Antigen Forum

Cloudmark scan

Fri, 20 Nov 2009 17:23:14 Z

Try to update cloudmark with no luck, got this message:
PS: Verify the post "http://social.technet.microsoft.com/Forums/en-US/forefrontexchange/thread/b35414f4-e80b-42ff-92d6-b996af6913a0/" and applied all recomendation, but I still cant update.

Event log from 2 diffent

Event Type:    Information
Event Source:    GetEngineFiles
Event Category:    General
Event ID:    2012
Date:        20-11-2009
Time:        15:00:03
User:        N/A
Computer:    SWLEXM01
Description:
There are currently no new scan engine files available for the Cloudmark scan engine at http://forefrontdl.microsoft.com/server/scanengineupdate/x86/Cloudmark.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:    Error
Event Source:    GetEngineFiles
Event Category:    Engine Error
Event ID:    6014
Date:        20-11-2009
Time:        16:08:23
User:        N/A
Computer:    SWLEXB02
Description:
Unable to load manifest from: http://forefrontdl.microsoft.com/server/scanengineupdate/x86/Cloudmark/Package/manifest.cab : (0x00002ee2) The operation timed out. WinHttpClient failed while sending a request. [Timeout=0] Secure[0].

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

ERROR: Unable to load the Cloudmark scanner

Sun, 22 Nov 2009 19:30:39 Z

Sun Nov 22 20:16:01 2009 ( 4400- 8008), "ERROR: Could not create Cloudmark object, hr = 0x80070003."

upgrade to Antigen 9 SP2

Wed, 18 Nov 2009 13:54:02 Z

Hi

We have several servers running Antigen for SMTP 9.0 and several running Antigen for Exchange 9.0. I know that some of the AV engines are bing retired on 01/12/09

As per this notification below.

My question is do we need to upgrade to SP2 to avail of the new engines such as Kaspersky and Authentium? Also I have only found this information out today. If we cannot upgrade before the 01/12/09 will the old engines still work with the last definitions the downloaded until we are ready to upgrade?

Regards.

Roscop2009

Antimalware Protection

The AhnLab, CA and Sophos engines will be retired on Dec. 1, 2009. As of this date, customers will not receive any updates for these retired engines. Any customers running the AhnLab, CA or Sophos engines must DISABLE these engines before Dec. 1, 2009 and select from the new set of five engines – Authentium, Kaspersky, Microsoft, Norman and VirusBuster.

At this time we also encourage you to upgrade to the latest Antigen 9.0 Service Pack 2 releases, which include a rollup of the latest software fixes. These service packs can be accessed on the MVLS and VLSC sites.

SP2 for Antigen 9.0 download ?

Thu, 16 Jul 2009 21:56:51 Z

We're currently using Antigen for Exchange version 9 with SP1 (9.1) on several clustered and standalone Exchange 2003 servers. We would like to upgrade to SP2 asap to address the issues with some of the engines being deprecated.

Where can we find the download for the SP2 update or the complete Antigen for Exchange version 9 with SP2 (9.2) package ?

We're not particularly interested in the "Microsoft Antigen for Exchange with Antigen Spam Manager with SP2 Trial Software" download which seems to be the only one available. ( http://www.microsoft.com/downloads/details.aspx?FamilyId=866b63bf-6207-4197-9c5d-511b7212e40c&DisplayLang=en )

Thanks

Sam

Hotfix Rollup 1 for Antigen 9.0 Service Pack 2

Mon, 16 Nov 2009 18:48:34 Z

Hi,
my configuration:

Windows Server 2003 R2 SP1
ISA Server 2006 SP0
Antigenfor SMTP 9.0 Service Pack 2

At the weekend I installed the Hotfix Rollup 1 for Antigen 9.0 Service Pack 2, because the features and bugfixes sounds very interesting. To complete the installation, I restarted the whole system. But now the problems began :-)

If I start the server now , I get an error message like "One or more services couldn't start. Please check the event log", that's why several services (5 I think) aren't active.
The service Microsoft ISA Server-Control don't start automatically after reboot, so all dependent services don't start too. But if I start the services manuelly, everything is fine.

So If the system crashs or there is a electrical power outage, I have to go to the server room and reset everything by hand - not very well ;-)
Does anybody have problems like this? What can I do? Would the newest service pack for Windows or ISA help?

Thanks,
Mimm

Block Messages with Malformed From Addresses?

Tue, 10 Nov 2009 12:54:10 Z

Running Antigen for Exchange SP2 on Cloudmark. While Cloudmark was doing quite well for the past few weeks, I've noticed a significant uptick in the number of messages that have made it through in the past 5 days. Many of those messages appear to have malformed "From" addresses, such as IAMSPAM@localhost or DOEJOE@A9u75509808. These addresses are malformed as they don't include the .com, .net, etc. on them.

Is there any filter setting I can use to prevent these messages from making it through?

I appreciate any help!

Thank you

Rollup 1 for Antigen 9 SP2 has been released

Wed, 11 Nov 2009 07:34:01 Z

For more information see:

http://blogs.technet.com/fss/archive/2009/11/09/rollup-1-for-antigen-9-0-with-service-pack-2-has-been-released.aspx

Greetings

Christian

Christian Groebner MVP Forefront

Upgrade to Antigen 9.0 SP2

Tue, 29 Sep 2009 10:03:16 Z

Hi
I going to upgrade Antigen 9.0 SP1 to Antigen 9.0 SP2, and I have to following problem:

- I have a 4 node exchange 2003 sp2 cluster (3 active\1 passive)
- Antigen is install in the c:\ driver
- To use a share disk resource for antigen I need to uninstall Antigen 9.0 SP1 and install Antigen 9.0 SP2 with the cluster live starting from active node.
- We have lots of Filtering options configure (ex. about 100 subject line blocked, some file extension block as well)

My question how to I keep this configuration, I can´t use FCSSM because this options is only for Forefront for Exchange 10 (exchange 2007)?

Cloudmark Update Path?

Mon, 14 Sep 2009 13:08:50 Z

For the Cloudmark Authority Engine, what should be the Network Update Path? Any secondary ones?

Event ID 5035

Sat, 07 Nov 2009 15:54:28 Z

Antigen 9, SP1 started flooding our applog with 5035 events, "Could not create mapper object", for both realtime and internet scanner. I've removed and re-installed the application, but the errors returned. I don't find much info on this anywhere. Help please.

Ted

Very high memory useage - Antigen 9.2.1097 SP2

Mon, 27 Jul 2009 04:50:10 Z

FSEContentScanner.exe is using a constant 191,000 K of memory. Combined with the other process like AntigenInternet.exe that are low now, but were each running 140,000 K a piece before, I've got a situation where I'm seeing system slowdown (4GB memory) because of this software and all I'm running is Exchange 2003 with 25 users.

File Filtering Problem - Body of Message

Wed, 28 Oct 2009 12:52:04 Z

I am testing Antigen for SMTP gateways.

I am trying to configure the server to block ALL attachments, except for certain types, here is what I have configured (which based on example from Chapter 8 of the Antigen guide):

<in>*

File Types: only these checked BMPFILE, DOCFILE, GIFFILE, JPEG, OPENXMLFILE, PNGFILE, RTFFILE, TEXT, TIFFILE, TNEFFILE, UNICODE, WINEXCEL1, WINWORD1&2, WINWRITE

Action: Skip: detect only

General Send Notifications and Quarantine unchecked

<in>*

File Types: All Types selected

Action: Delete: remove contents

General: Quarantine Files

I have sent through an email with an attachment A90ExQuickStart.pdf from a Hotmail account, but this is breaks down to 3 incidents:

1 removed file "A90ExQuickStart.pdf" FILE FILTER= <in>*

2 removed file "body of message" FILE FILTER= <in>*

In the logs the Body of Message is detected as fileType of 33 (FOBTYPE_TEXT_PLAIN)

I am used to GFI Mail essentials where the body of message would be delivered with a text message saying the attachment has been removed, if I add a rule <in>Body Of Message , Action Skip: detect only , General Send Notifications and Quarantine unchecked, then this acts the same way as GFI, is this a correct way to get this to work? Should the file scanner be checking the body of message anyway?

Paul

Here are the diagnostic logs:

Tue Oct 27 15:50:12 2009 ( 2832- 2844), "DIAGNOSTIC: Begin scanning SMTP message"

Tue Oct 27 15:50:12 2009 ( 2832- 2844), "DIAGNOSTIC: Begin scanning SMTP Inbound message named: Tester 15:50"

Tue Oct 27 15:50:27 2009 ( 2832- 2844), "INFORMATION: AVE multi engine manager enabled"

Tue Oct 27 15:50:27 2009 ( 2832- 2844), "INFORMATION: Loading MultiMapper (10908, F000000)"

Tue Oct 27 15:51:33 2009 ( 2832- 2844), "DIAGNOSTIC: Check allowed senders is scanning the sender address "paulrewston@hotmail.com" from the message named "Tester 15:50" located in the "Inbound" folder using the Antigen Scan Engine"

Tue Oct 27 15:51:33 2009 ( 2832- 2844), "DIAGNOSTIC: Check allowed senders has finished scanning the sender address "paulrewston@hotmail.com" from the message named "Tester 15:50" located in the "Inbound" folder using the Antigen Scan Engine with hr(0x00000000) ulBypassTypes(0x00000000)"

Tue Oct 27 15:51:33 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS scanner is performing the AseScan test on the message named "Tester 15:50" located in the "Inbound" folder"

Tue Oct 27 15:51:34 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS scanner has finished the AseScan test with hResult(0x00000000)"

Tue Oct 27 15:51:34 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS scanner detected a FileType of 33 (FOBTYPE_TEXT_PLAIN)"

Tue Oct 27 15:51:34 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS Virus scanner is scanning the file named "Body of Message" from the message named "Tester 15:50" located in the "Inbound" folder"

Tue Oct 27 15:51:34 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS Virus scanner has finished scanning the file named "Body of Message" from the message named "Tester 15:50" located in the "Inbound" folder with hResult(0x000C0100)"

Tue Oct 27 15:51:34 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS File Filter scanner is scanning the file named "Body of Message" from the message named "Tester 15:50" located in the "Inbound" folder using the Antigen Scan Engine"

Tue Oct 27 15:51:34 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS File Filter scanner has finished scanning the file named "Body of Message" from the message named "Tester 15:50" located in the "Inbound" folder using the Antigen Scan Engine with hResult(0x015C0101)"

Tue Oct 27 15:51:34 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS scanner is attempting to delete the file named "Body of Message""

Tue Oct 27 15:51:35 2009 ( 2832- 2836), "INFORMATION: Internet scan found virus:

Folder: SMTP Messages\Inbound

Message: Tester 15:50

File: Body of Message

Incident: FILE FILTER= <in>*

State: Removed"

Tue Oct 27 15:51:35 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS scanner detected a FileType of 33 (FOBTYPE_TEXT_PLAIN)"

Tue Oct 27 15:51:35 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS Virus scanner is scanning the file named "Body of Message" from the message named "Tester 15:50" located in the "Inbound" folder"

Tue Oct 27 15:51:35 2009 ( 2316- 2360), "Changed Time: 2009/10/27 15:51:35"

Tue Oct 27 15:51:35 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS Virus scanner has finished scanning the file named "Body of Message" from the message named "Tester 15:50" located in the "Inbound" folder with hResult(0x000C0100)"

Tue Oct 27 15:51:35 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS File Filter scanner is scanning the file named "Body of Message" from the message named "Tester 15:50" located in the "Inbound" folder using the Antigen Scan Engine"

Tue Oct 27 15:51:35 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS File Filter scanner has finished scanning the file named "Body of Message" from the message named "Tester 15:50" located in the "Inbound" folder using the Antigen Scan Engine with hResult(0x015C0101)"

Tue Oct 27 15:51:35 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS scanner is attempting to delete the file named "Body of Message""

Tue Oct 27 15:51:36 2009 ( 2832- 2836), "INFORMATION: Internet scan found virus:

Folder: SMTP Messages\Inbound

Message: Tester 15:50

File: Body of Message

Incident: FILE FILTER= <in>*

State: Removed"

Tue Oct 27 15:51:36 2009 ( 2316- 2360), "Changed Time: 2009/10/27 15:51:36"

Tue Oct 27 15:51:36 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS scanner detected a FileType of 47 (FOBTYPE_PDFFILE)"

Tue Oct 27 15:51:36 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS Virus scanner is scanning the file named "A90ExQuickStart.pdf" from the message named "Tester 15:50" located in the "Inbound" folder"

Tue Oct 27 15:51:36 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS Virus scanner has finished scanning the file named "A90ExQuickStart.pdf" from the message named "Tester 15:50" located in the "Inbound" folder with hResult(0x000C0100)"

Tue Oct 27 15:51:36 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS File Filter scanner is scanning the file named "A90ExQuickStart.pdf" from the message named "Tester 15:50" located in the "Inbound" folder using the Antigen Scan Engine"

Tue Oct 27 15:51:36 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS File Filter scanner has finished scanning the file named "A90ExQuickStart.pdf" from the message named "Tester 15:50" located in the "Inbound" folder using the Antigen Scan Engine with hResult(0x015C0101)"

Tue Oct 27 15:51:36 2009 ( 2832- 2844), "DIAGNOSTIC: The IMS scanner is attempting to delete the file named "A90ExQuickStart.pdf""

Tue Oct 27 15:51:36 2009 ( 2832- 2836), "INFORMATION: Internet scan found virus:

Folder: SMTP Messages\Inbound

Message: Tester 15:50

File: A90ExQuickStart.pdf

Incident: FILE FILTER= <in>*

State: Removed"

Action required by Dec. 1, 2009: Keep protections current

Tue, 03 Nov 2009 03:46:03 Z

As announced on July 1, 2009, Microsoft is revising its engine mix on December 1, 2009, for the Forefront and Antigen products. Below is a quick overview of the actions Antigen 9.0 and Antigen 8.0 users need to take in order to keep their protections current:

Antimalware Protection

The AhnLab, CA, and Sophos engines will be retired on Dec. 1, 2009. After December 1^st, customers will not receive any updates for these retired engines. In order to make sure your Antigen and Forefront products continue to scan efficiently and effectively for malware, any customers running the AhnLab, CA, or Sophos engines must DISABLE these engines before Dec. 1, 2009 and select from the new set of five engines – Authentium, Kaspersky, Microsoft, Norman, and VirusBuster.

SPECIAL NOTE: Antigen for SharePoint 8.0 and Antigen for Instant Messaging 8.0 customers – In order to gain access to the new engine set and provide optimal protection for your messaging and collaboration environments, please download the Service Pack 1 releases of these products on the MVLS or VLSC site prior to Dec. 1, 2009. The updates for the new engine set will use a new update infrastructure as of Dec. 31, 2009 – the Service Pack 1 releases will allow you to continue to receive updates correctly from their new location.

For more information about Service Pack 1 for Antigen for SharePoint and Antigen for IM, see the following KB article:

http://support.microsoft.com/kb/975850/

SPECIAL NOTE: Antigen for Exchange 8.0 and Antigen for SMTP Gateways 8.0 customers –These products will end of life on Dec. 31, 2009. Customers must upgrade to Antigen 9.0 SP2 for Exchange before this date, as the product will no longer continue to receive anti-malware updates starting Jan. 1, 2010. With the retirement of the CA, Sophos, and AhnLab engines on Dec. 1, customers running Antigen for Exchange 8.0 or Antigen SMTP Gateways 8.0 will only be protected by the Norman engine. For customers who need to continue using this product between Dec. 1, 2009 and the end-of-life date of Dec. 31, 2009, please contact Forefront Contract Administration for access to the revised engine set.

For more information on upgrading your Antigen for Exchange 8.0 or Antigen for SMTP Gateways 8.0 to Antigen 9.0, see the following KB article:

http://support.microsoft.com/kb/932396/

Antispam Protection

One of the most important changes in our engine revision strategy is moving to the Cloudmark antispam engine*, which provides 99%+ detection rate and less than 1 in 250,000 false positives (West Coast Labs).

The Mail-Filters SpamCure antispam engine will be retired on Dec. 1, 2009. Customers using Antigen products for antispam protection must upgrade to the latest service pack releases listed below BEFORE DEC. 1, 2009 to maintain their antispam defenses. This is the only way to gain access to the new Cloudmark engine. The service packs can be accessed on the Microsoft MVLS and VLSC sites:

- Antigen for Exchange Server with Antigen Spam Manager 9.0 with SP2

- Antigen for SMTP Gateways with Antigen Spam Manager 9.0 with SP2

For more information on the engine revision strategy, see the

Antimalware Engine Notifications and Developments Web page or contact Forefront Contract Administration. Again, we strongly urge that you update your engine configurations and move to the newest service packs before December 1, 2009, to get the full protection benefits of the Forefront server products.

Getting more spam since switch from SpamCure to Cloudmark

Wed, 21 Oct 2009 13:49:43 Z

Don't know if just coincidence, but ever since I switched from SpamCure to CloudMark spam engine in Antigen, my personal mailbox is getting much much more spam (not being caught by Antigen on the server, being delivered to Junk folder in Outlook 2007). I haven't heard many complaints from users, and Cloudmark is catching alot of spam, and I'm also using sbl.xbl.spamhaus.org for my RBL. But just wondering if anyone else experienced that, or if there is anything I should look into to make sure Cloudmark is working as best as possible? I do forward all spam not caught to forefront-spam@submit.cloudmark.com.

Thanks.

Uninstalling Antigen

Fri, 30 Oct 2009 10:01:27 Z

Hi

We're currently on Antigen for Exchange 9.1 but we're going to drop it, anyone aware of any gotchas when or after uninstalling it?

We've had issues with it being rather complicated and tied into the Exchange services in funny ways before, so I'd like to get as much info as possible before we go ahead.

Thanks

Nicholas

Action Required by Dec. 1, 2009

Wed, 28 Oct 2009 16:40:42 Z

Hi,
At 1/12/2009 there is a lot of changes happening, AhnLab, CA, or Sophos engines must disable, SpamCure will stop receiving new definition. I a little bite confused, Andy Day said in this post (http://social.technet.microsoft.com/Forums/en-US/Antigen/thread/ec2ddb78-df0a-49c8-be40-738d0c09ec69/#2e4b2618-5602-4781-801b-cb12729c490e ) that “Cloudmark signature updates occur directly from the Cloudmark website only ” and “FSSMC, which now supports the redistribution of Cloudmark engine updates only ”, my doubt is what is the better way to configure may Antigen 9 SP2 and FSSMC to get the engine/signature/definition and keep my Exchange Server from contacting the Net.

It´s there a best pratice doc?

see all emails going through antigen

Mon, 26 Oct 2009 20:44:51 Z

Hi,

I have antigen for smtp installed on a windows 2003 server which sends email to our exchange server when done. The antigen server is a dedicated server for antigen. I am suspecting a problem with antigen but not sure. I was wondering if it's possible to see all emails pass, not just the ones that are in the "incident" or "quarantine" report in the antigen administrator.

Basically, one of my users is having problems receiving e-mails (not all of them). I don't see them in exchange so it can only be blocked by the antigen server. Looked in incidents and quarantine and nothing there that I'm looking for. Is there a log file or a monitor somewhere that I can see all emails that passed through antigen?

Thanks

Antigen Cloudmark Signature updates

Mon, 24 Aug 2009 11:02:47 Z

Hi,

Does anyone know how often the signatures are updated for Cloudmark integrated with Antigen 9 SP2, i installed it about 10 days ago, it picked up the first set of sig files and engine but hasn't had anything else since then. Without regular updates i wouldn't think it would be too effective.

It has been checking for updates as per its schedule but not finding any.

Thanks

Jeff

Just Installed AntiGen 9.0 SP2 for SMTP Gateaways.. A lot of new Engines.. Which one to choose from?

Thu, 22 Oct 2009 14:33:36 Z

I was satisfied with SpamCure, but with SP2, i now have 10 engines, should i enable them all? Or i should just use spamcure? Is there a doc somewhere explaining what all those engines are doing?

"Antigenrealtime" process high CPU ocupation

Tue, 20 Oct 2009 13:03:57 Z

Hi

I Have Exchange 2003 (Cluster 4 node) with Antigen 9 SP 2, now in one of the node after boot, the "Antigenrealtime" process start to exhaust the CPU.

I can´t see any errors in the Event viewer? Where more cam I look, if I Stop the the Store (Realtime Scan Job) in Antigen 9 Scan Job tab, the process became flat again, then a restart one Store (Realtime Scan Job) at time,waiting for cpu to became stable between with restart, the Server became it´s old self.

Error updating AhnLab V3 Engine (expired manifest)

Fri, 16 Oct 2009 07:54:00 Z

Hi guys,

I'm getting an expired manifest error when trying to update the AhnLab V3 Engine through Antigen.

The engine last updated 10/10/09 at 13:53:37 and when I try to force an update via http://antigendl.microsoft.com/antigen it says:

Event Type: Information
Event Source: GetEngineFiles
Event Category: General
Event ID: 2012
Date:  16/10/2009
Time:  08:50:30
User:  N/A
Computer: **********
Description:
Attempting to download the AhnLab scan engine package from http://antigendl.microsoft.com/antigen/x86/AhnLab.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Followed by:

Event Type: Error
Event Source: GetEngineFiles
Event Category: Engine Error
Event ID: 6014
Date:  16/10/2009
Time:  08:50:41
User:  N/A
Computer: **********
Description:
Expired manifest.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Please help!

Is the engine no longer supported? If so we will need to disable it but I can't find any information regarding this

Managing Antigen 9 SP2 with latest Forefront Server Security Management Console HFRU3 (template.adb distribution)

Mon, 12 Oct 2009 13:19:10 Z

Hi everyone,

I'm using the latest versions of Antigen for Exchange and Forefront System Security Management Console
- Antigen 9 SP2
- Forefront Security Management Console Rollup 3 - 10.5.1241.28

I would like to manage 2 4-node Exchange clusters (active, active, passive, passive) an 3 standalone Exchange servers (1 PubFol, 2 Mail-Hubs, 1 FSSMC server). All Exchange servers have Service Pack 2 and all the latest Rollups and security hotfixes installed. My described experiences are made in a test environment with a 2-node mailbox cluster, 1 PubFol server and 1 Mail-Hub and a dedicated FSSMC server. The production environment is currently unmanaged running already with the latest FSSMC for log collection. All Exchange servers are running Antigen 9 SP1 RU3 which was manually installed.

FSSMC SW-package distribution works fine (even on my 2 node active passive test-cluster on the shared SAN-disk) on clean machines. At the moment I have no idea how it will work with active, active, passive, passive clusters, but I think the passive nodes are a kind of neutral concerning the shared drive and they could take over both (different letter) drives from the active nodes independent of the first bundle installation. Any experiences?

The next thing was the deployment of the general settings which works also fine.

The main problem is the distribution of the template.adb. I have generated one master template with the Antigen administrator (deleting the default one, restarting antigen services, Antigen will generate a new template.adb based on the other dedicated sub adb-Files). In the Antigen Administrator the default setting for processing the template.adb is default (the other choice is none in the template section of the admin tool). I haven’t changed that and I want to modify the default settings on all our 11 Exchange servers.

We are only using the virus scanning function of Antigen. My main problem is that I can’t disable “content filtering, spam filtering, keyword filtering, mailhost filtering and spam filtering in the template which I want to deploy with FSSMC.

On every Exchange server I must disable everything again in the Operate section of the antigen admin tool. Only the internet, realtime, manual and MTA of the server can be modified. Every template setting concerning the filtering is greyed out in the template view. The behaviour doesn’t change with user defined named templates.

Another issue was the deployment of customized notifications with the help of the template distribution. The stand alone servers work fine (they process changes quite in realtime) the clustered server doesn’t process the changes. After enabling the template view the templates have the new notification texts.

Has someone experience with the deployment of ALL Antigen 9 SP2 settings using the FSSMC template.adb distribution?

All program versions of antigen and FSSMC are up to date and should work. The topic would be a great challenge for a new white paper ;-)

Thanks in advance for your help.

Guido

Why is Antigen not deleting spam messages?

Fri, 15 May 2009 08:20:15 Z

Hi all,

We have antigen 9.0 /w spam manager for smtp installed. and we havent had any problems for a while, but wen i came back from leave the spam was excessive.
I have the spam cure updating every 15min and it is being updated according to the timers. i have 2 RBL's (sbl-xbl.spamhaus.org and list.dsbl.org) everything is set to quarantine, send notification and purge spam. but wen i send myself a test spam with "be your own boss" in the header it still gets delivered.

it does seem to tag it and so is delivered to my junk mail but with my settings it shouldnt get to me at all.there is nothing in the quarantine and i dont see much on the monitor. what is goin on?

To qualify IMF?

Wed, 07 Oct 2009 09:23:53 Z

Hello, I have installed Antigen 9.2.1097 SP2 in a Exchange 2003 SP2, can be qualified the IMF or it is not necessary?

On the other hand, how I must form Antigen to avoid D.E.P messages.?

Antigen 9 - Blocking All emails from Russia

Wed, 07 Oct 2009 09:32:29 Z

Is it possible to block all emails from a specific country, if so can anyone tell me how to block all emails from .ru in Antigen9 rinning on Exchange 2003.

Forefront Security Manager Issue

Thu, 27 Aug 2009 12:22:11 Z

Hi All,

We have installed forefront server security management console to
manage our exchange sevrers. We have 2 clusters both with 5 nodes, 3
active and 2 passive. All using exchange 2003 sp2 with Antigen 9 sp1

We have moved to Forefront and the Antigen Enterprise Manager Didn't
manage clusters very well.

When I have installed the agents into one of the clusters all the
physical servers show they are running the same virtual node and are
in passive mode. The other cluster is fine and reports correctly.

This is causing a problem with signature updates and filter list
changes.

The only thing I can find that might point be vaild is about the node
name has to be less than 15 characters which it isn't for this cluster
but it is for the cluster that is fine. The hotfix for this installed
forfront onto the exchange nodes and is 64bit so I can't install it on
our servers.

Has anyone seen this problem or know of a workaround for it

TIA
Andy

Event ID 5044, AntigenInternet Error

Wed, 02 Sep 2009 17:12:01 Z

Running Antigen 9.1. Noticed many 5044 errors in the applog, with the following description:

Call to engine scan function returned 0x80004005 within Internet scan job (file "winmail.dat->Untitled Attachment", message "Folder Content", folder "Outbound")

These also show up in the Antigen console quarantine, although they don't show up in the Incidents window.

In the Quarantine window the incident reads as EngineError, and the scan engine in use won't update. I changed engines and the error goes away. Question is, were all these messages really quarantined? We have notification enabled, and no users have complained. Anyone have any clues as to what's going on here?

Ted

Antigen 9.1 SpamCure updates cause spam checking to crash.

Tue, 04 Aug 2009 16:00:00 Z

Any ideas or suggestions?

Running Antigen Version: 9.1.1097 SP1

Sometimes during the SpamCure updates it timesout which then causes the spam aspect of the filter(s) to stop.

Looking at Report>Quarantine the only email getting blocked is the result of RBL parameters.

Getting it restart varies in methods. I try using the manual update, or restart the Antigen Store process then manual update.

While it's in this crashed/hung state the "Scanner Information" for SpamCure is blank or "Unknown"

Log contains.....

8508 - 8464 INFORMATION: The SpamCure scan engine for Antigen has been downloaded
8508 - 8464 INFORMATION: The SpamCure scan engine for Antigen has been staged.
8652 - 8932 INFORMATION: Testing the SpamCure scan engine.
8508 - 8512 ERROR: The SpamCure scan engine update timed out while loading scanner
8508 - 8464 ERROR: The scan engine update thread has been stopped due to a timeout condition while loading scanner.
8508 - 8512 INFORMATION: The SpamCure scan engine for Antigen has been rolled back.
4432 - 4484 ERROR: Could not load SpamCure mapper.

This can happen daily or once a week. It ran fine for many months.

Once it gets to this state it will stay that way until someone plays with it to get it going again even though it's attempted many updates (automatically, every 20 mins)

I have tried rebuilding the SpamCure by deleting the parent directory, updating, and allowing it to recreate itself.

SUSPECT Messages being delivered to Inbox

Wed, 19 Aug 2009 13:09:34 Z

Hello,

I've just installed and am testing AntiGen 9 SP2 and am trying to figure out how to automatically get messages that are marked as SUSPECT to immediately go to the users Junk Mail folder even without the Outlook client being open. I have configured the spam filter to tag messages on subject line, MIME and SCL level but only some are being placed into Junk Mail. The ones delivered to the Junk Mail folder also have the SUSPECT prefix in the subject line so I'm wondering why some goto Junk Mail and others don't.

I have IMF installed and configured to send all email over a 7 to the Junk Mail folder. So far all the email with the SUSPECT prefix seem to be junk mail and it would save a lot of frustration if I could somehow quarantine these emails on the server or at least automatically move them to the Junk Mail folder.

I only installed Antigen yesterday and have played around with the settings as well as going through some of the help file. I was hoping someone would be able to give some advice as how to best leverage Antigen to stop these messages appearing in the Inbox.

Also, I was hoping for a solution other than a client side exchange rule to move these messages. Our employees have smart phones with email push and without the Outlook client running the phones would receive all the junk mail until the client started and the rule ran.

Thanks in advance,
Charles

Forefront Antigen 9 with ASM - Not detecting SPAM

Tue, 11 Aug 2009 19:25:09 Z

Hello,

I manage a SBS2003 server with Exchange server 2003 and Forefront Antigen 9 with ASM installed.
Spamcure isn't detecting any spam!!!??
The Spamcure engine is running, It downloads the updates fine, but... doesn't detect any spam. And we receive a lot of It.

I have the exchange server configured to send email via smtp and receive via pop3, is this a problem? Antigen detects pop3 messages?

Any clues about what's wrong?

Here is a description of the antigen server:

Version: 9.00.1055 (Licensed)
Service Pack: 0
Product ID: 77823-270-2325117-04162
Licensed Components:
Component License Type Expiration Date
ASM      Subscription  29-MAR-2012
Antigen Subscription  29-MAR-2012
Antigen Mode: VSAPI
Exchange Version: 6.5
Exchange Service Pack: Service Pack 2
Exchange IS Version: 6.5.7638.2
Computer Name: STMSBSSRV
Operating System: Windows NT Version 5.2, Build number 3790
Operating System Service Pack: Service Pack 2
Processor: Intel processor
Number of Processor(s): 2
Total Physical Memory: 4294004 KBytes
Available Physical Memory: 1124458 KBytes
Temporary Directory Being Used: C:\WINDOWS\Temp\
Available Space on Drive C:\   61711304 KBytes
Available Space on Drive E:\   559991201 KBytes

Thanks

Nuno

Now Available – Antigen 9.0 Service Packs

Wed, 01 Jul 2009 20:05:53 Z

Microsoft announced today the release of Antigen for Exchange with Antigen Spam Manager 9.0 with Service Pack 2 and Antigen for SMTP Gateways with Antigen Spam Manager 9.0 with Service Pack 2 which include visibility of all actively published engines, alerts and notifications for new engine availability, improved anti-spam detection through integration of the Cloudmark engine, and a rollup of software fixes.

These releases introduce technology that will notify customers of engine changes – including the addition or elimination of engines – and allow administrators to update their engine configurations without having to deploy any new product updates. This update allows customers to accommodate engine changes effortlessly, helping maintain the high level of security provided in the Antigen and Forefront server security products.

As with previous releases of Forefront Antigen, the SP2 releases provide a multi-engine protection approach for superior detection of the latest threats when compared to single engine solutions. In fact, AV-Test.org has tested our products with competitors and found our detection rates have an average response time of 3-6 hours for new viruses. In contrast, competitive single-engine solutions average response times are more than 2-9 days.

Microsoft continually monitors antivirus engine quality and detection rates using internal and 3^rd party independent testing organizations. Testing for the last several years has indicated that using more than five malware engines concurrently does not improve overall detection rates. In order to develop stronger technology relationships with our antimalware partners and ensure continued customer value for the longer term, we are making available a set of five antimalware engines, with confidence that this solution will continue to offer industry leading detection rates and response times.

As an example of Microsoft’s commitment to continual improvement of our malware detection leadership, we are investing in new antispam technology through a partnership with Cloudmark that will provide an overall better antispam experience including higher detection rates, lower false positives, and improved submission and service experience. The Cloudmark engine is now included in latest service pack releases of Antigen for Exchange with Antigen Spam Manager 9.0 and Antigen for SMTP Gateways with Antigen Spam Manager 9.0 products as Beta while it undergoes customer trials. Upon the near term completion of the customer trials, it will be released by Microsoft for both the Antigen 9.0 products, as well as be included in the next generation releases of Forefront server security products later this year. More information is available on the Antimalware Engine Notifications and Developments (AMEND) TechNet page.

For more information on latest Antigen 9.0 service pack and engine revisions, please visit the AMEND page.

Task Scheduler - Update Engines - 0x8007000d: The data is invalid.

Fri, 21 Aug 2009 00:18:23 Z

Hi,
I finished installation Antigen for Exchange SP2.
Engines aren't update. I check the Task Scheduler and all tasks for Antigen show error.
What's happening?
Anderson.

Anderson Eriksson

Realtime scan job timeouts and messages get stuck in awaiting directory lookup

Tue, 07 Jul 2009 10:19:55 Z

Hi all,
we had to reboot our exchange 2003 server.
After this i noticed messages got stuck in awaiting directory lookup.
After some investigation i found out that every messages get timedout by the realtime scan job of antigen 9.0 sp1.
When i disable the realtime scan job, the message flow is normal.

I don't see anyting special in the event log, except the timeout messages. Is there anywhere else i can look to see what is causing these errors?

Rgds

9.1 - stripping Office 2007 XML - UnwritableCompressedFile - why?

Thu, 15 May 2008 21:57:13 Z

So I thought 9.1 was to now work with Office 2007 files - well, it does not. It strips them (xlsm, xlsx etc.). I am not blocking zip files. I use file filter lists (not names) so I cannot add office files to a list and expect them to hit first and let them thru with a SKIP/DETECT. Do I need to add all of them to a names in order to have them in order (vs. lists)? If that works, great - but why is this 9.1 not working with office files?

Also, noticed when I send an xlsx file thru - CPU on mail server hit 100% for 10 or more seconds. Wow - really does not like XML files.

I hope someone knows how to let these files thru - from what I read in the forums - this should not be happening I think.

Ron

Antigen Worm List Update?

Thu, 23 Jul 2009 16:10:02 Z

Just noticed that my Antigen Worm List Scanner hasn't updated since May 5th. I get this event when it tries to update

Unable to load manifest from: http://antigendl.microsoft.com/antigen/x86/Microsoft/Package/manifest.cab : (0x00002ee7) The server name or address could not be resolved. WinHttpClient failed while sending a request.

Is this scanner obsolete?

Orange County District Attorney

Antigen internet scan timed out and recovered

Wed, 05 Aug 2009 18:16:22 Z

Just upgraded my Exchange 2003 boxes with Antigen SP2 and I got this puzzling email alert:

Subject: Antigetn internet scan timed out and recovered

timeout occurred while scanning D:\Program Files\Microsft Antigen for Exchange\Archive\SMTP message. Please contact Microsoft.

I checked the server and found that I did not have a SMTP folder under the Archive folder. Could this have been the cause?

Orange County District Attorney

Integration with Outlook allowed senders lists?

Thu, 30 Jul 2009 22:36:05 Z

I'm on Exchange 2003 on Server 2003 and my client computers all run Office 2003. Is there any way to allow users to update their own whitelists? Does Antigen use Outlook's safe sender list or any other way to create a whitelist or is there just the filter in the admin console?

Antigen 9 Un-install problem

Fri, 17 Jul 2009 15:16:53 Z

Hi All

I am having trouble after I made a mistake and un-installed Antigen 9 without clearing the regkeys and failing over the cluster.

I have an Active/Passive Windows server 2003 running Exchange 2003 SP2 with Antigen 9.1 SP1.

We were having trouble with antigen on one of the nodes, when you opened the application it stated the license was out of date even though it had been upgraded from version 8. I decided to remove antigen and reinstall, so I removed it by add remove programs and failed the cluster over to enable me to restart.

After the restart i can no longer fail the cluster over to the passive node as 2 services fail to start, Exchange system attendant and SMTP Virtual server Instance 1 and it does seem to take a while for Cluster name and Disk services to stop and start.

I now know that I should have removed the keys and may be I should remove antigen from the current node but I do not want to cause any more problems.

If anyone has any suggestion as to what I can try it would be greatly appreciated.

Thanks in advance

Error GetEngineFiles not really an error?

Tue, 07 Jul 2009 22:49:39 Z

I just noticed an event on one of my Exchange 2003 servers running Antigen 9.1;

Type: Error
Source: GetEngineFiles
Event ID: 6014
Event Time: 7/7/2009 3:31:11 PM
User: n/a
Computer: OCDAEX00
Description:
Unable to load manifest from: http://antigendl.microsoft.com/antigen/x86/CAVet/Package/manifest.cab : (0x00002ee7) The server name or address could not be resolved. WinHttpClient failed while sending a request.

I opened the Antigen Console and noticed that it appeared to in fact update. It showed

Last Checked 15:31:11
Last Updated 03:31:23

Update Version 0907070001
Signature version 31.6.25.201

It looks good no?

Orange County District Attorney

using antigen 9 for exchange - "allowed senders" options grayed out for real time scan job

Thu, 02 Jul 2009 10:27:19 Z

Hi
we are using antigen 9, and want to exclude certain senders from realtime scanning. we have created a test list, and populated it with addresses. the list appears as expected in the filtering options for the smtp scan job, but does not appear in the bottom left pane for the realtime scan job. all options in the righthand bottom pane are therefore grayed out.