Forefront Security for SharePoint - Release Notes

  • Article

 

Applies to: Forefront Security for SharePoint

Microsoft Forefront Security for SharePoint, version 10.2

(Build 942)

Thank you for using Microsoft Forefront Security for SharePoint which helps provide antivirus and content filtering protection for Microsoft Office SharePoint Server 2007 and Windows SharePoint Services 3.0. This Readme file contains important information regarding the current version of this product. It is highly recommended that you read the entire document.

To view the latest, updated release notes, check: https://go.microsoft.com/fwlink/?LinkID=105825.

What's in this file

New Features

Important Notes

Known Issues

The EICAR Antivirus Test File

New Features

  • Enhanced Quarantine Database and Functionality
  • Enhanced Incident Database and Functionality
  • General Options Panel
  • GZip Support
  • Read-only Client
  • Summary Notification after Manual Scan
  • Filtering by File Size
  • Realtime and Manual Scan jobs
  • Resizable UI
  • Custom Job Templates
  • New Configuration Management Tools
  • Realtime Diagnostics "live" on Enable Scanjob
  • 100% Real-time and manual scanning of all Workspaces
  • In-Memory Scanning
  • Scan files by type
  • Remote Installation
  • Automatic Updates
  • Remote Administration
  • Virus Incident Notification and Reporting
  • PerfMon Statistics
  • Quarantine Database

Important Notes

  1. The Forefront Server Security Administrator console may display a license expired notice after upgrading FSSP. This message is only reported if you have configured an alternate DatabasePath during the upgrade (the default DatabasePath is: Program Files(x86)\Microsoft Forefront Server Security\SharePoint\data). You may need to re-select the engines that were previously configured and restart the Microsoft Forefront services.
    This issue can be resolved prior to upgrading FSSP by copying the engineinfo.cab file to the current location of the Engines folder (by default, the location is: Microsoft Forefront Server Security\SharePoint\data\Engines). Because engineinfo.cab is embedded in the installation executable, you should copy setup.exe to a temporary location on disk and then type the following command to extract its contents:
    setup.exe /x: extractpath
    Note that if you are typing an extract path containing spaces, you must enclose quotes around the path. For example: setup.exe /x:"c:\Program Files(x86)\Microsoft Forefront Server Security\SharePoint\data\Engines".

  2. When FSSP adds or deprecates an engine, you are informed via notification entries in the event log. You can also configure notifications to be sent to Virus Administrators in addition to the event log by using the Forefront Server Security Administrator; for more information about how to do this, see “E-mail notifications” in the Forefront Security for SharePoint User Guide.
    Adding new scan engines
    When FSSP adds a scan engine, an announcement is written to the event log that publicizes that the engine was added to your configuration. This notification - which includes links to information about this new engine - is written to the event log only once.
    Deprecating scan engines
    When FSSP is no longer going to support a scan engine, an announcement is written to the event log to publicize the date on which updates for this engine will no longer be available. Notifications, which include links to information about this engine's deprecation, are written to the event log on a weekly basis up until the date on which the engine becomes obsolete.
    Upon receiving a notification about an engine being deprecated, it is strongly recommended that you disable the use of this engine with any scan jobs. Once the engine becomes obsolete, the definitions on disk will become out of date and the scanning usefulness of this engine diminishes.
    After the date on which the engine becomes obsolete, updates are no longer available for this engine. If the obsolete engine is still enabled for updates, update checks for that engine are automatically disabled, and an error notification is written to the event log. If the obsolete engine is in use with a scan job, an error notification is written to the event log on a daily basis until the engine is disabled for that scan job.
    For more information regarding engine revisions, refer to Antimalware Engine Notifications and Developments.

  3. When Forefront Security for SharePoint cleans an infected file that has been checked into a document library, the file extension will not be changed. For example:
    If the file "eicar.com" is detected, the contents will be removed and replaced with deletion text, but the file extension will remain ".com" rather than being changed to "eicar.txt." If the same file is cleaned while it is nested inside a compressed file, however, the extension will be changed to ".txt."

  4. Upgrades from releases earlier than 10.0.0566.0 are not supported.

  5. The Forefront Security for SharePoint Notification Web Parts feature is not supported in this release.

  6. After a fresh install, new signature files must be downloaded to ensure the most up to date protection. An hourly scanner update for each licensed engine will be scheduled. These updates will start 5 minutes after Forefront Security for SharePoint services are started. However, if a proxy is being used for scanner updates, these scheduled updates will fail unless you use the Forefront Server Security Administrator to enter the proxy information. Once this is done, use the 'Update Now' button to perform an immediate scanner update for each engine.

    Note

    A successful update of at least one engine should occur before the installation is considered complete.
    Until all the licensed engines have been successfully downloaded, errors may appear in the ProgramLog.txt file. These errors include "ERROR: Could not create mapper object".

  7. The standard Forefront Security for SharePoint license includes a number of antivirus scan engines. During a fresh install, five random engines will be selected for scanning. Once the product has been installed, the Forefront Server Security Administrator can be used to change the engine selection. A maximum of five engines can be selected per scan job.

  8. The Forefront Server Security Administrator cannot be used to manage servers running versions earlier than release 10.0.

  9. To enable the Forefront Server Security Administrator to connect to a remote Forefront server, the "Anonymous Logon" group must be granted the remote access permission. To make this change, run 'dcomcnfg'. Navigate to MyComputer in Component Services, right click My Computer and select Properties; choose the COM Security page. Under Access Permissions, click Edit Limits and add Remote Access to the "Anonymous Logon" user. On WinXP SP2, an additional setting change needs to be made to allow the Forefront Server Security Administrator application. Run Control Panel, choose 'Security Center'. Enter the Windows Firewall admin and go to the Exceptions tab. Choose 'Add Program', select Forefront Server Security Administrator from the list and click OK. Now, check Forefront Server Security Administrator in the list on the Exceptions tab. Choose 'Add port'; Add '135' for the port number, with TCP checked, and any name. Click OK.
    If there is concern about opening port 135 to all computers, it can be opened for only the Forefront Server servers. When adding port 135, click 'Change Scope' and Select 'Custom List'. Type in the IP addresses of all Forefront Server servers you want to connect to.

  10. Forefront Security for SharePoint is able to scan the first part of a multi-part RAR file. Any other part of a multi-part RAR will be treated as CorruptedCompressed, and be treated according to the "Delete Corrupted Compressed Files" setting.

  11. To prevent Forefront from requiring a reboot during Upgrade or Uninstall, please shut down the MOM agent (or any other monitoring software) and make sure that any command prompts or Explorer windows do not have the Forefront installation folder or any of its subfolders open. After Upgrade or Uninstall is complete the MOM agent should be started again.

  12. Microsoft Forefront Security for SharePoint does not support you using your own procedure to download engine updates from the Microsoft web sites. Forefront provides the ability for a server to be used as a redistribution server, but this server must use Forefront to get the updates from Microsoft.

  13. Forefront Security for SharePoint database path names (DatabasePath registry key) greater than 216 characters are not supported.

  14. Localized database path names (in the DatabasePath registry key) are not supported.

  15. When installing Microsoft Forefront Security for SharePoint, the length of the install path must be less than 170 characters.

  16. UNC paths specified for engine updates must not end with a backslash ("\").

  17. Importing filter lists from a UTF-8 formatted file is not supported.

  18. Microsoft Forefront Security for SharePoint is not supported when running on a server that has both Microsoft Exchange and SharePoint installed.

  19. Keyword filtering will analyze the contents of Excel files, as well as the Text/HTML/Word/PowerPoint types shown in the Forefront Server Security Administrator.

  20. The summary notification of a Manual Scan is sent to the Virus Administrator of the Realtime Scan job.

  21. Keyword Filtering lists are not available for download from Microsoft in this release.

  22. Single node management of Forefront Security for SharePoint is available via the Forefront Server Security Administrator. Multi-server management of Forefront Server for Sharepoint is available via the Microsoft Forefront Security Management Console. However, you cannot use more than one instance of FSSMC to manage multiple FSSP servers.

  23. If the password is changed on the account that was entered for SharePoint database access, the password must be changed on the FSSPController service using the Service Control Manager.

  24. In order to provide a consistent User Experience in the Microsoft Forefront Server Security Administrator Client, the machines involved should be configured with uniform locale settings. Specifically, the System Locale settings in the machine where the server is being run should match the User Locale settings in the machine where the client is being run. If these two locales do not match, date and time information will be presented in a combination of formats that may be confusing.

  25. In the Forefront Security for SharePoint User Guide, the term "SharePoint Services" includes the World Wide Web Publishing Service when discussing stopping and starting SharePoint services.

  26. You can move the Quarantine and Incidents databases. However, for FSSP to function properly, you must move both databases, and all related databases and support files.
    To move all the files

    1. Create a new folder in a new location (for example: C:\Moved Databases).
    2. Set the permissions for the new folder. Right-click the new folder, and then select Properties. On the Security tab, add “Network Service”, “WSS_ADMIN_APG” and “WSS_WPG” with Full Control privileges. Also, allow all permissions for Administrators and System.
    3. Stop World Wide Web Publishing Service, Windows SharePoint Services Timer and any Forefront Security for SharePoint services that might still be running after SharePoint is shut down.
    4. Copy the entire contents of the Data folder, including the subfolders, from the Forefront Security for SharePoint installation folder into the folder created in step 1. (This results in a folder called C:\Moved Databases\Data.)
    5. Change the path in one of these DatabasePath registry keys to point to the new Data folder location:
      For 32-bit systems: HKLM\SOFTWARE\Microsoft\Forefront Server Security\SharePoint\DatabasePath
      For 64-bit systems: HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\SharePoint\DatabasePath
    6. Restart the World Wide Web Publishing Service and Windows SharePoint Services Timer services.

Known Issues

  1. The FSCController service is dependent on the NT Schedule service. The Schedule service must have the ability to start successfully for Microsoft Forefront Security for SharePoint to initialize.
  2. Attachments compressed with PKWARE's DCL-Implode are not scanned.
  3. Attachments compressed with PKWARE's Deflate64(tm) are not scanned at this time.
  4. If the Service Control Manager is open, an install or upgrade may fail with "Setup failed in SetupRegistry".
  5. Installing Microsoft Forefront Security for SharePoint in a folder that contains non-ASCII characters is not supported. Please choose a path that contains only characters from the following groups: letters (A-Z, a-z), numbers (0-9) or the symbols :\/!#$%'()+,-.;=@[]^_`{}~
  6. Having multiple filter lists names that differ only by case will not work properly.
  7. In the Forefront Security for SharePoint User Guide, a correction should be made in the Read-Only Administrator section. The default database location is Program Files\Microsoft Forefront Security\SharePoint\Data on 32-bit servers, Program Files(x86)\Microsoft Forefront Security\SharePoint\Data on 64-bit servers.
  8. To prevent reboots, please ensure that the following services are stopped/disabled before running the upgrade:
    • MOM 
    • Perfmon
    • Eventvwr
    • SPTimer
  9. During the installation, when you are prompted by the Select Program Folder dialog for a program folder, either accept the default (Microsoft Forefront Server Security\SharePoint) or enter the name of a totally new folder. Do not choose one from the list of Existing Folders, as all the current shortcuts in the selected folder will be replaced with the shortcuts for Forefront. (The original programs themselves will remain untouched; only the links to them in that Program Folder will be overwritten.)
  10. Forefront Security for SharePoint should be uninstalled before WSS is uninstalled. Uninstalling WSS before Forefront will prompt that Exchange services and the IISAdmin service be stopped. Once the IISAdmin is stopped, Forefront for SharePoint can be uninstalled. However, the FFSPUsernameFilter will not be removed and this will cause non-SharePoint sites to hang. To get out of this state, the FFSPUsernameFilter can be removed manually. Launch IIS Manager->Web Sites and right click of "Properties" to remove FFSPUsernameFilter from the ISAPI filters. Once this is done, recycle the IISAdmin to release non-SharePoint sites to hang.
  11. If Office 2003 or Office 2007 is installed on the SharePoint server, uninstalling the Office product will cause the keyword filtering to stop functioning.
  12. Manual scan does not work on sites that use the Enterprise-Document Center and Publishing-Collaboration Portal templates. It will be detected by the Manual scan and it will not be cleaned

The EICAR Antivirus Test File

Provided below is the code for the EICAR Standard AntiVirus Test File.

To test your installation, copy the following line into its own text file and name it EICAR.COM.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

When done, you will have a 69-byte or 70-byte file.

You can use this file to check into a SharePoint server for testing. Forefront Security for SharePoint will report finding the EICAR-STANDARD-AV_TEST-FILE virus. If you have "cleaning" enabled, Forefront Security for SharePoint will also report the attachment as being deleted. The infected attachment will be removed from the test message or post and be replaced with a text file. The new file will contain the following string when viewed: "Microsoft Forefront Security for SharePoint found a virus and deleted this file."

It is important to know that THIS IS NOT A VIRUS. However, users often have the need to test that installations function correctly. The antivirus industry, through the European Institute for Computer Antivirus Research, has adopted this standard to facilitate this need.

Please delete the file when installation testing is completed so that unsuspecting users are not unnecessarily alarmed.

Information in this document, including URL and other Internet Web site references, is subject to change without notice.  Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious.  No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.  Complying with all applicable copyright laws is the responsibility of the user.  Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document.  Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Microsoft, Windows, Forefront, Internet Explorer, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.