Symantec to Extend Online Services with Acquisition of MessageLabs

No Waaaaaaaaaaaaay


Source: http://www.messagelabs.co.uk/resources/press/19234

CUPERTINO, Calif. – Oct. 8, 2008 – Symantec Corp. (Nasdaq: SYMC) today announced it has signed a definitive agreement to acquire MessageLabs, a leading provider of online messaging and Web security services. Under the terms of the agreement, Symantec will acquire MessageLabs for a purchase price of approximately $695 million in cash, subject to foreign currency adjustments, payable in approximately £310 million Pounds Sterling and $154 million US Dollars.

MessageLabs generated approximately $145 million in revenue during fiscal year 2008, ending July 31, 2008 and grew by more than 20 percent over the prior fiscal year. The agreement is subject to customary closing conditions including regulatory approvals, and is expected to close by the end of the 2008 calendar year.

With the acquisition of MessageLabs, Symantec gains a leadership position in the rapidly growing Software-as-a-Service (SaaS) segment and strengthens its lead in the messaging security market. MessageLabs is the number-one provider of online messaging security worldwide with more than eight million end users at more than 19,000 clients ranging from small business to the Fortune 500. Symantec will capitalize on cross-selling and up-selling its existing SaaS offerings of backup, storage and online remote access into the MessageLabs customer base. And future SaaS offerings, leveraging Symantec technology in data loss prevention, compliance, endpoint security and archiving, will be enhanced by MessageLabs’ expertise in SaaS sales, operations and support.

MessageLabs plus Symantec Protection Network will result in the creation of a new Symantec Software-as-a-Service product group to accelerate the development of new SaaS solutions and hybrid offerings for IT professionals. SaaS is described as one of the most impactful trends in software with a current estimated market size of $5.71 billion (in 2007) reaching $16.98 billion by 2012, representing 24.4 percent CAGR according to IDC. For more information on how MessageLabs will complement Symantec in the delivery of SaaS offerings please visit: http://go.symantec.com/MessageLabs

Get-ExchangeADChanges.ps1

So I needed a way to check what has changed in the Exchange Configuration container … basically if something stopped working ;-)

So I came up with this. I run it once a week, and it checks for changes in the last 7 days.

It has one command line option and that is -email to email the results :-D

 


$Error.Clear()
#########################################################################################
$AppName = "Get-ExchangeADChanges.ps1"
$AppVer  = "v1.0 [11 September 2008]"
#v1.0 11 September 2008 : A script is Born
#
#This script looks at the configuration container in the AD and lists objects
#that have changed in the last x days
#By default it is the last 7 days
#
#Written By Paul Flaherty
#blogs.flaphead.com
#
#Common Variables
$ServerName = hostname                      # Server Name
$ServerName = $ServerName.ToUpper()
$Today      = Get-Date                      # Todays Date
$NoDays     = 7
$xUser      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$xUser      = $xUser.Name
$evt        = New-Object System.Diagnostics.EventLog("Application")
$Warnevent  = [System.Diagnostics.EventLogEntryType]::Warning
$InfoEvent  = [System.Diagnostics.EventLogEntryType]::Information
$evt.Source = "PowerShellMonitoring"
$MsgBody    = "Exchange Server 2007 Change Status`n`n"
$MsgFrom    = "$ServerName@NoReply.local"
$MsgSubject = "PSM: Exchange 2007 Server AD Change Status as of $Today"
$WarningPreference = "SilentlyContinue"
#########################################################################################
#Command Line Options
#########################################################################################
$CmdLineOptions = @"

COMMANDLINE OPTIONS
No Commandline .. Default to a 7 day Check
-EMAIL ......... Send an Email
-? ............. Displays this Help Text

"@
#########################################################################################
#Parse the Command Line
#########################################################################################
$doEmail = $False
$doHelp  = $False
$DelimitedArgs = $False
If ($Args.Count -ge 1) {
    Write-Host "Number of Arguments: " -NoNewLine
    Write-Host $Args.Count
    $Args[0] = $Args[0].ToString()
    # An argument containing "-" is a switch; a bare first argument is the number of days
    If ($Args[0].Contains("-")) {$DelimitedArgs = $True}
    If (($DelimitedArgs -eq $False) -AND ($Args.Count -ge 1)) {$NoDays = [int]$Args[0]}
    For ($i = 0; $i -le $Args.Count - 1; $i++) {
        $xArgs = $Args[$i]
        $xArgs = $xArgs.ToUpper()
        Switch ($xArgs) {
            "-EMAIL" {$doEmail = $True}
            "-?"     {$doHelp = $True}
        }
        Write-Debug $Args[$i]
    }
}
If ($doHelp) {
    Write-Host $AppName -NoNewLine -ForegroundColor Green
    Write-Host " - HELP!"
    Write-Host $CmdLineOptions
    Exit
}
Start-Transcript -Path "$AppName.log"
# Cut-off date: anything changed on or after this is reported
$xComp      = (Get-Date).AddDays(-$NoDays)
$currentdom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$Forest     = $currentdom.Forest.ToString()
$Forest     = $Forest.Replace(".", ",DC=")
$Forest     = "DC=" + $Forest
$Dom        = "LDAP://CN=Microsoft Exchange,CN=Services,CN=Configuration,"
$Dom       += $Forest
$Root       = New-Object DirectoryServices.DirectoryEntry $Dom
$selector   = New-Object DirectoryServices.DirectorySearcher
$selector.PageSize   = 1000
$selector.SearchRoot = $Root
$objs = $selector.FindAll()
#########################################################################################
#Display script name and version
#########################################################################################
Write-Host $AppName -NoNewLine -ForegroundColor Green
Write-Host ": $AppVer" -ForegroundColor Green
Write-Host "`n Run on $ServerName at $Today by $xUser" -ForegroundColor Yellow
Write-Host "|-------------------------------------------------------------------|`n"
Write-Host $Dom -ForegroundColor Yellow
Write-Host "`nExchange Active Directory Objects that have changed..."
Write-Host "..in the last " -NoNewLine
Write-Host $NoDays -ForegroundColor Red -NoNewLine
Write-Host " days [since $xComp]"
$i = 0
Write-Host "`nTotal number objects found: " -NoNewLine
Write-Host $objs.Count -ForegroundColor Green
ForEach ($obj in $objs) {
    #adspath
    #distinguishedname
    #name
    $xADS    = $obj.Properties.adspath
    $xName   = $obj.Properties.name
    $xChange = $obj.Properties.whenchanged
    If ($xChange -ge $xComp) {
        $i++
        Write-Host "`nName: $xName" -ForegroundColor Yellow
        Write-Host "Path: $xADS"
        Write-Host "Last Changed : $xChange"
    }
}
Write-Host "$i objects modified in the last $NoDays days" -ForegroundColor Yellow
Stop-Transcript
#########################################################################################
#Read in Transcript and add to Message Body
#########################################################################################
$TranscriptOutput = Get-Content "$AppName.log"
Write-Debug "Adding transcript to Email Message Body"
ForEach ($xLine in $TranscriptOutput) { $MsgBody += "$xLine`n`n" }
#########################################################################################
#Send email with attachments
#########################################################################################
If ($InServer -ne $Null) {$MsgSubject += " for $InServer"}
If ($doEmail) {
    .\sendmail.ps1 -Server AutoDiscover -tocsv c:\ps\_emailAlertList1.txt -from $MsgFrom -Subject $MsgSubject -body $MsgBody -attachment "C:\PS\$AppName.log"
}
# Record the run in the Application event log
$ServiceStatus = "${AppName}: $i objects modified in the last $NoDays days"
$evt.WriteEntry($ServiceStatus, $InfoEvent, 1000)
#########################################################################################
#End
#########################################################################################

 

The file is attached
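
A server-side variant of the same check, as an added example that is not part of the original script: it pushes the date comparison into the LDAP filter so only changed objects are returned, and reads the configuration naming context from RootDSE. The function name `Get-ExchangeConfigChange` and its parameters are illustrative, and it assumes PowerShell 2.0 or later.

```powershell
# Added example (not from the original script). Requires PowerShell 2.0 or later.
# Get-ExchangeConfigChange, -Days and -Server are illustrative names.
function Get-ExchangeConfigChange {
    param(
        [int]$Days = 7,
        [string]$Server          # optional: bind to one named domain controller
    )

    # whenChanged is an LDAP GeneralizedTime value, so build the cut-off in UTC
    # using the yyyyMMddHHmmss.0Z form that an LDAP filter expects.
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days)
    $stamp = $since.ToString("yyyyMMddHHmmss",
                 [Globalization.CultureInfo]::InvariantCulture) + ".0Z"

    # Read the configuration naming context from RootDSE instead of
    # rebuilding it from the forest DNS name.
    $prefix = "LDAP://"
    if ($Server) { $prefix = "LDAP://$Server/" }
    $rootDse  = [ADSI]($prefix + "RootDSE")
    $configNC = [string]$rootDse.configurationNamingContext
    $base     = $prefix + "CN=Microsoft Exchange,CN=Services," + $configNC

    $searcher = New-Object DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object DirectoryServices.DirectoryEntry $base
    # Server-side filter: the DC returns only objects changed since the cut-off,
    # rather than every object under the Exchange container.
    $searcher.Filter   = "(whenChanged>=$stamp)"
    $searcher.PageSize = 1000
    $searcher.PropertiesToLoad.AddRange(
        [string[]]("name", "distinguishedname", "objectclass",
                   "whenchanged", "whencreated"))

    $results = $searcher.FindAll()
    try {
        $rows = foreach ($r in $results) {
            # objectClass is multi-valued; the last value is the most specific class
            $classes = $r.Properties["objectclass"]
            New-Object PSObject -Property @{
                Name        = [string]$r.Properties["name"][0]
                Class       = [string]$classes[$classes.Count - 1]
                WhenChanged = [datetime]$r.Properties["whenchanged"][0]
                WhenCreated = [datetime]$r.Properties["whencreated"][0]
                DN          = [string]$r.Properties["distinguishedname"][0]
            }
        }
    }
    finally {
        # SearchResultCollection holds unmanaged resources until disposed
        $results.Dispose()
    }

    # whenChanged is not replicated between domain controllers: each DC stamps
    # the time it applied the change, so values can differ per DC.
    # Use -Server to pin weekly runs to the same DC for comparable results.
    $rows | Sort-Object WhenChanged -Descending
}

# Usage:
# Get-ExchangeConfigChange -Days 7 | Format-Table Name, Class, WhenChanged -AutoSize
```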

 

Forefront Security for Exchange and Multiple Engines

It took ages to find some decent information, so this is what I found out ..


Forefront Security for Exchange Server integrates and ships with industry-leading antivirus scan engines from:


Figure 1: Forefront for Exchange Antivirus Engines

Each scan job in Forefront Security for Exchange Server can run up to five engines simultaneously


Figure 2: Multiple Engines

Why Multiple Engines

One of the most important factors in the successful protection of your network against viruses is how fast you get new virus engine signature files. Email allows viruses to be spread in a matter of hours, and a single email virus is enough to infect your whole network. So a critical factor is how fast the signature files of your anti-virus solution are updated when a new virus emerges.

Every anti-virus vendor in the market claims to have a fast response time. Anti-virus labs produce updates for virus and worm outbreaks at different intervals. For example, the same lab may produce an update for one virus within six hours, yet take 18 hours for the next one.

The problems with a single antivirus engine approach originate from having only one system in place to identify threats – no engine is immune to vulnerability. Although the signature files used by an engine to identify viruses are generally updated several times a day, they are often released after a new virus has already hit and damage has been done. Even if an engine is 99.9 percent effective, it only takes one infection to cost an organization hundreds of thousands of dollars in lost productivity and downtime.

Forefront Security for Exchange provides the capability to use multiple anti-virus engines and allows you to concurrently run up to 5 of the included Microsoft and third-party anti-malware engines. Using multiple scan engines delivers several critical advantages:

  • It increases the chances that emerging threats will be quickly caught.
  • It provides redundancy to help protect against scan failures or defects in individual engines; if an engine fails, other engines continue scanning messages.
  • It gives administrators an effective way to choose the most appropriate level of protection for their environment given their security needs and server performance capabilities.
  • It allows engines to be taken offline for updates or reconfiguration without forcing messages to be queued.

A recent set of tests performed by the independent AV-Test.org group found some surprising differences in signature update times from various vendors.

The tests compared AV lab response times for 68 “In the Wild” viruses and variants that appeared from April – June 2007. (The tests used five randomly chosen Forefront engines versus three single-engine vendors.)

The results showed that 37 viruses were proactively detected by all labs, while 23 viruses showed significant variations in detection times.

Forefront engine sets performed much better when compared to the three leading competitors tested – both the competitors’ release and beta engines (the data in this table include beta engines’ times).


Figure 3: Multiple Antivirus Engines

All the scan engines that FSE integrates have been certified by at least one of the following organizations: West Coast Labs, ICSA Labs, or Virus Bulletin.

Bias

When using Multiple Antivirus engines with Forefront for Exchange, you can control how many engines are needed to provide an acceptable probability that the system is protected.

The Forefront for Exchange Server Multiple Engine Manager (MEM) controls the selected engines during the scan job. It ranks each engine based on its past performance and its age, and uses the engine results to decide the likelihood that a particular message or file contains a virus. If any of the engines used in a scan detect something, FSE considers the item infected and has the MEM deal with it accordingly.

The more engines you use, the greater the probability that all viruses will be caught. However, the more engines you use, the greater the impact on your system’s performance. Microsoft recommends FAVOR CERTAINTY, which is the default setting, and MAX CERTAINTY where possible.

| Bias Setting | Description |
|---|---|
| Max Certainty | Each item is virus-scanned by all five of the selected engines |
| Favor Certainty | Fluctuates between virus scanning each item with three and five engines |
| Neutral | Each item is virus-scanned by at least three engines |
| Favor Performance | Fluctuates between virus scanning each item with one and three engines |
| Max Performance | Each item is virus-scanned by only one of the selected engines |

Virus Scanning and Exchange 2007 Message Flow

I have been wanting to post this for a while, but you know how things are … comments and views please ..


Message flow within an Exchange Server 2007 organization is based on the server roles. In a single AD site, all messages flow between the Mailbox and Hub Transport server roles.

1.1.1 How messages flow within a single site

When a user sends a message to a user who has a mailbox on an Exchange server in the same Active Directory site, the following steps occur:

1. If the user is using a MAPI client such as Outlook, the message is submitted to the computer running the Mailbox server role.

2. The message is forwarded to a computer running the Hub Transport server role using a MAPI connection. The Hub Transport server applies transport rules, expands any distribution lists, and determines where to route the message.

3. The message is routed to the Mailbox server and the client is notified that the message has arrived.

4. Outlook Web Access and Exchange ActiveSync always connect to the Client Access server role and submit messages through the Client Access server role. After the message is submitted, the message flow continues as described previously.


Figure 1: Steps 1 to 3

Figure 2: Step 4

1.1.2 How messages are routed to the Internet

5. If you have deployed an Edge Transport server, all messages sent to the Internet or received from the Internet are passed through the Edge Transport server. For outbound messages, the computer running the Hub Transport server role forwards the messages to the computer running the Edge Transport server role, which applies transport rules and filtering for outbound e-mail, and then forwards the messages to the Internet. Inbound messages are sent to the Edge Transport server, which applies message filtering, and then forwards the messages to the Hub Transport server.


Figure 3: Step 5

1.2 Anti Virus Scanning

Exchange 2007 can virus scan messages on an Exchange 2007 server with either a Mailbox or Hub Transport role installed.

1.2.1 Exchange Server-based solutions.

Microsoft recommends that you install server-side antivirus software on every Mailbox server and Hub Transport server in your organization. On Mailbox servers, antivirus software scans mailbox and public folder databases. On Hub Transport servers, antivirus software scans messages as they are sent between users. You also can deploy spam filters on Hub Transport servers to filter messages for spam sent inside your organization.

1.2.2 Exchange Server 2007 Antivirus Features

Viruses often spread between organizations via e-mail. By stopping all messages that contain viruses at your messaging environment’s perimeter, you can better protect your organization. If infected messages get into the organization, it is important that the virus is detected as soon as possible. To achieve this goal, Exchange Server 2007 includes the following virus protection improvements:

  • Continued support of the Virus Scanning API (VSAPI). In Exchange Server 2007, Microsoft has maintained support for the same VSAPI used in Exchange Server 2003. This VSAPI will be used by any antivirus software that runs on Mailbox servers.
  • Use of transport agents to filter and scan messages. Exchange Server 2007 introduces the concept of transport agents, such as the attachment filtering agent, to reduce spam and viruses. By running attachment filtering on the Edge Transport or Hub Transport servers, you can reduce the spread of malware attachments before they enter the organization. Additionally, third-party vendors can create transport agents that perform virus scans. Because all messages must be passed through a Hub Transport server, this is an efficient and effective means to scan all messages in transit inside the organization.
  • Use of antivirus stamping. Antivirus stamping reduces how often a message is scanned as it moves through an organization. After a message has been scanned once, the message is stamped with information that specifies the version of the antivirus software that performed the scan and the results of the scan. This antivirus stamp travels with the message as it is routed through the organization, and also is used to determine whether additional virus scanning must be performed on a message.

1.3 What to scan?

If you are using Exchange 2007, with no external access to OWA or Outlook, and you have desktop antivirus software, then it is reasonable to only virus scan on servers with the Hub role.

Only scanning on Hub servers will not prevent a virus being saved into a mailbox, but will protect from its proliferation around the messaging system.

If however, a client can access a server from outside an organisation where you cannot verify the client will have antivirus software, then you should install antivirus on mailbox role servers too.

Virus scanning on a mailbox role will increase the memory and CPU usage of a server.

Update Rollup 4 for Exchange Server 2007 Service Pack 1 (KB952580)

After a false start, RU4 is now available here: http://www.microsoft.com/downloads/details.aspx?FamilyID=8b492ed2-ea92-412f-a852-3aa1c58d9499&DisplayLang=en .. currently it’s not up on Windows Update

It has both 32 and 64 bit downloads and the related KB is http://support.microsoft.com/?kbid=952580

As you would expect you get a .msp.  On my 64bit vm, it took 46 minutes to install, finishing with the usual :

Event Type:    Information
Event Source:    MsiInstaller
Event Category:    None
Event ID:    1022
Description:
Product: Microsoft Exchange Server – Update ‘Update Rollup 4 for Exchange Server 2007 Service Pack 1 (KB952580) 8.1.311.3’ installed successfully.

Event Type:    Information
Event Source:    MsiInstaller
Event Category:    None
Event ID:    11728
Description:
Product: Microsoft Exchange Server — Configuration completed successfully.

And again, as usual, the rollup appears in Add/Remove Programs (with Show updates ticked)


So version 1 lists this lot: .. what is interesting is that it looks like they have added functionality to web services! (check out the last two in the list)

Update Rollup 4 for Exchange Server 2007 SP1 fixes the issues that are described in the following Microsoft Knowledge Base articles:

  • 942649 Description of the commands that support the UseRusServer option that is imported in Update Rollup 4 for Exchange Server 2007 Service Pack 1
  • 944831 You cannot configure Exchange Server 2007 so that the simple display name appears in outgoing messages
  • 945854 A meeting reminder is still active when you configure Outlook to send no reminders to an Exchange Server 2007 user
  • 945870 TAB symbols may be converted incorrectly to spaces in Exchange Server 2007
  • 948896 Certificates that contain wildcard characters may not work correctly on an Exchange 2007 Service Pack 1-based server
  • 948897 An attachment incorrectly appears as the body of the e-mail message in an Exchange Server 2007 environment
  • 948923 Users do not receive information in DSN messages in Exchange Server 2007 with Service Pack 1
  • 949512 An embedded message is removed from the attachment list on Exchange Server 2007 if the embedded message subject ends with .com, .exe, or any other blocked extension
  • 949782 An In-Policy request that is forwarded to delegate appears as an Out-Of-Policy request if a user submits an In-Policy meeting request against a room mailbox of Exchange Server 2007
  • 949858 The provisioning process is unsuccessful when you use Identity Lifecycle Manager (ILM) 2007 to provision user objects to an Exchange Server 2007 resource forest
  • 949926 Error when you use an IMAP4 client or a POP3 client to log on to a delegate mailbox of Exchange Server 2007: “800cccd1”
  • 950076 After you move a mailbox from Exchange Server 2003 to Exchange Server 2007 Service Pack 1, you cannot edit rules in Outlook Web Access
  • 950081 Error message when users use an SMTP client to send e-mail messages in Exchange Server 2007 Service Pack 1: “454 4.7.0 Temporary authentication failure”
  • 950138 You are prompted for your credentials three times and you receive an error message when you use the Outlook Anywhere feature to connect to an Exchange Server 2007 Service Pack 1–based server that is running Windows Server 2008
  • 950198 You can enable AfterConversion snapshot for all messages if pipeline tracing and Content Conversion Tracing are enabled
  • 950235 The IMAP4 or POP3 worker process may stop responding on an Exchange 2007 CAS role when you use an IMAP4 client or a POP3 client to connect the Exchange 2007 CAS role to your mailbox
  • 950409 The reminder is triggered earlier than expected when an Exchange Server 2007 server receives an iCalendar meeting request message over an SMTP server
  • 950622 Messages are converted to a very small font size in Outlook Web Access and in Outlook 2003 when you use Exchange Server 2007
  • 950976 Event ID 115 may be logged intermittently on a computer that is running Exchange Server 2007 with Service Pack 1
  • 951067 Event ID 7034 may be logged in the Application log in Exchange Server 2007 when an MAPI application tries to access a mailbox in a certain way
  • 951156 The message body of appointments is garbled after you use a mobile device to synchronize appointments that were created in Outlook Web Access on Exchange 2007
  • 951251 A MAPI application does not work correctly if Exchange 2007 is installed on a Windows Server 2008 server
  • 951594 The W3svc log reports the incorrect number of attachments on an Exchange Server 2007 server that has deployed Exchange ActiveSync Service (EAS)
  • 951747 An error occurs when you use the Export-mailbox or Restore-mailbox command to migrate certain mailboxes on Exchange Server 2007: “error code -1056749164”
  • 951864 Some users must enter their credentials when they access rights-protected messages even though you have deployed the Rights Management Services (RMS) prelicensing agent on an Exchange Server 2007 Service Pack 1-based server
  • 952152 The Autodiscover service for ActiveSync in an Exchange 2007 environment does not work for users in sites that do not have the ExternalURL property set
  • 952250 You encounter a long delay for each mailbox when you run the “Move-Mailbox” or “Set-Mailbox” command on an Exchange Server 2007 computer
  • 952682 Log file drives on the SCR target may eventually fill up and cause replication failure in Exchange Server 2007 Service Pack 1
  • 952924 Error message when Exchange users try to access public folders that are hosted on Exchange Server 2003 by using Outlook Web Access for Exchange Server 2007: “Outlook Web Access is unable to open public folders”
  • 953312 The “Open Message In Conflict” button is not available in the conflict notification message for Exchange Server 2007 users
  • 954058 You can change the method for transfer encoding after you apply Update Rollup 5 for Exchange Server 2007 Service Pack 1
  • 954205 Event ID 1113 is logged in the Application log on a Unified Messaging (UM) server when users contact the UM server by using secured connections
  • 954237 The IMAP service crashes intermittently on Exchange 2007, and Event ID 5000 is logged
  • 955208 Event ID 5000 occurs when the Exchange IMAP4 worker process crashes intermittently in Exchange Server 2007
  • 956775 CopyItem and MoveItem Operations in Exchange Web Services can return the Item ID after you install Update Rollup 4 for Exchange Server 2007 Service Pack 1
  • 957133 Description of improvements in functionality that occur in Exchange Web Services operations after you install Update Rollup 4 for Exchange Server 2007 Service Pack 1