Release Notes


Applies to: Forefront Protection for Exchange

Microsoft® Forefront Protection 2010 for Exchange Server

Build 0677.0

Thank you for using Microsoft Forefront Protection 2010 for Exchange Server (FPE). This Release Notes file contains important information regarding the current version of the product. It is highly recommended that you read the entire document.

What's in this file

This topic contains the following information:

  • Important Notes

  • New Features

  • Known Issues

  • Documentation

  • Accessing the Solution Center

Important Notes

The following are important notes regarding upgrading, installing, uninstalling, configuring, and monitoring FPE.


  • If you have the release candidate (RC) version of FPE installed and want to maintain your RC data when upgrading to the general availability release of FPE, you must run the FPE installation program without uninstalling the RC version of the product. By doing this, the original program files and data directories are preserved during the installation.

    If you are not concerned about data retention, it is recommended that you uninstall the RC version of the product, delete the old data folder, and then perform a fresh installation.

  • Upgrades from Forefront Security for Exchange Server Version 10 are not supported.

  • FPE upgrades or uninstalls on SCC clusters running on Windows Server 2003 will fail when the volume where the FPE components are installed are unavailable but still mounted (for example, on a passive node). As a workaround, unmount the volume before proceeding with your FPE uninstall or upgrade.

    To find the volumes where FPE looks for installed components:

    1. On the cluster node on which you want to uninstall or upgrade FPE, at a command prompt, enter the following command:

      REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server" /V DatabasePath

    2. Open the FssSetupLog text file, usually located in the data folder, which is in the corresponding CMS shared drive for the node on which you want to uninstall or upgrade FPE. Search for the string “TARGETDATA=”. Because the node is passive, you must access this file from an active node.

    Note that the two locations indicated may be the same or they may be slightly different. If they are different, both locations need to be unmounted. Alternatively, you can also use Windows Explorer to find which letter drives are not accessible.

    To unmount a volume, run the following command from a command prompt:

    MOUNTVOL VolumeLetter: /D

  • An upgrade from the RC version of the FOPE Gateway is not supported. Uninstall the RC version of FOPE and then install FOPE.

Installing and post-installation configuration:

  • To view the most recent FPE system requirements, see Verifying system requirements.

  • FPE data folder path names (DatabasePath registry key) have a maximum size of 216 characters.

  • If you change the program folder, its name must be less than 170 characters.

  • Installing FPE and the Forefront Online Protection for Exchange Gateway in the same directory prevents the products from operating correctly and is not supported.

  • After a fresh installation, new definition files must be downloaded in order to ensure the most up-to-date protection. An hourly check for updates for each licensed engine is scheduled. By default, these updates start five minutes after FPE services are started. If a proxy server is being used for updates, these scheduled updates will fail until all the proxy server information has been entered. If you did not enter this information during installation, use the Forefront Protection 2010 for Exchange Server Administrator Console and enter it in the Global Settings - Engine Options pane. Then, immediately update each scan engine by clicking Update All Engines Now in the Actions section.


    • You should successfully update at least one engine before the installation is considered complete.

    • Until all the licensed engines have been successfully downloaded, errors may appear in the event log. These errors include "Could not create mapper object".

  • To verify that FPE has been correctly installed with default protection enabled, use Task Manager. You should see the following in a default installation:

    • On a server that contains a Mailbox role, there should be four FSCRealtimeScanner.exe processes running, and there should be one FSCScheduledScanner.exe process running.

    • On a server that includes a Transport role (such as a Hub Transport, Edge, or Mailbox/Hub Transport server), there should be four FSCTransportScanner.exe processes running.

  • FPE only installs and runs with the default setting of "Remote Signed" that Exchange places on the Windows PowerShell execution policy. Changing it to a more restrictive policy such as "Restricted" or "AllSigned" is not supported by FPE.

  • If you have Microsoft Office Manager 2005 or Microsoft System Center Operations Manager 2007 agents installed, you might see services start unexpectedly after the product has been installed. These agents are stopped (disabled) during an installation and automatically re-enabled when the process has completed. This is normal behavior.

  • During the first run after installation, FPE automatically selects a Client Access Server (CAS) (provided that one is available), which may not be the optimal server for your environment. If you are using Exchange Server 2010 and a CAS is not available, the on-demand scan will not work. (For information about adding a CAS to your Exchange environment, see your Exchange Server 2010 documentation.) You can change the selected CAS by using the Forefront Protection 2010 for Exchange Server Administrator Console or by running the following Windows PowerShell command from the Forefront Management Shell: Set-FseOnDemandScan

  • When FPE is installed on an Edge Transport server that is not a member of a domain, the Domain names used for identifying internal addresses setting in Global Settings – Advanced Options is empty.

  • Forefront Online Protection for Exchange (FOPE) credentials must be entered prior to importing configuration settings that include FOPE configuration settings. This can be done by running the following Windows PowerShell command from the Forefront Management Shell: Set-FseHostedServicesCredentials

  • If the Forefront Online Protection for Exchange (FOPE) Gateway is installed on a different server than FPE, the FOPE sync status widget in the user interface will not display the last sync time.


  • When FPE is uninstalled, Exchange services are stopped, resulting in a temporary interruption in mail flow. The services that are stopped are automatically restarted when FPE finishes uninstalling.

    During uninstall, FPE waits four minutes for the Microsoft Exchange Information Store to stop; the uninstall may fail if the service does not stop within four minutes. If this occurs, manually stop the Microsoft Information Store service before uninstalling FPE, and then manually restart the Microsoft Information Store service after successfully uninstalling FPE.

  • When uninstalling FPE, Active Directory® must be available in order for FPE to uninstall correctly.

  • If the SharePoint Portal Alert service is on the server and running, an uninstall of FPE may require a restart.

  • To prevent FPE from requiring a restart during an uninstall process, shut down any monitoring software and make sure that any command prompts or Windows Explorer windows do not have the FPE program folder or any of the subfolders open. After the uninstall process is complete, start the monitoring software again.

  • If you have Microsoft Office Manager 2005 or Microsoft System Center Operations Manager 2007 agents installed, you might see services start unexpectedly after the product has been uninstalled. These agents are stopped (disabled) during an uninstall and automatically re-enabled when the process has completed. This is normal behavior.

Antimalware scanning, filtering, and spam:

  • Files compressed into multipart RAR volumes are subject to the uncompressed file size limit. This limit is specified in Policy Management, on the Global Settings - Advanced Options pane, in the Maximum uncompressed file size setting. The default value of this limit is 100 megabytes. If any file exceeds the limit, any multipart RAR volume that contains the file or a part of the file is deleted. You can also set its value by running a Windows PowerShell command from the Forefront Management Shell. (For example: Set-FseAdvancedOptions -UnCompressedFileSize 150).

  • There are certain settings for the on-demand scan that can only be configured by using the Windows PowerShell cmdlet Set-FseOnDemandScan. For more information about this cmdlet, see the Windows PowerShell help for the Set-FseOnDemandScan cmdlet. The settings are as follows:

    -DocFiles As Containers—Scans .doc files as containers

    -BodyScanning—Causes the body of the message to be scanned

    -MaxContainerScanTime—The maximum time for scanning a container file

    -Priority—The CPU priority of the on-demand scan

    -SuppressMalwareNotifications—Indicates whether virus, spyware, or worm notifications should be sent when malware is detected

  • The ability to scan public folders using the on-demand scan is not supported.

  • When FPE is installed on a Mailbox server, the Transport Exclusion Flag is set to 1, and outgoing e-mail is not scanned for malware or filters at the Store. Outgoing mail is scanned at the Bridgehead server, so if you do not have FPE installed on your Transport servers, then outgoing e-mail is not scanned.

  • If you have installed FPE on a standalone server (single node), you can select mailboxes that are not located on that server by means of the user interface. This is because it is possible to select any mailboxes that are defined in Active Directory, regardless of where they actually reside. However, if you select mailboxes that are not on the server, they will not be scanned or filtered.

  • When you enable the Scan message body setting for the scheduled scan (it is disabled by default), you must also disable the scheduled scan setting Scan only messages with attachments (it is enabled by default).  Otherwise, message bodies will only be scanned for messages that also have attachments.

  • Importing filter lists from a UTF-8 formatted file is not supported.

  • The profanity example lists are provided in a different format than in former versions of the product. For the revised method of importing profanity example lists, see Using example keyword lists.

  • There is a limit of 800 elements in any spam list. The spam lists are: sender exception list, sender domain exception list, recipient exception list, IP allow list, IP block list, recipient block list, sender block list, and sender domain block list.

  • FPE marks messages that it believes to be legitimate with an SCL rating of -1. As a result, on Exchange Server 2007, the end user blocked senders feature may not be enforced for these messages. If this occurs, as a workaround, you can set the extended option CFAllowBlockedSenders to 'true'. This changes the SCL rating from -1 to 0 and allows Exchange Server 2007 to enforce the end user blocked senders feature. 


    See the following knowledge base article to see how to set CFAllowBlockedSenders: Outlook's "Blocks Sender" functionality and Exchange's IMF stop working after installing Forefront Protection for Exchange

Engine and definition updates:

  • FPE does not support customers using their own procedure in order to download engine updates from the Microsoft Web sites. FPE provides the ability for a server to be used as a redistribution server, but this server must use FPE in order to get the updates from Microsoft.

  • If you use a redistribution server for engine and definition updates, you must use a Universal Naming Convention (UNC) path.

  • UNC paths specified for engine updates must not end with a backslash (\).

  • If you receive this message: "The digital signature associated with the engine manifest file is either missing or invalid, or the file is corrupt" and you are using a proxy server when updating engines, the proxy server may have sent back a response code that is not recognized as a failure code and includes a response that contains html with a detailed description of the error instead of the requested manifest file. Before troubleshooting further, check your proxy server settings.

  • If you disable worm list updates, a warning is written to the application log stating that not all engines are enabled for updates. You may receive this message even if you have enabled updates for all antimalware scan engines. It is recommended that you enable updates for the worm list.

  • If antispam is enabled, the server requires Internet connectivity in order to obtain and download the definition updates for the Cloudmark antispam engine directly from the Cloudmark Web sites. Also, ensure that proxy information has been entered, if required. The following URLs (and any subdomains under them) and the use of http and https must be allowed through the firewall:





    Note: The proxy and firewall information still applies if you set your engine update path to point to a redistribution server.

  • When you enable or disable antispam filtering, Cloudmark Antispam engine updates are not affected. If you enable antispam filtering, you should ensure that Cloudmark engine updating is also enabled (this is the default) so that the latest engine updates are always downloaded. If this is not done, the engine still continues to be used for scanning, but as time passes and its definitions become out of date, its effectiveness diminishes. If you disable antispam filtering, FPE continues to download updates for the Cloudmark engine unless you disable updating for that engine. If antispam filtering is enabled after installation, you should also ensure that the Cloudmark engine is enabled for updating.


  • If FPE is installed on a Mailbox Only role and the server is a Domain Controller, notifications and deliver from quarantine functionality do not work.

  • When configuring notifications and deletion texts, various macros are available that can fill in useful information about the message or file being processed and the server doing the processing. Notifications and deletion texts can be sent to any e-mail address that was part of the original message, including those outside your organization. When enabling or customizing notifications and deletion texts, it is recommended that you do not use any macros that could expose any information you do not want disclosed. (For notifications, you can leverage the internal and external roles to prevent information disclosure.)

  • To ensure that notifications are always delivered and are not mistakenly detected as spam by Microsoft Outlook, the FromAddress of the notifications must be added to the safe senders list of all mailboxes that expect to receive these notifications. (To access the safe senders list in Outlook 2007, click Tools and then Options, click the Junk E-mail button, and then click the Safe Senders tab.) For more information about the FromAddress registry key, see "Changing the From address for notifications" in Configuring e-mail notifications.

  • The FPE product help states that by default, delivered quarantined messages are rescanned for filter matches, which is incorrect. By default, delivered quarantined messages are not rescanned for filter matches. For more information, see “Delivering quarantined items using e-mail” in Managing quarantine.


  • There are a number of settings and situations that require you to restart services. In the event that FPE does not recognize the current settings, stop and then restart the relevant Microsoft Exchange and Microsoft Forefront Server Protection services. For more information, see Restarting services.

  • Before using the VSS Writer Service restore functionality, stop all Microsoft Forefront Server Protection services, and then restart the Microsoft Forefront Server Protection VSS Writer Service.

  • If you change the Exchange Pickup folder path (for example, by running the Exchange PowerShell command Set-TransportServer –PickupDirectoryPath d:\Pickup), you must restart the Microsoft Forefront Server Protection Mail Pickup Service in order for the change to take effect.

  • If you are using Exchange Server 2007 and the WinHTTP Web Proxy Auto-Discover Service is disabled, the Microsoft Forefront Server Protection Controller, Microsoft Exchange Transport, and Microsoft Exchange Information Store services cannot be started. Make sure that the WinHTTP Web Proxy Auto-Discover Service is set to an enabled “Startup type” before starting these Microsoft Forefront and Microsoft Exchange services.

New Features

Build 0677.0:

  1. Added support for Windows PowerShell, the Windows command line shell that can be used to enter commands directly or to create scripts.

  2. Product installation is now done with the Windows Installer (MSI).

  3. There is a new scan job called the scheduled scan job, which was separated from the realtime scan job. There is also a new on-demand scan job.

  4. The user interface has been revised and includes statistics and health monitoring reports.

  5. Antispyware scanning is performed by the Microsoft Antimalware Engine.

  6. Antispam functionality includes a built-in DNS block list, a new antispam engine (Cloudmark), integrated management of the Exchange antispam agents, and backscatter filtering (helps to prevent bounced mail or Delivery Status Notifications (DSN) for mail that was never sent from addresses in your organizations).

  7. FPE can be run on the Hyper-V virtual platform.

  8. FPE can be deployed by using the System Center Configuration Manager (SCCM).

  9. Added support for management of the Forefront Online Protection for Exchange (FOPE) Gateway from a standalone FPE server. For more information about the FPE-FOPE integration, see the Forefront Online Protection for Exchange Gateway Release Notes.

Known Issues

  1. A valid ZIP archive is detected as corrupted compressed.

    Reason: FPE currently does not support the PKWARE's DCL-Implode or Deflate64 algorithms.

    Workaround: None.

  2. Forefront services may still exist if the Service Control Manager is open during uninstall.

    Reason: FPE services may only get marked for deletion instead of actually being deleted if the Service Control Manager application is open.

    Workaround: Closing the Service Control Manager application or restarting the server allows the FPE services to be deleted.

  3. During the installation, choosing a directory from the list of existing folders when you are prompted by the Program Folder box for a program folder, only replaces the current shortcuts in the selected folder with the shortcuts for FPE. (The original programs themselves remain untouched; only the links to them in that program folder are overwritten.)

    Workaround: Either accept the default or enter the name of a totally new folder.

  4. FPE does not properly scan for viruses if installed to a folder with non-ASCII characters.

    Workaround: Choose a path that contains only characters from the following groups: letters (A-Z, a-z), numbers (0-9), or the symbols :\/!#$%'()+,-.;=@[]^_`{}~.

  5. In Windows PowerShell, in the incident and quarantine records, time is displayed as Universal Time Coordinate (UTC), which might differ from local time.

  6. If antispam is enabled during the installation of FPE on an Exchange Server 2007 hub, the Exchange Management Console does not reflect it as having been enabled. If antispam is enabled with the Set-FseSpamFiltering cmdlet in the Forefront Management Shell, the Exchange Management Console correctly reflects it.

    Reason: The Microsoft Forefront Server Security Controller service does not have write access to the flag controlling whether the Exchange Management Console displays antispam-related settings.

    Workaround: The flag controlling whether the Exchange Management Console displays antispam-related settings can be set using the following Exchange Management Shell command:

          Set-TransportServer -Identity MachineName -AntispamAgentsEnabled $true

  7. When the Forefront Protection 2010 for Exchange Server Administrator Console (FPE Administrator Console) is opened on the passive node of an SCC cluster, the splash screen does not disappear. The FPE Administrator Console is visible behind it, but when you click the FPE Administrator Console, you get an exception that begins:

              See the end of this message for details on invoking

              just-in-time (JIT) debugging instead of this dialog box.

       This is followed by details about the exception.

    Reason: Forefront services are not running on the passive node and the Data folder is not available. You cannot access the FPE Administrator Console on an SCC passive node.

    Workaround: None.

  8. After entering GB18030 characters into the FPE installation path, the Exchange Information Store fails to start.

    Reason: During installation, GB18030 characters were entered as part of the name of the installation path for the FPE program folder. GB18030 characters are not supported in path names.

    Workaround: Reinstall FPE without using GB18030 characters in path names.

  9. The Dashboard stops displaying information after you change the Regional and Language Options to show the system time and date in Arabic on Microsoft Windows Server 2008 or Windows Server 2008 R2 systems.

    Workaround: Configure the Regional and Language Options to show the system time and date in any other format.

  10. If you have opted into or have enabled antispam and if you are using Exchange 2007 SP1, you must manage static IP allow and block list entries via Exchange PowerShell. If you use an Exchange server version higher than Exchange 2007 SP2, build 153.0, you can manage static IP allow and block list entries from the Forefront Protection 2010 for Exchange Server Administrator Console.

  11. Every time the Forefront Protection 2010 for Exchange Server Administrator Console attempts to write to the Windows PowerShell event log, a pop-up message tells you that the event log is full.

    Reason: Every time that the Forefront Protection 2010 for Exchange Server Administrator Console is opened or you navigate within the user interface, records are written to the Windows PowerShell event log. The pop-up appears because the maximum log size is too small and you have the When maximum event log size is reached option set to Do not overwrite events (Clear log manually)

    Workaround: Increase the maximum size of the Windows PowerShell event log by following these steps:

    1. In Control Panel/Administrative Tools, open the Event Viewer.

    2. Right-click the Windows PowerShell event viewer and select Properties.

    3. Increase the Maximum log size by entering a new log size, in kilobytes. Click OK and close the Event Viewer.

    4. Consider changing the value of the When maximum event log size is reached option to one of the other choices:

      • Overwrite events as needed (oldest events first) - this is the default

      • Archive the log when full, do not overwrite events

  12. When you attempt to open the Forefront Protection 2010 for Exchange Server Administrator Console you get the message "A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available." The Forefront Protection 2010 for Exchange Server Administrator Console cannot be used.

    Cause: You entered a port number greater than 65535 when you entered proxy server data during installation.

    Workaround: Use Windows PowerShell to assign a different port number (one no greater than 65535).

    Set-FseSignatureOptions -port <portnumber>

  13. If you set the action of a keyword filter list in Windows PowerShell to any value other than "Identify", the action displayed in the user interface may be incorrect. This also applies when enabling a keyword filter through Windows PowerShell, which sets a default action if none is explicitly chosen.

    Workaround: Add the following parameter when enabling or setting the action for a keyword filter list:

    -IdentifyIn @()
  14. When making multiple changes to file filter lists, the resulting file filter list order may be changed. You can use the Change File Filter List Order option in order to reorder your file filter lists, if necessary.


The documentation for this product is distributed in .chm format and is provided with this package. After installation, access help either from the Forefront Protection 2010 for Exchange Server Administrator Console interface or use the F1 key when running the Forefront Protection 2010 for Exchange Server Administrator Console. To view the latest updated documentation, see:

Accessing the Solution Center

Additional information about FPE is available on Microsoft's Web site:

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2009 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Forefront, SharePoint, Windows, Windows NT, Windows Vista, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.