Microsoft has released Hotfix Rollup 2 for Microsoft Forefront Protection 2010 for Exchange Server (FPE). This article contains information about how to obtain the hotfix rollup and also descriptions of new features and issues that are fixed.
A new safety mechanism is introduced that will restart a Transport scan process if that process encounters more than five exceptions.
In the case that the exception type is specific to a process instance, this safety mechanism will automatically correct the situation and enable ordinary operations to continue.
After you upgrade to FPE Hotfix Rollup 2, you can use the Set-ExtendedOption Forefront Management Shell cmdlet to change the exception count. For example, to set the default exception count to 2, run the following command in the Forefront Management Shell:
Set-ExtendedOption ExceptionCount -value 2
Note The ExceptionCount extended option applies to the Transport scanjob only.
FPE will now post a warning if any items are present in the Undeliverable archive folder.
A new Health Point was introduced to monitor any undeliverable mail that is copied to the following folder:
%Program Files (x86)%\Microsoft Forefront Protection for Exchange Server\Data\Archive\Undeliverable
When any messages are present in the Undeliverable folder or its subfolders, the following reporting mechanisms are enabled:
An "Undeliverable items archived" Health Point error will be logged to the Scanjob Health Monitor on the dashboard of the FPE administrator UI.
An 8056 event ID will be written to the Application log. In part, the event ID reads as follows:
X messages have been archived and purged due to an error while scanning. Please ensure that mail is not queuing.
Here, X represents the number of messages that have been archived.
The Undeliverable folder is used to archive mail that cannot be processed correctly by the Transport scanjob of Forefront Protection 2010 for Exchange Server. Any mail that is present in this folder or its subfolders encountered a serious scanning issue and could not be delivered to the intended recipient. The mail is archived so that the administrator has a copy of the original.
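The two signals described above can also be checked from a script. The following is an added example, not part of the Microsoft article or the product: it counts items in the Undeliverable folder and its subfolders and looks for event ID 8056 in the Application log. The 24-hour look-back window and the message-text filter are assumptions.

```powershell
# Folder path and event ID come from the article; the look-back window is an assumption.
$root  = Join-Path ${env:ProgramFiles(x86)} 'Microsoft Forefront Protection for Exchange Server\Data\Archive\Undeliverable'
$since = (Get-Date).AddHours(-24)

# Count archived items in the folder and its subfolders (directories excluded).
$folderExists = Test-Path -Path $root
$items = @()
if ($folderExists) {
    $items = @(Get-ChildItem -Path $root -Recurse -Force |
               Where-Object { -not $_.PSIsContainer })
}

# Event 8056 in the Application log. Get-WinEvent raises an error when nothing
# matches, so that case is suppressed and treated as "no events".
$events = @(Get-WinEvent -FilterHashtable @{
                LogName   = 'Application'
                Id        = 8056
                StartTime = $since
            } -ErrorAction SilentlyContinue |
            # Other sources can reuse the same ID; keep only the archive message.
            Where-Object { $_.Message -like '*have been archived*' })

$oldest = $items  | Sort-Object LastWriteTime | Select-Object -First 1
$latest = $events | Sort-Object TimeCreated   | Select-Object -Last 1

$report = New-Object PSObject -Property @{
    FolderExists  = $folderExists
    ArchivedItems = $items.Count
    OldestItem    = $(if ($oldest) { $oldest.LastWriteTime })
    Events8056    = $events.Count
    LastEvent8056 = $(if ($latest) { $latest.TimeCreated })
}
$report | Format-List FolderExists, ArchivedItems, OldestItem, Events8056, LastEvent8056

# A non-zero exit code lets a scheduled task or monitoring agent raise an alert.
if ($items.Count -gt 0 -or $events.Count -gt 0) {
    Write-Warning 'Undeliverable mail has been archived. Review the folder and check the Exchange queues.'
    exit 1
}
```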
FPE now collects URL count data.
FPE now collects the following data for analysis by Microsoft:
FPE Hotfix Rollup 2 allows for the Microsoft Forefront Security for Exchange Server (FSE) Agent log size to be increased.
The FSE Agent log records the anti-spam and filtering results of each scan that Forefront performs on each message in Transport. Before Hotfix Rollup 2, the FSE Agent log had a maximum size of 350 megabytes (MB). This threshold can now be increased.
To increase the size of the FSE Agent log, follow these steps:
Note These steps use 500 as an example. This number represents megabytes and has no limit. You can define any size limit that you want.
The FSE Agent logs are in the following folder:
%Program Files (x86)%\Microsoft Forefront Protection for Exchange Server\Data\FSEAgentLog
FSCDiag now collects dump files on Windows Server 2008
FSCDiag is used to collect diagnostic information for FPE. After you apply Hotfix Rollup 2, FSCDiag will collect any existing dump files on Windows Server 2008.
You can now customize deletion text when Forefront Protection 2010 for Exchange Server tags mail as "EncryptedCompressedFile" or "CorruptedCompressedFile."
Deletion text for "EncryptedCompressedFile" or "CorruptedCompressedFile" was hardcoded. After you apply Hotfix Rollup 2, the deletion text will be used as defined by the administrator under the following panes of the administrative console:
Keywords: Events related to exhaustion of system commit limit (virtual memory).
Computer: [computer name]
Description: Windows successfully diagnosed a low virtual memory condition. The following programs consumed the most virtual memory: store.exe (2460) consumed xxxxxxxxx bytes, FSEOnDemandNav.exe (1360) consumed xxxxxxxxx bytes, and w3wp.exe (6808) consumed xxxxxxxxx bytes.
This issue occurs because FPE uses an invalid pointer when it tries to bind with Exchange Server to identify mailboxes to scan.
The link that is provided by Forefront Protection for Exchange Server to request removal from the SpamHaus block list is incorrect.
When the "ForeFront DNSBL" functionality in FPE is enabled, messages may be treated as spam by the SpamHaus block list. When this happens, a link is provided in the non-delivery report (NDR) together with the following message:
To request removal from this list, go to http://www.spamhaus.org/query/bl?ip=$
The link in this message is broken.
The URL generates the following message:
The requested URL could not be retrieved
The dollar sign within the URL should be an IP address.
Forefront Protection for Exchange Server does not display data in multiple console fields, and mail cannot be sent externally.
When FPE is installed on Microsoft Exchange Server 2007, several administrative console fields show blank information. These fields may include the following:
POLICY MANAGEMENT – FILTER OPTIONS
POLICY MANAGEMENT - ANTIMALWARE SUBHEADINGS
POLICY MANAGEMENT – SCAN OPTIONS
Mail sent to external users may be undeliverable.
Options for the Cloudmark anti-spam engine may be present on mailbox servers. These options should be present only on hub-transport servers.
Although the server is running Exchange Server 2007, the existence of the following registry key makes FPE believe that Exchange Server 2010 is installed on the server:
When you start a Windows Server 2008 R2 server that is running Exchange Server and Forefront Protection for Exchange Server, startup times are exceptionally long.
Changes in Windows Server 2008 R2 can cause delays when you start an Exchange server that is running FPE. This is expected behavior and is not caused by an error condition.
You experience exceptionally long server startup times.
Additional functions were added to Windows Server 2008 R2 to coordinate service startup requests.
Forefront Protection for Exchange Server falsely detects legitimate attachments as corrupted compressed files
Legitimate compressed files are detected as "corrupted compressed" by FPE. These file types include RAR, ZIP, JPEG, and COD files.
FPE scans and detects these files as "corrupted compressed." FPE then takes action on these messages as defined by the administrator in the FPE console in relation to such files.
Failure in the FPE decompression logic incorrectly characterizes files as compressed.
File filtering does not occur in Forefront Protection for Exchange Server
FPE may be unable to identify a file name within TNEF or a WINMAIL.DAT if the file name is longer than expected. FPE then categorizes the file type as unknown and cannot perform any file filtering based on file name or file type.
File filtering does not occur. However, virus scanning does occur.
A Forefront Protection for Exchange Server antivirus engine does not load, and mail is deleted
If an engine does not load for any reason, and FPE directs mail to that engine to be scanned, the mail will be deleted. If you are using one engine, and that engine does not load, all mail starts to be deleted.
Mail is deleted and unrecoverable.
Forefront Protection for Exchange Server quarantines a blank message when taking action on a subject line filter
When FPE filters mail based on a subject line filter during a RealTime scan, the message is sent to the quarantine. When the message is sent to quarantine, it contains a blank subject line and a blank message body.
These items in quarantine do not have subject lines or data within the body of the message. The message is basically lost and is replaced by a blank email message.
When you install FPE on the Data Availability Group (DAG) cluster, Domain Administrator privileges are required
When you install FPE on the Data Availability Group (DAG) cluster, Domain Administrator privileges are required. These privileges can be viewed as excessive. With FPE Hotfix Rollup 2, you can install by using Exchange Administrator privileges.
Messages cannot be scanned because the FSCController service in Forefront Protection for Exchange Server is stuck in a continuous loop
This issue occurs when FSCController is trying to scan a new message and to save a configuration change at the same time.
You may notice "The installed virus scanner is currently unavailable" errors in the Application log, or you may see other time-out errors. Mail cannot be scanned until the FSCController service is restarted.
The FSCController is caught in a loop while it tries to shut down.
"The Expiration Date is not valid" error when you try to enter a new expiration date in Forefront Protection for Exchange Server
It is the last day of the month, and you try to enter a new expiration date in Forefront Protection for Exchange Server. The new expiration date is not accepted, and a "The Expiration Date is not valid" error message is returned. Notice that the actual expiration date is irrelevant. You will never be able to enter any date on the last day of any month.
Enter a new expiration date on any day other than the last day of the month.
The Forefront Protection for Exchange Server Administrator console hangs for several minutes when you browse to the "Filter Lists" section
When you browse to the Filter Lists section of the Forefront Protection for Exchange Server Administrator console, the console hangs for several minutes, and CPU use increases. (The console is located under Policy Management\Filter\Filter Lists.) Microsoft.Forefront.Securitysuite.ui.console.exe is known to consume close to 100 percent of CPU resources during this time.
Microsoft.Forefront.Securitysuite.ui.console.exe may consume close to 100 percent of CPU resources during this time.
This issue can occur if you are using many filter list entries, because FPE tries to load them all.
Cannot uninstall Forefront Protection for Exchange Server on a nonclustered server
You try to uninstall Forefront Protection for Exchange Server on a nonclustered server but cannot do this. You notice that the server has the Cluster Service installed, even though the server is in a disabled state.
When you try to uninstall Forefront Protection for Exchange Server, you receive the following message:
"System updates required.
Installation on clusters requires that the cluster service is running. Start the cluster service unless this server is no longer part of a cluster. In that case uninstall the cluster service"
Forefront Protection for Exchange uses the presence of the Cluster Service to determine whether the computer is part of a clustered server. If the Cluster Service is installed, FPE treats the service as a clustered server and requires the service to be enabled and started.
A transport scan process is not safely aborted after an out-of-memory condition occurs
If a transport scan process (FSCTransportScanner.exe) cannot scan a message because of an out-of-memory condition, Forefront Protection for Exchange Server should end the corresponding process and create a new process in its place. If FPE cannot do this, additional messages will continue to reach the process. This creates more out-of-memory errors.
You may see events that reference the following messages in the Application log:
Scan job encountered an out of memory error. Returning E_OUTOFMEMORY.
An exception has occurred within ForefrontAgent's Scan method. Exception message = "Insufficient memory to continue the execution of the program."
Transport scan engine exception occurred. The scanner will be aborted.
An exception has occurred within ForefrontAgent's AbortScanner method. Exception message = "Thread failed to start."
<Engine_Name>: Memory allocation failure
<Engine_Name>: operation failed with return code 2147747079
Scan engine failure within Internet scan job (file "<Message_Name>", message "<Undisclosed>", folder "<Message_Direction>", engine <Engine_Name> 00010016)
Forefront Protection for Exchange cannot end the scan process and continues to receive messages for scanning. However, each scan will fail until the process is successfully ended and a new process is created in its place.
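The messages listed above can be searched for in the Application log to tell a scanner that was aborted and replaced from one whose abort failed. The following is an added example, not part of the Microsoft article or the product: the message fragments are copied from the list above, while the signal names and the 6-hour look-back window are assumptions.

```powershell
# Look-back window is an assumption; adjust it to the incident being investigated.
$since = (Get-Date).AddHours(-6)

# Message fragments from the article, keyed by a hypothetical signal name.
$patterns = @{
    'ScanJobOutOfMemory'   = 'Returning E_OUTOFMEMORY'
    'ScanMethodNoMemory'   = 'Insufficient memory to continue the execution of the program'
    'AbortRequested'       = 'The scanner will be aborted'
    'AbortFailed'          = 'Thread failed to start'
    'EngineAllocFailure'   = 'Memory allocation failure'
}

# The article does not name the event source, so match on message text only.
$events = @(Get-WinEvent -FilterHashtable @{
                LogName   = 'Application'
                StartTime = $since
            } -ErrorAction SilentlyContinue)

$hits = foreach ($e in $events) {
    if (-not $e.Message) { continue }   # message text may be unavailable
    foreach ($name in $patterns.Keys) {
        if ($e.Message.Contains($patterns[$name])) {
            New-Object PSObject -Property @{
                Time     = $e.TimeCreated
                EventId  = $e.Id
                Provider = $e.ProviderName
                Signal   = $name
            }
        }
    }
}

# Summary per signal, then the individual abort failures in time order.
@($hits) | Group-Object Signal | Sort-Object Name | Format-Table Name, Count -AutoSize

$abortFailed = @($hits | Where-Object { $_.Signal -eq 'AbortFailed' })
if ($abortFailed.Count -gt 0) {
    # An abort that failed means the scan process was not replaced, so
    # further messages keep reaching it and keep failing.
    Write-Warning ("{0} failed scanner abort(s) since {1}." -f $abortFailed.Count, $since)
    $abortFailed | Sort-Object Time | Format-Table Time, EventId, Provider -AutoSize
}
```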
The FSCTransportScanner.exe process in Forefront Protection for Exchange Server may stop responding, and this generates a Dr. Watson crash that references Bucket ID 1211603866
Dr. Watson reports Bucket ID 1211603866 when this issue occurs. Additionally, the following information may be reported by Dr. Watson:
This crash occurs when RARNavigator.dll does not correctly handle invalid metadata.
Filter lists display an incorrect scan action in the Forefront Protection for Exchange Server Administrator console
You create a filter list in which you set a certain action to be taken when filter criteria are met. You decide to change the action. Then, you update the Forefront Protection for Exchange Server Administrator console and notice that the action for the filter list is changed.
The relationship between the original action, the new action, and the action that is ultimately visible in the Forefront Protection for Exchange Server Administrator console is described in the following table:
Action that is visible in the FPE Administrator console
Skip: detect only
Skip: detect only
<None present; blank>
FSCController.exe is reloaded many times when the Start-SignatureUpdate cmdlet is run on a cluster that is running Forefront Protection for Exchange Server
Running the Start-SignatureUpdate cmdlet on a cluster causes the Microsoft Cluster Resource Utility DLL (Resutils.dll) to be reloaded several times. This is not the most efficient way to register changes and could lead to performance issues.
You may notice that the Start-SignatureUpdate cmdlet takes a long time to execute.
This issue occurs because of inefficient reloading of Resutils.dll.
Submission queues in Exchange 2007 or 2010 fill when you make a configuration change in FPE through the administrator or through PowerShell
FPE and Exchange Server compete for CPU cycles when the Exchange server is under high stress. This typically coincides with peaks in mail flow.
Mail queues increase in the Exchange submission queues.
This issue occurs because of inefficient accessing of Forefront’s Configuration.xml file and inefficient processing of data that is retrieved later.
Hotfix rollup information
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, go to the following Microsoft website:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
How to install the hotfix rollup
To install the hotfix rollup on any server that is not part of an SCC cluster, follow these steps:
Run the installer. To do this, double-click the hotfix rollup executable file.
Note When the installer is running, Forefront services are stopped.
After the installation is complete and Forefront services are restarted, make sure that Forefront is working correctly.
Note Forefront services are restarted automatically during the installation.
To install the hotfix rollup on an SCC cluster, use one of the following methods.
To install this particular hotfix on an SCC cluster, you should perform upgrades on all active nodes first. Setup prompts you to enable it to take resources offline and bring them back online automatically. Check that all resources are online and that all Forefront and Exchange services are started afterward. You should manually bring resources online or start services if it is necessary. After you upgrade the active nodes, do not fail over. Finally, upgrade each passive node in turn.
Installing on all active nodes first means that Forefront will be able to access the DatabasePath location, where it has to copy a file (LocalEngineMapping.cab).
If you prefer not to upgrade on active nodes, you may perform a "rolling upgrade." In a rolling upgrade, you install on each node only when the node is in a passive state. This involves performing a series of failovers so that each node can become passive. After all nodes are upgraded, you must copy LocalEngineMapping.cab from each active node’s local installation to the shared disk folder for the CMS. Forefront has to have this file in the following shared disk location so that it can upgrade the Kaspersky engine to version 8.
Copy LocalEngineMapping.cab from each active node’s local installation (source) to its shared disk folder (target):
Source location: <LocalDisk>\Program Files (x86)\Microsoft Forefront Protection for Exchange Server
Target location: <SharedDisk>\ForefrontCluster\Engines\metadata
You don't have to restart any services or fail over the cluster after you copy LocalEngineMapping.cab to the shared disk folder.
If you do not copy LocalEngineMapping.cab to the shared disk folder, Forefront will continue to try to update version 5 of the Kaspersky engine. (The Kaspersky engine will be discontinued by Microsoft after January 31, 2011.)
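The copy step of the rolling upgrade can be scripted so that a missing shared disk or an incomplete copy is caught immediately. The following is an added example, not part of the Microsoft article: the drive letters C: and S: stand in for <LocalDisk> and <SharedDisk> and are placeholders, and the SHA-256 comparison is an extra check that the article does not require.

```powershell
# Placeholders: replace C: and S: with the node's <LocalDisk> and <SharedDisk>.
$sourceDir = 'C:\Program Files (x86)\Microsoft Forefront Protection for Exchange Server'
$targetDir = 'S:\ForefrontCluster\Engines\metadata'
$fileName  = 'LocalEngineMapping.cab'

$source = Join-Path $sourceDir $fileName
$target = Join-Path $targetDir $fileName

# Hash helper built on .NET so that it does not depend on newer cmdlets.
function Get-Sha256Hex {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { [System.BitConverter]::ToString($sha.ComputeHash($stream)) }
    finally { $stream.Dispose() }
}

if (-not (Test-Path -LiteralPath $source)) {
    throw "Source file not found: $source. Has the hotfix rollup been installed on this node?"
}
if (-not (Test-Path -LiteralPath $targetDir)) {
    # The shared disk is reachable only from the node that currently owns it.
    throw "Target folder not reachable: $targetDir. Run this on the active node for the CMS."
}

Copy-Item -LiteralPath $source -Destination $target -Force

# Confirm that the file on the shared disk is byte-identical to the local copy.
$sourceHash = Get-Sha256Hex $source
$targetHash = Get-Sha256Hex $target
if ($sourceHash -ne $targetHash) {
    throw "Hash mismatch after copy. Source: $sourceHash Target: $targetHash"
}
Write-Output "Copied $fileName to $targetDir (SHA-256 $sourceHash)."
```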
This hotfix rollup requires you to have Forefront Protection for Exchange Server installed.
This hotfix may not contain all the files that you must have to fully update a product to the latest build. This hotfix contains only the files that you must have to correct the issues that are listed in this article.
The English (United States) version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.