The virus world has always seen a battle between virus makers and anti-virus vendors, each trying to outwit each other through their speed and technology. Antigen and Forefront products incorporate proprietary and 3rd-party anti-virus scan engines that use heuristics and pattern (definition) technology to scan and detect viruses.
When a new virus is released into the wild, it may initially be caught by an anti-virus (AV) vendor’s heuristic definitions, but if not, the vendor will first need to locate and analyse a sample of the virus. The vendor then releases a new pattern file or ‘definition’ as part of an engine update, which will allow for detection of the virus.
Antigen and Forefront products encompass up to 8 AV scan engines (up to 5 can be enabled at any one time). This multi-engine approach gives your users a high level of protection against all threats, and particularly against new ones, where time is of the essence.
No AV protection is (or probably ever will be) 100% secure, and as an administrator you may run into one of the following scenarios:
· False-negatives (virus is not detected)
· False-positives (non-virus is detected)
I’ve written this blog to give you the initial actions and troubleshooting steps that you should take (in relation to Antigen 9/Forefront Server 10 products) in each of these scenarios. Please read on below; if you’re not au fait with certain terms in this blog, I’ve also given you a Mini Glossary at the end.
Microsoft CSS (Customer Service and Support)
FAQ: “A virus got past Antigen/Forefront (without being detected). How can I provide protection for this virus in the future?”
On the rare occasion that you find a virus getting past Antigen/Forefront, the first things that you’ll want to do are to make sure that no user has been infected and then take measures to ensure that the same virus will not get through again. A local AV product (on your user’s desktop PC) should help to achieve the former, and you can use the following steps to tackle the latter:
1. Do not open/execute the file
2. Update your engines
3. Check your selected engine and Bias
4. Submit the virus
5. Check vendor sites for coverage
6. Use filters
7. Check your local AV
! Note: If your local AV cannot remove an infection, consult the Microsoft Malware Protection Center for removal advice and/or open a support case with Microsoft CSS to receive assistance.
1. Do not open/execute the file - ...unless you have good reason to believe that it has been cleaned (you do this at your own risk!). I like to state the obvious where security’s concerned.
2. Update your engines – Make sure that your scan engines are up-to-date in the Antigen/Forefront Administrator console (click on SETTINGS -> Scanner Updates). To troubleshoot engine updates, try reviewing the ProgramLog.txt and search for any errors on http://support.microsoft.com/. Without the latest engine updates, your system will not be protected against the latest threats!
3. Check your selected engine and Bias – one or two of your engines may already provide coverage for a specific new virus...but have you enabled these engines?
Similarly, your Engine Bias may prevent Antigen/Forefront from detecting the virus.
Let’s assume you have enabled 4 engines and are currently using a ‘Neutral’ Engine Bias. This setting will pick 2 of your 4 engines for each scan (50%). If only 1 or 2 engines currently provide detection against a new virus, you cannot guarantee that these engines will scan every mail with this bias.
Increasing the Engine Bias has a (usually minor) impact on performance, but in an outbreak situation you will probably want to sacrifice performance for added security. I would recommend the ‘Max Certainty’ Engine Bias in this situation. Antigen/Forefront will then scan each message with every enabled engine.
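To make the Engine Bias point concrete, here is an added example (not code from this post or from Antigen/Forefront) that models the bias as a uniform random choice of engines for each scan, which is a simplifying assumption about the product’s selection logic, and computes how likely a mail is to be scanned by at least one engine that already has a definition for the new virus:

```python
from fractions import Fraction
from math import comb


def coverage_probability(enabled, chosen_per_scan, with_coverage):
    """Probability that at least one engine picked for a scan already
    detects the new virus.

    Assumption: the bias setting picks `chosen_per_scan` of the `enabled`
    engines uniformly at random for every scan (a model, not the real
    product logic). `with_coverage` is how many enabled engines have a
    definition for the virus."""
    if not 0 <= with_coverage <= enabled or not 0 < chosen_per_scan <= enabled:
        raise ValueError("inconsistent engine counts")
    without = enabled - with_coverage
    # A scan misses only if every chosen engine lacks coverage.
    missed = comb(without, chosen_per_scan) if without >= chosen_per_scan else 0
    return 1 - Fraction(missed, comb(enabled, chosen_per_scan))


def bias_table(enabled, with_coverage):
    """Compare the two bias settings named in the post: Neutral scans
    with half of the enabled engines, Max Certainty with all of them."""
    return {
        "Neutral": coverage_probability(enabled, max(1, enabled // 2), with_coverage),
        "Max Certainty": coverage_probability(enabled, enabled, with_coverage),
    }


if __name__ == "__main__":
    # The post's scenario: 4 engines enabled, only 1 or 2 of them
    # already have a definition for the new virus.
    for covering in (1, 2):
        for bias, p in bias_table(4, covering).items():
            print(f"{covering} covering engine(s), {bias:13s}: {p} ({float(p):.0%})")
```

With 4 engines enabled and 1 covering engine, Neutral gives only a 1/2 chance per mail, 2 covering engines raise it to 5/6, and Max Certainty gives certainty in both cases.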
4. Submit the virus – if you are able to obtain a copy of the virus (maybe from a quarantine area within the user’s local AV product), please package it for submission to Microsoft as per KB952163. I recommend opening a support case for submission over sending directly to the email address provided, as this allows us to provide you with feedback and facilitates tracking.
5. Check vendor sites for coverage – most of the Antigen/Forefront AV vendors provide up-to-date information on the threats that they cover. You can find the latest threats and coverage at the Microsoft Malware Protection Center, for instance. As Microsoft polls all vendor sites constantly, you should expect Antigen/Forefront releases of any new vendor signature version within 30 minutes of a vendor release (after Microsoft has tested, repackaged and signed them for redistribution to you). Once a vendor has released a new definition for a virus, keep an eye on your Antigen/Forefront engine updates, as per point 2. You can also check for new updates immediately by using the ‘Update Now’ button in the Scanner Updates panel.
When comparing different vendor sites, note that each vendor will call a virus its own specific name. What Microsoft calls ‘Win32/Conficker.B’ for example, is also known as ‘Win32/Conficker.A’ (CA), ‘Mal/Conficker-A’ (Sophos), ‘Trojan.Win32.Agent.bccs’ (Kaspersky) and ‘W32.Downadup.B’ (Symantec).
Depending on the extent of the threat that you perceive, you may wish to run a Manual Scan on your Storage Groups (once you have corresponding updates in place), singling out 1 or 2 updated scan engines that now have definitions in place and can delete any instances of the virus. For more information on running a Manual Scan, please see the Antigen and Forefront User Guides.
6. Use filters - File, Subject Line and even Keyword Filters can be very effective in blocking viruses in the short-term (until definitions are available), particularly if you are facing a high number of infected mails/files entering your environment. File Filters are usually the easiest type to implement, but in the case that the virus attachment name varies significantly, try using other filter types to home in on the mail.
7. Check your local AV – Microsoft believes in a multi-layered approach to security (as do I!). Even though you have taken steps to stop the virus getting past Antigen, it’s also important to check that your local AV clients (AV product on each user’s PC, such as Forefront Client Security) are up-to-date and also provide coverage for the virus.
FAQ: “Antigen/Forefront detected a legitimate business file as a virus. How can I retrieve this file and prevent future detections of this nature?”
You might also find that a scan engine is detecting/deleting a file that you believe not to be infected. This is most common with a scan engine’s heuristic components that look for patterns in files to determine what is highly likely to be a virus. This is most useful before a pattern/definition has been released for a new virus. Occasionally heuristics (and other definitions) can pick up legitimate files as well and the scan engine may need some fine-tuning.
You would usually see false-positive detections occurring with only one specific scan engine at any one time. If multiple engines are detecting the file as a virus, the detection is most probably correct (it’s a virus!).
We recommend that you open a support case with CSS to report any suspected false positive. The support engineer will work with you to reproduce the detection and escalate the issue to the vendor(s) in question. The vendor then has the final call to correct their definition files as they see fit. If all goes well, you can expect a corrective engine update from Microsoft within a day or two.
To help with analysis and find you the quickest solution, please consider these points:
1. Do not open/execute the file
2. Record engine details
3. Submit the affected file
4. Consider disabling the engine
5. Command false-positives
1. Do not open/execute the file - ...unless you have good reason to believe that it is clean (you do this at your own risk!).
2. Record engine details – note the detecting engine and the engine details (Signature Version, Engine Version and Update Version). These are important details for your submission to Microsoft. Don’t forget to give us the virus name as well!
3. Submit the affected file – CSS will need a copy of the file to reproduce the detection. You may well be able to retrieve this from the Antigen/Forefront Quarantine (if you had enabled the ‘Quarantine Files’ option on the relevant scanjob). As I mentioned, it’s best to submit false-positive detections through a support case. Please use the guidelines in KB952163 to package the file to send through to us.
4. Consider disabling the engine – depending on the frequency of these unwanted detections and the importance of the affected mails, you may wish to temporarily disable the scan engine in question until the issue has been corrected. Using the multiple engines within Antigen/Forefront, you should be able to swap a currently disabled engine for the culprit engine, so that you still have the same number of scan engines enabled overall.
5. Command false-positives – the Command engine has a number of different heuristic features. If these are producing many false-positives for you for any reason, consider the advice in KB963033, which tells you how they (heuristic detections only) may be disabled.
Definitions for this blog entry:
AV – Anti-Virus
Norman Data Defense
CSS – Customer Service and Support. The division of Microsoft that, amongst other things, handles support cases.
Definition – a set of characteristics that match a specific virus.
(Scan) Engine Update – a scan engine package that is downloaded from the internet to provide the latest AV pattern files/definitions. Engine updates are usually scheduled in Antigen/Forefront to run at least daily (I personally recommend hourly for AV engines).
Engine Version – The engine vendor’s version number of the underlying technology of the scan engine. This is the component that breaks down the content and scans it with the current virus definitions. This number will typically only change every few months or longer.
ProgramLog.txt – This is the main log for all Antigen/Forefront activity. It includes information that you’ll also see in the Application event log...but also a whole lot more. You’ll find the latest entries at the end of the log, so if you’re checking why an engine update hasn’t updated properly, scroll to the end and look for ERROR: or WARNING: entries around the time of the update. These are the default locations for the ProgramLog:
Antigen for Exchange – Program Files\Microsoft Antigen for Exchange
Antigen for SMTP – Program Files\Microsoft Antigen for SMTP
Forefront for Exchange (FSE) – Program Files (x86)\Microsoft Forefront Security\Exchange Server\Data
Forefront for SharePoint (FSSP) – Program Files (x86)\Microsoft Forefront Security\SharePoint\Data
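As an added example (not from this post or from the product), here is a small script that performs the check described above: read the end of the ProgramLog, keep only ERROR: and WARNING: entries, and show those that fall around the time of the scheduled update. The timestamp layout in LINE_RE and the sample log lines are assumptions/constructed, so adjust the pattern to match your actual ProgramLog.txt.

```python
import re
from datetime import datetime, timedelta

# Assumed line layout: "<M/D/YYYY H:MM:SS> <LEVEL>: <message>". The real
# ProgramLog.txt layout may differ; change LINE_RE/TS_FORMAT to match it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2})\s+(?P<level>[A-Z]+):\s*(?P<msg>.*)$"
)
TS_FORMAT = "%m/%d/%Y %H:%M:%S"


def find_update_problems(lines, update_time, window=timedelta(minutes=30), tail=5000):
    """Return (timestamp, level, message) tuples for ERROR:/WARNING: entries
    within `window` either side of `update_time`. Only the last `tail` lines
    are examined, because the newest entries sit at the end of the log."""
    hits = []
    for line in lines[-tail:]:
        m = LINE_RE.match(line)
        if not m or m.group("level") not in ("ERROR", "WARNING"):
            continue  # unparsable or informational line
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        if abs(ts - update_time) <= window:
            hits.append((ts, m.group("level"), m.group("msg")))
    return hits


# Constructed sample lines for a 01:00 scheduled update (not real log output).
SAMPLE_LOG = """\
3/2/2009 01:00:02 INFORMATION: Scheduled scanner update started
3/2/2009 01:00:45 WARNING: Unable to contact update server, retrying
3/2/2009 01:03:10 ERROR: Engine update failed: could not download package
3/2/2009 01:05:00 INFORMATION: Scheduled scanner update finished
3/2/2009 03:15:00 ERROR: Unrelated error well outside the update window
""".splitlines()


if __name__ == "__main__":
    for ts, level, msg in find_update_problems(SAMPLE_LOG, datetime(2009, 3, 2, 1, 0)):
        print(ts, level, msg)
```

Run it against the real file with `find_update_problems(open(path, errors="replace").read().splitlines(), ...)`, using the path for your product from the list above.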
Signature Version – The engine vendor’s version number for the current set of definition files. Each vendor increments their Signature Version number with each engine update. This number will update anywhere from every couple of days to hourly, depending on the AV vendor.
Support Case – An “incident”, “call” or problem occurrence, opened by a customer with Microsoft to investigate a specific product issue. Microsoft Customer Service and Support (CSS) handles support cases. You can visit the main Microsoft Support page to browse support options and to open support cases by phone or online.
Update Version – Microsoft’s own number to represent the signature version in a standard format (standard for all Antigen/Forefront engines).