Microsoft has released Hotfix Rollup 1 for Microsoft Forefront Security for SharePoint with Service Pack 3. This article contains information about how to obtain the hotfix rollup and about the issues that are fixed by the hotfix rollup.
New feature in Hotfix Rollup 1 for Forefront Security for SharePoint with Service Pack 3
Before this rollup, Forefront Server Security for SharePoint only enabled the deletion of files that exceed any of the following four General Option limits:
Max Container Scan Time (Real-Time)
Max Container Scan Time (Manual)
Max Nested Attachments
Max Nested Compressed Files
Hotfix Rollup 1 for Forefront Security for SharePoint with Service Pack 3 now includes the ability to perform a "Skip: detect only" action on files that exceed any of these four General Option limits. To do this, disable the Delete Corrupted Compressed Files General Option after you have applied the hotfix rollup.
Note When the Delete Corrupted Compressed Files General Option is enabled, files that match any of these four General Options will also be deleted.
To locate these features, on the Settings menu in the Forefront Administrator console, click General Options.
Issues that are fixed in Hotfix Rollup 1 for Forefront Security for SharePoint with Service Pack 3
In addition to the fixes included in all service packs and rollups for Forefront Security for SharePoint, this hotfix rollup fixes the following issues.
Details of the issues that are fixed in the hotfix rollup
An error message is logged when you use Microsoft Forefront Server Security Management Console to update the scan engines: "ERROR: A standard exception was caught in GetEngineFiles. invalid string position"
Symptoms
When you use the Microsoft Forefront Server Security Management Console (FSSMC) to update the scan engines on Forefront Security for SharePoint, the engine updates fail. Additionally, the following error message is logged:
Date/Time (3284- 1556), ERROR: A standard exception was caught in GetEngineFiles. invalid string position
Forefront Server Security for SharePoint may clean and upload a file to SharePoint instead of performing the expected behavior of blocking the file
Symptoms
If a file contains both a component that can be cleaned, such as a virus, together with a component that should be blocked, such as a Keyword Filter, the file is cleaned and uploaded instead of blocked.
Forefront Server Security for SharePoint does not quarantine the whole OpenXML document during a Quick or Manual scan
Symptoms
An OpenXML document was deleted and quarantined during a Quick or Manual scan. You locate and try to deliver the OpenXML document from the Forefront Server Security for SharePoint Quarantine. But you find that only a sub-file of the document is present. For example, Newletter.docx is deleted according to a Keyword filter during a Manual scan. However, only document.xml is present in the Quarantine.
More information
OpenXML files are basically container files. When Forefront Server Security for SharePoint makes a detection in the file, only the specific sub-file within is actioned and quarantined if the Quarantine Files option is enabled. Therefore, an administrator cannot deliver the whole OpenXML document from quarantine to the intended recipient.
The Incidents panel in Forefront Security Server for SharePoint may display the user GUID or remain blank in the Document Creator column, instead of displaying the actual user name
Symptoms
An administrator may see GUIDs or blanks in the Incidents panel in the Document Creator column.
More Information
Forefront Security Server for SharePoint may be unable to identify a document creator name of a file that it lists in the Incidents panel. The user name is blank or is displayed as a GUID.
The FSCController.exe process may crash and generate a Dr. Watson crash that references Bucket ID 671966687
Symptoms
The FSCController.exe process may crash. This generates a Dr. Watson crash that references Bucket ID 671966687. The crash generates the following stack dump file:
Files are detected as CorruptedCompressedFile when the MaxUnCompressedFileSize registry value is set to 0xFFFFFFFF
Symptoms
If you set the value of the MaxUnCompressedFileSize registry value to 0xFFFFFFFF, Forefront Server Security for SharePoint detects files as CorruptedCompressedFile, regardless of their file size.
If you have enabled the Delete Corrupted Compressed Files setting, the file is also deleted. To locate this setting, on the Settings menu in the Forefront Administrator console, click General Options.
Forefront Server Security for SharePoint services do not start if the installation root directory contains a file that is named "Program"
Symptoms
Forefront Server Security for SharePoint services do not start if the installation root directory, such as C:, contains a file that is named "Program."
Cause
Forefront Server Security for SharePoint services do not contain quotation marks around the path of the executable that they trigger when they start. This causes the system to look for any file in the path. For example, "C:\Program" may be found for a path of the file "C:\Program Files (x86)\Microsoft Forefront Security\SharePoint Server\FSCController.exe." This means that Forefront finds the wrong file and cannot start the service.
Workaround
If you experience this issue and cannot install this rollup package to resolve it immediately, put quotation marks around the path of the executable in the Services registry.
For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
Forefront Server Security for SharePoint may falsely detect that valid Microsoft Office 2003 Word documents contain CorruptedCompressedFile viruses
Symptoms
Forefront Server Security for SharePoint falsely detects that valid Office 2003 Word documents contain CorruptedCompressedFiles viruses. The attachment is removed as a virus.
An e-mail attachment is removed, and an incident is logged in the Incidents panel that the file was removed as a CorruptedCompressedFile virus. The ProgramLog.txt file contains the following entry:
INFORMATION: Realtime scan found virus: Folder: folder_name Storage Group\file name Message: subject line Incident: CorruptedCompressedFile State: Removed
Note The folder_name placeholder is the name of the folder where the virus was found.
Cause
This issue occurs because of the method that Forefront Server Security for SharePoint uses to parse the Word document.
When you rename an existing File Filter list, this causes the File Filter list to be disabled, and configuration settings revert to default settings in Forefront Server Security for SharePoint
Symptoms
Consider the following scenario:
You rename an existing File Filter list. To locate the list, on the Filter Lists menu in the Forefront Administrator console, click Filtering.
You view the File Filter list.
In this scenario, the File Filter list is displayed as Disabled, and all configuration settings such as Action, General and Identify are set to their default values.
Performance is improved in Forefront Server Security for SharePoint for actioning hidden infected files in 2007 Microsoft Office OpenXML documents that were originally created by using beta versions of 2007 Microsoft Office
Symptoms
Some 2007 Microsoft Office OpenXML documents may contain hidden subfiles. For example, these hidden files can be files that are not referenced in the document's file_name.xml.rels file.
Cause
This issue occurs because of certain inefficiencies in the additional code that is used to scan hidden files in 2007 Microsoft Office OpenXML documents.
More information
The fix for this issue enables Forefront Server Security for SharePoint to scan the file more efficiently by using fewer system resources.
Note RTM releases of 2007 Microsoft Office do not open any files that are not referenced in the document's file_name.xml.rels file.
Memory is not released from scan processes when Forefront Server Security for SharePoint scans certain GZip files
Symptoms
Memory is not released from scan processes when Forefront Server Security for SharePoint scans GZip files.
When this issue occurs, you may find that one or more of the following entries is logged in the ProgramLog.txt file:
"ERROR: An exception has occurred within ForefrontAgent's Scan method. Exception message = "Insufficient memory to continue the execution of the program.""
"ERROR: An exception has occurred within ForefrontAgent's Scan method. Exception message = "No more threads can be created in the system. (Exception from HRESULT: 0x800700A4)""
"ERROR: An exception has occurred within ForefrontAgent's Scan method. Exception message = "Value does not fall within the expected range.""
"DIAGNOSTIC: localizestream.cpp::LocalizeStream(): Failed to allocate memory for local stream 0x8007000e"
"ERROR: ReadWideCharBufferFromStream(): Attempted read of 5572 byte(s). Actual bytes read were 0. hr=8007000e"
"ERROR: FSCRealtimeScanner: Exception occurred (0xc0000005) at address 0x056C3769, p[0]=0x0, p[1]=0x3287224f"
"eax=0x00000000 ebx=0x32871fb7 ecx=0x07bdcfd0 edx=0x328721cd"
"esi=0x07c8e3dc edi=0x32871fb7 ebp=0x07c6f0d0 esp=0x0102a2f8"
"102a2f0: 00000000 00000000 00000000"
...
"102f720: 00000004 0042378f 8007000e"
Additionally, the following entries may be logged in the HRLog.txt file:
"INFORMATION: F 0x8007000e, 775-(primaryobject)"
"INFORMATION: F 0x8007000e, 1209-(primaryobject)"
"INFORMATION: F 0x8007000e, 1855-(primaryobject)"
"INFORMATION: S 0x8007000e, 7103-(workthread)"
Note Many of these entries contain the following hexadecimal code:
0x8007000E
This hexadecimal code means "Not enough storage is available to complete this operation" or "ERROR_OUTOFMEMORY."
Cause
This issue can cause the memory that is consumed by Forefront scan processes such as FSCRealtimeScanner.exe, FSCTransportScanner.exe, or FSCManualScanner.exe to grow exponentially. This may ultimately cause a low-memory condition on the server.
Memory is not released from scan processes when Forefront Server Security for SharePoint scans TAR files that are inside GZip files
Symptoms
Memory is not released from scan processes after Forefront Server Security for SharePoint scans tarball files (TAR files that are compressed inside GZip files, such as .tar.gz or .tgz).
When this issue occurs, you may find that one or more of the following entries is logged in the ProgramLog.txt file:
"ERROR: An exception has occurred within ForefrontAgent's Scan method. Exception message = "Insufficient memory to continue the execution of the program.""
"ERROR: An exception has occurred within ForefrontAgent's Scan method. Exception message = "No more threads can be created in the system. (Exception from HRESULT: 0x800700A4)""
"ERROR: An exception has occurred within ForefrontAgent's Scan method. Exception message = "Value does not fall within the expected range.""
"DIAGNOSTIC: localizestream.cpp::LocalizeStream(): Failed to allocate memory for local stream 0x8007000e"
"ERROR: ReadWideCharBufferFromStream(): Attempted read of 5572 byte(s). Actual bytes read were 0. hr=8007000e"
"ERROR: FSCRealtimeScanner: Exception occurred (0xc0000005) at address 0x056C3769, p[0]=0x0, p[1]=0x3287224f"
"eax=0x00000000 ebx=0x32871fb7 ecx=0x07bdcfd0 edx=0x328721cd"
"esi=0x07c8e3dc edi=0x32871fb7 ebp=0x07c6f0d0 esp=0x0102a2f8"
"102a2f0: 00000000 00000000 00000000"
...
"102f720: 00000004 0042378f 8007000e"
Additionally, the following entries may be logged in the HRLog.txt file:
"INFORMATION: F 0x8007000e, 775-(primaryobject)"
"INFORMATION: F 0x8007000e, 1209-(primaryobject)"
"INFORMATION: F 0x8007000e, 1855-(primaryobject)"
"INFORMATION: S 0x8007000e, 7103-(workthread)"
Note Many of these entries contain the following hexadecimal code:
0x8007000E
This hexadecimal code means "Not enough storage is available to complete this operation" or "ERROR_OUTOFMEMORY."
Cause
This issue may cause the memory that is consumed by the Forefront scan processes such as FSCRealtimeScanner.exe, FSCTransportScanner.exe, or FSCManualScanner.exe to grow exponentially. This may ultimately cause a low-memory condition on the server.
Memory is not released from scan processes when Forefront Server Security for SharePoint scans Mac Zip files that are inside another archive or compressed file
Symptoms
Memory is not released from the scan process when Forefront Server Security for SharePoint scans Mac Zip files that are inside another archive or compressed file.
When this issue occurs, you may find that one or more of the following entries is logged in the ProgramLog.txt file:
"ERROR: An exception has occurred within ForefrontAgent's Scan method. Exception message = "Insufficient memory to continue the execution of the program.""
"ERROR: An exception has occurred within ForefrontAgent's Scan method. Exception message = "No more threads can be created in the system. (Exception from HRESULT: 0x800700A4)""
"ERROR: An exception has occurred within ForefrontAgent's Scan method. Exception message = "Value does not fall within the expected range.""
"DIAGNOSTIC: localizestream.cpp::LocalizeStream(): Failed to allocate memory for local stream 0x8007000e"
"ERROR: ReadWideCharBufferFromStream(): Attempted read of 5572 byte(s). Actual bytes read were 0. hr=8007000e"
"ERROR: FSCRealtimeScanner: Exception occurred (0xc0000005) at address 0x056C3769, p[0]=0x0, p[1]=0x3287224f"
"eax=0x00000000 ebx=0x32871fb7 ecx=0x07bdcfd0 edx=0x328721cd"
"esi=0x07c8e3dc edi=0x32871fb7 ebp=0x07c6f0d0 esp=0x0102a2f8"
"102a2f0: 00000000 00000000 00000000"
...
"102f720: 00000004 0042378f 8007000e"
Additionally, the following entries may be logged in the HRLog.txt file:
"INFORMATION: F 0x8007000e, 775-(primaryobject)"
"INFORMATION: F 0x8007000e, 1209-(primaryobject)"
"INFORMATION: F 0x8007000e, 1855-(primaryobject)"
"INFORMATION: S 0x8007000e, 7103-(workthread)"
Note Many of these entries contain the following hexadecimal code:
0x8007000E
This hexadecimal code means "Not enough storage is available to complete this operation" or "ERROR_OUTOFMEMORY."
Cause
This issue occurs because of a problem with the TNEFNavigator.dll file in Forefront Server Security for SharePoint.
An FSS-ELI Scheduled Task is not created if all engine updates are disabled in Forefront Server Security for SharePoint
Symptoms
An FSS-ELI Scheduled Task is not created if all engine updates are disabled in Forefront Server Security for SharePoint.
Cause
This issue occurs because of a problem with the TNEFNavigator.dll file in Forefront Server Security for SharePoint.
Workaround
If you experience this issue and cannot install this rollup package to resolve this issue immediately, follow these steps to work around the issue temporarily:
Schedule at least one engine update, such as the Worm List. To do this, on the Settings menu in the Forefront Administrator Console, click Scanner Updates.
Restart Forefront SharePoint services. This enables Forefront Server Security for SharePoint to create the FSS-ELI Scheduled Task.
More information
The FSS-ELI Scheduled Task is responsible for updating Forefront’s Engine Licensing Information (ELI) file EngineInfo.cab. If engine updates are not enabled for any engines, the FSS-ELI Scheduled Task is not created.
To enable engine updates for any engine, on the Settings menu in the Forefront Administrator Console, click Scanner Updates.
Note For example, you might choose this configuration if you use Forefront Server Security Management Console to distribute engines centrally.
All engine updates roll back in Forefront Server Security for SharePoint if the installation root contains a file that is named "Program"
Symptoms
When you try to update a scan engine in Forefront Server Security for SharePoint, it rolls back. A new scan engine is downloaded, but the scan engine cannot be integrated. The new engine is rolled back, and Forefront reverts to the old engine.
Additionally, the following entries may be logged in the Application log and in the ProgramLog.txt file for each attempted engine update. The following example is for the Microsoft scan engine:
"INFORMATION: The Microsoft scan engine has been downloaded"
"INFORMATION: The Microsoft scan engine has been staged."
"ERROR: (0x000000c1) %1 is not a valid Win32 application. Unable to launch ScanEngineTest for the Microsoft scan engine."
"INFORMATION: The Microsoft scan engine has been rolled back."
Cause
This issue occurs because, when a new scan engine is downloaded, Forefront must first test it before integrating the scan engine. ScanEngineTest.exe is used for this purpose.
The path of ScanEngineTest.exe is not enclosed in quotation marks in the engine update code in Forefront. This causes the system to look for any file in the path. For example, "C:\Program" may be found for a path of the file "C:\Program Files (x86)\Microsoft Forefront Security\SharePoint Server\ScanEngineTest.exe." This means that Forefront finds the wrong file and cannot complete the scan engine test. The engine is then rolled back.
This issue occurs because of a problem with the TNEFNavigator.dll file in Forefront Server Security for SharePoint.
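The unquoted-path behavior behind both "Program" issues in this article (the services that do not start and the ScanEngineTest.exe rollback) can be checked with the following read-only PowerShell audit. This is an added example, not code from the article or from Microsoft. The function name Get-UnquotedPathFinding and the sample labels are hypothetical, and the check assumes that the executable path ends at the first ".exe" in the value.

```powershell
# Added example. Read-only: it reports findings and changes nothing.
function Get-UnquotedPathFinding {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ImagePath
    )
    $cmd = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    # A leading quotation mark already delimits the executable path.
    if ($cmd.StartsWith('"')) { return }

    # Assumption: the executable path ends at the first ".exe" in the value.
    $m = [regex]::Match($cmd, '^(?<exe>.+?\.exe)(?<args>\s.*)?$', 'IgnoreCase')
    if (-not $m.Success) { return }
    $exe = $m.Groups['exe'].Value
    if ($exe.IndexOf(' ') -lt 0) { return }

    # Every space is a point where the unquoted path can be cut short,
    # for example "C:\Program" for a path under "C:\Program Files (x86)".
    $prefixes = @()
    $i = $exe.IndexOf(' ')
    while ($i -ge 0) {
        $prefixes += $exe.Substring(0, $i)
        $i = $exe.IndexOf(' ', $i + 1)
    }

    # Files that exist at one of those prefixes, with or without ".exe",
    # such as the file named "Program" that the article describes.
    $blocking = @($prefixes | ForEach-Object { $_; "$_.exe" } |
        Where-Object { Test-Path -LiteralPath $_ -PathType Leaf -ErrorAction SilentlyContinue })

    [pscustomobject]@{
        Service       = $Name
        ImagePath     = $ImagePath
        Prefixes      = $prefixes -join '; '
        BlockingFiles = $blocking -join '; '
        # The value to review before applying the workaround by hand.
        QuotedForm    = '"{0}"{1}' -f $exe, $m.Groups['args'].Value
    }
}

# Constructed sample values. The first uses the path quoted in the article.
$samples = [ordered]@{
    SampleUnquoted = 'C:\Program Files (x86)\Microsoft Forefront Security\SharePoint Server\FSCController.exe'
    SampleQuoted   = '"C:\Program Files (x86)\Microsoft Forefront Security\SharePoint Server\FSCController.exe"'
    SampleNoSpaces = 'C:\Windows\System32\svchost.exe -k netsvcs'
}
$findings = foreach ($s in $samples.GetEnumerator()) {
    Get-UnquotedPathFinding -Name $s.Key -ImagePath $s.Value
}

# On a Windows host, also audit the real service entries (still read-only).
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
if (Test-Path $servicesKey) {
    $live = Get-ChildItem $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $ip = (Get-ItemProperty -LiteralPath $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($ip) { Get-UnquotedPathFinding -Name $_.PSChildName -ImagePath $ip }
    }
    $findings = @($findings) + @($live)
}

# Only SampleUnquoted is reported from the samples. A non-empty BlockingFiles
# value means a file such as C:\Program is already present on this host.
$findings | Format-List Service, ImagePath, Prefixes, BlockingFiles, QuotedForm
```

The audit covers only service ImagePath values. The ScanEngineTest.exe path is built inside the engine update code, so that case is corrected by the rollup rather than by a registry edit.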
Filter Lists settings are not applied when you perform a silent installation of Forefront Server Security for SharePoint
Symptoms
Consider the following scenario:
You use the -t parameter to specify a Template.fdb file when you run the Forefront Server Security for SharePoint setup as a silent installation.
The Template.fdb file contains custom Filter Lists.
In this scenario, the custom Filter Lists are not populated in the new installation. However, the installation of Forefront Server Security for SharePoint is successful.
Cause
This issue occurs because of a problem with the TNEFNavigator.dll file in Forefront Server Security for SharePoint.
More information
The FilterLists.fdb file is not created until the Forefront Administrator console is opened for the first time. Setup is therefore unable to load any custom Filter Lists into the FilterLists.fdb file during a silent installation because the FilterLists.fdb file does not exist at that point.
Exceptions during a Forefront for SharePoint manual scan cause "ExceedinglyNested" detection and file removal
Symptoms
During a manual scan on SharePoint, Forefront Security for SharePoint incorrectly detects Office and e-mail documents as "ExceedinglyNested." Forefront Server for SharePoint quarantines these files, and the documents in SharePoint are replaced with deletion text.
Cause
This issue may occur during the manual scan if Forefront Security for SharePoint enters into an unhealthy state where exceptions are thrown. Additionally, the manual scan may try to continue scanning documents.
If these exceptions occur in a specific code location, it will cause the counters that track exceedingly nested files to become invalid. These invalid counters cause the Forefront Security for SharePoint manual scan to incorrectly detect normal files as "ExceedinglyNested."
When you generate a Forefront Diagnostic for Forefront Security for SharePoint, you are prompted to "press any key" to complete the data collection
Symptoms
When you generate a Forefront Diagnostic for Forefront Security for SharePoint, you are prompted to "press any key" to complete the data collection. To complete the data collection, you must have administrative credentials.
When an engine update fails in Forefront Security for SharePoint because of an invalid database path, Forefront does not log a concise error message
Symptoms
When an invalid database path is present in the Forefront for SharePoint registry settings, the engine update is not completed. Additionally, a concise error message is not logged.
More information
After you install Forefront Security for SharePoint Service Pack 3 Rollup 1, the following error message will now be logged in the Application log when an engine update fails because of an invalid database path:
Source: FSCController
Event ID: 100
Severity: Error
ERROR: The database path in the registry does not exist.
When a template from one Forefront Security for SharePoint installation is applied to another installation, the installation that receives the template may lose all Forefront settings and stop scanning documents
Symptoms
In some scenarios, when RPC issues occur as a Forefront Security for SharePoint template is applied from one Forefront Security for SharePoint server to another, the Forefront Security for SharePoint settings may be deleted on the server that receives the template before the template is applied. Because of certain RPC and networking issues, the new template cannot be applied. This causes Forefront to stop scanning.
Cause
This issue may occur because of the order in which Forefront for SharePoint applies a template. This process starts with the deletion of the existing database configurations on the Forefront for SharePoint server that receives the template, and then the new template is applied. Networking issues may interfere with applying the new template after the existing database configurations are deleted.
A scan engine update fails and logs a warning message in the ProgramLog.txt file
If any of the Forefront Security for SharePoint Server external scan engine vendors release a scan engine update that incorporates files that are packaged within subdirectories, the scan engine update fails. Additionally, a warning message is logged in the ProgramLog.txt file that resembles the following:
WARNING: A failure was reported by the synchronization observer while installing the scanner. Action = 0x00000001. C:\Forefront Installation Directory\EngineName\Bin\bases/stt/
Cause
This problem occurs because Forefront Security for SharePoint Server cannot update a scan engine that contains one or more subdirectories in its update package.
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
How to install the hotfix rollup
To install the hotfix rollup, follow these steps:
Run the installer. To do this, double-click the hotfix rollup executable file.
Note When the installer is running, the Forefront and SharePoint services are stopped.
After the installation is complete, and the Forefront and SharePoint services are restarted, make sure that Forefront is working correctly.
Notes
The Forefront and SharePoint services are restarted automatically during the installation.
Forefront service packs or hotfix rollups can be installed by using the FSSMC Deployment job. For more information, see "Deployment Jobs" in the Forefront Server Security Management Console User's Guide. In this case, the installer runs in silent mode, and no user input is required. The rest of the process remains the same as when you run the installer by double-clicking the executable file.
Prerequisites
There are no prerequisites for installing this hotfix rollup.
File information
This hotfix may not contain all the files that you must have to fully update a product to the latest build. This hotfix contains only the files that you must have to correct the issues that are listed in this article.
The English (United States) version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.