| Setting | Description |
|---|---|
| Body Scanning – Manual | Enables message body scanning for the Manual Scan Job. Disabled by default. |
| Body Scanning – Realtime | Enables message body scanning for the Realtime Scan Job. Disabled by default. |
| Delete Corrupted Compressed Files | Specifies whether corrupted compressed files are deleted. A corrupted compressed file is an archive or compressed file type that does not conform to the standard of that type. These files usually have incorrectly set internal headers, or the file exceeds the size limit configured for FSE. When a corrupted compressed file is detected, FSE reports it as a CorruptedCompressedFile virus. This option is enabled by default. Quarantining of these files is determined by the individual scan job settings. By default, files identified as corrupted are quarantined. You can also create a new registry key setting named QuarantineCorruptedCompressedFiles to override quarantining for these file types. The DWORD setting must be created and its value set to 0. Note: In addition to CorruptedCompressedFile viruses, this setting also handles these file types: UnwritableCompressedFile, a type of corrupted compressed file whose contents cannot be correctly modified (cleaned or deleted) or correctly inserted back into the archive by the scanners because of the corrupt nature of the file; and UnReadableCompressedFile, a type of corrupted compressed file whose contents cannot be correctly read out of the archive because of the corrupt nature of the archive. |
| Delete Corrupted Uuencode Files | Specifies whether corrupted UUENCODE files are deleted. Typically, a Uuencoded file that FSE is unable to parse is considered corrupted. FSE reports those as a CorruptedCompressedUuencodeFile virus. Enabled by default. |
| Delete Encrypted Compressed Files | Specifies whether an encrypted compressed file with at least one encrypted item within its contents is deleted (encrypted files cannot be scanned by antivirus scan engines). Disabled by default. FSE reports those as an EncryptedCompressedFile virus. |
| Treat ZIP archives containing highly-compressed Files as corrupted compressed | Specifies whether ZIP archives containing highly-compressed files are reported as corrupted compressed. If the archive is reported as corrupted compressed, and if the Delete Corrupted Compressed Files option is enabled, the archive is deleted. If Delete Corrupted Compressed Files is not enabled, the files in the ZIP archive are passed to the virus engines to be scanned, in their compressed form. The ZIP archive itself is also passed to the virus engines. If scanned and no threat is found, the message will be delivered. If a threat can be cleaned, the message will be delivered. If a threat cannot be cleaned, the message will be deleted. If the file is compressed with an unknown algorithm, it is treated as corrupted compressed, regardless of the setting of this option. This option is enabled by default (that is, ZIP archives containing highly-compressed files are treated as corrupted compressed). |
| Treat multipart RAR archives as corrupted compressed | A file within a RAR archive can be compressed across multiple files or parts (hence “multipart”), thereby enabling very large files to be broken into smaller-sized files for ease of file transfer. This option specifies whether RAR archives containing such parts are reported as corrupted compressed. Disabling this option enables you to receive such files. However, in this case a virus may escape detection if it is split across multiple volumes. Therefore, this setting is enabled by default. If the archive is reported as corrupted compressed, and if the Delete Corrupted Compressed Files option is enabled, the archive is deleted. If Delete Corrupted Compressed Files is not enabled, only the RAR archive as a whole is passed to the virus engines to be scanned. If no threat is found when the archive is scanned, the message will be delivered. If a threat is found and can be cleaned, the message will be delivered. If a threat is found and cannot be cleaned, the message will be deleted. Note: If you are using multipart RAR to compress files that exceed 100MB when uncompressed, you should be aware of the registry value MaxUncompressedFileSize. For more information, see Registry keys. |
| Treat concatenated gzips as corrupted compressed | Multiple Gnu zip (gzip) files can be concatenated into a single file. Although FSE recognizes concatenated gzips, it may not recognize individual files split across concatenated gzips. Therefore, FSE treats concatenated gzips as corrupted compressed by default. In combination with the Delete Corrupted Compressed Files option, this default behavior prevents all concatenated gzips from passing through, thereby preventing potential infections. Disabling the Treat concatenated gzips as corrupted compressed option enables you to receive concatenated gzips. However, in this case a virus may escape detection. |
| Scan Doc Files As Containers - Manual | Specifies that the Manual Scan Job should scan .doc files and any other files that use structured storage and the OLE embedded data format (for example, .xls, .ppt, or .shs) as container files. This ensures that any embedded files are scanned as potential virus carriers. This setting does not apply to Office 2007 (OpenXML) files; they are always scanned as containers. For more information about OpenXML files, see File types list. Disabled by default. |
| Scan Doc Files As Containers - Transport | Specifies that the Transport Scan Job should scan .doc files and any other files that use structured storage and the OLE embedded data format (for example, .xls, .ppt, or .shs) as container files. This ensures that any embedded files are scanned as potential virus carriers. For more information about OpenXML files, see File types list. Disabled by default. |
| Scan Doc Files As Containers - Realtime | Specifies that the Realtime Scan Job should scan .doc files and any other files that use structured storage and the OLE embedded data format (for example, .xls, .ppt, or .shs) as container files. This ensures that any embedded files are scanned as potential virus carriers. For more information about OpenXML files, see File types list. Disabled by default. |
| Case Sensitive Keyword Filtering | Specifies that keyword filtering should be case-sensitive. Disabled by default (that is, filtering is not case-sensitive). |
| Fix Bare CR or LF in Mime Headers | Specifies whether FSE should fix bare carriage returns and bare line feeds. This corrects a discrepancy between the MIME header parsing method used by Microsoft Outlook® and Outlook Express and the RFC 822 specification on how "bare carriage return (CR)" (0x0d) and "bare line feed (LF)" (0x0a) are handled in MIME headers. Disabled by default. If enabled, it corrects out-of-compliance MIME messages to be compliant with the RFC 2822 specification, meaning that bare carriage returns and bare line feeds are replaced by a "CR-LF" combination. Messages with bare carriage returns or bare line feeds can be parsed differently by different e-mail clients. By design, FSE parses these messages in the same manner as Microsoft Outlook and Outlook Express. If this feature is enabled, FSE alters these messages to be compliant with the RFC 2822 specification and, as a result, all e-mail clients will parse them in the same manner. If this feature is disabled, e-mail clients other than Microsoft Outlook and Outlook Express may parse messages with bare carriage returns or bare line feeds differently than FSE. Because of this, a virus could avoid detection. To maximize system performance, this feature is disabled by default. If your organization uses e-mail clients that interpret messages with bare carriage returns or bare line feeds differently than Microsoft Outlook and Outlook Express, you should enable this feature for maximum security. |
| Optimize for Performance by Not Scanning Messages That Were Already Virus Scanned - Transport | Configures Forefront Security for Exchange Server to skip scanning for messages that were previously scanned by any instance of Forefront Security for Exchange Server in any configuration. This applies to messages being received on Transport servers that have been scanned by Forefront Security for Exchange Server on another Transport server within the Exchange organization. Enabled by default. |
| Scan on Scanner Update | Causes previously scanned files to be re-scanned when accessed following a scanner update. This setting applies to messages stored on a Mailbox server or a Public Folder server. This setting provides heightened security protection by re-scanning messages that have already been scanned. Messages are re-scanned the first time a mailbox server “on-access” event occurs and during every “on-access” event after the initial one if new virus signatures have been received since the last time the message was scanned. Disabled by default. Caution: When this option is enabled and an engine update occurs while a background scan is in progress, the background scan restarts at the mail that was being scanned. If updates continue to occur before the background scan finishes, the background scan continues to run indefinitely. It is therefore recommended that you do not schedule a background scan for a large dataset if this option is enabled. Important: When this option is enabled, the Mailbox server may experience increased virus scanning, which may impact server performance. Also, be aware that enabling this setting automatically also enables proactive scanning; for more information, see "About proactive scanning" in Realtime Scan Job. Note: Messages retrieved by Microsoft Outlook 2003 or Microsoft Outlook 2007 clients running in cache mode only generate an “on-access” event when they are originally synchronized to the client. They are not re-scanned on the server when the messages are accessed on the local client and retrieved from the cache. To re-scan these already retrieved messages, use the Enable Background Scan if 'Scan on Scanner Update' Enabled option in the Background Scanning section of General Options. If the background scan detects a virus in a message and cleans or purges the message, then the next time the Outlook client re-synchronizes with the server, the already retrieved infected message will be cleaned or purged. |
| Perform Reverse DNS Lookups | Provides the ability to enable reverse DNS lookups for inbound and outbound determination if the Internal Address list contains entries other than the domain name of the server. The inbound or outbound determination is used by keyword and file filtering. When selected (enabled), Forefront Security for Exchange Server uses reverse DNS lookup to get the domain name and make the inbound or outbound determination. If the option is cleared (disabled), Forefront Security for Exchange Server will use the information in the Received header as well as secure routing information from the Exchange Transport Agent to make the inbound or outbound determination. Disabled by default. |
| Purge Message if Message Body Deleted – Transport | Some messages carry viruses in the body of the message file. When all or part of the message body is deleted to remove a virus, Forefront Security for Exchange Server inserts deletion text in its place. If administrators do not want e-mail users receiving cleaned messages that contain deletion text, they can use this setting to purge messages where all or part of the message body has been deleted by Forefront Security for Exchange Server and there are no attachments. Note that if a message contains both HTML and plain text and the HTML is deleted, the message will be purged if this option is selected. Disabled by default. |
| Enable Forefront Security for Exchange Scan | Permits administrators to enable or disable all or selected Forefront Security for Exchange Server jobs. The options are Disable All, Enable Store Scanning (Realtime and Manual), Enable Transport Scanning, and Enable All (the default). After changing this setting, the Forefront Security for Exchange Server services must be recycled. (For more information about recycling the services, see "Recycling the Forefront Security for Exchange Server services" in Forefront Security for Exchange Server Services.) |
| Transport Process Count | Used to change the number of FSCTransportScanning processes that are used by Forefront Security for Exchange Server. The default value is 4. You may create up to 10 Transport processes. After changing this setting, the Forefront Security and Exchange Server services must be recycled. (For more information about this setting, see Transport Scan Job.) |
| Realtime Process Count | Used to change the number of real-time processes that are used by Forefront Security for Exchange Server. The default value is 4. You may create up to 10 real-time processes. After changing this setting, the Forefront Security and Exchange Server services must be recycled. (For more information about this setting, see Realtime Scan Job.) |
| Forefront Manual Priority | Enables administrators to set the CPU priority of manual scans to Normal (the default), Below Normal, or Low, to permit more important jobs to take precedence over manual scans when demands on server resources are high. |
| Engine Error Action | Enables administrators to set the action that Forefront Security for Exchange Server should take if a scan engine error occurs. (Examples include an engine exception, excessive read/write operations, a virus found without a virus name, multiple engine errors, and any other failure code returned by an engine.) The options are: Ignore, which logs the error to the program log; Skip: detect only, which logs the error to the program log and displays an EngineError entry with the state Detected in the UI; and Delete, which logs the error to the program log, deletes the file that caused the error, and displays an EngineError entry with the state Removed in the UI. The file that caused the engine error is always quarantined. The default value is Delete. |
| Illegal MIME Header Action | If Forefront Security for Exchange Server encounters an illegal MIME header during a scan, it can be set to Purge: eliminate message (the default) or to Ignore the message. Illegal MIME headers are messages where the Content-Disposition or Content-Type header is longer than it is supposed to be. Identified messages are quarantined by default. If you do not want identified messages to be quarantined, create a new registry DWORD value named DisableQuarantineForIllegalMimeHeader and set it to 1 to override quarantining. |
| Transport Scan Timeout Action | Indicates what to do in the event that the Transport Scan Job times out while scanning a file. The options are Ignore, Skip: detect only, and Delete. The Ignore setting lets the file pass without being scanned. The Skip setting reports in the Incidents log and the program log that the file exceeded the scan time and lets it pass without being scanned. The Delete setting also reports the event and replaces the contents of the file with the deletion text. A copy of the file is stored in the Quarantine database if quarantining is enabled and the Transport Scan Timeout Action is set to either Skip or Delete. The default value is Delete. |
| Realtime Scan Timeout Action | Indicates what to do in the event that the Realtime Scan Job times out while scanning a file. The options are Ignore, Skip: detect only, and Delete. The Ignore setting lets the file pass without being scanned. The Skip setting reports in the Incidents log and the program log that the file exceeded the scan time and lets it pass without being scanned. The Delete setting also reports the event and replaces the contents of the file with the deletion text. A copy of the file is stored in the Quarantine database if quarantining is enabled and the Realtime Scan Timeout Action is set to either Skip or Delete. The default value is Delete. |
| Quarantine Messages | Forefront Security for Exchange Server performs two different quarantine operations: quarantining of entire messages or quarantining of attachments only. Entire messages are quarantined only for content filters and file filters that are set to Purge when quarantine is enabled. The choices are: Quarantine as Single EML File (the default), where the quarantined message and all attachments are quarantined in an EML file format; and Quarantine Message Body and Attachments Separately, where messages are quarantined as separate pieces (bodies and attachments). For a complete description of this setting, see Quarantine. Note that these settings do not apply to files that are quarantined due to virus scanning. Only infected attachments are quarantined when an infection is detected. |
| Deliver From Quarantine Security | This value gives administrators flexibility for handling messages and attachments that are forwarded from quarantine. The options for this setting are Secure Mode and Compatibility Mode. Secure Mode forces all messages and attachments delivered from quarantine to be re-scanned for viruses and filter matches; this is the default setting. Compatibility Mode enables messages and attachments to be delivered from quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.) Forefront Security for Exchange Server identifies these messages by placing special tag text in the subject line of all messages that are delivered from quarantine. (For more information about using this setting, see Reporting and statistics.) |
| Transport Sender Information | By default, Forefront Security for Exchange Server uses the MIME FROM header sender address for the Transport Scan Job. This setting enables administrators to use the MAIL FROM sender address from the SMTP protocol for the Transport Scan Job. When Use Transport Protocol Mail From is selected, the address in that field is used anywhere the sender address is used, for example, for sender or domain content filtering, notifications, or reporting in the Administrator. The options for this setting are Use MIME From: Header (the default) and Use Transport protocol MAIL FROM. Note that when MIME From is selected and a MIME Sender header is also present, the MIME Sender header information is used. |
| Max Container File Infections | Specifies the maximum number of infections permitted in a compressed file. If this is exceeded, the entire file is deleted and an incident is logged stating that an ExceedinglyInfected virus was found. A value of zero means that a single infection will cause the entire container to be deleted. In this case the logged incident has "Container Removed" appended to the filter match. The default value is 5 infections. |
| Max Container File Size | Specifies the maximum container file size (in bytes) that FSE attempts to clean or repair in the event that it discovers an infected file. The default is 26 MB (26,214,400 bytes). Files larger than the maximum size are deleted if they are infected or meet file filter rules. Forefront Security for Exchange Server reports these deleted files as a LargeInfectedContainerFile virus. |
| Max Nested Attachments | Specifies the maximum number of nested documents that can appear in MSG, TNEF, MIME, and UUEncoded files. Note that for the Realtime Scan Job, a nested MSG file is not treated as a nested file with certain e-mail clients. If the maximum number is exceeded, FSE deletes the document and reports an ExceedinglyNested incident. The default value is 30. |
| Max Nested Compressed Files | Specifies the maximum nesting depth for a compressed file. If this is exceeded, the entire file is deleted and FSE sends a notification stating that an ExceedinglyNested virus was found. A value of zero permits unlimited nesting. The default is 5. |
| Max Container Scan Time (msec) - Realtime/Transport | Specifies the number of milliseconds that the Realtime Scan Job or the Transport Scan Job will scan a compressed attachment before reporting it as a ScanTimeExceeded virus. Intended to prevent denial of service risk from zip of death attacks. The default value is 120,000 milliseconds (two minutes). |
| Max Container Scan Time (msec) - Manual | Specifies the number of milliseconds that the Manual Scan Job will scan a compressed attachment before reporting it as a ScanTimeExceeded virus. Intended to prevent denial of service risk from zip of death attacks. The default value is 600,000 milliseconds (ten minutes). |
| Internal Address | Forefront Security for Exchange Server can be configured to send different notifications to internal and external senders and recipients. If your list of internal names is small, enter the domain names in the Internal Address field, to show who should be sent internal notifications. Domains should be entered as a semicolon delimited list (for example: microsoft.com;microsoft.net;company.com) with no spaces. Any change to this value is immediately reflected in virus notifications. When entering a domain name in the Internal Address field, be aware that its sub-domains are covered by the entry. For example: domain.com includes subdomain.domain.com and subdomain2.domain.com. Alternate domains such as domain.net or domain.org must be entered individually. Values entered in Internal Address are used as a substring match of the end of an e-mail address. For example, “soft.com” would consider “someone@microsoft.com” and “someone@abcdef123soft.com” to be internal addresses. Entries in the Internal Address field must be separated by semicolons (";") and there must be no spaces between the items. If you have a large number of domains to be used as internal addresses, enter them in an external file called Domains.dat, and leave the Internal Address field blank. Domains.dat was created, as an empty file in the DatabasePath directory, during installation. It is a text file, into which you enter all your internal domains, each on a separate line. Unlike the Internal Address field, all sub-domains must be entered individually. In order to use the external Domains.dat file, you must change the value of the UseDomainsDat registry key to 1 (its default value is 0). For more about this key, see Registry keys. Note: The Domains.dat file is reloaded at 02:00 (2:00 A.M.) each day. This is when any changes you make to the file take effect. (For more information about internal addresses and notifications, see E-mail notifications.) |
| Transport External Hosts | If you are using an Edge Transport or Hub Transport to route e-mail into your Exchange environment, you may enter the IP address of the edge transport server so that Forefront Security for Exchange Server will treat all mail coming from that server as inbound when determining which filters and scan jobs to utilize for a message. If you do not enter the IP address of your Edge Transport or Hub Transport, Forefront Security for Exchange Server will use its internal logic to determine if messages are inbound or not. IP addresses should be entered as a semicolon delimited list with no spaces. |
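The end-of-address matching described for the Internal Address field, and the one-domain-per-line Domains.dat file selected by UseDomainsDat, as an added Python model (not FSE's code). It assumes Domains.dat entries match the domain part of the address exactly (which is why sub-domains must be listed individually), and the `overmatches` audit helper is added here to flag entries such as "soft.com" that match beyond a label boundary.

```python
"""Model of how the Internal Address field and Domains.dat classify an
address as internal. Constructed from the documented behaviour; not FSE code."""
from typing import Dict, Iterable, List


def parse_internal_address_field(value: str) -> List[str]:
    """Parse the semicolon-delimited Internal Address value.
    The field must contain no spaces; we reject them rather than guess."""
    if any(ch.isspace() for ch in value):
        raise ValueError("Internal Address must contain no spaces")
    return [entry.lower() for entry in value.split(";") if entry]


def parse_domains_dat(text: str) -> List[str]:
    """Domains.dat: one domain per line, every sub-domain listed individually."""
    return [line.strip().lower() for line in text.splitlines() if line.strip()]


def domain_of(address: str) -> str:
    """Domain part of an e-mail address (text after the last '@')."""
    return address.rsplit("@", 1)[-1].lower()


def is_internal_by_field(address: str, entries: Iterable[str]) -> bool:
    """Internal Address field semantics: substring match on the END of the
    whole address, so 'soft.com' matches both someone@microsoft.com and
    someone@abcdef123soft.com, and 'domain.com' covers sub.domain.com."""
    addr = address.lower()
    return any(addr.endswith(entry) for entry in entries)


def is_internal_by_domains_dat(address: str, domains: Iterable[str]) -> bool:
    """Assumption: a Domains.dat entry matches the domain part exactly."""
    return domain_of(address) in set(domains)


def is_internal(address: str, field_value: str, domains_dat_text: str,
                use_domains_dat: bool) -> bool:
    """Pick the source the way the UseDomainsDat registry key does:
    1 = Domains.dat (field left blank), 0 = Internal Address field."""
    if use_domains_dat:
        return is_internal_by_domains_dat(address, parse_domains_dat(domains_dat_text))
    return is_internal_by_field(address, parse_internal_address_field(field_value))


def overmatches(address: str, entries: Iterable[str]) -> List[str]:
    """Audit helper (added here): entries that mark the address internal by the
    suffix rule although its domain is neither the entry nor a sub-domain of it,
    i.e. the match does not start at a label boundary."""
    dom = domain_of(address)
    return [e for e in entries
            if dom.endswith(e) and not (dom == e or dom.endswith("." + e))]


def audit_field(field_value: str, addresses: Iterable[str]) -> Dict[str, List[str]]:
    """Map each address to the field entries that over-match it (empty = clean)."""
    entries = parse_internal_address_field(field_value)
    return {a: overmatches(a, entries) for a in addresses}
```

Running `audit_field` over a sample of real sender addresses shows which Internal Address entries are classifying unrelated domains as internal; such entries belong in Domains.dat or need their full leading label.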
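The parsing discrepancy behind Fix Bare CR or LF in Mime Headers, as an added Python illustration (not FSE's code): two toy header parsers with different bare-break policies disagree about which headers a constructed message carries until the bare CR and LF bytes are normalised to CRLF. It assumes the header block ends at the first CRLF CRLF and does not claim which policy any particular client uses.

```python
"""Normalise bare CR (0x0d) / LF (0x0a) in a MIME header block to CRLF, and
show why parsers that treat bare breaks differently see different headers.
Constructed model of the documented option, not FSE's implementation."""
import re
from typing import Dict, List, Tuple

# A CR not followed by LF, or an LF not preceded by CR.
BARE_BREAK = re.compile(rb"\r(?!\n)|(?<!\r)\n")

# Constructed sample: one bare LF and one bare CR inside the header block.
RAW_MESSAGE = (
    b"From: a@example.test\r\n"
    b"Content-Type: text/plain\n"
    b"Content-Disposition: attachment; filename=\"x.exe\"\r"
    b"Subject: hi\r\n"
    b"\r\n"
    b"body\r\n"
)


def split_headers(raw: bytes) -> Tuple[bytes, bytes, bytes]:
    """Split at the first CRLF CRLF (assumption). Returns (head, separator, body);
    head keeps its final CRLF so the parts re-join byte for byte."""
    idx = raw.find(b"\r\n\r\n")
    if idx < 0:
        return raw, b"", b""
    return raw[: idx + 2], b"\r\n", raw[idx + 4:]


def fix_bare_breaks(raw: bytes) -> bytes:
    """What the option does when enabled: rewrite bare CR and bare LF in the
    header block as CRLF so the message is RFC 2822 compliant. Body untouched."""
    head, sep, body = split_headers(raw)
    return BARE_BREAK.sub(b"\r\n", head) + sep + body


def parse_headers(head: bytes, bare_breaks_terminate: bool) -> Dict[str, List[bytes]]:
    """Toy header parser with a selectable line-break policy.
    True:  any CR, LF or CRLF ends a header line.
    False: only CRLF ends a line; a bare break stays inside the previous value.
    Folded continuation lines (leading whitespace) are unfolded either way."""
    if bare_breaks_terminate:
        lines = re.split(rb"\r\n|\r|\n", head)
    else:
        lines = head.split(b"\r\n")
    headers: Dict[str, List[bytes]] = {}
    current = None
    for line in lines:
        if not line:
            continue
        if line[:1] in (b" ", b"\t") and current:
            headers[current][-1] += b" " + line.strip()
            continue
        name, _, value = line.partition(b":")
        current = name.strip().lower().decode("ascii", "replace")
        headers.setdefault(current, []).append(value.strip())
    return headers


def parsers_agree(raw: bytes) -> bool:
    """True when both policies extract the same headers from the message."""
    head = split_headers(raw)[0]
    return parse_headers(head, True) == parse_headers(head, False)
```

On the sample, the strict-CRLF policy never sees the Content-Disposition header at all, which is the kind of divergence a scanner and a client must not have between them; after `fix_bare_breaks` both policies agree.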