Description of Antigen 9.0 with Service Pack 2

Article ID: 971063

SUMMARY

Microsoft has released Antigen version 9 with Service Pack 2 (SP2). This article describes how to obtain the service pack and lists the issues that the service pack fixes.

This service pack includes all fixes in Antigen 9.0 Service Pack 1 (SP1) and all hotfix rollups released after SP1. For more information about the fixes included in the previous service pack and hotfix rollups, click the following article numbers to view the articles in the Microsoft Knowledge Base:
943623 Hotfixes that are included in Antigen 9.0 Service Pack 1
945597 Description of Hotfix Rollup 1 for Antigen 9.0 Service Pack 1
947184 The Kaspersky scan engine definition files are no longer updated, and event IDs 6012 and 9874 are logged in Antigen 9.0 for Exchange or in Antigen 9.0 for SMTP Gateways
950791 Description of Hotfix Rollup 3 for Antigen 9.0 for Exchange with Service Pack 1
954568 Description of Hotfix Rollup 4 for Antigen 9.0 for Exchange with Service Pack 1
957075 Description of Hotfix Rollup 5 for Antigen 9.0 with Service Pack 1

New Features and Fixes

New features in the Service Pack

  1. The following new scan engine performance counters are added for Simple Mail Transfer Protocol (SMTP), real-time, and manual scan jobs:
    • The average number of messages scanned per second by any engine
    • The average time taken to scan a message by any engine
  2. Antigen version 9 with Service Pack 2 incorporates new anti-spam technology through a partnership with Cloudmark that provides an overall better anti-spam experience including higher detection rates, lower false positives, an improved submission experience, and enhanced service experience. The solution integrates with the Antigen product in much the same manner as any other engine, with a few exceptions.
    • The Cloudmark anti-spam engine receives its signature updates directly from the vendor’s site and not through Microsoft.
    • The signature updates are not configurable in the Antigen administrator, as the other scan engine updates are.
    • Cloudmark uses the FSEContentScanner.exe process to pull the signature updates. The initial download is approximately 80 MB. After that, the updates average between 80 MB and 150 MB spread out over a 24-hour period, so that only a small amount of bandwidth is used every minute.
    • The engine updates for the Cloudmark anti-spam engine are configurable in the Antigen administrator, exactly like the other scan engine updates.
    For more information about the Cloudmark anti-spam engine, including prerequisites, enabling the engine, and how to submit false positives and false negatives, click the following link:
    http://go.microsoft.com/fwlink/?LinkID=125280
    For more information about this feature, visit the following Microsoft Web page:
    http://technet.microsoft.com/en-us/forefront/serversecurity/dd940095.aspx
  3. A new feature is added that gives customers the latest protection against malware by extending the updating capabilities of Antigen version 9 products. This feature can quickly notify users of the availability of a new threat scanning engine, or a planned change in the existing scan engines. These notifications advise administrators on how to make appropriate changes to their product configurations before any changes take effect. The notifications are registered in the Antigen event log entries and can also be configured for e-mail delivery through the "Virus Administrators" notification group. For more information about this feature, visit the following Microsoft Web page:
    http://technet.microsoft.com/en-us/forefront/serversecurity/dd940095.aspx

Issues that are fixed in the Service Pack

In addition to the fixes in Antigen 9.0 SP1 and all hotfix rollups released after SP1, this service pack fixes the following issues:
  1. When you create a custom worm purge list in Antigen for Exchange version 9, worms are removed but not purged
  2. Antigen does not correctly detect some SMIME messages
  3. Antigen may detect 2007 Microsoft Office system files as containing an UnwritableCompressedFile virus
  4. The Antigen disclaimer is not added or an error is generated when a user tries to open a 2007 Office system Calendar
  5. The AntigenService.exe process in Antigen version 9 may crash, and this generates a Dr. Watson crash that references Bucket ID 792770311
  6. The AntigenStarter.exe process may crash, and this generates a Dr. Watson crash that references Bucket ID 1051284231
  7. The Antigen Worm List shows an Update Version of 0 on the Active node of a clustered server
  8. Antigen Service causes heap corruption and crashes during the daily RemoveJunkFolderRules maintenance process
  9. Antigen version 9 may display an inaccurate threshold for keyword hits as defined in the Minimum Unique Keyword Hits option in the Antigen Administrative console
  10. Antigen for Exchange version 9 generates lots of LDAP queries causing e-mail to queue
  11. The GetEngineFiles.exe process in Antigen version 9 may crash during an engine download, and this generates a Dr. Watson crash that references Bucket ID 1148118666, 665956571, or 920198427
  12. HTML-embedded viruses are not removed when you run a Manual scan

Details of the issues that are fixed in the Service Pack


Note All the fixes that are listed in this section apply to the following products, unless otherwise stated:
Antigen for Exchange version 9
Antigen for Exchange version 9 with SP1
Antigen for SMTP Gateways version 9
Antigen for SMTP Gateways version 9 with SP1

  1. When you create a custom worm purge list in Antigen for Exchange version 9, worms are removed but not purged
    Symptoms
    When you create a custom worm purge list as described in the Antigen for Exchange User's Guide, worms are removed but are not purged as they should be. For more information about how to create custom worm purge lists, visit the following Microsoft Web page:
    http://technet.microsoft.com/en-us/library/bb914075.aspx
    Cause
    This problem occurs because the MaxCompressedFileInfections option is also set to zero instead of to a number.

    Workaround
    To work around this problem, change the MaxCompressedFileInfections option to a value that is larger than zero.

    Applies to
    Antigen for Exchange version 9
    Antigen for Exchange version 9 with SP1
  2. Antigen does not correctly detect some SMIME messages
    Symptoms
    Antigen version 9 may not correctly detect some SMIME messages if the SMIME message has a Content-Type or Content-Disposition of "smime.p7m."
  3. Antigen may detect 2007 Microsoft Office system files as containing an UnwritableCompressedFile virus
    Symptoms
    The following Detection information is logged in the ProgramLog.txt file.

    Example:
    INFORMATION: Realtime scan found virus: 
    Folder: *During Scanning* 
    Message: message name  
    File: Office 2007 file name - file name that matches file filter
    Incident: FILE FILTER= file filter detection
    State: Detected
    
    INFORMATION: Realtime scan found virus: 
    Folder: *During Scanning* 
    Message: message name
    File: Office 2007 file name
    Incident: UnwritableCompressedFile
    State: Removed
    
    Example:
    INFORMATION: Realtime scan found virus: 
    Folder: *During Scanning* 
    Message: MessageName 
    File: Office2007FileName.docx->image4.jpeg 
    Incident: FILE FILTER= *.jpeg 
    State: Detected
    
    INFORMATION: Realtime scan found virus: 
    Folder: *During Scanning* 
    Message: MessageName 
    File: Office2007FileName.docx 
    Incident: UnwritableCompressedFile 
    State: Removed
    


    Cause
    This problem occurs because Microsoft Office 2007 files contain sub-files that may match a file filter in Antigen version 9. Then, Antigen removes the sub-files and replaces them with the standard deletion text. This causes Office 2007 files to be detected as an UnwritableCompressedFile virus.

    Note An Office 2007 file contains several sub-files. These sub-files are considered part of the structure of the Office 2007 file.
  4. The Antigen disclaimer is not added or an error is generated when a user tries to open a 2007 Office system calendar invitation
    Symptoms
    In some cases the Antigen disclaimer cannot be appended to an Office 2007 calendar invitation. When this problem occurs, the recipient of a 2007 Office Calendar Invitation may receive an error message formatted in rich text that resembles the following when they open the invite:
    There is not enough memory or disk space to complete the operation


    Applies to
    Antigen for Exchange version 9
    Antigen for Exchange version 9 with SP1
  5. The AntigenService.exe process in Antigen version 9 may crash, and this generates a Dr. Watson crash that references Bucket ID 792770311
    Symptoms
    The AntigenService.exe process in Antigen version 9 may stop responding, and this generates a Dr. Watson crash that references Bucket ID 792770311.
  6. The AntigenStarter.exe process may crash, and this generates a Dr. Watson crash that references Bucket ID 1051284231
    Symptoms
    The AntigenStarter.exe process may stop responding, and this generates a Dr. Watson crash that references Bucket ID 1051284231.
  7. The Antigen Worm List shows an Update Version of 0 on the Active node of a clustered server
    Symptoms
    When you view the Update Version of the Antigen Worm List in SETTINGS, Scanner Updates in the Antigen Administrator, the version is displayed as 0.
  8. Antigen Service causes heap corruption and crashes during the daily RemoveJunkFolderRules maintenance process
    Symptoms
    You may find that the Antigen Service crashes at around 2 AM every day. This causes the current scan jobs to time out. The service does not automatically recover, and the service stays down. Mail is not scanned until the service is restarted.

    Applies to
    Antigen for Exchange version 9
    Antigen for Exchange version 9 with SP1
  9. Antigen version 9 may display an inaccurate threshold for keyword hits as defined in the Minimum Unique Keyword Hits option in the Antigen Administrative console
    Symptoms
    In the Antigen console under Filtering, Keyword, you can define the Minimum Unique Keyword Hits value that Antigen uses when taking the defined action on an e-mail. In some cases, this setting will revert to a number that matches the total number of keywords listed on the selected Filter List, instead of the number defined by the user.

    Cause
    This condition may occur if you are using a version of Antigen earlier than Antigen version 9 with Service Pack 2.
  10. Antigen for Exchange version 9 generates lots of LDAP queries causing e-mail to queue
    Symptoms
    Mail queues may occur on an Exchange server that runs Antigen for Exchange version 9.

    Cause
    This problem can occur because lots of LDAP queries can cause RPC threads to become unavailable. This causes mail to queue.

    Applies to
    Antigen for Exchange version 9
    Antigen for Exchange version 9 with SP1
  11. The GetEngineFiles.exe process in Antigen version 9 may crash during an engine download, and this generates a Dr. Watson crash that references Bucket ID 1148118666, 665956571, or 920198427
    Symptoms
    On a computer that is running Antigen version 9, the GetEngineFiles.exe process may crash. Additionally, a Dr. Watson error that has the Bucket ID of 1148118666, 665956571, or 920198427 for the GetEngineFiles.exe process is logged in the Application log.
  12. HTML-embedded viruses are not removed when you run a Manual scan
    Symptoms
    A virus that is embedded in the .html metadata of an Outlook e-mail message may not be detected when you run a manual scan, even with the Body Scanning - Manual check box selected on the General Options page.

    Cause
    This problem occurs because the Manual Scan does not correctly scan the metadata of an Outlook e-mail message. Before Service Pack 2, the Manual Scan scans only the data for viruses.

    Applies to
    Antigen for Exchange version 9
    Antigen for Exchange version 9 with SP1
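
An added example for issue 3 (not Microsoft's code): it parses ProgramLog.txt records in the layout of the second example above and marks an UnwritableCompressedFile removal as a file-filter side effect when the same message also logged a FILE FILTER hit on a sub-file of that Office 2007 container. The sample log, the extension list, and the labels `filter-side-effect` and `review` are assumptions made for this example.

```python
import re

# Open XML container extensions (assumption; the article only says "Office 2007 files").
OOXML_EXT = (".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm")
ENTRY_START = "INFORMATION: Realtime scan found virus:"
FIELD = re.compile(r"^[ \t]*(Folder|Message|File|Incident|State):[ \t]*(.*)$", re.M)

# Constructed sample in the layout of the article's ProgramLog.txt example.
SAMPLE_LOG = """\
INFORMATION: Realtime scan found virus:
Folder: *During Scanning*
Message: Q3 report
File: report.docx->image4.jpeg
Incident: FILE FILTER= *.jpeg
State: Detected
INFORMATION: Realtime scan found virus:
Folder: *During Scanning*
Message: Q3 report
File: report.docx
Incident: UnwritableCompressedFile
State: Removed
INFORMATION: Realtime scan found virus:
Folder: *During Scanning*
Message: invoice
File: invoice.zip
Incident: UnwritableCompressedFile
State: Removed
"""

def parse_entries(text):
    """Return one dict of fields per 'Realtime scan found virus' record."""
    return [{m.group(1): m.group(2).strip() for m in FIELD.finditer(block)}
            for block in text.split(ENTRY_START)[1:]]

def triage(text):
    """Label each UnwritableCompressedFile removal (hypothetical labels)."""
    entries = parse_entries(text)
    # (message, container) pairs where a file filter matched "container->sub-file"
    filtered = {(e.get("Message"), e["File"].split("->", 1)[0]) for e in entries
                if e.get("Incident", "").startswith("FILE FILTER=")
                and "->" in e.get("File", "")}
    results = []
    for e in entries:
        if e.get("Incident") != "UnwritableCompressedFile":
            continue
        name = e.get("File", "")
        hit = name.lower().endswith(OOXML_EXT) and (e.get("Message"), name) in filtered
        results.append((e.get("Message"), name, "filter-side-effect" if hit else "review"))
    return results
```

Removals labelled `filter-side-effect` match the pattern that Service Pack 2 addresses; anything labelled `review` has no matching sub-file filter hit and should be examined on its own.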

Known issues

  • If you install Antigen version 9.2.1097.50 as an upgrade on a server where the DatabasePath and InstallPath values are not the default values, you may receive error messages that resemble the following:
    Licensing: Could not fine ELI at ELI path (%Databasepath%\Engines\). Using install path (%InstallPath%)
    SybLicense: Could not load the cab file: (%InstallPath%)\EngineInfo.cab
    If you have a server that has values that are different than the defaults for DatabasePath and InstalledPath, you must manually extract the EngineInfo.cab file from the installation files, and add a copy of the cab file to the server in the "%DatabasePath%\Engines" folder before you run the installation.

    The values for DatabasePath and InstalledPath are located in the following registry subkey:
    HKEY_LOCAL_MACHINE\Software\SybariSoftware\Antigen for Exchange
    To extract the EngineInfo.cab from the installation files, follow these steps:
    1. At a command prompt, type the following command, and then press ENTER:
      Setup.exe /x
    2. In the dialog box that opens, provide a path, and then click OK.
    3. After the EngineInfo.cab file is extracted, copy the file to the correct "%DatabasePath%\Engines" folder.
  • The Cloudmark anti-spam signature updates may fail when passing through a proxy server if NTLM Authentication is enabled. This issue occurred in Service Pack 2 for Antigen version 9.0. However, it has since been resolved by Cloudmark in an engine update.

Download Information

A licensed version of this update is available on the following Microsoft Volume Licensing Services (MVLS) Web page:
https://licensing.microsoft.com/eLicense/L1033/Default.asp
An evaluation version is also available on the following Microsoft TechNet Web pages:

Microsoft Antigen for Exchange version 9.0 with Service Pack 2
http://go.microsoft.com/fwlink/?LinkId=156473

Microsoft Antigen for SMTP Gateways version 9.0 with Service Pack 2
http://go.microsoft.com/fwlink/?LinkId=156474

Prerequisites

There are no prerequisites for installing this service pack.

Properties

Article ID: 971063 - Last Review: November 30, 2009 - Revision: 3.1
APPLIES TO
  • Microsoft Antigen 9.0 for Exchange Service Pack 2
  • Microsoft Antigen 9.0 for SMTP Gateways Service Pack 2
Keywords: 
fpe2010sweptdoesnotapply kbhotfixserver kbexpertiseadvanced kbhotfixrollup kbsurveynew kbfix KB971063
