Thursday, 18 April 2013

Forefront Protection 2010 for Exchange Errors 7009 5314 on Windows 2003R2

I've got a customer with:

- Exchange 2007 with the latest updates installed on 2 CAS/HUBs on Windows 2003 R2 and 1 CAS/HUB on Windows 2008 R2, also two clusters (one mailbox, one journaling);
- Forefront Protection for Exchange with Rollup 4.

Until April everything worked perfectly. Now there are many errors:

Event Type:       Error
Event Source:   Microsoft Forefront Protection
Event Category:               Health Status
Event ID:             7009
Date:                    2013-04-17
Time:                    08:39:20
User:                    N/A
Computer:         cas-hub-01
Description:

None of the antimalware engines selected for transport scanning have been initialized.

Event Type:       Error
Event Source:   FSCTransportScanner
Event Category:               Scan Error
Event ID:             5314
Date:                    2013-04-17
Time:                    08:39:20
User:                    N/A
Computer:         cas-hub01
Description:

Could not initialize Spyware Scanner properly.  As a result the system will not function.  Please check the Antispyware engine and signatures.

These errors affect only the CAS/HUBs on Windows 2003R2; they are not present on Windows 2008R2. If I disable the antispyware scan, the errors disappear without a restart of the Transport Service. If I enable it again, the errors appear immediately. Of course, the antispyware engine and signatures are updated.


The biggest problem is with the queue: e-mails are not processed during these errors.

When the traffic is lower, the errors don't appear or appear with very low frequency; during higher load or mass mailings, e-mails wait in the queue and are not processed.

The errors always appear in pairs. On low traffic, one pair of errors every few minutes; on high load, two to three pairs per second.

Now I must investigate the real problem or find some kind of solution.

Tuesday, 16 April 2013

Windows 2008R2 multi-homed Exchange server loses communication

Problem: Exchange 2010 servers lose communication with the domain (with the domain controllers).
Scenario:
  • multi-homed Exchange 2010 servers with two network interfaces: the 1st to communicate with domain controllers, the 2nd to communicate with users;
  • the default gateway is on the 2nd network card, to communicate with users;
  • the 1st NIC has no default gateway; communication with domain controllers is possible via a static route;
  • when some of the domain controllers are disabled (restart or something), some of the Exchange servers lose their connection with the domain controllers;
  • lost communication means everything reachable by routes on the 1st NIC is unavailable; the static routes are present, but Windows 2008 R2 disallows communication; when I remove these routes and add them again, communication returns;
  • important: the firewall is enabled but all communication is allowed.
The error is repeatable. The customer is a big bank with many locations; during this strange behaviour other systems are working fine, and only some of these Exchange servers lose communication, e.g. 5 of 10 Exchange servers can't communicate with the domain controllers and the rest of them still can.

The error disappears when the firewall is disabled, but the company has a policy requiring the firewall to be enabled.

Solution:
The suspected service is Network Location Awareness (NLA), which comes into play when something in the network changes. It discovers that the domain is unavailable (the domain controller used by Exchange services is missing) and tries to switch the network from Domain to... Public, but probably this is not possible (error?).
A similar problem is described in KB980873.

We used the information available on TechNet:
- in the GPO for these servers
- in the section: Computer Configuration | Windows Settings | Security Settings | Network List Manager Policies
- change Location Type from Not configured to Public or Private; do not leave it at the default Not configured.

After the change from Not configured to Public, the problem disappears.

Monday, 15 April 2013

MBSA viewreport error


Microsoft Baseline Security Analyzer - ver 2.1 and 2.2

Error: Unable to get value of the property "text": object is null or undefined.





Solution: open the mbsa file in your favorite editor and analyze the source. At the end of my mbsa files I've got something like this:

    <Composite>42</Composite>
</SecScan>a3949b83a494d724b05812ac559a24c.exe</DownloadURL>< ... and it's not end!!!


Make a copy of your files and remove all the text after </SecScan>. It's a kind of damage inside these mbsa files.
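
The manual fix above as a script, for repairing several reports at once. This is an added example, not part of the original post: the function names, the `.bak` suffix and the BOM-based encoding detection are assumptions. It cuts at the first `</SecScan>`, because the leftover text can itself end with another `</SecScan>`.

```python
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

ROOT_CLOSE = "</SecScan>"  # closing tag of the report root, as shown on the page


def detect_encoding(data: bytes) -> str:
    # Assumption: the report is UTF-16 with a BOM, otherwise UTF-8/ASCII.
    if data.startswith(b"\xff\xfe"):
        return "utf-16-le"
    if data.startswith(b"\xfe\xff"):
        return "utf-16-be"
    return "utf-8"


def split_report(data: bytes) -> tuple[bytes, str]:
    """Return (report up to the FIRST root closing tag, decoded trailing text)."""
    enc = detect_encoding(data)
    marker = ROOT_CLOSE.encode(enc)
    width = 2 if enc.startswith("utf-16") else 1
    pos = data.find(marker)
    while pos != -1 and pos % width:  # a UTF-16 match must be code-unit aligned
        pos = data.find(marker, pos + 1)
    if pos == -1:
        raise ValueError("no </SecScan> closing tag found")
    end = pos + len(marker)
    ET.fromstring(data[:end])  # ParseError here means the damage is elsewhere
    return data[:end], data[end:].decode(enc, errors="replace")


def repair_report(path: str) -> bool:
    """Repair one report in place, keeping a .bak copy; True if it was changed."""
    src = Path(path)
    head, tail = split_report(src.read_bytes())
    if not tail.strip():
        return False  # only whitespace after the root element: file is intact
    shutil.copy2(src, src.with_name(src.name + ".bak"))  # keep the original
    src.write_bytes(head)
    return True


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        print(name, "repaired" if repair_report(name) else "unchanged")
```

A `ParseError` from `split_report` means the file is still not well-formed after the cut, so it is left untouched for manual inspection.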