My name is Joe Anderson, and I work with the CSS Security Support Team.
Having firsthand experience with customers, I wanted to give some insight into things that we request when troubleshooting a particular issue. Below, I describe several of the common support scenarios and provide information about the type of diagnostics you will want to have on hand or be prepared to get before contacting support. I’ve also included some information about tools and utilities that are helpful in diagnosing problems.
What do I do if a virus gets past Antigen or Forefront?
While it doesn’t happen often, there’s always the chance that a virus outbreak will occur and the latest AV definitions are not able to detect a particular viral variant.
If this happens to you, you will want to lock down your messaging environment. Once you have your environment secure, you can follow knowledge base article KB952163 for the appropriate procedure to notify us about the undetected virus.
I have Antigen antispam protection, but too much spam is getting past the filters to the users’ inboxes. What do I do?
Spam can sometimes come in substantial waves. If you notice a big increase in the amount of spam that is hitting your environment or getting through to mailboxes, there are several troubleshooting steps you can take.
The first thing you should do is check to see that the antispam engine is being updated properly in the Antigen Administrator. If it is, then the likely problem is that the definitions have not yet been released for the spam variant hitting your environment.
In order to determine if the definitions are up to date, we usually request that you check the “update version” under “scanner updates” in the Forefront/Antigen administrator or run the “AntigenDiag” (see later in this article for details of what this contains) as this will tell us if updates are working or failing.
Other possible solutions and relief can be found in the following knowledge base article: KB920863
I have concerns about the functionality of Antigen/Forefront.
Depending on the issue, the bulk of our troubleshooting is done by reviewing the logs.
To help expedite the process, we usually ask customers to turn on additional diagnostics (These include: Additional Internet, Additional Realtime, Additional Manual) as well as set the “Max Programlog Size” setting to no more than 100000KB. All of the settings can be found in the General Options work pane in the Forefront/Antigen administrator.
While 100MB is a large size, it is important because the program log fills up quickly when additional diagnostics are turned on. The additional information provided when these settings are enabled is needed for extensive troubleshooting. If the program log size setting is left at a lower number, we run the risk of cutting off a part of the log that may be needed.
If you are opening up a ticket with support via a Web Incident, then a detailed summary of the problem and what steps you have already taken to try to resolve the issue will go a long way to helping the support engineer resolve your issue.
Helpful tools and utilities
Antigendiag.exe and FSCDiag.exe utility
The primary source for troubleshooting analysis is the
Antigendiag.exe / FSCDiag.exe. This utility gathers the following files:
· ADB / FDB files (contains the settings that allow us to reproduce the Antigen/Forefront environment as closely as possible).
· Event logs
· Programlog.txt and HRlog.txt (details the activity of the product including updates, detections and errors).
· Antigen/Forefront registry keys that tell us what’s turned on or not.
· Version information
· Dr. Watson logs and User Dumps (in case a dump is requested in performance related areas).
To Generate an Antigen/FSS Diagnostic
· Locate the install folder for Antigen or Forefront
· Double click on the AntigenDiag.exe (or the FSCDiag.exe if running Forefront)
· A command prompt will open
· Say YES to each question asked at the command prompt (not necessary in FSS)
· The subsequent diagnostic will be a zip file found in the following directories:
Antigen - C:\Program Files\Microsoft Antigen for Exchange\log\Diagnostics
Forefront – C:\Program Files(x86)\Microsoft Forefront Security\Exchange Server\log\Diagnostics
OneClick, Process Monitor and Performance Monitor
Antigen and Forefront install with a comprehensive set of proprietary diagnostic tools. It is often helpful, however, to employ the following auxiliary tools that will generate additional intelligence that can help shorten the troubleshooting path and lead to a faster resolution of the problem.
In order to generate network traces, we can leverage OneClick. This tool will allow a user to more closely examine Antigen and FSS specific network activity and communications.
Among the functionality that can be examined with OneClick are virus engine updates, database queries, template distribution, notification activity, as well as a host of Exchange specific network activity.
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon.
Troubleshooting for both Antigen and Forefront can require an administrator to more closely examine the properties and permissions of files and registry components as well as the status of process requests.
Performance Monitor is used to get statistical information about the hardware and software components of a server.
We can use this built-in tool to gather and analyze Antigen/FSS specific data. By adding Antigen/FSS counter objects and simultaneously introducing system counters, such as processor and memory usage, we can cross reference these values and determine Antigen/FSS’s tax on the server(s)
As you can see, gathering the data and diagnostics described in this article allows us to find the quickest and most accurate path to finding a solution.
Microsoft CSS Senior Support Engineer