Microsoft has released Hotfix Rollup 2 for Antigen 9 for Exchange Server with Service Pack 2 and for Antigen 9 for SMTP Gateways with Service Pack 2. This article contains information about how to obtain the hotfix rollup and about the issues that are fixed by the hotfix rollup.
Details of the issues that are fixed in the hotfix rollup
Antigen 9 for Exchange and Antigen 9 for SMTP Gateways do not send notifications to internal e-mail addresses
Internal recipients that are specified in any notifications do not receive the expected e-mail notification. To view the internal recipients that are supposed to receive notifications, click Notifications on the Report menu of the Antigen Administrator console.
This problem occurs when you use the DomainDatFilename feature in Antigen 9 for Exchange and in Antigen 9 for SMTP Gateways to specify internal domains.
The Cluster Service cannot create or restore Crypto Checkpoints on a Microsoft Exchange 2003 cluster
The Cluster Service cannot create or restore Crypto Checkpoints for an Exchange 2003 Information Store instance in Antigen 9 for Exchange or for an Exchange SMTP instance in Antigen 9 for SMTP Gateways.
During the installation of Antigen 9 for Exchange or Antigen 9 for SMTP Gateways on an Exchange cluster, the installation stops, and you receive the following error message:
Setup failed to create the Antigen resource and configuration in the EVS.
When a cluster resource is brought online, an event type that resembles the following is logged in the System log:
Event Type: Error
Event Source: ClusSvc
Event Category: Checkpoint Mgr
Event ID: 1121
The crypto checkpoint for cluster resource 'Exchange Information Store Instance
could not be restored to the container name
'C44FBC30-1445-11d3-8CAA-00104B9C5823'. The resource may not function correctly.
This problem occurs because the Local Administrators account does not have sufficient permissions on the following folder:
%drive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
The permissions that are applied to this folder are inherited by the file that is created in the following folder when either of these symptoms occurs:
If you experience this problem and cannot install this rollup package to resolve this problem immediately, you can work around this problem by adding the following local accounts with Full Control to the "%Drive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys" folder:
Note Make sure that the option to propagate permissions to all child objects is selected for each account.
The Antigen 9 for Exchange and Antigen 9 for SMTP Gateways services cannot start if the installation root directory contains a file that is named "Program"
The Antigen 9 for Exchange and Antigen 9 for SMTP Gateways services cannot start if the installation root directory contains a file that is named Program.
This problem occurs when the executable services file for Antigen 9 for Exchange or for Antigen 9 for SMTP Gateways do not contain quotation marks around the path of the executable file. This causes the system to look for any file in the path. For example, the file "C:\Program" may be found for a path of the file "C:\Program Files\Microsoft Antigen for Exchange\AntigenService.exe." This means that Antigen 9 for Exchange and Antigen 9 for SMTP Gateways finds the wrong file and cannot start the service.
To temporarily work around this problem if you cannot immediately install this hotfix rollup, do one of the following:
Rename the file that is named "Program."
Put quotation marks around the executable file path in the Services registry.
For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
Event ID 7000 and "%1 Is Not a Valid Win32 Application" error message when you start a service
All engine updates roll back in Antigen 9 for Exchange and in Antigen 9 for SMTP Gateways if the installation root directory contains a file that is named "Program"
When you try to update a scan engine in Antigen 9 for Exchange and in Antigen 9 for SMTP Gateways, the update rolls back. After the new scan engine is downloaded, it cannot be integrated. The new scan engine is rolled back, and Antigen 9 for Exchange and in Antigen 9 for SMTP Gateways reverts to the old scan engine.
Additionally, the following entries may be logged in the Application log and in the ProgramLog.txt file for the time that you try to update a scan engine. The following example is for the Microsoft scan engine.
"INFORMATION: The Microsoft scan engine has been downloaded" "INFORMATION: The Microsoft scan engine has been staged." "ERROR: (0x000000c1) %1 is not a valid Win32 application. Unable to launch ScanEngineTest for the Microsoft scan engine." "INFORMATION: The Microsoft scan engine has been rolled back."
This problem occurs when the path of ScanEngineTest.exe is not enclosed in quotation marks for the engine update code in Antigen 9 for Exchange and Antigen 9 for SMTP Gateways. This causes the system to look for any file in the path. For example, the file "C:\Program" may be found for a path of the file "C:\Program Files\Microsoft Antigen for Exchange\ScanEngineTest.exe." This means that Antigen 9 for Exchange and Antigen 9 for SMTP Gateways finds the wrong file and cannot complete the scan engine test. In this scenario, the scan engine is rolled back.
Template settings cannot be deployed to Antigen 9 for Exchange and Antigen 9 for SMTP Gateways servers when you use the Forefront Server Security Management Console
You use the Forefront Server Security Management Console to deploy template settings to an Antigen 9 for Exchange or an Antigen 9 for SMTP Gateways server. The job is completed successfully. However, when you check the Antigen Administrator console, you find that the settings from the template are not applied to the scan jobs.
AntigenStarter.exe is used to deploy the template settings on the local Antigen 9 for Exchange and Antigen 9 for SMTP Gateways server. When this problem occurs, the AntigenStarter.exe file is called before the template.adb file is copied to the local server.
Therefore, AntigenStarter.exe integrates the current settings that are already applied to the scan jobs. AntigenStarter.exe does not apply the new template.adb settings.
To work around this problem, use AntigenStarter.exe locally to deploy template settings after Forefront Server Security Management Console has deployed your template.adb to the server. For more information about AntigenStarter.exe and command-line parameters, see Chapter 11 - Using templates in the Antigen for Exchange User Guide. To obtain this User's Guide, visit the following Microsoft TechNet Web site:
Sender notifications are not sent in Antigen for Exchange if the "From" field in the original e-mail message header has a single display name that occupies more than one line
Sender notifications are not sent in Antigen for Exchange if the "From" field in the original e-mail message header has a single display name that contains a lots of characters and bridges more than one line. For example, this problem occurs with the following encoded header:
Typically, when an e-mail message is detected as matching a virus, a file filter, or some other relevant entity in Antigen for Exchange, Antigen sends the original sender of an e-mail message a notification that contains details of the event. However, when the "From" field of the original e-mail message header contains multiple lines because of the length of the display name, sender notifications are not sent.
Additionally, the following error messages may be logged in the Programlog.txt file:
ERROR: Could not retrieve next row of data from AD. Error code: 00005012.
WARNING: The user does not have an SMTP address. User:
A scan engine update fails and logs a warning message in the ProgramLog.txt file
If any of the Antigen for Exchange Server or the Antigen for SMTP Gateways external scan engine vendors release a scan engine update that incorporates files that are packaged in sub-directories, the scan engine update will fail. Additionally, a warning message is logged in the ProgramLog.txt file that resembles the following:
WARNING: A failure was reported by the synchronization observer while installing the scanner. Action = 0x00000001. C:\<Forefront Installation Directory>\<EngineName>\Bin\bases/stt/
This problem occurs because Antigen cannot update a scan engine that contains one or more sub-directories in its update package.
The settings in a new Antigen installation remain unconfigured after you apply an existing Antigen <template>.adb file to Antigen by using the AntigenStarter command
The Antigen administrative console contains blank configurations such as the File Filter lists and the Allowed Sender lists.
In order to duplicate settings from an existing Antigen server to a new Antigen server, an administrator can copy the Antigen template.adb file to the new server and then run the AntigenStarter command. In some instances, the settings from the template.adb file are not fully applied.
Antigen generates notifications on obsolete scan engines even though they are not being used
Administrators on the critical notification list in Antigen continue to receive e-mail requests to stop using a deprecated scan engine. This problem occurs even though the scan engine is disabled in the Antigen administrator.
Additionally, the following is logged in the event log:
The engine_display_name scan engine is no longer supported. Updates are no longer available for this engine, and therefore the update check for this engine has been disabled. Please review the scan engines chosen for your scan jobs and make another selection to ensure up-to-date protection.
Antigen incorrectly detects PDF files as UNICODE files when it is configured to filter PDF files
You configure Antigen to filter PDF files. When a PDF file is filtered, the following entries are logged in the ProgramLog.txt file:
date time (812- 2468), "DIAGNOSTIC: The IMS scanner detected a FileType of 2 (FOBTYPE_UNICODE)"
date time (812- 2468), "DIAGNOSTIC: The IMS Virus scanner is scanning the file named "file_name.pdf" from the message named subject located in the "Outbound" folder"
When a File Filter is set up for Portable Document Format (PDF) files in Antigen, and UNICODE is selected under the File Type list, Antigen successfully filters the file. However, it will incorrectly logs that a UNICODE file was filtered.
E-mail may queue in the Exchange Directory Lookup queues, e-mail flow is slow, or longer send and receive wait times in Exchange when Antigen for Exchange is installed
You may experience one or more of the following symptoms in Exchange when Antigen for Exchange is installed:
E-mail may queue in the Exchange Directory Lookup queues.
E-mail flow is slow.
Users report longer wait times to send and receive e-mail.
CPU utilization may be high.
This problem may occur in Exchange when Antigen is installed. This occurs because of a performance issue in Antigen's keyword filtering component.
Antigen for Exchange Service Pack 2 Rollup 2 provides improved performance for incidents logging
When Antigen makes lots of detections, these have to be logged in the Incident.mdb database. When this occurs, there is an increase in CPU utilization. For example, you may see an increase in CPU utilization by the AntigenService.exe process at this point. This occurred because Antigen accesses the incident count table two times to update the table.
After you install Hotfix Rollup 2 for Antigen 9 for Exchange Service Pack 2, performance for incident logging is improved.
Hotfix rollup information
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
How to install the hotfix rollup
To install the hotfix rollup, follow these steps:
Run the installer by double-clicking the hotfix rollup executable file.
Note When the installer is running, the Exchange and Antigen services are stopped, and your mail flow is temporarily stopped.
After the installation is complete and the Exchange and Antigen services are restarted, make sure that Antigen is working correctly.
The Exchange and Antigen services are restarted automatically during the installation.
Antigen service packs or hotfix rollups can be installed by using the FFSMC Deployment job. For more information, see "Deployment Jobs" in the Forefront Server Security Management Console User's Guide. In this case, the installer runs in silent mode and no user input is required. The rest of the process remains the same as it is when you run the installer by double-clicking the executable file.
This hotfix rollup requires that one of the following to be installed:
Microsoft Antigen 9 for Exchange Service Pack 2
Microsoft Antigen 9 for SMTP Gateways Service Pack 2
For more information about these service packs, click the following article number to view the article in the Microsoft Knowledge Base:
This hotfix may not contain all the files that you must have to fully update a product to the latest build. This hotfix contains only the files that you must have to correct the issues that are listed in this article.
The English (United States) version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.