Frequently Asked Questions

• Can the product be configured to remove unwanted files from archive files?
• Sometimes e-mails are getting stuck in the Exchange queue and users are unable to view their e-mails in Outlook. Usually restarting the F-Secure Anti-Virus for Microsoft Exchange service has fixed the problem. What is wrong?
• Why quarantined messages cannot be sent to the recipients on a mailbox-only server?
• Why are certain clean files detected as medium virus threats?
• Does F-Secure Anti-Virus for Microsoft Exchange 7 scan messages with OLE objects?
• Why creating or removing scheduled tasks does not work and manual scanning does not end?
• Why I have started to get warnings of Email.0Day.Malware?
• What do the Zero Hour related spam classifications mean?
• Why notifications are not sent when the message contained both blocked and infected attachments?
• Can I use F-Secure Policy Manager 6 to manage F-Secure Anti-Virus for Microsoft Exchange 7.0?
• Why Outlook Web Access reports about a conflict with the original item?
• Why F-Secure Anti-Virus for Microsoft Exchange 7.0 does not work with Microsoft Exchange Server 2007 evaluation version?
• Why F-Secure Anti-Virus for Microsoft Exchange lets empty attachments pass through even when attachment stripping has been turned on?
• How I can install F-Secure Content Scanner Server on a dedicated server with F-Secure Anti-Virus for Microsoft Exchange 7.0?
• Why F-Secure Anti-Virus for Microsoft Exchange does not send alerts by e-mail to the administrator?
• Why there is a small delay before some of the new settings are taken into use?
• Is it normal that the original message is included as an attachment when an infected file has been removed from a message?
• Why there are hourly peaks of activity on the Exchange server after installing the product?
• Why I get error message about PSAPI.DLL during the installation?
• Why messages cannot be released from the quarantine?
• Is F-Secure Anti-Virus for Microsoft Exchange compatible with F-Secure Policy Manager 7.0 on the same server?
• Is F-Secure Anti-Virus for Microsoft Exchange compatible with F-Secure Anti-Virus for Windows Servers 7.0?
• How to white or blacklist certain e-mail addresses?
• Why the MSDE installation fails during the setup when I have a space character in the password?
• How the proxy authentication settings for F-Secure Content Scanner Server can be set in centralized administration mode?
• How to configure F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper to protect against the WMF (Windows Metafile) vulnerability?
• Why the installation terminates with error about Graphical User Interface DLL?
• What is the difference between dns_available setting values test and yes in the RBL configuration file?
• Why spam definition databases have not been updated for a while?
• Why virus notificiation message is not always displayed when the message is viewed with POP3 mail client?
• Why the product calls Outbox as MDB Transport Queue Folder in the warning messages?
• Why outbound virus statistics grow even though there are no infected computers in the organization?
• After upgrading to F-Secure Anti-Virus for Microsoft Exchange 6.3x lots of SCIP error 7 messages started to appear.
• Why I'm getting errors about database updates being older than the previously accepted one?
• Why some encrypted and/or nested archives pass through undetected?
• Why messages under 200 kilobytes are suddenly quarantined or access to them is denied?
• Why spam scanner database updating fails with an error message about missing path?
• Why some of my e-mails are converted to attachments called WINMAIL.DAT?
• Why F-Secure Anti-Virus for Microsoft Exchange gives scanning error messages and quarantines messages?
• How to configure F-Secure Anti-Virus for Microsoft Exchange to protect against the .jpeg vulnerability?
• How I can turn on scanning on a gateway Exchange server?
• Why disclaimer is not added to the outbound HTML mails?
• Why suddenly a relatively several e-mails have been quarantined with the error "malformed header" in the log?
• Why scanning an e-mail causes the processor load go high and stays there for a couple of minutes?
• Why F-Secure Anti-Virus for Microsoft Exchange started to report about "FM API error 20" when scanning e-mails?
• How I can stop viruses or worms, such as Bagle.F, spreading in password protected ZIP files with F-Secure Anti-Virus for Microsoft Exchange?
• Why process called FSWBSTHK.EXE uses 100% CPU time?
• How to check Microsoft Exchange Server Service Pack level?
• I have a problem with a missed warning message to the sender of the infection?
• Why F-Secure Anti-Virus for Server 5.41 Real-Time scanning is disabled when installed on same host with FSAV4MSE+CSS?
• I have upgraded F-Secure Anti-Virus for Microsoft Exchange but only F-Secure Management Agent is updated to new version. What's wrong?
• I am trying to change Primary and Backup Content Scanner Servers settings through F-Secure Policy Manager Console, but changes did not affect F-Secure Anti-Virus for Microsoft Exchange. Why?
• Every time when the server shuts down I get error reports that F-Secure SMTP and Real-Time Scanners cannot connect to the server. What is the problem?
• A message has an attachment with a file extension that should be stripped. Why the attachment was not stripped?
• I have a Public Folder that is excluded from the virus scan, but some messages are scanned and disinfected before they arrive to the excluded Public Folder. Why?
• When examining a raw message that has been disinfected, there seems to be some data that should be stripped. Is the message still infected?
• A message has an VirusInfo.txt file as an embedded OLE object. What is this file and why do I get a warning message when I try to open the file?
• During the installation, I get a notification that an application is requesting access to a protected system. What causes this?
• What happens to e-mails saved in the Drafts folder during the real-time scanning?
• How can I check that F-Secure Content Scanner Server is Up and Running?
• How can I check that the Network Connection to the Original MTA is Working?
• What archive file formats does F-Secure Content Scanner Server support?
• Why I cannot send SMTP alerts to more than one email address?
• A problem opening Local User Interfaces
• How to configure Exchange server if clients access Exchange server using POP3 on Exchange 5.5?
• How to configure Exchange Server 5.5 if it is used only as a gateway (only IMC installed, no mailboxes)?
• What is the difference between Content Scanner Server and F-Secure Anti-Virus for Microsoft Exchange/Internet Mail/Lotus Domino/Firewalls?
• Why i get an error to the F-Secure Anti-Virus for Microsoft Exchange logfile.log "Cannot connect to F-Secure Anti-Virus Server on xxx.xxx.xxx.xxx due to error 8. The agent cannot connect to any of the servers specified in Server Pool".
• Which platforms can Content Scanner Server be installed on?
• I have all of my mailboxes installed on one Exchange server. This server is connected to another server that has the IMS installed. Can I protect my outbound mail with F-Secure Anti-Virus for Microsoft Exchange?
• Why do you recommend to install the product on Windows NT/2000 Server?
• Agent does not start, what I can do?
• Can I run any anti-virus programs locally on my F-Secure Content Scanner Server and at the same time have my e-mail traffic protected by F-Secure Anti-Virus for Microsoft Exchange/Lotus Domino/Internet Mail/Firewalls on the same server?
• Messages on my Exchange server are not scanned instantly as they appear in my inbox. Is there anything I can do?
• What happens to e-mails if the F-Secure Content Scanner Server machine is down?
• What about management features? Does the product work with F-Secure Policy Manager?
• What are the differences anti-virus wise in the SP3 and SP4 for MS Exchange 5.5?
• Can I use the same F-Secure Administrator that I am already using with Workstation Suite?
• Why the time to open a message in mailboxes and public folders increases after installation of F-Secure Anti-Virus Agent.
• Can I use the same F-Secure Policy Manager Server that I am already using with Workstation Suite?
• I run a backup procedure after installing F-Secure Anti-Virus Agent for Microsoft Exchange. Why is the backup speed is low?
• Do I need to use F-Secure Policy Manager Server or can I use a shared directory (CommDir)?
• I installed F-Secure Anti-Virus Agent on Microsoft Exchange 2000 Server and sent a message with a test virus in order to test F-Secure Anti-Virus functionality. The message was not received after 10 minutes. Where is my message?
• What alerting and reporting features are available?
• Is it possible to strip attachments with size greater or equal to a given value?
• How are the virus database updates done?
• I cannot locate the stripped attachments in the Quarantine directory although "Action on Stripped Attachments" is set to "Quarantine." However, infected attachments are present in the Quarantine directory. Where are the stripped attachments?
• Are the newly created mailboxes and Public Folders automatically protected by F-Secure Anti-Virus?
• F-Secure Anti-Virus for Microsoft Exchange/Internet Mail/Lotus Domino/Firewalls found a virus in .zip but could not disinfect it. Why?
• I want to prevent ordinary users from accessing the Quarantine directory. How can I do that?
• Can I use remote installation to install F-Secure Anti-Virus for Microsoft Exchange, FSAV for Internet Mail, FSAV for Firewalls and FSAV for Lotus Domino?
• Why e-mail stay in Outbox for a while after they have been sent?
• Can I install CSS to support multiple F-Secure Anti-Virus Mail Server and Gateway products?
• F-Secure Anti-Virus Agent for Microsoft Exchange complains about connection timeout to CSS. What should be done?
• I have a problem when I try to send a message using Outlook Web Access (OWA)?
• I have tried to install the FSAV for Exchange 6.00 build 32 on a Windows 2000 server running Exchange 2000 server. I am logged in as the domain Administrator. I get a message during the install that it has failed. Installation needs to be performed by a user who is a member of Domain Admins and Schema Admins. I have checked the account I am using and it is a member of both of these groups. Do you have any suggestions?

This applies to F-Secure Anti-Virus for Microsoft Exchange 7.0 and newer.

It is not possible to configure the product to remove files from archive files. It is not possible to remove, for instance executable files from a ZIP package and leave the rest of the files inside that particular archive intact.

The "List of Files to Scan Inside Archives" option under the Archive Processing sections defines only what files are scanned within archive files. It cannot be used to remove files from the archives even if the "Disallowed Files" option is selected.

This applies to F-Secure Anti-Virus for Microsoft Exchange version 6.62.

These kinds of problems have been occurring occasionally when F-Secure Anti-Virus for Microsoft Exchange has been installed on the same host with F-Secure Policy Manager version 7.10 or earlier. The problem has been caused by a wrong startup type of the F-Secure Automatic Update Agent service. F-Secure Anti-Virus for Microsoft Exchange requires that the startup type of this service is "Manual". There are multiple solutions to this problem. The startup type can be manually changed to type "Manual" or F-Secure Policy Manager can be upgraded into version 7.20 or later.

This applies to F-Secure Anti-Virus for Microsoft Exchange 7.0 and newer, when installed a Microsoft Exchange Server 2007 with only Mailbox Role (i.e. without the Hub Transport Role).

If the Exchange server has just the Mailbox Role, the messages quarantined on the server cannot be delivered to the recipients when the administrator releases them from the quarantine using F-Secure Anti-Virus for Microsoft Exchange Web Console. Quarantine requires either SMTP transport or pickup folder on the server.

An environment with sole Mailbox Role server typically has a separate server with the Hub Transport Role installed. This server can be used to deliver the messages released from the quarantine.

To solve the problem, please follow these steps:

• Hub Transport Role Server: Share the Pickup folder on the Exchange Hub Server. By default the Pickup folder is located at %Program Files%\Microsoft\Exchange Server\TransportRoles\Pickup. Please use the default name (Pickup) for this share so that it can then be accessed at \\HubServerName\Pickup.
• Hub Transport Role Server: From Properties / Sharing / Permissions, please assign Read and Change permissions to the folder for the Exchange Servers group or for the Mailbox Role Server(s) directly.
• Hub Transport Role Server: From Properties / Security, please assign all the permissions except FullControl and Special for the Pickup Folder.
• Mailbox Role Server: Open the Registry Editor and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FSAVMSED\Parameters subkey. If the Parameters subkey does not exist, please create it.
• Mailbox Role Server: Under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FSAVMSED\Parameters subkey, create PickupFolderPath string value that points to the Hub Server's Pickup Folder share created earlier (\\HubServerName\Pickup)

Once these steps have been completed, the quarantine in the F-Secure Anti-Virus for Microsoft Exchange works properly also on the Mailbox Role only servers. No reboot or restart is needed after these steps, the product will take these changes into use automatically.

This applies to F-Secure Anti-Virus for Microsoft Exchange 6.60 and newer.

The proactive virus threat detection used in the F-Secure Anti-Virus for Microsoft Exchange does not use signature based detection. This means that there are no static rules of what is considered as medium virus threat and what is not.

The medium virus threat classification is determined by heuristics based on multiple parameters, specially designed to be able to react to possible virus outbreaks within the first minutes of the initial virus launch. This also means that sometimes normal clean files can possibly be classified as medium virus threats.

In situations like this, F-Secure Anti-Virus for Microsoft Exchange with default settings will stop the e-mail and quarantine it. However, this e-mail will be reprocessed 3 times within the following 24 hours. If the e-mail is not confirmed of containing any known malware during that time, the product can be configured to release the e-mail to the original recipient(s). These timers are also configurable for faster releasing.

These e-mails can also be manually released sooner if necessary with the F-Secure Anti-Virus for Microsoft Exchange Web Console. However, for the obvious security reasons, in uncertain situations it is recommended to wait for the confirmation cycle to complete.

This applies to F-Secure Anti-Virus for Microsoft Exchange 7.0 and newer.

Although there is no longer a setting to control the OLE object scanning, F-Secure Anti-Virus for Microsoft Exchange scans the OLE objects in the e-mail messages and notes posted in the public folders. Previous versions of the product had a separate setting for this but starting from version 7.0 the scanning of the OLE objects is always on when the virus scanning is enabled.

This applies to F-Secure Anti-Virus for Microsoft Exchange 7.0 and newer.

If creating or removing scheduled tasks does not work properly, or the manual scanning does not seem to end at all, please check that the Microsoft Exchange Store is running. If the store has not started or has been stopped or crashed, scheduled tasks and manual scanning functions in the F-Secure Anti-Virus for Microsoft Exchange will not work either. Depending on the environment, there may be a number of other non-working functions too, if the Microsoft Exchange Store is not running.

Microsoft Exchange Store is a crucial component in the Exchange Server and the functionality in F-Secure Anti-Virus for Microsoft Exchange depends on the availability of the store process.

This applies to F-Secure Anti-Virus for Microsoft Exchange 7.0.

Email.0Day.Malware is a generic detection name for new, undefined malware. E-mail worms at the beginning of their spam run is an example of malware that could be detected as such.

The detection is made by the Zero-Hour Protection implemented in F-Secure Anti-Virus for Microsoft Exchange 7.0.

For more information, please check the F-Secure Malware Information Pages: Email.0Day.Malware.

This applies to F-Secure Anti-Virus for Microsoft Exchange 6.60 and newer with the F-Secure Spam Control module.

When viewing the full message headers, there will be one line starting with X-Spam-Status. This line may contain names of multiple different tests the message has been subjected to. Some of the tests are related to the heuristic spam scanning, while the Zero Hour spam classifications are the following:

• clConfirmed: The e-mail is confirmed spam message.
• clBulk: The e-mail is likely a bulk mail, for example a newsletter type of posting.
• clSuspected: The e-mail has been sent to slightly larger than average distribution, or an unidentified spam message sent during the first few seconds of a massive spam outbreak.
• clUnknown: The e-mail does not have any spam-like characteristics.
• clNone: The e-mail is certainly not a spam, comes from a trusted source.

This applies to F-Secure Anti-Virus for Microsoft Exchange 7.0.

F-Secure Anti-Virus for Microsoft Exchange 7.0 has the priority for the notifications about infected content over the notifications about stripped, unallowed content.

The product can be configured to send a notification (to sender and/or recipient) about stripped attachments, but at the same time not to send notifications about infected messages. In typical situations the product would then notify the recipient about the unwanted attachment stripped off from the message, but whenever a virus is detected in a message, the product would not notify the recipient in any way.

However, if the same message contains an infected file as well as unwanted attachment, the recipient would not get notification about this if virus notifications are turned off.

This applies to F-Secure Anti-Virus for Microsoft Exchange 7.0 when used in centrally managed environments.

Technically it is possible to use F-Secure Policy Manager version 6.0 to manage also F-Secure Anti-Virus for Microsoft Exchange 7.0, although there will be some functionality which will not work as intended. At least the new Lists and Templates functionality will not be as simple to use under F-Secure Policy Manager 6 as it is under F-Secure Policy Manager 7.

Officially F-Secure will support only F-Secure Policy Manager 7 with F-Secure Anti-Virus for Microsoft Exchange in centrally managed environments.

This applies to F-Secure Anti-Virus for Microsoft Exchange 7.0.

If an internal user tries to send a message with infected attachment using Outlook Web Access, it may report the following error message:

The action could not be completed because of a conflict with the original item. The conflict may have occurred when an existing item was updated on another computer or device. Open the item again and try making your changes. If the problem continues, contact technical support for your organization.

This is because F-Secure Anti-Virus for Microsoft Exchange has detected a virus in the attachment. If the user tries to send the message again, the message will be sent but without the attachment. At the same time a blank message with an attachment nmaed "Attachment_information.txt" will remain in the user's Drafts folder. The "Attachment_information.txt" will contain information about the virus detected in the message.

This applies to F-Secure Anti-Virus for Microsoft Exchange 7.0 when installed on Microsoft Exchange Server 2007 32-bit evaluation version.

Version 7.0 of F-Secure Anti-Virus for Microsoft Exchange supports only the 64-bit version of Microsoft Exchange Server 2007. The product cannot be installed on the 32-bit version of Microsoft Exchange 2007. Please refer to the product's Administration Guide or the Release Notes for system requirements.

This applies to all the versions of F-Secure Anti-Virus for Microsoft Exchange.

Attachments with size of 0 bytes will pass through the product even if the attachment stripping has been turned on with the file extension on the stripped attachments list. This is by design, as zero-sized files cannot contain any malicious code.

This applies to F-Secure Anti-Virus for Microsoft Exchange 7.0.

The possibility of having F-Secure Content Scanner Server on a dedicated server was discontinued with F-Secure Anti-Virus for Microsoft Exchange version 7.0. F-Secure Content Scanner Server is the scanning component in the product. Starting from version 7.0, the whole product must be installed on the Microsoft Exchange Server 2007.

Having the F-Secure Content Scanner Server on the same server with the Microsoft Exchange Server 2007 improves the scanning performance, as the scanning can be done in memory without need to transfer the data through the network and save on the disk.

This applies to F-Secure Anti-Virus for Microsoft Exchange 7.0.

In Microsoft Exchange Server 2007, the message relaying is tightly restricte

This means that the product cannot send SMTP alerts and reports unless some changes are done in the Microsoft Exchange Server 2007 configuration. These changes can be done before or after the product has been deployed.

For step-by-step instructions how to enable sending the alerts, please refer to the Appendix C in the F-Secure Anti-Virus for Microsoft Exchange 7.0 Administrator's Guide.

This applies to F-Secure Anti-Virus for Microsoft Exchange 7.0.

There may be a short delay before new Transport Protection settings are taken into use. The delay is because the Microsoft Exchange Server 2007 has a certain polling interval for changed anti-virus related settings. Typically this delay is only some seconds. When the new settings have been taken into use, F-Secure Anti-Virus for Microsoft Exchange will add the following message in Logfile.log:

The F-Secure Anti-Virus for Microsoft Exchange Transport Agent received new settings.

This applies to all versions of F-Secure Anti-Virus for Microsoft Exchange.

When the product has been configured to remove the infected attachments only, the actual message body of the original e-mail will be delivered to the recipient as an attachment. This occurs if the product has been configured to include a notification about the removed content.

This applies to F-Secure Anti-Virus for Microsoft Exchange version 6.62 and earlier.

F-Secure Anti-Virus for Microsoft Exchange checks the Microsoft Exchange mailbox and public folder databases for newly added mailboxes and public folders once in an hour by default. This may result to increased CPU and disk activity on an hourly basis and in some environments might cause performance problems too.

If necessary, the default mailbox and public folder polling intervals can be changed. This can increase the performance on the server. The settings can be found at F-Secure Anti-Virus for Microsoft Exchange / Settings / Advanced with F-Secure Policy Manager. For installations managed through the product's Web Console the settings can be found in the Advanced section on the F-Secure Anti-Virus for Microsoft Exchange tab.

If the public folders have been located on a separate server from the mailboxes, the mailbox server can have the public folder polling disabled. If the public folder server does not have mailboxes, the mailbox polling can be disabled.

This applies to F-Secure Anti-Virus for Microsoft Exchange 6.61 on all the supported platforms.

When installing F-Secure Anti-Virus for Microsoft Exchange, an error message saying "FSSetup.exe - Entry Point Not Found - The procedure entry point GetProcessImageFileNameW could not be located in the dynamic link library PSAPI.DLL." may show up. This error shows up sometimes once, sometimes a couple of times.

The error occurs on servers which have also Microsoft Internet Explorer 7.0 installed. The reason for the error message is a conflict between different versions of the PSAPI.DLL in the F-Secure Anti-Virus for Microsoft Exchange installation package and the one used by Microsoft Internet Explorer 7.0.

The error message is cosmetic, clicking OK will clear the situation and the installation will proceed normally. However, because of a certain time-out in the installation, the installation may fail if there is a long delay after the error message comes up before the administrator clicks OK.

This applies to F-Secure Anti-Virus for Microsoft Exchange 6.61 on all the supported platforms.

The product is not able to release e-mails from the quarantine if the Notification Sender Address has been set to be a public folder. The sender must be a mailbox with SMTP address, public folders cannot be used.

In centrally managed environments, the setting can be found at F-Secure Anti-Virus for Microsoft Exchange / Settings / Reporting and on the product's own web console it is on the Anti-Virus for Microsoft Exchange tab on Virus Scanning / Common page.

This applies to F-Secure Anti-Virus for Microsoft Exchange 6.61 on all the supported platforms.

F-Secure Anti-Virus for Microsoft Exchange 6.61 is not compatible with F-Secure Policy Manager Server 7.0 when installed on the same server. This compatibility is included to F-Secure Anti-Virus for Microsoft Exchange 6.62, scheduled to be released during Q1/2007.

This applies to F-Secure Anti-Virus for Microsoft Exchange 6.61 on all the supported platforms.

F-Secure Anti-Virus for Microsoft Exchange 6.61 and F-Secure Anti-Virus for Windows Servers 7.0 can be installed on the same server. The release notes file for F-Secure Anti-Virus for Windows Server outline the installation procedure, but the main thing with the installation is the installation order:

1. F-Secure Anti-Virus for Microsoft Exchange 6.61
2. F-Secure Anti-Virus for Windows Servers 7.0

If installed in the opposite order, the installation of the F-Secure Anti-Virus for Microsoft Exchange 6.61 will fail. To correct the situation, F-Secure Anti-Virus for Windows Servers 7.0 must be first uninstalled - after which the installations must be done in the order listed above.

This applies to F-Secure Anti-Virus for Microsoft Exchange 6.60 and newer when installed together with the F-Secure Spam Control.

F-Secure Anti-Virus for Microsoft Exchange uses two different approaches to scan e-mail messages for spam messages. Starting from version 6.60, the product uses zero hour techniques to verify whether e-mails are spam or not. Messages cannot be white or blacklisted with this method. The product also utilizes the traditional heuristic scanning for spam messages. At this stage the e-mail addresses can be verified against black and whitelisted addresses.

To enable the black and whitelisting, you need to create a text file with name BWL.TXT in the %Program Files%\F-Secure\Spam Control directory. The following settings can be used to specify the blocked and safe senders and/or recipients:

This applies to F-Secure Anti-Virus for Microsoft Exchange 6.60 when installed together with the Microsoft SQL Server 2000 Desktop Engine (MSDE).

MSDE does not support the space character in the password. During the F-Secure Anti-Virus for Microsoft Exchange setup the administrator is asked to specify password for the 'sa' user account. If the password contains space, the installation will start but will result to a fault during the MSDE installation phase.

To overcome this problem, please specify a password without a space in it.

This applies to F-Secure Anti-Virus for Microsoft Exchange 6.60 when installed in the centralized administration mode.

Even when the product is installed in centralized administration mode, the proxy authentication settings for F-Secure Content Scanner Server must be set in the products' own web user interface. This is by design because of the security reasons as the policy files in F-Secure Policy Manager environment are not encrypted.

However, there is a bug in the web user interface which causes these settings to be greyed out in centralized administration mode. The following workaround can be used to overcome the problem:

1. In the product's web user interface, open the Home tab and click the Configure... button for F-Secure Management Agent.
2. Select the Stand-alone as the Communication method.
3. Open the Content Scanner Server tab and select the Proxy Configuration from the tree view on the left side of the user interface.
4. Fill in the fields on the Proxy Configuration page.
5. Go back to the F-Secure Management Agent settings (see step 1).
6. Return the Communication method back to F-Secure Policy Manager Server.

This applies to F-Secure Anti-Virus for Microsoft Exchange 6.40 and all the supported versions of F-Secure Internet Gatekeeper on Windows.

Refer to:
http://www.f-secure.com/news/items/news_2005123000.shtml.

Microsoft and CERT.ORG have issued bulletins on the Windows Metafile vulnerability:
http://www.microsoft.com/technet/security/advisory/912840.mspx
http://www.kb.cert.org/vuls/id/181038

F-Secure Internet Gatekeeper by default scans all attachments from incoming email traffic providing also the scanning of the WMF files. However, when using HTTP or FTP-over-HTTP scanning the WMF file extension should be added to the list of included content types.

In the Policy Manager Console:
Add a WMF file extension to the existing entry in the Included Content Types table as follows:
F-Secure Anti-Virus for Internet Gateways/Settings/Content Control/Virus Scanning/Included Content Types:
Active = Enable | Content Type = * | Filename/Extension(s) = "*.WMF" (without the quotation marks).

F-Secure Anti-Virus for Microsoft Exchange should be configured by adding the WMF file extension to the list of "Included Extensions".

In Policy Manager Console:
F-Secure Anti-Virus for Microsoft Exchange/Settings/Real-Time Processing/Virus Scanning/Included Extensions:
Included Extensions (Octet String) = "*.WMF" (without the quotation marks).

To make sure that the WMF files are caught if arriving packed inside an archive, please check that scan inside archives setting is enabled and the proper list of extensions is set to be scanned in the archives:
F-Secure Content Scanner Server/Settings/Virus Scanning/Scan Inside Archives = Enabled

Add the above extension to the list of extensions to be scanned inside archives:
F-Secure Content Scanner Server/Settings/Virus Scanning/Scan Extensions Inside Archives=[default list] + the list above

These settings are available also through both products' web console in the stand-alone installations.

This applies to F-Secure Anti-Virus for Microsoft Exchange 6.40 and earlier on any of the supported platforms.

When installing the product on an Exchange server, the installation fails right in the beginning with an error message "Unable to initialize Graphical User Interface DLL (Fssgui.dll)". After clicking the OK button the installation terminates. This error occurs in situations where there has been a previous installation (or attempted installation) of some certain F-Secure products on the server and there are some registry settings left behind from that.

To solve this problem the registry settings need to be removed. To do that, perform the following steps:

1. Start the Registry Editor by clicking Start -> Run... and type Regedit in the prompt.
2. Find this registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Data Fellows\F-Secure\Customization\].
3. Delete it and all the branches under it.

After doing this, please start the F-Secure Anti-Virus for Microsoft Exchange installation again.

This applies to F-Secure Anti-Virus for Microsoft Exchange 6.40 with F-Secure Spam Control.

The RBL (Real-Time Blackhole List) configuration file (fssc.cfg and fssc_example.cfg) contains setting called "dns_available". By default this is set to "test". The documentation in the file claims that it should be set to "yes". That is a mistake in the documentation and the setting normally should be left to be "test."

When the setting is set to "test", the product first verifies that the network connections before starting to do the actual RBL checks. The product makes a few test queries and, if successful, it proceeds with the actual RBL checks. These tests are performed when the product is started and then subsequently after every 5000 e-mails.

If the setting is changed to "yes", these tests are not done. This is useful mainly in network related troubleshooting situations - typically the setting should be left to "test".

This applies to F-Secure Anti-Virus for Microsoft Exchange 6.30, 6.31 and 6.40 beta when Spam Control module is installed.

Because of certain technical limitations with the spam database format used by the Spam Control module in F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper, F-Secure did not release new spam definition databases to the automatic update channel used by these products for a short period.

The database format limitations have been solved in F-Secure Content Scanner Server hotfix 4, available on the Hotfix download pages. Installing this hotfix is required for the automatic spam database updates. Environments without the Spam Control module do not benefit from this hotfix.

Users of the affected products with the Spam Control module enabled may update the latest spam definition databases also manually. This should be done if spam detection capabilities with the current databases seem to degrade. The databases can be easily updated manually following these steps:

1. First download the newest database as a ZIP archive by clicking this link.
2. Stop the F-Secure Content Scanner Server Daemon through Control Panel / Administrative Tools / Services applet
3. Unzip the downloaded file to the %Program Files%\F-Secure\Spam Control\ directory
   • Please make sure the "Use Folder Names" or equivalent setting in the Unzip program is selected.
   • Answer "Yes" when asked about overwriting existing files.
   • If the product is installed in non-default directory, unzip the file there.
4. F-Secure Anti-Virus for Microsoft Exchange 6.3x users: Reboot the server.
5. F-Secure Anti-Virus for Microsoft Exchange 6.40 users: Start the F-Secure Content Scanner Server Daemon through Control Panel / Administrative Tools / Services applet

After updating the databases, the spam definition database version in the user interfaces will display "2005-03-01_01" or newer. This will be visible in the Web Console and in network administered mode also in the F-Secure Policy Manager Console. In some cases it may take a few minutes before the user interfaces display the correct database version.

This applies to F-Secure Anti-Virus for Microsoft Exchange 6.3x on all the supported platforms when e-mails are read with POP3 (Eudora, Netscape Messenger etc.) mail clients.

Because of Exchange database synchronization issues, it is not always possible to display the notification text if the particular e-mail has been sent with SMTP to the Exchange server and it is read with a POP3 mail client.

There isn't a workaround to this problem. However, the problem does not affect the product ability to scan messages, it affects only to the notification message displayed to the user.

This applies to any version of F-Secure Anti-Virus for Microsoft Exchange on all the supported platforms, when the mail client is Outlook 2003.

If Outlook 2003 user sends e-mail with malicious content to another Outlook 2003 user within the same Exchange server and same store, F-Secure Anti-Virus for Microsoft Exchange detects the virus or other unwanted content normally. However, when it composes notification message or administrator alert about the incident, it may display the user mailbox in the following way:

Folder: /MBX/Mailbox Store (SERVER_NAME)/NON_IPM_SUBTREE/MDB Transport Queue Folder

This problem occurs when "Cached Exchange Mode" is in use. The product is scanning messages properly, only the folder name is not displayed in the normal way.

The only way to change the Folder: to display "Outbox" is to disable the Cached Exchange Mode in Outlook. It can be disabled from Tools / E-Mail Accounts... / View or change existing accounts. In the dialog, click "Next" and then "Change..." for your Microsoft Exchange Server account. Unselect the "Use Cached Exchange Mode" checkbox to switch off the mode.

This applies to F-Secure Anti-Virus for Microsoft Exchange 6.30 and above on all the supported platforms.

Many viruses use e-mail to spread and they send themselves to random e-mail addresses, such as "Joe.User@example.com". If the e-mail address does not exist in the "example.com" domain, Microsoft Exchange tries to bounce the message back to the sender. The e-mail is scanned at that point and, if it contains a virus, the virus will be then added to the outbound virus statistics.

This applies to any version of F-Secure Anti-Virus for Microsoft Exchange 6.30 and 6.31 on all the supported platforms, when upgraded from a previous version in a centrally administered environment.

If the MIB files are not imported to the F-Secure Policy Manager during the upgrade installation, they must be installed manually using the IMPTMIB.EXE tool included with the product. Otherwise the F-Secure Policy Manager will have old versions of the MIB files where the "Max Size of Data Processed In-Memory" has been defined in bytes while it should have been in kilobytes. Because of this the product will get wrong value and behaves incorrectly.

To correct the situation, install the correct MIB files to the F-Secure Policy Manager using the F-Secure Anti-Virus for Microsoft Exchange 6.31 IMPTMIB tool downloadable here.

The IMPTMIB.EXE tool must be run on the F-Secure Policy Manager Server or F-Secure Policy Manager Console computer. After the installation the policies must be distributed.

This applies to F-Secure Anti-Virus for Microsoft Exchange 6.30 and 6.31 on all the supported platforms in centrally administered environments, when F-Secure Automatic Update Agent is installed on the same server. F-Secure Automatic Update Agent is always installed when Spam Control is installed.

The symptoms for this problem are the following two error messages, shown frequently in the logs and sent to the administrator:

42 2004-11-07 23:58:00+02:00 server_name SYSTEM F-Secure Content Scanner Server 1.3.6.1.4.1.2213.18.6 The database update is older than the previously accepted one.
43 2004-11-07 23:58:00+02:00 server_name SYSTEM F-Secure Content Scanner Server 1.3.6.1.4.1.2213.18.6 Updating virus definition databases was unsuccessful.

This problem is caused by the fact that the F-Secure Automatic Update Agent downloads the databases directly from the F-Secure update servers. This polling is done typically once in a hour. At the same time the product contacts F-Secure Policy Manager Server in the organization and downloads the databases. This is done by default every ten minutes, but the interval is configurable.

One of these components always manages to download and install the new databases first. The second attempt of the database update will fail with the above error message, as there is already the same database in use.

Workaround to stop these alerts is to stop F-Secure Content Scanner Server from polling the F-Secure Policy Manager Server for database updates. This can be configured with F-Secure Policy Manager Console by setting F-Secure Content Scanner Server / Settings / Database Updates / Poll Automatically to "Disabled" and distributing the policies.

After changing this setting, the product will not try to download databases from the F-Secure Policy Manager Server. It will still continue downloading the databases with the local installation of F-Secure Automatic Update Agent. It will also report the database updates and versions to the F-Secure Policy Manager and will send out an alert should the databases become outdated.

This applies to F-Secure Anti-Virus for Microsoft Exchange versions 6.30, 6.30 Service Release 1 and 6.31.

In some cases the product is not able to detect encrypted or nested archives in e-mail or public folder messages. This problem has been corrected in F-Secure Anti-Virus for Microsoft Exchange 6.3x Hotfix 2, available on the F-Secure Anti-Virus for Microsoft Exchange hotfix download page.

F-Secure recommends all the F-Secure Anti-Virus for Microsoft Exchange users to apply this hotfix.

This applies to F-Secure Anti-Virus for Microsoft Exchange 6.30 and 6.30 Service Release 1 with Spam Control enabled on any of the supported platforms.

This problem occurs because of a change in the spam database structure change. F-Secure released a new spam database on October 13th, 2004. A hotfix is required to enable the spam database updates to continue - see more information about this below in a separate FAQ about F-Secure Content Scanner Server 6.40 Hotfix 2.

After installing the hotfix the product works normally until the F-Secure Content Scanner Server is restarted, for example in a reboot. After that the product will report scanning error of all the incoming SMTP e-mails smaller than 200 kilobytes. This will result all the incoming SMTP mails being quarantined or the access to them is denied, depending on which version and hotfix is installed:

Quarantined:

• F-Secure Anti-Virus for Microsoft Exchange 6.30 (the original release)

• F-Secure Anti-Virus for Microsoft Exchange 6.30 with Hotfix 1 installed
• F-Secure Anti-Virus for Microsoft Exchange 6.30 Service Release 1

To solve the problem, F-Secure Content Scanner Server 6.40 Hotfix 2 must be installed. After installing, it is required to install the spam scanner databases manually for the first time like described below:

• First download the database by clicking this link.
• Unzip the file to the %Program Files%\F-Secure\Spam Control\ directory - please make sure the "Use Folder Names" or equivalent setting in the Unzip program is selected.
• Reboot the server.

The subsequent spam database updates will be installed and taken into use fully automatically.

To deliver the quarantined e-mails they need to be copied to the Exchange Server's pickup directory manually. Microsoft Exchange Server will then process them just like any other inbound SMTP mails. They will also be scanned for viruses and spam by F-Secure Anti-Virus for Microsoft Exchange. Copying can be done like this:

• Go to the quarantine directory %Program Files%\F-Secure\Anti-Virus Agent for Microsoft Exchange\quarantine\suspect\MSESMTPxxxx\
• Copy all the files from there to %Program Files%\Exchsrv\Mailroot\vsi 1\PickUp\
• Repeat this to all the MSESMTPxxxx directories if there are more than one of them.

Please note that the e-mails stored in the other quarantine directories (MSERTSxxxx) cannot be restored to the pickup directory. Also note that the directories above are the default directories. If the products are installed in other directories, or if the quarantine or pickup directories have been changed after the installation, you need to use them instead.

This applies to F-Secure Anti-Virus for Microsoft Exchange 6.30 and 6.30 Service Release 1 with Spam Control enabled on any of the supported platforms.

This problem occurs because of a change in the spam database structure change. Spam scanner database updating fails to an error about missing path like this:

19 2004-10-13 15:35:04+03:00 EXCHANGE_SERVER Example\administrator F-Secure Content Scanner Server 1.3.6.1.4.1.2213.18.6 Started updating spam scanner database.
20 2004-10-13 15:35:06+03:00 EXCHANGE_SERVER Example\administrator F-Secure Content Scanner Server 1.3.6.1.4.1.2213.18.1 The file 'C:\Program Files\F-Secure\Spam Control\lib\Mail\SpamAssassin\Util\RegistrarBoundaries.pm' cannot be written to due to error: The system cannot find the path specified. .
21 2004-10-13 15:35:06+03:00 EXCHANGE_SERVER Example\administrator F-Secure Content Scanner Server 1.3.6.1.4.1.2213.18.6 Updating spam scanner database was unsuccessful.

F-Secure has released hotfix (F-Secure Content Scanner Server 6.40 Hotfix 2) to solve the problem. It can be downloaded from the F-Secure Anti-Virus for Microsoft Exchange 6.30 Hotfix Page. This hotfix requires a reboot, but it can be done after the spam databases have been manually updated as described below.

Revised on October 14th, 2004:

It is strongly recommended to install the spam database manually for the first time after applying this hotfix. If this is not done, on the next restart of the F-Secure Content Scanner Server the product will issue a scanning error with all the e-mails under 200 kilobytes.

Spam databases can be updated manually with these steps:

• First download the database by clicking this link.
• Unzip the file to the %Program Files%\F-Secure\Spam Control\ directory - please make sure the "Use Folder Names" or equivalent setting in the Unzip program is selected.
• Reboot the server.

After doing this, the subsequent spam database updates will be installed and taken into use fully automatically.

This applies to F-Secure Anti-Virus for Microsoft Exchange 6.30 on all the supported platforms.

Certain type of SMTP messages will get broken in scanning, so that they are incorrectly converted to corrupted MS-TNEF format and in result may show up as attachments called WINMAIL.DAT. This happens because the terminating symbol of the mail is lost during processing of these types of messages.

Hotfix 1 for F-Secure Anti-Virus for Microsoft Exchange 6.30 solves this problem. After installing it the messages will remain in their original format. It is strongly recommended to install the Hotfix 1 since it contains other critical fix as well. The hotfix can be downloaded from F-Secure Anti-Virus for Microsoft Exchange hotfix page.

This applies to F-Secure Anti-Virus for Microsoft Exchange 6.30 on all the supported platforms.

The default scanning logic in F-Secure Anti-Virus for Microsoft Exchange 6.30 is such that, if F-Secure Content Scanner Server fails to process a given file because of virus scanning engine malfunction or some other failure, the product will report scan failure for the file being scanned. If an error is reported for three consecutive scan attempts, the file will quarantined and removed from the Microsoft Exchange store.

In some rare situations the virus scanning engines may remain in malfunction state after a particular file has been scanned. This may lead to a lot of quarantined items, especially if the error occurs before or during a backup operation.

The quarantined items contain e-mail messages where the message body and attachments are saved in different files. This is due to the fact that the virus scanning interface (AV API) in the Microsoft Exchange Server delivers the messages divided to separate parts to F-Secure Anti-Virus for Microsoft Exchange. F-Secure Anti-Virus for Microsoft Exchange is not able to reassemble the message, as Microsoft Exchange does not provide information on which parts belong to which message. Microsoft Exchange also does not provide the message headers to the virus scanner.

F-Secure has released a hotfix to solve the problem and recommends all the users of F-Secure Anti-virus for Microsoft Exchange version 6.30 to take the hotfix into use. The hotfix can be downloaded from the F-Secure Anti-Virus for Microsoft Exchange hotfix page.

This hotfix changes the scanning logic in F-Secure Anti-Virus for Microsoft Exchange so that after three scan attempts an error will be returned to Microsoft Exchange Information Store and F-Secure Anti-Virus for Microsoft Exchange will not modify the mail. The message will remain in the Microsoft Exchange store and F-Secure Anti-Virus will not quarantine it. The product will try to scan the message again when it is accessed the next time. The message cannot be accessed before the virus scanning engine malfunction has been corrected.

This hotfix also enables the "Gateway Mode Scanning" setting permanently. After installing the hotfix, this setting in the product user interfaces cannot any longer be used to control the behavior of the product. If the setting was "No" (default) before installing this hotfix, the product will still display the status as "No" even though it has been permanently set on.

This applies to all the versions of F-Secure Anti-Virus for Microsoft Exchange on any of the supported platforms.

A security vulnerability related to processing of picture files in the JPG-format has been reported recently. The vulnerability is present in Windows XP (without service pack 2) and Windows Server 2003 operating systems as well as several other products from Microsoft. This vulnerability does not pose an immediate threat to users at the moment. But viruses that use this vulnerability are likely to appear in the future. F-Secure wants to draw your attention to this, as a successful JPG-virus would be unique and break many common believes about how viruses replicate.

Affected file extensions are the following: BMP DIB EMF GIF ICO JFIF JPE JPEG JPG PCX PNG RLE TGA TIF TIFF WMF

F-Secure Anti-Virus for Microsoft Exchange can be configured to protect the user against the .jpeg vulnerability with the following settings. The setting names and locations are based on the F-Secure Policy Manager Console, but the same settings can be found also in the local user interface.

• F-Secure Anti-Virus for Microsoft Exchange/Settings/Real Time Processing/Virus Scanning/Examine Attachments=All Attachments with Included Extensions (default)

Add the list above to the included extensions to be scanned:

• F-Secure Anti-Virus for Microsoft Exchange/Settings/Real Time Processing/Virus Scanning/Included Extensions

See also that scan inside archives is enabled and the proper list of extensions is set to be scanned in the archives:

• F-Secure Content Scanner Server/Settings/Virus Scanning/Scan Inside Archives=Enabled

Add the list above to the list of extensions to be scanned inside archives:

• F-Secure Content Scanner Server/Settings/Virus Scanning/Scan Extensions Inside Archives=[default list] + the list above

For more information about the issue, please check the following pages:

General information: http://www.f-secure.com/news/items/news_2004100500.shtml

Technical Description: http://www.f-secure.com/v-descs/ms04-028.shtml

This applies to F-Secure Anti-Virus for Microsoft Exchange 6.2x when used with Microsoft Exchange Server 2000 or 2003.

By default, of the inbound e-mail traffic, F-Secure Anti-Virus for Microsoft Exchange scans only messages coming to local mailboxes. If the Exchange Server is used as a gateway or a front-end server delivering inbound e-mails to other mail servers inside the organization, those messages will not be scanned by default.

F-Secure has released a tool to toggle this behaviour. This tool must be executed locally from the command prompt on the gateway or front-end Microsoft Exchange Server.

Usage of the tool:

• fsgwmse.exe ON ---------- turns the scanning on
• fsgwmse.exe OFF ---------- turns the scanning off (default setting)
• fsgwmse.exe ---------- if no option is specified, displays the current status.

Please click here to download the FSGWMSE.EXE tool.

This applies to F-Secure Anti-Virus for Microsoft Exchange 6.2x when used on certain versions of Microsoft Exchange Server 2003.

In some Exchange Server 2003 versions (apparently builds newer than 6944.1) it is impossible to add disclaimer to outbound mails, if the mail is sent as HTML.

This problem will be corrected in the forthcoming F-Secure Anti-Virus for Microsoft Exchange version, 6.30. Until that it is recommended not to use HTML format when sending e-mails to the external recipients, if disclaimers are in use.

This applies to all F-Secure Anti-Virus for Microsoft Exchange versions when used together with F-Secure Content Scanner Server 6.31.

F-Secure Content Scanner Server 6.31 sometimes flags normal e-mails with the error message "Email message is found suspicious. Malformed header field." This problem has been corrected in the F-Secure Content Scanner Server 6.31 hotfix 2, available for download on the F-Secure Anti-Virus for Microsoft Exchange hotfix page.

This applies to all F-Secure Anti-Virus for Microsoft Exchange versions when used together with F-Secure Content Scanner Server 6.31.

F-Secure Content Scanner Server 6.31 has a problem when scanning some certain file types. The structure of the file causes the product use considerable amount of processor time. F-Secure has identified the problem and it has been corrected in the F-Secure Content Scanner Server 6.31 hotfix 2, available for download on the F-Secure Anti-Virus for Microsoft Exchange hotfix page.

This applies to all the F-Secure Anti-Virus for Microsoft Exchange versions when used together with F-Secure Content Scanner Server version 6.3x.

Some viruses, typically Sober.D, may spread itself archived in a corrupted ZIP file. The corrupted ZIP file cannot be properly unpacked by F-Secure Content Scanner Server and the following error message will appear:

420 2004-03-08 11:12:59+03:00 fsav4exc FSAV4EXC\Administrator F-Secure Content Scanner Server 1.3.6.1.4.1.2213.18.1 Scanning the file was unsuccessful.
Agent: fsav4exc
Transaction: 21437
Protocol: unknown
Source:
Destination:
File name: Patch.zip
File size: 33926 bytes
Error: File '*123460760' cannot be opened due to error: FM API error 20. File is corrupted in archive. Extended error code: 0.

The file will be stopped and put into quarantine.

This applies to F-Secure Anti-Virus for Microsoft Exchange versions 6.00 and above on all Windows server platforms when used together with Microsoft Exchange 5.5, 2000 or 2003 server.

Since it is impossible to scan inside the password protected ZIP files, regular e-mail virus scanner is not able to detect the infections. However, F-Secure Anti-Virus Mail Server and Gateway products can be configured to stop password protected archive files regardless the content of the archive.

In environments managed through F-Secure Policy Manager, change the F-Secure Content Scanner Server/Settings/Virus Scanning/Suspect Password Protected Archives setting to "Treat as Unsafe." You must have the archive scanning enabled to be able to use this setting. Once you've changed the setting, you must distribute the policies to take the setting into use.

In the locally managed environments, select F-Secure Content Scanner Server from the F-Secure Settings And Statistics and go to the Scanning/Advanced page. The same setting can be found there.

This applies to F-Secure Anti-Virus for Microsoft Exchange versions 6.10, 6.20 and 6.21 installed on Microsoft Exchange 2000 and 2003 Servers.

In some installations the FSWBSTHK.EXE will start to use considerable amount of CPU time and slow down the Microsoft Exchange Server. This problem has been fixed in Hotfix 2 for F-Secure Anti-Virus for Microsoft Exchange 6.21 and is available for download in the hotfix section. If you're running earlier version of F-Secure Anti-Virus for Microsoft Exchange, please upgrade to the latest version before applying this fix.

Please note that the F-Secure Anti-Virus Agent for Microsoft Exchange is version 6.20 in all the 6.2x versions of the product.

You can find all Service Packs for Microsoft Exchange Servers by clicking next link: Downloads for Exchange

A message is not scanned if it comes from a trusted Public Folder or mailbox.
If an infected attachment arrives to a trusted Public Folder or mailbox, it passes the virus scanner but it is not disinfected or stopped. The real-time scanner scans messages in the message store only once, so when the infected message is sent from the trusted folder or mailbox to another folder inside the same message store, the real-time scanner does not scan it again. If you want to exclude Public Folders from the real-time scan or use trusted mailboxes, store those messages in a different message store. When a message moves between message stores, it is scanned and infected attachments can be disinfected. You can also run the manual scan periodically to remove infected attachments.

There are two ways to re-configure your Exchange Server:
1. You can use utility fsaexgtw provided in the package. The utility can be found in the Agent installation directory (for example "C:\Program Files\F-Secure\Anti-Virus Agent for Microsoft Exchange\fsaexgtw.exe"). Run the utility and follow the instructions on the screen.
2. You can update the following value in the Registry on the gateway server: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIMC\Parameters
Value Name: RerouteViaStore
Data Type: Reg_Dword
Data: 1
after that you will need restart Internet Mail Service.

The reason for this is that when the Exchange server is accessed with POP3 the messages do not go through the Exchange Store and thus will not be scanned. The configuration basically forced the messages through the store.

There are two ways to re-configure your Exchange Server:
1. You can use utility fsaexgtw provided in the package. The utility can be found in the Agent installation directory (for example "C:\Program Files\F-Secure\Anti-Virus Agent for Microsoft Exchange\fsaexgtw.exe"). Run the utility and follow the instructions on the screen.
2. You can update the following value in the Registry on the gateway server: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIMC\Parameters
Value Name: RerouteViaStore
Data Type: Reg_Dword
Data: 1
after that you will need restart Internet Mail Service.

The reason for this is that when the Exchange server is used as a gateway the messages do not go through the Exchange Store and thus will not be scanned. The configuration basically forced the messages through the store.

NOTE: Use the same key code when installing F-Secure Content Scanner Server and F-Secure Anti-Virus Agent for Microsoft Exchange.

A2. A service or process is not running on the F-Secure Content Scanner Server.

Check that all the processes and services for F-Secure Content Scanner server are started in the server that runs F-Secure Anti-Virus. Check the Services Control Panel. The following services should be started:

F-Secure Content Scanner Server
F-Secure Management Agent
F-Secure Network Request Broker
F-Secure Quarantine Manager

Check the Task Manager. The following processes should be running:

FSMB32.exe
FSMA32.exe
FSGK32.exe
fsavsd.exe
FSAV32.exe
fqm.exe
FNRB32.exe
uniproc.exe
fnpcp.exe
FIH32.exe
fch32.exe
FAMEH32.exe

• Windows NT Server and Advanced Server, Service Pack 4 or later
• Windows 2000 Server and Advanced Server, Service Pack 1 or later

There is also another option which would require some reorganisation in your Exchange environment. You could also install IMS on the server that has all the mailboxes and then route all e-mail through the other server that will deliver it to Internet.

A2. Another thing to try to increase performance is to reindex your Information store. In most cases, this will speed things up. It would also be a good idea to remove some of the old messages in all mailboxes. The Information store can swell to huge sizes because on old messages are stored on the Exchange server. You can also check the CPU and disk usage on your Exchange server and Content Scanning Server:

• If the disk load is high on the Exchange server, reindex the Information store.
• If the CPU load is high on the Exchange server, check which application eats the processor time, if it is store.exe, check that your harddisk uses DMA transfers.
• If the disk load is high on the CSS, check the available memory, if 90% or more of the available memory is used, you probably need to increase memory on the server or stop running some other programs on the same server as CSS.
• If the CPU load is high on the CSS consider upgrading the server to something more powerful or make the server dedicated for CSS only.

NOTE! In very large, performance-critical installations, you will benefit from having backup F-SecureContent Scanner Server(s). Backup Content Scanner Servers will be used when the primaryone becomes unavailable. Each F-Secure Content Scanner Server should be installed on a dedicated machine.

NOTE: For the Exchange Server Virus Scan API to function correctly, you need to install the latest post-SP3 Information Store fixes. There is also Service Pack 4 for Microsoft Exchange Server 5.5 that accumulates all those post-fixes. There is a new Service Pack 4, available (released November 7, 2000). It includes all postfixes made after Service Pack 3 and feature enhancements. For more information and how to obtain the Service Pack, please visit this link:
http://support.microsoft.com/support/servicepacks/Exchange/5.5/SP4.asp

Note: In small environments both the Policy Manager Server and Content Scanner Server may be installed on the same machine, but in general, especially if there is lots of traffic going through the system, this is not recommended.

NOTE! F-Secure Anti-Virus for Workstation or Server does not disinfect inside archives automatically. You have to extract it and remove malicious code from it manually.

Install first CSS with the keycode for one product then run the same setup program and enter the keycode for the other product you want the CSS to support to additionally install components required. When running setup.exe for the second time (with the second product's key code), the setup program will ask to confirm the installation of the first product and you just need to enter again the keycode for it.

This (multiple keycodes feature) is supported in CSS 6.01 and later.