Microsoft Forefront Security for Exchange Server, Version 10 with Service Pack 1.

(Build 0746)

Thank you for using Microsoft Forefront Security for Exchange Server, antivirus protection for Microsoft Exchange servers. This Readme file contains important information regarding the current version of the product. It is highly recommended that you read the entire document.

To view the latest updated Readme.htm, see: http://go.microsoft.com/fwlink/?linkid=91417.

What's in this file

Requirements

Special Note for Deliver from Quarantine Security

Important Notes

New Features

Software Fixes

Known Issues

Documentation

Frequently Asked Questions

The EICAR Anti-Virus Test File

Requirements

Note:
All minimum system memory and disk space requirements for Microsoft Exchange Server 2007 must be met before installing Forefront Security for Exchange Server. Too little available memory or disk space may impact the ability of Forefront to scan large files.

Minimum Server Requirements:

  • Microsoft Windows Server 2003 or Microsoft Windows Server "Longhorn"

  • Microsoft Exchange Server 2007

  • 1 gigabyte (GB) of free memory, in addition to that required to run Exchange 2007 (2 GB recommended). (Note: with each additional scan engine used, more memory is needed for each scanning process.)

  • 2 GB of available disk space

  • Intel processor (1 GHz)

Minimum Workstation Requirements:

  • Windows 2000 Professional or Windows 2003

  • 6 MB of available memory

  • 10 MB of available disk space

  • Intel processor

Special Note for Deliver From Quarantine Security

The new General Option "Deliver from Quarantine Security" has been added to give administrators more flexibility for handling messages and attachments that are forwarded from Quarantine. The options for this setting are "Secure Mode" and "Compatibility Mode."

  • Secure Mode is the default. It causes all messages and attachments delivered from Quarantine to be re-scanned for viruses and filter matches.

  • Compatibility Mode allows messages and attachments to be delivered from Quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.) Forefront Security for Exchange Server identifies these messages by placing a special "Tag" text in the subject line of all messages that are delivered from Quarantine.

During installation, you are now asked if you would like to run in "Secure Mode" or "Compatibility Mode." If you would like Forefront Security for Exchange Server to continue to allow messages and attachments to be delivered from Quarantine without being rescanned for filter matches, select "Compatibility Mode." If you would like messages and attachments to be rescanned, select "Secure Mode." This setting applies to the Realtime and Transport Scan Jobs.

You can customize the subject line "Tag" text used when messages are delivered from quarantine by using the new registry key "ForwardedAttachmentSubject". The subject line Tag text can be changed to a unique string for the organization or changed into a local language.

Note:
If the General Option "Deliver from Quarantine Security" is set to "Secure Mode," old messages that were delivered from Quarantine may be re-detected and Quarantined if they are scanned again by the Realtime scanner.

If the General Option "Deliver from Quarantine Security" is set to "Compatibility Mode" and the subject line tag text is changed, filters will be applied to messages already in the organization that were tagged with old tag text in the subject line if they are re-scanned.

No matter which mode is selected, all inbound messages will be scanned and filtered by the Forefront Security for Exchange Server Transport scan job.

By default, a Manual Scan will not perform file filtering on messages that were forwarded from Quarantine. If you want to run a Manual Scan and have forwarded attachments detected again, you must create the "ManuallyScanForwardedAttachments" registry value and set it to 1.

Important Notes

  1. Upgrades from releases earlier than 10.0 are not supported.

  2. When applying upgrades and hotfixes, the shutdown order, as given in the User Guide, has been changed. You should first stop all Exchange services and then stop any Forefront Server Security services that might still be running.

  3. The standard Forefront Security for Exchange Server license includes 8 antivirus scan engines: Microsoft, Norman, Sophos, Command, Kaspersky, VBuster, AhnLab, and Computer Associates. After a fresh install, five random engines will be selected for scanning. Once the product has been installed, the Forefront Server Security Administrator can be used to change the engine selection. A maximum of 5 engines can be selected per scan job.

  4. After a fresh install, new signature files must be downloaded to ensure the most up-to-date protection. An hourly scanner update for each licensed engine will be scheduled. These updates will start 5 minutes after Forefront Security for Exchange Server services are started. However, if a proxy is being used for scanner updates, these scheduled updates will fail until all the proxy information has been entered. Use the Forefront Server Security Administrator to enter proxy username and password. Under "SETTINGS", General Options, Scanner Updates, enter the appropriate information into Proxy Username and Proxy Password (the Proxy Server Name and Proxy Port should have been entered during installation; if not, you can enter them here also). Once this is done, use the 'Update Now' button on the Scanner Updates work pane to perform an immediate scanner update for each engine.

    Note:
    You should successfully update at least one engine before the installation is considered complete.

    Until all the licensed engines have been successfully downloaded, errors may appear in the ProgramLog.txt file. These errors include "ERROR: Could not create mapper object".

  5. To verify that Microsoft Forefront Security for Exchange Server has been correctly installed with default protection enabled, click "Operate", and then "Run Job" in the Shuttle Navigator. You should see the following:

    • On a server that contains a Mailbox role, there should be a Realtime Scan Job enabled, and a Manual Scan Job.

    • On a server that includes a Transport role (such as a Hub Transport, Edge, or Mailbox/Hub Transport server) there should be a Transport Scan Job enabled.

  6. Microsoft Forefront Security for Exchange sets an optimization tag on Mailbox servers to skip the scan at the Store if mail is going to be sent to a Hub Transport server. When using this configuration, Microsoft Forefront Security for Exchange must also be installed on Hub Transport servers, otherwise outgoing mail will not be scanned.

  7. To enable scheduled background scanning, perform the following steps:

    • Click "OPERATE" in the Navigation Shuttle, and then click "Schedule Job". The "Schedule Job" pane appears on the right.

    • The top portion of the Schedule Job pane shows the Background Scan Job and indicates if the Scheduler is enabled or disabled.

    • When you select the Background Scan Job, the bottom portion of the Schedule Job pane shows its scheduling information and configuration.

    • To schedule a Background Scan, simply select the date, time, and frequency and click "Save". Click "Enable" if the Scheduler is not already enabled.

    • Background Scanning now supports additional scoping options which determine which messages are scanned whenever a background scan is started. To modify these options, select "SETTINGS" in the Navigation Shuttle, and then select General Options. The General Options settings appear in the right pane. Select the desired scan scoping options under "Background Scanning".

    • By default, Realtime Mailbox server scanning does not include the scanning of message bodies. To include message body scanning, select "SETTINGS" in the Navigation Shuttle, and then select General Options. In the right pane (under "Scanning"), select the "Body Scanning - Realtime" option.

    • Verify that the Realtime Scan Job is enabled on the OPERATE/Run Job pane.

  8. The Forefront Server Security Administrator cannot be used to manage servers running versions earlier than release 10.0.

  9. Microsoft Forefront Security for Exchange Server is not supported on two-node active/active Exchange cluster configurations.

  10. If the SharePoint Portal Alert service is on the server and running, an upgrade or uninstall of Microsoft Forefront Security for Exchange Server might require a reboot.

  11. To enable the Forefront Server Security Administrator to connect to a remote Forefront server, the "Anonymous Logon" group must be granted remote access permission. To make this change, run 'dcomcnfg'. Expand Component Services, right click My Computer, and then select Properties. On the COM Security tab, click Edit Limits and add remote access to the "Anonymous Logon" user.

    On WinXP SP2, an additional setting change must be made to allow the Forefront Server Security Administrator application. Open Control Panel, and then open 'Security Center'. Click Windows Firewall, and on the Exceptions tab, click 'Add Program'. Select Forefront Server Security Administrator from the list, and then click OK to return to the Exceptions tab. Select the checkbox for Forefront Server Security Administrator, and then click 'Add port'. Give the port a name, enter '135' for the port number, and select TCP. Click OK twice.

    If there is concern about opening port 135 to all computers, it can be opened for only the Forefront Server servers. When adding port 135, click 'Change Scope' and select 'Custom List'. Type in the IP addresses of all Forefront Server servers you want to connect to.

  12. When installing an antivirus solution using the VSAPI2, the VirusScan registry key is created to save information concerning the VSAPI library. If this key is present when you attempt to install Microsoft Forefront Security for Exchange Server, the installation will fail. You will need to delete the key before attempting to reinstall Forefront Security for Exchange Server.

    The registry key you will need to delete is:

    HKEY_LOCAL_MACHINE->System->CurrentControlSet->Services->MSExchangeIS->VirusScan
    Delete the entire VirusScan key.

    Additionally, VSAPI will not allow you to run multiple antivirus software solutions concurrently.

  13. Files compressed into multipart RAR volumes are subject to the uncompressed file size limit specified by the registry key MaxUncompressedFileSize. The default value of this limit is 100MB. If any file exceeds the limit, any multipart RAR volume which contains the file, or a part of the file, will be deleted. For more information, see MaxUncompressedFileSize in the "Registry Keys" section and the discussion of "Treat Multipart RAR Archives as Corrupted Compressed" in the "Forefront Server Security Administrator" section of the "Forefront Security for Exchange Server User Guide".

  14. To prevent Forefront from requiring a reboot during an upgrade or uninstall, shut down the MOM agent (or any other monitoring software) and make sure that any command prompts or Explorer windows do not have the Forefront installation folder or any of the subfolders open. After the upgrade or uninstall is complete, start the MOM agent again.

  15. Microsoft Forefront Security for Exchange Server does not support customers using their own procedure to download engine updates from the Microsoft web sites. Forefront provides the ability for a server to be used as a redistribution server, but this server must use Forefront to get the updates from Microsoft.

  16. Forefront Security for Exchange Server database path names (DatabasePath registry key) have a maximum size of 216 characters.

  17. If you change the install path, its name must be less than 170 characters.

  18. UNC paths specified for engine updates must not end with a backslash ("\").

  19. When Microsoft Forefront Security for Exchange Server is installed on an Edge Transport server that is not a member of a domain, the InternalAddress setting will be empty.

  20. Notifications and Deliver From Quarantine functionality will not work if Microsoft Forefront Security for Exchange Server is installed on a Mailbox Only role and the server is a Domain Controller.

  21. Importing filter lists from a UTF-8 formatted file is not supported.

  22. It is recommended that you have the Transport Scan Job do file filtering, since Transport is able to retrieve mail from the Store before it is scanned by the Realtime Scan Job. Since all mail must go through the Hub Transport role, the same filters would be applied to all messages.

  23. Forefront will only install and run with the default setting of "Remote Signed" that Exchange places on the PowerShell execution policy. Changing it to a more restrictive policy such as "Restricted" or "AllSigned" is not supported by Forefront.

  24. To aid you in filtering for profanity with keywords, we have included example lists in various languages. This is an optional component of FSE and must be installed separately.

  25. Single node management of Forefront Security for Exchange Server is available using the Forefront Server Security Administrator. Multi-server management of Forefront Server Security through the Microsoft Forefront Security Management Console is available.

  26. In order to provide a consistent User Experience in the Microsoft Forefront Server Security Administrator Client, the servers involved should be configured with uniform locale settings. Specifically, the System Locale settings of the computer where the server is being run should match the User Locale settings of the computer where the client is being run. If these two locales do not match, connection will not be allowed.

  27. When installing Forefront Server Security for Exchange on a CCR cluster, the installation path must be the same for both nodes.

  28. In General Options, the Internal Address setting is limited to 64 kilobyte (KB) characters.

  29. When running Forefront Security for Exchange Server on a CCR cluster, the General Option "Redistribution Server" is selected, by default, after install. It must remain selected for proper engine replication.

  30. When uninstalling Forefront Security for Exchange Server, Active Directory must be available for the uninstall to work correctly.

  31. When Forefront Security for Exchange Server is installed on a Microsoft Windows Server "Longhorn" computer, you may see this item in the event log: "Faulting application setup.exe_InstallShield." This is an InstallShield error with no consequences. It does not impact the system and should be ignored.

  32. The CA InoculateIT scan engine is no longer available as a separate engine. This engine and its functionality have been merged with the CA Vet engine.

New Features

Build 10.1.0746

(Includes all features from Forefront Security for Exchange Server 10.0.0566.0):

  1. Added support for Microsoft Windows Server "Longhorn".

  2. Added support for IPv6.

  3. A new General Option "Treat multipart RAR archives as corrupted compressed" has been added. When this option is enabled (the default setting), files determined by Forefront to be multipart RAR will be treated as corrupted compressed and acted on according to the "Delete Corrupted Compressed Files" General Option setting. When this option is disabled, Forefront will pass each file within the RAR volume to the scan engines. NOTE: if a file spans RAR volumes, Forefront will only be able to pass the partial file to the scan engines and file type filtering may not work.

  4. A new General Option "Treat high compression ZIP files as corrupted compressed" has been added. When this option is enabled (the default setting), if a zip archive is found to contain one or more highly compressed files, it will be treated as corrupted compressed, and acted on according to the "Delete Corrupted Compressed Files" General Option setting. When this option is disabled, any file within a zip archive that is highly compressed with either the Deflated64, Bzip2, or PPMD algorithms will be sent to the scan engines in its compressed form. In this case, the entire zip archive will not be treated as corrupted compressed as long as no other files are compressed using other high compression algorithms.

  5. If Microsoft Updates (MU) has not already been activated for the server, an option to opt into the MU program will be presented during the install.

  6. Forefront scheduled tasks will now be handled using Task Scheduler. Each repeated task will now show as one scheduled task in the Scheduled Tasks UI.

  7. A Profanity Keyword Setup package is now distributed as part of the Forefront for Exchange Server installation. When run, localized profanity keyword lists are extracted and can be imported into Forefront Administrator to be used for keyword filtering.

  8. New Health State Monitoring event log entries have been added to provide administrators with a higher-level view of the system and enable them to do proactive monitoring. The Forefront MOM pack has been enhanced to use these log entries to generate MOM alerts.

  9. A new Product Licensing Agreement and Expiration entry screen has been added. After you have activated your product, you should enter licensing information (obtained from Microsoft Sales). If you license your product, you can align when your product expires with your license agreement (otherwise, the expiration will be three years from the installation date). In addition, you can easily renew your license by entering a new expiration date. To license FSE, select Register Forefront Server from the Help menu. If you have not already activated the product, the Product Activation dialog box appears. After you enter your product activation information, the Product Licensing Agreement and Expiration dialog box appears. If you have activated FSE, only the Product License Agreement and Expiration dialog box appears. Enter your 7-digit License Agreement Number and an expiration date. You should enter a date that corresponds to the expiration of your license agreement. That will coordinate the expiration of both the license agreement and the product. When the product nears its expiration, you should renew your license agreement and enter the new license information into the Product Licensing Agreement and Expiration dialog box.

Build 10.0.0566.0 (includes all features from Antigen 9.0.1055):

  1. The default InternetProcessCount and RealtimeProcessCount values on fresh installs will be set to 4. The existing value will not be changed during upgrades. Note: Services will still need to be recycled for these values to take effect.

  2. The behavior of the "Max Container File Infections" General Option has changed. If the option is set to '0', and a filter match occurs within the container, the entire container will be deleted.

Build 9.0.1055 (Includes all features from Antigen 8.0.1517):

  1. For each scan engine, a secondary update path can be entered. If using the network update path to get an engine update fails for any reason, the secondary update path will be tried.

  2. A new General Option has been added that gives you the option to purge a message if any of the message body parts is deleted and there are no attachments.

  3. The default InternetProcessCount and RealtimeProcessCount values on fresh installs will be set to 2. The existing value will not be changed during upgrades. In addition, there are two new General Options in the UI to allow you to change these settings without editing the registry. Note: Services will still need to be recycled for these values to take effect.

  4. Separate notifications are now available for Spam/RBL, keywords, and sender/subject filters. Keyword filter notifications are available for the sender and recipients as well as the administrator. A new Spam Administrator is available for the Spam/RBL filters. Content Filter notifications are available for the sender and recipients, as well as the administrator, and include Sender and Subject Line filter notifications.

  5. Cluster support on Active/Passive clusters has been enhanced. Configuration data as well as scanner signature data are now associated with a Clustered Mailbox Server (formerly called Exchange Virtual Server). Registry data will be replicated on an Exchange Virtual Server basis.

Software Fixes

Build 10.1.0746

(Includes all software fixes from Forefront Security for Exchange Server 10.0.0566.0):

  1. KB936541 Exchange services do not start after you install Windows Server 2003 Service Pack 2.

  2. KB937542 Forefront Security for Exchange Server notifications stop working if you change the Exchange Pickup folder path.

  3. KB937543 Forefront Security for Exchange Server processes a message that contains invalid uuencode header information as a CorruptedCompressedFile virus.

  4. KB939365 Forefront Security for Exchange Server fails in a single copy cluster environment.

  5. Fixed a problem in which Forefront for Exchange would prevent Exchange from starting correctly if WSS 3.0 was installed on the same server.

Known Issues

  1. The FSCController Service is dependent on the NT Schedule service. The Schedule service must have the ability to start successfully for Microsoft Forefront Security for Exchange Server to initialize.

  2. A ZIP archive containing one or more files compressed with PKWARE's DCL-Implode or Deflate64(tm) algorithms will be treated as corrupted compressed.

  3. During a Hot Upgrade, you have the option to "Stop Waiting" if the upgrade is taking too long to process or if it has caused Forefront Security for Exchange Server to hang. However, if the "Stop Waiting" option is selected too soon after starting the process, there is a risk that Forefront Security for Exchange Server may be left in an off-line state. (Please allow 3-5 minutes before using the "Stop Waiting" option.) If this happens, the Exchange services may need to be recycled to restart Forefront Security for Exchange Server.

  4. The "Perform Updates at Startup" General Option setting will be cleared after an upgrade. If this setting was previously selected, use the Forefront Server Security Administrator to set this option back on after the upgrade.

  5. If the Service Control Manager is open, an install or upgrade may fail with "Setup failed in SetupRegistry".

  6. During the installation, when you are prompted by the Select Program Folder dialog for a program folder, either accept the default (Microsoft Forefront Server Security\Exchange Server) or enter the name of a totally new folder. Do not choose one from the list of Existing Folders, as all the current shortcuts in the selected folder will be replaced with the shortcuts for Forefront. (The original programs themselves will remain untouched; only the links to them in that Program Folder will be overwritten.)

  7. Installing Microsoft Forefront Security for Exchange Server in a folder that contains non-ASCII characters is not supported. Choose a path that contains only characters from the following groups: letters (A-Z, a-z), numbers (0-9) or the symbols :\/!#$%'()+,-.;=@[]^_`{}~.

  8. If you have multiple filter lists with names that differ only by case, they will not work properly.

  9. In the Forefront Security for Exchange Server User Guide, a correction has been made in the Read-Only Administrator section. The default database location is Program Files\Microsoft Forefront Security\Exchange Server\Data.

  10. If you create a user that is part of the Administrators Group with read-only access rights to FSE, when that user logs on and tries to open the Forefront Server Security Administrator, the following error will occur:

    ERROR: Unable to connect to service. An error was returned. Location: CocreateInstanceEx.Error: Access is denied.

    This error is caused by a Windows Server 2003 SP 1 security enhancement. To work around this problem, follow these steps:

    1. Run DCOMCNFG from START/Run. The Component Services dialog box appears.

    2. Expand Component Services.

    3. Expand Computers, My Computer, and DCOM Config.

    4. Right-click on FSCController, and then select Properties.

    5. Click the Security tab, and then click Edit in Launch and Activation Permissions.

    6. Add "Domain Users", and click Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

    7. Click OK for both open dialog boxes.

  11. The "Messages Scanned" Statistics counter will not increment for each message if Keyword Filtering is unchecked in the Forefront Server Security Administrator.
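
Added example (not part of the original Readme and not Forefront code): for New Features item 4 and Known Issue 2, the Python below lists which members of a ZIP archive use the compression algorithms named there, so an administrator can see why an attachment may be treated as corrupted compressed. The numeric method IDs come from the PKWARE ZIP specification rather than this Readme, the function names are hypothetical, the sample archives are constructed in memory, and the result is a triage hint, not Forefront's own verdict.

```python
import io
import struct
import zipfile

# Method IDs as assigned in the PKWARE ZIP specification (APPNOTE). The Readme
# gives only the algorithm names; the numbers are supplied here.
HIGH_COMPRESSION_METHODS = {
    9: "Deflate64",
    10: "PKWARE DCL Implode",
    12: "Bzip2",
    98: "PPMd",
}


def high_compression_members(data: bytes) -> list:
    """Return (member name, algorithm) for every flagged member of a ZIP.

    Only the central directory is read and nothing is decompressed, so
    members Python cannot extract (Deflate64, PPMd) are still reported.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return [
            (info.filename, HIGH_COMPRESSION_METHODS[info.compress_type])
            for info in archive.infolist()
            if info.compress_type in HIGH_COMPRESSION_METHODS
        ]


def triage(data: bytes) -> str:
    """Classify an attachment as 'not-a-zip', 'ok' or 'high-compression'."""
    try:
        flagged = high_compression_members(data)
    except zipfile.BadZipFile:
        return "not-a-zip"
    return "high-compression" if flagged else "ok"


def constructed_sample(with_bzip2: bool) -> bytes:
    """Build a small in-memory ZIP (constructed test data, not real mail)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("notes.txt", b"ordinary member " * 16,
                         compress_type=zipfile.ZIP_DEFLATED)
        if with_bzip2:
            archive.writestr("report.txt", b"bzip2 member " * 16,
                             compress_type=zipfile.ZIP_BZIP2)
    return buffer.getvalue()


def relabel_last_member(data: bytes, method: int) -> bytes:
    """Constructed test data only: overwrite the method field of the last
    central-directory entry so the listing reports `method`.

    Python cannot write Deflate64, so this stands in for a real archive.
    The method field sits 10 bytes after the 'PK\\x01\\x02' signature.
    """
    position = data.rfind(b"PK\x01\x02")
    if position < 0:
        raise ValueError("no central directory entry found")
    return data[:position + 10] + struct.pack("<H", method) + data[position + 12:]


if __name__ == "__main__":
    samples = {
        "deflate only": constructed_sample(False),
        "with bzip2 member": constructed_sample(True),
        "relabelled as Deflate64": relabel_last_member(constructed_sample(False), 9),
        "not an archive": b"plain text, not an archive",
    }
    for label, blob in samples.items():
        verdict = triage(blob)
        detail = high_compression_members(blob) if verdict == "high-compression" else []
        print(f"{label}: {verdict} {detail}")
```
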

Documentation

The documentation for this product is distributed in .chm format and is provided with this package. After installation, access help either from the Forefront Server Security Administrator interface or use the F1 key when running the Forefront Server Security Administrator.

Frequently Asked Questions

Regularly updated lists of frequently asked questions are available on Microsoft's web site (http://go.microsoft.com/fwlink/?LinkID=78562).

Q: How can I restrict who can administer Microsoft Forefront Security for Exchange Server?

A: The Forefront Server Security Administrator uses DCOM to connect to the Forefront Security for Exchange Server component. DCOM settings for the 'FSCController' application are set to initially allow the Administrators group and SYSTEM full access. You can change the "Access" and "Launch" settings in DCOM to restrict access. You do this by launching the DCOMCNFG.EXE program and selecting FSCController from the Application tab. Once completed, you will need to restart the Exchange Services.

Q: When I uninstall Microsoft Forefront Security for Exchange Server, there seems to be a file left behind. Is that by design?

A: When uninstalling Microsoft Forefront Security for Exchange Server, the process will not remove the file IsUninst.EXE from the Windows folder (for example, c:\windows). It is possible for this file to be shared and used by other applications. If you determine that no other application is using this file, you may safely remove it from your system.

The EICAR Anti-Virus Test File

Provided below is the code for the EICAR Standard Antivirus Test File.

To test your installation, copy the following line into its own text file and name it EICAR.COM.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* 

When done, you will have a 69-byte or 70-byte file.

You can then attach this to an Exchange message for testing. Forefront Security for Exchange Server will report finding the EICAR-STANDARD-AV-TEST-FILE virus. If you have "cleaning" enabled, Forefront Security for Exchange Server will also report the attachment as being deleted. The infected attachment will be removed from the test message or post and be replaced with a text file. The new file will contain the following string when viewed: "Microsoft Forefront Security for Exchange Server found a virus and deleted this file."

It is important to know that THIS IS NOT A VIRUS. However, users often have the need to test that installations function correctly. The antivirus industry, through the European Institute for Computer Antivirus Research, has adopted this standard to facilitate this need.

Please delete the file when installation testing is completed so that unsuspecting users are not unnecessarily alarmed.

Copyright

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Microsoft, Windows, Forefront, Internet Explorer, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.