Forefront Security for Exchange Server: Description of Hotfix Rollup 1 for Service Pack 2 for Forefront Security for Exchange Server

By TechSupport

SUPPORT PROBLEM: Description of Hotfix Rollup 1 for Service Pack 2 for Forefront Security for Exchange Server

Applications Supported:

SUPPORT SOLUTION:
Microsoft has released Hotfix Rollup 1 for Forefront Security for Exchange Server Service Pack 2. This article contains information about how to obtain the rollup and about the issues that are fixed by the rollup.

This rollup includes all the fixes that are included in Forefront Security for Exchange Server Service Pack 2.

For more information about the fixes included in Service Pack 2, click the following article number to view the article in the Microsoft Knowledge Base:

960465

(http://support.microsoft.com/kb/960465/
)

Description of Forefront Security for Exchange Server with Service Pack 2

.New features in the hotfix rollup

A silent parameter is now supported with FSCUtility in Forefront Server Security for Exchange This rollup adds a new silent parameter for use with FSCUtility.exe on active cluster nodes. The silent parameter avoids the confirmation prompt that you would usually receive when you run following commands:
FSCUtility.exe /enable
FSCUtility.exe /disable
The following is the new syntax that uses the silent parameter:To disable Forefront Server Security for Exchange and take the Exchange Virtual Server (EVS) or the clustered mailbox server (CMS) automatically offline on a cluster:FSCUtility.exe /disable /silentTo enable Forefront Server Security for Exchange and bring the EVS/CMS automatically online on a cluster: FSCUtility.exe /enable /silent
.Issues that are fixed in Hotfix Rollup 1 for Forefront Security for Exchange Server Service Pack 2

In addition to the fixes that are included in all service packs and rollups for Forefront Security for Exchange Server, this hotfix rollup includes fixes for the following issues:.Details of the issues that are fixed in the hotfix rollup

The Forefront Security for Exchange product version that is displayed in the AD Marker does not match the version that is displayed in the clientForefront Security for Exchange may consume too much memory, which may require a restart of Exchange servicesForefront Security for Exchange may consume too much memory when it is running on a mailbox server that requires a restart of Exchange servicesWhen Forefront’s EngineSync and FileSync cannot run at the same time on a CCR cluster, run lock errors are generated in the ProgramLog.txt fileYou cannot suppress engine deprecation (retirement) notifications even when you have disabled the retired engines on all scan jobs and their related scanner updatesLots of RPC requests lead to slow mail queues on an Exchange server that is running Forefront Security for ExchangeE-mail messages cannot be delivered from Forefront’s archive folderThe FSCController.exe process may stop responding. This generates a Dr. Watson crash that references Bucket ID 671966687Too much logging in Forefront Security for Exchange may cause slow mail flow and mail queues in ExchangeThe FSCController.exe process may stop responding. This generates a Dr. Watson crash that references Bucket ID 653246026Files are detected as “CorruptedCompressedFile” when the MaxUnCompressedFileSize registry entry is set to 0xFFFFFFFFForefront Server Security for Exchange cannot filter files that are encoded in the “Japanese (EUC)” MIME formatP7S files are detected as “CorruptedCompressedFile” when Forefront Server Security for Exchange scans digitally-signed messagesForefront Server Security for Exchange services cannot start if the installation root contains a file that is named “Program”Forefront Server Security for Exchange may incorrectly detect that valid Office Word 2003 documents contain CorruptedCompressedFile virusesRenaming an existing file filter list causes it to become disabled and revert to default settings in Forefront Server Security for Exchange A performance improvement lets Forefront Server Security for Exchange scan hidden infected files within 2007 Microsoft Office documents that were originally created by using Beta versionsMemory is not released from a scan processes when Forefront Server Security for Exchange scans certain GZip files Memory is not released from a scan processes when Forefront Server Security for Exchange scans TAR files within GZip files Memory is not released from a scan processes when Forefront Server Security for Exchange scans Mac Zip files within another archive (compressed) fileNo FSS-ELI Scheduled Task is created if all engine updates are disabled in Forefront Server Security for Exchange All engine updates roll back in Forefront Server Security for Exchange if the installation root contains a file that is named “Program”Filter Lists settings are not applied when you perform a silent installation of Forefront Server Security for Exchange The FSCRealtimeScanner.exe process consumes too much memory in Forefront Server Security for ExchangeThe FSCRealtimeScanner.exe process crashes when it tries to scan an e-mail message that has many recipientsExceptions during a Forefront for Exchange manual scan cause “ExceedinglyNested” detection and file removalWhen you try to generate a Forefront Diagnostic for Forefront Security for Exchange, you are prompted to “press any key” to complete the data collectionWhen an engine update fails in Forefront for Exchange because of an invalid database path, Forefront does not log an errorWhen you apply a template from one Forefront Security for Exchange installation to another Forefront Security for Exchange installation on a different server, the receiving server may lose all Forefront settings and may stop scanning mailA scan engine update fails, and a warning message is logged in the ProgramLog.txt fileNote All the fixes that are listed in this section apply to Forefront Security for Exchange Server Service Pack 2, unless otherwise stated.The Forefront Security for Exchange product version that is displayed in the AD Marker does not match the version that is displayed in the client SymptomsWhen you click About on the Help menu in Forefront Server for Exchange, the product version that is listed is accurate on the client. However, the product version that is listed in the corresponding Active Directory (AD) Marker is not.
This difference causes no functionality issues.
Forefront Security for Exchange may consume too much memory, which may require a restart of Exchange servicesSymptomsUsers experience slow mail flow and interruptions in mail delivery.CauseA memory leak was identified in the FSCRealtimeScanner.exe and FSCTransportScanner.exe processes. This memory leak can cause users to experience lulls and interruptions in the mail flow because of the memory resource depletion.Forefront Security for Exchange may consume too much memory when it is running on a mailbox server that requires a restart of Exchange servicesSymptomsUsers experience slow mail flow and interruptions in mail delivery.CauseA memory leak was identified in the FSCRealtimeScanner.exe process. This memory leak can cause users to experience lulls and interruptions in mail flow because of the memory resource depletion.When Forefront’s EngineSync and FileSync cannot run at the same time on a CCR cluster, run lock errors are generated in the ProgramLog.txt fileSymptomsThe ProgramLog file contains the following errors:Date/Time: ( 1432- 1884), “WARNING: FileSync (Thread)::CCR::FileSync::Run(): filesync.cpp:335: Cannot obtain a Forefront run lock; replication of ‘Notifications.fdb’ skipped.”

Date/Time: 2008 ( 1432- 1884), “WARNING: FileSync (Thread)::CCR::FileSync::Run(): filesync.cpp:335: Cannot obtain a Forefront run lock; replication of ‘FileScanners.fdb’ skipped.”
The Application log contains the following error:Event Type: Warning
Event Source: FSECCRService
Event Category: (9)
Event ID: 9411
Date: 7/7/2008
Time: 11:06:13 AM
User: N/A
Computer: Server1
Cause When Forefront Server for Exchange runs on a Cluster Continuous Replication (CCR) cluster, you have to synchronize the engine files and the database files between each node. If this synchronization occurs at the same time, errors will be generated in the ProgramLog.txt file and in the Application log. There are no functionality issues because the file synchronization does occur when the engine synchronization is complete.You cannot suppress engine deprecation (retirement) notifications even when you have disabled the retired engines on all scan jobs and their related scanner updatesSymptomsForefront for Exchange generates engine deprecation notifications that cannot be disabled regardless of scan job settings that relate to engine usage.
Forefront Security for Exchange will generate e-mail messages to remind the administrator of specific engine deprecations. These messages contain text that resembles the following Sophos example:
Sophos Virus Detection Engine has been deprecated as of 1/07/2009 and will be available only until 1/12/2009. Updates for this engine will stop after 1/12/2009. For more information, see http://go.microsoft.com/fwlink/?LinkId=152864Lots of RPC requests lead to slow mail queues on an Exchange server that is running Forefront Security for ExchangeSymptomsLots of RPC requests lead to resource depletion and slow mail queues on an Exchange server that is running Forefront Security for Exchange. E-mail messages cannot be delivered from Forefront’s archive folderSymptomsArchived e-mail messages cannot be delivered when you drop them into Exchange’s pickup folder.CauseThis issue occurs when Forefront’s Transport scan cannot initialize. This can cause it to remain in a state in which it cannot scan mail. Any mail that is dropped into Forefront’s archive folder is not delivered because it may contain incomplete header information.The FSCController.exe process may stop responding. This generates a Dr. Watson crash that references Bucket ID 671966687SymptomsThe FSCController.exe process may stop responding. This generates a Dr. Watson crash that references Bucket ID 671966687. The crash generates the following stack dump output: OLE32.DLL!CStdMarshal::DisconnectCliIPIDs [marshal.cxx]
OLE32.DLL!CStdMarshal::Disconnect [marshal.cxx]
OLE32.DLL!CStdMarshal::HandlePendingDisconnect [marshal.cxx]
OLE32.DLL!CStdMarshal::Finish_QueryRemoteInterfaces [marshal.cxx]
OLE32.DLL!CStdMarshal::QueryRemoteInterfaces [marshal.cxx]
OLE32.DLL!CStdIdentity::CInternalUnk::QueryMultipleInterfaces [stdid.cxx]
OLE32.DLL!CStdIdentity::CInternalUnk::QueryInterface [stdid.cxx]
RPCRT4.DLL!IUnknown_QueryInterface_Proxy [proxy.cxx]
FSCCONTROLLER.EXE!CRealtimeProxy::DisableScanEngine [realtimeproxy.cpp]
FSCCONTROLLER.EXE!CSybariService::DisableScanEngines [sybariservice.cpp]
RPCRT4.DLL!Invoke [stubless.asm]
RPCRT4.DLL!NdrStubCall2 [srvcall.cxx]
RPCRT4.DLL!CStdStubBuffer_Invoke [stub.cxx]
OLE32.DLL!SyncStubInvoke [channelb.cxx]
OLE32.DLL!StubInvoke [channelb.cxx]
OLE32.DLL!CCtxComChnl::ContextInvoke [ctxchnl.cxx]
OLE32.DLL!MTAInvoke [callctrl.cxx]
OLE32.DLL!STAInvoke [callctrl.cxx]
OLE32.DLL!AppInvoke [channelb.cxx]
OLE32.DLL!ComInvokeWithLockAndIPID [channelb.cxx]
OLE32.DLL!ComInvoke [channelb.cxx]
OLE32.DLL!ThreadDispatch [chancont.cxx]
OLE32.DLL!ThreadWndProc [chancont.cxx]
USER32.DLL!InternalCallWinProc [callproc.asm]
USER32.DLL!UserCallWinProcCheckWow [clmsg.c]
USER32.DLL!DispatchMessageWorker [clmsg.c]
USER32.DLL!DispatchMessageW [cltxt.h]
FSCCONTROLLER.EXE!CServiceModule::Run [antigenservice.cpp]
FSCCONTROLLER.EXE!CServiceModule::ServiceMain [antigenservice.cpp]
ADVAPI32.DLL!ScSvcctrlThreadA [scapi.cxx]
KERNEL32.DLL!BaseThreadInitThunk [thread.c]
NTDLL.DLL!__RtlUserThreadStart [rtlexec.c]
NTDLL.DLL!_RtlUserThreadStart [rtlexec.c]
Too much logging in Forefront Security for Exchange may cause slow mail flow and mail queues in ExchangeSymptomsUsers may experience slow mail flow and mail queues in Exchange.CauseThis issue occurs when default level logging in Forefront Security for Exchange becomes resource-intensive.The FSCController.exe process may stop responding. This generates a Dr. Watson crash that references Bucket ID 653246026SymptomsThe FSCController.exe may crash. This generates a Dr. Watson crash that references Bucket ID 653246026. The crash generates the following stack dump output: FSCCONTROLLER.EXE!CRealtimeProxy::Shutdown [realtimeproxy.cpp]
FSCCONTROLLER.EXE!ShutdownStorageGroup [sybariservice.cpp]
FSCCONTROLLER.EXE!CSybariService::ShutdownStorageGroup [sybariservice.cpp]
FSCCONTROLLER.EXE!CSybariService::ShutdownStorageGroup [sybariservice.cpp]
RPCRT4.DLL!Invoke [stubless.asm]
RPCRT4.DLL!NdrStubCall2 [srvcall.cxx]
RPCRT4.DLL!CStdStubBuffer_Invoke [stub.cxx]
OLEAUT32.DLL!CUnivStubWrapper::Invoke [rpcwrap.cpp]
OLE32.DLL!SyncStubInvoke [channelb.cxx]
OLE32.DLL!StubInvoke [channelb.cxx]
OLE32.DLL!CCtxComChnl::ContextInvoke [ctxchnl.cxx]
OLE32.DLL!MTAInvoke [callctrl.cxx]
OLE32.DLL!STAInvoke [callctrl.cxx]
OLE32.DLL!AppInvoke [channelb.cxx]
OLE32.DLL!ComInvokeWithLockAndIPID [channelb.cxx]
OLE32.DLL!ComInvoke [channelb.cxx]
OLE32.DLL!ThreadDispatch [chancont.cxx]
OLE32.DLL!ThreadWndProc [chancont.cxx]
USER32.DLL!InternalCallWinProc [callproc.asm]
USER32.DLL!UserCallWinProcCheckWow [clmsg.c]
USER32.DLL!DispatchMessageWorker [clmsg.c]
USER32.DLL!DispatchMessageW [cltxt.h]
FSCCONTROLLER.EXE!CServiceModule::Run [antigenservice.cpp]
FSCCONTROLLER.EXE!CServiceModule::ServiceMain [antigenservice.cpp]
ADVAPI32.DLL!ScSvcctrlThreadA [scapi.cxx]
KERNEL32.DLL!BaseThreadInitThunk [thread.c]
NTDLL.DLL!__RtlUserThreadStart [rtlexec.c}
NTDLL.DLL!_RtlUserThreadStart [rtlexec.c]
Files are detected as “CorruptedCompressedFile” when the MaxUnCompressedFileSize registry entry is set to 0xFFFFFFFFSymptomsIf you set the value of the MaxUnCompressedFileSize registry entry to 0xFFFFFFFF, Forefront Server Security for Exchange detects files as “CorruptedCompressedFile,” regardless of their size.
If you have enabled the Delete Corrupted Compressed Files setting under the SETTINGS, General Options area in the Forefront Administrator console, the file will also be deleted.
Forefront Server Security for Exchange cannot filter files that are encoded in the “Japanese (EUC)” MIME formatSymptomsIf a file name is written to the ProgramLog.txt file, it is displayed as garbled characters and does represent the original file name in Japanese.CauseThis issue occurs when you send an attachment inside an e-mail message that you encode in the “Japanese (EUC)” MIME format. When Forefront Server Security for Exchange tries to scan the attachment, it cannot correctly identify the file name extension, and the file passes through unscanned.P7S files are detected as “CorruptedCompressedFile” when Forefront Server Security for Exchange scans digitally-signed messagesSymptomsFiles are detected as “CorruptedCompressedFile” and are viewable in the Incidents panel as Corrupted Compressed.CauseThis occurs when you digitally sign messages. The digital signature of your message is carried in a P7S file. This file is attached to the message. When Forefront Server Security for Exchange scans the P7S file, it is detected as a “CorruptedCompressedFile.”
If you have enabled the Delete Corrupted Compressed Files setting under the SETTINGS, General Option area in the Forefront Administrator console, the file will also be deleted.
Forefront Server Security for Exchange services cannot start if the installation root contains a file that is named “Program”SymptomsForefront Server Security for Exchange cannot start if the installation root (for example, C:) contains a file that is named “Program.”CauseForefront Server Security for Exchange services do not contain quotation marks around the path of the executable files that they trigger upon startup. This causes the system to look for any file in the path. For example, it may look for a file that is named “C:\Program” when the path is “C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server\FSEMailPickup.exe.” This means that Forefront finds the wrong file and cannot start the service.WorkaroundIf you are experiencing this issue and cannot install the rollup package to resolve it immediately, you can work around the issue by adding quotation marks around the path of the executable in the Services registry. This is documented in the following Microsoft Knowledge Base article:
812486

(http://support.microsoft.com/kb/812486/
)
Event ID 7000 and “%1 is not a valid Win32 application” error message when you start a service

Forefront Server Security for Exchange may incorrectly detect that valid Office Word 2003 documents contain CorruptedCompressedFile virusesSymptomsForefront Server Security for Exchange may incorrectly detect that valid Microsoft Office Word 2003 documents contain CorruptedCompressedFiles viruses.

The e-mail attachment is removed, and an incident is logged in the Incidents panel, stating that the file was removed as a CorruptedCompressedFile virus. The ProgramLog.txt file contains the following entry:
INFORMATION: Realtime scan found virus: Folder: Folder Name Storage Group\file name Message: subject line Incident: CorruptedCompressedFile State: RemovedIn this message, the placeholder Folder Name reoresents the name of the folder where the virus was found.CauseThis error is caused by the method that Forefront Server Security uses to try to parse the Word document.Renaming an existing file filter list causes it to become disabled and revert to default settings in Forefront Server Security for Exchange SymptomsWhen you rename an existing file filter list in the Filter Lists area under FILTERING in the Forefront Administrator console, the file filter list in the Lists area, under File, under FILTERING will be disabled. All configuration settings, such as Action, General, and Identify are set to default values.A performance improvement lets Forefront Server Security for Exchange scan hidden infected files within 2007 Microsoft Office documents that were originally created by using Beta versionsSymptomsSome 2007 Office (OPENXML) documents may contain “hidden” subfiles. That is, these documents may contain files that are not referenced in the document’s Document.xml.rels file. Certain inefficiencies were found in the additional code that is used to scan “hidden” files in 2007 Office documents. More InformationThe fix for this issue lets Forefront Server Security for Exchange scan the file more efficiently by using fewer system resources.
Note The initial releases of 2007 Office will not open any files that are not referenced in the document’s Document.xml.rels file.
Memory is not released from a scan processes when Forefront Server Security for Exchange scans certain GZip files SymptomsForefront Server Security for Exchange does not release memory from scan processes after GZip files are scanned.
This issue can cause the memory that is consumed by a Forefront scan processes (FSCRealtimeScanner.exe, FSCTransportScanner.exe, or FSCManualScanner.exe) to grow exponentially and may cause a low-memory condition on the server.
When this issue occurs, you may find any of the following entries written to the ProgramLog.txt file:
“ERROR: An exception has occurred within ForefrontAgent’s Scan method. Exception message = “Insufficient memory to continue the execution of the program.”"
“ERROR: An exception has occurred within ForefrontAgent’s Scan method. Exception message = “No more threads can be created in the system. (Exception from HRESULT: 0×800700A4)”"
“ERROR: An exception has occurred within ForefrontAgent’s Scan method. Exception message = “Value does not fall within the expected range.”"
“DIAGNOSTIC: localizestream.cpp::LocalizeStream(): Failed to allocate memory for local stream 0×8007000e”

“ERROR: ReadWideCharBufferFromStream(): Attempted read of 5572 byte(s). Actual bytes read were 0. hr=8007000e”

“ERROR: FSCRealtimeScanner: Exception occurred (0xc0000005) at address 0×056C3769, p[0]=0×0, p[1]=0×3287224f”
“eax=0×00000000 ebx=0×32871fb7 ecx=0×07bdcfd0 edx=0×328721cd”
“esi=0×07c8e3dc edi=0×32871fb7 ebp=0×07c6f0d0 esp=0×0102a2f8″
“102a2f0: 00000000 00000000 00000000″
…
“102f720: 00000004 0042378f 8007000e”
Additionally, the following entries may be written to the HRLog.txt file:”INFORMATION: F 0×8007000e, 775-(primaryobject)”
“INFORMATION: F 0×8007000e, 1209-(primaryobject)”
“INFORMATION: F 0×8007000e, 1855-(primaryobject)”
“INFORMATION: S 0×8007000e, 7103-(workthread)”
Many of these entries contain the hexadecimal code 0×8007000E. This means “Not enough storage is available to complete this operation” or “ERROR_OUTOFMEMORY.”CauseThis problem is caused by a problem with Forefront’s TNEFNavigator.dll file.No FSS-ELI Scheduled Task is created if all engine updates are disabled in Forefront Server Security for Exchange SymptomsThe FSS-ELI Scheduled Task’s responsibility is to update Forefront’s Engine Licensing Information (ELI) file, which is EngineInfo.cab. If no engine updates are enabled for any engines in the Scanner Updates area, under SETTINGS in the Forefront Administrator Console, the FSS-ELI Scheduled Task will not be created. For example, you may select this configuration if you use FSSMC to distribute engines centrally.WorkaroundIf you are experiencing this issue and cannot install the rollup package to resolve it immediately, you can work around the issue by following these steps:
Schedule at least one engine update in the Scanner Updates area, under SETTINGS in the Forefront Administrator Console.
Restart Forefront and Exchange services to let Forefront Server Security for Exchange create the FSS-ELI Scheduled Task.
All engine updates roll back in Forefront Server Security for Exchange if the installation root contains a file that is named “Program”SymptomsWhen you try to update a scan engine in Forefront Server Security for Exchange, it rolls back. A new scan engine is then downloaded, but it cannot be integrated. The new engine is then rolled back, and Forefront reverts to the old engine.The following entries may be written to the Application log and to the ProgramLog.txt for each attempted engine update. The following example is for the Microsoft scan engine: “INFORMATION: The Microsoft scan engine has been downloaded”
“INFORMATION: The Microsoft scan engine has been staged.”
“ERROR: (0×000000c1) %1 is not a valid Win32 application. Unable to launch ScanEngineTest for the Microsoft scan engine.”
“INFORMATION: The Microsoft scan engine has been rolled back.”
CauseWhen a new scan engine is downloaded, Forefront must first test it before integrating it. Forefront uses ScanEngineTest.exe to do this. However, the path of ScanEngineTest.exe is not enclosed in quotation marks in Forefront’s engine update code. This causes the system to look for any file in the path. For example, it may look for a file that is named “C:\Program” when the path is “C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server\ScanEngineTest.exe,” if the file exists. This means that Forefront finds the wrong file and cannot complete the scan engine test. The engine is then rolled back.Filter Lists settings are not applied when you perform a silent installation of Forefront Server Security for Exchange SymptomsYou use the -t parameter to specify a Template.fdb file when you run the Forefront Server Security for Exchange setup as a silent installation. If the Template.fdb file contains custom Filter Lists, these are not populated in the new installation. This issue occurs even though the installation completes successfully and without error.CauseThis issue occurs because the FilterLists.fdb file is not created until the Forefront Administrator console is opened for the first time. Therefore, Setup cannot load any custom Filter Lists into the FilterLists.fdb file during a silent installation because the FilterLists.fdb file does not exist at that point.The FSCRealtimeScanner.exe process consumes too much memory in Forefront Server Security for ExchangeSymptomsThere are two issues in which the FSCRealtimeScanner.exe processes can consume too much memory. These issues cause the memory that is consumed by FSCRealtimeScanner.exe processes to grow exponentially and may cause a low-memory condition on the server.
Note Because Forefront Server Security for Exchange typically scans most mail at the Transport level, you may find that this memory condition is difficult to spot and may become obvious only if you have not restarted Forefront services for a long period, say for several weeks.
When these issues occur, you may find any of the following entries written to the ProgramLog.txt file:
“ERROR: An exception has occurred within ForefrontAgent’s Scan method. Exception message = “Insufficient memory to continue the execution of the program.”"
“ERROR: An exception has occurred within ForefrontAgent’s Scan method. Exception message = “No more threads can be created in the system. (Exception from HRESULT: 0×800700A4)”"
“ERROR: An exception has occurred within ForefrontAgent’s Scan method. Exception message = “Value does not fall within the expected range.”"
“DIAGNOSTIC: localizestream.cpp::LocalizeStream(): Failed to allocate memory for local stream 0×8007000e”

“ERROR: ReadWideCharBufferFromStream(): Attempted read of 5572 byte(s). Actual bytes read were 0. hr=8007000e”

(http://support.microsoft.com/kb/322756/
)
How to back up and restore the registry in WindowsClick Start, click Run, type regedit, and then click OK.
Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\Microsoft\Forefront Server Security\Exchange ServerOn the Edit menu, point to New, and then click DWORD Value.Type OptimizeADQuery, and then press ENTER.
On the Edit menu, click Modify.
Type 1, and then click OK.
Exit Registry Editor.Stop the FSCController service. Then, restart the FSCController service and all Exchange services.The FSCRealtimeScanner.exe process crashes when it tries to scan an e-mail message that has many recipientsSymptomsAfter you apply Forefront Security for Exchange Service Pack 2, crashes may occur when the real-time scanning processes runs.CauseThis issue occurs because Forefront Security for Exchange Server SP2 includes performance optimizations that build a large LDAP query to process all the legacyExchangeDNs for mail recipients into one query. It does this by creating a sub query for each recipient in the message, which resembles the following:(legacyExchangeDN= /o=ORGNAME/OU=First Administrative Group/cn=Recipients/cn=RECIPIENT)This query is 88 characters long. However, the variable that stores the LDAP query can store only 10,241 characters. If there many subqueries, the total length of the LDAP query can exceed 10,241 characters. When this character limitation is exceeded, the FSCRealtimeScanner.exe process crashes.Exceptions during a Forefront for Exchange manual scan cause “ExceedinglyNested” detection and file removalSymptomsDuring a manual scan on an Exchange server, Forefront Security for Exchange incorrectly detects Office documents and e-mail messages as “ExceedinglyNested.” Forefront Security for Exchange quarantines these files, and the body of the e-mail message is replaced with deletion text.CauseThis issue occurs when, during a manual scan, if Forefront Security for Exchange enters into unhealthy state where exceptions are thrown, it may try to continue scanning documents. If these exceptions occur, they can cause the counters, which track highly nested files, to become invalid. These invalid counters then cause Forefront Security for Exchange to incorrectly detect ordinary files as being “ExceedinglyNested.”When you try to generate a Forefront Diagnostic for Forefront Security for Exchange, you are prompted to “press any key” to complete the data collectionSymptomsWhen you try to generate a Forefront Diagnostic for Forefront Security for Exchange, you are prompted to “press any key” to complete the data collection. Therefore, an administrator is required to complete the data collection.When an engine update fails in Forefront for Exchange because of an invalid database path, Forefront does not log an errorSymptomsWhen an invalid database path is present in the Forefront for Exchange registry settings, the engine update will not be completed. However, a concise error will not be logged.
After you install Hotfix Rollup 1 for Forefront Security for Exchange Service Pack 2, the following error is logged in the Application log when an engine update fails because of the presence of an invalid database path: Source: FSCController
Event ID: 100
Severity: Error
ERROR: The database path in the registry does not exist.
When you apply a template from one Forefront Security for Exchange installation to another Forefront Security for Exchange installation on a different server, the receiving server may lose all Forefront settings and may stop scanning mailSymptomsWhen you try to apply a template from one Forefront Security for Exchange installation to another Forefront Security for Exchange installation on a different server, RPC issues may occur. The Forefront Security for Exchange settings on the receiving server may be deleted before the template is applied. Because of certain RPC and networking issues, the new template cannot be applied and can leave Forefront unable to scan.CauseThis issue occurs because the order in which Forefront for Exchange applies a template begins with the deletion of the existing database configurations on the receiving Forefront for Exchange server, followed by applying the new template. If networking issues occur, they may interfere with applying the new template after the existing database configurations are deleted.A scan engine update fails, and a warning message is logged in the ProgramLog.txt fileSymptomsIf any of the Forefront Security for Exchange external scan engine vendors release a scan engine release a scan engine update that incorporates files that are packaged within subdirectories, the scan engine update will fail. Additionally, a warning message that resembles the following is logged in the ProgramLog.txt file: WARNING: A failure was reported by the synchronization observer while installing the scanner. Action = 0×00000001. C:\ Forefront Installation Directory\EngineName\Bin\bases/stt/ CauseThis problem occurs because Forefront Security for Exchange Server cannot update a scan engine that contains one or more subdirectories within its update package.
.Hotfix rollup information

Download information
3,
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. If the hotfix is available for download, there is a “Hotfix download available” section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix. Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: http://support.microsoft.com/contactus/?ws=support
(http://support.microsoft.com/contactus/?ws=support)
Note The “Hotfix download available” form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.How to install the Hotfix Rollup
3,
Run the installer by double-clicking the service pack or rollup executable file.

Note When the installer is running, the Exchange and Forefront Security for Exchange services are stopped, and your mail flow is temporarily stopped.
After the installation is complete and the Exchange and Forefront Security for Exchange services are restarted (this occurs automatically during the installation), verify that Forefront Security for Exchange is working correctly.

Note Forefront Security for Exchange service packs or rollups can also be installed by using the FFSMC Deployment job. For more information, see “Deployment Jobs” in the Forefront Server Security Management Console User Guide. In this case, the installer runs in silent mode, and there is no user input required. The rest of the process remains the same as when you run the installer by double-clicking the executable file.
Prerequisites
3,
There are no prerequisites for installing this hotfix rollup.File Information
3,
This hotfix rollup may not contain all the files that you must have to fully update a product to the latest build. This hotfix rollup contains only the files that you must have to correct the issues that are listed in this article.The English (United States) version of this hotfix rollup uses a Microsoft Windows Installer package to install the hotfix rollup. The dates and the times for these files are listed in Coordinated Universal Time (UTC) in the following table. When you view the file information, the date is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.Collapse this tableExpand this tableFile nameFile versionFile sizeDateTimePlatformAdonavigator.dll10.2.945.0421,23212-Jan-201001:34×86Adonavigator64.dll10.2.945.0716,14412-Jan-201001:41×64Adonavsvc.exe10.2.945.0154,99212-Jan-201001:41×64Aexmladapter.dll10.2.945.0379,24812-Jan-201001:34×86Custominstall.dll10.2.945.0922,99212-Jan-201001:34×86Customuninstall.dll10.2.945.0342,38412-Jan-201001:34×86Eventstrings-en_us.dll10.2.945.0118,64012-Jan-201001:34×86Eventstrings.dll10.2.945.0118,64012-Jan-201001:34×86Extractfiles.exe10.2.945.0338,28812-Jan-201001:34×86Filterengine.dll10.2.945.0332,65612-Jan-201001:34×86Fscadmarksvc.exe10.2.945.089,08811-Jan-201023:35×86Fscappscanner.dll10.2.945.0334,70412-Jan-201001:34×86Fsccodec.dll10.2.945.0194,92812-Jan-201001:34×86Fsccommon.dll10.2.945.018,28812-Jan-201001:34×86Fsccontroller.exe10.2.945.01,607,02412-Jan-201001:34×86Fsccontrollerps.dll10.2.945.085,36012-Jan-201001:34×86Fscdiag.exe10.2.945.0487,79212-Jan-201001:34×86Fscexec.exe10.2.945.057,20012-Jan-201001:34×86Fscmanualscanner.exe10.2.945.0899,44012-Jan-201001:34×86Fscmonitor.exe10.2.945.0265,07212-Jan-201001:34×86Fscmonitorps.dll10.2.945.051,05612-Jan-201001:34×86Fscrealtimescanner.exe10.2.945.0882,54412-Jan-201001:34×86Fscstarter.exe10.2.945.0249,20012-Jan-201001:34×86Fscstatsserv.exe10.2.945.0270,70412-Jan-201001:34×86Fsctransportscanner.exe10.2.945.0903,53612-Jan-201001:34×86Fscutility.exe10.2.945.0494,44812-Jan-201001:34×86Fseccrservice.exe10.2.945.0825,71212-Jan-201001:34×86Fseimc.exe10.2.945.0324,46412-Jan-201001:34×86Fsemailpickup.exe10.2.945.092,01612-Jan-201001:34×86Fsevsapi.dll10.2.945.0616,81612-Jan-201001:41×64Fsevsapiex.dll10.2.945.076,65612-Jan-201001:41×64Fssaclient.exe10.2.945.01,221,48812-Jan-201001:34×86Getenginefiles.exe10.2.945.0643,95212-Jan-201001:34×86Gziparchive.dll10.2.945.0267,12012-Jan-201001:34×86Installservice.exe10.2.945.049,00812-Jan-201001:34×86Installtask.exe10.2.945.0226,67212-Jan-201001:34×86Launcher.exe10.2.945.0400,24012-Jan-201001:41×64Macbinnavigator.dll10.2.945.0241,52012-Jan-201001:34×86Mimenavigator.dll10.2.945.0322,92812-Jan-201001:34×86Multimapper.dll10.2.945.0672,62412-Jan-201001:34×86Openxmlnavigator.dll10.2.945.092,52812-Jan-201001:34×86Perfmonitorsetup.exe10.2.945.0294,76812-Jan-201001:34×86Programlogmsg.dll10.2.945.0111,47212-Jan-201001:34×86Rarnavigator.dll10.2.945.0333,68012-Jan-201001:34×86Remotinglayer.dll10.2.945.082,28812-Jan-201001:34×86Remotinglayer64.dll10.2.945.0115,56812-Jan-201001:41×64Scanengines.dll10.2.945.0562,03212-Jan-201001:34×86Scanenginetest.exe10.2.945.0359,79212-Jan-201001:34×86Semsetup.exe10.2.945.0292,20812-Jan-201001:34×86Sfxcab.exe10.2.945.039,42409-Feb-201019:52×86Smimenavigator.dll10.2.945.0238,44812-Jan-201001:34×86Statisticsmanager.dll10.2.945.0537,45612-Jan-201001:34×86Structstgnavigator.dll10.2.945.0300,40012-Jan-201001:34×86Tararchive.dll10.2.945.0249,20012-Jan-201001:34×86Tnefnavigator.dll10.2.945.0308,08012-Jan-201001:34×86Uuencodenavigator.dll10.2.945.0256,88012-Jan-201001:34×86Version.exe10.2.945.0309,61612-Jan-201001:34×86Ziparchive.dll10.2.945.0304,49612-Jan-201001:34×86Fscperfmonitor.dll10.2.945.0315,76012-Jan-201001:34×86Fscperfmonitor.dll10.2.945.0544,62412-Jan-201001:41×64Custom64.dllNot Applicable99,84002-Feb-201017:46×64Updspapi.dll6.3.16.0463,72010-Oct-200816:42×64The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products..

For File Repair and Data Recovery, visit File Repair / Data Recovery

Comments: Write a Comment

Category: Forefront Security for Exchange Server

« previous home top next »

Forefront Security for Exchange Server: Description of Hotfix Rollup 1 for Service Pack 2 for Forefront Security for Exchange Server

Comments: Write a Comment

Category: Forefront Security for Exchange Server

Categories

Support Issues