Chapter 15 - Reporting and statistics overview


Applies to: Microsoft Antigen

Antigen for SMTP Gateways provides a variety of reports designed to help administrators analyze the state and performance statistics of the Antigen services through the Antigen Administrator interface.

About the incidents database

The Incidents database (Incidents.mdb) stores all virus and filter detections for an SMTP server. To view the virus Incidents log, click REPORT in the left navigation shuttle and then click the Incidents icon. The Incidents work pane opens on the right.

The results are stored to disk in the Incidents database by AntigenService and are not dependent on the Antigen Administrator remaining open.

Antigen reports a variety of information in the Incidents work pane. The various values are described in the following table.

| Value | Description |
|---|---|
| Time | Date and time of the incident. |
| State | Action taken by Antigen for SMTP Gateways (for example, Removed or Purged). |
| Name | Name of the scan job that reported the incident. |
| Folder | Name of the folder where the file was found. This column also reports whether a message was inbound or outbound when the SMTP scanner caught it. Messages being relayed through the SMTP server are reported as "inbound and outbound" to distinguish them from ordinary inbound and outbound messages. |
| Message | Subject line of the message, or the name of the file that triggered the incident. |
| File | Name of the attachment in which the virus was found (for example, Eicar.com in the sample entry below), or the name of the file that matched a file or content filter. |
| Incident | Type of incident that occurred, for example VIRUS, FILE FILTER, SENDER FILTER, or SUBJECT FILTER. The type is followed by the name of the virus caught, or by the file or content filter that triggered the event (for example, VIRUS=EICAR test file). |
| Sender Name | Name of the person who sent the infected or filtered message. |
| Sender Address | E-mail address of the person who sent the infected or filtered message. |
| Recipient Name | Names of the people who received the infected or filtered message. |
| Recipient Addresses | E-mail addresses of the people who received the infected or filtered message. |

Note

Antigen for SMTP Gateways keyword filtering scans both the plain text and the HTML body of a message. If a keyword matches in both body parts, Antigen reports two detections, one for the HTML body and one for the plain text body, in the Incidents work pane and in the Quarantine database. Expect such pairs when counting incidents per message.

About VirusLog.txt

Incidents can also be written to a text file called VirusLog.txt, located under the Antigen for SMTP Gateways installation path. To enable this feature, select the Enable Antigen Virus Log check box in the General Options work pane (it is disabled by default).

The following is a sample entry from the VirusLog.txt file:

    Fri Feb 07 12:56:13 2003, "Information: Internet scan found virus:
    Folder: SMTPMessages\Internal
    Message: test4
    File: Eicar.com
    Incident: VIRUS=EICAR test file
    State: Removed"

About Antigen incidents

The following table describes the various reported incidents for Antigen for SMTP Gateways. Many of the reported incidents are generated by Antigen for SMTP Gateways settings that are controlled through the General Options work pane.

| Reported incident | General Options setting | Description |
|---|---|---|
| CorruptedCompressedFile | Delete Corrupted Compressed Files | Antigen for SMTP Gateways has deleted a corrupted compressed file. |
| CorruptedCompressedUuencodeFile | Delete Corrupted Uuencode Files | Antigen for SMTP Gateways has deleted a corrupted UUENCODE file. |
| EncryptedCompressedFile | Delete Encrypted Compressed Files | Antigen for SMTP Gateways has deleted an encrypted compressed file (one whose contents cannot be scanned). |
| EngineLoopingError | Not applicable | Antigen for SMTP Gateways has deleted a file that caused a scan engine to be caught in a read/write loop while scanning or attempting to clean it. |
| ExceedinglyInfected | Maximum Container File Infections | Antigen for SMTP Gateways has deleted a container file that exceeded the maximum number of infections. When the number is exceeded, the entire container is deleted. |
| ExceedinglyNested | Maximum Nested Compressed Files | Antigen for SMTP Gateways has deleted a compressed file that exceeded the maximum number of nested compressed files. When the limit is exceeded, the entire container is deleted. |
| ExceedinglyNested | Maximum Nested Attachments | Antigen for SMTP Gateways has deleted an attachment that exceeded the maximum nesting depth for attachments. When the depth is exceeded, the entire file is deleted. |
| FragmentedMessage | Not applicable | A fragmented SMTP message has been replaced with the fragmented message deletion text. This behavior is enabled by default but can be turned off by setting the registry value MIMEDeletePartialMessages to 0. |
| LargeInfectedContainerFile | Maximum Container File Size | Antigen for SMTP Gateways has deleted a file that exceeded the maximum container size it will attempt to clean or repair. |
| ScanTimeExceeded | Max Scan Time | Antigen for SMTP Gateways has deleted a container file whose scan exceeded the maximum scan time, in milliseconds (msec). |
| UnReadableCompressedFile | Not applicable | Antigen for SMTP Gateways has deleted a compressed file that it could not read. |
| UnWritableCompressedFile | Not applicable | Antigen for SMTP Gateways has deleted a compressed file to which it could not write (for example, during a cleaning operation). |

About event statistics

Antigen maintains three basic groups of statistics:

  • **Event Rate—**Tracks the number of events per second (monitored in Performance Monitor).
  • **Events—**Tracks the number of events for the current Antigen for SMTP Gateways session (the time since the last restart of the Antigen services).
  • **Total Events—**Tracks the total number of events since Antigen for SMTP Gateways was installed or the statistics pane was reset.

Statistics for messages

Several kinds of statistics are maintained for messages:

  • **Messages Scanned—**The number of messages scanned by Antigen for SMTP Gateways since the last restart of the services.
  • **Messages Detected—**The number of messages scanned that contained a virus or matched a file, content, or spam filter since the last restart of the services.
  • **Messages Tagged—**The number of messages tagged by Antigen for SMTP Gateways due to a filter match since the last restart of the services.
  • **Messages Purged—**The number of messages purged by Antigen for SMTP Gateways due to a virus detection or filter match since the last restart of the services. (The action is set to Purge – Eliminate Message, or a worm purge match occurred.)
  • **Total Messages Scanned—**The number of messages scanned by Antigen for SMTP Gateways since the product was installed or since the Statistics pane was last reset.
  • **Total Messages Detected—**The number of messages scanned that contained a virus or matched a file, content, or spam filter since the product was installed or since the Statistics pane was last reset.
  • **Total Messages Tagged—**The number of messages tagged by Antigen for SMTP Gateways due to a filter match since the product was installed or since the Statistics pane was last reset.
  • **Total Messages Purged—**The number of messages purged by Antigen for SMTP Gateways due to a virus detection or filter match since the product was installed or since the Statistics pane was last reset.

Statistics for message attachments

Several kinds of statistics are maintained for message attachments:

  • **Attachments Scanned—**The number of attachments scanned by Antigen for SMTP Gateways since the last restart of the services.
  • **Attachments Detected—**The number of attachments scanned that contained a virus or matched a file, content, or spam filter since the last restart of the services.
  • **Attachments Cleaned—**The number of attachments that were cleaned by Antigen for SMTP Gateways due to a virus infection or filter match since the last restart of the services.
  • **Attachments Removed—**The number of attachments that were removed by Antigen for SMTP Gateways due to a virus infection or filter match since the last restart of the services.
  • **Total Attachments—**The number of attachments scanned by Antigen for SMTP Gateways since the product was installed or since the Statistics pane was last reset.
  • **Total Attachments Detected—**The number of attachments scanned that contained a virus or matched a file, content, or spam filter since the product was installed or since the Statistics pane was last reset.
  • **Total Attachments Cleaned—**The number of attachments that were cleaned by Antigen for SMTP Gateways due to a virus infection or filter match since the product was installed or since the Statistics pane was last reset.
  • **Total Attachments Removed—**The number of attachments that were removed by Antigen for SMTP Gateways due to a virus infection or filter match since the product was installed or since the Statistics pane was last reset.

Event statistics are maintained on a physical basis as well as a logical basis for the SMTP Scan Job. Antigen for SMTP Gateways makes a distinction between the number of times the attachment has been actually scanned (physical), and the number of times the same attachment can potentially be scanned (logical). For example, if three recipients receive the same mail message with one attachment, the attachment will be reported as physically scanned once, and logically scanned three times.

Note

Antigen for SMTP Gateways scans the message body and the attachments, but reports all scanned files as attachments. A single message with one attachment, therefore, will be reported as two attachments in the Statistics work pane.

Resetting statistics

To reset all the statistics for a scan job, click the x next to the scan job's name (Internet) in the Statistics work pane. The following image shows the Statistics work pane.

[Image: the Statistics work pane]

You will be asked to confirm the reset. Clicking Yes resets all the statistics for the selected scan job.

Exporting statistics

To save the report statistics in either formatted text or delimited text formats, click the Export button on the Incidents work pane.

About quarantine

Antigen for SMTP Gateways, by default, creates a copy of every detected file before a clean, delete, or skip action occurs. These files are stored in an encoded format in the Quarantine folder under the Antigen for SMTP Gateways installation folder. Each detected file is saved under the name Filex, where x is the ID number of the file. The actual file name of the detected attachment, the name of the infecting virus or the file filter name, its associated ID value, the subject field of the message, the sender name, the sender address, the recipient names, and the recipient addresses, along with other bookkeeping information, are saved in the file Quarantine.mdb and in the Quarantine folder. The Quarantine database consists of two tables stored inside the Quarantine.mdb file. This database is configured as a system data source name (DSN) with the name Antigen Quarantine. This database can be viewed and manipulated using third-party tools.

About quarantine options

Antigen for SMTP Gateways performs two different quarantine operations: quarantine of entire messages or quarantine of attachments only. Entire messages are quarantined only for content filters, spam filters, and file filters that are set to Purge when quarantine is enabled.

When the General Options setting Quarantine Messages is set to Quarantine as Single EML File, the quarantined messages are quarantined in an EML file format. If you want to view the attachments that are contained inside the EML file, you must save the file from the Quarantine database and use Outlook Express to view the contents of the file. If Outlook Express is not installed on the computer, the message's attachments cannot be easily separated from the EML file for viewing.

If you do not have Outlook Express installed on the server on which you are quarantining messages, you can choose to have messages quarantined in pieces by setting Quarantine Messages to Quarantine Message Body and Attachments Separately. Antigen for SMTP Gateways quarantines messages as separate pieces (bodies or attachments) so they can be viewed more easily after they are saved to disk from the Quarantine database.

Messages that have been quarantined can also be forwarded to a mailbox. When the Quarantine Messages option is set to Quarantine Message Body and Attachments Separately, you must forward each piece of the message that was quarantined if you want the recipient to see the entire contents of the original message. If the Quarantine Messages option is set to Quarantine as Single EML File, only the quarantined EML file needs to be forwarded, and the recipient receives the original message and any attachments as a single attachment to a new message.

Note

These settings do not apply to files that are quarantined due to virus scanning. Only infected attachments are quarantined when an infection is detected.

Quarantine Database Tables

The Quarantine database (Quarantine.mdb) contains the following tables:

  • **HeaderInfo Table—**Contains the quarantine version, the number of quarantined files, and the ID to use for the next quarantined file.

| Field name | Type |
|---|---|
| Version | Int |
| Count | Int |
| NextDetectedId | Int |

  • **Quarantine Table—**Contains all the details for the quarantined message.

| Field name | Type | Size | Description |
|---|---|---|---|
| FileName | Text | 255 | Attachment file name |
| VirusIncident | Text | 255 | Virus name |
| Message | Memo | 5000 | Subject line |
| SenderName | Text | 255 | Sender name |
| SenderAddress | Text | 255 | Sender address |
| RecipientNames | Memo | 255 | Recipient names |
| RecipientAddresses | Memo | 255 | Recipient addresses |
| ccNames | Text | 255 | Cc names |
| ccAddresses | Text | 255 | Cc addresses |
| bccNames | Text | 255 | Bcc names |
| bccAddresses | Text | 255 | Bcc addresses |
| _DateTime | Date/Time | Not applicable | Date and time the file was quarantined |
| DetectedFileId | Int | Not applicable | File ID used to save the renamed quarantined file (for example, File9) |
| ID | AutoNumber | Not applicable | Identifies a row in the table |

An administrator can access the Quarantine work pane to delete or extract stored detected file attachments. To view the Quarantine log, click REPORT in the left navigation shuttle and then click the Quarantine icon. The Quarantine work pane appears on the right.

The quarantine list reports the date the file was quarantined, the name of the file, the type of incident that triggered the quarantine (such as a virus or filter match), the name of the infecting virus or the filter file name, the subject field of the message, the sender name, the sender address, the recipient names, and the recipient addresses.

Saving database items to disk

Use the Save As button on the Quarantine work pane to detach and decode a selected file to disk. You can select multiple items from the quarantine list. Each is saved as a separate file.

About the Deliver button

The Deliver button on the Quarantine work pane enables administrators to deliver quarantined messages to the intended recipients or any other designated recipients. When the Deliver button is clicked, a dialogue box is displayed that enables you to configure the recipients and the delivery action for the message being delivered.

If a single file is selected for delivery, the original recipients populate the To:, Cc:, and Bcc: fields. If multiple files are selected, the recipient fields are initially empty.

There are three choices in the Delivery Action section:

  • Original Recipients—The recipients fields are disabled. Click OK to deliver the selected files to their original recipients.
  • Above Recipients—The recipients fields are enabled and can be changed by the administrator. Click OK to deliver the selected files to the named recipients.
  • Original and Above Recipients—The recipients fields are enabled and the administrator can change them. Click OK to deliver the selected files to both the original recipients and any additional ones entered.

When quarantined messages are delivered to the user’s mailbox, the original message is included as an attachment. When the user opens the attachment, the original message launches within Outlook as a separate message.

About DeliverLog.txt

When a message file is delivered from the Quarantine database, a text file named DeliverLog.txt is created and saved in the folder where Antigen for SMTP Gateways is installed. This file provides a log of the messages and attachments that have been delivered from quarantine, and is the record to consult when you need to know who released a quarantined item to a mailbox.

Forwarding attachments

Attachments that were quarantined by the virus scanner or the file filter can be forwarded.

Forwarding attachments quarantined by the virus scanner

Attachments that were quarantined by the virus scanner cannot be forwarded unless the scan jobs are disabled. Any forwarded attachment that contains a virus is redetected and treated appropriately.

Forwarding attachments quarantined by the file filter

Attachments that were quarantined by the file filter are scanned for filter matches unless the General Options setting Deliver from Quarantine Security is set to Compatibility Mode. This allows messages to be forwarded without being redetected by any of the scan jobs.

To allow attachments to be delivered without being redetected, Antigen for SMTP Gateways adds a special tag to the subject line of the message. You can customize this tag by changing the registry value ForwardedAttachmentSubject, which specifies the tag text used in the subject line. Because this tag is what exempts a delivered message from filter rescanning in Compatibility Mode, change it from the default to a string that is unique to your organization; it can also be translated into a local language.

Note

If the General Options setting Deliver from Quarantine Security is set to Compatibility Mode and the subject line tag text is changed, filters are applied to messages already in the organization that were tagged with old tag text in the subject line if they are scanned again.

Using the ExtractFiles tool

Antigen for SMTP Gateways includes a console tool, ExtractFiles, that enables you to extract all, or a subset, of the quarantined files to a specified directory. ExtractFiles.exe has two required arguments: path and type.

Path—The absolute path of the folder in which to save the extracted quarantined files.

Type—The type of quarantined files to extract. This can be the specific name of a virus, a specific extension, or all quarantined files. For example:

  • Wingtip.Toys—Extracts files that were infected with the virus named Wingtip.Toys.
  • *.doc—Extracts quarantined files having a .doc extension.
  • *.*—Extracts all quarantined files.

This is the syntax of ExtractFiles:

extractfiles path type

Examples include:

  • extractfiles C:\temp\quarantine Wingtip.Toys
  • extractfiles C:\extract\ *.doc

Maintaining the databases

You can also perform other tasks with the Incidents or Quarantine databases. For example, you can clear or move the databases, export or purge database items, filter database views, or change the database compaction time.

Clearing the databases

Over time, you might find that your Incidents and Quarantine databases are becoming very large. Each database (Incidents.mdb and Quarantine.mdb) has a 2 GB limit. When a database is larger than 1.5 GB after being compacted, a notification is sent to all those having a notification role of Virus Administrator, warning that the database is nearing its limit. An administrator can then clear the database to ensure that future incidents and quarantined items will be saved.

The subject line of the message reads:

Microsoft Antigen for SMTP Database Warning

The body of the message reads:

The Microsoft Antigen for SMTP <<database name>> database is greater than 1.5 GB (with a maximum size of 2 GB). Its current size is x GB.

If this database grows to 2 GB, updates to the <<database name>> do not occur.

If for some reason the notification cannot be sent, the failure is ignored and is noted in the program log. One attempt to send the message is made during each compaction cycle for the specific database.

Clearing the incidents database

The Incidents database can be cleared when it becomes too large.

To clear the Incidents database

  1. Click Clear Log on the Incidents work pane on the REPORT shuttle. This clears all the items from the Incidents work pane. You will be asked to confirm your decision.

  2. Select Run Job in the OPERATE shuttle. Select a scan job, and then click Clear Log. This clears the items from the job in the Incidents work pane. Once again, you will be asked to confirm your decision. You must individually clear all scan jobs to have all items flagged for deletion from the database.

After you have cleared the entries in both places, they no longer appear in the Incidents work pane. However, they are actually deleted from the Incidents.mdb database only when it is compacted, which automatically occurs every day at 02:00 (2:00 A.M.).

You can also delete a subset of the results by selecting one or more entries (use the SHIFT and CTRL keys to select multiple entries), and then pressing the DELETE key to remove them from both locations, as indicated above.

Note

If a large number of entries are selected, the deletion process can take a long time. In this case, you are asked to confirm the deletion request.

Clearing the quarantine database

To clear the Quarantine database, click Clear Log on the Quarantine work pane on the REPORT shuttle. This clears all of the items from the Quarantine work pane. You will be asked to confirm your decision.

After you have cleared the entries, they no longer appear in the work pane. However, they are actually deleted from the Quarantine.mdb database only when it is compacted, which automatically occurs every day at 02:00 (2:00 A.M.).

You can also delete a subset of the results by selecting one or more entries (use the SHIFT and CTRL keys to select multiple entries), and then pressing the DELETE key to remove them from the Quarantine listing.

Note

If a large number of entries are selected, the deletion process can take a long time. In this case, you are asked to confirm the deletion request.

Exporting database items

Click Export on the Incidents or Quarantine work panes to save all the results from the Incidents or Quarantine databases as a text file. Clicking Export displays a standard Windows Save dialog box, in which you select a location for the Incidents.txt or Quarantine.txt file, and then choose a format of formatted text or delimited text. Entries in the delimited text format are separated by a vertical bar ( | ).

In addition to the Export button, the Quarantine pane has a Save As button. This is used to detach and decode a selected file to disk. You can select multiple items from the Quarantine list. Each is saved as a separate file.

Purging database items

You can instruct Antigen to remove items from the databases after they are a certain number of days old. The number of days is indicated by the after field on both the Incidents and Quarantine work panes. Each database can have a separate purge value (or none at all). If the purge function is enabled for a database (by means of its associated check box), all files older than the specified number of days are flagged for removal from that database.

To purge database items after a certain number of days

  1. On either the Incidents or the Quarantine work pane in the REPORT shuttle, select the Purge check box. This causes the after field to become available.

  2. In the after field, indicate the number of days after which items will be purged. All items older than that number of days will be deleted from the database. The default is 30 days.

  3. Click Save. Setting or changing the purge value takes effect only after being saved.

To suspend purging, clear the Purge check box. The value in the after field will remain, but no purging will take place until the Purge check box is selected again.

Filtering database views

You can filter the Incidents or Quarantine views to see only certain items. The filter has no effect on the database itself, just on which records are displayed.

To filter the database view

  1. Select the Filtering check box on the Incidents or Quarantine work pane.

  2. Select the item that you want to see with the Col option. Each choice in Col corresponds to one of the columns in the display (for example, State).

  3. In the Filter edit box, type the string specifying your filter view. For example, you can specify to show only those incidents whose State is Purged. You can use wildcard characters. The wildcard characters are those used by the Microsoft Jet database OLE DB driver:

    _ (underscore)—Matches any single character.

    [ ]—Denotes a set or a range. Matches any single character within the specified set (for example, [abcdef]) or range (for example, [a-f]). To filter for multiple days, specify the date using a range. For example, to filter for incidents that occurred between July 20 and July 25, use the following value in the Filter field: 7/2[0-5].

    [!]—Denotes a negative set or range. Matches any single character not within the specified set (for example, [!abcdef]) or range (for example, [!a-f]).

  4. Click Save to apply the filter. The only items that you see now are those that match your parameters.
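The Python script below is an added example, not code from Antigen or its documentation, that applies the same three wildcards offline to a file produced by the Export button described under "Exporting database items" later in this chapter, so that a view filter can be reproduced and checked outside the Administrator (for example, against an export kept for an investigation). Two things are assumptions of ours, not stated in the chapter: that the pipe-delimited export has no header row and its columns follow the Incidents work pane order, and that the filter string is matched against the start of the column value case-insensitively (the chapter's 7/2[0-5] date-range example only works as a prefix match against a Time value such as 7/23/2003 1:05:44 PM). The export lines embedded in the script are constructed test data.

```python
"""Offline equivalent of the Incidents view filter, run over an Export file.

Added example; not code from Antigen or its documentation. Assumptions
(ours, not stated in the chapter): the delimited export has no header row
and its columns follow the Incidents work pane order; the filter string is
matched against the start of the column value (the chapter's 7/2[0-5] date
example only works that way) and is case-insensitive.
"""
import csv
import io
import re

# Incidents work pane column order (assumed to match the export).
COLUMNS = ["Time", "State", "Name", "Folder", "Message", "File", "Incident",
           "Sender Name", "Sender Address", "Recipient Name",
           "Recipient Addresses"]

# Constructed export lines, not a real Antigen Incidents.txt.
SAMPLE_EXPORT = (
    "7/20/2003 9:15:02 AM|Purged|Internet|SMTPMessages\\Inbound|Quarterly numbers"
    "|report.exe|FILE FILTER=*.exe|Alice|alice@example.com|Bob|bob@example.net\n"
    "7/23/2003 1:05:44 PM|Removed|Internet|SMTPMessages\\Inbound|test4"
    "|Eicar.com|VIRUS=EICAR test file|Mallory|mallory@example.org|Bob|bob@example.net\n"
    "7/26/2003 4:30:00 PM|Purged|Internet|SMTPMessages\\Outbound|lunch"
    "|lunch.txt|SUBJECT FILTER=lunch|Bob|bob@example.net|Carol|carol@example.com\n"
    "8/01/2003 8:00:00 AM|Skipped|Internet|SMTPMessages\\Inbound|hi"
    "|hello.doc|FILE FILTER=*.doc|Dave|dave@example.com|Bob|bob@example.net\n"
)


def jet_pattern_to_regex(pattern):
    """Translate the three documented wildcards to a compiled regex.

    _      -> any single character
    [abc]  -> one character from the set (ranges such as [a-f] allowed)
    [!abc] -> one character not in the set
    Every other character is matched literally.
    """
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "_":
            parts.append(".")
        elif ch == "[":
            close = pattern.find("]", i + 1)
            if close == -1:
                raise ValueError("unterminated [ ] in filter: %r" % pattern)
            body = pattern[i + 1:close]
            negate = body.startswith("!")
            if negate:
                body = body[1:]
            if not body:
                raise ValueError("empty [ ] in filter: %r" % pattern)
            # Keep '-' so ranges survive; escape everything else for the regex class.
            body = "".join(c if c == "-" else re.escape(c) for c in body)
            parts.append("[" + ("^" if negate else "") + body + "]")
            i = close
        else:
            parts.append(re.escape(ch))
        i += 1
    # Anchored at the start only: prefix match (assumption, see docstring).
    return re.compile("^" + "".join(parts), re.IGNORECASE)


def parse_export(text):
    """Split a pipe-delimited export into dicts keyed by column name."""
    reader = csv.reader(io.StringIO(text), delimiter="|")
    return [dict(zip(COLUMNS, row)) for row in reader if row]


def filter_view(rows, col, pattern):
    """Return the rows whose column `col` matches the filter `pattern`."""
    rx = jet_pattern_to_regex(pattern)
    return [row for row in rows if rx.match(row[col])]


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for row in filter_view(rows, "Time", "7/2[0-5]"):
        print(row["Time"], row["State"], row["Incident"], sep=" | ")
```

Point `parse_export` at a real Incidents.txt or Quarantine.txt saved in delimited format; if the column order in your export differs from the pane, adjust COLUMNS rather than the filter logic.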

Moving the databases

You can move the Quarantine and Incidents databases. However, for Antigen for SMTP Gateways to function properly, you must move both databases, as well as all related databases and support files.

To move the databases and all related files

  1. Create a new folder in a new location (for example: C:\Moved Databases).

  2. Stop the SMTP and Antigen services.

  3. Copy the Quarantine folder from the Antigen installation folder into the folder created in step 1. (This results in a folder called C:\Moved Databases\Quarantine.)

  4. Move ProgramLog.txt, Incidents.mdb, AntigenHRLog.txt, and all .adb files to the new location (C:\Moved Databases).

  5. Change the DatabasePath value under the following registry key so that it points to the new Quarantine folder location:

    HKEY_LOCAL_MACHINE\Software\Antigen

  6. Restart the services.

Changing the database compaction time

Typically, Antigen runs daily database management functions on the Incidents.mdb and Quarantine.mdb databases. The CompactIncidentDB function and the CompactQuarantineDB function are run to delete old database records and to delete stale Quarantine items.

By default, these functions are run at 02:00 local time. However, you may want to compact the databases at a different time. To run the compaction functions at a different time, you must add a registry entry.

To change the database compaction time

  1. Click Start, click Run, type regedit, and then click OK.

  2. In Registry Editor, expand the following registry subkey.

    HKEY_LOCAL_MACHINE\SOFTWARE\Sybari Software\Antigen for SMTP

  3. On the Edit menu, point to New, and then click String Value.

  4. Type CompactDatabaseTime, and then press ENTER.

  5. Right-click CompactDatabaseTime, and then click Modify.

  6. In the Value data box, type a new value, for example 21:00, and then click OK.

    Note

    Type the time value by using the 24-hour (hh:mm) format. Type the time value based on the local time during which you want the compaction functions to run.

  7. Exit Registry Editor.

  8. Click Start, point to Settings, and then click Control Panel.

  9. Double-click Administrative Tools, and then click Services.

  10. Right-click AntigenService, and then click Restart.

  11. Close the Services Microsoft Management Console (MMC) snap-in.

About Windows Event Viewer

Antigen for SMTP Gateways stores virus detections, stop codes, system information, and other general application events in the Windows application log. Use Windows Event Viewer to access the log.

Additionally, these events are stored in ProgramLog.txt in the Antigen installation directory as a method for logging events when the application log is full.

The ProgramLog.txt file size can be controlled by using the registry key ProgramLogMaxSize. This key specifies in KB the maximum size of the ProgramLog.txt file.

About Performance Monitor

All Antigen for SMTP Gateways virus scan statistics can be displayed using the Performance Monitor (Perfmon.exe) that is provided by Windows and is usually found in Administrative Tools. The performance object is called Antigen Scan.

Reinstalling Antigen performance counters

In the event that the Antigen for SMTP Gateways performance counters are deleted, they can be reinstalled by reinstalling Antigen for SMTP Gateways, or by issuing AntigenPMSetup from a command prompt. The AntigenPMSetup command reinstalls the performance counters without the need to reinstall Antigen for SMTP Gateways.

To reinstall the counters from a command prompt

  1. Open a Command Prompt window.

  2. Navigate to the Antigen installation folder. The default is:

    C:\Program Files\Microsoft Antigen for SMTP

  3. Enter the command: AntigenPMSetup -install
