Microsoft Forefront Security for SharePoint, version 10.0 with Service Pack 1

(Build 0700)

Thank you for using Microsoft Forefront Security for SharePoint, which helps provide anti-virus and content filtering protection for Microsoft Office SharePoint Server 2007 and Windows SharePoint Services 3.0. This Readme file contains important information regarding the current version of this product. It is highly recommended that you read the entire document.

To view the latest, updated release notes, check: http://go.microsoft.com/fwlink/?LinkID=91415.

What's in this file

Requirements

Features

Product Notes

Software Fixes

Known Issues

The EICAR Anti-Virus Test File

Requirements

Minimum Server Requirements:

Prerequisites for this release

SharePoint KB 936867 or later is required as a prerequisite for this release. To apply the hotfix, follow the steps listed in the KB 941268 or contact Microsoft Product Support Services (http://go.microsoft.com/fwlink/?LinkId=98215) for further guidance.

  • Windows 2003 Server

  • Microsoft Windows SharePoint Services 2007 or SharePoint Portal Server 2007

  • 1 GB of Available Memory (2 GB recommended.)

    Note:
    With each additional licensed scan engine, more memory is needed per scanning process.

  • 550 MB of Available Disk Space

Minimum Workstation Requirements:

  • Windows 2000 Professional

  • 6 MB of Available Memory

  • 10 MB of Available Disk Space

  • Intel Processor

Features

  • Enhanced Quarantine Database and Functionality

  • Enhanced Incident Database and Functionality

  • General Options Panel

  • GZip Support

  • Read-only Client

  • Summary Notification after Manual Scan

  • Filtering by File Size

  • Realtime and Manual Scan jobs

  • Resizable UI

  • Custom Job Templates

  • New Configuration Management Tools

  • Realtime Diagnostics "live" on Enable Scanjob

  • 100% Real-time and manual scanning of all Workspaces

  • In-Memory Scanning

  • Scan files by type

  • Remote Installation

  • Automatic Updates

  • Remote Administration

  • Virus Incident Notification and Reporting

  • PerfMon Statistics

  • Quarantine Database

Product Notes

  1. When Forefront Security for SharePoint cleans an infected file that has been checked into a document library, the file extension will not be changed. For example:

    If the file "eicar.com" is detected, the contents will be removed and replaced with deletion text, but the file extension will remain ".com" rather than being changed to "eicar.txt." If the same file is cleaned while it is nested inside a compressed file, however, the extension will be changed to ".txt."

  2. Upgrades from releases earlier than 10.0.0566.0 are not supported.

  3. The Forefront Security for SharePoint Notification Web Parts feature is not supported in this release.

  4. After a fresh install, new signature files must be downloaded to ensure the most up-to-date protection. An hourly scanner update for each licensed engine will be scheduled. These updates will start 5 minutes after Forefront Security for SharePoint services are started. However, if a proxy is being used for scanner updates, these scheduled updates will fail unless you use the Forefront Server Security Administrator to enter the proxy information. Once this is done, use the 'Update Now' button to perform an immediate scanner update for each engine.

    Note:
    A successful update of at least one engine should occur before the installation is considered complete.

    Until all the licensed engines have been successfully downloaded, errors may appear in the ProgramLog.txt file. These errors include "ERROR: Could not create mapper object".

  5. The standard Forefront Security for SharePoint license includes eight AV scan engines: Microsoft, Norman, Sophos, Command, Kaspersky, VBuster, AhnLab, and Computer Associates. During a fresh install, five random engines will be selected for scanning; the Forefront Server Security Administrator can subsequently be used to change the engine selection. A maximum of five engines can be selected per scan job. (The CA InoculateIT scan engine is no longer available as a separate engine. This engine and its functionality have been merged with the CA Vet engine.)

  6. The Forefront Server Security Administrator cannot be used to manage servers running versions earlier than release 10.0.

  7. To enable the Forefront Server Security Administrator to connect to a remote Forefront server, the "Anonymous Logon" group must be granted the Remote Access permission. To make this change, run 'dcomcnfg'. In Component Services, navigate to My Computer, right-click My Computer, and select Properties; then choose the COM Security page. Under Access Permissions, click Edit Limits and add Remote Access to the "Anonymous Logon" user. On Windows XP SP2, an additional setting change is needed to allow the Forefront Server Security Administrator application. Open Control Panel and choose 'Security Center'. Open the Windows Firewall settings and go to the Exceptions tab. Choose 'Add Program', select Forefront Server Security Administrator from the list, and click OK. Then check Forefront Server Security Administrator in the list on the Exceptions tab. Choose 'Add Port'; enter '135' for the port number, with TCP checked, and any name. Click OK.

    If there is concern about opening port 135 to all computers, it can be opened for only the Forefront Server servers. When adding port 135, click 'Change Scope' and select 'Custom List'. Type in the IP addresses of all Forefront Server servers you want to connect to.

  8. Forefront Security for SharePoint is able to scan the first part of a multi-part RAR file. Any other part of a multi-part RAR will be treated as CorruptedCompressed, and be treated according to the "Delete Corrupted Compressed Files" setting.

  9. To prevent Forefront from requiring a reboot during Upgrade or Uninstall, please shut down the MOM agent (or any other monitoring software) and make sure that any command prompts or Explorer windows do not have the Forefront installation folder or any of its subfolders open. After Upgrade or Uninstall is complete the MOM agent should be started again.

  10. Microsoft Forefront Security for SharePoint does not support you using your own procedure to download engine updates from the Microsoft web sites. Forefront provides the ability for a server to be used as a redistribution server, but this server must use Forefront to get the updates from Microsoft.

  11. Forefront Security for SharePoint database path names (DatabasePath registry key) greater than 216 characters are not supported.

  12. Localized database path names (in the DatabasePath registry key) are not supported.

  13. When installing Microsoft Forefront Security for SharePoint, the length of the install path must be less than 170 characters.

  14. UNC paths specified for engine updates must not end with a backslash ("\").

  15. Importing filter lists from a UTF-8 formatted file is not supported.

  16. Microsoft Forefront Security for SharePoint is not supported when running on a server that has both Microsoft Exchange and SharePoint installed.

  17. Keyword filtering will analyze the contents of Excel files, as well as the Text/HTML/Word/PowerPoint types shown in the Forefront Server Security Administrator.

  18. The summary notification of a Manual Scan is sent to the Virus Administrator of the Realtime Scan job.

  19. Keyword Filtering lists are not available for download from Microsoft in this release.

  20. Single node management of Forefront Security for SharePoint is available via the Forefront Server Security Administrator. Multi-server management of Forefront Server Security through the Microsoft Forefront Security Management Console is not available.

  21. If the password is changed on the account that was entered for SharePoint database access, the password must be changed on the FSSPController service using the Service Control Manager.

  22. In order to provide a consistent User Experience in the Microsoft Forefront Server Security Administrator Client, the machines involved should be configured with uniform locale settings. Specifically, the System Locale settings in the machine where the server is being run should match the User Locale settings in the machine where the client is being run. If these two locales do not match, date and time information will be presented in a combination of formats that may be confusing.

  23. In the Forefront Security for SharePoint User Guide, the term "SharePoint Services" includes the World Wide Web Publishing Service when discussing stopping and starting SharePoint services.

  24. The CA InoculateIT scan engine is no longer available as a separate engine. This engine and its functionality have been merged with the CA Vet engine.

  25. You can move the Quarantine and Incidents databases. However, for FSSP to function properly, you must move both databases, and all related databases and support files.

    To move all the files

    1. Create a new folder in a new location (for example: C:\Moved Databases).

    2. Set the permissions for the new folder. Right-click the new folder, and then select Properties. On the Security tab, add "Network Service", "WSS_ADMIN_APG" and "WSS_WPG" with Full Control privileges. Also, allow all permissions for Administrators and System.

    3. Stop World Wide Web Publishing Service, Windows SharePoint Services Timer and any Forefront Security for SharePoint services that might still be running after SharePoint is shut down.

    4. Copy the entire contents of the Data folder, including the subfolders, from the Forefront Security for SharePoint installation folder into the folder created in step 1. (This results in a folder called C:\Moved Databases\Data.)

    5. Change the path in one of these DatabasePath registry keys to point to the new Data folder location:

      For 32-bit systems: HKLM\SOFTWARE\Microsoft\Forefront Server Security\SharePoint\DatabasePath

      For 64-bit systems: HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\SharePoint\DatabasePath

    6. Restart the World Wide Web Publishing Service and Windows SharePoint Services Timer services.

Software Fixes

Build SYBARI_PRODUCT_MAJOR.SYBARI_PRODUCT_MINOR.SYBARI_BUILD_MAJOR (Includes all software fixes from Antigen 10.0.0566.0):

  1. Fixed an issue where all files were marked as infected with "" virus.

  2. Forefront for SharePoint now will correctly scan files up to 2 GB in size.

  3. Manual scan will no longer trigger Realtime to unnecessarily scan the same file.

  4. Fixed an issue where certain AV setting changes caused SharePoint to generate an access violation.

  5. Non-ASCII keywords will be correctly identified in Office 2007 documents.

  6. You will receive a warning if you attempt to install Forefront for SharePoint on a server that has Exchange installed. Forefront for SharePoint is not supported if Exchange is installed on the same server.

  7. Fixed the issue where STSADM will hang during site import and export. The fix was done in 2 parts: (1) ensuring that the scanning threads are released in a proper manner; (2) allowing the scanning processes to run as "System" by default to prevent "Access Denied" errors from being generated.

Known Issues

  1. The FSCController service is dependent on the NT Schedule service. The Schedule service must have the ability to start successfully for Microsoft Forefront Security for SharePoint to initialize.

  2. Attachments compressed with PKWARE's DCL-Implode are not scanned.

  3. Attachments compressed with PKWARE's Deflate64(tm) are not scanned at this time.

  4. If the Service Control Manager is open, an install or upgrade may fail with "Setup failed in SetupRegistry".

  5. Installing Microsoft Forefront Security for SharePoint in a folder that contains non-ASCII characters is not supported. Please choose a path that contains only characters from the following groups: letters (A-Z, a-z), numbers (0-9) or the symbols :\/!#$%'()+,-.;=@[]^_`{}~

  6. Having multiple filter lists names that differ only by case will not work properly.

  7. In the Forefront Security for SharePoint User Guide, a correction should be made in the Read-Only Administrator section. The default database location is Program Files\Microsoft Forefront Security\SharePoint\Data on 32-bit servers, Program Files(x86)\Microsoft Forefront Security\SharePoint\Data on 64-bit servers.

  8. To prevent reboots, please ensure that the following services are stopped/disabled before running the upgrade:

    • MOM

    • Perfmon

    • Eventvwr

    • SPTimer

  9. During the installation, when you are prompted by the Select Program Folder dialog for a program folder, either accept the default (Microsoft Forefront Server Security\SharePoint) or enter the name of a totally new folder. Do not choose one from the list of Existing Folders, as all the current shortcuts in the selected folder will be replaced with the shortcuts for Forefront. (The original programs themselves will remain untouched; only the links to them in that Program Folder will be overwritten.)

  10. Forefront Security for SharePoint should be uninstalled before WSS is uninstalled. Uninstalling WSS before Forefront results in a prompt to stop Exchange services and the IISAdmin service. Once IISAdmin is stopped, Forefront for SharePoint can be uninstalled. However, the FFSPUsernameFilter will not be removed, and this will cause non-SharePoint sites to hang. To get out of this state, the FFSPUsernameFilter can be removed manually. In IIS Manager, right-click Web Sites and choose "Properties", then remove FFSPUsernameFilter from the ISAPI filters. Once this is done, recycle IISAdmin to release the non-SharePoint sites from the hang.

  11. If Office 2003 or Office 2007 is installed on the SharePoint server, uninstalling the Office product will cause the keyword filtering to stop functioning.

  12. Manual scan does not work on sites that use the Enterprise-Document Center and Publishing-Collaboration Portal templates. It will be detected by the Manual scan and it will not be cleaned.
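
Added example (not part of the original Readme and not Microsoft code): Known Issues 2 and 3 mean that content compressed with DCL-Implode or Deflate64 passes through unscanned. Assuming such content arrives as ZIP entries, where the PKWARE APPNOTE assigns method 9 to Deflate64 and method 10 to DCL Implode, this Python code lists those entries from the archive's central directory so they can be reviewed separately; the function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

# ZIP compression-method IDs (PKWARE APPNOTE) assumed to correspond to the
# two formats Known Issues 2 and 3 list as not scanned.
UNSCANNED_METHODS = {9: "Deflate64", 10: "PKWARE DCL Implode"}


def find_unscanned_entries(zip_bytes):
    """Return [(entry name, method name)] for entries using those methods."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # infolist() reads only the central directory; nothing is unpacked,
        # so methods Python cannot decompress are still reported.
        return [(info.filename, UNSCANNED_METHODS[info.compress_type])
                for info in zf.infolist()
                if info.compress_type in UNSCANNED_METHODS]


def build_sample(entries):
    """Constructed input: a stored ZIP whose method fields are overwritten
    to imitate archives written with other compression methods."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, _ in entries:
            zf.writestr(name, b"sample data")
        local_offsets = [info.header_offset for info in zf.infolist()]
    data = bytearray(buf.getvalue())
    pos = 0
    for (_, method), local in zip(entries, local_offsets):
        struct.pack_into("<H", data, local + 8, method)   # local file header
        pos = data.index(b"PK\x01\x02", pos)              # central dir header
        struct.pack_into("<H", data, pos + 10, method)
        pos += 4
    return bytes(data)


if __name__ == "__main__":
    sample = build_sample([("notes.txt", 0), ("a.bin", 9), ("b.bin", 10)])
    for name, method in find_unscanned_entries(sample):
        print(f"{name}: {method} entry, not scanned by this release")
```
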

The EICAR Anti-Virus Test File

Provided below is the code for the EICAR Standard AntiVirus Test File.

To test your installation, copy the following line into its own text file and name it EICAR.COM.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

When done, you will have a 69-byte or 70-byte file.

You can use this file to check into a SharePoint server for testing. Forefront Security for SharePoint will report finding the EICAR-STANDARD-AV_TEST-FILE virus. If you have "cleaning" enabled, Forefront Security for SharePoint will also report the attachment as being deleted. The infected attachment will be removed from the test message or post and be replaced with a text file. The new file will contain the following string when viewed: "Microsoft Forefront Security for Sharepoint found a virus and deleted this file."

It is important to know that THIS IS NOT A VIRUS. However, users often have the need to test that installations function correctly. The anti-virus industry, through the European Institute for Computer Antivirus Research, has adopted this standard to facilitate this need.

Please delete the file when installation testing is completed so that unsuspecting users are not unnecessarily alarmed.

Copyright

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

© 2007 Microsoft Corporation. All rights reserved.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Microsoft, Windows, Forefront, Internet Explorer, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.