Forefront Security for Exchange Server with Service Pack 1 is Now Available!

Forefront Security for Exchange Server with Service Pack 1 was released on November 29, 2007!! (Download here.) If you are looking forward to installing Exchange 2007 SP1 and are currently using Forefront Security for Exchange Server with then please download and upgrade to Forefront Security for Exchange Server with Service Pack 1 before upgrading to Exchange 2007 SP1. This build of Forefront is currently the only compatible and supported Forefront release for use with Exchange 2007 SP1. If you have never used Forefront Security for Exchange Server and you are interested in securing your Exchange 2007 server you can also install Forefront SP1 as a full installation on top of both Exchange 2007 RTM and Exchange 2007 SP1. Please see below for a comprehensive list of new features and fixes introduced into this release.




1. Exchange 2007 SP1 support
Forefront Security for Exchange Server with Service Pack 1 is the required version of Forefront for installation on Exchange 2007 SP1. Forefront Security for Exchange Server RTM cannot be installed on a server that is being upgraded to Exchange 2007 SP1. If an install/upgrade is attempted a hard block will be generated. However, Forefront for Exchange SP1 is backward compatible with Exchange 2007 RTM.
Note: Forefront RTM can be successfully installed on an Exchange SP1 install after the Exchange SP1 install/upgrade is completed. However, if the server has the Transport role installed the MSTransport service will fail to start after the Forefront RTM install because the Forefront RTM transport agent will not be able to register with Exchange SP1. Regarding the mailbox role, you can successfully install Forefront RTM on an Exchange SP1 server running the mailbox role and services will start correctly. However, this scenario is NOT supported. Customers are required to run Forefront SP1 on Exchange SP1.

2. Support for Microsoft Windows Server 2008 "Longhorn" Platform
Forefront Security for Exchange Server with Service Pack 1 is the only Forefront release compatible and verified to be installed on Windows Server 2008 (previous Forefront releases cannot be successfully installed on Windows Server 2008).

3. Support for IPv6
Forefront Security for Exchange Server with Service Pack 1 now supports IPv6.

4. IP Proxy Configuration during Setup
Setup.exe now prompts for IP Proxy configuration to enable immediate engine updates which improves security as engines will be able to successfully update through a proxy during the default automatic engine updates immediately following an install/upgrade.
Note: if the proxy requires authentication you will still need to use the Forefront Administrator after the install/upgrade completes to enter the username and password. We have no vehicle in the installer to populate the password….security related.


5. Microsoft Updates (MU) support for patches
Customers have the option to enable Microsoft Updates during the Forefront install IF it is not already enabled on the server. Forefront product updates will soon be distributed via MU. This does not change the way Forefront currently downloads “Engine Updates”. This screen will not be seen during setup if the server has already been enabled for MS updates.

6. Simplify license renewal
License Agreement and expiration date has been added to UI – seen from Help -> Register Forefront Server.

7. ForefrontHotfixes.log now contained in FSCDiag.exe output
At the request of Sustained Engineering a ForefrontHotfixes.log file is now included in the FSCDiag and will contain a list of any official Forefront hotfixes that are installed on the server. If none are installed the file will list none.


8. Improved Zip Navigation
Engineering improvements regarding zip navigation during scanning/updating zip files.

9. Persistence of AV stamp on mailbox moves within Storage Group
This is an Exchange SP1/ VSAPI enhancement that affects Forefront. This will improve mailbox server performance as prior to SP1 any message move would cause the AV stamp to be removed and cause additional on-access scans due to its removal. AV Stamps are not normally maintained when mailboxes are moved because the mailbox move feature doesn’t copy the AV stamp during the move which is a MAPI property at the Store level. In SP1, if the message is moved between folders in the same storage group the AV stamp will be maintained. This will decrease on-access scans and increase mailbox server performance.

10. On-Access scanning behavior modified
No longer will the on-access scanning age be set to one day by default or be configurable by the Administrator through Forefront. This setting will not exist as a General Options setting or Forefront registry key as it does in Forefront RTM. The value for this option can be edited at the location below, however Forefront will add 24 hours each night regardless of that value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan\OnAccessScanningRollingLowerAgeLimit. This change is viewed as “security improvement” in that it will increase the amount of items in the Information Store subject to the on-access scan. It may negatively affect mailbox server performance due to the increased load. The new design will allow VSAPI to maintain an “on-access scan rolling age limit” that will change every night during database compaction to increase 1 day from the original date of the Forefront SP1 installation/upgrade. This means that Forefront will be handed by VSAPI any item that is later than the date of the initial Forefront Security for Exchange Server with Service Pack 1 installation/upgrade if it does not contain an AV stamp.


11. Robust Health State monitoring via MOM & SCOM
A few Red events will show up in the Forefront Administrator and we program log most if not all of them. There are about 10 events that are monitored including engine updates, scan process state and transport/Store hook registration status. For example, there is a warning that is generated if all the engines you are using for scanning (at all scan jobs) are not enabled for scheduled updates. These will be logged in the App log and are useful for customers using MOM/SCOM to monitor for warning/error events.

12. Configuration and template extensibility
You can now specify the scheduled update times for each engine in templates. Previously, you could only configure the update path in templates. Customers have been requesting this for some time now. Templates can be copied between machines (same server role) or can be deployed using Forefront Server Management Console (FSSMC).

13. AD Marker
The installed Forefront version will be available in Active Directory for querying and reporting, etc. The marker is populating a value in AD that displays the installed Forefront version and server role. This value can be viewed via ADSI Edit in the Keyword Attribute column.

14. Forefront Scheduled Tasks are now handled by Task Scheduler
Scanner Engine update jobs are no longer maintained in AT scheduler with numerous obscure jobs due to the repeating frequencies. Engine updates are now managed by Scheduled Tasks with each engine on a single line with built-in frequencies. This is much more comprehensible and manageable.


15. Unify the CA virus engines
Last January, CA announced that they would combine the features of both CA InoculateIT and CA Vet engines under a single engine and would maintain the name CA Vet for this new antivirus product. A KB Article was created that outlined the change and the associated product benefits communicated by CA The CAIris (CA Inoculate) engine has been removed from the product, CA Vet is still available.

16. Localized Sample Profanity Keyword Block Lists
The localized profanity lists are installed via a separate installation (KeywordInstaller.msi) located in the Forefront install directory after the Forefront installation/upgrade. The example keywords are only for profanity and they are available in 11 languages (any combination of which are selectable during the keyword install). The installer will only place the Profanity List text files in the Example Keywords directory. The adminstrator will still have to create a keyword Filter list and import the contents of these text files into Forefront lists and enable the list. 

17. Elimination of False Positive detection of UUENCODE message parts
This was done to address false positives when a stack trace was present in the body of emails causing the mail to be deleted as a “CorruptedCompressedUuencodeFile”.

18. Additional Compression Types action options in General Options:

· A new General Option "Treat multipart RAR archives as corrupted compressed" has been added. When this option is enabled (the default setting), files determined by Forefront to be multipart RAR will be treated as corrupted compressed and acted on according to the "Delete Corrupted Compressed Files" General Option setting. When this option is disabled, Forefront will pass each file within the RAR volume to the scan engines. NOTE: if a file spans RAR volumes, Forefront will only be able to pass the partial file to the scan engines and file type filtering may not work.

· A new General Option "Treat high compression ZIP files as corrupted compressed" has been added. When this option is enabled (the default setting), if a zip archive is found to contain one or more highly compressed files, it will be treated as corrupted compressed, and acted on according to the "Delete Corrupted Compressed Files" General Option setting. When this option is disabled, any file within a zip archive that is highly compressed with either the Deflated64, Bzip2, or PPMD algorithms will be sent to the scan engines in its compressed form. In this case, the entire zip archive will not be treated as corrupted compressed as long as no other files are compressed using other high compression algorithms.


19. Inclusion of all existing Forefront Security for Exchange Server 10 hotfixes

· Forefront Hotfix Rollup 1 (3 fixes) included in SP1

· Cluster issue with node names of 15 or more characters (previously its own full installation)

· Forefront Security for Exchange Server processes a message that contains invalid uuencode header information as a “CorruptedCompressedFile” virus

· Fixed a problem in which Forefront for Exchange would prevent Exchange from starting correctly if WSS 3.0 was installed on the same server.

20. Elimination of SCC Cluster Registry Replication Race Condition
SCC (Single Copy Clusters) use a single shared storage approach. When the initial FF node fails to a target node, registry replication will associate with the Network Name resource. When ANOTHER node now fails to the same target node, it will overwrite that key with older information, creating the “Race Condition”. The race condition here is the file contention between two FF processes attempting to write to the registry causing an access violation. The solution was to write to a designated writer, which in this case is the Forefront Resource.dll, which has exclusive access to write to the registry. Changing the registry replication association from Network Name resource to Exchange IS resource addresses this. We have created the Forefront resource DLL that checks for single instance of Forefront resource running on the node.


Thank you,

Ryan McGrath,  CSS Security Engineer (Forefront) - Long Island |  Microsoft Corporation |