IM Scan Job


Applies to: Forefront Security for Office Communications Server

The Microsoft Forefront Security for Office Communications Server (FSOCS) IM Scan Job scans, in real time, messages and files transferred through the IM server. When messages or files are sent by users, FSOCS intercepts them and scans them for viruses and content, based on the settings configured by the administrator. Messages or files that are found to be infected or that match filters are handled based on the action selected by the administrator.

Configuring the IM Scan Job

Configure the IM Scan Job to specify what combination of inbound, outbound, and internal messages should be scanned. You can optionally specify deletion text.

To configure the IM Scan Job

  1. In the Shuttle Navigator, in the SETTINGS section, select Scan Job.

  2. In the Scan Job Settings pane, in the top portion (which contains a list of configurable scan jobs), select IM Scan Job.

  3. In the Scan Job Settings pane, in the IM Messages section, use the check boxes to select the combination of Inbound, Outbound, and Internal messages to be scanned. For more information, see About message queues.

  4. Optionally, you can specify deletion text, which replaces the contents of an infected file during a delete operation. To view the current text or modify it to create your own custom message, click the Deletion Text button. The default deletion text states that an infected file was removed and gives the name of the file and the name of the virus found.

    Note

    FSOCS provides keywords that can be used in the deletion text field in order to obtain information from the message in which the infection was found. For more information about this feature, see FSOCS keyword substitution macros.

  5. Click Save.

Configuring antivirus settings

There are various settings that you can adjust for the IM Scan Job. These include file-scanner selection, bias, action, notifications, and quarantining.

To configure antivirus settings

  1. In the Shuttle Navigator, in the SETTINGS section, click the Antivirus icon.

  2. In the Antivirus Settings pane, in the list at the top, click IM Scan Job. The current settings are displayed in the bottom half of the pane.

  3. In the File Scanners section, in the list of available third-party scanners, click the file-scanning engines to use. To disable virus scanning while retaining the ability to run filtering, do the following:

    1. In the Shuttle Navigator, in the OPERATE section, click the Run Job icon.
    2. In the Run Job pane, clear the Virus Scanning check box, while leaving some combination of the File Filtering, Content Filtering, and Keyword Filtering check boxes selected.

  4. Select the Bias in order to control how many engines should be used to provide you with an acceptable probability that your system is protected. For more information, see FSOCS multiple scan engines.

  5. Choose the action that you want FSOCS to perform when a virus is detected. The action choices are:

    • Skip: detect only—Make no attempt to clean or delete the infection. Viruses are reported, but the files remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions causes the item to be deleted. For more information about General Options, see FSOCS Forefront Server Security Administrator.
    • Clean: repair attachment—Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, FSOCS replaces the attachment or message body with the deletion text. This is the default setting.
    • Delete: remove infection—Delete the attachment without attempting to clean it. The detected attachment is removed from the message, and the deletion text is inserted in its place.
    • Block—Prevents the IM message or transferred file from reaching the intended recipient.
  6. To enable e-mail notifications, select the Send Notifications check box. This setting does not affect reporting to the Incidents log. You must also configure the notifications themselves (for more information, see FSOCS event notifications). Notifications are disabled by default.

  7. To enable or disable saving infected attachments detected by the file-scanning engines, select or clear the Quarantine Files check box. Quarantining is enabled by default. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.

  8. Click Save.

Editing the IM Scan Job

In the SETTINGS section of the Shuttle Navigator, select Scan Job or Antivirus, depending on the settings you want to modify. Making any change to the configuration makes the Save and Cancel buttons available. If you make a change to the IM Scan Job and try to navigate to another pane without saving it, you are prompted to save your changes.

Controlling the IM Scan Job

In order to control the IM Scan Job, follow these steps.

To control the IM Scan Job

  1. In the Shuttle Navigator, click OPERATE, and then click the Run Job icon.

  2. At the top of the Run Job pane, in the list, select the IM Scan Job. The bottom portion of the Run Job pane shows the status and results of the currently selected scan job.

Enabling and disabling the IM Scan Job

With the IM Scan Job selected, the Enable and Bypass buttons control the operation of the job.

To disable the IM Scan Job

  1. In the Shuttle Navigator, click SETTINGS, and then click the General Options icon.

  2. To disable the IM Scan Job, in the General Options pane, in the Enable Forefront option, select Disable. For more information about recycling services, see FSOCS services.

Bypass specifies whether IM scanning should be bypassed. Unlike disabling the IM Scan Job, Bypass continues to send messages to the scan engines; however, the scan engines always report that the files are clean.

To turn on the Bypass mode

  • In the Shuttle Navigator, click OPERATE, and then click the Run Job icon. In the Run Job pane, click the Bypass button.

    Note

    The Bypass mode should only be used for troubleshooting. In that respect, it is convenient because there is no need to recycle services. However, when Bypass is in effect, there is no protection from viruses.

To turn off the Bypass mode

  • In the Shuttle Navigator, click OPERATE, and then click the Run Job icon. In the Run Job pane, click the Enable button.

Selecting virus scans, file filtering, or keyword filtering

The IM Scan Job can perform virus scanning, file filtering, content filtering, and keyword filtering, in any combination.

To set the scanning combination

  1. In the Shuttle Navigator, click OPERATE, and then click the Run Job icon.

  2. In the Run Job pane, select and clear the Virus Scanning, File Filtering, Content Filtering, and Keyword Filtering check boxes in order to make the appropriate selections.

    Note

    Any change to these settings is immediate, even if the job is currently running.

Checking results and status

The lower portion of the Run Job pane shows the infections or filtered results found by the IM Scan Job. The FSCController stores these results to disk in the virus log file, and the results are not dependent on the Forefront Server Security Administrator remaining open.

This is the information that FSOCS reports for each incident found by the IM Scan Job:

Item               Description

Time               The date and time of the incident.

State              The action taken by FSOCS.

Folder             Indicates whether the message was internal, inbound, or outbound.

File               The name of the virus, or the name of the file that matched a file filter or content filter.

Incident           The type and name of the incident detected.

Sender Address     The e-mail address of the person who sent the infected or filtered message.

Recipient Address  The e-mail address of the recipient of the infected or filtered message.

The virus log file can be cleared when no longer needed by using the Clear Log button on the Run Job pane. This does not affect the incidents log.

A subset of the results can also be deleted by selecting entries in the Folder column (use the mouse or SPACEBAR in combination with the SHIFT or CTRL key). When the desired subset is selected, pressing the DELETE key removes the subset from the virus log file.

Note

If a large number of entries is selected, the deletion process may take a long time. In this case, a message box appears asking you to confirm the deletion.

Use the Export button in order to save the results to a text file.

About IM scan recovery

In the event that the IM Scan Job takes longer than a specified amount of time to scan a message (default is 5 minutes or 300,000 milliseconds), the process is terminated, and FSOCS attempts to restart the service. If successful, IM scanning resumes, and a notification is sent to the administrator, stating that the IM Scan Job stopped and recovered.

When the new IM scan process starts, the message that caused it to terminate is reprocessed according to the action set in the IM Scan Timeout Action setting in General Options. For example, if it is set to Delete, FSOCS deletes the file, replaces its contents with the deletion text for the IM Scan Job, logs the information, and quarantines and archives the file. For more information about General Options, see FSOCS Forefront Server Security Administrator.

If the process cannot be restarted, a notification is sent to the administrator, stating that the IM Scan Job stopped. In this event, IM scanning will not function, and the IM message stream will not be scanned.

If you continue to have time-out problems, you may try increasing the time specified in the IMTimeout registry value. Because this is a hidden registry value, you must create a new double word (DWORD) registry value called IMTimeout, set the Base to Decimal, and type the time, in milliseconds, in the Value data box. Recycle the OCS and FSOCS services in order for the change to take effect. For more information about registry values, see FSOCS registry keys.

About message queues

Forefront Security for Office Communications Server offers flexibility in choosing which logical message queues to scan with the IM Scan Job: inbound, outbound, or internal. You can configure FSOCS to only scan one queue or all three. In the Scan Job Settings pane, there are the following three check boxes for making queue selections: Inbound, Outbound, and Internal.

Scanning the inbound queue

Selecting the Inbound check box on the Scan Job Settings pane configures FSOCS to scan all messages that do not originate within your domain.

Scanning the outbound queue

Selecting the Outbound check box on the Scan Job Settings pane configures FSOCS to scan all outgoing messages that are leaving your domain.

Internal scanning

Selecting the Internal check box on the Scan Job Settings pane configures FSOCS to scan all messages that are being routed from one location inside your domain to another location inside your domain.

Scanning nested compressed files

Deeply nested compressed files can slow the performance of FSOCS and the OCS server, and deep nesting is a known denial-of-service technique against antivirus products. To limit the impact on server performance and guard against such attacks, the General Options setting Max Nested Compressed Files controls how deeply FSOCS scans into nested compressed files for viruses. The default value is a nesting depth of 5, so files nested more than five levels deep are marked for deletion.

You may change this setting as needed for your environment in the General Options pane. For more information, see FSOCS Forefront Server Security Administrator.

Scanning files by type

By default, FSOCS is configured to scan all IM messages and file transfers for viruses. To perform scans as quickly and efficiently as possible, however, FSOCS can be configured to only scan data that is more likely to contain viruses. It does this by first determining the file type and then by determining if that file type is a common target for infection by a virus. Determining the file type is accomplished by looking at the file header and not by looking at the file extension. This is a much more secure method because file extensions can be easily spoofed. If you would like FSOCS to bypass scanning for file types that are not commonly known to be capable of carrying a virus, set the registry key ScanAllAttachments to a value of 0. (ScanAllAttachments is a "hidden" key. That is, if it is not present, its value defaults to 1.)

Note

Setting the ScanAllAttachments key to 0 increases performance but also increases your risk that a virus can get through undetected.
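The two checks described in Scanning files by type and in Scanning nested compressed files, as an added Python example that is not FSOCS code: a transferred file is classified by its header bytes rather than its extension, and a zip archive is unpacked no deeper than the default limit of 5 nested archives before it is marked for deletion. The signature table, the sample files and the function names are constructed for this example.

```python
import io
import zipfile

# Constructed magic-number table for this example; a real scanner's table is far larger.
SIGNATURES = {b"PK\x03\x04": "zip", b"MZ": "pe-executable", b"%PDF": "pdf", b"\x7fELF": "elf"}
MAX_NESTED = 5  # mirrors the FSOCS default for Max Nested Compressed Files


def identify(data: bytes) -> str:
    """Classify content by its header bytes; the file name and extension are ignored."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def nesting_depth(data: bytes, depth: int = 0) -> int:
    """Count archive-in-archive layers, unpacking no further once the limit is exceeded."""
    if identify(data) != "zip":
        return depth
    depth += 1
    if depth > MAX_NESTED:
        return depth  # over the limit: stop decompressing (this is the DoS guard)
    deepest = depth
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                deepest = max(deepest, nesting_depth(zf.read(info), depth))
                if deepest > MAX_NESTED:
                    break
    return deepest


def verdict(name: str, data: bytes) -> str:
    """Decide what a header-based scanner would do with one transferred file."""
    kind = identify(data)
    if kind == "zip" and nesting_depth(data) > MAX_NESTED:
        return f"delete: {name} exceeds {MAX_NESTED} nested compressed files"
    return f"scan: {name} (header says {kind})"


def build_nested_zip(levels: int, payload: bytes = b"constructed sample") -> bytes:
    """Wrap a payload in `levels` zip archives (sample input constructed here)."""
    data = payload
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"layer{i}.bin", data)
        data = buf.getvalue()
    return data


if __name__ == "__main__":
    print(verdict("invoice.pdf", b"MZ\x90\x00"))  # the extension lies; the header does not
    print(verdict("deep.zip", build_nested_zip(7)))
```

A six-level archive is reported for deletion while a five-level one is passed to scanning, matching the "more than five nestings" rule above.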