Microsoft has released Hotfix Rollup 1 for Forefront Protection for Exchange. This article contains information about how to obtain the hotfix rollup and about the issues that are fixed by the hotfix rollup.
Details of the issues that are fixed in the hotfix rollup
There is a handle leak in FSCController when SQM is uploading data in Microsoft Forefront Protection for Exchange
Problem
A small handle leak occurs in FSCController when SQM is uploading data.
Symptoms
If you actively monitor handles in Task Manager, you will see a slightly elevated number for FSCController. This may result in a slight increase in memory usage but would not noticeably affect performance.
A Forefront Protection for Exchange scan engine update fails and generates Application Log errors
Problem
If any of the Forefront Protection for Exchange Server external scan engine vendors release a scan engine update that incorporates files that are packaged within subdirectories, the scan engine update will fail.
Symptoms
A scan engine update fails repeatedly. The following Application Log errors are generated:
Log Name: Application
Source: GetEngineFiles
Date: [Date/Time]
Event ID: 6014
Task Category: Engine Error
Level: Error
Keywords: Classic
User: N/A
Computer: [Server Name]
Description:
Microsoft Forefront Protection encountered an error while performing a scan engine update.
Scan Engine: [engine name]
Proxy Settings: Enabled
Error Code: 0x80004005
UpdateException: GetFileCommand failed on Local Filename: base169.kdc.cab Remote Filename: bases\base169.kdc.cab. WinHttpClient send request returned an invalid return code 404.
Log Name: Application
Source: GetEngineFiles
Date: [Date/Time]
Event ID: 6020
Task Category: Engine Error
Level: Error
Keywords: Classic
User: N/A
Computer: [Server Name]
Description:
Microsoft Forefront Protection encountered an error while performing a scan engine update.
During the Forefront Protection for Exchange startup, the scan job gets into a bad state, causing engine scan failures on any file it attempts to scan. This is caused by a timing issue where the engines begin updating before the Forefront services have started.
Symptoms
The quarantine fills with legitimate email. Mail is delivered with deletion text in previously legitimate attachments.
Proxy credentials and UNC path settings for Forefront Protection for Exchange do not replicate to the passive node during cluster failover
Problem
In Forefront Protection for Exchange, users can set proxy credentials such as proxy name and password. Users can also set a custom UNC path for engine updates. These settings are kept in an encrypted file. During a failover, this file is not passed to the new node.
Symptoms
The customized UNC path remains blank on the newly active node. The proxy credentials remain blank on the newly active node. Scan engines may not update.
Forefront Protection for Exchange is blocking all incoming mail
Problem
Administrators who use third-party DNS servers while the DNSBL (DNS Block List) in Forefront Protection for Exchange is enabled do not receive any email. This is due to the DNS server returning invalid return codes, which causes Forefront’s DNS Blocklist (DNSBL) to block the email.
Symptoms
Exchange users are not receiving any mail.
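The failure described above comes down to how a DNSBL client interprets resolver replies. The following C code is an added example, not Forefront code: it treats only a NOERROR answer inside 127.0.0.0/8 (the DNSBL convention in RFC 5782) as a listing, so an unexpected response code or a rewritten answer never blocks mail. The function names and the fail-open policy are assumptions; this article does not describe how the hotfix changes the behavior.

```c
#include <stdio.h>

enum dnsbl_verdict { DNSBL_NOT_LISTED, DNSBL_LISTED, DNSBL_LOOKUP_FAILED };

/* DNS response codes from RFC 1035. */
enum { RCODE_NOERROR = 0, RCODE_SERVFAIL = 2, RCODE_NXDOMAIN = 3, RCODE_REFUSED = 5 };

/*
 * Classify one DNSBL A-record lookup (hypothetical helper).
 *   rcode  : response code of the DNS reply
 *   answer : dotted-quad A record, or NULL when the answer section is empty
 */
enum dnsbl_verdict classify_dnsbl(int rcode, const char *answer)
{
    unsigned a, b, c, d;
    char tail;

    if (rcode == RCODE_NXDOMAIN) return DNSBL_NOT_LISTED;     /* normal "not on the list" */
    if (rcode != RCODE_NOERROR) return DNSBL_LOOKUP_FAILED;   /* SERVFAIL, REFUSED, ... */
    if (answer == NULL) return DNSBL_NOT_LISTED;              /* NOERROR with no A record */

    /* Exactly four octets, nothing trailing, each in 0..255. */
    if (sscanf(answer, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return DNSBL_LOOKUP_FAILED;

    /* Listings live in 127.0.0.0/8; RFC 5782 says a list must not use 127.0.0.1. */
    if (a != 127 || (b == 0 && c == 0 && d == 1))
        return DNSBL_LOOKUP_FAILED;
    return DNSBL_LISTED;
}

/* Assumed policy: reject mail only on a confirmed listing, never on a failed lookup. */
int should_block(int rcode, const char *answer)
{
    return classify_dnsbl(rcode, answer) == DNSBL_LISTED;
}

int main(void)
{
    /* Constructed replies: a genuine listing, then a resolver that rewrites NXDOMAIN. */
    printf("%d %d\n", should_block(RCODE_NOERROR, "127.0.0.2"),
           should_block(RCODE_NOERROR, "203.0.113.10"));
    return 0;
}
```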
A system state backup fails while attempting to perform anything other than a full backup on a server running Forefront Protection for Exchange
Problem
A system state backup fails while attempting to perform anything other than a full backup on a server running Forefront Protection for Exchange.
Symptoms
The backup will fail. The following will be generated within the Application Log:
Error FSCVSSWriter 11003
Microsoft Forefront Protection VSS Writer failed when preparing for backup. Writer instance: FSCVSSWriter Error code: 0x00000000
Warning VSS 8229
A VSS writer has rejected an event with error 0x800423f0, The shadow-copy set only contains only a subset of the volumes needed to correctly backup the selected components of the writer.
Changes that the writer made to the writer components while handling the event will not be available to the requester. Check the event log for related events from the application hosting the VSS writer.
Forefront Protection for Exchange filters email with attached .MSG files that contain a subject line ending with a file extension
Problem
If a file filter is set in Forefront Protection for Exchange, to act on .COM files for example, Forefront will also apply this filter to MSG files attached to emails where the MSG attachment contains a subject line that ends with “.com”.
Symptoms
Forefront filters emails that have MSG attachments where the subject line of the MSG attachment ends with a file extension that matches a file name in the Forefront Protection for Exchange file filter list.
The Forefront Protection for Exchange client crashes when adding an IP address, or range, to either the IP Allow/Block List
Problem
If a duplicate IP address is added to Forefront’s IP Allow/Block List, either directly in Forefront or as replicated from Exchange’s IP Allow/Block List, the microsoftforferontsecuritysuite.ui.console.exe process will crash, causing the administrative console to hang or close.
If an IP range is added encompassing another individual entry or an individual entry is added that already exists, the microsoftforferontsecuritysuite.ui.console.exe will crash causing the administrative console to close. The progress bar will initiate in the GUI but never finish and if the SAVE button is pressed, the console will hang or close. The IP Allow/Block list can be administered either directly in Forefront Protection or in Exchange where it is replicated to Forefront.
Symptoms
The Forefront Protection for Exchange administrative console will hang or close.
Forefront Protection for Exchange sends legitimate email to Exchange’s UNDELIVERABLE folder
Problem
An issue has been identified in Forefront that can put the FSEAgent into an error state when scanning files larger than 16 kilobytes but smaller than 1 megabyte.
Symptoms
All messages within these size parameters are sent to Exchange’s UNDELIVERABLE folder.
Store slows down and RPC request queue length rises when Forefront Protection for Exchange is running on Windows 2003 64-bit server.
Problem
You install Forefront Protection for Exchange on a Windows 2003 64-bit server. The number of RPC requests being processed by the Information Store (store.exe) exceeds the number of incoming RPC requests per second. Store.exe cannot process mails and the number of RPC Requests pending rises.
Symptoms
The Exchange Store slows down and the RPC request queue length increases.
The Forefront Protection for Exchange FSCUtility fails if run on a non-clustered server on which the cluster service is installed but disabled
Problem
You install Forefront Protection for Exchange on a non-clustered server. The server also has the cluster service present, but it is disabled. When you run FSCUtility.exe on the server, it returns an error.
Symptoms
If you try to run FSCUtility.exe on the server, the following error is returned (example using the /disable parameter):
FSCUtility.exe /disable
Cause
Forefront Protection for Exchange uses the presence of the cluster service to determine whether the installation is clustered or non-clustered. Once the service is detected, Forefront Protection for Exchange attempts to retrieve CMS data, which is not present on a non-clustered server. The command therefore fails.
Files such as XLS and CSV are incorrectly identified as MacBin files by Forefront Protection for Exchange leading to an "Exceedingly Nested" tag
Problem
Forefront Protection for Exchange detects certain files incorrectly as MacBin (or Mac Binary) files.
Symptoms
If you have set up a file filter to delete MacBin files, Forefront Protection for Exchange may delete certain non-MacBin files by incorrectly matching them to the filter.
Cause
The MacBin, or Mac Binary, file format is very open and can lead to Forefront Protection for Exchange making false positive detections. MacBin navigator specifications have been tightened in the Rollup 1 for Forefront Protection for Exchange release, which will reduce the likelihood of false positive detections occurring.
Forefront Protection for Exchange does not send External Sender notifications
Problem
Forefront Protection for Exchange does not send External Sender notifications.
Symptoms
External Senders will not receive Forefront generated notifications for email Forefront takes action on.
The FSCManualScanner.exe process in Forefront Protection for Exchange terminates unexpectedly
Problem
The FSCManualScanner.exe process in Forefront Protection for Exchange terminates unexpectedly
Symptoms
The manual scan stops scanning.
The FSECCRService.exe process in Forefront Protection for Exchange may stop responding, and this generates a Dr. Watson crash that references Bucket ID 1076269539
Problem
The FSECCRService.exe process in Forefront Protection for Exchange may stop responding, and this generates a Dr. Watson crash that references Bucket ID 1076269539
Symptoms
Dr. Watson crash referencing Bucket ID 1076269539
Performance enhancement for the scanning of OpenXML files in Forefront Protection for Exchange
Problem
Forefront Protection for Exchange scans an OpenXML file that contains thousands of manifest files.
Symptoms
In the case where an OpenXML file contains thousands of manifest files, the time taken for Forefront Protection for Exchange to scan is unnecessarily long.
Dr. Watson reports a null reference exception in Microsoft.FSS.AntiSpam.dll in Forefront Protection for Exchange; Bucket ID [838554094]
Problem
Dr. Watson reports a null reference exception in Microsoft.FSS.AntiSpam.dll, when using the Microsoft.FSS.AntiSpam.ContentFilter.Eventing.CreateEventingXml method.
Symptoms
Dr. Watson reports Bucket ID [838554094] when this issue occurs.
Spam Reports may take an excessive amount of time to retrieve in Forefront Protection for Exchange
Problem
When you attempt to retrieve Spam Reports in Forefront Protection for Exchange you find that the operation takes an excessive amount of time.
Symptoms
In the Forefront Administrator console, the screen appears blank and no data is present in the dashboard. If you run the Get-FseSpamReport PowerShell command, you may receive an error similar to the following one:
Get-FseSpamReport : Could not load file or assembly 'System.Core, Version=2.0.0.0, Culture=neutral,PublicKeyToken=b77a5c561934e089' or one of its dependencies. The system cannot find the file specified.
A less than optimal routine for retrieving spam reports has been identified.
A scan job in Forefront Protection for Exchange will not restart after hitting the MaxDisableWait time timeout threshold
Problem
If the Forefront Protection for Exchange worm list gets into a bad state, or is accidentally deleted, then any scanner that is temporarily paused during an engine update that exceeds the MaxDisabledWait time will not restart.
Symptoms
Legitimate mail is sent to the Quarantine. Mail flow is slow.
Forefront Protection for Exchange allows mail to go through unscanned if the MaxDisabledWait time threshold is exceeded
Problem
The MaxDisableWait time is the time given for a scan job to remain paused typically during an engine update. If the update exceeds that time threshold, mail will be permitted to go through unscanned while the process completes. The scan process should instead terminate, temporarily stopping mail flow, until the scan job starts.
Symptoms
Slow mail flow. Unscanned mail delivered.
Forefront Protection for Exchange generates more Realtime Scan Timeout notifications than expected
Problem
If Forefront’s scan process takes more than 2.5 minutes, the scan will time out. Because the engine download time is incorporated into the scan time timeout threshold and the engine download times have increased, you may see a rise in scan time timeouts. Forefront Protection for Exchange hotfix rollup 1 increases this timeout value from 2.5 minutes to 10 minutes.
Symptoms
Increased numbers of Realtime timeout notifications
Sluggish or stopped mail flow resulting from the FSCTransportScanner process, within Forefront Protection for Exchange, crashing while scanning files with embedded object links.
Problem
Forefront’s FSCTransportScanner process crashes when scanning embedded object links within a file in the following scenario:
The PackagedOleNativeStream in a Structured Storage attachment contains filename and file path headers, but does not contain any scannable content. The scannable content is linked in a file external to the stream. The PackagedOleNativeStream parsing code is expecting the scannable content to be present locally in the stream and as a result tries to access a vector beyond its bounds, thus resulting in a crash of the process.
Symptoms
Sluggish mail flow resulting from the FSCTransportScanner process restarting as well as the Application Log containing the following:
Faulting application FSCTransportScanner.exe, version 11.0.677.0, time stamp 0x4ac58121, faulting module FSCTransportScanner.exe, version 11.0.677.0, time stamp 0x4ac58121, exception code 0xc000000d, fault offset 0x00061fa4, process id 0x368, application start time 0x01cacf1edd0d0ff2
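The crash described above is a length-trust problem: the parser assumed that payload bytes follow the filename and file path headers. The following C code is an added example, not Forefront code; the stream layout (name, path, then an optional little-endian length and payload) is a simplified, hypothetical stand-in for the real PackagedOleNativeStream format, and all names are assumptions. Every read is checked against the remaining buffer, so a headers-only (linked) stream is reported as having no content instead of being read past its end.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum pkg_status { PKG_OK, PKG_NO_CONTENT, PKG_MALFORMED };
struct pkg_view {                 /* pointers refer into the caller's buffer */
    const char *name, *path;
    const uint8_t *data;          /* NULL when nothing is embedded */
    uint32_t data_len;
};

/* Return the NUL-terminated string at *off, or NULL if no NUL precedes the end. */
static const char *read_cstr(const uint8_t *buf, size_t len, size_t *off)
{
    if (*off >= len) return NULL;
    const uint8_t *start = buf + *off, *nul = memchr(start, 0, len - *off);
    if (nul == NULL) return NULL;
    *off = (size_t)(nul - buf) + 1;
    return (const char *)start;
}

/* Hypothetical layout: name\0 path\0 [u32 little-endian length, payload]. */
enum pkg_status parse_package(const uint8_t *buf, size_t len, struct pkg_view *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);
    if ((out->name = read_cstr(buf, len, &off)) == NULL) return PKG_MALFORMED;
    if ((out->path = read_cstr(buf, len, &off)) == NULL) return PKG_MALFORMED;
    if (off == len) return PKG_NO_CONTENT;       /* linked object: headers only */
    if (len - off < 4) return PKG_MALFORMED;     /* no room for the length field */
    uint32_t n = (uint32_t)buf[off] | (uint32_t)buf[off + 1] << 8 |
                 (uint32_t)buf[off + 2] << 16 | (uint32_t)buf[off + 3] << 24;
    off += 4;
    if (n > len - off) return PKG_MALFORMED;     /* declared size exceeds the stream */
    if (n == 0) return PKG_NO_CONTENT;
    out->data = buf + off; out->data_len = n;
    return PKG_OK;
}

/* Constructed samples: embedded payload, headers only, oversized length field. */
static const uint8_t EMBEDDED[] = { 'a','.','x',0, 'C',':','\\','a',0, 3,0,0,0, 'a','b','c' };
static const uint8_t LINKED[]   = { 'a','.','x',0, 'C',':','\\','a',0 };
static const uint8_t OVERLONG[] = { 'a',0, 'b',0, 0xff,0xff,0,0, 'x' };
int main(void)
{
    struct pkg_view v;
    printf("%d %d %d\n", parse_package(EMBEDDED, sizeof EMBEDDED, &v),
           parse_package(LINKED, sizeof LINKED, &v), parse_package(OVERLONG, sizeof OVERLONG, &v));
    return 0;
}
```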
Forefront Protection for Exchange does not have a Skip/Detect action option for the MaxContainerScanTime action menu
Problem
Forefront Protection for Exchange hotfix rollup 1 provides the option to Skip/Detect files for which Forefront exceeds the MaxContainerScanTime threshold, as opposed to solely "Delete".
Symptoms
Any file that Forefront Protection scans as a container and that reaches its MaxContainerScanTime threshold will, by default, be purged. With the application of hotfix rollup 1, users will now have the option to set the action to Skip/Detect.
This action can be set in the administrative console:
Under Policy Management in the console is the Antimalware pane. Under Antimalware, users can see their scan jobs; typically RealTime, Transport and Scheduled. Highlighting any of these scan jobs provides the user a list containing editable scan actions for various scenarios. The MaxContainerScanTime will now allow users to set an action of Skip/Detect.
Hotfix rollup information
Download information
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
How to install the hotfix rollup
To install the hotfix rollup, follow these steps:
Run the installer. To do this, double-click the hotfix rollup executable file.
Note When the installer is running, the Forefront services are stopped.
After the installation is complete, and the Forefront services are restarted, make sure that Forefront is working correctly.
Notes
The Forefront services are restarted automatically during the installation.
Forefront service packs or hotfix rollups can be installed by using the FFSMC Deployment job. For more information, see "Deployment Jobs" in the Forefront Server Security Management Console User's Guide. In this case, the installer runs in silent mode, and user input is not required. The rest of the process remains the same as when you double-click the executable file to run the installer.
Prerequisites
This hotfix rollup requires that Forefront Protection for Exchange is installed.
File information
This hotfix may not contain all the files that you must have to fully update a product to the latest build. This hotfix contains only the files that you must have to correct the issues that are listed in this article.
The English (United States) version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.