Forefront Security for Exchange Server - Release Notes

 

Applies to: Forefront Security for Exchange Server

Microsoft Forefront Security for Exchange Server, Version SYBARI_PRODUCT_MAJOR.

(Build SYBARI_BUILD_MAJOR)

Thank you for using Microsoft Forefront Security for Exchange Server, antivirus protection for Microsoft Exchange servers. This Readme file contains important information regarding the current version of the product. It is highly recommended that you read the entire document.

To view the latest updated Readme.htm, see: https://go.microsoft.com/fwlink/?linkid=91952.

What's in this file

Important Notes

New Features

Known Issues

Documentation

Frequently Asked Questions

The EICAR Antivirus Test File

Important Notes

  1. The Forefront Server Security Administrator console may display a license expired notice after upgrading FSE. This message is only reported if you have configured an alternate DatabasePath during the upgrade (the default DatabasePath is: Program Files(x86)\Microsoft Forefront Server Security\Exchange Server\data). You may need to re-select the engines that were previously configured and restart the Microsoft Forefront services.

    This issue can be resolved prior to upgrading FSE by copying the engineinfo.cab file to the current location of the Engines folder (by default, the location is: Microsoft Forefront Server Security\Exchange Server\data\Engines). Because engineinfo.cab is embedded in the installation executable, you should copy setup.exe to a temporary location on disk and then type the following command to extract its contents:

    setup.exe /x:extractpath

    Note that if the extract path contains spaces, you must enclose the path in quotes. For example: setup.exe /x:"c:\Program Files(x86)\Microsoft Forefront Server Security\Exchange Server\data\Engines".

  2. Upgrades from releases earlier than 10.0 are not supported.

  3. When applying upgrades and hotfixes, the shutdown order, as given in the User Guide, has been changed. You should first stop all Exchange services and then stop any Forefront Server Security services that might still be running.

  4. The standard Forefront Security for Exchange Server license includes a number of antivirus scan engines. After a fresh install, four random engines will be selected for scanning, along with the Microsoft engine. Once the product has been installed, the Forefront Server Security Administrator can be used to change the engine selection. A maximum of five engines can be selected per scan job.

  5. After a fresh install, new signature files must be downloaded to ensure the most up-to-date protection. An hourly scanner update for each licensed engine will be scheduled. These updates will start 5 minutes after Forefront Security for Exchange Server services are started. However, if a proxy is being used for scanner updates, these scheduled updates will fail until all the proxy information has been entered. Use the Forefront Server Security Administrator to enter proxy username and password. Under "SETTINGS", General Options, Scanner Updates, enter the appropriate information into Proxy Username and Proxy Password (the Proxy Server Name and Proxy Port should have been entered during installation; if not, you can enter them here also). Once this is done, use the 'Update Now' button on the Scanner Updates work pane to perform an immediate scanner update for each engine.

    Note

    You should successfully update at least one engine before the installation is considered complete.
    Until all the licensed engines have been successfully downloaded, errors may appear in the ProgramLog.txt file. These errors include "ERROR: Could not create mapper object".

  6. To verify that Microsoft Forefront Security for Exchange Server has been correctly installed with default protection enabled, click "Operate", and then "Run Job" in the Shuttle Navigator. You should see the following:

    • On a server that contains a Mailbox role, there should be a Realtime Scan Job enabled, and a Manual Scan Job.

    • On a server that includes a Transport role (such as a Hub Transport, Edge, or Mailbox/Hub Transport server) there should be a Transport Scan Job enabled.

  7. Microsoft Forefront Security for Exchange sets an optimization tag on Mailbox servers to skip the scan at the Store if mail is going to be sent to a Hub Transport server. When using this configuration, Microsoft Forefront Security for Exchange must also be installed on Hub Transport servers, otherwise outgoing mail will not be scanned.

  8. To enable scheduled background scanning, perform the following steps:

    • Click "OPERATE" in the Navigation Shuttle, and then click "Schedule Job". The "Schedule Job" pane appears on the right.

    • The top portion of the Schedule Job pane shows the Background Scan Job and indicates if the Scheduler is enabled or disabled.

    • When you select the Background Scan Job, the bottom portion of the Schedule Job pane shows its scheduling information and configuration.

    • To schedule a Background Scan, simply select the date, time, and frequency and click "Save". Click "Enable" if the Scheduler is not already enabled.

    • Background Scanning now supports additional scoping options which determine which messages are scanned whenever a background scan is started. To modify these options, select “SETTINGS” in the Navigation Shuttle, and then select General Options. The General Options settings appear in the right pane. Select the desired scan scoping options under "Background Scanning".

    • By default, Realtime Mailbox server scanning does not include the scanning of message bodies. To include message body scanning, select “SETTINGS” in the Navigation Shuttle, and then select General Options. In the right pane (under “Scanning”), select the “Body Scanning – Realtime” option.

    • Verify that the Realtime Scan Job is enabled on the OPERATE/Run Job pane.

  9. The Forefront Server Security Administrator cannot be used to manage servers running versions earlier than release 10.0.

  10. Microsoft Forefront Security for Exchange Server is not supported on two-node active/active Exchange cluster configurations.

  11. If the SharePoint Portal Alert service is on the server and running, an upgrade or uninstall of Microsoft Forefront Security for Exchange Server might require a reboot.

  12. To enable the Forefront Server Security Administrator to connect to a remote Forefront server, the "Anonymous Logon" group must be granted remote access permission. To make this change, run 'dcomcnfg'. Expand Component Services, right click My Computer, and then select Properties. On the COM Security tab, click Edit Limits and add remote access to the "Anonymous Logon" user.

    On Windows XP SP2, an additional setting change must be made to allow the Forefront Server Security Administrator application through Windows Firewall. Open Control Panel, and then open 'Security Center'. Click Windows Firewall, and on the Exceptions tab, click 'Add Program'. Select Forefront Server Security Administrator from the list, and then click OK to return to the Exceptions tab. Select the checkbox for Forefront Server Security Administrator, and then click 'Add port'. Give the port a name, enter '135' for the port number, and select TCP. Click OK twice.

    If there is concern about opening port 135 to all computers, it can be opened for only the Forefront Server servers. When adding port 135, click 'Change Scope' and select 'Custom List'. Type in the IP addresses of all Forefront Server servers you want to connect to.

  13. When installing an antivirus solution using the VSAPI2, the VirusScan registry key is created to save information concerning the VSAPI library. If this key is present when you attempt to install Microsoft Forefront Security for Exchange Server, the installation will fail. You will need to delete the key before attempting to reinstall Forefront Security for Exchange Server.

    The registry key you will need to delete is:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\VirusScan

    Delete the entire VirusScan key.

    Additionally, VSAPI will not allow you to run multiple antivirus software solutions concurrently.

  14. Files compressed into multipart RAR volumes are subject to the uncompressed file size limit specified by the registry key MaxUncompressedFileSize. The default value of this limit is 100MB. If any file exceeds the limit, any multipart RAR volume which contains the file, or a part of the file, will be deleted. For more information, see MaxUncompressedFileSize in the "Registry Keys" section and the discussion of "Treat Multipart RAR Archives as Corrupted Compressed" in the "Forefront Server Security Administrator" section of the "Forefront Security for Exchange Server User Guide".

  15. To prevent Forefront from requiring a reboot during an upgrade or uninstall, shut down the MOM agent (or any other monitoring software) and make sure that any command prompts or Explorer windows do not have the Forefront installation folder or any of the subfolders open. After the upgrade or uninstall is complete, start the MOM agent again.

  16. Microsoft Forefront Security for Exchange Server does not support customers using their own procedure to download engine updates from the Microsoft web sites. Forefront provides the ability for a server to be used as a redistribution server, but this server must use Forefront to get the updates from Microsoft.

  17. The Forefront Security for Exchange Server database path name (DatabasePath registry key) has a maximum length of 216 characters.

  18. If you change the install path, its name must be less than 170 characters.

  19. UNC paths specified for engine updates must not end with a backslash ("\").

  20. When Microsoft Forefront Security for Exchange Server is installed on an Edge Transport server that is not a member of a domain, the InternalAddress setting will be empty.

  21. Notifications and Deliver From Quarantine functionality will not work if Microsoft Forefront Security for Exchange Server is installed on a Mailbox Only role and the server is a Domain Controller.

  22. Importing filter lists from a UTF-8 formatted file is not supported.

  23. It is recommended that you have the Transport Scan Job do file filtering, since Transport is able to retrieve mail from the Store before it is scanned by the Realtime Scan Job. Since all mail must go through the Hub Transport role, the same filters would be applied to all messages.

  24. Forefront will only install and run with the default setting of "Remote Signed" that Exchange places on the PowerShell execution policy. Changing it to a more restrictive policy such as "Restricted" or "AllSigned" is not supported by Forefront.

  25. To aid you in filtering for profanity with keywords, we have included example lists in various languages. This is an optional component of FSE and must be installed separately.

  26. Single node management of Forefront Security for Exchange Server is available using the Forefront Server Security Administrator. Multi-server management of Forefront Server Security through the Microsoft Forefront Security Management Console (FSSMC) is available.

    Important

    To remotely manage Forefront Security for Exchange Server v. 10.2, you must use FSSMC Rollup 3.

  27. In order to provide a consistent User Experience in the Microsoft Forefront Server Security Administrator Client, the servers involved should be configured with uniform locale settings. Specifically, the System Locale settings of the computer where the server is being run should match the User Locale settings of the computer where the client is being run. If these two locales do not match, connection will not be allowed.

  28. When installing Forefront Server Security for Exchange on a CCR cluster, the installation path must be the same for both nodes.

  29. In General Options, the Internal Address setting is limited to 64 kilobytes (KB) of text.

  30. When running Forefront Security for Exchange Server on a CCR cluster, the General Option "Redistribution Server" is selected, by default, after install. It must remain selected for proper engine replication.

  31. When uninstalling Forefront Security for Exchange Server, Active Directory must be available for the uninstall to work correctly.

  32. Before starting Information Store, please make sure to start the FSCConfigurationServer service. If this is not done, you may see a message stating that the Microsoft Exchange Information Store could not be started. In that case, start FSCConfigurationServer and then try starting Information Store again.

  33. If you want to have critical notifications sent, you must configure the Virus Administrator Address. This can be done in PowerShell. For example, if the address you wish to set is "admin@example.com", open the Forefront PowerShell console and execute the command:

    Set-FSEAdvancedOptions -VirusAdministratorAddress "admin@example.com"

  34. If you disable worm list updates, a warning is written to the application log stating that not all engines are enabled for updates. You may receive this message even if you have enabled updates for all antivirus scan engines. It is recommended that you enable updates for the worm list.

New Features

Build SYBARI_PRODUCT_MAJOR.SYBARI_PRODUCT_MINOR.SYBARI_BUILD_MAJOR (Includes all features from Forefront Security for Exchange Server 10.1.0746):

  1. When Forefront Security for Exchange Server (FSE) adds or deprecates an engine, you are informed via notification entries in the event log. You can also configure notifications to be sent to Virus Administrators in addition to the event log by using the Forefront Server Security Administrator; for more information about how to do this, see “E-mail notifications” in the Forefront Security for Exchange Server User Guide.

    Adding new scan engines

    When FSE adds a scan engine, an announcement is written to the event log that publicizes that the engine was added to your configuration. This notification - which includes links to information about this new engine - is written to the event log only once.

    Deprecating scan engines

    When FSE is no longer going to support a scan engine, an announcement is written to the event log to publicize the date on which updates for this engine will no longer be available. Notifications, which include links to information about this engine's deprecation, are written to the event log on a weekly basis up until the date on which the engine becomes obsolete.

    Upon receiving a notification about an engine being deprecated, it is strongly recommended that you disable the use of this engine with any scan jobs. Once the engine becomes obsolete, the definitions on disk will become out of date and the scanning usefulness of this engine diminishes.

    After the date on which the engine becomes obsolete, updates are no longer available for this engine. If the obsolete engine is still enabled for updates, update checks for that engine are automatically disabled, and an error notification is written to the event log. If the obsolete engine is in use with a scan job, an error notification is written to the event log on a daily basis until the engine is disabled for that scan job.

    For more information regarding engine revisions, refer to Antimalware Engine Notifications and Developments.

Build 10.1.0746 (Includes all features from Forefront Security for Exchange Server 10.0.0566.0):

  1. Added support for Windows Server 2008.

  2. Added support for IPv6.

  3. A new General Option "Treat multipart RAR archives as corrupted compressed" has been added. When this option is enabled (the default setting), files determined by Forefront to be multipart RAR will be treated as corrupted compressed and acted on according to the "Delete Corrupted Compressed Files" General Option setting. When this option is disabled, Forefront will pass each file within the RAR volume to the scan engines. NOTE: if a file spans RAR volumes, Forefront will only be able to pass the partial file to the scan engines and file type filtering may not work.

  4. A new General Option "Treat high compression ZIP files as corrupted compressed" has been added. When this option is enabled (the default setting), if a zip archive is found to contain one or more highly compressed files, it will be treated as corrupted compressed, and acted on according to the "Delete Corrupted Compressed Files" General Option setting. When this option is disabled, any file within a zip archive that is highly compressed with either the Deflate64, Bzip2, or PPMD algorithms will be sent to the scan engines in its compressed form. In this case, the entire zip archive will not be treated as corrupted compressed as long as no other files are compressed using other high compression algorithms.

  5. If Microsoft Updates (MU) has not already been activated for the server, an option to opt into the MU program will be presented during the install.

  6. Forefront scheduled tasks will now be handled using Task Scheduler. Each repeated task will now show as one scheduled task in the Scheduled Tasks UI.

  7. A Profanity Keyword Setup package is now distributed as part of the Forefront for Exchange Server installation. When run, localized profanity keyword lists are extracted and can be imported into Forefront Administrator to be used for keyword filtering.

  8. New Health State Monitoring event log entries have been added to provide administrators with a higher-level view of the system and enable them to do proactive monitoring. The Forefront MOM pack has been enhanced to use these log entries to generate MOM alerts.

  9. A new Product Licensing Agreement and Expiration entry screen has been added. After you have activated your product, you should enter licensing information (obtained from Microsoft Sales). If you license your product, you can align when your product expires with your license agreement (otherwise, the expiration will be three years from the installation date). In addition, you can easily renew your license by entering a new expiration date. To license FSE, select Register Forefront Server from the Help menu. If you have not already activated the product, the Product Activation dialog box appears. After you enter your product activation information, the Product Licensing Agreement and Expiration dialog box appears. If you have activated FSE, only the Product License Agreement and Expiration dialog box appears. Enter your 7-digit License Agreement Number and an expiration date. You should enter a date that corresponds to the expiration of your license agreement. That will coordinate the expiration of both the license agreement and the product. When the product nears its expiration, you should renew your license agreement and enter the new license information into the Product Licensing Agreement and Expiration dialog box.

Build 10.0.0566.0 (includes all features from Antigen 9.0.1055):

  1. The default InternetProcessCount and RealtimeProcessCount values on fresh installs will be set to 4. The existing value will not be changed during upgrades. Note: Services will still need to be recycled for these values to take effect.

  2. The behavior of the "Max Container File Infections" General Option has changed. If the option is set to '0', and a filter match occurs within the container, the entire container will be deleted.

Build 9.0.1055 (Includes all features from Antigen 8.0.1517):

  1. For each scan engine, a secondary update path can be entered. If using the network update path to get an engine update fails for any reason, the secondary update path will be tried.

  2. A new General Option has been added that gives you the option to purge a message if any of the message body parts is deleted and there are no attachments.

  3. The default InternetProcessCount and RealtimeProcessCount values on fresh installs will be set to 2. The existing value will not be changed during upgrades. In addition, there are two new General Options in the UI to allow you to change these settings without editing the registry. Note: Services will still need to be recycled for these values to take effect.

  4. Separate notifications are now available for Spam/RBL, keywords, and sender/subject filters. Keyword filter notifications are available for the sender and recipients as well as the administrator. A new Spam Administrator is available for the Spam/RBL filters. Content Filter notifications are available for the sender and recipients, as well as the administrator, and include Sender and Subject Line filter notifications.

  5. Cluster support on Active/Passive clusters has been enhanced. Configuration data as well as scanner signature data are now associated with a Clustered Mailbox Server (formerly called Exchange Virtual Server). Registry data will be replicated on an Exchange Virtual Server basis.

Known Issues

  1. The FSCController Service is dependent on the NT Schedule service. The Schedule service must have the ability to start successfully for Microsoft Forefront Security for Exchange Server to initialize.

  2. A ZIP archive containing one or more files compressed with PKWARE's DCL-Implode or Deflate64(tm) algorithms will be treated as corrupted compressed.

  3. During a Hot Upgrade, you have the option to "Stop Waiting" if the upgrade is taking too long to process or if it has caused Forefront Security for Exchange Server to hang. However, if the "Stop Waiting" option is selected too soon after starting the process, there is a risk that Forefront Security for Exchange Server may be left in an off-line state. (Please allow 3-5 minutes before using the "Stop Waiting" option.) If this happens, the Exchange services may need to be recycled to restart Forefront Security for Exchange Server.

  4. The "Perform Updates at Startup" General Option setting will be cleared after an upgrade. If this setting was previously selected, use the Forefront Server Security Administrator to set this option back on after the upgrade.

  5. If the Service Control Manager is open, an install or upgrade may fail with "Setup failed in SetupRegistry".

  6. During the installation, when you are prompted by the Select Program Folder dialog for a program folder, either accept the default (Microsoft Forefront Server Security\Exchange Server) or enter the name of a totally new folder. Do not choose one from the list of Existing Folders, as all the current shortcuts in the selected folder will be replaced with the shortcuts for Forefront. (The original programs themselves will remain untouched; only the links to them in that Program Folder will be overwritten.)

  7. Installing Microsoft Forefront Security for Exchange Server in a folder that contains non-ASCII characters is not supported. Choose a path that contains only characters from the following groups: letters (A-Z, a-z), numbers (0-9) or the symbols :\/!#$%'()+,-.;=@[]^_`{}~.

  8. If you have multiple filter lists with names that differ only by case, they will not work properly.

  9. In the Forefront Security for Exchange Server User Guide, a correction has been made in the Read-Only Administrator section. The default database location is Program Files\Microsoft Forefront Security\Exchange Server\Data.

  10. If you create a user that is part of the Administrators Group with read-only access rights to FSE, when that user logs on and tries to open the Forefront Server Security Administrator, the following error will occur:

    ERROR: Unable to connect to service. An error was returned. Location: CocreateInstanceEx.Error: Access is denied.

    This error is caused by a Windows Server 2003 SP 1 security enhancement. To work around this problem, follow these steps:

    1. Run DCOMCNFG from START/Run. The Component Services dialog box appears.

    2. Expand Component Services.

    3. Expand Computers, My Computer, and DCOM Config.

    4. Right-click FSCController, and then select Properties.

    5. Click the Security tab, and then click Edit in Launch and Activation Permissions.

    6. Add “Domain Users”, and click Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

    7. Click OK for both open dialog boxes.

  11. The "Messages Scanned" Statistics counter will not increment for each message if Keyword Filtering is unchecked in the Forefront Server Security Administrator.
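The ZIP handling described in New Features item 4 for build 10.1.0746 and in Known Issue 2 keys on the compression method that each archive entry declares. The following Python is an added example, not Forefront code: it reads the method field from both the central directory and the local file header and reports the archive the way the default-enabled option would. The numeric method IDs come from the PKWARE ZIP APPNOTE rather than from this page, the header-mismatch check is an extra that Forefront is not documented to perform, and the names `triage_zip` and `build_sample` are hypothetical.

```python
"""Triage a ZIP archive by declared compression method (added example)."""
import io
import struct
import zipfile

# Method IDs from the PKWARE ZIP APPNOTE for the algorithms these notes name.
HIGH_COMPRESSION = {9: "Deflate64", 10: "DCL Implode", 12: "Bzip2", 98: "PPMd"}


def local_header_method(data, offset):
    """Return the compression method declared in the local file header."""
    if bytes(data[offset:offset + 4]) != b"PK\x03\x04":
        raise ValueError("no local file header at offset %d" % offset)
    return struct.unpack_from("<H", data, offset + 8)[0]


def triage_zip(data):
    """Flag entries whose central or local header declares a listed method.

    Assumption: a central/local mismatch is also flagged, because a scanner
    that trusts only one of the two headers can misjudge the entry.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            central = info.compress_type
            local = local_header_method(data, info.header_offset)
            hits = sorted({m for m in (central, local) if m in HIGH_COMPRESSION})
            if hits or central != local:
                flagged.append({
                    "name": info.filename,
                    "central_method": central,
                    "local_method": local,
                    "algorithms": [HIGH_COMPRESSION[m] for m in hits],
                    "header_mismatch": central != local,
                })
    verdict = "treat-as-corrupted-compressed" if flagged else "pass-to-scan-engines"
    return {"verdict": verdict, "flagged": flagged}


def build_sample(central, local=None):
    """Constructed sample: stored entries with the declared method patched.

    Python cannot write Deflate64 or PPMd, so the entries are stored and only
    the 2-byte method fields are rewritten. That is enough for header triage.
    """
    local = local or {}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in central:
            zf.writestr(name, b"constructed sample content")
    data = bytearray(buf.getvalue())
    # No archive comment, so the end-of-central-directory record is the last
    # 22 bytes; its field at +16 is the offset of the central directory.
    pos = struct.unpack_from("<I", data, len(data) - 22 + 16)[0]
    while bytes(data[pos:pos + 4]) == b"PK\x01\x02":
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + name_len].decode("ascii")
        local_offset = struct.unpack_from("<I", data, pos + 42)[0]
        struct.pack_into("<H", data, pos + 10, central[name])
        struct.pack_into("<H", data, local_offset + 8, local.get(name, central[name]))
        pos += 46 + name_len + extra_len + comment_len
    return bytes(data)


if __name__ == "__main__":
    sample = build_sample({"readme.txt": 0, "report.doc": 9, "data.bin": 12})
    report = triage_zip(sample)
    print(report["verdict"])
    for entry in report["flagged"]:
        print(entry["name"], entry["algorithms"], entry["header_mismatch"])
```
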

Documentation

The documentation for this product is distributed in .chm format and is provided with this package. After installation, you can access help from the Forefront Server Security Administrator user interface via the Help menu or by pressing the F1 key. To ensure that you are accessing the latest, most comprehensive FSE documentation, go to the following URL: https://go.microsoft.com/fwlink/?LinkID=92952

Frequently Asked Questions

Regularly updated lists of frequently asked questions are available on Microsoft's web site (https://go.microsoft.com/fwlink/?LinkID=78562).

Q: How can I restrict who can administer Microsoft Forefront Security for Exchange Server?

A: The Forefront Server Security Administrator uses DCOM to connect to the Forefront Security for Exchange Server component. DCOM settings for the 'FSCController' application are set to initially allow the Administrators group and SYSTEM full access. You can change the "Access" and "Launch" settings in DCOM to restrict access. You do this by launching the DCOMCNFG.EXE program and selecting FSCController from the Application tab. Once completed, you will need to restart the Exchange Services.

Q: When I uninstall Microsoft Forefront Security for Exchange Server, there seems to be a file left behind. Is that by design?

A: When uninstalling Microsoft Forefront Security for Exchange Server, the process will not remove the file IsUninst.EXE from the Windows folder (for example, c:\windows). It is possible for this file to be shared and used by other applications. If you determine that no other application is using this file, you may safely remove it from your system.

The EICAR Antivirus Test File

Provided below is the code for the EICAR Standard Antivirus Test File.

To test your installation, copy the following line into its own text file and name it EICAR.COM.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* 

When done, you will have a 69-byte or 70-byte file.

You can then attach this to an Exchange message for testing. Forefront Security for Exchange Server will report finding the EICAR-STANDARD-AV-TEST-FILE virus. If you have chosen the "Clean" or "Delete" action for virus filtering, Forefront Security for Exchange Server will also report the attachment as being deleted. The infected attachment will be removed from the test message or post and be replaced with a text file. The new file will contain something similar to the following string when viewed: "Microsoft Forefront Security for Exchange Server found a virus and deleted this file."

It is important to know that THIS IS NOT A VIRUS. However, users often have the need to test that installations function correctly. The antivirus industry, through the European Institute for Computer Antivirus Research, has adopted this standard to facilitate this need.

Please delete the file when installation testing is completed so that unsuspecting users are not unnecessarily alarmed.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Microsoft, Windows, Forefront, Internet Explorer, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.