Microsoft Antigen for Exchange Release Notes

Microsoft Antigen for Exchange Version 9

Microsoft Corporation

Published: July 2010

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft Corporation may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft Corporation, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2010 Microsoft Corporation. All rights reserved.

Microsoft, Access, Active Directory, ActiveX, Excel, Internet Explorer, Outlook, PowerPoint, SharePoint, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Privacy policy

Review the "Microsoft Antigen Privacy Statement" at the Microsoft Antigen Web site.


Microsoft Antigen for Exchange Version 9 with Service Pack 2

(Build 1097.50)

© 2009 Microsoft Corporation

All Rights Reserved.

Thank you for using Microsoft Antigen for Exchange, which provides antivirus protection for Microsoft Exchange servers. This Readme file contains important information regarding the current version of this product. It is highly recommended that you read the entire document.

Please send all comments, feedback, issues, and support questions to .

What's in this file

Important notes

New features

Known issues

Documentation

Frequently Asked Questions

EICAR antivirus test file

Important notes

1. The Antigen Administrator console may display a license expired notice after upgrading Antigen. This message is only reported if you have configured an alternate DatabasePath during the upgrade (the default DatabasePath is: Program Files\Microsoft Antigen for Exchange\data). You may need to re-select the engines that were previously configured and restart the Microsoft Antigen services.

This issue can be resolved prior to upgrading Antigen by copying the engineinfo.cab file to the current location of the Engines folder (by default, the location is: Microsoft Antigen for Exchange\). Because engineinfo.cab is embedded in the installation executable, you should copy setup.exe to a temporary location on disk and then type the following command to extract its contents:

setup.exe /x:extractpath

Note that if you are typing an extract path containing spaces, you must enclose the path in quotation marks. For example: setup.exe /x:"c:\Program Files\Microsoft Antigen for Exchange\data\Engines".

2. Upgrades from releases earlier than Antigen 8.0SR3 are not supported.

3. When upgrading from Antigen 8.0SR3, if proxy information is needed for file scanner updates, the information must be re-entered into the Antigen Administrator in the General Options pane.

4. After a fresh installation, new signature files must be downloaded to ensure the most up-to-date protection. For an upgrade, a one-time scanner update for each licensed engine will be scheduled. For a fresh installation, a daily scanner update for each licensed engine will be scheduled. These updates will start 5 minutes after the Antigen services are started. However, if a proxy is being used for scanner updates, these scheduled updates will fail. Use the Antigen Administrator to enter the proxy information. After this is done, click the Update Now button in the Scanner Updates pane to perform an immediate scanner update for each engine.

Note:

Until all the licensed engines have been successfully downloaded, errors may appear in the ProgramLog.txt file. These errors include "ERROR: Could not load enginename mapper" and "ERROR: Could not create mapper object".

5. Upgrading from Antigen 8.0SR3 may take longer than expected if the existing quarantine folder contains a large number of files.

6. In order for Microsoft Antigen Enterprise Manager to retrieve statistics from Antigen for Exchange when running on an Exchange 2000 server, Exchange 2000 SP2 or higher must be installed.

7. The ASM Junk Mail folder processing on Exchange 2000 requires that .NET Framework 1.1 be installed on the server.

8. Antigen is no longer supported running on two-node active/active Exchange cluster configurations.

9. Antigen users should be aware of a problem installing ASP.NET 1.1 on a computer running on a Windows 2000 Server domain controller with Service Pack 4 (SP4) installed. The IWAM account is not granted impersonate user rights for ASP.NET 1.1. When you request an ASP.NET 1.1 page, you may receive the following error message:

Server Error in '/AntigenJunkMail' Application.

Access is denied.

Microsoft posted Knowledge Base Article number 824308 describing the problem and providing a workaround solution.

10. Antigen users should be aware of an issue where the AntigenStoreEvent service uses large amounts of memory. If you think you are experiencing this issue, contact your Microsoft representative to obtain the fix.

11. The ASM Junk Mail folder processing requires that the World Wide Web Publishing Service be started.

12. When changing the Enable Junk Mail Folders General Option setting, Antigen will begin to create or disable ASM Junk Mail Folders for all users when the Save button is clicked. It is important to let Antigen finish this process before changing the option again. The start and completion of these operations are written to the ProgramLog.txt file.

13. The ASM Junk Mail folder displays/updates ASM settings for the user currently logged on to Outlook even when other users' mailboxes are displayed. To administer settings for these other users' mailboxes, you must log on to Outlook as that user.

14. If the SharePoint portal alert service is running on the server, an upgrade or uninstall of Antigen might require a restart.

15. When using the ASM Junk Mail Folder feature, if your IIS server is configured to use SSL, then you must set the Antigen registry DWORD value named UsingSSL to 1.

16. If a client's Internet Explorer settings are configured to use a proxy server, the Tools->Internet Options->Connections->LAN Settings->Bypass proxy server for local addresses option must be checked for that client to be able to access the ASM Junk Mail home page.

17. If an Antigen for Exchange installation is performed without an ASM license, and a subsequent ASM license is required, you must reinstall the product to enable the ASM Junk Mail features.

18. To enable the Antigen Administrator to run on Windows XP SP2, two steps need to be taken.

First, run dcomcnfg. Navigate to My Computer in Component Services, right-click My Computer, and then select Properties. Click the COM Security tab. Under Access Permissions, click Edit Limits and add Remote Access privileges for the Anonymous Logon user.

The second step is to allow the Antigen Administrator application. Access Control Panel, choose Security Center. Enter the Windows Firewall administrator and click the Exceptions tab. Select Add Program, select Antigen Administrator from the list, and then click OK. Now, check Antigen Administrator. Choose Add port. Add 135 for the port number, with TCP checked, and any name. Click OK.

If there is concern about opening port 135 to all computers, it can be opened for only the Antigen servers. When adding port 135, click Change Scope and select Custom List. Type the IP addresses of all Antigen servers to which you want to connect.

19. The Exchange 2003 UCE setting of the SCL Property requires Exchange 2003 and the Outlook 2003 client for mail to be routed to the Junk E-mail folder.

Note:

The Exchange 2003 SCL rating feature does not work on an SMTP Windows 2000/Windows 2003 only server.

20. When installing an AV solution using VSAPI2, a registry key is created to save information concerning the VSAPI library. If this key is present when you attempt to install Antigen, the installation fails. You must delete the key before attempting to reinstall Antigen.

The registry key you must delete is:

HKEY_LOCAL_MACHINE->System->CurrentControlSet->Services->MSExchangeIS->VirusScan

Delete the entire VirusScan key. Additionally, VSAPI will not allow you to run multiple AV software solutions concurrently.

21. When Antigen appends a disclaimer to an e-mail that has a different encoding, such as iso-2022-jp, it uses the MS API WideCharToMultiByte to convert the Unicode disclaimer text to the format needed before appending it to the e-mail. If support for that particular encoding has not been installed on the server (Control Panel->Regional and Language Options, Languages tab), Antigen cannot create a disclaimer in the appropriate encoding. If this occurs, a blank disclaimer is added to the e-mail, and the following error is logged to the Program Log: "WideCharToMultiByte returns an empty string for the Unicode plaintext disclaimer using the %s encoding" (where %s is replaced by the charset name).

22. If you are using the ASM Junk Mail Folder and want to host the Antigen ASM Web application on a different server, create a string registry key named JunkMailHostName. Antigen then uses this value (instead of the local host name) when setting the home page for the ASM Junk Folder for each Outlook user.

23. When installed in a cluster environment, if you manually fail over an Exchange Virtual Server and you are using the ASM Junk Mail Folder feature, you must also manually fail over the ‘Cluster Group’. Otherwise, Outlook users will be unable to use any of the features of ASM Junk Folders. On an automatic failover, the ‘Cluster Group’ fails over with the Exchange Virtual Server and this is not an issue.

24. Antigen is able to scan the first part of a multi-part RAR file. Any other part of a multi-part RAR will be treated as CorruptedCompressed and handled according to the Delete Corrupted Compressed Files General Option setting.

25. After an upgrade of Antigen, any monitoring software should be recycled to use the new Antigen monitoring library.

26. Antigen no longer supports the ability of customers to host their own engine updates.

27. Antigen database path names (DatabasePath registry key) greater than 216 characters are not supported.

28. When installing Antigen, the length of the installation path must be less than 170 characters.

29. UNC paths specified for engine updates must not end with a backslash ("\").

30. To change the server profile for notification purposes, you must modify the FromAddress registry value. In the registry editor, the FromAddress registry value is located under HKEY_LOCAL_MACHINE\SOFTWARE\SybariSoftware\Notifications\. For details about modifying this value, refer to the "Sending notifications" section in the "Using e-mail notifications" chapter in the "Microsoft Antigen for Exchange User Guide," which is available at the Microsoft Antigen TechNet Library.

Note:

In previous releases, the FromAddress registry value was named ServerProfile. If the user guide erroneously lists the value as ServerProfile, change it to FromAddress.
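
The installation constraints in notes 20, 27, 28, and 29 can be checked before setup is run. The following PowerShell sketch is an added example, not part of the original release notes or of Antigen itself; the function name, parameter names, and sample paths are hypothetical, while the limits and the registry key are the ones stated above.

```powershell
# Added example, not Microsoft code. Function and parameter names are hypothetical;
# the limits and the registry key are those stated in notes 20, 27, 28 and 29.
function Test-AntigenPreinstall {
    param(
        [Parameter(Mandatory = $true)][string]$InstallPath,
        [string]$DatabasePath,
        [string]$EngineUpdatePath
    )
    $findings = @()

    # Note 28: the installation path must be less than 170 characters.
    if ($InstallPath.Length -ge 170) {
        $findings += "InstallPath is $($InstallPath.Length) characters; it must be less than 170."
    }

    # Note 27: DatabasePath values greater than 216 characters are not supported.
    if ($DatabasePath -and $DatabasePath.Length -gt 216) {
        $findings += "DatabasePath is $($DatabasePath.Length) characters; the maximum is 216."
    }

    # Note 29: a UNC path for engine updates must not end with a backslash.
    if ($EngineUpdatePath -and $EngineUpdatePath.StartsWith('\\') -and $EngineUpdatePath.EndsWith('\')) {
        $findings += "Engine update UNC path ends with a backslash: $EngineUpdatePath"
    }

    # Note 20: a VSAPI key left by another AV product makes the installation fail.
    # This check only reports the key; deleting it remains a deliberate manual step.
    $vsapiKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan'
    if (Test-Path -Path $vsapiKey) {
        $findings += "VSAPI key is present; delete the entire key before installing: $vsapiKey"
    }

    return $findings
}

# Constructed sample input: an over-long installation path and a UNC path
# with a trailing backslash. Both should be reported.
$sample = @{
    InstallPath      = 'C:\' + ('A' * 170)
    DatabasePath     = 'D:\AntigenData'
    EngineUpdatePath = '\\fileserver\engines\'
}
$results = @(Test-AntigenPreinstall @sample)
if ($results.Count -eq 0) {
    'All pre-install checks passed.'
} else {
    $results | ForEach-Object { "FAIL: $_" }
}
```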

New features

Build 9.2.1097.50 (Includes all features from Antigen 9.1.1097):

1. Adding and deprecating scan engines

When Antigen adds or deprecates an engine, you are informed via notification entries in the event log. You can also configure notifications to be sent to Virus Administrators in addition to the event log by using the Antigen Administrator; for more information about how to do this, see “Chapter 18 - Using e-mail notifications” in the Microsoft Antigen for Exchange User Guide.

Adding new scan engines

When Antigen adds a scan engine, an announcement is written to the event log that publicizes that the engine was added to your configuration. This notification - which includes links to information about this new engine - is written to the event log only once.

Deprecating scan engines

When Antigen is no longer going to support a scan engine, an announcement is written to the event log to publicize the date on which updates for this engine will no longer be available. Notifications, which include links to information about this engine's deprecation, are written to the event log on a weekly basis up until the date on which the engine becomes obsolete.

Upon receiving a notification about an engine being deprecated, it is strongly recommended that you disable the use of this engine with any scan jobs. Once the engine becomes obsolete, the definitions on disk will become out of date and the scanning usefulness of this engine diminishes.

After the date on which the engine becomes obsolete, updates are no longer available for this engine. If the obsolete engine is still enabled for updates, update checks for that engine are automatically disabled, and an error notification is written to the event log. If the obsolete engine is in use with a scan job, an error notification is written to the event log on a daily basis until the engine is disabled for that scan job.

For more information regarding engine revisions, refer to Antimalware Engine Notifications and Developments.

2. Using the Cloudmark anti-spam scan engine

Antigen version 9 with Service Pack 2 incorporates new anti-spam technology through a partnership with Cloudmark that provides an improved anti-spam experience including higher detection rates, lower false positives, an improved submission experience, and an enhanced service experience. The solution integrates with the Antigen products in the same manner as any other engine with a few exceptions that are outlined in this section.

Configuring Cloudmark updates

Cloudmark distributes anti-spam signature updates directly to the Antigen server. This differs from the other scan engines, which receive signature updates directly from Microsoft. Cloudmark signature updates occur automatically throughout the day; they are not configurable in the Antigen Administrator.

However, administrators can schedule Antigen to check to see if Cloudmark has released an engine update. (An engine update refers to updating to a new version of a scan engine (which replaces the old version), whereas a signature update refers to new signatures being added to an existing scan engine.) Because engine updates occur much less frequently than signature updates, it is recommended that engine updates be scheduled to occur once daily during off hours. Historically, an engine update occurs once every several months but these occur as needed. In the Antigen Administrator, click SETTINGS, and then click Scanner Updates. Use the Scanner Update Settings pane to schedule Cloudmark engine updates. It is also recommended that you click the Update Now button before scanning.

The Cloudmark engine utilizes HTTPS (port 443) to verify the user license while signatures are updated by the Cloudmark engine via HTTP (port 80). This requires that the Antigen server has the ability to connect to the Internet and that both port 80 and port 443 are open on any firewall through which the Antigen server connects. Administrators can verify the connection to the Cloudmark servers by running the following commands on the Antigen server:

telnet cdn-microupdates.cloudmark.com 80

telnet lvc.cloudmark.com 443

If you are not connecting to the required ports, you must configure your firewall to allow these connections.
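
On servers where the telnet client is not installed, the same two connections can be tested from PowerShell. This is an added example, not part of the original release notes; the function name and the 5-second timeout are assumptions, and the host names and ports are the ones listed above.

```powershell
# Added example, not Microsoft code. Test-TcpPort is a hypothetical helper name;
# hosts and ports are the two Cloudmark endpoints given in this section.
function Test-TcpPort {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [Parameter(Mandatory = $true)][int]$Port,
        [int]$TimeoutMs = 5000   # assumed timeout; adjust for slow links
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        # No answer within the timeout usually means a firewall is dropping the traffic.
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'Timeout'
        }
        # EndConnect throws if the connection was refused or the name did not resolve.
        $client.EndConnect($pending)
        return 'Open'
    } catch {
        return "Failed: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

$endpoints = @(
    @{ HostName = 'cdn-microupdates.cloudmark.com'; Port = 80;  Purpose = 'signature updates (HTTP)' },
    @{ HostName = 'lvc.cloudmark.com';              Port = 443; Purpose = 'license verification (HTTPS)' }
)

foreach ($endpoint in $endpoints) {
    $status = Test-TcpPort -HostName $endpoint.HostName -Port $endpoint.Port
    "{0}:{1} [{2}] -> {3}" -f $endpoint.HostName, $endpoint.Port, $endpoint.Purpose, $status
}
```

Like the telnet commands, this tests a direct TCP connection from the Antigen server and does not go through a configured proxy server.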

Note:

You can set the time, in seconds, that the Cloudmark engine attempts to download updates before timing out by setting the CloudmarkDownloadTimeout registry key (located under HKEY_LOCAL_MACHINE\SOFTWARE\Sybari Software\Antigen for Exchange). By default, this is set to 900 seconds (15 minutes).

Note:

Cloudmark uses the FSEContentScanner.exe process to receive signature updates. This uses approximately 80 MB initially, after which it uses an average of between 80 MB and 150 MB per 24-hour period, so that only a small amount of bandwidth is used every minute.

Caution:

The Cloudmark anti-spam signature updates may fail when passing through a proxy server if NTLM Authentication is enabled. As a workaround, configure the proxy server to allow the Antigen server through anonymously.

Enabling the Cloudmark anti-spam engine for scanning

When performing a fresh installation of Antigen version 9 with Service Pack 2, Cloudmark is the anti-spam solution.

Submitting false positives and false negatives to Cloudmark

To submit false positive or false negative spam e-mails to Cloudmark, send the e-mail as an RFC 2822 attachment (.eml). Do not send misclassified messages by using the Forward command; this strips them of essential header information and results in an invalid submission.