Chapter 12 - Purging messages infected by worms

 

Applies to: Microsoft Antigen

Antigen for SMTP Gateways enables administrators to configure the SMTP Scan Job to purge messages infected by worms. Worm purging is a powerful feature for containing attacks before they harm your network. Antigen for SMTP Gateways identifies worm messages using a regularly updated worm list titled WormPrge.dat, which is maintained by Microsoft and updated like the antivirus scan engines. The WormPrge.dat file typically contains the names of worms that are reported by the current third-party scan engines. (Note that each scan engine may report the worm name differently.)

Note

The definitions in the worm list differ from the definitions that are used by the antivirus scan engines. The worm list includes generic worm name entries. These entries may help provide more protection against future worms that belong to a worm family that has already been detected. For example, if a new worm named "Win32/abcdef.A@mm" is detected, Antigen updates the worm list to include a generic entry such as "abcdef". This entry covers any new variant of the same worm family, such as Win32/abcdef.M@mm. Because the worm list contains generic worm name entries, it does not have to be updated as frequently as the antivirus scan engines are updated.

Purging by the Internet scanner

When the Internet scanner determines that a message is infected with a worm, it purges the message by deleting it entirely. Purging is handled for both inbound and outbound messages. No message or notification is sent to the intended recipient of the infected message. Messages purged by the Internet scanner are not recoverable.

The Internet scanner can be configured to send notifications to the administrator and the sender by selecting the Send Notifications check box on the File Filtering work pane. It cannot be configured to send notifications to the recipients of purged worm messages, because this would defeat the purpose of purging worm generated messages.

Worm viruses (messages and attachments) that are purged by the Internet scanner are not quarantined even if quarantine is enabled. This prevents the quarantine database from receiving hundreds or thousands of copies of the same message.

Using file filtering to purge worm viruses

To prevent a new worm threat from spreading before a scanner engine is updated, the attachment names for worm generated messages can be placed in the file filter list under the File Filtering work pane. This is done by accessing the File Filtering work pane and adding a new entry to the file names list with Purge: eliminate message as the action.

The file filter is configured to send notifications to the administrator and the sender by default. It cannot be configured to send notifications to the recipients of purged worm messages, because doing so would defeat the purpose of purging worm-generated messages.

Note

When you select the Purge: eliminate message option, the entire message will be deleted and will not be recoverable. It is recommended that you only select this action for the purpose of purging worm messages prior to the release of virus scanner updates.

Quarantining behaves differently for filtered worm messages than for non-worm messages: even if you select Quarantine Message, only the attachment that triggered the filter is quarantined; the message body and any other attachments are deleted. This should not present a problem when using filtering for worm messages, because the message body has no value and should not contain any other attachments.

Using notifications

The Internet scanner can be configured to send distinct notification messages to the administrator when a message is purged. Additionally, notifications can be sent when a message is purged by the file filter. All notifications can be modified as needed in the Notification Setup work pane, described in Chapter 14 - Using e-mail notifications.

Enabling and disabling worm purging

When you install or upgrade Antigen for SMTP Gateways, the worm purge feature is enabled by default. WormPrge.dat is installed in the Antigen\Bin folder, which can be found in the directory where Antigen was installed. To disable the worm purge feature for the Internet Scan Job, you must set up the InternetPurge registry key with a value of 0. For more information about this registry key, see Appendix B - Setting registry keys.

Note

Each time you change this registry value, you must recycle the SMTP Service for the change to take effect.

Updating the worm purge list

As new worm threats are identified, the worm identification list is updated by Microsoft and the new update becomes available for download by the same process that is used for updating virus scan engines. Updates can be performed manually or scheduled. After a successful update, the Wormlist\Bin folder contains the newest version of the WormPrge.dat file and a LastKnownGood folder contains the previous WormPrge.dat file. For more information about how to perform updates, see Chapter 16 - File scanner updating overview.

Creating a custom worm purge list

Administrators can create a custom worm purge list (CustPrge.dat) either to specify additional virus names not already included in the WormPrge.dat file or to create a list that purges all messages that are identified as infected by a virus. Antigen for SMTP Gateways then checks infected messages and files against both the worm purge list and the custom purge list.

To create a custom worm purge list

  1. Create a new folder named CustomList in the following folder:

    Microsoft Antigen for SMTP\Engines\x86\Antigen

  2. Create a text file named CustPrge.dat in the CustomList folder.

  3. Using a text editor, enter the names of the viruses you want purged into CustPrge.dat. Place only a single virus name on each line, followed by a carriage return. These names can be obtained from antivirus engine update notifications or antivirus engine vendor Web sites. Entries can contain asterisk (*) wildcard characters.

     Note   If different antivirus companies refer to the same virus by different names, you should include each of the names in CustPrge.dat to be fully protected.

  4. If you want all virus-infected messages to be purged, enter a single line consisting of just an asterisk (*), followed by a carriage return. This results in all messages identified as infected being purged.

     Note   Because this results in all infected messages being purged and unrecoverable, this procedure is not recommended. Instead, use the Delete or Clean options for non-worm viruses, because these options allow infected messages and files to be quarantined.

  5. Recycle the SMTP services.
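The following is an added example, not Antigen code, that models how the worm purge list and a custom purge list are consulted so the list semantics (generic entries from the note above, wildcard entries and the lone asterisk from this procedure, and purge taking precedence over quarantine) can be tested offline. The matching rules are an assumption, since the page does not spell them out: an entry without an asterisk is treated as a case-insensitive substring of the engine-reported name, an entry containing an asterisk is treated as a glob over the whole name, and a lone asterisk matches every detection. The file and folder names follow the procedure, but the sample worm names are constructed.

```python
"""Model of how a worm purge list is consulted (added example, not Antigen code).

Assumed matching rules, because the documentation does not state them:
 - an entry with no '*' matches as a case-insensitive substring of the
   engine-reported name, so the generic entry "abcdef" covers "Win32/abcdef.M@mm";
 - an entry containing '*' is a glob over the whole reported name;
 - a lone "*" matches every detection, purging all infected messages.
"""
import fnmatch
import os
import tempfile


def write_purge_list(path, names):
    """Write one name per line, each followed by a carriage return (CRLF),
    as step 3 of the procedure requires."""
    with open(path, "w", newline="") as f:
        for name in names:
            f.write(name.strip() + "\r\n")


def load_purge_list(path):
    """Read a purge list back, ignoring blank lines and surrounding whitespace."""
    with open(path, "r", newline="") as f:
        return [line.strip() for line in f if line.strip()]


def entry_matches(entry, reported_name):
    """Assumed rule: substring match without '*', glob match with it.
    Note that fnmatch also treats '[' and '?' specially; escape them if a
    vendor name contains them."""
    e, n = entry.lower(), reported_name.lower()
    if "*" in e:
        return fnmatch.fnmatchcase(n, e)
    return e in n


def is_worm(reported_name, worm_list, custom_list=()):
    """Both WormPrge.dat and CustPrge.dat entries are checked."""
    return any(entry_matches(e, reported_name)
               for e in list(worm_list) + list(custom_list))


def decide_action(reported_name, worm_list, custom_list, configured_action):
    """Purge wins over the configured scan action: purged messages are never
    quarantined, even when quarantine is enabled."""
    if is_worm(reported_name, worm_list, custom_list):
        return "purge"
    return configured_action


def roundtrip_custom_list(names):
    """Write CustPrge.dat into a temporary CustomList folder and read it back,
    returning the parsed entries (a stand-in for the real Antigen folder)."""
    with tempfile.TemporaryDirectory() as tmp:
        custom_dir = os.path.join(tmp, "CustomList")
        os.mkdir(custom_dir)
        path = os.path.join(custom_dir, "CustPrge.dat")
        write_purge_list(path, names)
        return load_purge_list(path)


# Constructed sample lists; the names are illustrative, not real detections.
SAMPLE_WORM_LIST = ["abcdef"]
# Two vendor spellings of the same constructed worm, per the note in step 3.
SAMPLE_CUSTOM_LIST = ["W32/Sample.worm", "Worm.Sample"]

if __name__ == "__main__":
    for name in ["Win32/abcdef.M@mm", "Worm.Sample.B", "Win32/Other.A"]:
        print(name, "->", decide_action(name, SAMPLE_WORM_LIST,
                                          SAMPLE_CUSTOM_LIST, "quarantine"))
```

Because a lone asterisk turns every engine detection into an unrecoverable purge, a list containing only "*" is the case the note under step 4 warns about; the example keeps it as a supported entry so its effect can be checked before such a file is ever placed in the CustomList folder.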
