FSOCS keyword filtering

 

Applies to: Forefront Security for Office Communications Server

Keyword filtering in Microsoft Forefront Security for Office Communications Server (FSOCS) identifies unwanted IM messages by analyzing the contents of the message body or text-based file attachments. By creating keyword lists, you can filter messages and text attachments based on a variety of words, phrases, and sentences.

Creating new keyword lists

For maximum flexibility, you can create your own lists of keywords for which to scan. You can thus maintain individual lists of filters for use by different scan jobs.

To create a new keyword list

  1. In the Shuttle Navigator, in the FILTERING section, click the Filter Lists icon.

  2. In the List Types section, select Keywords.

  3. In the List Names section, click the Add button.

  4. In the box that appears, type a name for the new list, and then press ENTER.

  5. In the List Names section, select the new list, and then click the Edit button.

  6. In the Edit Filter List dialog box, add content to your filter list.

    1. In the Include In Filter section, click the Add button.
    2. Type a word or phrase to be included in the filter list. When you are finished typing, press ENTER. You may have as many words or phrases as you want, but each must be entered separately.
    3. In the Exclude From Filter section, enter keywords or phrases that should never be included on the keyword list. This prevents those words and phrases from accidentally being added when importing a list from a text file. For more information on importing files, see Importing items into a filter list.
    4. When you are finished adding items, click OK. The list of words you just entered appears, alphabetically, in the Filter Lists pane, next to List Names.
  7. Click Save.

Configuring keyword lists

After you have created a keyword list, you must configure it.

To configure a keyword list

  1. In the Shuttle Navigator, click FILTERING.

  2. Click the Keyword icon.

  3. In the Keyword Filtering pane, select IM Scan Job.

  4. In the Keyword Fields section, click Message or Text File.

  5. Select one of the filter lists you have created, and in the Filter drop-down, click Enabled.

  6. In the Action field, set the action. For more information, see Keyword filter actions.

  7. If you would like to enable notification, select the Notify Admin/Sender check box.

  8. If you would like to quarantine files that match the keyword filter, select the Quarantine check box. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.

  9. Indicate what combination of inbound, outbound, and internal messages and files should be scanned by selecting and clearing the Inbound, Outbound, and Internal check boxes.

  10. In the Minimum Unique Keyword Hits field, specify how many unique keywords must be matched for the action to be taken. The default value is 1. For example, suppose you have set the Minimum Unique Keyword Hits value to 3. The word "wonderful", which is in the list, appears three times in the message, but no other word in the list appears at all. The keyword filter has not been matched, because only one term in the list was matched.

  11. Click Save.

Filters for racial discrimination, sexual discrimination, spam, and any other custom lists must be created individually. For profanity filters, see Example lists.

Keyword filter actions

You must indicate the action that FSOCS should take upon detecting a match to your filter criteria.

Note

You must set the action for each keyword filter you configure. The action setting is not global.

The action choices are:

  • Skip: detect only. Records the number of messages that meet the filter criteria, but enables messages to route normally. If, however, the Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files check boxes are selected in General Options, a match to any of those conditions causes the item to be deleted.
  • Block: prevent transfer. Prevents the IM message or transferred file from reaching the intended recipients.

Note

FSOCS keyword filtering scans both plain text and Rich Text Format (RTF) message content. If FSOCS finds a match in both the RTF and the plain text, it reports two detections: one in the incidents log and one in the quarantine database.

Keyword list syntax rules

The following are the syntax rules for a keyword list:

  • Each item (line of text) is considered a search query.
  • Queries use the OR operator. It is considered to be a positive detection if any entry is a match.
  • Queries may contain operators that separate text tokens. Such queries are called expressions. The following logical operators are supported. There must be a space between an operator and a keyword, represented in the examples by the • character:
    • _AND_ (Logical AND). For example, apple•_AND_•orange juice.
    • _NOT_ (Negation). For example, apple•_AND__NOT_•juice.
    • _ANDNOT_ (Same as _AND__NOT_). For example, apple•_ANDNOT_•juice.
    • _WITHIN[#]OF_ (Proximity). If the two terms are within a specified number of words of each other, there is a match. For example, free•_WITHIN[10]OF_•offer. (If "free" is within 10 words of "offer", this query is true.)
    • _HAS[#]OF_ (Frequency). Specifies the minimum number of times the text must appear for the query to be considered true. For example, _HAS[4]OF_•get rich quick. If the phrase "get rich quick" is found in the text four or more times, this query is true. This operator is implicitly assumed and has a default value of 1 when it is not specified.
    • Multiple _AND_, _NOT_, _HAS[#]OF_, and _WITHIN[#]OF_ operators are permitted in a single query. The precedence of the operators is (from highest to lowest):
      1) _WITHIN[#]OF_
      2) _HAS[#]OF_
      3) _NOT_
      4) _AND_
      This precedence cannot be overridden with parentheses.
  • The logical operators must be entered in uppercase letters.
  • Phrases may be used as keywords. For example, apple juice or get rich quick.
  • Multiple blank spaces (blank characters, line feed characters, carriage return characters, horizontal tabs, and vertical tabs) are treated as one blank space for matching purposes. For example, A••••B is treated as A•B and matches the phrase A•B.
  • In HTML-encoded message texts, punctuation (any non-alphanumeric character) is treated as a word separator similar to blank spaces. Therefore, words surrounded by HTML tags can be properly identified by the filter. However, note that the filter '<html>' will match '<html>', but not 'html'.

Examples (the • character represents a space):

  • apple•_AND_•orange•_AND_•lemon•_WITHIN[50]OF_•juice
  • confidential•_WITHIN[10]OF_•project•_AND_•banana•_WITHIN[25]OF_•shake
  • _HAS[2]OF_•get rich•_WITHIN[20]OF_•quick
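
The following Python sketch is an added example, not FSOCS code: it models the syntax rules above and the Minimum Unique Keyword Hits setting so that a keyword list can be checked against sample text before it is deployed. The function names are hypothetical, queries are written with ordinary spaces, and three points are assumptions the page does not specify: words are split on whitespace and punctuation, proximity is measured between the starting words of each term, and _HAS[#]OF_ in front of a proximity term counts proximity hits.

```python
import re

# Operators are matched case-sensitively: the page says they must be uppercase.
_WITHIN = re.compile(r"\s_WITHIN\[(\d+)\]OF_\s")
_HAS = re.compile(r"^_HAS\[(\d+)\]OF_\s+")

def _words(text, case_sensitive):
    # Assumption: whitespace and punctuation both separate words.
    return re.findall(r"\w+", text if case_sensitive else text.casefold())

def _positions(phrase, words, case_sensitive):
    """Word indexes at which the (possibly multi-word) phrase starts."""
    p = _words(phrase, case_sensitive)
    return [i for i in range(len(words) - len(p) + 1) if p and words[i:i + len(p)] == p]

def _clause(clause, words, cs):
    """Evaluate one _AND_ operand: [_NOT_] [_HAS[n]OF_] term [_WITHIN[n]OF_ term]."""
    negate = clause.startswith("_NOT_ ")
    if negate:
        clause = clause[len("_NOT_ "):]
    need = 1                                   # implicit _HAS[1]OF_
    m = _HAS.match(clause)
    if m:
        need, clause = int(m.group(1)), clause[m.end():]
    m = _WITHIN.search(clause)
    if m:                                      # proximity binds tightest
        left = _positions(clause[:m.start()], words, cs)
        right = _positions(clause[m.end():], words, cs)
        hits = sum(any(abs(i - j) <= int(m.group(1)) for j in right) for i in left)
    else:
        hits = len(_positions(clause, words, cs))
    return (hits >= need) != negate

def query_matches(query, text, case_sensitive=False):
    """True if one list entry matches; runs of whitespace collapse to one space."""
    words = _words(text, case_sensitive)
    query = " ".join(query.split())
    for alias in ("_ANDNOT_", "_AND__NOT_"):   # both spellings appear on the page
        query = query.replace(alias, "_AND_ _NOT_")
    return all(_clause(c, words, case_sensitive) for c in query.split(" _AND_ "))

def list_matches(queries, text, min_unique_hits=1, case_sensitive=False):
    """Entries are ORed; the action fires once enough distinct entries match."""
    matched = {q for q in queries if query_matches(q, text, case_sensitive)}
    return len(matched) >= min_unique_hits, sorted(matched)
```

A lowercase operator such as _and_ is not recognized here and is treated as part of the phrase, which mirrors the uppercase rule; the '<html>' literal-match rule is not modelled.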

Case-sensitive filtering

The Case Sensitive Keyword Filtering setting in General Options causes FSOCS to use case-sensitive comparisons for all keyword filters. By default, comparisons are not case-sensitive. For more information, see "General Options" in FSOCS Forefront Server Security Administrator.

Example lists

To aid you in filtering for profanity, example lists in various languages are included with the product. This is an optional component of FSOCS and must be installed separately.

If you want to install one or more of these lists, follow these steps.

To install the example lists

  1. In the installation folder, double-click the file called KeywordInstaller.msi.

    Note

    The .msi file is not present on any computer which has had an Administrator-only installation or on one that does not contain a Forefront product.

  2. You must read and consent to the license agreement and disclaimer.

  3. In the list of available files, select any number of the various language files. The files you select are placed into a folder called Example Keywords in the database directory, which by default is in the following location:
    C:\Program Files (x86)\Microsoft Forefront Security\Office Communications Server\Data

  4. After the files have been extracted, import them into your filters. For more information on importing files, see Importing items into a filter list.

Note

It is your responsibility to visually inspect all of the selected files in order to determine if there are words that are completely harmless in your environment, especially if you are using more than one language file. You must review the imported list and decide if you are going to eliminate any word clashes. If a certain word is unacceptable in one language but harmless in another, you must determine what is more important to you: catching everything (the default, if you accept all the words in all the selected lists) at the risk of false positives, or risking not detecting something by deleting words from the list (which avoids those false positives).

Allowed sender-recipient lists

FSOCS provides allowed sender-recipient list functionality so that administrators can maintain lists of safe e-mail addresses or domains that are not subjected to filtering by the IM Scan Job. (The allowed sender-recipient lists have no effect on scanning for viruses.) FSOCS checks the sender-recipient address or domain against the allowed sender-recipient list. If the address or domain appears on the allowed sender-recipient list, FSOCS will bypass all filtering that has been enabled for the list.

To create an allowed sender-recipient list

  1. In the Shuttle Navigator, in the FILTERING section, click the Filter Lists icon.

  2. In the List Types section, select Allowed User Lists.

  3. In the List Names section, click the Add button.

  4. In the box that appears, type a name for the new list, and then press ENTER. The empty list appears in the List Names section.

  5. Select the new list name, and then click the Edit button.

  6. In the Edit Filter List dialog box, enter SIP addresses or SIP domains to include in the allowed-senders list.

    1. In the Include In Filter section, click the Add button.
    2. In the box that appears, type a SIP address or domain to be included in the filter list. When you are finished typing, press ENTER. User addresses should be entered in the following format: someone@example.com. SIP domain names should be entered in the following format: *****example. You may have as many allowed senders as you want, but each address or domain must be entered separately.
    3. In the Exclude From Filter section, enter addresses or domains that should never be included on the allowed-senders list. This prevents those addresses and domains from accidentally being added when importing a list from a text file. For more information on importing files, see Importing items into a filter list.
    4. When you are finished adding items, click OK. The list of addresses and domains you just entered appears, alphabetically, in the pane next to List Names.
  7. Click Save.

Enabling allowed sender-recipient lists

After you have created an allowed sender-recipient list, you must enable it.

To enable an allowed sender-recipient list

  1. In the Shuttle Navigator, in the FILTERING section, click the Allowed User Lists icon.

  2. In the Allowed Sender/Recipient pane, select IM Scan Job.

  3. In the Sender/Recipient Lists section, select the name of the allowed sender-recipient list.

  4. In the List State drop-down, set the state to Enabled.

  5. In the Skip Scanning for section, indicate what types of filtering the allowed sender-recipient list should apply to by selecting or clearing the Content Filtering, Keyword Filtering, or File Filtering check boxes.
    If you want to select all three types of filtering, select the All Types check box.
    If none of the check boxes are selected, the filter is effectively disabled.

  6. Click Save.

Importing items into a filter list

Data for filter lists may be created offline in Notepad or a similar text editor and then imported into the appropriate filter list by using the Forefront Server Security Administrator. Note that FSOCS can only import lists that are UTF-16 or ANSI files. Other Unicode types will not be properly imported.

To create and import entries into a filter list

  1. When creating a list, place each filter on its own line in the file, and then save the list as a text file.

  2. In the Shuttle Navigator, in the FILTERING section, click the Filter Lists icon.

  3. In the Filter Lists pane, in the List Type section, select the filter list into which you will be importing data, and then click Edit.

  4. In the Edit Filter List dialog box, click the Import button. A Windows Explorer window opens. Use it to navigate to the text file you created in step 1.

  5. Select the file, and then click Open. The file is imported into the middle pane of the Import List editor.

  6. If you want to move all the items into the Include In Filter section, use the <=== button.
    If you want to move single items into the Include In Filter section, use the <--- button.
    If you want to move items into the Exclude From Import section, use the right-pointing arrows.

  7. When you have moved all the desired items, click OK.

  8. Click Save.
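
The following Python sketch is an added example, not part of the product: it prepares a list file offline under the constraints described above (one filter per line, UTF-16 or ANSI only) and classifies an existing file before import. The function names are hypothetical, the UTF-8 detection is a heuristic, and removing excluded and duplicate entries without regard to case is an assumption based on the default non-case-sensitive comparison.

```python
import codecs

def classify_encoding(raw: bytes) -> str:
    """Return 'utf-16', 'ansi' or 'unsupported' for a candidate import file."""
    if raw.startswith((codecs.BOM_UTF32_LE, codecs.BOM_UTF32_BE)):
        return "unsupported"      # test first: the UTF-32 LE BOM begins with the UTF-16 LE BOM
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return "utf-16"
    if raw.startswith(codecs.BOM_UTF8):
        return "unsupported"
    try:
        raw.decode("ascii")
        return "ansi"             # pure ASCII reads the same in every ANSI code page
    except UnicodeDecodeError:
        pass
    try:
        raw.decode("utf-8")
        return "unsupported"      # heuristic: valid multi-byte UTF-8 without a BOM
    except UnicodeDecodeError:
        return "ansi"             # high bytes that are not UTF-8: assume a code page

def build_import_file(entries, exclude=()):
    """One filter per line, exclusions and duplicates dropped, UTF-16 LE with BOM."""
    banned = {" ".join(e.split()).casefold() for e in exclude}
    seen, kept = set(), []
    for entry in entries:
        entry = " ".join(entry.split())       # collapse runs of whitespace
        key = entry.casefold()
        if entry and key not in banned and key not in seen:
            seen.add(key)
            kept.append(entry)
    text = "".join(line + "\r\n" for line in kept)
    return codecs.BOM_UTF16_LE + text.encode("utf-16-le")
```

Run classify_encoding over each example-language file and any merged list before import; a result of 'unsupported' means the file should be re-saved as UTF-16 or ANSI first.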

Keyword Filtering can be used to block links to malicious Web sites referenced in IM messages and attachments. To block links, create a keyword-filter list that contains either the addresses of specific links to be blocked or generic URLs that will block all messages and attachments with links:

  • To block the transmission of specific website links in messages or attachments, create a keyword-filter list that contains their URLs. For example:
    https://www.contoso.com
    https://www.fabrikam.com
    https://www.treyresearch.net
  • To block all website links in IM communications, create a keyword-filter list with two items: http and www. FSOCS detects any message or attachment containing a URL beginning with either of these strings.

After you create the keyword filter list, specify an action of Block. This prevents the message and its attachments from reaching the intended recipients.