Realtime Scan Job

 

Applies to: Forefront Security for Exchange Server

The Forefront Security for Exchange Server Realtime Scan Job runs on the Exchange server to provide immediate scanning of e-mail messages that are sent or received by the mailboxes and public folders resident on the server. This method of scanning e-mail messages in real time is the most effective method for stopping the spread of infectious file attachments. The Realtime Scan Job can be configured to scan message bodies as well as attachments. This feature is disabled by default upon installation, but can be enabled by selecting Realtime Body Scanning - Realtime in the General Options work pane. Message body scanning increases the time required to scan messages.

About multiple Realtime processes

During installation, four Realtime Scan Jobs (processes) are created for the Mailbox server. You can create additional Realtime Scan Jobs by changing the value of the General Options setting Realtime Process Count to represent the number of scanning processes you want running per Mailbox server. The maximum is ten.

When multiple realtime processes are running, the first process scans the file unless it is busy, in which case the file is delivered to the second process for scanning. If the second process is busy and a third is enabled, the third process scans the file. Whenever possible, FSE delivers files to the first process if it is available.

Multiple processes increase the load on the server at startup, when the processes are being loaded, and whenever they are called upon to scan a file. More than the default number of processes should not be necessary, except in high-volume environments. Because increasing the number of processes consumes additional server resources, it is best to increase them one at a time, and evaluate the performance at each step.

It is recommended that the number of realtime processes be set to twice the number of effective processors on the server. For example, a two-processor server or a single-processor dual-core server should have the Realtime Process Count set to the default value of 4. If the server contains two processors, each of which is dual core, the recommended setting is 8.

To change the number of realtime processes

  1. In the Forefront Server Security Administrator, in the Shuttle Navigator, select Settings, and then select General Options.

  2. In the Scanning area, choose a suitable value in the Realtime Process Count drop-down box. The maximum value that you can use is 10.

  3. Click Save.

  4. Exit the Forefront Server Security Administrator.

  5. Under Administrative Tools, click Services to open the Service Control Manager, and then restart the Forefront Security for Exchange Server services.

Configuring the Realtime Scan Job

When you configure the Realtime Scan Job settings, select the mailboxes and public folders to be protected, and optionally specify Deletion Text.

To select the mailboxes and set the deletion text

  1. From the SETTINGS section of the Shuttle Navigator, select Scan Job. The Scan Job Settings work pane appears.

  2. In the top portion of the work pane (which contains a list of configurable scan jobs), select the Realtime Scan Job.

  3. In the Scan portion of the work pane, select the mailboxes and public folders to be protected. For more information, see About mailboxes and public folders.

  4. Optionally, you can specify Deletion Text, which is used to replace the contents of an infected file during a delete operation. The default deletion text informs you that an infected file was removed, along with the name of the file and the name of the virus found. To create your own custom message, click Deletion Text.

    Note

    FSE provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. For more information about this feature, see Keyword substitution macros.

  5. Click Save to save your scan job configuration.

Configuring antivirus settings

There are various settings that you can adjust for the Realtime Scan Job. These include file scanner selection, bias, action, notifications, and quarantining.

To configure antivirus settings

  1. In the SETTINGS section of the Shuttle Navigator, click the Antivirus icon. The Antivirus Settings work pane appears.

  2. In the list in the top pane, select the Realtime Scan Job. The current settings are displayed in the bottom half of the work pane.

  3. In the list of available third-party scanners in the File Scanners section, choose the file scanning engines. To disable virus scanning while retaining the ability to run File Filtering and Content Filtering, clear the Virus Scanning check box in the Run Job work pane of the OPERATE section of the Shuttle Navigator for the Realtime Scan Job.

  4. In the Bias field, select the bias to control how many engines should be used to provide you with an acceptable probability that your system is protected. For more information, see Multiple scan engines.

  5. In the Action field, select the action that you want Forefront Security for Exchange Server to perform when a virus is detected. The action choices are:

    Skip: detect only

    Make no attempt to clean or delete. Viruses are reported, but the files remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.

    Clean: repair attachment

    Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the Deletion Text.

    Delete: remove infection

    Delete the attachment without attempting to clean it. The detected attachment is removed from the message and the Deletion Text is inserted in its place.

  6. Enable e-mail notifications by selecting Send Notifications. This setting does not affect reporting to the Incidents log. In addition, you must also configure the notifications (see E-mail notifications). Notifications are disabled by default.

  7. Enable or disable the saving of attachments detected by the file scanning engine by selecting or clearing Quarantine files. Quarantining is enabled by default. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.

  8. Click Save to save your antivirus settings.

Note

The Realtime Scan Job settings are also used by Background Scanning.

Editing the Realtime Scan Job

Select the Realtime Scan Job in the Scan Job Settings work pane. The changes that are made to the lower portion of the Scan Job Settings work pane apply to the scan job currently selected in the job list. Making any change to the configuration activates the Save and Cancel buttons. If you make a change to a scan job and try moving to another scan job or shuttle icon without saving it, you are prompted to save your changes.

Controlling the Realtime Scan Job

To control the Realtime Scan Job, click OPERATE in the Shuttle Navigator, and then click the Run Job icon. The Run Job work pane appears.

Select the Realtime Scan Job in the list at the top of the Run Job work pane. The bottom portion of the Run Job work pane shows the status and results of the currently selected scan job.

Enabling and disabling the Realtime Scan Job

With the Realtime Scan Job selected, the Enable and Bypass buttons control the operation of the job.

Selecting virus scans, file filtering, and content filtering

The Realtime Scan Job can scan for viruses, perform file filtering or content filtering, or a combination of the three tasks. Use the Virus Scanning, File Filtering, and Content Filtering check boxes to make the appropriate selections. Any change to these settings will be performed immediately, even if the job is currently running.

Checking results and status

The lower window shows the infections or filtered results found by the Realtime Scan Job. These results are stored to disk in the virus log file by the FSCController and are not dependent on the Forefront Server Security Administrator remaining open. The virus log file can be cleared when no longer needed by using the Clear Log button. This does not affect the Incidents log.

A subset of the results can also be deleted by selecting entries in the Folder column (use the mouse or SPACEBAR in combination with the SHIFT or CTRL key). When the desired subset is selected, pressing the DELETE key will remove the subset from the virus log file.

Note

If a large number of entries are selected, the deletion process may take a long time. In this case, a message box appears to ask you to confirm the deletion.

Use the Export button to save the results in formatted text or delimited text format.

At the bottom of the screen, the status of the selected job and the mailbox, folder, or file currently being scanned are reported.

About mailboxes and public folders

Forefront Security for Exchange Server offers flexibility in choosing what mailboxes, public folders, and items to scan with the Realtime Scan Job. You can configure the scan to include all existing and new mailboxes and public folders, or you can build an inclusion list from available mailboxes and public folders.

Note

Mailboxes and public folders with names that are made up entirely of backslashes (\) will not be scanned if Forefront Security for Exchange Server is configured for Selected scanning. If FSE is set to scan all mailboxes or public folders, those that use backslashes or other special characters will be scanned.

In the Scan portion of the Scan Job Settings work pane, mailboxes and public folders each have three selection options:

All

Scan all existing and newly-created mailboxes or public folders.

None

Do not scan any mailboxes or public folders.

Selected

Scan specific mailboxes or public folders. When you choose Selected, the icon underneath the options becomes active. Click this icon to see a listing of mailboxes or public folders on the server.

You can choose each mailbox or public folder to be scanned by clicking its name. You can use the accompanying buttons to select All or None of the mailboxes or public folders. The +/- button inverts the current selection.

Note

Choosing all mailboxes or public folders in the selection pane is not the same as choosing the All option in the previous pane. An inclusion list is built from the selections made here. New mailboxes or public folders that are added after making this selection will not automatically be included.

To return to the main scan selection pane, click the arrow in the upper right corner of the mailbox or public folder selection pane.

About proactive scanning

Microsoft Exchange proactive scanning can be enabled on Public Folder servers to scan files as they are posted to the server and on Mailbox servers to scan sent items. You can enable proactive scanning in one of the following ways:

  • Set the following Exchange DWORD registry value to 1:

    HKEY_Local_Machine\System\CurrentControlSet\Services\MSExchangeIS\VirusScan\ProactiveScanning

    By default, this registry value is set to 0 (proactive scanning is disabled).

  • Check the General Options setting Scan on Scanner Update. When you enable this setting, the Realtime Scan Job rescans previously scanned messages when they are accessed following an engine update. Enabling this setting also automatically sets the ProactiveScanning registry value to 1. However, you may want to enable proactive scanning without rescanning messages after engine updates, since this may impact server performance. In this case, you should simply set the ProactiveScanning registry value to 1, and leave the Scan on Scanner Update setting disabled (this is the default).

About Realtime scan recovery

In the event that the Realtime Scan Job takes longer than a specified amount of time to scan a file (default is 5 minutes or 300,000 milliseconds), the process is terminated and Forefront Security for Exchange Server attempts to restart the service. If successful, real-time scanning resumes and a notification is sent to the administrator stating that the Realtime Scan Job exceeded the allotted scan time and recovered.

When the new real-time scan process starts, the message that caused it to terminate is reprocessed according to the action set in the General Option setting Realtime Scan Timeout Action. For example, if it is set to Delete, Forefront Security for Exchange Server deletes the file, replaces its contents with the Deletion Text for the Realtime Scan Job, logs the information, and quarantines and archives the file. If Forefront Security for Exchange Server again times out while processing the message, the message will be delivered without being scanned. (For more information about General Options, see Forefront Server Security Administrator.)

If the process cannot be restarted, a notification is sent to the administrator stating that the Realtime Scan Job stopped. In this event, real-time scanning for the particular storage group will not function, but the information store will not stop.

The default time-out for message scanning can be modified by creating the DWORD registry value RealtimeTimeout and setting a new time-out. The value is in milliseconds.

If you continue to have time-out problems, you may try increasing the time specified in the RealtimeTimeout registry value. Because this is a hidden registry value, you must create a new DWORD registry value called RealtimeTimeout, set the Base to Decimal, and type the time in milliseconds in the Value data box. Recycle the Exchange and Forefront Security for Exchange Server services for the change to take effect. For more information about registry values, see Registry keys.
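The following PowerShell script is an added example, not part of the Forefront documentation or product. It audits the settings discussed under "About multiple Realtime processes", "About proactive scanning", and "About Realtime scan recovery": it computes the recommended Realtime Process Count from the server's core count, reads the ProactiveScanning value from the Exchange key given above, and reports RealtimeTimeout with its silent default of 300,000 milliseconds when the value has not been created. The Exchange key path comes from this page; $FseKey is a placeholder for the FSE registry key documented under Registry keys, and Get-CimInstance is assumed to be available (Windows PowerShell 3.0 or later).

```powershell
# Added audit example (not FSE's own code). Run on the Mailbox server with
# administrative rights. $FseKey is a placeholder: substitute the FSE registry
# key from the "Registry keys" topic, where RealtimeTimeout is created.
$ExchangeVirusScanKey = 'HKLM:\System\CurrentControlSet\Services\MSExchangeIS\VirusScan'
$FseKey = 'HKLM:\SOFTWARE\<FSE-registry-key-placeholder>'

function Get-RegistryDword {
    param([string]$Path, [string]$Name, [int]$SilentDefault)
    # Silent values behave as their default when absent, so report the default
    # and record whether the administrator created the value explicitly.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = $SilentDefault; Present = $false }
    }
    return [pscustomobject]@{ Value = [int]$item.$Name; Present = $true }
}

function Get-RecommendedRealtimeProcessCount {
    # Page guidance: twice the number of effective processors (cores), never
    # more than the maximum of 10 that General Options allows.
    $cores = (Get-CimInstance -ClassName Win32_Processor |
              Measure-Object -Property NumberOfCores -Sum).Sum
    return [math]::Min(2 * $cores, 10)
}

# ProactiveScanning defaults to 0 (disabled) unless set to 1 or enabled through
# the "Scan on Scanner Update" General Option.
$proactive = Get-RegistryDword -Path $ExchangeVirusScanKey -Name 'ProactiveScanning' -SilentDefault 0
# RealtimeTimeout is hidden: absent means the default of 5 minutes (300,000 ms).
$timeout   = Get-RegistryDword -Path $FseKey -Name 'RealtimeTimeout' -SilentDefault 300000

[pscustomobject]@{
    RecommendedRealtimeProcessCount = Get-RecommendedRealtimeProcessCount
    ProactiveScanning               = $proactive.Value
    RealtimeTimeoutMs               = $timeout.Value
    RealtimeTimeoutExplicitlySet    = $timeout.Present
} | Format-List
```

Compare RecommendedRealtimeProcessCount with the value shown in General Options; if you change either registry value, recycle the Exchange and FSE services as described above.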

Scanning files by type

By default, Forefront Security for Exchange Server is configured to scan all attachments for viruses. To perform scans as quickly and efficiently as possible, however, Forefront Security for Exchange Server can be configured to only scan file attachments that are more likely to contain viruses. It does this by first determining the file type and then by determining whether that file type can be infected with a virus. Determining the file type is accomplished by looking at the file header and not by looking at the file extension. This is a much more secure method because file extensions can be easily spoofed. This check increases Forefront Security for Exchange Server performance while making sure that no potentially infected file attachments pass without being scanned. If you would like Forefront Security for Exchange Server to bypass scanning for file types that are not commonly known to be capable of carrying a virus, set the registry key ScanAllAttachments to 0. (ScanAllAttachments is a "silent" key, that is, if it is not present, its value defaults to 1.)
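The following PowerShell function is an added example, not FSE's own code or signature list: it classifies an attachment from its leading bytes rather than its extension, as this section describes FSE doing, and flags attachments whose extension does not match the detected type. The signature table is a small illustrative set of well-known file headers, and the sample inputs are constructed byte arrays.

```powershell
# Added example (not FSE's own code). Classify by file header, then compare
# the claimed extension with the detected type. Signatures are illustrative.
$Signatures = @(
    @{ Type = 'Windows executable (PE)'; Magic = [byte[]](0x4D, 0x5A); Ext = @('.exe', '.dll', '.scr') }
    @{ Type = 'ZIP archive'; Magic = [byte[]](0x50, 0x4B, 0x03, 0x04); Ext = @('.zip', '.docx', '.xlsx') }
    @{ Type = 'PDF document'; Magic = [byte[]](0x25, 0x50, 0x44, 0x46); Ext = @('.pdf') }
    @{ Type = 'OLE compound (legacy Office)'
       Magic = [byte[]](0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1); Ext = @('.doc', '.xls', '.msi') }
)

function Get-AttachmentTypeByHeader {
    param([byte[]]$Bytes, [string]$FileName)
    $ext = [System.IO.Path]::GetExtension($FileName).ToLowerInvariant()
    foreach ($sig in $Signatures) {
        $m = $sig.Magic
        if ($Bytes.Length -lt $m.Length) { continue }
        $match = $true
        for ($i = 0; $i -lt $m.Length; $i++) {
            if ($Bytes[$i] -ne $m[$i]) { $match = $false; break }
        }
        if ($match) {
            # ExtensionMatches = $false is the spoofed-extension case the page warns about.
            return [pscustomobject]@{
                FileName         = $FileName
                DetectedType     = $sig.Type
                ExtensionMatches = ($sig.Ext -contains $ext)
            }
        }
    }
    # No known header: a scanner configured with ScanAllAttachments=1 still scans it.
    return [pscustomobject]@{ FileName = $FileName; DetectedType = 'Unknown'; ExtensionMatches = $null }
}

# Constructed sample inputs: an MZ header presented as .txt, and a genuine PDF header.
$samples = @(
    @{ Name = 'notes.txt';  Bytes = [byte[]](0x4D, 0x5A, 0x90, 0x00) }
    @{ Name = 'report.pdf'; Bytes = [byte[]](0x25, 0x50, 0x44, 0x46, 0x2D) }
)
$samples | ForEach-Object { Get-AttachmentTypeByHeader -Bytes $_.Bytes -FileName $_.Name } | Format-Table
```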