-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2009.1135
  End of life announced for AV engines in Microsoft Forefront and Antigen
                             19 November 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Microsoft Forefront
                      Microsoft Antigen
Operating System:     Windows Server 2003
                      Windows Server 2008
Impact/Access:        Reduced Security -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
Member content until: Saturday, December 19 2009

OVERVIEW

        Microsoft has announced that the AV engines used by its Forefront
        and Antigen products will reach end of life on December 1st 2009. [1]


IMPACT

        Microsoft has provided the following details regarding Antimalware 
        Protection:
        
        "The AhnLab, CA, and Sophos engines will be retired on Dec. 1, 2009.  
        After December 1st, customers will not receive any updates for these 
        retired engines. In order to make sure your Antigen and Forefront 
        products continue to scan efficiently and effectively for malware, any 
        customers running the AhnLab, CA, or Sophos engines must DISABLE these 
        engines before Dec. 1, 2009 and select from the new set of five engines: 
        Authentium, Kaspersky, Microsoft, Norman, and VirusBuster." [1]
        
        "SPECIAL NOTE:  Antigen for SharePoint 8.0 and Antigen for Instant 
        Messaging 8.0 customers: In order to gain access to the new engine set 
        and provide optimal protection for your messaging and collaboration 
        environments, please download the Service Pack 1 releases of these 
        products on the MVLS or VLSC site prior to Dec. 1, 2009.  The updates 
        for the new engine set will use a new update infrastructure as of Dec. 
        31, 2009 - the Service Pack 1 releases will allow you to continue to 
        receive updates correctly from their new location." [1]
        
        Microsoft has provided the following information regarding Antispam 
        Protection:
        
        "The Mail-Filters SpamCure antispam engine will be retired on Dec. 1, 
        2009. Customers using Antigen products for antispam protection must 
        upgrade to the latest service pack releases listed below BEFORE DEC. 
        1, 2009 to maintain their antispam defenses.  This is the only way to 
        gain access to the new Cloudmark engine." [1]


MITIGATION

        The vendor has recommended that the retired engines be disabled, and
        that customers select from the new set of five engines for Antigen
        and Forefront. Additionally, Antigen users should upgrade to the
        latest Service Pack releases. [1]


REFERENCES

        [1] Microsoft Forefront Server Protection Blog
            http://blogs.technet.com/fss/archive/2009/10/21/action-required-by-dec-1-2009-keep-your-protection-current.aspx

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFLBNeNNVH5XJJInbgRAlh2AJ9b5UIp5k1dariulFZgK9Lha71QRgCfZ2p8
gncZt7UorGR86H0durFVLaQ=
=C+JT
-----END PGP SIGNATURE-----