Archive for the ‘Forefront Protection 2010 for SharePoint’ Category

Hotfix Rollup 1 for Forefront Protection 2010 for SharePoint is Available

January 20th, 2011

On behalf of the security team at Microsoft, I am pleased to announce the release of Hotfix Rollup 1 for Microsoft Forefront Protection 2010 for SharePoint.

On January 17th Microsoft shipped Hotfix Rollup 1 for Forefront Protection 2010 for SharePoint (FPSP) to provide a series of product enhancements and new features. For a complete list of the new features and enhancements included in this rollup, along with directions for download, please see the Knowledge Base article: Description of Hotfix Rollup 1 for Forefront Protection for SharePoint

As the installer runs, Server service restarts may be necessary, so please plan accordingly when applying this hotfix rollup.

Rob McCarthy, Sr. Support Engineer

 


Forefront Protection Server Management Console 2010 Update

October 25th, 2010

My name is Andrew Schiano, and I work in Test for the Forefront Protection team. I would like to tell you a little bit about the soon-to-be released Forefront Protection Server Management Console 2010 (FPSMC). FPSMC provides centralized management for the Forefront Protection 2010 for Exchange (FPE) and Forefront Protection 2010 for SharePoint (FPSP) servers in your environment. FPSMC is expected to be available as a free download in Q4 2010.

 

FPSMC provides multi-server management through a browser-based interface, and supports the following features:

Signature redistribution

The signature redistribution job is used to deploy antivirus signature updates to the FPE/FPSP servers in an environment. The most efficient way to update engine signatures on all your servers is to create a redistribution job to download them to the FPSMC server. The FPSMC server is then used as the retrieval point for all the other servers in the environment.

 

Policy (configuration) deployment

FPSMC supports deploying a centralized set of configuration settings to one or more FPE or FPSP servers in your environment. This is accomplished by configuring one of your FPE/FPSP servers to the desired configuration and then exporting these settings in XML format. The XML file is then imported into FPSMC, which can deploy these same settings to your other FPE/FPSP servers.

 

Patch deployment

FPSMC supports deploying FPE and FPSP rollups and service packs. Patch packages can be either .MSP or .EXE file types.

 

Centralized incident reporting

The Incident Detection report presents data about the number of malware incidents and filter matches over a period of time on one or more managed servers. This includes the five most common malware types detected in your organization and the most recent detection date and time.

 

Centralized spam reporting

The Spam Detection report presents data about the number of spam messages blocked by FPE. This includes a pie-chart breakdown by filter type and a line graph showing the number of spam messages detected over time.

 

Centralized engine versions reporting

The Engine and Definition Versions report presents data about the antivirus engine versions and definitions on selected servers running FPE and FPSP. This report compares the current engine versions of the managed servers to determine which, if any, of your signatures are out of date.

 

Quarantine management

FPSMC supports retrieving quarantine data from managed Forefront Protection servers for local analysis and management, including delivering Exchange quarantine and restoring SharePoint quarantine.

 

Integration with Forefront Online Protection for Exchange (FOPE)

If you are using FOPE in your organization, you can use FPSMC to access the FOPE Administration Center to monitor your email flow. FPSMC provides access to the FOPE home page, quarantine, reports, and mail tracing facilities.

 

Auto discovery of servers

On a nightly basis, FPSMC will automatically detect new FPE and FPSP servers that have been added to your network.

 

Exchange Clusters — CCR, SCC, and DAG

FPSMC supports clustered Exchange servers, including E14 Database Availability Groups.

 

FPSMC will initially be available in English.  Localized versions in all 11 languages (Chinese-Simplified, Chinese-Traditional, English, French, German, Italian, Japanese, Korean, Portuguese-Brazil, Russian, and Spanish) will be released at a later date (to be announced).  

 

Thank you for your time, and I hope you found this article helpful.

 

Andrew Schiano

Software Development Engineer in Test


Information about the new antivirus engine for Forefront and Antigen products

September 29th, 2010

Microsoft is upgrading the multi-engine protection in all Forefront server security products to support a newer version of the antivirus engine.  The newer version will provide customers with improved scanning times and reduced signature file size. The new engine replaces the older engine. 

This new engine publishes update files in a subdirectory, and it is the first engine in the Forefront engine mix to do so. To accommodate this new publishing model, Microsoft is releasing a series of rollups that will:

· Include the new antivirus engine

· Ensure that any engine that publishes update files in a subdirectory will update correctly

Customers must install the rollups by Jan. 31, 2011.

 

Krishnan Venkatasubramanian

Senior Program Manager, Forefront Server Protection

 


 

Forefront Server Protection RSS feeds are now available!

September 23rd, 2010

Hello,

 

I’d like to take a moment and encourage each of you to check out Microsoft’s latest efforts to save you support costs and time.

 

Introducing Forefront Server RSS feeds: Forefront Server RSS Feeds

 

By subscribing to our Forefront Server RSS feed, you allow Microsoft to give you the answers without having to ask the questions. Our goal is to provide insight into the top Forefront Server solutions as early as possible while saving you the time, resources, and effort of opening a support case. Our Solution Center list page (Solution Centers) provides an RSS icon in the upper right-hand corner of your browser that points to the feed subscription page as well.

 

Empower yourself! Subscribe, ask questions, and provide feedback!

 

 

And remember, the bad guys never sleep and are busy developing new ways to wreak havoc on your network. Forefront developers work tirelessly to give you the latest means to defend against these attacks. Make sure you are incorporating these shields into your environment with the latest updates for Forefront Server products: Forefront Server Product Updates.

 

 

Rob McCarthy

Sr. Support Engineer
CSS Security


Forefront Security for SharePoint (FSSP) registry setting information and defaults

August 13th, 2010

Forefront Security for SharePoint (FSSP) includes a number of registry settings that control most of the configuration settings. The charts below provide information about the various settings.

· The first table gives information about several registry settings that are recommended and/or frequently used to improve FSSP’s performance.

· The second table gives information about registry settings related to blocking unwanted files.

· The third table gives information about registry settings used to set file size limits.

· The fourth table gives information about registry settings used to control the actions FSSP takes when infected files are detected.

Please Note: You should only make changes to registry settings if you are comfortable working in the registry. If you are uncertain, you should open a support case for assistance.

Recommended settings to maximize performance

Settings: SumInternalSizesOfCompressedArchive DWORD set to 1; MaxUnCompressedFileSize (default 100 MB, represented in the registry as 100,000,000 decimal); DeleteCorruptedCompressedFiles set to ON
Recommendation: Recommended
Description: A combination of these three settings will allow compressed files that expand to less than 100 MB to be scanned, while ensuring that those that expand to over 100 MB are blocked.

Settings: SkipLargeCompressedFileDeletion DWORD set to 1
Recommendation: User discretion. Enabling this setting will allow large compressed files to bypass antimalware scanning. This will improve server performance, but it will reduce security.
Description: By default this option is off (0). If set to on (1), then compressed files that expand to over 100 MB will be bypassed instead of being blocked.

Settings: RecycleSPScanJobs DWORD set to 345,600 (decimal)
Recommendation: Recommended
Description: In the event that the scan process has leaked any memory or resources, we recommend restarting scan processes every 4 days. The restart will reclaim any lost resources. Recycle Forefront scan processes every 4 days (345,600 seconds equals 96 hours equals 4 days).

Settings: DeleteCorruptedCompressedFiles
Recommendation: Interim workaround: to be used only if necessary.
Description: In Service Pack 3, compressed files should only be reported as corrupted compressed if they are truly corrupted. If for some reason files are mistakenly identified as corrupted compressed, the workaround is to set this setting to 0 (zero), which is OFF. After changing this setting, it is a good idea to contact support for help diagnosing the root cause of the problem.

Settings: ActionOnEngineError
Recommendation: Interim workaround: to be used only if necessary.
Description: In Service Pack 3, all known engine errors are resolved. In the event of these errors, the workaround is to set ActionOnEngineError to 0 (zero), which is “Ignore”. Other possible settings are 1 (detect/skip) and 2 (delete). After changing this setting, it is a good idea to contact support for help diagnosing the root cause of the problem.

 

Settings used to block unwanted files

This section details the various settings that FSSP uses to block specific files.  This section is provided as a quick reference on how to configure FSSP to bypass these settings in the event of unexpected behavior.  It is not recommended that you make any changes to these settings unless you are experiencing a particular problem that is leading to detections that you think are in error.

 

Forefront detection: CorruptedCompressedFile
What does this mean: FSSP does not fully understand how to parse a container file.
How to set to skip detect: Uncheck “Block/Delete Corrupted Compressed files” in the General Options work pane.

Forefront detection: CorruptedCompressedUuencodeFile
What does this mean: FSSP does not fully understand how to parse a UUENCODE file.
How to set to skip detect: Uncheck “Block/Delete Corrupted Compressed Uuencode files” in the General Options work pane.

Forefront detection: UnwritableCompressedFile
What does this mean: FSSP encounters an error updating a container file.
How to set to skip detect: This error will only occur when FSSP is updating a container file. There is no need to set this to Skip/Detect because FSSP was going to update the contents of a file, but instead FSSP will block the file.

Forefront detection: UnreadableCompressedFile
What does this mean: A specific read error condition when reading a container file.
How to set to skip detect: Uncheck “Block/Delete Corrupted Compressed files” in the General Options work pane.

Forefront detection: Highly Compressed Files
What does this mean: There are two categories of highly compressed files:
    1) Highly compressed formats that FSSP is aware of, but is unable to parse.
    2) Highly compressed formats that FSSP is unaware of.
    In either case, FSSP does not understand the compression algorithm used in a container file.
How to set to skip detect:
    Case 1: Uncheck “Treat Zip archives containing highly compressed files as Corrupted Compressed” in the General Options work pane.
    Case 2: These files are always reported as CorruptedCompressed. Uncheck “Block/Delete Corrupted Compressed files” in the General Options work pane.

Forefront detection: Multipart RAR files
What does this mean: RAR files that are split across multiple archives cannot be scanned by FSSP.
How to set to skip detect: Uncheck “Treat multipart RAR archives as Corrupted compressed” in the General Options work pane.

Forefront detection: Concatenated Gzip files
What does this mean: FSSP cannot completely scan concatenated Gzip files.
How to set to skip detect: Uncheck “Treat concatenated gzips as corrupted compressed” in the General Options work pane.

Forefront detection: EncryptedCompressedFile
What does this mean: FSSP cannot scan a container file because it is password protected.
How to set to skip detect: Uncheck “Block/Delete Encrypted Compressed files” in the General Options work pane.

Forefront detection: EngineError, EngineExceptionError, EngineLoopingError
What does this mean: A third-party engine encountered an error scanning a file, or in the case of a looping error, has exceeded the maximum number of reads imposed by FSSP.
How to set to skip detect: Set the DWORD registry key named “ActionOnEngineError” to 0 (zero).

Forefront detection: ScanTimeExceeded
What does this mean: This error occurs only on compressed files (zips, tar, gzip, uuencode, office files, etc.). It indicates that FSSP has exceeded the number of milliseconds in the MaxContainerScanTime registry key when scanning a container file.
How to set to skip detect: There is no way to configure FSSP to ignore a compressed file that is taking too long to scan, but FSSP can be configured to avoid this error by increasing MaxContainerScanTime to a maximum value of 0x7FFFFFFF. As long as MaxContainerScanTime is longer than the SharePoint timeout value, this error will never occur. If a compressed file takes a long time to scan, then FSSP will return “ExceededRealtimeTimeout” during the scan.

Forefront detection: ExceededRealtimeTimeout
What does this mean: Indicates that FSSP has timed out while scanning a file. The time limit is specified in the SharePoint administrator console.
How to set to skip detect: Create a DWORD registry key named “UploadDocNoTimeout” and set it to 1. If you set this key, files that would have been blocked by a timeout will instead be uploaded without being scanned.

Forefront detection: SharePoint timeout
What does this mean: Indicates SharePoint has timed out waiting for FSSP to scan a file. In this case, SharePoint kills the thread in the w3wp.exe process that originated the scanning request. The user’s HTTP request will fail. The user will have to resubmit a duplicate HTTP request to recover.
How to set to skip detect: n/a

 

Settings used to configure file size limits

Currently there is no way to set FSSP to skip these limit checks, but the limits can be increased if necessary.  If a file exceeds these limits, then the file will be blocked.

ExceedinglyCompressedSize

This error occurs only on compressed files (zips, tar, gzip, uuencode, office files, etc.).  It indicates that one of the compressed files within a container file has a compressed file size that is greater than the default value set by FSSP.  The default value is 0x01312d00 (20,000,000 decimal or approximately 20 MB) and is stored in the DWORD registry key MaxCompressedArchivedFileSize.  This value can be increased, but increasing it could cause Denial of Service attacks, more timeouts, and/or performance issues.

SkipLargeCompressedFileDeletion

When set to 1, ExceedinglyCompressedSize errors will be ignored, effectively allowing these large files to be bypassed. The default is 0 (zero).

LargeUncompressedSize

 

This error occurs only on compressed files (zips, tar, gzip, uuencode, office files, etc.).  It indicates that one of the compressed files within a container file has an uncompressed file size that is greater than the default value set by FSSP.  The default value is 0x05F5E100 (100,000,000 decimal or approximately 100 MB) and is stored in the DWORD registry key MaxUnCompressedFileSize.  This value can be increased, but increasing it could cause Denial of Service attacks, more timeouts, and/or performance issues.

ExceedinglyNested ExceedinglyNestedFolderStructure

 

This error occurs only on compressed files (zips, tar, gzip, uuencode, office files, etc.).  It indicates that a container recursively nests other container files more than the maximum nesting value set by FSSP.  FSSP has a default MaxNestedCompressedFile value of five, and a default MaxNestedAttachments value of 30.  These values can be increased, but it is recommended to limit the increases to 10 and 60 respectively.  Increasing these values further could result in stack overflow crashes, Denial of Service attacks, more timeouts, and/or performance issues.

 

 

Settings used to control how FSSP behaves when updating infected files

These settings control the action FSSP takes for large infected container files and exceedingly nested container files.

LargeInfectedContainerFile

This error occurs only on compressed files (zips, tar, gzip, uuencode, office files, etc.).  When this error occurs, it means FSSP was attempting to update a file within a container file, but the container file is too big.  Instead of replacing one file in the container, the entire container will be replaced with deletion text.

FSSP has a default value to only clean compressed files under 25 MB, stored in the registry value MAX_COMPRESSED_FILE_SIZE.  Increasing this value could cause Denial of Service attacks, more timeouts, and/or performance issues.

ExceedinglyInfected

This error occurs only on compressed files (zips, tar, gzip, uuencode, office files, etc.).  When this error occurs, FSSP has detected numerous viruses within the same container file, and rather than continuing to scan this container file, the entire container file is blocked. FSSP uses a default of five, stored in the registry key MaxContainerFileInfections.  Increasing this value could cause Denial of Service attacks, more timeouts, and/or performance issues.

 

Forefront and Memory usage

Another important consideration when evaluating the performance of your SharePoint servers running FSSP is the impact of the antivirus scanning engines. Forefront utilizes many third-party virus scanning engines and components to provide virus and keyword filtering of the SharePoint server.  The Forefront team has automated backend systems that are constantly stressing these 3rd party components to ensure that they are behaving correctly and utilizing memory as efficiently as possible.  There have been incidents in the past, however, where a memory leak has been introduced through the update of one of our third-party engines.  We are continually improving our back end tests to be able to detect these memory leaks before they are published.

If FSSP is unable to allocate memory while scanning a file, it currently does not differentiate between a large memory allocation that failed (because it is just too big) vs. a small allocation that failed (because a leak has consumed all usable memory).   Depending on the type of file being scanned, and where in the scanning the memory allocation failure occurs, FSSP may report the problem as a “corrupted compressed” file, as an engine error, or as a scanning process exception.

A new feature has been added to FSSP SP3 to provide an additional layer of protection in the event a third-party vendor releases an update with a leak that is not detected by our back-end testing.  The new feature is to periodically recycle the FSSP scanning processes in a controlled manner.  This new registry key (named RecycleSPScanJobs) limits the life of our scanning processes to a finite time.  By recycling the FSSP scanning processes, any leaked memory is recovered, thus reducing the probability of encountering a memory allocation failure.  This feature will sequentially restart one scanning process at a time, and the scanning load is shared among the other scanning processes during the recycle.  We recommend setting this new registry key to 96 hours.

The registry key is a DWORD named “RecycleSPScanJobs” and is specified in seconds.  To set this value to 96 hours, you will need to create the key and enter a value of 345,600 (which is 60 seconds * 60 minutes * 24 hours * 4 days).  This will cause Forefront to reset its scanning processes every 4 days.

John Oesterle  
Senior Development Lead

Michel LaFantano           
Senior Writer – BPSG iX
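
An added example (not from the original post or from Microsoft): a small Python audit that flags the registry values described above when they let unscanned content through or exceed the limits the post states. The `reg query`-style sample, the placeholder key path and the function names are assumptions; the post does not give the FSSP registry location.

```python
import re

# Constructed sample in the layout `reg query` prints. The key path is a
# placeholder: the post does not give the FSSP registry location.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\<FSSP-KEY-PLACEHOLDER>
    ActionOnEngineError    REG_DWORD    0x0
    UploadDocNoTimeout    REG_DWORD    0x1
    MaxNestedCompressedFile    REG_DWORD    0xc
    MaxUnCompressedFileSize    REG_DWORD    0x5f5e100
    RecycleSPScanJobs    REG_DWORD    0x54600
"""

# Values that let content through unscanned (fail-open), per the post.
FAIL_OPEN = {
    "ActionOnEngineError": 0,              # engine errors are skipped
    "UploadDocNoTimeout": 1,               # timed-out files upload unscanned
    "SkipLargeCompressedFileDeletion": 1,  # oversized archive members bypassed
}
# Highest value the post states (default, or recommended maximum for nesting).
CEILINGS = {
    "MaxCompressedArchivedFileSize": 0x01312D00,
    "MaxUnCompressedFileSize": 0x05F5E100,
    "MaxNestedCompressedFile": 10,
    "MaxNestedAttachments": 60,
    "MaxContainerFileInfections": 5,
}
DWORD_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")

def parse_reg_query(text):
    values = {}
    for line in text.splitlines():
        match = DWORD_LINE.match(line)
        if match:
            values[match.group(1)] = int(match.group(2), 16)
    return values

def audit(values):
    # Absent values are not flagged: FSSP then uses its defaults.
    findings = [(n, "fail-open") for n, bad in FAIL_OPEN.items()
                if values.get(n) == bad]
    findings += [(n, "raised-limit") for n, top in CEILINGS.items()
                 if values.get(n, 0) > top]
    if "RecycleSPScanJobs" not in values:  # post recommends 345600 (96 h)
        findings.append(("RecycleSPScanJobs", "not-set"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"{finding:13} {name}")
```

Each "fail-open" finding marks a setting that was changed to work around a detection and should be reverted once the underlying problem is resolved.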

New video available about using PowerShell to export and import Forefront Protection 2010 for SharePoint configuration settings

August 10th, 2010

If you are managing multiple SharePoint servers with Forefront Protection 2010 for SharePoint (FPSP) installed and would like to share your FPSP configuration settings among your various installations, you can use PowerShell to export the settings from one configured instance of FPSP and then import the settings into other instances of FPSP.

 

Micah LaNasa, a tech writer on the BPSG iX team, recently posted a video that takes you through the process step-by-step. You can find the export/import video here:

 

 http://edge.technet.com/Media/Importing-Configuration-Settings-in-Forefront-Protection-2010-for-SharePoint/

 

You can find the export/import documentation in the TechNet library here:

http://technet.microsoft.com/en-us/library/dd639448.aspx

 

I hope you find both the video and the documentation helpful.

 

Michel LaFantano

BPSG iX

Microsoft Forefront Protection Server Script Kit now available for download

August 9th, 2010

We’re excited to announce that a new solution for multi-server management of Forefront Server Protection products is now available for download!

The Microsoft® Forefront® Protection Server Script Kit provides multi-server management for Forefront Protection 2010 for Exchange Server and Forefront Protection 2010 for SharePoint®. In addition to the ability to manage multiple Forefront servers from a single location, this Solution Accelerator provides easily extensible command-line scripts that help enable server discovery, configuration, deployment, and integration with existing management technologies. It also offers basic reporting capabilities to detect configuration drift and monitor server statistics.

 

Download the Forefront Protection Server Script Kit

 

Supported Products

·         Forefront Protection 2010 for Exchange Server

·         Forefront Protection 2010 for SharePoint

 

Configuration Management and Reporting

·         Capture server configuration snapshots and push snapshots to any number of servers

·         Compare configuration of any number of servers or baselines

·         Obtain statistics from one or many servers, including information about infected files, detected malware, server health, and more

·         See summary and/or server detail views

 

Ease of Use

·         Discover Forefront Protection Servers and export information to a .CSV file

·         Use customizable Windows PowerShell™ scripts to enhance your existing automation

Full documentation in the TechNet library

http://technet.microsoft.com/en-us/library/ff830371.aspx 

After you check out this new Solution Accelerator—and we hope you will—tell us what you think. Please send your honest and constructive feedback to secwish@microsoft.com.

 

Jeff Sigman
Sr. Program Manager

Updates to the Forefront Server Protection documentation in the TechNet library (August 2010)

August 5th, 2010

Hi, my name is Scott Floman, and I’m a technical writer in the Forefront Server Protection group. Every few months or so, we update our existing “legacy” documentation on our TechNet Web site, and this post is to make you aware of our recent August 2010 update. (p.s. By “legacy” content I mean products that are already supported in production environments, such as Forefront Protection 2010 for Exchange Server (FPE), Forefront Protection 2010 for SharePoint (FPSP), and our Forefront Server Security Version 10 and Antigen Version 9 products).

 

Some of the topics we added or provided updated information about are:

 

·         FPE capacity planning: http://technet.microsoft.com/en-us/library/ff921060.aspx

·         Supported operating systems and Exchange Server versions: http://technet.microsoft.com/en-us/library/ff921059.aspx

·         Best practices for configuring FPE operations: http://technet.microsoft.com/en-us/library/ff716689.aspx

·         Managing performance and health. We added recommended resolutions for when your health monitors are not green (“healthy”).

·         FPE: http://technet.microsoft.com/en-us/library/ee358897.aspx

·         FPSP: http://technet.microsoft.com/en-us/library/ee358924.aspx

·         Submitting malware to Microsoft for analysis. The documentation was revised because customers are advised to use the Microsoft Malware Protection Center Portal to submit malware for analysis.

·         FPE: http://technet.microsoft.com/en-us/library/dd639384.aspx

·         FPSP: http://technet.microsoft.com/en-us/library/dd639465.aspx

·         Maximizing FPSP scan engine performance: http://technet.microsoft.com/en-us/library/ff729711.aspx

 

These are just some of the updates we made. We also made smaller-scale updates in many areas, for example we updated the Forefront Server Security Management Console (FSSMC) system requirements, the FPSP Performance Monitor topic, and the FPE cluster documentation.

In addition, the Table Of Contents (TOC) on TechNet has recently undergone a reorganization, and we are also continuing to seek out ways to optimize search results so that our customers can more easily find the information that they are looking for. 

Also, our team has been busy in creating videos that we hope you will find useful in learning about our products. Here are some recent FPE videos: 

 

So, that’s that, I just wanted to say a few words about our latest TechNet update, the TechNet TOC reorg, and our increased use of the video format. Please use the feedback feature on TechNet, because we do attempt to address all feedback received.

 

Also, another good resource for information is the Forefront Server Security Forum (http://social.technet.microsoft.com/Forums/en-us/category/forefront) where you can read and answer questions about our products. A passport account is needed to access the Forum.

There are other Microsoft forums, blogs, and online technology sites that might prove useful as well; for more information, read this blog article:

http://blogs.technet.com/fss/archive/2009/03/10/other-blogs-and-content-of-interest-for-fss-users.aspx

 

Finally, I want to call your attention to the TechNet wiki, which you can access at the following URL: http://social.technet.microsoft.com/wiki/

 

This is a new community where Forefront employees and customers can post technical articles and interact with one another, much like how Wikipedia works. We’re excited about the possibilities of this wiki, which we feel will be a great resource of information, so please stop by and check it out. I recently posted the following wiki articles which I hope will help customers configure our products in multi-server environments (there are also videos for these topics if you want to see a visual demonstration):

Again, thanks for your time, and feel free to e-mail me with any feedback.


Scott Floman
scfloman@microsoft.com