Microsoft has released Hotfix Rollup 1 for Microsoft Antigen 9.0 Service Pack 2. This article contains information about how to obtain the rollup and about the issues that are fixed by the rollup.
This rollup includes all fixes in Antigen 9.0 Service Pack 2. For more information about the fixes included in Service Pack 2, click the following article number to view the article in the Microsoft Knowledge Base:
971063 Description of Antigen 9.0 with Service Pack 2
New features in the hotfix rollup
The StarEngine service is stopped when SpamCure is deselected
In versions of Antigen earlier than Antigen 9.0 Service Pack 2 Rollup 1, the StarEngine service would continue to run even though the SpamCure anti-spam engine was no longer being used, and either the Cloudmark anti-spam engine was selected or no anti-spam engines were selected. This meant that the StarEngine service continued to use memory and resources. In Rollup 1, the StarEngine service will now be stopped if it is not selected in the Antigen Administrator and the scan jobs are disabled. For example, this can occur when an engine update occurs or the services are recycled. After the scan jobs are re-enabled, the StarEngine service will remain stopped.
Rollup 1 for Antigen for Exchange version 9.0 with SP2 contains additional diagnostic logging features for the Cloudmark engine
Rollup 1 for Antigen for Exchange version 9.0 SP2 adds new features that let you log additional diagnostic information about the Cloudmark engine. We recommend that you enable this logging only when instructed to do so by Microsoft Customer Service and Support (CSS).
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
If instructed to enable additional Cloudmark diagnostic logging, install Rollup 1 for Microsoft Antigen for Exchange version 9.0 SP2, and then follow these steps:
For Cloudmark Content Scanner Diagnostics
These diagnostics log additional Cloudmark information to the ProgramLog.txt file.
Click Start, click Run, type regedit, and then click OK.
Locate and then click the following registry key:
For Antigen for Exchange:
HKEY_LOCAL_MACHINE\SOFTWARE\Sybari Software\Antigen for Exchange
For Antigen for SMTP:
HKEY_LOCAL_MACHINE\SOFTWARE\Sybari Software\Antigen for SMTP
On the Edit menu, point to New, and then click DWORD Value.
Type ContentScannerDiagnosticsLevel, and then press ENTER.
On the Edit menu, click Modify.
Type 1, and then click OK.
Exit Registry Editor.
To enable the new setting, make a change in the General options area of the Antigen Administrator UI. This causes Antigen to reread the registry settings and see the new registry value.
Registry values correspond to settings as follows. ContentScannerDiagnosticsLevel:
0: Disables logging for all Cloudmark signature update information.
1: Enables logging for all Cloudmark signature update information.
6: Enables logging for error information only.
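The registry steps above can also be scripted. The following PowerShell function is an added example, not a Microsoft-supplied script: it uses the key paths and value name from this article, accepts only the documented levels (0, 1, 6), and exports the key before writing. The function name and the `BackupDir` parameter are assumptions made for illustration.

```powershell
# Added example, not Microsoft's script. Key paths and value name come from this article.
function Set-CloudmarkDiagnosticsLevel {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Exchange', 'SMTP')]
        [string]$Product,

        # Only the levels the article documents are accepted.
        [Parameter(Mandatory = $true)]
        [ValidateSet(0, 1, 6)]
        [int]$Level,

        # Hypothetical default; prefer a folder that only administrators can write to.
        [string]$BackupDir = $env:TEMP
    )

    $subKey = "SOFTWARE\Sybari Software\Antigen for $Product"
    $psPath = "HKLM:\$subKey"
    if (-not (Test-Path $psPath)) {
        throw "Registry key not found: HKLM\$subKey"
    }

    # Back up the key before changing it, as the article advises.
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDir "Antigen-$Product-$stamp.reg"
    & reg.exe export "HKLM\$subKey" $backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Registry export failed; nothing was changed.' }

    # Create the DWORD if it is missing, or overwrite the existing value.
    New-ItemProperty -Path $psPath -Name 'ContentScannerDiagnosticsLevel' `
        -PropertyType DWord -Value $Level -Force | Out-Null

    # Read the value back so the caller can confirm what is now set.
    $current = (Get-ItemProperty -Path $psPath).ContentScannerDiagnosticsLevel
    New-Object PSObject -Property @{ Key = "HKLM\$subKey"; Level = $current; Backup = $backup }
}

# Enable logging when CSS asks for it, then set it back to 0 afterwards.
# Set-CloudmarkDiagnosticsLevel -Product Exchange -Level 1
# Set-CloudmarkDiagnosticsLevel -Product Exchange -Level 0
```

As with the manual steps, the new value is read only after a change is made in the General options area of the Antigen Administrator.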
For Cloudmark Engine Adaptor ETW Logging
These diagnostics log additional Cloudmark Engine Adaptor information to a separate ETW trace file:
Open a command prompt, and then run the following command to create a new trace:
Run the following command to start data collection:
Logman start Forefront
Reproduce the issue.
Run the following command to stop data collection:
Logman stop Forefront
Run the following command to remove the trace from ETW:
Logman delete Forefront
Collect the trace file from your output folder. For example, collect the file from c:\CloudmarkAdapterLog.etl.
Antigen 9.0 Service Pack 2 Rollup 1 displays the current signature version of the Cloudmark Authority Engine in the Antigen console
As the Cloudmark Authority Engine updates throughout the day, administrators can now view the specific Signature Version in the Antigen Administrator under Scanner Updates. Cloudmark downloads new micro-updates approximately every minute. This is displayed as a version number in the Signature Version box for the selected engine. The version number is constructed from the date and time (in 24-hour time) of the last micro-update download. For example, the following Signature Version indicates that Cloudmark was last updated on September 23 at 4:18 P.M.:
To view the Cloudmark signature version in the Antigen Administrator, click Settings, and then click Scanner Updates.
Antigen 9.0 Service Pack 2 Rollup 1 provides performance counters for the Cloudmark Authority Engine and SpamCure engines
The following performance counters are added for SpamCure and Cloudmark Authority engines in Antigen 9.0 Service Pack 2 Rollup 1:
Average Cloudmark Scan Time
Average Cloudmark Message Scan Rate
Average Spamcure Scan Time
Average Spamcure Message Scan Rate
Additional information added to the headers of e-mail messages for anti-spam detection
For every e-mail that is scanned by Cloudmark for spam detection, Antigen adds the following information to the mail header, regardless of whether the message was detected as spam or not:
Note The placeholder data is Cloudmark-specific data that explains to Cloudmark why the mail was determined to be spam or not spam. This information assists Cloudmark with their spam detection.
Issues that are fixed in the Hotfix Rollup 1 for Antigen 9.0 SP2
In addition to the fixes included in all service packs and rollups for Antigen 9.0, this hotfix rollup fixes the following issues:
Details of the issues that are fixed in the hotfix rollup
Note All the fixes that are listed in this section apply to the following products, unless otherwise stated:
Antigen for Exchange version 9.0
Antigen for Exchange version 9.0 with SP1
Antigen for Exchange version 9.0 with SP2
Antigen for SMTP Gateways version 9.0
Antigen for SMTP Gateways version 9.0 with SP 1
Antigen for SMTP Gateways version 9.0 with SP 2
Scan engine updates fail, and the Antigen logs do not provide a valid error
Symptoms When scan engine updates fail, there is typically an error logged to the ProgramLog.txt file that indicates a possible cause. However, in this case, the errors that are logged to the ProgramLog.txt are insufficient for troubleshooting the engine update failure.
The following error message is logged to the ProgramLog.txt file. The placeholder ScanEngineName contains the actual name of the scan engine that did not update.
INFORMATION: The ScanEngineName scan engine for Antigen has been downloaded
INFORMATION: The ScanEngineName scan engine for Antigen has been staged.
INFORMATION: Testing the ScanEngineName scan engine."
ERROR: Unable to load the ScanEngineName scan engine. hr = 0x800C0102. An error occurred while loading the ScanEngineName scan engine.
ERROR: (0x00000002) The system cannot find the file specified. The ScanEngineName scan engine test failed. hr = 0x80004005
Cause This issue occurs when the DatabasePath registry key contains invalid characters. Therefore, the engine test that occurs during all engine updates fails and causes every consecutive update to fail.
For example, this occurs if the DatabasePath registry key has the following configuration:
In this example, the additional backslash (\\) characters are invalid.
Resolution After you install Rollup 1, the following error message will be logged in the ProgramLog.txt file instead of the previous error message:
ERROR: The database path in the registry does not exist.
Mail is not scanned after you apply a new template in Antigen 9.0
Symptoms After you apply a new template in Antigen version 9.0, SMTP mail is no longer scanned for viruses.
The following error message is logged to the ProgramLog.txt file:
ERROR: scanjob.cpp::Load(): pStream->Read() returned 0x80010108
ERROR: scanjob.cpp::Load(): Invalid signature.
Cause Before Rollup 1, when templates were pushed out, the ScanJob settings were cleared before the new settings replaced them through the template push. During that process, an issue could occur in which the new settings did not replace the old settings that had already been cleared. Because of this, the ScanJob no longer contained the necessary settings and could not scan mail.
The AntigenClient.exe process in Antigen for Exchange version 9.0 may crash. This generates a Dr. Watson crash that references Bucket ID 1177692600
Symptoms The AntigenClient.exe process in Antigen for Exchange version 9.0 may crash. This generates a Dr. Watson crash that references Bucket ID 1177692600. The crash generates the following Call Stack Dump:
Applies to
Rollup 5 for Microsoft Antigen for Exchange version 9.0 SP1
Antigen for Exchange version 9.0 SP2
Engine deprecation notifications continue to be sent even though the engine was disabled from all scan jobs and scanner updates
Symptoms A new feature was added to Service Pack 2 for Antigen version 9.0 in which scan engines that are discontinued are removed from the product. E-mail alerts are sent out to the administrator before the retirement. However, in Antigen version 9.0 for SMTP Gateways with Service Pack 2, administrators still receive these retirement notifications even when the discontinued engine is disabled from all scan jobs and for engine updates.
Cause This issue occurs because the code that checks which scan engines are enabled for the scan jobs is the same in Antigen for Exchange Server and Antigen for SMTP Gateways. However, Antigen for SMTP Gateways does not contain a Quick Scan, so it cannot be confirmed that the engines were disabled in the Quick Scan on an Antigen for SMTP Gateway installation.
Applies to Antigen 9.0 for SMTP Gateways SP2
AntigenService crashes in Antigen 9.0 after you save changes that you made in the Antigen General Options panel
Symptoms After you make any changes in the Antigen General Options panel, and then click Save, the AntigenService service may crash.
You can confirm the crash by going to the Scan Jobs panel of the Antigen Administrator. The following error is displayed at the bottom of the console:
Cannot Connect to RealTime Scanjob.
The following Application log error is also logged:
The AntigenService service terminated unexpectedly.
The ProgramLog.txt file will not log an error.
Antigen 9.0 may detect that valid Office 2003 Word documents contain CorruptedCompressedFile viruses
Symptoms Antigen 9.0 falsely detects valid Office 2003 Word documents as CorruptedCompressedFiles. The attachment is removed as a virus.
An e-mail attachment is removed, and an incident is logged in the Incidents panel stating that Antigen removed the file as a CorruptedCompressedFile virus. The ProgramLog.txt file contains the following entry:
INFORMATION: Realtime scan found virus: Folder: Folder Name Storage Group\file name Message: subject line Incident: CorruptedCompressedFile State: Removed
Where the placeholder Folder Name is the name of the folder where Antigen found the virus.
Cause This error is caused by the method in which Antigen tries to parse the Word document.
Antigen 9.0 may generate the following error in the ProgramLog.txt: "ERROR: AntigenInternet process returned 80010105 while processesing message"
Symptoms Antigen 9.0 may generate the following error in the ProgramLog.txt:
ERROR: AntigenInternet process returned 80010105 while processesing message
Cause This error is caused by an issue in the Antigen MimeNavigator.dll file.
A scan engine update fails and generates a warning in the ProgramLog.txt file
Symptoms If any of Antigen’s external engine vendors release an engine update incorporating files packaged within subdirectories, the Antigen engine update will fail. The following warning is logged in the ProgramLog.txt file:
A failure was reported by the synchronization observer when you installed the scanner. Action = 0x00000001. C:\Program Files\Microsoft Antigen for Exchange\Engines\x86\(EngineName)\Bin\bases/stt/
Cause This issue occurs because Antigen cannot successfully update any engine whose update package contains subdirectories.
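Several of the issues above leave mail unscanned or engines without current updates, and each has a distinct ProgramLog.txt string. The following PowerShell function is an added example, not Microsoft tooling: it matches log lines against the strings quoted in this article and reports which issue each one points to. The function name, the engine name in the sample lines, and the log path in the comment are placeholders.

```powershell
# Added example, not Microsoft tooling. Each Text value is a ProgramLog.txt string quoted in this article.
function Find-AntigenKnownIssue {
    # Not Mandatory: mandatory string arrays reject the blank lines a real log contains.
    param([string[]]$Line)

    $signatures = @(
        @{ Text  = 'hr = 0x800C0102'
           Issue = 'Engine test failed during update; check DatabasePath for invalid characters' },
        @{ Text  = 'The database path in the registry does not exist'
           Issue = 'DatabasePath is invalid (message logged once Rollup 1 is installed)' },
        @{ Text  = 'scanjob.cpp::Load(): Invalid signature'
           Issue = 'ScanJob settings lost after a template push; SMTP mail is not being scanned' },
        @{ Text  = 'AntigenInternet process returned 80010105'
           Issue = 'MimeNavigator.dll error while processing a message' },
        @{ Text  = 'Incident: CorruptedCompressedFile'
           Issue = 'Possible false positive on an Office 2003 Word document; review the removed file' },
        @{ Text  = 'A failure was reported by the synchronization observer'
           Issue = 'Engine update package contains subdirectories; update failed' }
    )

    $n = 0
    foreach ($l in $Line) {
        $n++
        foreach ($s in $signatures) {
            # Literal, case-insensitive substring match (no regex or wildcard parsing).
            if ($l.IndexOf($s.Text, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                New-Object PSObject -Property @{ LineNumber = $n; Issue = $s.Issue; Line = $l }
            }
        }
    }
}

# Constructed sample lines, modelled on the messages in this article.
$sample = @(
    'INFORMATION: The ExampleEngine scan engine for Antigen has been staged.',
    'ERROR: Unable to load the ExampleEngine scan engine. hr = 0x800C0102.',
    '',
    'ERROR: scanjob.cpp::Load(): Invalid signature.',
    'ERROR: AntigenInternet process returned 80010105 while processesing message'
)
Find-AntigenKnownIssue -Line $sample | Select-Object LineNumber, Issue | Format-Table -AutoSize

# Against a real log (placeholder path):
# Find-AntigenKnownIssue -Line (Get-Content 'C:\path\to\ProgramLog.txt')
```

A CorruptedCompressedFile hit only marks a candidate for review; the same incident is logged for attachments that really are corrupted.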
How to install the hotfix rollup
Run the installer by double-clicking the service pack or rollup executable file.
Note When the installer is running, the Exchange and Antigen services are stopped, and your mail flow is temporarily stopped.
After the installation is complete and the Exchange and Antigen services have been restarted (this occurs automatically during the installation), verify that Antigen is working correctly.
Note Antigen service packs or rollups can also be installed by using the FFSMC Deployment job. For more information, see Deployment Jobs in the Forefront Server Security Management Console User Guide. In this case, the installer runs in silent mode and there is no user input required. The rest of the process remains the same as when you run the installer by double-clicking the executable file.
This hotfix rollup requires Antigen 9.0 Service Pack 2. For more information about how to obtain Antigen 9.0 Service Pack 2, click the following article number to view the article in the Microsoft Knowledge Base:
971063 Description of Antigen 9.0 with Service Pack 2
This hotfix may not contain all the files that you must have to fully update a product to the latest build. This hotfix contains only the files that you must have to correct the issues that are listed in this article.
The English (United States) version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.