Directory forest where you will be deploying the product.

    • Moved the "Exchange Servers" object from the "Microsoft Exchange Server Security Group" OU in Active Directory.

    If either of the above situations apply, contact

  • The release cannot be installed on SCC clusters.

  • You cannot connect to another Forefront server (that is, there is no remote handling).

  • When FSE is uninstalled, Exchange services are stopped, resulting in a temporary interruption in mail flow. The services that are stopped are automatically restarted when FSE finishes uninstalling.

  • The profanity example lists provided in former versions of the product are not supported in this beta release.

  • Before uninstalling FSE, it is recommended that you first stop the Microsoft Exchange Information Store. During uninstall, FSE will wait two minutes for the Microsoft Exchange Information Store to stop; the uninstall could fail if the service is not yet stopped.

  • There are certain settings for the on-demand scan that can only be configured by using the Windows PowerShell Set-FSEOnDemandScan cmdlet. For more information about this cmdlet, see the PowerShell help for the Set-FSEOnDemandScan. The settings are as follows:

    -Engines - Selects the engines to be used in the scan

    -EngineUsagePolicy - Sets the intelligent engine selection policy

    -VirusAction - Sets the action to take if malware is encountered

    -VirusQuarantine - Indicates whether to quarantine malware files

    -MalwareDeletionText - Substitutes text for deleted malware files

    -FileFilteringDeletionText - Substitutes text for matched file filters

    -DocFiles As Containers - Scans .doc files as containers

    -BodyScanning - Causes the body of the message to be scanned

    -MaxContainerScanTime - The maximum time for scanning a container file

  • There are certain settings for on-demand filters that can only be configured by using the Windows PowerShell Set-FSEOnDemandFilter cmdlet. For more information about this cmdlet, see the PowerShell help for the Set-FSEOnDemandFilter. The settings are as follows:

    -Enabled - Enables the filter

    -Action - Sets the action to take if a filter is matched

    -Quarantine - Indicates whether to quarantine filter matches

  • To specify public folders for the Mailbox Realtime, Mailbox Scheduled, and Mailbox On-Demand scans, you must manually enter them; the scan target lists do not pre-populate at this time.

  • The ordered list feature of file filtering is not yet available.

  • The identify in header feature is not yet available.

  • In the event that the user interface is unable to open because of an Unhandled Exception, it is possible that the account used to access the Exchange server settings was improperly set. To update these credentials, in Control Panel click Administrative Tools, and then click Component Services. Expand Component Services, expand Computers, expand My Computer, and then open DCOM Config. Right-click the FSEAntispamSettings component and select Properties. Under the Identity tab, ensure that the User is an account that can manage the Exchange server. Re-enter the password and click OK. This ensures that the account is properly set.

  • If you change your engine update path to update from a redistribution server, you must use a UNC path.

  • The antispam-enabling check boxes in the Forefront Server Security user interface (UI) are not functioning correctly. Therefore, if you do not enable antispam functionality during installation and later want to enable it, that must be done with Windows PowerShell, not with the UI. Until antispam functionality is enabled, any changes that you make to the antispam settings with the UI will not be functional. This is the PowerShell command to enable antispam:

    Set-FSESpamFiltering -enabled $true

    Disabling antispam functionality must also be done with PowerShell. The command is:

    Set-FSESpamFiltering -enabled $false

    In order to successfully run these commands on an Edge server, you must be an Exchange Admin. To run them on a Hub server, you must be a Local Admin.

  • If antispam is enabled, the server requires Internet connectivity in order to be able to download the definition updates for the antispam engine. If you set your engine update path to point to a redistribution server, proxy information (including a proxy password, if needed) must still be entered, in order for the Cloudmark Antispam engine to obtain definition updates.

  • When you enable or disable antispam filtering, the Cloudmark Antispam engine is not affected. If you enable antispam filtering, you should ensure that the Cloudmark engine is also enabled (this is the default) in order that the latest engine updates are always downloaded and applied. If this is not done, the engine still continues to be used for scanning, but as time passes and its definitions become out of date, its effectiveness diminishes. If you disable antispam filtering, FSE continues to download updates for the Cloudmark engine unless you disable updating for that engine.

  • If a delivered quarantined message is still detected by the scan engines as being an infected file or filter match, it will again fail to be delivered to the intended recipients. FSE always scans delivered items for infected files, but you can disable filtering on items delivered from quarantine by setting the extended option QuarantineSecurity to 2. This is the Windows PowerShell command to create and set the extended option:

    New-FSSExtendedOption -name QuarantineSecurity -value 2

    To re-enable filtering on items delivered from quarantine, remove this extended option with the following PowerShell command:

    Remove-FSSExtendedOption –name QuarantineSecurity

  • In multi-node Exchange filtering (under Exchange/Filters/Configure) you may encounter problems with changes persisting if you have already initiated a previous save. You must close the policy editor, re-open the policy, and apply your changes again. To avoid this problem entirely, after making changes in the filtering area you should click Save and close. To make more changes re-open the policy.

  • E-mail notifications for "critical error" events are not being sent properly in this Beta release. In order to help you monitor these events, if a critical error is encountered, an error will be sent to the Windows Event Log.

  • The FSE on-demand scan does not work on the DF7 build of Microsoft Exchange.

Important Notes

  1. This beta release of FSE is only supported on English, German, and Japanese operating systems.

  2. Upgrades from the beta 1 or beta 2 releases of FSE, as well as releases earlier than 11.0 are not supported.

  3. .NET Framework 3.0 SP1 is a prerequisite for installation of FSE.

  4. FSE only supports five antivirus scan engines: Microsoft, Norman, CA, VirusBuster, and Kaspersky. After a fresh installation, all are selected for scanning. After the product has been installed, you can use the Forefront Server Security Administrator to change the engine selection.

    The following engines are no longer supported and should not be used: Sophos, Authentium, and AhnLab.

  5. After a fresh installation, new definition files must be downloaded in order to ensure the most up-to-date protection. An hourly check for updates for each licensed engine is scheduled. These updates start five minutes after FSE services are started. Engine updates can now be scheduled by category. By default, all the antivirus engines and the antispam engine have the same hourly schedule. However, if a proxy is being used for updates, these scheduled updates will fail until all the proxy information has been entered. Use the Forefront Server Security Administrator to enter a proxy username and a password. Under Global Settings, in Engine Updates, enter the appropriate information into Proxy Username and Proxy Password (the Proxy Server Name and Proxy Port should have been entered during installation; if not, you can enter them here also). Then, immediately update each scan engine by clicking Update Engines Now.


    • You should successfully update at least one engine before the installation is considered complete.

    • Until all the licensed engines have been successfully downloaded, errors may appear in the event log. These errors include "Could not create mapper object".

  6. To verify that FSE has been correctly installed with default protection enabled, use Task Manager. You should see the following in a default installation:

    • On a server that contains a Mailbox role, there should be four FSCRealtimeScanner.exe processes running, and there should be one FSCScheduledScanner.exe process running.

    • On a server that includes a Transport role (such as a Hub Transport, Edge, or Mailbox/Hub Transport server), there should be four FSCTransportScanner.exe processes running.

  7. The Forefront Server Security Administrator cannot be used to manage servers running versions earlier than release 11.0.

  8. If the SharePoint Portal Alert service is on the server and running, an upgrade or removal of FSE may require a restart.

  9. Files compressed into multipart RAR volumes are subject to the uncompressed file size limit. This limit is specified in Protection Settings, on the Global Settings - Advanced Options pane, in the Maximum uncompressed file size setting. The default value of this limit is 100 megabytes. If any file exceeds the limit, any multipart RAR volume that contains the file or a part of the file is deleted. You can also set its value by using Windows PowerShell. (For example: Set-FSEAdvancedOptions ‒UnCompressedFileSize 150).

  10. To prevent FSE from requiring a restart during an upgrade or uninstall process, shut down the Microsoft System Center Operations Manager (OpsMgr) 2007 for FSE agent (or any other monitoring software) and make sure that any command prompts or Windows Explorer windows do not have the FSE program folder or any of the subfolders open. After the upgrade or uninstall process is complete, start the OpsMgr agent again.

  11. FSE does not support customers using their own procedure in order to download engine updates from the Microsoft Web sites. FSE provides the ability for a server to be used as a redistribution server, but this server must use FSE in order to get the updates from Microsoft.

  12. FSE data folder path names (DatabasePath registry key) have a maximum size of 216 characters.

  13. If you change the program folder, its name must be less than 170 characters.

  14. UNC paths specified for engine updates must not end with a backslash (\).

  15. When FSE is installed on an Edge Transport server that is not a member of a domain, the Domain names used for identifying internal addresses setting will be empty.

  16. If FSE is installed on a Mailbox Only role and the server is a Domain Controller, Notifications and Deliver From Quarantine functionality do not work.

  17. Importing filter lists from a UTF-8 formatted file is not supported.

  18. If you are using file filters, it is recommended that you enable only the transport scan option for each filter. Since all mail must go through the hub transport, the same filters would be applied to all messages.)

  19. FSE only installs and runs with the default setting of "Remote Signed" that Exchange places on the PowerShell execution policy. Changing it to a more restrictive policy such as "Restricted" or "AllSigned" is not supported by FSE.

  20. When uninstalling FSE, Active Directory® must be available in order for FSE to uninstall correctly.

  21. The following are the default locations of the program directory, the data directory, and the engines directory:

    • Windows Server 2003 (x86):

      Program Folder: C:\Program Files\Microsoft Forefront Security for Exchange Server

      Data Folder: C:\Program Files\Microsoft Forefront Security for Exchange Server\Data

      Engines folder: C:\Program Files\Microsoft Forefront Security for Exchange Server\Data\Engines

    • Windows Server 2003 (x64), Windows Server 2008 (x64):

      Program Folder: C:\Program Files (x86)\Microsoft Forefront Security for Exchange Server

      Data Folder: C:\Program Files (x86)\Microsoft Forefront Security for Exchange Server\Data

      Engines folder: C:\Program Files (x86)\Microsoft Forefront Security for Exchange Server\Data\Engines

  22. When FSE is installed on a Mailbox server, the Transport Exclusion Flag is set to 1, and outgoing e-mail is not scanned for malware or filters at the Store. If you do not have FSE installed on your Transport servers, then e-mail that is being sent is not scanned. Mail is scanned at the Bridgehead, provided that FSE is installed there. That is, if FSE is installed on the Mailbox server only, and nowhere else, outbound mail is not scanned.

  23. When you configure a scheduled scan, the default is to scan only messages that have attachments. If you have also created subject line filters or sender-domain filters, those filters only apply to mail that has attachments, not to all mail. If you change the scheduled scan to scan all mail (by selecting the Scan message body check box in the Options section of the Antimalware - Mailbox Scheduled pane), then the filters apply to all mail. In other words, the filters are applied to whatever mail is being scanned for malware.

  24. Before stopping the FSE services, you should first stop all the Exchange services.

  25. There are a number of settings and situations that require you to restart services. In the event that FSE does not recognize the current settings, restart the FSE services.

  26. The Microsoft Forefront Server Security Controller Service is dependent on the Windows NT® Schedule service. The Schedule service must have the ability to start successfully in order for FSE to initialize.

  27. There is a limit of 800 elements in any spam list. The spam lists are: sender exception list, sender domain exception list, recipient exception list, IP allow list, IP block list, recipient block list, sender block list, and sender domain block list.

  28. Although it appears that the primary update path can be set independently for each engine, there is really only a single setting. That is, if you modify one engine's primary update path, you are actually modifying the primary update path for all engines. The same is true for the secondary update path.

New Features

Build 11.0.0243.0:

  1. Added support for PowerShell, the Windows command line shell that can be used to enter commands directly or to create scripts.

  2. Product installation is now done with the Windows Installer (MSI).

  3. There is a new job called the scheduled scan job, which was separated from the realtime scan job.

  4. The user interface has been revised.

  5. Antispyware scanning is now done with the Microsoft Antimalware Engine.

  6. Antispam functionality includes a built-in DNS block list, a new antispam engine (Cloudmark), and integrated management of the Exchange antispam agents.

  7. Exchange Hosted Filtering (EHF) is now integrated with the Stirling Console.

  8. FSE can be run on the Hyper-V platform.

Software Fixes

Build 11.0.0243.0:

Includes all software fixes from FSE 10.1.0746.0.

Known Issues

  1. A valid ZIP archive is detected as corrupted compressed.

    Reason: FSE currently does not support the PKWARE's DCL-Implode or Deflate64 algorithms.

    Workaround: None.

  2. The Update enabled engines on server startup setting is cleared after an upgrade.

    Workaround: Reselect the option in the Forefront Server Security Administrator. In the Protection Settings menu, under Global Settings, click Engine Updates. Select the Update enabled engines on server startup check box, and then click Save.

  3. Forefront services may still exist if the Service Control Manager is open during uninstall.

    Reason: FSE services may only get marked for deletion instead of actually being deleted if the Service Control Manager application is open.

    Workaround: Closing the Service Control Manager application or restarting the server allows the FSE services to be deleted.

  4. During the installation, choosing a directory from the list of existing folders when you are prompted by the Select Program Folder dialog box for a program folder, only replaces the current shortcuts in the selected folder with the shortcuts for FSE. (The original programs themselves will remain untouched; only the links to them in that program folder are overwritten.)

    Workaround: Either accept the default or enter the name of a totally new folder.

  5. FSE will not properly scan for viruses if installed to a folder with non-ASCII characters.

    Workaround: Choose a path that contains only characters from the following groups: letters (A-Z, a-z), numbers (0-9), or the symbols :\/!#$%'()+,-.;=@[]^_`{}~.

  6. In PowerShell, in the incident and quarantine records, time is displayed as Universal Time Coordinate (UTC), which might differ from local time.

  7. The delivery of an item from quarantine on the passive node of a CCR cluster does not work.

    Reason: The FSEMailPickup service is not automatically started on the passive node of a CCR cluster.

    Workaround: Start the FSEMailPickup service, using Service Control Manager, either before or after using the Send-FSEQuarantine PowerShell cmdlet.

  8. The MessagesScanned and MessagePartsScanned malware and filter statistics are not reset when you use the Clear-FSEReport PowerShell cmdlet.

    Workaround: None.

  9. If antispam is enabled during the installation of FSE on an Exchange Server 2007 hub, Exchange Management Console does not reflect it as having been enabled. If antispam is enabled with the Set-FseSpamFiltering cmdlet in Forefront Management Shell, Exchange Management Console correctly reflects it.

    Reason: FSCController does not have write access to the flag controlling whether Exchange Management Console displays antispam-related settings.

    Workaround: The flag controlling whether Exchange Management Console displays antispam-related settings can be set using the following Exchange Management Shell command:

    Set-TransportServer -Identity MachineName -AntispamAgentsEnabled $true

  10. Engine updates fail when FSE is installed on the Japanese version of the Microsoft Windows 7 operating system.

    Reason: This is possibly due to WinHttp failure.

    Workaround: None. This scenario is not supported at this time. It was supported in the Beta 2 build that supported Exchange 14 versions prior to DF7.


The documentation for this product is distributed in .chm format and is provided with this package. After installation, access help either from the Forefront Server Security Administrator interface or use the F1 key when running the Forefront Server Security Administrator.

Frequently Asked Questions

Regularly updated lists of frequently asked questions are available on Microsoft's Web site (


Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2009 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Forefront, SharePoint, Windows, Windows NT, Windows Vista, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.