Chapter 21 - Troubleshooting overview
Applies to: Microsoft Antigen
This section contains troubleshooting information.
Getting help
To obtain technical support, visit the Microsoft® Web site at Microsoft Help and Support.
Using diagnostics
Diagnostic logging provides additional information that Microsoft support technicians can use to troubleshoot problems that occur while Antigen is not working properly. Diagnostics can be enabled independently for each scan job by selecting the appropriate check box in the Diagnostics area of the General Options work pane. The settings are: Additional Internet, Additional Realtime, Additional Manual, and Archive SMTP Mail. These options are disabled by default. For more information about these settings, see Chapter 4 - Using the Antigen Administrator.
For information about collecting diagnostic information, see Appendix D - Using the Antigen diagnostic utility.
Antigen installation failure
Antigen cannot co-exist with any VSAPI-based antivirus product. If another antivirus product was previously installed by using VSAPI, you receive an error message when you attempt to install Antigen, and the installation fails.
When antivirus software is installed by using VSAPI, the following registry subkey is created to store information about the VSAPI library:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\VirusScan
If the VirusScan registry subkey is present when you try to install Antigen, the installation fails. The VirusScan registry subkey must exist, but only after you have successfully installed Antigen.
To delete the VirusScan registry entry
1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, expand the following registry subkey:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\VirusScan
3. Right-click the VirusScan registry entry, and then click Delete.
4. Exit Registry Editor.
Antigen services do not start when you start the computer
When you start the computer on which Antigen for Exchange is installed, the Microsoft Exchange and the Antigen services should start automatically. If the Antigen services do not start, an error message is logged in the ProgramLog.txt file stating that the VirusScan key is not enabled, and Antigen cannot virus scan. You can resolve this issue by enabling the VirusScan registry entry.
To enable the VirusScan registry entry
1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, expand the following registry subkey:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\VirusScan
3. In the right pane, right-click Enabled, and then click Modify.
4. In the Edit DWORD Value dialog box, type 1 in the Value data box, and then click OK.
5. Exit Registry Editor.
6. Restart all Antigen for Exchange services.
7. Restart all Exchange services.
Submitting malicious software files to Microsoft for analysis
If you suspect that a file contains malware or potentially unwanted software, you can submit it to Microsoft for analysis. You can use one of the following methods to submit malware files to Microsoft for analysis:
- Submitting files through the Microsoft Malware Protection Center Portal
- Submitting files through Microsoft Customer Support Services
Submitting files through the Microsoft Malware Protection Center Portal
The following Web site enables users to submit files that are suspected of containing malware or potentially unwanted software to Microsoft for analysis:
https://go.microsoft.com/fwlink/?LinkId=196858
After you have accessed the Microsoft Malware Protection Center portal, on the Submit a sample page, follow the instructions for the portal submission process.
Note
When prompted, enter your Microsoft Software Assurance ID. This ensures that your malware submission is given higher priority in our submission queue than anonymous submissions. For more information about Software Assurance, visit the following Microsoft Web site: Software assurance information
Preparing files for submission
If your submission is larger than 10 megabytes or you want to submit multiple files for analysis, compress the file or files into a single .zip or .rar archive (must be less than 10 megabytes in size) and password protect the file with the password "infected" (without quotation marks).
When you submit the file, make sure that you include the following data:
- Your name and email address
  Microsoft sends all responses to the email address that you use to submit the files. When you submit the archive file, Microsoft processes the file and then sends a determination of the files that it contains, based on the current Microsoft malware definitions. If necessary, adjust your incoming mail filters to ensure that you receive this message.
  If you want additional email contacts to receive updates about the status of the submission, also include these contacts and add the following note in the comments field: "Please Reply All".
- Support case number (optional)
  A support case number is not required to submit files for analysis. However, if a support case is already open for this submission, you can include the case number.
- Product that you are using
  Select Microsoft Forefront Server Security. (In the comments section, you may want to list a more specific product name, for example Microsoft Antigen for Exchange.)
- False positives
  If the submission includes files that you believe were incorrectly determined to contain malware, select the I believe this file should not be detected as malware check box. Otherwise, the files are assumed to contain malware.
- File to submit
  Click the Choose File button to browse to the file you want to submit for analysis.
- Description of the malicious activity
  In the comments field, describe what the files did to make you suspect that they contained malware. Also include the operating system on which the suspected malware was found (for example, Windows Server 2003), as well as any additional information that may be helpful in analyzing the files.
About the response message
After you submit the malware files, we send you a response to confirm the receipt of the submission. We then follow up with the results of our analysis and with responses from our partners. If you want more frequent updates through sample review, such as for high-priority submissions, it is recommended that you open a support case.
Submitting files through Microsoft Customer Support Services
Microsoft Customer Support Services can submit files on your behalf. If you have an urgent malware situation that Antigen does not address, or if it is after regular business hours, it is recommended that you contact Customer Support Services for help. To do this, use the support information that was provided to you when you purchased Antigen, or visit the following Microsoft Web site:
https://go.microsoft.com/fwlink/?LinkID=159889
No Realtime scanning occurs on the Exchange store after installing Antigen
After installing Antigen for Exchange, you may find that no Realtime virus scanning occurs on the Exchange store if a third-party antivirus product was installed and then uninstalled on the server. This problem occurs because a registry entry is incorrectly reset when the third-party antivirus product is uninstalled.
To correctly reset the registry entry
1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, expand the following registry subkey:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ServerName\Private-GUID
3. Right-click VirusScanEnabled, click Modify, type 1, and then click OK.
4. Repeat steps 2 and 3 for each Exchange Server database that is present on the server.
5. Exit Registry Editor.
6. Restart the Microsoft Exchange Information Store service.
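The registry state that the two procedures above edit by hand (VirusScan\Enabled for the Antigen services, and VirusScanEnabled for every Private-GUID database key) can be audited in one pass before anyone opens Registry Editor. The following PowerShell script is an added example and is not part of the Antigen documentation or product. The key paths are the ones documented above, with ServerName and Private-GUID discovered by enumeration; the function names and the repair behaviour are this example's own assumptions.

```powershell
# Added example (not Antigen's own code): audit the VSAPI registry state that
# the procedures above describe, and optionally set the documented value (1).
# Key paths are the ones documented above; function names are this example's own.

$VirusScanKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan'
$ExchangeIsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS'

function Get-RegDword {
    # Returns the DWORD value, or $null when the key or the value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function New-VsapiCheck {
    # One result object per registry value; Healthy means the documented value 1 is set.
    param([string]$Check, [string]$Path, [string]$ValueName)
    $v = Get-RegDword -Path $Path -Name $ValueName
    [pscustomobject]@{
        Check = $Check; Path = $Path; ValueName = $ValueName
        Exists = (Test-Path $Path); Value = $v; Healthy = ($v -eq 1)
    }
}

function Get-VsapiState {
    # VirusScan subkey: Antigen creates it during a successful install; a
    # pre-existing subkey makes that install fail, and Enabled = 0 makes the
    # Antigen services log "VirusScan key is not enabled" and skip scanning.
    $results = @(New-VsapiCheck -Check 'VirusScan Enabled' -Path $VirusScanKey -ValueName 'Enabled')

    # Per-database VirusScanEnabled lives under <ServerName>\Private-<GUID>,
    # so walk two levels below MSExchangeIS and keep only the Private-* keys.
    $dbKeys = Get-ChildItem -Path $ExchangeIsKey -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ChildItem -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.PSChildName -like 'Private-*' }
    foreach ($k in $dbKeys) {
        $results += New-VsapiCheck -Check "Database $($k.PSChildName)" -Path $k.PSPath -ValueName 'VirusScanEnabled'
    }
    return ,$results
}

function Repair-VsapiState {
    # Sets every existing but unhealthy value to 1. Supports -WhatIf / -Confirm.
    # A missing VirusScan subkey is reported but never created here: Antigen's
    # installer creates it, and a pre-existing one makes that install fail.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($r in (Get-VsapiState | Where-Object { $_.Exists -and -not $_.Healthy })) {
        if ($PSCmdlet.ShouldProcess("$($r.Path)\$($r.ValueName)", 'Set DWORD to 1')) {
            Set-ItemProperty -Path $r.Path -Name $r.ValueName -Value 1 -Type DWord
        }
    }
}

# Usage: run elevated on the Exchange server, review, then repair; afterwards
# restart the Antigen and Exchange services as the procedures above require.
Get-VsapiState | Format-Table Check, Exists, Value, Healthy -AutoSize
Repair-VsapiState -WhatIf
```

Run the audit first and keep its output with the change record; the repair is deliberately limited to values that already exist, so it reproduces the documented procedures and nothing more.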
Attaching a disclaimer message that includes non-US-ASCII characters
When using the Add Outbound Disclaimer function to attach a disclaimer message to an outgoing e-mail message, the e-mail message may be unreadable if the disclaimer message includes non-US-ASCII characters.
By default, Antigen formats the e-mail message in the basic Internet encoding standard when Antigen adds a disclaimer message. The basic Internet encoding standard is the UTF7 encoding standard. However, many languages include characters that are not included in the UTF7 encoding standard. Therefore, non-US-ASCII characters are not represented correctly after Antigen processes the e-mail message.
By default, Antigen formats the e-mail message in the UTF7 encoding standard even if the original e-mail message from the sender is in a different character set. For example, Antigen does this even if the original e-mail message is in the ISO-8859-1 character set.
To prevent Antigen from converting the disclaimer from the original encoding into UTF7, create the following registry value.
To prevent Antigen from forcing the UTF7 format
1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, expand the following registry subkey:
   HKEY_LOCAL_MACHINE\SOFTWARE\Sybari Software\Antigen for Exchange
3. Right-click Antigen for Exchange, point to New, and then click DWORD Value.
4. To name the new value, type ForceDisclaimerNonUTF7, and then press ENTER.
5. Right-click ForceDisclaimerNonUTF7, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Exit Registry Editor.
8. Restart the Antigen services.
Exchange cannot deliver e-mail messages to certain domains after you configure an e-mail disclaimer
After you configure an e-mail disclaimer in Microsoft Antigen for Exchange, you may find that Exchange cannot deliver e-mail messages to certain domains: the messages remain queued for delivery to the destination domains. This occurs if you have internal messaging servers that do not use the MIME format for e-mail messages. When troubleshooting this issue, you will notice that the affected destination domains reject the SMTP connection from Exchange.
When Antigen for Exchange appends a disclaimer to outgoing e-mail messages that are not in MIME format, Antigen may leave a bare line feed (LF) after the disclaimer. Therefore, the e-mail messages are in a non-standard Internet e-mail format. Certain destination e-mail servers may reject these messages. To resolve this issue, enable the Fix Bare CR or LF in Mime Headers setting, located under the Scanning heading of the General Options pane.
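Before enabling the setting, it helps to confirm that a queued message really does carry a bare line feed, because a receiving server that rejects on this ground usually reports only a generic error. The following PowerShell script is an added example, not part of the Antigen documentation: it scans a raw message for bare CR or LF characters the way a strict receiving MTA would, and shows a normalisation to CRLF. The sample message is constructed for this example; the documented fix remains the Fix Bare CR or LF in Mime Headers setting.

```powershell
# Added example (not Antigen's own code): find and repair bare CR or LF
# characters in a raw SMTP message, the defect described above.
# The sample message below is constructed for this example.

function Find-BareLineBreak {
    # Returns the offset and kind of every CR not followed by LF and every
    # LF not preceded by CR. A clean CRLF-terminated message yields an empty array.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $found = @()
    for ($i = 0; $i -lt $Bytes.Length; $i++) {
        $b = $Bytes[$i]
        if ($b -eq 13 -and (($i + 1 -ge $Bytes.Length) -or ($Bytes[$i + 1] -ne 10))) {
            $found += [pscustomobject]@{ Offset = $i; Kind = 'bare CR' }
        }
        elseif ($b -eq 10 -and (($i -eq 0) -or ($Bytes[$i - 1] -ne 13))) {
            $found += [pscustomobject]@{ Offset = $i; Kind = 'bare LF' }
        }
    }
    return ,$found
}

function Repair-BareLineBreak {
    # Normalises every line ending to CRLF; existing CRLF pairs are left alone.
    param([Parameter(Mandatory)][string]$Text)
    $t = $Text -replace '\r(?!\n)', "`r`n"    # bare CR -> CRLF
    return $t -replace '(?<!\r)\n', "`r`n"    # bare LF -> CRLF
}

# Constructed sample: a correctly formatted message whose appended disclaimer
# ends in a bare LF, the situation described above.
$sample = "From: sender@example.com`r`n" +
          "To: recipient@example.net`r`n" +
          "Subject: quarterly figures`r`n" +
          "`r`n" +
          "Please find the figures attached.`r`n" +
          "--`r`n" +
          "This message is confidential.`n"

$bytes  = [System.Text.Encoding]::ASCII.GetBytes($sample)
$issues = Find-BareLineBreak -Bytes $bytes
$issues | Format-Table -AutoSize        # one row: the trailing bare LF

$fixed = Repair-BareLineBreak -Text $sample
(Find-BareLineBreak -Bytes ([System.Text.Encoding]::ASCII.GetBytes($fixed))).Count   # 0
```

To check a real queued message, read it with Get-Content -Encoding Byte (or -AsByteStream on newer PowerShell) rather than as text, because a text read normalises line endings and hides exactly the defect you are looking for.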
Rebuilding scan engines
Important
Before you rebuild a scan engine in Antigen, it is recommended that you first contact Microsoft Product Support Services (PSS) to help determine whether the problem that you experience requires a scan engine rebuild operation. For information about how to contact Microsoft PSS, visit the following Web site: https://support.microsoft.com/contactussupport/?ws=support
Symptoms that may require that you rebuild a scan engine include the following:
- Scan engine files become locked. Therefore, a scan engine can no longer be automatically updated.
- A scan engine generates an error message when it attempts to load.
When any of these symptoms occur, one of the following errors may be logged in the ProgramLog.txt file, located in the Antigen for Exchange folder.
- ERROR: Could not create mapper object
- INFORMATION: The engine_name engine was rolled back
- ERROR: Scan engine was corrupted on download
- ERROR: CheckCrc failed
To rebuild a scan engine
1. Create the UNC update folder structure. To do this, follow these steps:
   a. Create a directory that is named Antigen.
   b. In the Antigen directory, create a directory that is named Engines.
   c. In the Engines directory, create a directory that is named x86.
   d. In the x86 directory, create a folder for the engine on which you are working. For example, create a folder that is named Microsoft.
   e. In the engine folder (for example, Microsoft), create a folder that is named Package.
   An example of a UNC update folder path is as follows:
   C:\Antigen\Engines\x86\Microsoft\Package
2. Download the latest scan engine files. To do this, follow these steps:
   a. Save the Manifest.cab file to the Package folder for the engine that you are updating. An example of the path of this file is as follows:
   C:\Antigen\Engines\x86\Microsoft\Package\manifest.cab
   To obtain the Manifest.cab file, go to the following Microsoft Web site:
   https://antigendl.microsoft.com/antigen/x86/Microsoft/Package/manifest.cab
   b. Extract the Manifest.xml file from the Manifest.cab file, and then open the Manifest.xml file by using a text editor, such as Notepad. Search for the "version=" string in the Manifest.xml file. After one of the instances of "version=", a 10-digit number is displayed. For example, locate an entry that resembles the following:
   version="0606080004"
   In this entry, the 10-digit number is the update version number of the latest update. In the rest of this procedure, this number is represented by the update_version placeholder.
   c. Save the Microsoft_fullpkg.cab file to a directory within the Package folder that has the same name as the update version. An example of the path of this file is as follows:
   C:\Antigen\Engines\x86\Microsoft\Package\0606080004\Microsoft_fullpkg.cab
   To obtain the Microsoft_fullpkg.cab file, go to the following Microsoft Web site:
   https://antigendl.microsoft.com/antigen/x86/Microsoft/Package/update_version/microsoft_fullpkg.cab
   Important
   In this URL, replace update_version with the update version number that you located in step 2b. For example, use a URL that resembles the following sample URL:
   https://antigendl.microsoft.com/antigen/x86/Microsoft/Package/0606080004/microsoft_fullpkg.cab
   d. Copy the Manifest.cab file in the Package folder, and then paste the file into the version folder. The final structure of the files is as follows:
   c:\Antigen\Engines\x86\Microsoft\Package\manifest.cab
   c:\Antigen\Engines\x86\Microsoft\Package\0606080004\manifest.cab
   c:\Antigen\Engines\x86\Microsoft\Package\0606080004\Microsoft_fullpkg.cab
3. Update the engine. To do this, follow these steps:
   a. Open the Antigen Administrator.
   b. Under SETTINGS, click Scanner Updates.
   c. Select the engine on which you are working. For example, select Microsoft.
   d. Change Network Update Path to the parent directory of the x86 folder. For example, change this item to C:\Antigen\Engines.
   e. Click Save.
   f. Click Update Now.
Note
The third-party products that the preceding procedure discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
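The rebuild procedure above depends on three things being exactly right: the 10-digit version read from Manifest.xml, the download URL built from it, and the folder layout that Scanner Updates expects under the Network Update Path. The following PowerShell script is an added example, not part of the Antigen documentation or product, that makes each of those steps checkable. The URL pattern and paths are the ones documented above for the Microsoft engine; applying the same URL pattern to other engine names, the folder root, the function names and the sample manifest text are this example's own assumptions.

```powershell
# Added example (not Antigen's own code): derive the update version from
# Manifest.xml, build the download URLs, and scaffold and verify the UNC
# update layout described in the rebuild procedure above.

function Get-ManifestVersion {
    # Step 2b: the 10-digit number after one of the version= attributes.
    param([Parameter(Mandatory)][string]$ManifestXml)
    $m = [regex]::Match($ManifestXml, 'version="(\d{10})"')
    if (-not $m.Success) { throw 'Manifest.xml contains no 10-digit version="..." attribute' }
    return $m.Groups[1].Value
}

function Get-EngineDownloadUrl {
    # Documented above for the Microsoft engine; using the same pattern for
    # other engine names is an assumption of this example. Forward slashes throughout.
    param([string]$Engine = 'Microsoft', [string]$Version)
    $base = "https://antigendl.microsoft.com/antigen/x86/$Engine/Package"
    if ($Version) { return "$base/$Version/$($Engine.ToLower())_fullpkg.cab" }
    return "$base/manifest.cab"
}

function New-EngineUpdateLayout {
    # Step 1 plus the version folder of step 2c. Returns every path the later
    # steps refer to, including the Network Update Path for step 3d.
    param([string]$Root = 'C:\Antigen', [string]$Engine = 'Microsoft',
          [Parameter(Mandatory)][string]$Version)
    $package    = Join-Path $Root "Engines\x86\$Engine\Package"
    $versionDir = Join-Path $package $Version
    New-Item -ItemType Directory -Path $versionDir -Force | Out-Null
    [pscustomobject]@{
        PackageDir        = $package
        VersionDir        = $versionDir
        ManifestCab       = Join-Path $package 'manifest.cab'
        ManifestCopy      = Join-Path $versionDir 'manifest.cab'
        FullPackageCab    = Join-Path $versionDir "${Engine}_fullpkg.cab"
        NetworkUpdatePath = Join-Path $Root 'Engines'
    }
}

function Test-EngineUpdateLayout {
    # Step 2d's final structure: returns the paths still missing (empty = ready).
    param([Parameter(Mandatory)]$Layout)
    $expected = @($Layout.ManifestCab, $Layout.ManifestCopy, $Layout.FullPackageCab)
    return ,@($expected | Where-Object { -not (Test-Path -LiteralPath $_) })
}

# Constructed Manifest.xml fragment: the first version= is the XML declaration,
# not the update version; only the 10-digit value matches.
$manifestXml = '<?xml version="1.0"?><manifest version="0606080004"></manifest>'
$version = Get-ManifestVersion -ManifestXml $manifestXml     # 0606080004
$layout  = New-EngineUpdateLayout -Root 'C:\Antigen' -Version $version

Get-EngineDownloadUrl                     # .../Package/manifest.cab
Get-EngineDownloadUrl -Version $version   # .../Package/0606080004/microsoft_fullpkg.cab

# After saving manifest.cab to $layout.ManifestCab, extract Manifest.xml with the
# built-in expand.exe, fetch the full package to $layout.FullPackageCab, and copy
# the manifest into the version folder:
#   expand.exe $layout.ManifestCab -F:manifest.xml $layout.PackageDir
#   Copy-Item $layout.ManifestCab $layout.ManifestCopy
Test-EngineUpdateLayout -Layout $layout   # lists whatever is still missing
$layout.NetworkUpdatePath                 # value to enter in step 3d: C:\Antigen\Engines
```

Running Test-EngineUpdateLayout until it returns nothing, before clicking Update Now, catches the two mistakes this procedure invites: a manifest copied only to the Package folder, and a version folder whose name does not match the number in Manifest.xml.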