Hotfix Rollup 3 for Microsoft Forefront Server Security Management Console

Microsoft has released Hotfix Rollup 3 for Microsoft Forefront Server Security Management Console (FSSMC). This article contains information about how to obtain the hotfix and a list of issues that are fixed by the hotfix rollup.

This hotfix rollup includes all the fixes that are included in Hotfix Rollup 1 and Hotfix Rollup 2 for FSSMC. For more information about the fixes included in the previous hotfix rollups, click the following article number to view the article in the Microsoft Knowledge Base:
Note When you upgrade from an earlier version of FSSMC, you must redeploy the FSSMC Deployment Agents to your managed servers. For more information about how to do this, refer to the following section of the FSSMC User Guide:

New features in the Hotfix Rollup

• Antigen version 9 with Service Pack 2 incorporates new anti-spam technology through a partnership with Cloudmark. FSSMC Hotfix Rollup 3 now supports Cloudmark engine update redistribution and Engine Version Reports.
  
  Note Hotfix Rollup 3 only supports Redistribution Jobs for Cloudmark engine updates and not signature updates. The Cloudmark anti-spam engine receives its signature updates directly from the vendor’s site and not through Microsoft. This means that the signature updates are not distributed through the FSSMC. An engine update refers to updating to a new version of a scan engine, which replaces the old version. A signature update refers to new signatures being added to an existing scan engine.
  
  For more information about this feature, visit the following Microsoft Web page:
  http://technet.microsoft.com/en-us/forefront/serversecurity/dd940095.aspx (http://technet.microsoft.com/en-us/forefront/serversecurity/dd940095.aspx)
• FSSMC now can automatically provision the scan engines on managed Antigen and FSS servers. It does so by using the scan engine updates that are deployed to the managed servers through the Signature Redistribution Job. This feature gives customers the latest protection against malware by extending the updating capabilities of Antigen version 9 and Forefront Server Security (FSS) products. This feature can quickly notify users of the availability of a new threat scanning engine, or a planned change in the existing scan engines. These notifications advise administrators on how to make appropriate changes to their product configurations before any changes take effect. The notifications are registered in the Antigen and FSS event log entries and can also be configured for e-mail delivery through the "Virus Administrators" notification group.
  
  For more information about this feature, visit the following Microsoft Web page, and then click the Engine Revision Overview and FAQ hyperlink:
  http://technet.microsoft.com/en-us/forefront/serversecurity/dd940095.aspx (http://technet.microsoft.com/en-us/forefront/serversecurity/dd940095.aspx)

Issues that are fixed in the hotfix rollup

In addition to the fixes that are included in the previous hotfix rollups, this hotfix rollup fixes the following issues:

• The keyword list in the FSSMC Operation Job fails to deploy to Forefront for SharePoint Servers
• When you try to deploy Hotfix Rollup 3 for Forefront Security for Exchange Server (FSE) with Service Pack 1 to the passive node of a CCR cluster by using the FSSMC, the installation appears to fail with an error
• After you upgrade to FSSMC Hotfix Rollup 2, you cannot make configuration changes or deploy templates by using the FSSMC
• The FSSMC Remote Log Generator does not collect the same logs on an Antigen server and an FSS server
• The FSSMC console still contains the FTP option for scan engine updates even though the FTP download site was decommissioned

Details of the issues that are fixed in the hotfix rollup

Note All the fixes that are listed in this section apply to the following products:

• Forefront Server Security Management Console
• Hotfix Rollup 1 for Forefront Server Security Management Console
• Hotfix Rollup 2 for Forefront Server Security Management Console

• The keyword list in the FSSMC Operation Job fails to deploy to Forefront for SharePoint Servers
  
  Symptoms
  In the FSSMC Operation Job, you can change Keyword Filtering lists and deploy those changes to your managed servers. Before Hotfix Rollup 3, this feature did not function correctly when you deploy to Forefront Security for SharePoint managed servers.
  
  For more information about how to use the Operations Job, see the FSSMC User's Guide:

  http://technet.microsoft.com/en-us/library/bb878182.aspx#OperationJobs (http://technet.microsoft.com/en-us/library/bb878182.aspx#OperationJobs)

  Cause
  FSSMC pushes an XML document to the deployment agent on the managed servers. This document is parsed by aexmladapter. The issue occurs because of an .fdb format issue between FSSMC and FSSP. This issue occurred because of a change that was made to the .fdb format for keyword deletion text. The change was made after the release of the FSSMC.
• When you try to deploy Hotfix Rollup 3 for Forefront Security for Exchange Server (FSE) with Service Pack 1 to the passive node of a CCR cluster by using the FSSMC, the installation appears to fail with an error
  
  Symptoms
  When you install Hotfix Rollup 3 for FSE with Service Pack 1 on a CCR cluster, you have to deploy the package to the passive nodes in addition to the active node. Before Hotfix Rollup 3 for FSSMC, deploying the Hotfix Rollup 3 for FSE with Service Pack 1 on the passive node appears to fail with a returned status of "Installation Failed" in the FSSMC console. When this problem occurs, the following information is logged to the DeploymentAgent.txt file:

  DEBUG (3D0C) Process pid=#### terminated with exit code 3010
  ERROR Error executing the hotfix installer cab file packagelocation

  Cause
  The message that is returned to the FSSMC from the remote computer is "Restart_Required." However, this message is incorrectly treated as an "Error" by FSSMC. This causes the "Installation Failed" notification.
After you upgrade to FSSMC Hotfix Rollup 2, you cannot make configuration changes or deploy templates by using the FSSMC

Symptoms
After you upgrade to FSSMC Hotfix Rollup 2, you experience the following problems:
• You cannot make any configuration changes in the FSSMC console.
• You cannot deploy templates to managed servers by using the FSSMC.
• When you try to configure the Polling Interval in the Global Configuration section, you may receive an error message that resembles the following:
  Failed to update scheduler for job StatisticsJob, Retrieving the COM class factory for component with CLSID {0E566B66-4D10-436B-80EE-E6B56FBCEE8D} failed due to the following error: 80070005."
• The DCOM permissions on the Scheduler Service for the user SMGR_ServerName are missing.
Workaround
To work around this issue, manually add the necessary DCOM permissions on the Scheduler Service for the user SMGR_ServerName. To do this, follow these steps:
1. Click Start, and then click Run.
2. Type DCOMCNFG in the Open box, and then click OK.
3. Under Console Root, expand Component Services, expand Computers, and then expand My Computer.
4. Under My Computer, expand DCOM Config, right-click Scheduler Service, and then click Properties.
5. Click the Security tab, and then make the following changes:
   • Under Launch and Activation Permissions, click Edit, highlight the SMGR_ServerName account, and then confirm that it has the Local Launch and Local Activation permissions set to Allow. If it does not, add these permissions, and then click OK.
   • Under Access Permissions, click Edit, highlight the SMGR_ServerName account, and then confirm that it has the Local Access permission set to Allow. If it does not, add this permission, and then click OK.
Note This workaround is required only if you cannot upgrade to Hotfix Rollup 3.

Cause
During an upgrade of the FSSMC, the FSSMC version of the Scheduler Service is uninstalled and then reinstalled. This removes the permissions on SMGR_MachineName for that GUID. This occurs only on upgrade because the uninstall does not execute for the Scheduler Service if the Scheduler.config file does not exist.


• The FSSMC Remote Log Generator does not collect the same logs on an Antigen server and an FSS server
  
  Symptoms
  When you use the FSSMC diagnostic log to collect remote information for managed Antigen or FSS servers, different data is collected from an Antigen server than from an FSS server. The same files are collected from Antigen and FSS servers with the following exceptions.
  
  The following files are not collected on Antigen servers:
  
  AntigenInstall.log
  StatisticsManagerServer.txt
  AntigenHRLog.txt
  ProgramLog.txt
  AEXMLAdapter.txt
  StatisticsManagerClient.txt
  
• The FSSMC console still contains the FTP option for scan engine updates even though the FTP download site was decommissioned
  
  Symptoms
  In the FSSMC console, under Administration, there is a Global Configuration option. The Download Configuration section lets you configure the location where the FSSMC will download the scan engine updates. There is a drop-down box that contains two options: http and ftp. The ftp option is no longer valid because the ftp site was decommissioned.
  
  Cause
  This issue occurs because the FTP engine update site was decommissioned for engine updates. Before Hotfix Rollup 3, the FSSMC console does not reflect this change.

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.