Description of Hotfix Rollup 1 for Service Pack 2 for Forefront Security for Exchange Server

Article ID: 978297

INTRODUCTION

Microsoft has released Hotfix Rollup 1 for Forefront Security for Exchange Server Service Pack 2. This article contains information about how to obtain the rollup and about the issues that are fixed by the rollup.

For more information about the fixes included in Service Pack 2, click the following article number to view the article in the Microsoft Knowledge Base:
960465 Description of Forefront Security for Exchange Server with Service Pack 2

New features in the hotfix rollup

  • A silent parameter is now supported with FSCUtility in Forefront Server Security for Exchange
    This rollup adds a new silent parameter for use with FSCUtility.exe on active cluster nodes. The silent parameter avoids the confirmation prompt that you would usually receive when you run the following commands:
    • FSCUtility.exe /enable
    • FSCUtility.exe /disable
    The following is the new syntax that uses the silent parameter:
    • To disable Forefront Server Security for Exchange and take the Exchange Virtual Server (EVS) or the clustered mailbox server (CMS) automatically offline on a cluster:
      FSCUtility.exe /disable /silent
    • To enable Forefront Server Security for Exchange and bring the EVS/CMS automatically online on a cluster:
      FSCUtility.exe /enable /silent

MORE INFORMATION

Issues that are fixed in Hotfix Rollup 1 for Forefront Security for Exchange Server Service Pack 2

In addition to the fixes that are included in all service packs and rollups for Forefront Security for Exchange Server, this hotfix rollup includes fixes for the following issues:

Details of the issues that are fixed in the hotfix rollup

  1. The Forefront Security for Exchange product version that is displayed in the AD Marker does not match the version that is displayed in the client
  2. Forefront Security for Exchange may consume too much memory, which may require a restart of Exchange services
  3. Forefront Security for Exchange may consume too much memory when it is running on a mailbox server that requires a restart of Exchange services
  4. When Forefront’s EngineSync and FileSync cannot run at the same time on a CCR cluster, run lock errors are generated in the ProgramLog.txt file
  5. You cannot suppress engine deprecation (retirement) notifications even when you have disabled the retired engines on all scan jobs and their related scanner updates
  6. Lots of RPC requests lead to slow mail queues on an Exchange server that is running Forefront Security for Exchange
  7. E-mail messages cannot be delivered from Forefront’s archive folder
  8. The FSCController.exe process may stop responding. This generates a Dr. Watson crash that references Bucket ID 671966687
  9. Too much logging in Forefront Security for Exchange may cause slow mail flow and mail queues in Exchange
  10. The FSCController.exe process may stop responding. This generates a Dr. Watson crash that references Bucket ID 653246026
  11. Files are detected as "CorruptedCompressedFile" when the MaxUnCompressedFileSize registry entry is set to 0xFFFFFFFF
  12. Forefront Server Security for Exchange cannot filter files that are encoded in the "Japanese (EUC)" MIME format
  13. P7S files are detected as "CorruptedCompressedFile" when Forefront Server Security for Exchange scans digitally-signed messages
  14. Forefront Server Security for Exchange services cannot start if the installation root contains a file that is named "Program"
  15. Forefront Server Security for Exchange may incorrectly detect that valid Office Word 2003 documents contain CorruptedCompressedFile viruses
  16. Renaming an existing file filter list causes it to become disabled and revert to default settings in Forefront Server Security for Exchange
  17. A performance improvement lets Forefront Server Security for Exchange scan hidden infected files within 2007 Microsoft Office documents that were originally created by using Beta versions
  18. Memory is not released from a scan process when Forefront Server Security for Exchange scans certain GZip files
  19. Memory is not released from a scan process when Forefront Server Security for Exchange scans TAR files within GZip files
  20. Memory is not released from a scan process when Forefront Server Security for Exchange scans Mac Zip files within another archive (compressed) file
  21. No FSS-ELI Scheduled Task is created if all engine updates are disabled in Forefront Server Security for Exchange
  22. All engine updates roll back in Forefront Server Security for Exchange if the installation root contains a file that is named "Program"
  23. Filter Lists settings are not applied when you perform a silent installation of Forefront Server Security for Exchange
  24. The FSCRealtimeScanner.exe process consumes too much memory in Forefront Server Security for Exchange
  25. The FSCRealtimeScanner.exe process crashes when it tries to scan an e-mail message that has many recipients
  26. Exceptions during a Forefront for Exchange manual scan cause "ExceedinglyNested" detection and file removal
  27. When you try to generate a Forefront Diagnostic for Forefront Security for Exchange, you are prompted to "press any key" to complete the data collection
  28. When an engine update fails in Forefront for Exchange because of an invalid database path, Forefront does not log an error
  29. When you apply a template from one Forefront Security for Exchange installation to another Forefront Security for Exchange installation on a different server, the receiving server may lose all Forefront settings and may stop scanning mail
  30. A scan engine update fails, and a warning message is logged in the ProgramLog.txt file
Note All the fixes that are listed in this section apply to Forefront Security for Exchange Server Service Pack 2, unless otherwise stated.
  1. The Forefront Security for Exchange product version that is displayed in the AD Marker does not match the version that is displayed in the client

    Symptoms
    When you click About on the Help menu in Forefront Server for Exchange, the product version that is listed is accurate on the client. However, the product version that is listed in the corresponding Active Directory (AD) Marker is not.

    This difference causes no functionality issues.
  2. Forefront Security for Exchange may consume too much memory, which may require a restart of Exchange services

    Symptoms
    Users experience slow mail flow and interruptions in mail delivery.

    Cause
    A memory leak was identified in the FSCRealtimeScanner.exe and FSCTransportScanner.exe processes. This memory leak can cause users to experience lulls and interruptions in the mail flow because of the memory resource depletion.
  3. Forefront Security for Exchange may consume too much memory when it is running on a mailbox server that requires a restart of Exchange services

    Symptoms
    Users experience slow mail flow and interruptions in mail delivery.

    Cause
    A memory leak was identified in the FSCRealtimeScanner.exe process. This memory leak can cause users to experience lulls and interruptions in mail flow because of the memory resource depletion.
  4. When Forefront’s EngineSync and FileSync cannot run at the same time on a CCR cluster, run lock errors are generated in the ProgramLog.txt file

    Symptoms
    The ProgramLog file contains the following errors:
    Date/Time: ( 1432- 1884), "WARNING: FileSync (Thread)::CCR::FileSync::Run(): filesync.cpp:335: Cannot obtain a Forefront run lock; replication of 'Notifications.fdb' skipped."

    Date/Time: 2008 ( 1432- 1884), "WARNING: FileSync (Thread)::CCR::FileSync::Run(): filesync.cpp:335: Cannot obtain a Forefront run lock; replication of 'FileScanners.fdb' skipped."
    The Application log contains the following error:

    Event Type: Warning
    Event Source: FSECCRService
    Event Category: (9)
    Event ID: 9411
    Date: 7/7/2008
    Time: 11:06:13 AM
    User: N/A
    Computer: Server1

    Cause
    When Forefront Server for Exchange runs on a Cluster Continuous Replication (CCR) cluster, you have to synchronize the engine files and the database files between each node. If this synchronization occurs at the same time, errors will be generated in the ProgramLog.txt file and in the Application log.

    There are no functionality issues because the file synchronization does occur when the engine synchronization is complete.
  5. You cannot suppress engine deprecation (retirement) notifications even when you have disabled the retired engines on all scan jobs and their related scanner updates

    Symptoms
    Forefront for Exchange generates engine deprecation notifications that cannot be disabled regardless of scan job settings that relate to engine usage.

    Forefront Security for Exchange will generate e-mail messages to remind the administrator of specific engine deprecations. These messages contain text that resembles the following Sophos example:
    Sophos Virus Detection Engine has been deprecated as of 1/07/2009 and will be available only until 1/12/2009. Updates for this engine will stop after 1/12/2009. For more information, see http://go.microsoft.com/fwlink/?LinkId=152864
  6. Lots of RPC requests lead to slow mail queues on an Exchange server that is running Forefront Security for Exchange

    Symptoms
    Lots of RPC requests lead to resource depletion and slow mail queues on an Exchange server that is running Forefront Security for Exchange.
  7. E-mail messages cannot be delivered from Forefront’s archive folder

    Symptoms
    Archived e-mail messages cannot be delivered when you drop them into Exchange’s pickup folder.

    Cause
    This issue occurs when Forefront’s Transport scan cannot initialize. This can cause it to remain in a state in which it cannot scan mail. Any mail that is dropped into Forefront’s archive folder is not delivered because it may contain incomplete header information.
  8. The FSCController.exe process may stop responding. This generates a Dr. Watson crash that references Bucket ID 671966687

    Symptoms
    The FSCController.exe process may stop responding. This generates a Dr. Watson crash that references Bucket ID 671966687. The crash generates the following stack dump output:
    OLE32.DLL!CStdMarshal::DisconnectCliIPIDs [marshal.cxx]
    OLE32.DLL!CStdMarshal::Disconnect [marshal.cxx]
    OLE32.DLL!CStdMarshal::HandlePendingDisconnect [marshal.cxx]
    OLE32.DLL!CStdMarshal::Finish_QueryRemoteInterfaces [marshal.cxx]
    OLE32.DLL!CStdMarshal::QueryRemoteInterfaces [marshal.cxx]
    OLE32.DLL!CStdIdentity::CInternalUnk::QueryMultipleInterfaces [stdid.cxx]
    OLE32.DLL!CStdIdentity::CInternalUnk::QueryInterface [stdid.cxx]
    RPCRT4.DLL!IUnknown_QueryInterface_Proxy [proxy.cxx]
    FSCCONTROLLER.EXE!CRealtimeProxy::DisableScanEngine [realtimeproxy.cpp]
    FSCCONTROLLER.EXE!CSybariService::DisableScanEngines [sybariservice.cpp]
    RPCRT4.DLL!Invoke [stubless.asm]
    RPCRT4.DLL!NdrStubCall2 [srvcall.cxx]
    RPCRT4.DLL!CStdStubBuffer_Invoke [stub.cxx]
    OLE32.DLL!SyncStubInvoke [channelb.cxx]
    OLE32.DLL!StubInvoke [channelb.cxx]
    OLE32.DLL!CCtxComChnl::ContextInvoke [ctxchnl.cxx]
    OLE32.DLL!MTAInvoke [callctrl.cxx]
    OLE32.DLL!STAInvoke [callctrl.cxx]
    OLE32.DLL!AppInvoke [channelb.cxx]
    OLE32.DLL!ComInvokeWithLockAndIPID [channelb.cxx]
    OLE32.DLL!ComInvoke [channelb.cxx]
    OLE32.DLL!ThreadDispatch [chancont.cxx]
    OLE32.DLL!ThreadWndProc [chancont.cxx]
    USER32.DLL!InternalCallWinProc [callproc.asm]
    USER32.DLL!UserCallWinProcCheckWow [clmsg.c]
    USER32.DLL!DispatchMessageWorker [clmsg.c]
    USER32.DLL!DispatchMessageW [cltxt.h]
    FSCCONTROLLER.EXE!CServiceModule::Run [antigenservice.cpp]
    FSCCONTROLLER.EXE!CServiceModule::ServiceMain [antigenservice.cpp]
    ADVAPI32.DLL!ScSvcctrlThreadA [scapi.cxx]
    KERNEL32.DLL!BaseThreadInitThunk [thread.c]
    NTDLL.DLL!__RtlUserThreadStart [rtlexec.c]
    NTDLL.DLL!_RtlUserThreadStart [rtlexec.c]
  9. Too much logging in Forefront Security for Exchange may cause slow mail flow and mail queues in Exchange

    Symptoms
    Users may experience slow mail flow and mail queues in Exchange.

    Cause
    This issue occurs when default level logging in Forefront Security for Exchange becomes resource-intensive.
  10. The FSCController.exe process may stop responding. This generates a Dr. Watson crash that references Bucket ID 653246026

    Symptoms
    The FSCController.exe may crash. This generates a Dr. Watson crash that references Bucket ID 653246026. The crash generates the following stack dump output:
    FSCCONTROLLER.EXE!CRealtimeProxy::Shutdown [realtimeproxy.cpp]
    FSCCONTROLLER.EXE!ShutdownStorageGroup [sybariservice.cpp]
    FSCCONTROLLER.EXE!CSybariService::ShutdownStorageGroup [sybariservice.cpp]
    FSCCONTROLLER.EXE!CSybariService::ShutdownStorageGroup [sybariservice.cpp]
    RPCRT4.DLL!Invoke [stubless.asm]
    RPCRT4.DLL!NdrStubCall2 [srvcall.cxx]
    RPCRT4.DLL!CStdStubBuffer_Invoke [stub.cxx]
    OLEAUT32.DLL!CUnivStubWrapper::Invoke [rpcwrap.cpp]
    OLE32.DLL!SyncStubInvoke [channelb.cxx]
    OLE32.DLL!StubInvoke [channelb.cxx]
    OLE32.DLL!CCtxComChnl::ContextInvoke [ctxchnl.cxx]
    OLE32.DLL!MTAInvoke [callctrl.cxx]
    OLE32.DLL!STAInvoke [callctrl.cxx]
    OLE32.DLL!AppInvoke [channelb.cxx]
    OLE32.DLL!ComInvokeWithLockAndIPID [channelb.cxx]
    OLE32.DLL!ComInvoke [channelb.cxx]
    OLE32.DLL!ThreadDispatch [chancont.cxx]
    OLE32.DLL!ThreadWndProc [chancont.cxx]
    USER32.DLL!InternalCallWinProc [callproc.asm]
    USER32.DLL!UserCallWinProcCheckWow [clmsg.c]
    USER32.DLL!DispatchMessageWorker [clmsg.c]
    USER32.DLL!DispatchMessageW [cltxt.h]
    FSCCONTROLLER.EXE!CServiceModule::Run [antigenservice.cpp]
    FSCCONTROLLER.EXE!CServiceModule::ServiceMain [antigenservice.cpp]
    ADVAPI32.DLL!ScSvcctrlThreadA [scapi.cxx]
    KERNEL32.DLL!BaseThreadInitThunk [thread.c]
    NTDLL.DLL!__RtlUserThreadStart [rtlexec.c]
    NTDLL.DLL!_RtlUserThreadStart [rtlexec.c]
  11. Files are detected as "CorruptedCompressedFile" when the MaxUnCompressedFileSize registry entry is set to 0xFFFFFFFF

    Symptoms
    If you set the value of the MaxUnCompressedFileSize registry entry to 0xFFFFFFFF, Forefront Server Security for Exchange detects files as "CorruptedCompressedFile," regardless of their size.

    If you have enabled the Delete Corrupted Compressed Files setting under the SETTINGS, General Options area in the Forefront Administrator console, the file will also be deleted.
  12. Forefront Server Security for Exchange cannot filter files that are encoded in the "Japanese (EUC)" MIME format

    Symptoms
    If a file name is written to the ProgramLog.txt file, it is displayed as garbled characters and does not represent the original file name in Japanese.

    Cause
    This issue occurs when you send an attachment inside an e-mail message that you encode in the "Japanese (EUC)" MIME format. When Forefront Server Security for Exchange tries to scan the attachment, it cannot correctly identify the file name extension, and the file passes through unscanned.
  13. P7S files are detected as "CorruptedCompressedFile" when Forefront Server Security for Exchange scans digitally-signed messages

    Symptoms
    Files are detected as "CorruptedCompressedFile" and are viewable in the Incidents panel as Corrupted Compressed.

    Cause
    This occurs when you digitally sign messages. The digital signature of your message is carried in a P7S file. This file is attached to the message. When Forefront Server Security for Exchange scans the P7S file, it is detected as a "CorruptedCompressedFile."

    If you have enabled the Delete Corrupted Compressed Files setting under the SETTINGS, General Options area in the Forefront Administrator console, the file will also be deleted.
  14. Forefront Server Security for Exchange services cannot start if the installation root contains a file that is named "Program"

    Symptoms
    Forefront Server Security for Exchange cannot start if the installation root (for example, C:) contains a file that is named "Program."

    Cause
    Forefront Server Security for Exchange services do not contain quotation marks around the path of the executable files that they trigger upon startup. This causes the system to look for any file in the path. For example, it may look for a file that is named “C:\Program” when the path is "C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server\FSEMailPickup.exe." This means that Forefront finds the wrong file and cannot start the service.

    Workaround
    If you are experiencing this issue and cannot install the rollup package to resolve it immediately, you can work around the issue by adding quotation marks around the path of the executable in the Services registry. This is documented in the following Microsoft Knowledge Base article:
    812486 Event ID 7000 and "%1 is not a valid Win32 application" error message when you start a service
  15. Forefront Server Security for Exchange may incorrectly detect that valid Office Word 2003 documents contain CorruptedCompressedFile viruses

    Symptoms
    Forefront Server Security for Exchange may incorrectly detect that valid Microsoft Office Word 2003 documents contain CorruptedCompressedFile viruses.

    The e-mail attachment is removed, and an incident is logged in the Incidents panel, stating that the file was removed as a CorruptedCompressedFile virus. The ProgramLog.txt file contains the following entry:
    INFORMATION: Realtime scan found virus: Folder: Folder Name Storage Group\file name Message: subject line Incident: CorruptedCompressedFile State: Removed
    In this message, the placeholder Folder Name represents the name of the folder where the virus was found.

    Cause
    This error is caused by the method that Forefront Server Security uses to try to parse the Word document.
  16. Renaming an existing file filter list causes it to become disabled and revert to default settings in Forefront Server Security for Exchange

    Symptoms
    When you rename an existing file filter list in the Filter Lists area under FILTERING in the Forefront Administrator console, the file filter list in the Lists area, under File, under FILTERING will be disabled. All configuration settings, such as Action, General, and Identify are set to default values.
  17. A performance improvement lets Forefront Server Security for Exchange scan hidden infected files within 2007 Microsoft Office documents that were originally created by using Beta versions

    Symptoms
    Some 2007 Office (OPENXML) documents may contain "hidden" subfiles. That is, these documents may contain files that are not referenced in the document’s Document.xml.rels file. Certain inefficiencies were found in the additional code that is used to scan "hidden" files in 2007 Office documents.

    More Information
    The fix for this issue lets Forefront Server Security for Exchange scan the file more efficiently by using fewer system resources.

    Note The initial releases of 2007 Office will not open any files that are not referenced in the document’s Document.xml.rels file.
  18. Memory is not released from a scan process when Forefront Server Security for Exchange scans certain GZip files

    Symptoms
    Forefront Server Security for Exchange does not release memory from scan processes after GZip files are scanned.

    This issue can cause the memory that is consumed by the Forefront scan processes (FSCRealtimeScanner.exe, FSCTransportScanner.exe, or FSCManualScanner.exe) to grow exponentially and may cause a low-memory condition on the server.

    When this issue occurs, you may find any of the following entries written to the ProgramLog.txt file:
    "ERROR: An exception has occurred within ForefrontAgent's Scan method. Exception message = "Insufficient memory to continue the execution of the program.""
    "ERROR: An exception has occurred within ForefrontAgent's Scan method. Exception message = "No more threads can be created in the system. (Exception from HRESULT: 0x800700A4)""
    "ERROR: An exception has occurred within ForefrontAgent's Scan method. Exception message = "Value does not fall within the expected range.""
    "DIAGNOSTIC: localizestream.cpp::LocalizeStream(): Failed to allocate memory for local stream 0x8007000e"

    "ERROR: ReadWideCharBufferFromStream(): Attempted read of 5572 byte(s). Actual bytes read were 0. hr=8007000e"

    "ERROR: FSCRealtimeScanner: Exception occurred (0xc0000005) at address 0x056C3769, p[0]=0x0, p[1]=0x3287224f"
    "eax=0x00000000 ebx=0x32871fb7 ecx=0x07bdcfd0 edx=0x328721cd"
    "esi=0x07c8e3dc edi=0x32871fb7 ebp=0x07c6f0d0 esp=0x0102a2f8"
    "102a2f0: 00000000 00000000 00000000" ...

    "102f720: 00000004 0042378f 8007000e"
    Additionally, the following entries may be written to the HRLog.txt file:
    "INFORMATION: F 0x8007000e, 775-(primaryobject)"
    "INFORMATION: F 0x8007000e, 1209-(primaryobject)"
    "INFORMATION: F 0x8007000e, 1855-(primaryobject)"
    "INFORMATION: S 0x8007000e, 7103-(workthread)"
    Many of these entries contain the hexadecimal code 0x8007000E, which means "Not enough storage is available to complete this operation" or "ERROR_OUTOFMEMORY."
  19. Memory is not released from a scan process when Forefront Server Security for Exchange scans TAR files within GZip files

    Symptoms
    Forefront Server Security for Exchange does not release memory from a scan process that scans tarball files (TAR files compressed within GZip files, such as .tar.gz or .tgz files).

    This issue can cause the memory that is consumed by the Forefront scan processes (FSCRealtimeScanner.exe, FSCTransportScanner.exe, or FSCManualScanner.exe) to grow exponentially and may cause a low-memory condition on the server.

    When this issue occurs, you may find any of the following entries written to the ProgramLog.txt file:
    "ERROR: An exception has occurred within ForefrontAgent's Scan method. Exception message = "Insufficient memory to continue the execution of the program.""
    "ERROR: An exception has occurred within ForefrontAgent's Scan method. Exception message = "No more threads can be created in the system. (Exception from HRESULT: 0x800700A4)""
    "ERROR: An exception has occurred within ForefrontAgent's Scan method. Exception message = "Value does not fall within the expected range.""
    "DIAGNOSTIC: localizestream.cpp::LocalizeStream(): Failed to allocate memory for local stream 0x8007000e"

    "ERROR: ReadWideCharBufferFromStream(): Attempted read of 5572 byte(s). Actual bytes read were 0. hr=8007000e"

    "ERROR: FSCRealtimeScanner: Exception occurred (0xc0000005) at address 0x056C3769, p[0]=0x0, p[1]=0x3287224f"
    "eax=0x00000000 ebx=0x32871fb7 ecx=0x07bdcfd0 edx=0x328721cd"
    "esi=0x07c8e3dc edi=0x32871fb7 ebp=0x07c6f0d0 esp=0x0102a2f8"
    "102a2f0: 00000000 00000000 00000000" ...

    "102f720: 00000004 0042378f 8007000e"
    Additionally, the following entries may be written to the HRLog.txt file:
    "INFORMATION: F 0x8007000e, 775-(primaryobject)"
    "INFORMATION: F 0x8007000e, 1209-(primaryobject)"
    "INFORMATION: F 0x8007000e, 1855-(primaryobject)"
    "INFORMATION: S 0x8007000e, 7103-(workthread)"
    Many of these entries contain the hexadecimal code 0x8007000E. This means "Not enough storage is available to complete this operation" or "ERROR_OUTOFMEMORY."
  20. Memory is not released from a scan process when Forefront Server Security for Exchange scans Mac Zip files within another archive (compressed) file

    Symptoms
    Forefront Server Security for Exchange does not release memory from a scan process that scans Mac Zip files within another archive (compressed) file.

    This issue can cause the memory that is consumed by Forefront scan processes (FSCRealtimeScanner.exe, FSCTransportScanner.exe, or FSCManualScanner.exe) to grow exponentially and may cause a low-memory condition on the server.

    When this issue occurs, you may find any of the following entries written to the ProgramLog.txt file:
    "ERROR: An exception has occurred within ForefrontAgent's Scan method. Exception message = "Insufficient memory to continue the execution of the program.""
    "ERROR: An exception has occurred within ForefrontAgent's Scan method. Exception message = "No more threads can be created in the system. (Exception from HRESULT: 0x800700A4)""
    "ERROR: An exception has occurred within ForefrontAgent's Scan method. Exception message = "Value does not fall within the expected range.""
    "DIAGNOSTIC: localizestream.cpp::LocalizeStream(): Failed to allocate memory for local stream 0x8007000e"

    "ERROR: ReadWideCharBufferFromStream(): Attempted read of 5572 byte(s). Actual bytes read were 0. hr=8007000e"

    "ERROR: FSCRealtimeScanner: Exception occurred (0xc0000005) at address 0x056C3769, p[0]=0x0, p[1]=0x3287224f"
    "eax=0x00000000 ebx=0x32871fb7 ecx=0x07bdcfd0 edx=0x328721cd"
    "esi=0x07c8e3dc edi=0x32871fb7 ebp=0x07c6f0d0 esp=0x0102a2f8"
    "102a2f0: 00000000 00000000 00000000" ...
    "102f720: 00000004 0042378f 8007000e"
    Additionally, the following entries may be written to the HRLog.txt file:
    "INFORMATION: F 0x8007000e, 775-(primaryobject)"
    "INFORMATION: F 0x8007000e, 1209-(primaryobject)"
    "INFORMATION: F 0x8007000e, 1855-(primaryobject)"
    "INFORMATION: S 0x8007000e, 7103-(workthread)"
    Many of these entries contain the hexadecimal code 0x8007000E. This means "Not enough storage is available to complete this operation" or "ERROR_OUTOFMEMORY."

    Cause
    This problem is caused by a problem with Forefront’s TNEFNavigator.dll file.
  21. No FSS-ELI Scheduled Task is created if all engine updates are disabled in Forefront Server Security for Exchange

    Symptoms
    The FSS-ELI Scheduled Task's responsibility is to update Forefront’s Engine Licensing Information (ELI) file, which is EngineInfo.cab. If no engine updates are enabled for any engines in the Scanner Updates area, under SETTINGS in the Forefront Administrator Console, the FSS-ELI Scheduled Task will not be created. For example, you may select this configuration if you use FSSMC to distribute engines centrally.

    Workaround
    If you are experiencing this issue and cannot install the rollup package to resolve it immediately, you can work around the issue by following these steps:
    1. Schedule at least one engine update in the Scanner Updates area, under SETTINGS in the Forefront Administrator Console.
    2. Restart Forefront and Exchange services to let Forefront Server Security for Exchange create the FSS-ELI Scheduled Task.
  22. All engine updates roll back in Forefront Server Security for Exchange if the installation root contains a file that is named "Program"

    Symptoms
    When you try to update a scan engine in Forefront Server Security for Exchange, it rolls back. A new scan engine is then downloaded, but it cannot be integrated. The new engine is then rolled back, and Forefront reverts to the old engine.

    The following entries may be written to the Application log and to the ProgramLog.txt for each attempted engine update. The following example is for the Microsoft scan engine:
    "INFORMATION: The Microsoft scan engine has been downloaded"
    "INFORMATION: The Microsoft scan engine has been staged."
    "ERROR: (0x000000c1) %1 is not a valid Win32 application. Unable to launch ScanEngineTest for the Microsoft scan engine."
    "INFORMATION: The Microsoft scan engine has been rolled back."


    Cause
    When a new scan engine is downloaded, Forefront must first test it before integrating it. Forefront uses ScanEngineTest.exe to do this. However, the path of ScanEngineTest.exe is not enclosed in quotation marks in Forefront’s engine update code. This causes the system to look for any file in the path. For example, it may look for a file that is named “C:\Program” when the path is "C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server\ScanEngineTest.exe," if the file exists. This means that Forefront finds the wrong file and cannot complete the scan engine test. The engine is then rolled back.
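
The unquoted-path condition behind issues 14 and 22 can be checked for on a server. The following PowerShell is an added example, not code from Microsoft or from the hotfix; the function names are hypothetical, and it assumes the standard service registry location HKLM:\SYSTEM\CurrentControlSet\Services and its ImagePath values.

```powershell
# Added example (not Microsoft's code): list service ImagePath values that are
# unquoted and contain spaces, and report any file that would be found first.

function Get-PathPrefixCandidate {
    # Returns every space-delimited prefix of an unquoted executable path,
    # e.g. "C:\Program" for "C:\Program Files (x86)\...\FSEMailPickup.exe".
    param([Parameter(Mandatory)][AllowEmptyString()][string]$ImagePath)

    $path = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    # Quoted values are unambiguous; non-drive-rooted values (for example
    # kernel driver paths) are out of scope for this check.
    if ($path.StartsWith('"') -or $path -notmatch '^[A-Za-z]:\\') { return }

    # Keep only the executable portion; text after ".exe " is arguments.
    $m = [regex]::Match($path, '(?i)^.*?\.exe(?=\s|$)')
    $exe = if ($m.Success) { $m.Value } else { $path }

    $tokens = $exe -split ' '
    for ($i = 0; $i -lt $tokens.Count - 1; $i++) {
        $tokens[0..$i] -join ' '
    }
}

function Get-UnquotedServicePath {
    # Walks the Services registry key and emits one object per service whose
    # ImagePath is unquoted and contains a space before the executable name.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $imagePath = $key.GetValue('ImagePath')
        if (-not $imagePath) { continue }

        $candidates = @(Get-PathPrefixCandidate -ImagePath $imagePath)
        if ($candidates.Count -eq 0) { continue }

        # The article's case is a file named exactly like the prefix
        # ("C:\Program"). The prefix with ".exe" appended is checked too,
        # because CreateProcess tries that name for an unquoted command line.
        $blocking = foreach ($c in $candidates) {
            foreach ($f in @($c, "$c.exe")) {
                if (Test-Path -LiteralPath $f -PathType Leaf) { $f }
            }
        }

        [pscustomobject]@{
            Service      = $key.PSChildName
            ImagePath    = $imagePath
            BlockingFile = @($blocking) -join '; '
        }
    }
}

# Constructed check using the path quoted in the article:
$sample = 'C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server\FSEMailPickup.exe'
Get-PathPrefixCandidate -ImagePath $sample

# Audit of the local machine (read-only; nothing is modified):
Get-UnquotedServicePath | Format-Table -AutoSize -Wrap
```

A non-empty BlockingFile column identifies the file that prevents the service from starting; rows with an empty column are still candidates for the quotation-mark workaround described in issue 14.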
  23. Filter Lists settings are not applied when you perform a silent installation of Forefront Server Security for Exchange

    Symptoms
    You use the -t parameter to specify a Template.fdb file when you run the Forefront Server Security for Exchange setup as a silent installation. If the Template.fdb file contains custom Filter Lists, these are not populated in the new installation. This issue occurs even though the installation completes successfully and without error.

    Cause
    This issue occurs because the FilterLists.fdb file is not created until the Forefront Administrator console is opened for the first time. Therefore, Setup cannot load any custom Filter Lists into the FilterLists.fdb file during a silent installation because the FilterLists.fdb file does not exist at that point.
  24. The FSCRealtimeScanner.exe process consumes too much memory in Forefront Server Security for Exchange

    Symptoms
    There are two issues in which the FSCRealtimeScanner.exe processes can consume too much memory. These issues cause the memory that is consumed by FSCRealtimeScanner.exe processes to grow exponentially and may cause a low-memory condition on the server.

    Note Because Forefront Server Security for Exchange typically scans most mail at the Transport level, you may find that this memory condition is difficult to spot and may become obvious only if you have not restarted Forefront services for a long period, say for several weeks.

    When these issues occur, you may find any of the following entries written to the ProgramLog.txt file:
    "ERROR: An exception has occurred within ForefrontAgent's Scan method. Exception message = "Insufficient memory to continue the execution of the program.""
    "ERROR: An exception has occurred within ForefrontAgent's Scan method. Exception message = "No more threads can be created in the system. (Exception from HRESULT: 0x800700A4)""
    "ERROR: An exception has occurred within ForefrontAgent's Scan method. Exception message = "Value does not fall within the expected range.""
    "DIAGNOSTIC: localizestream.cpp::LocalizeStream(): Failed to allocate memory for local stream 0x8007000e"

    "ERROR: ReadWideCharBufferFromStream(): Attempted read of 5572 byte(s). Actual bytes read were 0. hr=8007000e"

    "ERROR: FSCRealtimeScanner: Exception occurred (0xc0000005) at address 0x056C3769, p[0]=0x0, p[1]=0x3287224f"
    "eax=0x00000000 ebx=0x32871fb7 ecx=0x07bdcfd0 edx=0x328721cd"
    "esi=0x07c8e3dc edi=0x32871fb7 ebp=0x07c6f0d0 esp=0x0102a2f8"
    "102a2f0: 00000000 00000000 00000000" ...

    "102f720: 00000004 0042378f 8007000e"
    Additionally, the following entries may be written to the HRLog.txt file:
    "INFORMATION: F 0x8007000e, 775-(primaryobject)"
    "INFORMATION: F 0x8007000e, 1209-(primaryobject)"
    "INFORMATION: F 0x8007000e, 1855-(primaryobject)"
    "INFORMATION: S 0x8007000e, 7103-(workthread)"
    Many of these entries contain the hexadecimal code 0x8007000E. This means "Not enough storage is available to complete this operation" or "ERROR_OUTOFMEMORY."
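
Because this memory condition can take weeks to become visible, it helps to count the signatures listed above as they accumulate in the logs. The following PowerShell is an added example, not Microsoft tooling; the function name, the signature labels and the commented log path are assumptions, and the sample lines are copied from this article.

```powershell
# Added example (not Microsoft tooling): count the memory-exhaustion signatures
# from this article in lines read from ProgramLog.txt or HRLog.txt.

$Signatures = [ordered]@{
    'ERROR_OUTOFMEMORY (0x8007000e)'  = '(?i)\b(0x)?8007000e\b'
    'Thread exhaustion (0x800700A4)'  = '(?i)0x800700a4'
    'Managed out-of-memory exception' = 'Insufficient memory to continue the execution'
    'Access violation in scanner'     = '(?i)FSC\w+Scanner: Exception occurred \(0xc0000005\)'
}

function Measure-ForefrontMemorySignature {
    # Emits one object per signature with the number of matching lines and
    # the first matching line, so that a rising count can be tracked over time.
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Line)

    foreach ($name in $Signatures.Keys) {
        $pattern = $Signatures[$name]
        $hits = @($Line | Where-Object { $_ -match $pattern })
        [pscustomobject]@{
            Signature  = $name
            Count      = $hits.Count
            FirstMatch = $hits | Select-Object -First 1
        }
    }
}

# Constructed sample: entries quoted in this article plus one unrelated line.
$sampleLines = @(
    'ERROR: An exception has occurred within ForefrontAgent''s Scan method. Exception message = "Insufficient memory to continue the execution of the program."'
    'ERROR: An exception has occurred within ForefrontAgent''s Scan method. Exception message = "No more threads can be created in the system. (Exception from HRESULT: 0x800700A4)"'
    'DIAGNOSTIC: localizestream.cpp::LocalizeStream(): Failed to allocate memory for local stream 0x8007000e'
    'ERROR: ReadWideCharBufferFromStream(): Attempted read of 5572 byte(s). Actual bytes read were 0. hr=8007000e'
    'ERROR: FSCRealtimeScanner: Exception occurred (0xc0000005) at address 0x056C3769, p[0]=0x0, p[1]=0x3287224f'
    'INFORMATION: F 0x8007000e, 775-(primaryobject)'
    'INFORMATION: The Microsoft scan engine has been downloaded'
)

Measure-ForefrontMemorySignature -Line $sampleLines | Format-Table -AutoSize -Wrap

# Against a real log (the path is a placeholder for the Forefront data folder):
# Measure-ForefrontMemorySignature -Line (Get-Content '<DataFolder>\ProgramLog.txt')
```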

    Cause
    This issue occurs when one of the following conditions is true:
    • Forefront is querying Active Directory for e-mail recipient information
    • Mailbox information is being handed from Exchange through VSAPI to the FSCRealtimeScanner.exe process.


    Workaround
    There is a workaround available for the memory issue that involves Active Directory queries. You may apply this workaround if you cannot install the rollup package to resolve it immediately.

    Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
    322756 How to back up and restore the registry in Windows
    1. Click Start, click Run, type regedit, and then click OK.
    2. Locate and then click the following key in the registry:
      HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\Microsoft\Forefront Server Security\Exchange Server
    3. On the Edit menu, point to New, and then click DWORD Value.
    4. Type OptimizeADQuery, and then press ENTER.
    5. On the Edit menu, click Modify.
    6. Type 1, and then click OK.
    7. Exit Registry Editor.
    8. Stop the FSCController service. Then, restart the FSCController service and all Exchange services.
  25. The FSCRealtimeScanner.exe process crashes when it tries to scan an e-mail message that has many recipients

    Symptoms
    After you apply Forefront Security for Exchange Service Pack 2, crashes may occur when the real-time scanning process runs.

    Cause
    This issue occurs because Forefront Security for Exchange Server SP2 includes performance optimizations that build a large LDAP query to process all the legacyExchangeDNs for mail recipients into one query. It does this by creating a sub query for each recipient in the message, which resembles the following:
    (legacyExchangeDN= /o=ORGNAME/OU=First Administrative Group/cn=Recipients/cn=RECIPIENT)
    This query is 88 characters long. However, the variable that stores the LDAP query can store only 10,241 characters. If there are many subqueries, the total length of the LDAP query can exceed 10,241 characters. When this character limit is exceeded, the FSCRealtimeScanner.exe process crashes.
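    The following added example (not part of the original article, and not the product's code or the hotfix's actual change) shows one defensive way to build the per-recipient query described above: check the length before each append and split the recipients across several queries so that no query exceeds the 10,241-character capacity. The function names and sample recipients are hypothetical, and the sample DNs are constructed from the article's placeholder path.

```python
MAX_QUERY_CHARS = 10241  # capacity of the query variable, as stated in the article


def escape_filter_value(value):
    """Escape the RFC 4515 special characters in an LDAP filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def subquery(legacy_dn):
    """One equality term per recipient, in the form the article shows."""
    return "(legacyExchangeDN=%s)" % escape_filter_value(legacy_dn)


def batch_filters(legacy_dns, limit=MAX_QUERY_CHARS):
    """Return OR filters that each fit within `limit` characters."""
    wrapper = len("(|)")
    batches, terms, size = [], [], wrapper
    for dn in legacy_dns:
        term = subquery(dn)
        if wrapper + len(term) > limit:
            raise ValueError("one subquery alone exceeds the limit")
        if size + len(term) > limit:  # flush before the bound is crossed
            batches.append("(|%s)" % "".join(terms))
            terms, size = [], wrapper
        terms.append(term)
        size += len(term)
    if terms:
        batches.append("(|%s)" % "".join(terms))
    return batches


def constructed_recipients(count):
    """Constructed sample DNs modelled on the article's placeholder path."""
    base = "/o=ORGNAME/OU=First Administrative Group/cn=Recipients/cn=USER%03d"
    return [base % i for i in range(count)]


if __name__ == "__main__":
    filters = batch_filters(constructed_recipients(300))
    print([len(f) for f in filters])
```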
  26. Exceptions during a Forefront for Exchange manual scan cause "ExceedinglyNested" detection and file removal

    Symptoms
    During a manual scan on an Exchange server, Forefront Security for Exchange incorrectly detects Office documents and e-mail messages as "ExceedinglyNested." Forefront Security for Exchange quarantines these files, and the body of the e-mail message is replaced with deletion text.

    Cause
    This issue occurs when Forefront Security for Exchange enters an unhealthy state during a manual scan, in which exceptions are thrown, and it may try to continue scanning documents. If these exceptions occur, they can cause the counters that track highly nested files to become invalid. These invalid counters then cause Forefront Security for Exchange to incorrectly detect ordinary files as being "ExceedinglyNested."
  27. When you try to generate a Forefront Diagnostic for Forefront Security for Exchange, you are prompted to "press any key" to complete the data collection

    Symptoms
    When you try to generate a Forefront Diagnostic for Forefront Security for Exchange, you are prompted to "press any key" to complete the data collection. Therefore, an administrator is required to complete the data collection.
  28. When an engine update fails in Forefront for Exchange because of an invalid database path, Forefront does not log an error

    Symptoms
    When an invalid database path is present in the Forefront for Exchange registry settings, the engine update will not be completed. However, a concise error will not be logged.

    After you install Hotfix Rollup 1 for Forefront Security for Exchange Service Pack 2, the following error is logged in the Application log when an engine update fails because of the presence of an invalid database path:

    Source: FSCController
    Event ID: 100
    Severity: Error
    ERROR: The database path in the registry does not exist.

  29. When you apply a template from one Forefront Security for Exchange installation to another Forefront Security for Exchange installation on a different server, the receiving server may lose all Forefront settings and may stop scanning mail

    Symptoms
    When you try to apply a template from one Forefront Security for Exchange installation to another Forefront Security for Exchange installation on a different server, RPC issues may occur. The Forefront Security for Exchange settings on the receiving server may be deleted before the template is applied. Because of certain RPC and networking issues, the new template cannot be applied and can leave Forefront unable to scan.

    Cause
    This issue occurs because the order in which Forefront for Exchange applies a template begins with the deletion of the existing database configurations on the receiving Forefront for Exchange server, followed by applying the new template. If networking issues occur, they may interfere with applying the new template after the existing database configurations are deleted.
  30. A scan engine update fails, and a warning message is logged in the ProgramLog.txt file

    Symptoms
    If any of the Forefront Security for Exchange external scan engine vendors release a scan engine update that incorporates files that are packaged within subdirectories, the scan engine update will fail. Additionally, a warning message that resembles the following is logged in the ProgramLog.txt file:
    WARNING: A failure was reported by the synchronization observer while installing the scanner. Action = 0x00000001. C:\ Forefront Installation Directory\EngineName\Bin\bases/stt/


    Cause
    This problem occurs because Forefront Security for Exchange Server cannot update a scan engine that contains one or more subdirectories within its update package.

Hotfix rollup information

Download information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

How to install the Hotfix Rollup

  1. Run the installer by double-clicking the service pack or rollup executable file.

    Note When the installer is running, the Exchange and Forefront Security for Exchange services are stopped, and your mail flow is temporarily stopped.
  2. After the installation is complete and the Exchange and Forefront Security for Exchange services are restarted (this occurs automatically during the installation), verify that Forefront Security for Exchange is working correctly.

    Note Forefront Security for Exchange service packs or rollups can also be installed by using the FFSMC Deployment job. For more information, see "Deployment Jobs" in the Forefront Server Security Management Console User Guide. In this case, the installer runs in silent mode, and there is no user input required. The rest of the process remains the same as when you run the installer by double-clicking the executable file.

Prerequisites

Antigen 9 for Exchange Service Pack 2

File Information

This hotfix rollup may not contain all the files that you must have to fully update a product to the latest build. This hotfix rollup contains only the files that you must have to correct the issues that are listed in this article.

The English (United States) version of this hotfix rollup uses a Microsoft Windows Installer package to install the hotfix rollup. The dates and the times for these files are listed in Coordinated Universal Time (UTC) in the following table. When you view the file information, the date is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Adonavigator.dll | 10.2.945.0 | 421,232 | 12-Jan-2010 | 01:34 | x86 |
| Adonavigator64.dll | 10.2.945.0 | 716,144 | 12-Jan-2010 | 01:41 | x64 |
| Adonavsvc.exe | 10.2.945.0 | 154,992 | 12-Jan-2010 | 01:41 | x64 |
| Aexmladapter.dll | 10.2.945.0 | 379,248 | 12-Jan-2010 | 01:34 | x86 |
| Custominstall.dll | 10.2.945.0 | 922,992 | 12-Jan-2010 | 01:34 | x86 |
| Customuninstall.dll | 10.2.945.0 | 342,384 | 12-Jan-2010 | 01:34 | x86 |
| Eventstrings-en_us.dll | 10.2.945.0 | 118,640 | 12-Jan-2010 | 01:34 | x86 |
| Eventstrings.dll | 10.2.945.0 | 118,640 | 12-Jan-2010 | 01:34 | x86 |
| Extractfiles.exe | 10.2.945.0 | 338,288 | 12-Jan-2010 | 01:34 | x86 |
| Filterengine.dll | 10.2.945.0 | 332,656 | 12-Jan-2010 | 01:34 | x86 |
| Fscadmarksvc.exe | 10.2.945.0 | 89,088 | 11-Jan-2010 | 23:35 | x86 |
| Fscappscanner.dll | 10.2.945.0 | 334,704 | 12-Jan-2010 | 01:34 | x86 |
| Fsccodec.dll | 10.2.945.0 | 194,928 | 12-Jan-2010 | 01:34 | x86 |
| Fsccommon.dll | 10.2.945.0 | 18,288 | 12-Jan-2010 | 01:34 | x86 |
| Fsccontroller.exe | 10.2.945.0 | 1,607,024 | 12-Jan-2010 | 01:34 | x86 |
| Fsccontrollerps.dll | 10.2.945.0 | 85,360 | 12-Jan-2010 | 01:34 | x86 |
| Fscdiag.exe | 10.2.945.0 | 487,792 | 12-Jan-2010 | 01:34 | x86 |
| Fscexec.exe | 10.2.945.0 | 57,200 | 12-Jan-2010 | 01:34 | x86 |
| Fscmanualscanner.exe | 10.2.945.0 | 899,440 | 12-Jan-2010 | 01:34 | x86 |
| Fscmonitor.exe | 10.2.945.0 | 265,072 | 12-Jan-2010 | 01:34 | x86 |
| Fscmonitorps.dll | 10.2.945.0 | 51,056 | 12-Jan-2010 | 01:34 | x86 |
| Fscrealtimescanner.exe | 10.2.945.0 | 882,544 | 12-Jan-2010 | 01:34 | x86 |
| Fscstarter.exe | 10.2.945.0 | 249,200 | 12-Jan-2010 | 01:34 | x86 |
| Fscstatsserv.exe | 10.2.945.0 | 270,704 | 12-Jan-2010 | 01:34 | x86 |
| Fsctransportscanner.exe | 10.2.945.0 | 903,536 | 12-Jan-2010 | 01:34 | x86 |
| Fscutility.exe | 10.2.945.0 | 494,448 | 12-Jan-2010 | 01:34 | x86 |
| Fseccrservice.exe | 10.2.945.0 | 825,712 | 12-Jan-2010 | 01:34 | x86 |
| Fseimc.exe | 10.2.945.0 | 324,464 | 12-Jan-2010 | 01:34 | x86 |
| Fsemailpickup.exe | 10.2.945.0 | 92,016 | 12-Jan-2010 | 01:34 | x86 |
| Fsevsapi.dll | 10.2.945.0 | 616,816 | 12-Jan-2010 | 01:41 | x64 |
| Fsevsapiex.dll | 10.2.945.0 | 76,656 | 12-Jan-2010 | 01:41 | x64 |
| Fssaclient.exe | 10.2.945.0 | 1,221,488 | 12-Jan-2010 | 01:34 | x86 |
| Getenginefiles.exe | 10.2.945.0 | 643,952 | 12-Jan-2010 | 01:34 | x86 |
| Gziparchive.dll | 10.2.945.0 | 267,120 | 12-Jan-2010 | 01:34 | x86 |
| Installservice.exe | 10.2.945.0 | 49,008 | 12-Jan-2010 | 01:34 | x86 |
| Installtask.exe | 10.2.945.0 | 226,672 | 12-Jan-2010 | 01:34 | x86 |
| Launcher.exe | 10.2.945.0 | 400,240 | 12-Jan-2010 | 01:41 | x64 |
| Macbinnavigator.dll | 10.2.945.0 | 241,520 | 12-Jan-2010 | 01:34 | x86 |
| Mimenavigator.dll | 10.2.945.0 | 322,928 | 12-Jan-2010 | 01:34 | x86 |
| Multimapper.dll | 10.2.945.0 | 672,624 | 12-Jan-2010 | 01:34 | x86 |
| Openxmlnavigator.dll | 10.2.945.0 | 92,528 | 12-Jan-2010 | 01:34 | x86 |
| Perfmonitorsetup.exe | 10.2.945.0 | 294,768 | 12-Jan-2010 | 01:34 | x86 |
| Programlogmsg.dll | 10.2.945.0 | 111,472 | 12-Jan-2010 | 01:34 | x86 |
| Rarnavigator.dll | 10.2.945.0 | 333,680 | 12-Jan-2010 | 01:34 | x86 |
| Remotinglayer.dll | 10.2.945.0 | 82,288 | 12-Jan-2010 | 01:34 | x86 |
| Remotinglayer64.dll | 10.2.945.0 | 115,568 | 12-Jan-2010 | 01:41 | x64 |
| Scanengines.dll | 10.2.945.0 | 562,032 | 12-Jan-2010 | 01:34 | x86 |
| Scanenginetest.exe | 10.2.945.0 | 359,792 | 12-Jan-2010 | 01:34 | x86 |
| Semsetup.exe | 10.2.945.0 | 292,208 | 12-Jan-2010 | 01:34 | x86 |
| Sfxcab.exe | 10.2.945.0 | 39,424 | 09-Feb-2010 | 19:52 | x86 |
| Smimenavigator.dll | 10.2.945.0 | 238,448 | 12-Jan-2010 | 01:34 | x86 |
| Statisticsmanager.dll | 10.2.945.0 | 537,456 | 12-Jan-2010 | 01:34 | x86 |
| Structstgnavigator.dll | 10.2.945.0 | 300,400 | 12-Jan-2010 | 01:34 | x86 |
| Tararchive.dll | 10.2.945.0 | 249,200 | 12-Jan-2010 | 01:34 | x86 |
| Tnefnavigator.dll | 10.2.945.0 | 308,080 | 12-Jan-2010 | 01:34 | x86 |
| Uuencodenavigator.dll | 10.2.945.0 | 256,880 | 12-Jan-2010 | 01:34 | x86 |
| Version.exe | 10.2.945.0 | 309,616 | 12-Jan-2010 | 01:34 | x86 |
| Ziparchive.dll | 10.2.945.0 | 304,496 | 12-Jan-2010 | 01:34 | x86 |
| Fscperfmonitor.dll | 10.2.945.0 | 315,760 | 12-Jan-2010 | 01:34 | x86 |
| Fscperfmonitor.dll | 10.2.945.0 | 544,624 | 12-Jan-2010 | 01:41 | x64 |
| Custom64.dll | Not Applicable | 99,840 | 02-Feb-2010 | 17:46 | x64 |
| Updspapi.dll | 6.3.16.0 | 463,720 | 10-Oct-2008 | 16:42 | x64 |


The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

Properties

Article ID: 978297 - Last Review: August 27, 2010 - Revision: 4.0
APPLIES TO
  • Microsoft Forefront Security for Exchange Server Service Pack 2