Microsoft KB Archive/945572

= Description of Forefront Security for Exchange Server Service Pack 1 =

Article ID: 945572

Article Last Modified on 11/29/2007

-

APPLIES TO


 * Microsoft Forefront Security for Exchange Server Service Pack 1

-



Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows XP and Windows Vista



SUMMARY
Microsoft has released Microsoft Forefront Security for Exchange Server Service Pack 1 (SP1). This article describes the following information about the service pack:


 * The requirements to install the service pack
 * The new Deliver from Quarantine Security option
 * Important notes to consider before you install the service pack
 * The new features that are included in the service pack
 * The software fixes that are included in the service pack



Requirements to install the service pack
All minimum system memory and disk space requirements for Microsoft Exchange Server 2007 must be met before you install Microsoft Forefront Security for Exchange Server. Insufficient memory or disk space may affect the ability of Forefront Security to scan large files.

Minimum server requirements

 * You must be running one of the following operating systems:
 * Windows Server 2003 Service Pack 1 (SP1) or a later version of Windows Server 2003
 * Windows Server 2003 R2
 * Windows Server 2008
 * Exchange Server 2007 must be installed.
 * The computer must have 1 gigabyte (GB) of free memory in addition to the minimum of 2 GB of free memory that is recommended to run Exchange Server 2007.

Note For each additional scan engine that you use, more memory is needed for each scanning process.
 * The computer must have 2 GB of available disk space.
 * The computer must have a 1-gigahertz (GHz) Intel processor or a faster processor.

For more information about Exchange Server 2007 system requirements, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/library/aa996719.aspx

Minimum workstation requirements

 * Windows 2000 Professional or Windows Server 2003
 * 6 MB of available memory
 * 10 MB of available disk space
 * Intel processor

The new &quot;Deliver from Quarantine Security&quot; option
The new Deliver from Quarantine Security option has been added to give administrators more flexibility for handling messages and attachments that are forwarded from Quarantine. The following options are available for this setting:
 * Secure Mode is the default setting. It causes all messages and attachments that are delivered from Quarantine to be re-scanned for viruses and filter matches.
 * Compatibility Mode allows for messages and attachments to be delivered from Quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.)

Forefront Security for Exchange Server identifies these messages by adding a special &quot;Tag&quot; text in the subject line of all messages that are delivered from Quarantine.

During installation, you are asked whether you want to run in secure mode or in compatibility mode.

If you want Forefront Security for Exchange Server to continue to allow for messages and attachments to be delivered from Quarantine without being rescanned for filter matches, select Compatibility Mode. If you want messages and attachments to be rescanned, select Secure Mode.

This setting applies to the Realtime Scan Job and to the Transport Scan Job. For more information about the Realtime Scan Job and the Transport Scan Job, visit the following Microsoft Web sites:

http://www.microsoft.com/technet/forefront/serversecurity/exchange/userguide/edc245f2-6d4f-47b4-8b6b-77bb9beca453.mspx?mfr=true

http://www.microsoft.com/technet/forefront/serversecurity/exchange/userguide/63272cc5-a3e9-4a73-a324-783072cb8ec3.mspx?mfr=true

You can customize the subject line &quot;Tag&quot; text that is used when messages are delivered from Quarantine by using the new ForwardedAttachmentSubject registry entry. The subject line &quot;Tag&quot; text can be changed to a unique string for the organization, or it can be changed to a local language.

Notes
 * If the Deliver from Quarantine Security option is set to Secure Mode, old messages that were delivered from Quarantine may be re-detected and quarantined if they are scanned again by the Realtime scanner.
 * If messages that are already in the organization were tagged with old &quot;Tag&quot; text in the subject line, filters are applied. This occurs if the following conditions are true:
 * The Deliver from Quarantine Security option is set to Compatibility Mode.
 * The subject line &quot;Tag&quot; text is changed.
 * The messages are re-scanned.

Regardless of which mode is selected, all incoming messages are scanned and filtered by the Forefront Security for Exchange Server Transport scan job.

By default, a Manual Scan Job will not perform file filtering on messages that were forwarded from Quarantine. If you want to run a Manual Scan Job, and if forwarded attachments are detected again, you must create the ManuallyScanForwardedAttachments registry entry and then set the value of the entry to 1. For more information, visit the following Microsoft Web site:

http://www.microsoft.com/technet/forefront/serversecurity/exchange/userguide/63272cc5-a3e9-4a73-a324-783072cb8ec3.mspx?mfr=true

Important notes to consider before you install the service pack
 Upgrades for releases that are earlier than Forefront Security for Exchange Server 10.0 are not supported. The standard Forefront Security for Exchange Server license includes the following antivirus scan engines:  Microsoft Norman Sophos Command Kaspersky</li> VBuster</li> AhnLab</li> Computer Associates</li></ul>

After a fresh installation, five engines are randomly selected for scanning. As soon as the product is installed, you can use Forefront Server Security Administrator to change the engine selection. You can select a maximum of five engines per scan job.</li> After a fresh installation, new signature files must be downloaded to make sure that the most up-to-date protection is used. An hourly scanner update for each licensed engine is scheduled. These updates start five minutes after Forefront Security for Exchange Server services are started.

However, if a proxy is being used for scanner updates, these scheduled updates will fail until all the proxy information has been entered. To enter the proxy information, use Forefront Server Security Administrator. To do this, follow these steps: <ol> In the General Options work panel, click Scanner Updates.</li> In the Proxy Username and Proxy Password boxes, type the appropriate information.</li> In the Scanner Updates work panel, click Update Now to perform an immediate scanner update for each engine.</li></ol>

Notes <ul> We recommend that you successfully update at least one engine before you consider the installation to be complete.</li> Errors may appear in the ProgramLog.txt file until all the licensed engines have been successfully downloaded. For example, you may receive an error message that resembles the following error message:

ERROR: Could not create mapper object

</li></ul> </li> To verify that Forefront Security for Exchange Server has been installed correctly together with default protection enabled, click Operate in Shuttle Navigator, and then click Run Job. You should see the following items: <ul> On a server that contains a Mailbox role, a Realtime Scan Job should be enabled, and there should be a Manual Scan Job.</li> On a server that includes a Transport role (such as a Hub Transport server, an Edge server, or a Mailbox/Hub Transport server), a Transport Scan Job should be enabled.</li></ul> </li> Forefront Security for Exchange Server sets an optimization tag on Mailbox servers to skip the scan at the store if mail is to be sent to a Hub Transport server. When you use this configuration, Forefront Security for Exchange Server must also be installed on Hub Transport servers. Otherwise, outgoing mail will not be scanned.</li> To enable scheduled background scanning, follow these steps: <ol> In Shuttle Navigator, click OPERATE, and then click Schedule Job.

The Schedule Job panel appears on the right side. The top section of the Schedule Job panel shows the background scan job, and it indicates whether the Scheduler is enabled or disabled.</li> <li>If you select the background scan job, the bottom part of the Schedule Job panel shows scheduling and configuration information.</li> <li>To schedule a background scan, select the date, the time, and the frequency, and then click Save. Click Enable if the Scheduler is not already enabled.</li> <li>Background Scanning now supports additional scoping options that determine which messages are scanned whenever a background scan is started. To modify these options, follow these steps: <ol style="list-style-type: lower-alpha;"> <li>In Shuttle Navigator, click SETTINGS, and then click General Options. The General Options settings appear in the right panel.</li> <li>Under Background Scanning, select the scan scoping options that you want.</li></ol> </li> <li>By default, Realtime Mailbox server scanning does not include message body scanning. To include message body scanning, follow these steps: <ol style="list-style-type: lower-alpha;"> <li>In Shuttle Navigator, click SETTINGS, and then click General Options.</li> <li>In the Scanning area, click to select the Body Scanning - Realtime check box.</li> <li>In the OPERATE/Run Job panel, verify that the Realtime Scan Job is enabled.</li></ol> </li></ol> </li> <li>Forefront Server Security Administrator cannot be used to manage servers that are running versions of Forefront Security that are earlier than version 10.0.</li> <li>Forefront Security for Exchange Server is not supported on two-node active/active Exchange Server cluster configurations.</li> <li>If the SharePoint Portal Alert service is running on the server, you might have to restart the computer after you upgrade or uninstall Forefront Security for Exchange Server.</li> <li>To enable Forefront Server Security Administrator to connect to a remote Forefront Server server, you must grant remote access permissions to the &quot;Anonymous Logon&quot; group.

To do this, follow these steps: <ol> <li>At a command prompt, type dcomcnfg .</li> <li>Expand Component Services, right-click My Computer, and then click Properties.</li> <li>Click the COM Security tab.</li> <li>Click Edit Limits, and then add remote access to the Anonymous Logon user.

Note To enable the Forefront Server Security Administrator application on a computer that is running Windows XP Service Pack 2 (SP2), you must also follow these steps:</li> <li>In Control Panel, click Security Center.</li> <li>Click Windows Firewall, and then click the Exceptions tab.</li> <li>Click Add Program.</li> <li>In the list, select Forefront Server Security Administrator, and then click OK to return to the Exceptions tab.</li> <li>Click to select the Forefront Server Security Administrator check box, and then click Add port.</li> <li>Type a name for the port, type 135 in the Port number box, and then select TCP as the protocol to use. Click OK two times.

Note If you are concerned about opening port 135 to all computers, you can open the port for the Forefront Server servers only. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> <li>When you add port 135, click Change Scope, and then click Custom List.</li> <li>Type the IP addresses of all Forefront Server servers to which you want to connect.</li></ol> </li></ol> </li> <li>When you install an antivirus solution by using VSAPI2, the VirusScan registry key is created to save information about the VSAPI library.

If this key is present when you try to install Forefront Security for Exchange Server, the installation will fail. You must delete the key before you try to reinstall Forefront Security for Exchange Server. To do this, follow these steps.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk. <ol> <li>Click Start, click Run, type regedit in the Open box, and then click OK.</li> <li>Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan

</li> <li>Press DELETE, and then click Yes.</li> <li>Exit Registry Editor.</li></ol> </li> <li>VSAPI will not let you run multiple antivirus software solutions at the same time.</li> <li>Files that are compressed into multipart RAR volumes are subject to the uncompressed file size limit that is specified by the MaxUncompressedFileSize registry subkey.

The default value of this limit is 100 MB. If any file exceeds the limit, any multipart RAR volume that contains the whole file or a part of the file is deleted.

For more information about the MaxUncompressedFileSize setting, see the following topics in the &quot;Forefront Security for Exchange Server User's Guide&quot;: <ul> <li>&quot;Registry Keys&quot;</li> <li>The &quot;Treat Multipart RAR Archives as Corrupted Compressed&quot; topic in the &quot;Forefront Server Security Administrator&quot; section</li></ul> </li> <li>You can prevent Forefront Security for Exchange Server from requiring a restart during an upgrade or an uninstallation. To do this, follow these steps: <ol> <li>Stop the MOM agent or any other monitoring software.</li> <li>Make sure that the Forefront Security installation folder or its subfolders are not open in any command prompts or Windows Explorer windows.</li> <li>After the upgrade or uninstallation is complete, start the MOM agent again.</li></ol> </li> <li>Forefront Security for Exchange Server does not support customers who use their own procedure to download engine updates from the Microsoft Web sites. Forefront Security lets a server be used as a redistribution server. However, this server must use Forefront Security to obtain the updates from Microsoft.</li> <li>Forefront Security for Exchange Server database paths have a maximum size of 216 characters. The database paths are configured in the DatabasePath registry entry.</li> <li>If you change the installation path, the new path must have fewer than 170 characters.</li> <li>UNC paths that are specified for engine updates must not end with a backslash (\).</li> <li>When Forefront Security for Exchange Server is installed on an Edge Transport server that is not a member of a domain, the InternalAddress setting is empty.</li> <li>If the server is a domain controller, and if Forefront Security for Exchange Server is installed on a Mailbox Only role, notifications and &quot;Deliver from Quarantine Security&quot; functionality will not work.</li> <li>Importing filter lists from a UTF-8-formatted file is not supported.</li> <li>We recommend that you use the Transport Scan Job to perform file filtering. This is because Transport can retrieve mail from the store before it is scanned by the Realtime Scan Job. Because all mail must use the Hub Transport role, the same filters would be applied to all messages.</li> <li>You can install and run Forefront Security only with the default setting of &quot;Remote Signed&quot; that Exchange Server adds to the PowerShell execution policy. Changing the default setting to a more restrictive policy such as &quot;Restricted&quot; or &quot;AllSigned&quot; is not supported by Forefront Security.</li> <li>To help you filter for profanity by using keywords, we have included sample lists in various languages. These lists are an optional component of Forefront Security for Exchange Server, and they must be installed separately.</li> <li>Single-node management of Forefront Security for Exchange Server is available by using Forefront Server Security Administrator. Multi-server management of Forefront Security for Exchange Server is available by using Forefront Security Management Console.</li> <li>To provide a consistent user experience in the Forefront Server Security Administrator Client, the servers should be configured to use uniform locale settings.

Specifically, the System Locale settings of the computer where the server is being run should match the User Locale settings of the computer where the client is being run. If these two locales do not match, connection will not be enabled.</li> <li>When you install Forefront Security for Exchange Server on a cluster continuous replication (CCR) cluster, the installation path must be the same for both nodes.</li> <li>In the General Options work panel, the Internal Address setting is limited to 64-kilobyte (KB) characters.</li> <li>By default, when you run Forefront Security for Exchange Server on a CCR cluster, the Redistribution Server option is selected in the General Options work panel after installation. This option must remain selected for correct engine replication.</li> <li>When you uninstall Forefront Security for Exchange Server, the Active Directory directory service must be available for the uninstallation process to work correctly.</li> <li>When you install Forefront Security for Exchange Server on a computer that is running Windows Server 2008, an error message that resembles the following error message may be logged in the event log:

Faulting application setup.exe_InstallShield

You can safely ignore this message. This is an InstallShield error that does not affect the system.</li> <li>The CA InoculateIT scan engine is no longer available as a separate engine. This engine and its functionality have been merged with the CA Vet engine.</li></ul>

New features that are included in the service pack
<ul> <li>Support has been added for Windows Server 2008.</li> <li>Support has been added for Microsoft Exchange Server 2007 Service Pack 1 (SP1).</li> <li>Support has been added for IPv6.</li> <li>A new option that is named Treat multipart RAR archives as corrupted compressed has been added to the General Options work panel.

By default, this option is enabled. When this option is enabled, files that Forefront Security determines to be multipart RAR are treated as &quot;corrupted compressed&quot; files. Then, these files are acted on according to the Delete Corrupted Compressed Files setting.

When this option is disabled, Forefront Security for Exchange Server passes each file in the RAR volume to the scan engines.

Note If a file spans RAR volumes, Forefront Security for Exchange Server can pass only the partial file to the scan engines. Therefore, file type filtering may not work.</li> <li>A new option that is named Treat high compression ZIP files as corrupted compressed has been added to the General Options work panel.

By default, this option is enabled. When this option is enabled, if a zip archive is found to contain one or more highly compressed files, the zip archive is treated as &quot;corrupted compressed.&quot; Then, the zip archive is acted on according to the Delete Corrupted Compressed Files setting.

When this option is disabled, Forefront Security for Exchange Server passes each file in a zip archive that is highly compressed to the scan engines in its compressed form. Forefront Security for Exchange Server does this by using the Deflated64, the Bzip2, or the PPMD algorithm. In this case, the whole zip archive will not be treated as &quot;corrupted compressed&quot; as long as no other files are compressed by using other high-compression algorithms.</li> <li>If Microsoft Updates has not already been enabled for the server, an option to opt in to the Microsoft Updates program is presented during the installation.</li> <li>Forefront Security scheduled tasks are now handled by using Task Scheduler. Each repeated task will now be shown as one scheduled task in the Scheduled Tasks user interface.</li> <li>A Profanity Keyword Setup package is now distributed as part of the Forefront Security for Exchange Server installation. When you run this package, localized profanity keyword lists are extracted and can be imported into Forefront Server Security Administrator to be used for keyword filtering.</li> <li>New Health State Monitoring event log entries have been added to give administrators a higher-level view of the system and to enable them to do proactive monitoring. The Forefront Security MOM pack has been improved to use these log entries to generate MOM alerts.</li> <li>A new Product Licensing Agreement and Expiration dialog box has been added. After you activate the product, you should enter the licensing information that you obtained from Microsoft Sales.

If you license the product, you can align your product expiration date with your license agreement. Otherwise, the expiration date is three years from the installation date. Also, you can easily renew your license by entering a new expiration date.

To license Forefront Security for Exchange Server, follow these steps: <ol> <li>On the Help menu, click Register Forefront Server. If you have not already activated the product, the Product Activation dialog box appears.</li> <li>Enter your product activation information. When you do this, the Product Licensing Agreement and Expiration dialog box appears.

Note If you have activated Forefront Security for Exchange Server, only the Product License Agreement and Expiration dialog box appears.</li> <li>Type your seven-digit License Agreement Number and an expiration date. You should type a date that corresponds to the expiration of your license agreement. When you do this, the expiration dates of the license agreement and of the product are coordinated.</li></ol>

When the product nears its expiration date, you should renew your license agreement and then enter the new license information in the Product Licensing Agreement and Expiration dialog box.</li></ul>

Software fixes that are included in the service pack
<ul> <li>The service pack resolves a problem in which Forefront Security for Exchange Server prevents Exchange Server from starting correctly if Windows SharePoint Services 3.0 is installed on the same server.</li> <li>The service pack resolves a problem in which Forefront Security for Exchange Server fails in a single copy cluster environment. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:

939365 Forefront Security for Exchange Server fails in a single copy cluster environment

</li> <li>The service pack includes Hotfix Rollup 1 for Microsoft Forefront Security for Exchange Server. This hotfix rollup includes the following fixes: <ul> <li>The hotfix rollup resolves a problem in which Exchange Server services do not start after you install Windows Server 2003 Service Pack 2. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

936541 Exchange services do not start after you install Windows Server 2003 Service Pack 2

</li> <li>The hotfix rollup resolves a problem in which Forefront Security for Exchange Server notifications stop working if you change the Exchange Pickup folder path. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

937542 Forefront Security for Exchange Server notifications stop working if you change the Exchange Pickup folder path

</li> <li>The hotfix rollup resolves a problem in which Forefront Security for Exchange Server incorrectly identifies a message as a &quot;CorruptedCompressedFile virus&quot; and then blocks the message. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

937543 Forefront Security for Exchange Server processes a message that contains invalid uuencode header information as a CorruptedCompressedFile virus

</li></ul>

For more information about Hotfix Rollup 1 for Microsoft Forefront Security for Exchange Server, click the following article number to view the article in the Microsoft Knowledge Base:

936831 Description of Hotfix Rollup 1 for Microsoft Forefront Security for Exchange Server

</li></ul>

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

Keywords: kbhowto kbinfo kbregistry kbexpertiseadvanced KB945572

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.