Forefront Security for SharePoint with Service Pack 1 Available Now!

We are very happy to announce that Forefront Security for SharePoint with Service Pack 1 shipped on July 31st and is available in the 11 supported languages (English, French, German, Italian, Japanese, Korean, Chinese (Simplified), Chinese (Traditional), Brazilian Portuguese, Spanish, and Russian).


Forefront Security for SharePoint with SP1 provides an improved user experience around file uploads, manual scanning, keyword filtering, and program administration. At the same time, SP1 addresses critical deployment blockers that customers are facing today with the RTM version of Forefront Security for SharePoint. 


Service Pack 1 contains the following features/fixes:


1. Impersonation Fix

Forefront only gives certain groups permission to access the Forefront registry. The accounts used to run the SharePoint application pools are in one of these groups. There is a bug in SharePoint which sometimes results in the worker process impersonating SharePoint’s regular users, instead of the accounts from the application pools. The regular users do not have permission to access the Forefront registry and as a result, Forefront’s VSAPI hooking dll Initialize will fail. When this happens, all the files will be marked as infected with “” virus. 

The fix included in this build will ensure that Forefront will impersonate the SharePoint application pool credentials to run the process, and then revert back to the original user credentials before returning the call. If the user has SharePoint’s fix for this problem, the Forefront patch will be redundant and not used.


2. File Size Fix

The maximum file size is supposed to be 2GB, but the RTM version released restricted the maximum size to 128Mb. The Service Pack has the fix to allow files up to 2GB.


3. Manual Scan Fix

Currently, Manual scan can no longer disable VSAPI scanning, thus triggering a Real-time scan instead. This causes a number of problems – the store cannot be cleaned effectively, content that is flagged as infected cannot be retrieved and cleaned, and content filtering cannot be applied. The fix will allow manual scan to disable VSAPI so that it is able to scan and clean content effectively.


4. Crash Fix

Changes to the SharePoint Central Administration’s AV settings can sometimes cause SharePoint to crash, leaving the system in a bad state. The user will then have to manually recycle services to set the system right. This fix for this is included in this release.


5. Non-ASCII Keyword Filtering Fix

Non-ASCII keywords were not being detected in Office 2007 documents. The fix will ensure that non-ASCII keywords will be correctly detected in Office 2007 documents.


6. Added Soft Block for Installing FSSP on a Box that has Exchange

Forefront Security for SharePoint does not support having Exchange Server installed on the same server. The product will install, but not operate properly, thus creating a supportability issue. To address this, the user will be shown a message informing them that installing FSSP on a server containing Exchange is not a supported scenario as it could cause adverse side effects. At the same time, it will ask the user whether they wish to continue with the installation.



The STSAdm utility would hang on an Import or export because Forefront was not releasing threads in a manner which STSADM was able to handle properly. We have since fixed this to ensure that the threads are released in a proper manner. As part of this fix we changed the default behavior of our setup to create the LegacyScanAccount key. This key has to be created and set to allow the scanning processes to run as ‘System’, instead of “Network Service”. The issue is that, when our scanning processes run as “Network Service”, Forefront does not have the permissions to scan files presented by 3rd party applications, like STSADM. This results in “Access denied” errors being generated when the external application tries to communicate with Forefront. When the key is set, the scanning processes will run as “System”, thus providing Forefront with the privileges necessary to scan the files from 3rd party applications. The key, which has to be created under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Server Security\SharePoint, will be created during install so as to ensure that customers do not face any additional issues with the STSAdm utility.


8. Removed CA InoculateIT Engine due to CA Engine Consolidation

Computer Associates (CA) recently combined the CA InoculateIT and the CA Vet engines into one engine. As a result, CA will no longer offer support for the CA InoculateIT engine.

Download Forefront Security for SharePoint with Service Pack 1


Installation Instructions

1) Install the SharePoint hotfix package found in KB936867 or later as a pre-requisite to the Forefront Security for SharePoint with SP1 release.

2) Stop all, if any of the follow services are currently running on the server:

a. MOM 

b. Perfmon

c. Eventvwr

d. SPTimer

This will help prevent a reboot at the end of the upgrade.

3) Run the Forefront Security for SharePoint Setup package.

4) At the end of setup process, restart any services that you have stopped in Step 2.


For more information about Forefront Security for SharePoint visit

Forefront Server Security Forums

Please post any product questions on the Forefront Security Forum:

Contact the Microsoft Product Support Services for further assistance at



Priya Ravichandran

Forefront Security for SharePoint

Program Manager