Microsoft has released Hotfix Rollup 3 for Microsoft Forefront Protection for Exchange. This article contains information about how to obtain the hotfix rollup and about the issues that are fixed by the hotfix rollup.
Delivery of Transport-Quarantined messages is now possible in the original message format
Summary: Forefront Protection for Exchange now enables administrators to deliver messages from the Quarantine in their original format, rather than as an attachment to a Forefront-generated message. This allows for seamless delivery of Quarantine items to end-users, who will not witness any visible changes to the original messages (other than a delay in delivery).
The new functionality is only possible where the following conditions are met:
1. The original message has been quarantined as an EML file (whole message, not in separate parts)
2. When you choose to deliver the message, you select the “Send to original recipients” option
Condition 1 - Messages are quarantined as EML files on the Transport Scanjob only and typically when the Scan Action taken was “Purge”. To check whether a message was quarantined as an EML file, go to Monitoring\Server Security Views\Quarantine in the Forefront Administrator console and select the message. Under Detection Details at the bottom of the Forefront Administrator console, verify that the File field lists the file name as “Entire Message.eml”. Only “Entire Message.eml” files can be delivered from the Quarantine in their original format.
Condition 2 - If you specify any “additional recipients” when delivering from the Quarantine they will not receive the original message. Only original recipients are able to receive the message in its original format.
When the above conditions are not met, the quarantined item will be attached to a new message (default subject: “Message delivered from Microsoft Forefront Protection for Exchange Server Quarantine”), as in previous versions of Forefront Protection for Exchange.
This new functionality only applies to messages that are quarantined after Rollup 3 for Forefront Protection for Exchange has been installed.
The MSGID field will be removed from the original message, thus allowing Exchange to create a new MSGID when the message is delivered from the Quarantine. This is to avoid MSGID conflicts.
When you choose to redeliver a message from the Quarantine and also choose to bypass filtering by ensuring that the “Rescan filters on send” in the Forefront Administrator console is not checked, a new X-MS-EXCHANGE-FOREFRONT-FILTERS header will be inserted into the new EML file. This header is in the protected header namespace, so Exchange will strip these on the way into and out of your Exchange environment for added security.
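The two header changes described above can be verified on a saved .eml. The following is an added example, not code from the KB article or from the product: it parses the header block of an .eml (folded continuation lines included) and reports whether a Message-ID (the MSGID field) is present and whether the X-MS-EXCHANGE-FOREFRONT-FILTERS header is present. Because that header tells Exchange to skip filtering, seeing it on a message that entered from outside the organization would mean the protected-header stripping is not taking effect, which is the condition worth alerting on. The sample .eml text and the header value are constructed; the article does not show the header's value.

```powershell
# Added example (not from the KB article): report on the two headers the rollup affects
# in a quarantined or redelivered .eml. Sample input below is constructed.

function Get-EmlHeaderReport {
    param([Parameter(Mandatory)] [string[]] $EmlLines)
    # RFC 822 style: headers run until the first blank line; a line starting with
    # whitespace continues the previous header (folding).
    $Headers = @{}
    $Current = $null
    foreach ($Line in $EmlLines) {
        if ($Line -eq '') { break }
        if ($Line -match '^\s' -and $Current) {
            $Headers[$Current] += ' ' + $Line.Trim()
        } elseif ($Line -match '^(?<Name>[^:\s]+):\s*(?<Value>.*)$') {
            $Current = $Matches['Name'].ToLowerInvariant()
            $Headers[$Current] = $Matches['Value']
        }
    }
    [pscustomobject]@{
        HasMessageId        = $Headers.ContainsKey('message-id')                      # expected $false after quarantine redelivery
        HasForefrontFilters = $Headers.ContainsKey('x-ms-exchange-forefront-filters') # $true only when filtering was bypassed on send
        ForefrontFilters    = $Headers['x-ms-exchange-forefront-filters']
    }
}

# Constructed sample: a message as redelivered with "Rescan filters on send" unchecked.
# The header value is a placeholder; the article does not document the real value.
$SampleEml = @(
    'From: sender@example.com',
    'To: user@example.com',
    'Subject: Quarterly report',
    'X-MS-EXCHANGE-FOREFRONT-FILTERS: <constructed value>',
    '',
    'Body text'
)

$Report = Get-EmlHeaderReport -EmlLines $SampleEml
$Report

# Check worth alerting on: the bypass header should never survive on mail that came from outside.
if ($Report.HasForefrontFilters) {
    Write-Host 'X-MS-EXCHANGE-FOREFRONT-FILTERS present: acceptable only on a Quarantine redelivery inside the organization.'
}
```

For a real file, pass `(Get-Content -LiteralPath 'C:\path\to\message.eml')` as `-EmlLines`. The report for the constructed sample shows `HasMessageId` false and `HasForefrontFilters` true, which is exactly what a filtering-bypassed redelivery looks like.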
Details of the issues that are fixed in the hotfix rollup
Mail queues and sluggish Exchange/Outlook performance
Under heavy load the queries Forefront Protection for Exchange makes to Active Directory may result in performance issues. By default, Forefront Protection for Exchange will now enable the OptimizeADQuery option within the registry.
Increased "Available Disk Space" Health Point threshold to 250 MB
You can monitor your Forefront Protection 2010 for Exchange Server (FPE) environment by viewing statistics and health monitoring reports. To view these health monitoring check point statistics, open the Forefront Protection 2010 for Exchange Server Administrator Console, click Monitoring and under Server Security Views, click Dashboard.
One health check point is Available Disk Space. Forefront Protection for Exchange has increased the measure of what is considered a healthy state of "Available Disk Space" from between 25 and 50 MB to 250 MB. Forefront Protection for Exchange will give warnings and errors when disk space reaches these thresholds.
If the new threshold is reached, the following warning will be written to the Application Log:
Event ID: 7037
Task Category: Health Status
Description: There is less than 256000 KB of disk space available. This could have a negative impact on system’s scanning.
Error: The DNS Blocklist lookup domain blocklist.messaging.microsoft.com could not be contacted
When the Forefront services are starting, during a reboot for example, a test is performed to check the availability of the DNS blocklist. If the test begins before all of the computer's networking services have started, the test fails, generating the following error in the Application Log:
Log Name: Application
Source: Microsoft Forefront Protection
Date: 10/16/2010 12:00:42 PM
Event ID: 2098
Task Category: General
Computer: [Server Name]
Description: The DNS Blocklist lookup domain blocklist.messaging.microsoft.com could not be contacted. This will prevent DNS Blocklist lookups. Please verify your network connectivity.
Hotfix Rollup 3 for Forefront Protection for Exchange addresses this timing issue.
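Both of the events above (7037 for the Available Disk Space threshold and 2098 for the DNS Blocklist test) are worth watching after the rollup is installed. The following is an added example, not from the KB article: it pulls those two event IDs from the Application log and classifies each 2098 by how long after the last boot it was logged, so the startup timing case the rollup addresses is separated from a genuine connectivity problem. The provider name is assumed to match the Source shown in the article's sample event, and the 5-minute boot window is an arbitrary choice.

```powershell
# Added example (not from the KB article): classify Forefront health events 7037 and 2098.
# Assumptions: ProviderName 'Microsoft Forefront Protection' equals the event Source shown
# in the article; the boot window of 5 minutes is arbitrary.

function Get-ForefrontHealthEvents {
    param(
        [int] $Days = 7,
        [int] $BootWindowMinutes = 5
    )
    # Get-WmiObject keeps this usable on the Windows Server 2008 R2 era hosts FPE ran on
    $Os = Get-WmiObject -Class Win32_OperatingSystem
    $BootTime = $Os.ConvertToDateTime($Os.LastBootUpTime)

    $Filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft Forefront Protection'   # assumption: matches the event Source
        Id           = @(7037, 2098)
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat "no events" as an empty result
    $Entries = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue

    foreach ($Entry in $Entries) {
        $Class = switch ($Entry.Id) {
            7037 { 'DiskSpaceBelowThreshold' }            # Available Disk Space health point (250 MB)
            2098 {
                $MinutesAfterBoot = ($Entry.TimeCreated - $BootTime).TotalMinutes
                if ($MinutesAfterBoot -ge 0 -and $MinutesAfterBoot -le $BootWindowMinutes) {
                    'DnsBlocklist-StartupTiming'         # the timing issue this rollup addresses
                } else {
                    'DnsBlocklist-Connectivity'          # not boot-related: check DNS and the network path
                }
            }
        }
        [pscustomobject]@{
            Time  = $Entry.TimeCreated
            Id    = $Entry.Id
            Class = $Class
            Text  = ($Entry.Message -split "`n")[0]      # first line of the description
        }
    }
}

Get-ForefrontHealthEvents | Sort-Object Time | Format-Table -AutoSize
```

A 2098 classified as `DnsBlocklist-Connectivity` on a host that already has the rollup installed is the case that needs a network or DNS investigation; repeated `DiskSpaceBelowThreshold` entries mean the scanning volume is running under the 250 MB health point.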
The Exchange Information store crashes with Forefront Protection for Exchange installed
The STORE.EXE process can crash on Exchange while running Forefront Protection for Exchange.
If an Exchange mailbox with a folder exists with a name containing over 1,024 characters, Forefront Protection for Exchange is unable to scan files within this folder ultimately resulting in the STORE.EXE crash.
An attempted upgrade of Forefront Protection for Exchange fails with a "Registration Service Failed" error
When running an upgrade of Forefront Protection for Exchange, you can use the /n switch, which should allow an administrator to skip the domain preparation portion of the install. However, this requires Organizational Management privileges. If the account lacks these privileges, the upgrade may silently fail and remove Forefront.
Hotfix rollup 3 changes this so that these privileges are not required to use the /n switch, and the domain preparation portion of the install is skipped successfully.
You receive Forefront Protection Health Notifications indicating a status of "Green to Green"
Forefront Protection for Exchange may send a Microsoft Forefront Protection for Exchange Server Health Notification indicating a status of "Green New Status: Green". This is essentially communicating that a healthy (green) checkpoint is still healthy (green). In order to eliminate confusion, Forefront Protection for Exchange with hotfix rollup 3 will no longer send administrators these notifications.
Forefront generates a MaxDisabledWait error within 15 minutes after starting
After installing or upgrading Forefront Protection for Exchange, a MaxDisabledWait error occurs and mail queues.
When Forefront Protection for Exchange starts, it relies on at least one antivirus scan engine being present and functional so that it can begin scanning. If all scan engines are disabled and the MSAV engine, which is available by default, is updating, you may see a MaxDisabledWait error. In this instance, the error indicates that no engines were available for scanning, which results in queued mail and the Forefront-generated MaxDisabledWait error.
A MaxDisabledWait error occurs and Forefront Protection does not recover
If more than one engine is updating simultaneously, and one engine update fails and needs to roll back to its previous version, the scan job can enter a disabled state.
This can happen if an exception occurs in the early stages of the GetEnginesFile process while multiple engines are updating at the same time.
Forefront Protection doesn't apply keyword filtering within hyperlink strings
By default, Forefront Protection for Exchange does not keyword filter within hyperlink strings found in the body of an email.
In order to provision Forefront Protection for Exchange to apply keyword filtering within hyperlinks:
Apply Forefront Protection for Exchange Hotfix Rollup 3
Create the following extended option: SkipHtmlTags
Set SkipHtmlTags to FALSE
In order to create the extended option and set it to false:
Open Forefront Management Shell
Type the following (case sensitive): new-fseextendedoption -name SkipHtmlTags -value false
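The command above creates the option unconditionally. As an added example (not from the KB article), the script below first checks whether the option already exists, creates or updates it as needed, and reads it back to confirm the value. It assumes that Get-FseExtendedOption and Set-FseExtendedOption are available in the Forefront Management Shell alongside New-FseExtendedOption, which is the only cmdlet the article shows; run it from the Forefront Management Shell.

```powershell
# Added example (not from the KB article): idempotent creation of the SkipHtmlTags
# extended option. Assumption: Get-FseExtendedOption and Set-FseExtendedOption exist
# with a -Name parameter, as New-FseExtendedOption does.

$OptionName = 'SkipHtmlTags'   # case sensitive, per the article

$Existing = Get-FseExtendedOption -Name $OptionName -ErrorAction SilentlyContinue
if ($null -eq $Existing) {
    # Option absent: create it with the value that turns on keyword filtering inside hyperlinks
    New-FseExtendedOption -Name $OptionName -Value false
} elseif ("$($Existing.Value)" -ne 'false') {
    # Option present with another value: update it rather than trying to recreate it
    Set-FseExtendedOption -Name $OptionName -Value false
}

# Read back to confirm; the Value column should show false
Get-FseExtendedOption -Name $OptionName
```

The read-back step matters because the option name is case sensitive: a mistyped name silently creates a second, unused option and hyperlink text keeps bypassing the keyword filter.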
Forefront Protection for Exchange crashes while scanning a TAR file
If Forefront Protection for Exchange attempts to scan a TAR file with a name of forty (40) characters or more, any of the following processes may crash: FSCTransportScanner.exe, FSCRealtimeScanner.exe, FSCScheduledScanner.exe, and FSCManualScanner.exe. This will result in mail queues.
An engine update fails in Forefront Protection for Exchange
If a local antivirus application is running on a computer that is also running Forefront Protection for Exchange, the local antivirus application may lock one of Forefront's engine update files causing the update to fail.
The engine update will fail and roll back to the previous version.
The following is an example of the engine error you will see in the trace log:
[DATE-TIME][PID][TRACE_LEVEL_ERROR][EngineUpdates][getenginefileslib][GefCommon_cpp64][GEF::LogMessage]UpdateException: GetFileCommand failed on Local Filename: unp020.avc Remote Filename: unp020.avc.cab. (0x00000020) The process cannot access the file because it is being used by another process. Failed to open file: C:\Program Files (x86)\Microsoft Forefront Protection for Exchange Server\Data\Engines\x86\Kaspersky\Package\Staging/unp020.avc.cab
Emails that are 90 MB or larger are being sent to the Forefront archive folder
Forefront Protection for Exchange may encounter an insufficient memory state while scanning emails that are 90 MB or larger.
This will result in the non-delivery of these emails and the email being sent to the Forefront\Data\Archive\Undeliverable folder.
The following entries will be logged to the Forefront trace log:
DATE-TIME (PID), "ERROR: An exception has occurred within ForefrontAgent's Scan method. Exception message = "Insufficient memory to continue the execution of the program."
DATE-TIME (PID)"INFORMATION: ArchiveMailMessage called to archive d:\Forefront\Data\Archive\Undeliverable\xxxxx.eml
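The two trace-log signatures above (the locked engine update file in the previous section and the insufficient-memory scan failure followed by an ArchiveMailMessage entry in this one) can be picked out of the trace log with a small parser. The following is an added example, not from the KB article: it matches each line against the shapes quoted in the article, extracts the locked staging file or the archived .eml path, and pairs each finding with the follow-up action. The sample lines are constructed to match the quoted formats (PIDs, timestamps and the archive file name are made up), and the trace-log location is not given in the article, so pass your own path.

```powershell
# Added example (not from the KB article): parse Forefront trace-log lines for the
# engine-update lock and the out-of-memory archive signatures. Sample lines are constructed.

function Get-ForefrontTraceFindings {
    param([Parameter(Mandatory)] [string[]] $Lines)

    # Engine update failure: 0x00000020 is ERROR_SHARING_VIOLATION; capture the file being held
    $LockedFilePattern = 'UpdateException:.*?\(0x00000020\).*?Failed to open file:\s*(?<File>\S.*)$'
    # Scan aborted for lack of memory, and the archive entry that follows it
    $MemoryPattern     = 'Insufficient memory to continue the execution of the program'
    $ArchivePattern    = 'ArchiveMailMessage called to archive\s+(?<Eml>[^\s"]+\.eml)'

    foreach ($Line in $Lines) {
        if ($Line -match $LockedFilePattern) {
            [pscustomobject]@{
                Finding = 'EngineUpdateFileLocked'
                Detail  = $Matches['File'].Trim()
                Action  = 'Exclude the Forefront engine staging folder from the local antivirus scanner'
            }
        } elseif ($Line -match $MemoryPattern) {
            [pscustomobject]@{
                Finding = 'ScanOutOfMemory'
                Detail  = 'ForefrontAgent Scan method raised an insufficient-memory exception'
                Action  = 'Expect an ArchiveMailMessage entry; the message was not delivered'
            }
        } elseif ($Line -match $ArchivePattern) {
            [pscustomobject]@{
                Finding = 'MessageArchivedUndeliverable'
                Detail  = $Matches['Eml']
                Action  = 'Review the archived EML in Archive\Undeliverable and redeliver once resolved'
            }
        }
    }
}

# Constructed sample lines (shapes taken from the article; timestamps, PIDs and names are made up)
$SampleLines = @(
    '[2010-10-16 12:00:42][1234][TRACE_LEVEL_ERROR][EngineUpdates][getenginefileslib][GefCommon_cpp64][GEF::LogMessage]UpdateException: GetFileCommand failed on Local Filename: unp020.avc Remote Filename: unp020.avc.cab. (0x00000020) The process cannot access the file because it is being used by another process. Failed to open file: C:\Program Files (x86)\Microsoft Forefront Protection for Exchange Server\Data\Engines\x86\Kaspersky\Package\Staging/unp020.avc.cab',
    '2010-10-16 12:05:10 (1234), "ERROR: An exception has occurred within ForefrontAgent''s Scan method. Exception message = "Insufficient memory to continue the execution of the program."',
    '2010-10-16 12:05:11 (1234)"INFORMATION: ArchiveMailMessage called to archive d:\Forefront\Data\Archive\Undeliverable\example.eml'
)

Get-ForefrontTraceFindings -Lines $SampleLines | Format-Table -AutoSize

# Against a real log (the path is not given in the article; substitute your own):
# Get-ForefrontTraceFindings -Lines (Get-Content -LiteralPath '<path to Forefront trace log>')
```

On the constructed input this yields three findings: the locked Kaspersky staging file, the out-of-memory exception, and the archived example.eml. The first finding's `Detail` is the exact path to add to the local antivirus exclusion list, which is the usual fix for the engine-update failure.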
The Microsoft Forefront Server Protection Eventing Service will not start following an upgrade from a beta version of Forefront Protection for Exchange
You upgrade to Rollup 0, 1 or 2 for Forefront Protection for Exchange from a beta version of the product. After the upgrade, you find that the Microsoft Forefront Server Protection Eventing Service will not start. Due to dependencies, this also leads to the Microsoft Exchange Transport service failing to start.
If you open the Services panel (services.msc) you notice that the Microsoft Forefront Server Protection Eventing Service has not started. If you attempt to start this service you receive an error and additionally the following event may be written to the system event log (eventvwr.msc):
Source: Service Control Manager
Event ID: 7000
Task Category: None
Description: The Microsoft Forefront Server Protection Eventing Service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.
Forefront Protection for Exchange detects files as “Engine Error” when no engines have been enabled for scanning
You disable all scan engines from scanning, for example by doing the following in the Forefront Protection for Exchange administrator console:
Navigate to Policy Management \ Global Settings \ Advanced Options
Under Intelligent Engine Management, change the Engine Management drop down menu to Manual
Change the state of each engine on a scanjob to Disabled
All files scanned by Forefront Protection for Exchange will now result in a detection of “Engine Error”.
All engines are disabled for at least one scanjob in the Forefront Protection for Exchange administrator console (see above), and you see a detection with an incident name of “EngineError” for every message scanned.
After applying Forefront Protection for Exchange hotfix rollup 3, an administrator can disable all scan engines without the spyware component generating an engine error message on subsequently scanned mail. However, it is highly recommended NOT to disable all engines as mail will not be scanned for viruses at that point.
Messages quarantined due to engine error can now be delivered as a complete email
In the past, when a message was quarantined due to an engine error, the body of the email and its attachment were quarantined separately. This quarantine behavior made delivering a complete message from the quarantine problematic.
This behavior occurs because Forefront Protection for Exchange is unable to quarantine “Engine Error” messages in their original format.
This functionality has been changed in Forefront Protection for Exchange Hotfix Rollup 3 so now the complete EML is quarantined when resulting from an engine error. Delivery is as easy as navigating to Monitoring\Quarantine and then highlighting your email and clicking “Deliver selected items”.
High CPU conditions in the EdgeTransport.exe process result in a crash
If FPE deems a piece of email as spam it must write that mail to XML as part of the database process. If that piece of spam contains a character in the subject line that FPE is unable to sanitize before writing to XML, an exception is created that FPE is unable to process properly. This leads to a CPU spike and ultimately an EdgeTransport.exe crash.
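The failure mode above is a general one: a string taken from untrusted input (here a spam subject) is serialized to XML, and a character that XML 1.0 does not allow makes the writer throw; if that exception is not handled, the host process goes down with it. The following is an added example, not from the KB article and not FPE's own sanitization routine (the article does not describe it): it reproduces the exception with the .NET XmlWriter on a constructed subject containing a control character, then shows a generic sanitizer that removes characters outside the XML 1.0 character range before the write. The subject string and the element names are constructed.

```powershell
# Added example (not from the KB article): XML serialization of an untrusted subject line,
# with and without sanitizing. Constructed input; element names are made up.

function ConvertTo-XmlSafeText {
    param([Parameter(Mandatory)] [AllowEmptyString()] [string] $Text)
    # XML 1.0 allows only #x9, #xA, #xD, #x20-#xD7FF and #xE000-#xFFFD in the BMP.
    # This conservative filter also drops surrogate pairs (characters outside the BMP).
    return ($Text -replace '[^\x09\x0A\x0D\x20-\uD7FF\uE000-\uFFFD]', '')
}

function Write-SubjectRecord {
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $Subject,
        [switch] $Sanitize
    )
    $Text = if ($Sanitize) { ConvertTo-XmlSafeText -Text $Subject } else { $Subject }

    $Settings = New-Object System.Xml.XmlWriterSettings
    $Settings.CheckCharacters = $true        # default; the writer rejects illegal XML characters
    $Settings.OmitXmlDeclaration = $true
    $Sb = New-Object System.Text.StringBuilder
    $Writer = [System.Xml.XmlWriter]::Create($Sb, $Settings)

    $Writer.WriteStartElement('SpamRecord')
    $Writer.WriteElementString('Subject', $Text)   # throws here when $Text holds an illegal character
    $Writer.WriteEndElement()
    $Writer.Close()
    return $Sb.ToString()
}

# Constructed subject with a vertical tab (0x0B), which is not a legal XML 1.0 character
$BadSubject = 'Invoice' + [char]0x0B + 'overdue'

try {
    Write-SubjectRecord -Subject $BadSubject
} catch {
    # Unhandled, this exception is the crash path; handled, it is just a logged failure
    Write-Host "Unsanitized write failed: $($_.Exception.Message)"
}

# Sanitized: the record is written and the control character is gone
Write-SubjectRecord -Subject $BadSubject -Sanitize
```

The first call prints the writer's invalid-character error; the second returns `<SpamRecord><Subject>Invoiceoverdue</Subject></SpamRecord>`. Either sanitizing before the write or wrapping the write in a handler would have kept the transport process up; doing both is the defensive choice, since the sanitizer protects the data format and the handler protects the process.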
You receive Forefront generated email notification that the Cloudmark engine or Worm list could not update
Microsoft has corrected an issue on our engine distribution servers that resulted in some customers being unable to receive engine updates for both the Cloudmark engine and the Worm list.
Forefront Protection sends the following email(s) to the administrator:
Subject: Microsoft Forefront Protection for Exchange Server failed to update the scan engine WormList [Server Name]
Contents: Error occurred in the Microsoft Forefront Protection while updating the scan engines.
Exchange email queues at startup following an abnormal shutdown
Following an abnormal Exchange server shutdown, the Forefront Configuration.xml file, and its backup file, are corrupted. Forefront cannot start at this point. Due to the dependencies between Forefront and Exchange, Exchange cannot complete startup either. This will cause email to queue.
Exchange will queue email
The application Log will contain the following error:
Event ID: 2063
Description: Failed to initialize document
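After an abnormal shutdown it is useful to know whether the configuration file or its backup is still well-formed before the Forefront services, and therefore the Exchange Transport service, are started. The following is an added example, not from the KB article: it test-loads each file with the .NET XML parser and reports the result, and demonstrates itself on a constructed, truncated file written to the temp folder. The paths to Configuration.xml and its backup are placeholders, since the article does not give them; substitute the real locations.

```powershell
# Added example (not from the KB article): check that Forefront's Configuration.xml and its
# backup parse as XML. File paths are placeholders; the demo file is constructed.

function Test-ForefrontConfigFile {
    param([Parameter(Mandatory)] [string] $Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; WellFormed = $false; Error = 'file not found' }
    }
    try {
        $Doc = New-Object System.Xml.XmlDocument
        $Doc.Load($Path)   # throws XmlException on truncated or corrupt content
        [pscustomobject]@{ Path = $Path; Exists = $true; WellFormed = $true; Error = $null }
    } catch {
        [pscustomobject]@{ Path = $Path; Exists = $true; WellFormed = $false; Error = $_.Exception.Message }
    }
}

# Demonstration on a constructed, truncated file (simulates a write cut short by a crash)
$Demo = Join-Path $env:TEMP 'Configuration.demo.xml'
Set-Content -LiteralPath $Demo -Value '<Configuration><Setting name="x">'
Test-ForefrontConfigFile -Path $Demo | Format-List
Remove-Item -LiteralPath $Demo

# Real check: placeholder paths, substitute the actual Forefront data folder and backup name
$ConfigPath = '<Forefront data folder>\Configuration.xml'
$BackupPath = '<Forefront data folder>\Configuration.xml backup'

$Results = @($ConfigPath, $BackupPath) | ForEach-Object { Test-ForefrontConfigFile -Path $_ }
$Results | Format-Table -AutoSize

if (-not ($Results | Where-Object { $_.WellFormed })) {
    Write-Host 'Neither configuration file parses; expect Event ID 2063 (Failed to initialize document) and restore a known-good copy before starting the Forefront services.'
}
```

On the demo file the result is `WellFormed = False` with an unexpected-end-of-file error from the parser, which is the same condition that produces Event ID 2063 on startup.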
Hotfix rollup information
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
How to install the hotfix rollup
To install the hotfix rollup, follow these steps:
Run the installer. To do this, double-click the hotfix rollup executable file.
Note When the installer is running, the Forefront services are stopped.
After the installation is complete, and the Forefront services are restarted, make sure that Forefront is working correctly.
The Forefront services are restarted automatically during the installation.
This hotfix rollup requires that Microsoft Forefront Protection for Exchange is installed.
This hotfix may not contain all the files that you must have to fully update a product to the latest build. This hotfix contains only the files that you must have to correct the issues that are listed in this article.
The English (United States) version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.