Microsoft #Forefront Protection for Exchange Server detected a virus


Been seeing a lot of these this week, all with different senders

Microsoft Forefront Protection for Exchange Server has detected a virus.
Virus name: "Trojan-Spy.HTML.Fraud.gen"
File name: "Body of Message"
State: "Removed"
Subject line: "FW: Receipt for Your Payment to"
Sender: "Jacki Seers"
Scan job: "Transport"

Thankfully Forefront removes it! ;-)

Forefront for Exchange Kaspersky Engine

#Exchange2010 #Exchange

Been getting a lot of errors over the past couple of weeks with the Kaspersky engine not updating:

Log Name:      Application
Source:        GetEngineFiles
Event ID:      6012
Task Category: Engine Error
Level:         Error
Microsoft Forefront Protection encountered an error while performing a scan engine update.
   Scan Engine: Kaspersky
   Error Code: 0x80004005
   Error Detail: Description: An error occurred while loading the scan engine.

Found this:

The resolution works a dream:

Under C:\ProgramData there is a folder called "KasperSky SDK" (you will have to enable viewing of hidden files to see it)

Rename the folder, for example to "KasperSky SDK.old"

Update "Kaspersky" through the Forefront Console


Virus of the week (2012-01-09)

#Exchange #Exchange2010 #Virus

So this is a summary of what Microsoft Forefront Protection for Exchange Server detected as a virus.


  • Subject line:  "Botanical Gardens Boot Camp NOW STARTING"
  • Subject line:  "Just for Cardholders: Save an extra 10% on select TVs at"
  • Subject line:  "Bank of America Customer Service – Tell us what you think"
  • Subject line:  "PayPal – Your account has been limited!"



  • File name:  "winmail.dat->>1036775_4909136e-c76f-466a-a8fe-a935fb735dbd_TATAAIGFIRSTPLAN.doc"

    Forefront Protection for Exchange

    #Exchange #Exchange2010

    So it’s been annoying me: when Forefront sends you an email, the from address is a bit pants, and I want to change it.  By default it’s ForefrontServerProtection@servername.server.

    I looked around the PowerShell add-in for Forefront and drew a blank, so after a bit of googling I found this:

    Essentially …

    Changing the From address for notifications

    FPE utilizes SMTP messaging for notification purposes, placing the message in the SMTP service Pickup folder and resolving the Exchange name with the Active Directory directory service. By default, the server profile used for identifying notifications is: ForefrontServerProtection@servername.server. However, you can change this server profile by modifying the FromAddress registry value.

    To modify the FromAddress registry value

    Open the Registry Editor and navigate to the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Notifications

    Modify the default value of FromAddress to the sender name you would like. Alphanumeric characters are acceptable. You may also use the at sign (@) or a period (.), but these characters cannot be the first or last character. Any illegal characters will be replaced with an underscore (_).

    You must restart the relevant Microsoft Exchange and Microsoft Forefront Server Protection services in order for this change to take effect.
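
A scripted version of the registry change above, as an added example that is not part of the original post or of Microsoft's documentation: it checks the new value against the character rule quoted above before writing it, so a mistyped address is rejected rather than silently rewritten with underscores. The function names and sample addresses are assumptions, the regex is a strict reading of the quoted rule, and the syntax is kept PowerShell 2.0 compatible.

```powershell
# Registry key and value name as given in the text above.
$KeyPath = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Notifications'

# Hypothetical helper: strict reading of the documented rule.
# Alphanumerics, '@' and '.' only; '@' and '.' may not be first or last.
function Test-FpeFromAddress {
    param([Parameter(Mandatory=$true)][string]$Value)
    return $Value -match '^[A-Za-z0-9]([A-Za-z0-9@.]*[A-Za-z0-9])?$'
}

# Hypothetical helper: validate, record the old value, then write the new one.
function Set-FpeFromAddress {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string]$FromAddress)

    if (-not (Test-FpeFromAddress $FromAddress)) {
        throw "Rejected '$FromAddress': illegal characters would be replaced with '_'."
    }
    if (-not (Test-Path $KeyPath)) {
        throw "Registry key not found: $KeyPath"
    }

    # Keep the previous value so the change can be rolled back.
    $old = (Get-ItemProperty -Path $KeyPath -Name FromAddress `
            -ErrorAction SilentlyContinue).FromAddress

    if ($PSCmdlet.ShouldProcess($KeyPath, "Set FromAddress '$old' -> '$FromAddress'")) {
        Set-ItemProperty -Path $KeyPath -Name FromAddress -Value $FromAddress
    }

    # Read back what is actually stored (unchanged when run with -WhatIf).
    $new = (Get-ItemProperty -Path $KeyPath -Name FromAddress `
            -ErrorAction SilentlyContinue).FromAddress
    New-Object PSObject -Property @{ Previous = $old; Current = $new }
}

# Constructed sample values checked against the rule (no registry access).
'forefront@mail.example.com', '.forefront@example.com', 'fore front@example.com' |
    ForEach-Object { '{0,-30} valid={1}' -f $_, (Test-FpeFromAddress $_) }

# Dry run first, then repeat without -WhatIf from an elevated prompt:
# Set-FpeFromAddress -FromAddress 'forefront@mail.example.com' -WhatIf
```

The services mentioned above still have to be restarted afterwards for the new address to take effect.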