Considerations when using antivirus software on FF Edge Products
Last revision: April 2010
Authors
Jim Harrison – Program Manager, ISA SE
Yuri Diogenes – Security Support Engineer
Dan Herzog – Sr Support Escalation Engineer
Contributors and Tech Reviewers
Mohit Saxena – Security Tech Lead (ISA & IAG)
Masoud Hoghooghi – Security Escalation Engineer
Vic Singh Shahid – Security Escalation Engineer
Update
With the release of Forefront Threat Management Gateway (TMG) Medium Business Edition, Forefront TMG 2010, and Forefront Unified Access Gateway (UAG) 2010, we’ve updated this article to include these products. To keep this information as accessible as possible, we have divided this document into separate sections for each product. Before reading this article, we strongly recommend that you read the white paper “The Antivirus Defense-in-Depth Guide” at the Microsoft Download Center (https://www.microsoft.com/downloads/details.aspx?FamilyId=F24A8CE3-63A4-45A1-97B6-3FEF52F63ABB&displaylang=en). This guide provides an overview of antivirus technology, general recommendations, and best practices.
Support statement for antivirus and antimalware software on Forefront Edge products
Installation of antimalware is generally supported in accordance with commercially reasonable effort if the guidelines in this document are followed. Installation of additional firewall or network traffic monitoring mechanisms on Forefront edge products is not supported.
Customers who contact Microsoft Customer Support Services (CSS) may be asked to disable or remove an antivirus program in order to help identify issues. If the root cause of the issue is not the antivirus application, customers are free to enable the software again after the issue is correctly diagnosed. This position is the same for all other teams that sometimes need to disable the antivirus software for troubleshooting purposes. For example:
XGEN: Microsoft's Position on Antivirus Solutions for Exchange 2000 (https://support.microsoft.com/kb/306105).
Microsoft's Position on Antivirus Solutions for Microsoft SharePoint Portal Server (https://support.microsoft.com/kb/322941).
Common types of antimalware
There are two main types of antimalware application commonly used by customers:
File scanners—This type of application is responsible for scanning files residing on the disk, and checking whether they are virus-free. In this category we have three main types of scanning:
Memory-resident file-level scanning—This refers to a part of file-level antivirus software that is loaded in memory at all times. It checks all the files that are used on the hard disk, and in computer memory.
Process-level scanning—This type of scanning refers to a part of the antivirus software that performs scanning of in-memory processes, such as applications, services, etc.
On-demand file-level scanning—This refers to a part of file-level antivirus software that you can configure to scan files on the hard disk manually or on a schedule. Some versions of antimalware software start the on-demand scan automatically (after signatures are updated), to ensure that all files are scanned with the latest signatures.
Protocol-aware scanners—Because ISA Server and Forefront TMG Web proxy supports the ISAPI extensibility model, third-party companies can write antimalware filters that will operate on the data stream as it traverses the application. This mechanism is not supported on IAG 2007 and Forefront UAG.
Firewall or network behavior monitoring—Many antimalware products include some form of network monitoring. This might be a separate firewall mechanism, or something that integrates with Windows firewall mechanisms, such as Windows Filtering Platform.
Some of the definitions above are taken from the article “File-Level Antivirus Scanning on Exchange 2007” available at Microsoft TechNet (https://technet.microsoft.com/en-us/library/bb332342(EXCHG.80).aspx).
Note
Forefront Edge products do not support the use of firewall or network monitoring mechanisms that operate separate from the extensibility API provided by each product.
Besides those main types described above, there are some companies that offer a “combo”, which comes with both file and HTTP-stream solutions integrated. Depending on the type of antivirus that you are using, there will be different recommendations for daily operations and troubleshooting scenarios.
General recommendations
The file scanners mentioned in the previous section are a type of antivirus application that usually doesn’t offer many benefits when installed on a computer running Forefront Edge products. The main reason is that these products are generally not used as a file share, or in any other role that is outside the product design boundaries. However, we understand that some companies require this type of antivirus for compliance reasons, for example when the company's security policy and procedures make it a mandatory requirement.
If you need to have this type of antivirus installed on an edge Forefront product, ensure that the following folders are excluded from antivirus scanning jobs (both real-time and scheduled jobs):
Exclude the application’s program files directory—Excluding this folder prevents file access contention when application services are starting, need to access data files such as error or logon pages, or need to access other components, such as RAS logon mechanisms. Program file locations are described in the sections for each product below.
Exclude the policy storage location—The reason for this is that running antivirus software against these files can cause file access contention with the Extensible Storage Engine (ESE), which might require you to restart the ADAM (LDS for TMG) service.
Exclude the logging destination—Exclude this because the file scanner opens files with exclusive access, locking out every other process. This can cause the logging mechanism to fail.
Exclude the cache file locations—Antivirus software can corrupt the log or the cache files if it locks a file for scanning while the Forefront application tries to access that file. For more information on issues that might arise if this occurs, see KB887311.
Exclude the application processes—AV scanning and behavioral monitoring software will adversely impact the application’s ability to process the traffic properly.
General Windows folders—Review the section Virus Scanning for computers that are running Windows Server 2003, Windows 2000, or Windows XP, at KB822158, and apply those recommendations.
ISA Server
Recommendations for ISA Server 2000, 2004, and 2006 are as follows:
ISA Server does not support operation of Windows Internet Connection Firewall (ICF) or Internet Connection Sharing (ICS). MSKB 813915 discusses this limitation.
The following table summarizes application processes and file paths that should be excluded from scanning.
Version | Paths | Processes |
---|---|---|
ISA Server 2000 | ISA Server installation folder (can be changed during installation); ISA Server Log folder (may be changed by the ISA Server administrator); ISA Server Web cache folder (ISA Server administrator must define this) | ISA Server Report Summary Generator; ISA Server Report Generator; ISA Server Control Service; ISA Server Web Content Download Service; ISA Server Firewall Service |
ISA Server 2004/2006 | ISA Server installation folder (can be changed during installation); SQL MSDE folders (not changeable); ISA Server Web cache (ISA Server administrator must define this) | ISA Server Report Summary Generator; ISA Server Report Generator; ISA Server Diagnostic Logging Viewer; ISA Server Storage Service; ISA Server Control Service; ISA Server Web Content Download Service; ISA Server Firewall Service; SQL 2003 MSDE; Active Directory Lightweight Directory Services (Enterprise Edition only) |
Intelligent Application Gateway (IAG) 2007
IAG recommendations are as follows:
For Internet Information Services (IIS) recommendations, see Microsoft Knowledge Base article 821749.
The folder and process exclusions for IAG are identical to those indicated for ISA Server 2006, with adjustments summarized in the following table:
Paths | Processes |
---|---|
IAG installation folder: c:\whale-com\e-gap\ | |
Forefront TMG
Forefront TMG recommendations are as follows:
Forefront TMG operates in collaboration with Windows Firewall through the Windows Filtering Platform mechanisms. Thus, unlike ISA Server, Windows Firewall must be enabled on the computer where Forefront TMG operates.
For installations in which Exchange 2007 or Exchange 2010 Edge roles are deployed concurrently with Forefront TMG, you must also consider the instructions provided at https://technet.microsoft.com/en-us/library/bb332342(EXCHG.80).aspx.
The following table summarizes paths and processes that should be excluded from antivirus scanning for Forefront TMG Medium Business Edition and Forefront TMG 2010.
Version | Paths | Processes |
---|---|---|
Forefront TMG Medium Business Edition | Forefront TMG installation folder (can be changed during installation); SQL 2005 Express and SQL 2005 Reporting Services; TMG Malware scanning cache (may be changed by the TMG administrator); TMG Log Folder (may be changed by the TMG administrator); TMG Log Queue (may be changed by the TMG administrator); TMG Reporting Folder; TMG Web cache; Internet Information Services (IIS) | TMG Report Summary Generator; TMG Report Generator; TMG Diagnostic Logging Viewer; TMG Storage Service; TMG Administration Component; TMG Firewall Service; TMG Web Content Download Service; SQL 2005 Express and SQL 2005 Reporting Services; Active Directory Lightweight Directory Services; Internet Information Services management |
Forefront TMG 2010 | TMG installation folder (may be changed during installation); TMG SQL Express and SRS installation folders (not changeable); TMG Malware scanning cache (may be changed by the TMG administrator); TMG Log Queue (may be changed by the TMG administrator); Web cache (TMG administrator must define this) | TMG Report Summary Generator; TMG Report Generator; TMG Diagnostic Logging Viewer; TMG Managed Control Service; TMG Storage Service; TMG Administration Component; TMG Firewall Service; TMG Web Content Download Service; SQL 2008 Express and SQL 2008 Reporting Services; Active Directory Lightweight Directory Services |
Note that any path using “%ProgramFiles%\Microsoft Forefront Threat Management Gateway” may have been changed during Forefront TMG installation.
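The exclusion tables in this article list the services to exclude by display name, while most antivirus consoles want the executable path of each process and the folder it lives in. The following PowerShell script is an added illustration, not part of the original article or of the Forefront products: it resolves every installed service whose display name matches one of the product strings to the image it runs (so the same script serves the ISA Server and Forefront UAG tables, not only TMG), and then checks the Windows Firewall prerequisite stated above. The display-name patterns in $patterns, and the use of the BFE and MpsSvc service names to represent the Base Filtering Engine and Windows Firewall, are assumptions of this example; adjust them to what your installation reports.

```powershell
# Added example (not from the article or the Forefront products).
# Resolves Forefront-related services to their executables for antivirus
# process/folder exclusions, then verifies the Windows Firewall prerequisite for TMG.
# ASSUMPTION: service display names contain these product strings; adjust as needed.
$patterns = @('*Forefront TMG*', '*ISA Server*', '*Forefront UAG*',
              '*Lightweight Directory*', '*SQL Server*')

# Win32_Service.PathName is the full command line; strip quotes and
# arguments to isolate the image path.
function Get-ImagePath([string]$commandLine) {
    if ($commandLine -match '^"([^"]+)"') { return $Matches[1] }
    return ($commandLine -split '\s+')[0]
}

$exclusions = @()
foreach ($svc in Get-WmiObject -Class Win32_Service) {
    if (-not $svc.PathName) { continue }   # some entries report no command line
    foreach ($p in $patterns) {
        if ($svc.DisplayName -like $p) {
            $image = Get-ImagePath $svc.PathName
            $exclusions += New-Object PSObject -Property @{
                Service = $svc.DisplayName
                Image   = $image
                Folder  = Split-Path -Path $image -Parent
                State   = $svc.State
            }
            break
        }
    }
}

"Process exclusions (hand these to the antivirus console):"
$exclusions | Sort-Object Image -Unique | Format-Table Service, Image, State -AutoSize

"Folder exclusions derived from the service images:"
$exclusions | Select-Object -ExpandProperty Folder | Sort-Object -Unique

# Forefront TMG works through the Windows Filtering Platform, so the Base
# Filtering Engine (BFE) and Windows Firewall (MpsSvc) must stay enabled and running.
foreach ($name in 'BFE', 'MpsSvc') {
    $s = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($s -eq $null -or $s.State -ne 'Running' -or $s.StartMode -eq 'Disabled') {
        Write-Warning ("{0}: State={1}, StartMode={2}. TMG traffic filtering depends on this service." -f $name, $s.State, $s.StartMode)
    } else {
        "{0}: {1} ({2})" -f $name, $s.State, $s.StartMode
    }
}
```

The script only derives folders from service images. The log, log queue, malware scanning cache, Web cache and policy storage locations are set by the administrator in the product console and must be read from there and added to the exclusion list by hand; the table above tells you which ones to look for.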
Forefront UAG 2010
Forefront UAG recommendations are as follows:
For Internet Information Services (IIS) recommendations, see https://support.microsoft.com/kb/821749.
The folder and process exclusions for Forefront UAG are identical to those indicated for Forefront TMG 2010, with the following adjustments:
Version | Paths | Processes |
---|---|---|
Forefront UAG 2010 | UAG installation folder (may be changed during installation) | Forefront UAG DNS-ALG Service; Forefront UAG Monitoring Manager; Forefront UAG Session Manager; Forefront UAG File Sharing; Forefront UAG Quarantine Enforcement Server; Forefront UAG Terminal Services RDP Data; Forefront UAG User Manager; Forefront UAG Watch Dog Service; Forefront UAG Log Server; Forefront UAG SSL Network Tunneling Server |