Chapter 19 - Reporting and statistics overview

 

Applies to: Microsoft Antigen

Topic Last Modified: 2009-02-04

Antigen provides a variety of reports designed to help administrators analyze the state and performance statistics of the Antigen services through the Administrator interface.

The Incidents database (Incidents.mdb) stores all virus and filter detections for a Microsoft® Exchange Server, regardless of which scan job caught the infection or performed the filtering. Antigen collects statistics on a per-storage-group basis for the Manual and Realtime Scan Jobs. To view the virus Incidents log, click REPORT in the left navigation shuttle, and then click the Incidents icon. The Incidents work pane opens on the right.

The results are stored to disk in the Incidents database by the AntigenService service and are not dependent on the Administrator remaining open.

Antigen reports a variety of information in the Incidents work pane. The various values are described in the following table.

 

  • Time: Date and time of the incident.
  • State: Action taken by Antigen.
  • Name: Name of the scan job that reported the incident.
  • Folder: Name of the folder where the file was found. This column also reports whether messages were inbound or outbound when caught by the SMTP scanner. Messages that are being relayed by the SMTP server are reported as inbound and outbound to distinguish them from standard inbound and outbound messages.
  • Message: Subject line of the message or the name of the file that triggered the incident.
  • File: Name of the virus or name of the file that matched a file or content filter.
  • Incident: Type of incident that occurred. For example: VIRUS, FILE FILTER, SENDER FILTER, and SUBJECT FILTER. Each type is followed by either the name of the virus caught, or the file or content filter that triggered the event.
  • Sender Name: Name of the person who sent the infected or filtered message.
  • Sender Address: E-mail address of the person who sent the infected or filtered message.
  • Recipient Name: Names of the people who received the infected or filtered message.
  • Recipient Addresses: E-mail addresses of the people who received the infected or filtered message.

Note:
Antigen keyword filtering scans both plain text and HTML message body content. If Antigen finds a match in both the HTML and the plain text, it will report two detections in the Virus Incidents pane and in the Quarantine database, respectively.

Incidents can also be written to a text file called VirusLog.txt, located under the Antigen for Exchange installation path. To enable this feature, select the Enable Antigen Virus Log check box in the General Options work pane (it is disabled by default).

The following is a sample entry from the VirusLog.txt file:

    Thu. Apr 25 14:12:51 2002 (3184), “Information: Realtime scan found virus:
    Folder: First Storage Group\Usera\Inbox
    Message: Hello
    File: Eicar.com
    Incident: VIRUS=EICAR-STANDARD_AV_TEST_FILE
    State: Cleaned”
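The entry layout shown above is a simple line-oriented format: a header line carrying a timestamp, a process ID and a quoted summary, followed by "Key: Value" lines until the closing quote. As an added example that is not part of the original documentation or of Antigen, the following Python parses entries in that layout into records and tallies them by State, which is the first thing an administrator reviewing the log usually wants. The sample text is constructed to match the layout above; the second entry (a file-filter match), the summary wording used for it, and the function and class names are assumptions for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample modelled on the VirusLog.txt entry shown in the documentation.
# The second entry (a file-filter match) is an assumption about the format, not
# text taken from a real log.
SAMPLE_LOG = (
    "Thu. Apr 25 14:12:51 2002 (3184), \u201cInformation: Realtime scan found virus:\n"
    "Folder: First Storage Group\\Usera\\Inbox\n"
    "Message: Hello\n"
    "File: Eicar.com\n"
    "Incident: VIRUS=EICAR-STANDARD_AV_TEST_FILE\n"
    "State: Cleaned\u201d\n"
    "Thu. Apr 25 14:20:03 2002 (3184), \u201cInformation: SMTP scan found file filter match:\n"
    "Folder: SMTP Messages\\Inbound\n"
    "Message: Quarterly report\n"
    "File: report.exe\n"
    "Incident: FILE FILTER=*.exe\n"
    "State: Purged\u201d\n"
)

# Header line: "<ctime-style stamp> (<pid>), “<summary>:"  (curly or straight quote)
HEADER_RE = re.compile(
    r"^(?P<stamp>[A-Za-z]{3}\.\s+[A-Za-z]{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})"
    r"\s+\((?P<pid>\d+)\),\s+[\u201c\"](?P<summary>.*?):?\s*$"
)
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<value>.*?)\s*$")
CLOSE_QUOTES = "\u201d\""


@dataclass
class VirusLogEntry:
    time: datetime
    pid: int
    summary: str
    fields: dict = field(default_factory=dict)

    @property
    def incident_type(self) -> str:
        """'VIRUS=EICAR-...' -> 'VIRUS'; 'FILE FILTER=*.exe' -> 'FILE FILTER'."""
        return self.fields.get("Incident", "").split("=", 1)[0].strip()

    @property
    def incident_detail(self) -> str:
        """The virus name or filter that follows the '=' in the Incident field."""
        parts = self.fields.get("Incident", "").split("=", 1)
        return parts[1].strip() if len(parts) == 2 else ""


def _parse_stamp(stamp: str) -> datetime:
    # Collapse the double space ctime-style stamps use for single-digit days ("Apr  5").
    return datetime.strptime(re.sub(r"\s+", " ", stamp), "%a. %b %d %H:%M:%S %Y")


def parse_virus_log(text: str) -> list:
    """Split the log text into VirusLogEntry records; stray text is ignored."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            current = VirusLogEntry(
                time=_parse_stamp(header["stamp"]),
                pid=int(header["pid"]),
                summary=header["summary"].strip(),
            )
            entries.append(current)
            continue
        if current is None:
            continue  # text before the first header line
        closed = line[-1] in CLOSE_QUOTES  # closing quote ends the entry
        if closed:
            line = line[:-1].rstrip()
        m = FIELD_RE.match(line)
        if m:
            current.fields[m["key"].strip()] = m["value"]
        if closed:
            current = None
    return entries


def summarize_by_state(entries) -> dict:
    """Count entries per action Antigen took (Cleaned, Purged, ...)."""
    return dict(Counter(e.fields.get("State", "?") for e in entries))


if __name__ == "__main__":
    for e in parse_virus_log(SAMPLE_LOG):
        print(e.time.isoformat(), e.incident_type, e.incident_detail, e.fields.get("State"))
    print(summarize_by_state(parse_virus_log(SAMPLE_LOG)))
```

Because the header regex accepts either curly or straight quotes, the parser works on a log opened in an editor that normalised the quotation marks as well as on the raw file.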

The following table describes the various incidents that Antigen reports. Many of the reported incidents are generated by Antigen settings that are controlled through the General Options work pane.

 

Reported incident (General Options setting): description

  • CorruptedCompressedFile (Delete Corrupted Compressed Files): Antigen has deleted a corrupted compressed file.
  • CorruptedCompressedUuencodeFile (Delete Corrupted Uuencode Files): Antigen has deleted a corrupted compressed Uuencode file.
  • EncryptedCompressedFile (Delete Encrypted Compressed Files): Antigen has deleted an encrypted compressed file.
  • EngineLoopingError (not applicable): Antigen has deleted a file causing a scan engine to be caught in a read/write loop while scanning or attempting to clean a file.
  • ExceedinglyInfected (Maximum Container File Infections): Antigen has deleted a container file that has exceeded the maximum number of infections. When the number is exceeded, the entire container is deleted.
  • ExceedinglyNested (Maximum Nested Compressed Files): Antigen has deleted a compressed file that has exceeded the maximum number of infections. When the number is exceeded, the entire container is deleted.
  • ExceedinglyNested (Maximum Nested Attachments): Antigen has deleted a compressed file that has exceeded the maximum nested depth. When the number is exceeded, the entire file is deleted.
  • FragmentedMessage (not applicable): A fragmented SMTP message has been replaced with the fragmented message deletion text. This setting is enabled by default, but can be turned off by setting the registry value MIMEDeletePartialMessages to 0.
  • LargeInfectedContainerFile (Maximum Container File Size): Antigen has deleted a file that has exceeded the maximum container size that it will attempt to clean or repair.
  • ScanTimeExceeded (Max Scan Time): Antigen has deleted a container file that has exceeded the maximum amount of scan time in milliseconds (msec).
  • UnReadableCompressedFile (not applicable): Antigen has deleted a compressed file that it could not read.
  • UnWritableCompressedFile (not applicable): Antigen has deleted a compressed file to which it cannot write (for example, during a cleaning operation).

Antigen maintains three basic groups of statistics:

  • Event Rate—Tracks the number of events per second (monitored in the Performance Monitor).
  • Events—Tracks the number of events for the current Antigen session (the time since the last restart of the Antigen services).
  • Total Events—Tracks the total number of events since Antigen was installed or the statistics pane was reset.

Several kinds of statistics are maintained for messages:

  • Messages Scanned—The number of messages scanned by Antigen since the last restart of the services.
  • Messages Detected—The number of messages scanned that contained a virus or matched a file, content, or spam filter since the last restart of the services.
  • Messages Tagged—The number of messages tagged by Antigen due to a filter match since the last restart of the services.
  • Messages Purged—The number of messages purged by Antigen due to a virus detection or filter match since the last restart of the services. (Action set to Purge – Eliminate Message or a worm purge match.)
  • Total Messages Scanned—The number of messages scanned by Antigen since the product was installed or since the Statistics pane was last reset.
  • Total Messages Detected—The number of messages scanned that contained a virus or matched a file, content, or spam filter since the product was installed or since the Statistics pane was last reset.
  • Total Messages Tagged—The number of messages tagged by Antigen due to a filter match since the product was installed or since the Statistics pane was last reset.
  • Total Messages Purged—The number of messages purged by Antigen due to a virus detection or filter match since the product was installed or since the Statistics pane was last reset.

Several kinds of statistics are maintained for message attachments:

  • Attachments Scanned—The number of attachments scanned by Antigen since the last restart of the services.
  • Attachments Detected—The number of attachments scanned that contained a virus or matched a file, content, or spam filter since the last restart of the services.
  • Attachments Cleaned—The number of attachments that were cleaned by Antigen due to a virus infection or filter match since the last restart of the services.
  • Attachments Removed—The number of attachments that were removed by Antigen due to a virus infection or filter match since the last restart of the services.
  • Total Attachments Scanned—The number of attachments scanned by Antigen since the product was installed or since the Statistics pane was last reset.
  • Total Attachments Detected—The number of attachments scanned that contained a virus or matched a file, content, or spam filter since the product was installed or since the Statistics pane was last reset.
  • Total Attachments Cleaned—The number of attachments that were cleaned by Antigen due to a virus infection or filter match since the product was installed or since the Statistics pane was last reset.
  • Total Attachments Removed—The number of attachments that were removed by Antigen due to a virus infection or filter match since the product was installed or since the Statistics pane was last reset.

Event statistics are maintained on a physical basis as well as a logical basis for the different Antigen scan jobs. Antigen makes a distinction between the number of times the attachment has been actually scanned (physical), and the number of times the same attachment can potentially be scanned (logical). For example, if three recipients receive the same mail message with one attachment, the attachment will be reported as physically scanned once, and logically scanned three times.

Note:
Antigen scans the message body and the attachments, but reports all scanned files as attachments. A single message with one attachment, therefore, will be reported as two attachments in the Statistics work pane.

To reset all the statistics for a scan job, click the x next to the scan job's name (Internet, Realtime, Manual, or MTA) in the Statistics work pane. The following image shows the Statistics work pane:

[Image: the Statistics work pane]

You will be asked to confirm the reset. Clicking Yes will reset all the statistics for the selected scan job.

To save the report statistics in either formatted text or delimited text formats, click the Export button on the Incidents work pane.

Antigen will, by default, create a copy of every detected file before a clean, delete, or skip action occurs. These files are stored in an encoded format in the Quarantine folder under the Antigen installation folder. Each detected file is saved under the name Filex, where x is the ID number of the file. The actual file name of the detected attachment, the name of the infecting virus or the file filter name, its associated ID value, the subject field of the message, the sender name, the sender address, the recipient names, and the recipient addresses, along with other bookkeeping information, are saved in the file Quarantine.mdb and in the Quarantine folder. The Quarantine database consists of two tables stored inside the Quarantine.mdb file. This database is configured as a system data source name (DSN) with the name Antigen Quarantine. This database can be viewed and manipulated by using third-party tools.

Antigen performs two different quarantine operations: quarantine of entire messages or quarantine of attachments only. Entire messages are quarantined only for content filters, spam filters, and file filters that are set to Purge when quarantine is enabled.

When the General Options setting SMTP Quarantine Messages is set to Quarantine as Single EML File (which applies only to the SMTP Scan Job), the quarantined messages are quarantined in an EML file format. If you want to view the attachments that are contained inside the EML file, you must save the file from the Quarantine database and use Microsoft® Office Outlook® Express to view the contents of the file. If Outlook Express is not installed on the computer, the message's attachments cannot be easily separated from the EML file for viewing.

If you do not have Outlook Express installed on the server on which you are quarantining messages, you can choose to have messages quarantined in pieces by setting SMTP Quarantine Messages to Quarantine Message Body and Attachments Separately. Antigen will quarantine messages as separate pieces (bodies or attachments) so that they can be viewed more easily after they are saved to disk from the Quarantine database.

Messages that have been quarantined can also be forwarded to a mailbox. When the SMTP Quarantine Messages option is set to Quarantine Message Body and Attachments Separately, you must forward each piece of the message that was quarantined if you want the recipient to see the entire contents of the original message. If the SMTP Quarantine Messages option is set to Quarantine as Single EML File, only the quarantined EML file needs to be forwarded, and the recipient will receive the original message and any attachments as a single attachment to a new message.

Note:
These settings do not apply to files that are quarantined due to virus scanning. Only infected attachments are quarantined when an infection is detected.

The Quarantine database (Quarantine.mdb) contains the following tables:

HeaderInfo Table—Contains the quarantine version, the number of quarantined files, and the ID to use for the next quarantined file.

 

Field name (type):

  • Version (Int)
  • Count (Int)
  • NextDetectedId (Int)

Quarantine Table—Contains all the details for the quarantined message.

 

Field name (type, size): description

  • FileName (Text, 255): Attachment file name
  • VirusIncident (Text, 255): Virus name
  • Message (Memo, 5000): Subject line
  • SenderName (Text, 255): Sender name
  • SenderAddress (Text, 255): Sender address
  • RecipientNames (Memo, 255): Recipient names
  • RecipientAddresses (Memo, 255): Recipient addresses
  • ccNames (Text, 255): cc names
  • ccAddresses (Text, 255): cc addresses
  • bccNames (Text, 255): bcc names
  • bccAddresses (Text, 255): bcc addresses
  • _DateTime (Date/Time, not applicable): Date and time file was quarantined
  • DetectedFileId (Int, not applicable): File ID used to save renamed quarantined file (for example, File9)
  • ID (AutoNumber, not applicable): Identifies a row in the table

An administrator can access the Quarantine work pane to delete or extract stored detected file attachments. To view the Quarantine log, click REPORT in the left navigation shuttle, and then click the Quarantine icon. The Quarantine work pane appears on the right.

The quarantine list reports the date the file was quarantined, the name of the file, the type of incident that triggered the quarantine (such as a virus or filter match), the name of the infecting virus or the filter file name, the subject field of the message, the sender name, the sender address, the recipient names, and the recipient addresses.

Use the Save As button on the Quarantine work pane to detach and decode a selected file to disk. You can select multiple items from the quarantine list. Each is saved as a separate file.

The Deliver button on the Quarantine work pane enables administrators to deliver quarantined messages to the intended recipients or any other designated recipients. When the Deliver button is clicked, a dialog box is displayed that lets you configure the recipients and the delivery action for the message being delivered. If a single file is selected for delivery, the original recipients populate the To, Cc, and Bcc fields. If multiple files are selected, the recipients' fields are initially empty.

There are three choices in the Delivery Action section:

  • Original Recipients—The recipients fields are disabled. Click OK to deliver the selected files to their original recipients.
  • Above Recipients—The recipients fields are enabled and can be changed by the administrator. Click OK to deliver the selected files to the named recipients.
  • Original and Above Recipients—The recipients fields are enabled and the administrator can change them. Click OK to deliver the selected files to both the original recipients and any additional ones entered.

When quarantined messages are delivered to the user’s mailbox, the original message is included as an attachment. When the user opens the attachment, the original message launches in Outlook as a separate message.

When a message file is delivered from the quarantine database, a text file named Deliverlog.txt is created and saved in the folder where Antigen is installed. This file provides a log of messages and attachments that have been delivered from quarantine.

Attachments that were quarantined by the virus scanner or the file filter can be forwarded.

Attachments that were quarantined by the virus scanner cannot be forwarded unless the scan jobs are disabled. Any forwarded attachment that contains a virus will be redetected and treated appropriately.

Attachments that were quarantined by the file filter are scanned for filter matches unless the General Options setting Deliver from Quarantine Security is set to Compatibility Mode. This allows messages to be forwarded without being redetected by any of the scan jobs. If you want to run a manual scan and have forwarded attachments redetected, you must set the ManuallyScanForwardedAttachments registry value to TRUE. This value is set to FALSE by default.

To allow attachments to be delivered without being redetected, Antigen adds a special tag to the subject line of the message. You can customize this tag by changing the entry in the registry key value ForwardedAttachmentSubject. This value enables administrators to specify the tag text to use in the subject line. The subject line tag text can be changed to a unique string for the organization or changed into a local language.

Note:
If the General Option Deliver from Quarantine Security is set to Compatibility Mode and the subject line tag text is changed, filters are applied to messages already in the organization that were tagged with old tag text in the subject line if they are rescanned.

By default, a manual scan does not perform file filtering on messages that were forwarded from quarantine. If the ForwardedAttachmentSubject registry key is changed, a manual scan will perform file filtering on messages already in the organization with the subject line that was in this registry key before the change.

Antigen includes a console tool, ExtractFiles, which enables you to extract all, or a subset, of the quarantined files to a specified directory.

This is the syntax of ExtractFiles:

extractfiles Path Type

Path: The absolute path of the folder in which to save the extracted quarantined files.

Type: The type of quarantined files to extract. This can be the specific name of a virus, a specific extension, or all quarantined files. For example:

  • Wingtip.Toys: Extracts files that were infected with the virus named Wingtip.Toys.
  • *.doc: Extracts quarantined files having a .doc extension.
  • *.*: Extracts all quarantined files.

Examples:

    extractfiles C:\temp\quarantine Wingtip.Toys
    extractfiles C:\extract\ *.doc

You can use the ExtractFiles utility as part of a fast mail recovery scenario from quarantine: this only works when choosing the Quarantine as Single EML File option for the SMTP Quarantine Messages setting in General Options. This is helpful when delivering a large amount of quarantined e-mails. Such a situation can arise if there is a change in your company's filtering policy, due to a management request, or if e-mails were accidentally quarantined because of an incorrectly configured filter.

To use the ExtractFiles tool for fast mail recovery
  1. Extract all the files with the *.* syntax described previously. This extracts all quarantined files, both EML files and attachments.

    Note:
    Be sure you understand which EML files you need to deliver.
  2. Copy the needed EML files into the Pickup folder on your Exchange server. Be aware that the usage of this folder is supported only under the following circumstances.

    1. These operations are performed outside of normal business hours.
    2. When copying many .eml files, you must copy them into the Pickup directory in batches. Try 10,000 files and see how long processing takes. There are many factors that can impact how long it takes to process the messages, such as server hardware, the load on the server, the volume of messages being processed, and so on. It may be possible to increase the batch size to 15,000 or 20,000 .eml files, or it may need to be reduced to 5,000 files.

    For basic instructions about the Exchange server Pickup folder, go to the following URL: http://go.microsoft.com/fwlink/?LinkId=140655. If you need further assistance on submitting mail via the Pickup folder, contact Microsoft Help and Support.
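The batching rule in step 2 is easy to get wrong by hand when thousands of files are involved: dropping the next batch into Pickup while Exchange is still working through the previous one makes the processing time impossible to judge. The following Python is an added example, not part of the original documentation or of Antigen: it takes only the .eml files from the ExtractFiles output (attachments extracted alongside them are skipped), applies the operator's own "which EML files do I need to deliver" rule, and copies the files into Pickup one batch at a time, waiting for the folder to drain before each batch. The drain check (treating an empty Pickup folder as "the previous batch has been submitted"), the function names and the constructed sample files in demo_run are assumptions for illustration; the default batch size is the 10,000 the page suggests as a starting point.

```python
import shutil
import tempfile
import time
from pathlib import Path
from typing import Callable, List, Optional


def select_eml_files(extracted_dir: Path,
                     wanted: Callable[[Path], bool] = lambda p: True) -> List[Path]:
    """Only .eml files are candidates for Pickup; attachments that ExtractFiles
    wrote alongside them are ignored. `wanted` is the operator's rule for which
    EML files actually need re-delivery (default: all of them)."""
    return sorted(p for p in extracted_dir.iterdir()
                  if p.is_file() and p.suffix.lower() == ".eml" and wanted(p))


def wait_until_empty(pickup_dir: Path, poll_seconds: float = 5.0,
                     timeout_seconds: float = 3600.0) -> None:
    """Default drain check (assumption): Exchange removes files from Pickup as it
    submits them, so an empty folder means the previous batch has been processed."""
    deadline = time.monotonic() + timeout_seconds
    while any(pickup_dir.iterdir()):
        if time.monotonic() > deadline:
            raise TimeoutError(f"{pickup_dir} did not drain within {timeout_seconds}s")
        time.sleep(poll_seconds)


def deliver_in_batches(extracted_dir: Path, pickup_dir: Path,
                       batch_size: int = 10_000,
                       wait_until_drained: Optional[Callable[[], None]] = None,
                       wanted: Callable[[Path], bool] = lambda p: True) -> List[int]:
    """Copy the selected EML files into Pickup one batch at a time, waiting for
    the folder to drain before each batch. Returns the size of every batch sent,
    which is what you compare against the wall-clock time to tune batch_size."""
    if batch_size < 1:
        raise ValueError("batch_size must be positive")
    wait = wait_until_drained or (lambda: wait_until_empty(pickup_dir))
    files = select_eml_files(extracted_dir, wanted)
    sizes = []
    for start in range(0, len(files), batch_size):
        batch = files[start:start + batch_size]
        wait()  # never add files while Exchange is still working through the last batch
        for src in batch:
            shutil.copy2(src, pickup_dir / src.name)
        sizes.append(len(batch))
    return sizes


def demo_run(n_files: int = 25, batch_size: int = 10) -> List[int]:
    """Offline rehearsal: constructed .eml files in a temporary folder, plus one
    extracted attachment that must be skipped, and a stand-in for Exchange that
    empties Pickup whenever the copier asks whether it has drained."""
    with tempfile.TemporaryDirectory() as tmp:
        extracted = Path(tmp, "extracted")
        pickup = Path(tmp, "Pickup")
        extracted.mkdir()
        pickup.mkdir()
        for i in range(n_files):
            (extracted / f"msg{i:05d}.eml").write_text(
                f"Subject: constructed test {i}\r\n\r\nbody\r\n")
        (extracted / "report.doc").write_bytes(b"not an eml; must not be copied")

        def fake_exchange_drain() -> None:
            for f in pickup.iterdir():
                f.unlink()

        return deliver_in_batches(extracted, pickup, batch_size, fake_exchange_drain)


if __name__ == "__main__":
    print(demo_run())  # constructed run: 25 files in batches of 10
```

On a real server you would call deliver_in_batches with the ExtractFiles output folder and the Exchange Pickup folder and leave wait_until_drained at its default, adjusting batch_size up or down as the page describes once you have timed a first batch.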

You can also perform other tasks with the Incidents or Quarantine databases. For example, you can clear or move the databases, export or purge database items, filter database views, or change the database compaction time.

Over time, you might find that your Incidents and Quarantine databases are becoming very large. Each database (Incidents.mdb and Quarantine.mdb) has a 2 GB limit. When a database is larger than 1.5 GB after being compacted, a notification is sent to all those having a notification role of Virus Administrators, warning that the database is nearing its limit. An administrator can then clear the database to ensure that future incidents and quarantined items will be saved.

The subject line of the message reads:

Microsoft Antigen for Microsoft Exchange Database Warning

The body of the message reads:

The Microsoft Antigen for Microsoft Exchange <<database name>> database is greater than 1.5 GB (with a maximum size of 2 GB). Its current size is x GB.

If this database grows to 2 GB, updates to the <<database name>> will not occur.

If the notification cannot be sent, the failure is ignored and is noted in the program log. One attempt to send the message is made during each compaction cycle for the specific database.

The Incidents database can be cleared when it becomes too large.

To clear the Incidents database
  1. Click Clear Log on the Incidents work pane on the REPORT shuttle. This clears all the items from the Incidents work pane. You will be asked to confirm your decision.

  2. Select Run Job in the OPERATE shuttle. Select a scan job, and then click Clear Log. This clears the items from the job in the Incidents work pane. Once again, you will be asked to confirm your decision. You must individually clear all scan jobs to have all items flagged for deletion from the database.

After you have cleared the entries in both places, they will no longer appear in the Incidents work pane. However, they will actually be deleted from the Incidents.mdb database only when it is compacted, which automatically occurs every day at 02:00 (2:00 A.M.).

You can also delete a subset of the results by selecting one or more entries (use the SHIFT and CTRL keys to select multiple entries), and then pressing the DELETE key to remove them from both locations, as indicated above.

Note:
If a large number of entries are selected, the deletion process can take a long time. In this case, you are asked to confirm the deletion request.

The Quarantine database can be cleared when it becomes too large.

To clear the Quarantine database, click Clear Log on the Quarantine work pane on the REPORT shuttle. This clears all of the items from the Quarantine work pane. You will be asked to confirm your decision.

After you have cleared the entries, they no longer appear in the work pane. However, they are actually deleted from the Quarantine.mdb database only when it is compacted, which automatically occurs every day at 02:00 (2:00 A.M.).

You can also delete a subset of the results by selecting one or more entries (use the SHIFT and CTRL keys to select multiple entries), and then pressing the DELETE key to remove them from the Quarantine listing.

Note:
If a large number of entries are selected, the deletion process can take a long time. In this case, you are asked to confirm the deletion request.

Click Export on the Incidents or Quarantine work panes to save all the results from the Incidents or Quarantine databases as a text file. Clicking Export displays a standard Windows® Save dialog box, in which you select a location for the Incidents.txt or Quarantine.txt file, and then choose a format of formatted text or delimited text. Entries in the delimited text format are separated by a vertical bar ( | ).

In addition to the Export button, the Quarantine pane has a Save As button. This is used to detach and decode a selected file to disk. You can select multiple items from the Quarantine list. Each is saved as a separate file.

You can instruct Antigen to remove items from the databases after they are a certain number of days old. The number of days is indicated by the after field on both the Incidents and Quarantine work panes. Each database can have a separate purge value (or none at all). If the purge function is enabled for a database (by means of its associated check box), all files older than the specified number of days are flagged for removal from that database.

To purge database items after a certain number of days
  1. On either the Incidents or the Quarantine work pane in the REPORT shuttle, select the Purge check box. This causes the after field to become available.

  2. In the after field, indicate the number of days after which items will be purged. All items older than that number of days will be deleted from the database. The default is 30 days.

  3. Click Save. Setting or changing the purge value takes effect only after being saved.

To suspend purging, clear the Purge check box. The value in the after field will remain, but no purging will take place until the Purge check box is selected again.

You can filter the Incidents or Quarantine views to see only certain items. The filter has no effect on the database itself, just on which records are displayed.

To filter the database view
  1. Select the Filtering check box on the Incidents or Quarantine work pane.

  2. Select the item that you want to see with the Col option. Each choice in Col corresponds to one of the columns in the display (for example, State).

  3. In the Filter edit box, type the string specifying your filter view. For example, you can specify to show only those Incidents whose State is Purged. You can use wildcard characters. The wildcard characters are those used by the Microsoft Jet database OLE DB driver. The wildcard characters are:

    _ (underscore)—Matches any single character.

    [ ]—Denotes a set or a range. Matches any single character within the specified set (for example, [abcdef]) or range (for example, [a-f]). To filter for multiple days, specify the date using a range. For example, to filter for incidents that occurred between July 20 and July 25, you would use the following value in the Filter field: 7/2[0-5].

    [!]—Denotes a negative set or range. Matches any single character not within the specified set (for example, [!abcdef]) or range (for example, [!a-f]).

  4. Click Save to apply the filter. The only items that you see now are those that match your parameters.
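The three wildcards above are the only special characters in the filter, so the safest way to reason about what a filter string will select is to translate it into an ordinary regular expression and run it over the rows. The following Python is an added example, not part of the original documentation or of Antigen: it performs that translation (underscore, set or range, negated set or range; everything else literal) and applies the result to constructed Incidents rows, including the 7/2[0-5] date-range case from the text. Whether Antigen compares the filter against the whole value or only its beginning is not stated here; this example anchors the match at the start of the value, which is the reading under which 7/2[0-5] selects full date-and-time entries. Function names, the sample rows and the date format in them are assumptions.

```python
import re
from typing import Dict, List


def jet_pattern_to_regex(pattern: str) -> str:
    """Translate a filter string using the three wildcards described in the
    documentation into a regular expression:
      _        -> any single character
      [set]    -> any single character in the set or range, e.g. [abcdef], [a-f]
      [!set]   -> any single character NOT in the set or range
    Every other character is matched literally."""
    out, i, n = [], 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if ch == "_":
            out.append(".")
            i += 1
        elif ch == "[":
            end = pattern.find("]", i + 1)
            if end == -1:
                raise ValueError(f"unterminated [ in filter {pattern!r}")
            body = pattern[i + 1:end]
            negate = body.startswith("!")
            if negate:
                body = body[1:]
            if not body:
                raise ValueError(f"empty set in filter {pattern!r}")
            # Keep '-' so ranges like a-f survive; escape everything else.
            cls = "".join("-" if c == "-" else re.escape(c) for c in body)
            out.append(("[^" if negate else "[") + cls + "]")
            i = end + 1
        else:
            out.append(re.escape(ch))
            i += 1
    return "".join(out)


def filter_rows(rows: List[Dict[str, str]], col: str, pattern: str) -> List[Dict[str, str]]:
    """Return the rows whose `col` value matches the filter from its start
    (case-insensitive). The anchoring is an assumption, see the lead-in."""
    rx = re.compile(jet_pattern_to_regex(pattern), re.IGNORECASE)
    return [r for r in rows if rx.match(r.get(col, ""))]


# Constructed Incidents rows (not real data); column names follow the
# Incidents work pane, the Time format is an assumption.
SAMPLE_INCIDENTS = [
    {"Time": "7/19/2008 23:58:10", "State": "Cleaned", "Incident": "VIRUS=EICAR-STANDARD_AV_TEST_FILE"},
    {"Time": "7/20/2008 08:12:51", "State": "Purged",  "Incident": "FILE FILTER=*.exe"},
    {"Time": "7/23/2008 14:05:00", "State": "Purged",  "Incident": "SENDER FILTER=*@example.com"},
    {"Time": "7/25/2008 17:40:33", "State": "Skipped", "Incident": "VIRUS=EICAR-STANDARD_AV_TEST_FILE"},
    {"Time": "7/26/2008 02:00:01", "State": "Purged",  "Incident": "SUBJECT FILTER=lottery"},
]


if __name__ == "__main__":
    for col, pat in [("Time", "7/2[0-5]"), ("State", "Purged"), ("State", "[!P]"), ("Incident", "_IRUS")]:
        hits = filter_rows(SAMPLE_INCIDENTS, col, pat)
        print(f"Col={col} Filter={pat!r} -> {len(hits)} row(s): {[r['Time'] for r in hits]}")
```

Running the block shows the point the text makes about ranges: 7/2[0-5] on the Time column selects the 20th, 23rd and 25th but not the 19th or 26th, and [!P] on State is the quickest way to see everything that was not purged.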

You can move the Quarantine and Incidents databases. However, for Antigen to function properly, you must move both databases, as well as all related databases and support files.

To move the databases and all related files
  1. Create a new folder in a new location (for example, C:\Moved Databases).

  2. Stop Exchange and any Antigen services that might still be running after the Exchange server is stopped.

  3. Copy the Quarantine folder from the Antigen installation folder into the folder that was created in step 1. (This results in a folder called C:\Moved Databases\Quarantine.)

  4. Move ProgramLog.txt, Incidents.mdb, AntigenHRLog.txt, and all .adb files to the new location (C:\Moved Databases).

  5. Change the path in the following DatabasePath registry key to point to the new Quarantine folder location:

    HKEY_LOCAL_MACHINE\Software\Antigen

  6. Restart the Exchange services.

Typically, Antigen runs daily database management functions on the Incidents.mdb and Quarantine.mdb databases. The CompactIncidentDB function and the CompactQuarantineDB function are run to delete old database records and to delete stale Quarantine items.

By default, these functions are run at 02:00 local time. However, you may want to compact the databases at a different time. To run the compaction functions at a different time, you must add a registry entry.

To change the database compaction time
  1. Click Start, click Run, type regedit, and then click OK.

  2. In Registry Editor, expand the following registry subkey.

    HKEY_LOCAL_MACHINE\SOFTWARE\Sybari Software\Antigen for Exchange

  3. On the Edit menu, point to New, and then click String Value.

  4. Type CompactDatabaseTime, and then press ENTER.

  5. Right-click CompactDatabaseTime, and then click Modify.

  6. In the Value data box, type a new value, for example 21:00, and then click OK.

    Note:
    Type the time value by using the 24-hour (hh:mm) format. Type the time value based on the local time during which you want the compaction functions to run.
  7. Exit Registry Editor.

  8. Click Start, point to Settings, and then click Control Panel.

  9. Double-click Administrative Tools, and then click Services.

  10. Right-click AntigenService, and then click Restart.

  11. Close the Services Microsoft Management Console (MMC) snap-in.

Antigen stores virus detections, stop codes, system information, and other general application events in the Windows application log. Use Windows Event Viewer to access the log.

Additionally, these events are stored in ProgramLog.txt in the Antigen installation directory as a method for logging events when the application log is full.

The ProgramLog.txt file size can be controlled by using the registry key ProgramLogMaxSize. This key specifies in KB the maximum size of the ProgramLog.txt file.

All Antigen virus scan statistics can be displayed using the Performance Monitor (Perfmon.exe) that is provided by Windows and is usually found in Administrative Tools. The performance object is called Antigen Scan.

In the event that the Antigen performance counters are deleted, they can be reinstalled by reinstalling Antigen, or by issuing AntigenPMSetup from a command prompt. The AntigenPMSetup command reinstalls the performance counters without the need to reinstall Antigen.

To reinstall performance counters from a command prompt
  1. Open a Command Prompt window.

  2. Navigate to the Antigen installation folder (default: C:\Program Files\Microsoft Antigen for Exchange).

  3. Enter the command: AntigenPMSetup -install

 

© 2014 Microsoft