FSOCS content filtering

 

Applies to: Forefront Security for Office Communications Server

Content filtering in Microsoft Forefront Security for Office Communications Server (FSOCS) allows administrators to filter messages based on sender-recipient and domain address criteria. Content filtering provides another tool in order to help manage the flow of messages entering and exiting your enterprise message stream.

Administrators may choose to scan any combination of inbound messages (those originating outside the enterprise), outbound messages (those leaving the enterprise), or internal messages (those within the company intranet). This selection is made on the Scan Job Settings dialog box (for more information, see IM Scan Job). They are all enabled by default.

Configuring sender-recipient filtering

Sender-recipient filtering enables you to filter messages from particular senders or domains or to particular recipients. Wildcard characters can be used to enable such filters as *@example.com in order to filter all messages from a certain domain.

To configure sender-recipient filtering

  1. In the Shuttle Navigator, click FILTERING, and then click the Content icon.

  2. In the Content Filtering pane, in the upper section, select the IM Scan Job.

  3. In the Content Fields pane, select Domain/Address, and then in the Content Filters section, click the Add button.

  4. In the box, type the sender or domain that you would like to filter. If you want to use a generic domain-name filter, you must use an asterisk (*) (which is a wildcard character) before the domain name.

    Examples:   

    A generic domain: *@example.com

    A specific sender: someone@example.com

  5. After you have typed the sender or domain, press ENTER. You may add as many entries as you like.

  6. Enable the filter with the Filter field.

  7. In the Action field, indicate the action to take if there is a filter match.

  8. If you wish to send notifications in the event of a filter match, select the Send Notifications check box. The content administrators are sent a notification that a message was filtered. In addition, you must also configure the notifications. For more information, see FSOCS event notifications.

  9. If you want to quarantine the item in the event of a filter match, select the Quarantine check box. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.

  10. Click Save.

When filtering using the Sender-Recipient field, FSOCS attempts to match the SIP address of the sender and recipient. This could include wildcards such as *.domain.com. If a match is found, the action enabled for the filter is applied to the message.

You can create a sender-recipient filter that filters messages from all users in a domain except for specific users in that domain. For more information, see Filtering messages from all users in a domain except for specific users.

Action

You must indicate the action that FSOCS should take upon detecting a match to your filter criteria.

Note

You must set the action for each content filter you configure. The action setting is not global.

These are the actions you can select:

Action Description

Skip: detect only

Records the number of messages that meet the filter criteria, but enables messages to route normally. If, however, the Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files check boxes are selected in General Options, a match to any of those conditions causes the item to be deleted.

Block: prevent transfer

Prevents the IM message or transferred file from reaching the intended recipient.

Editing a content filter

Once you have created a content filter, it can be modified.

To edit a content filter

  1. In the Shuttle Navigator, click FILTERING, and then select the Content icon.

  2. In the Content Filtering pane, in the upper pane, select the scan job for which you would like to modify the content filter.

  3. Make the desired changes to the various fields on the Content Filtering pane. The changes apply to the selected scan job.

  4. Click Save. Making any change to the configuration activates the Save and Cancel buttons. If you make a change to the selected scan job and try moving to another scan job or shuttle icon without saving the changes, you are prompted to save or discard your changes.

Matching patterns with wildcards

Use wildcard characters in order to have your filter match patterns in the content. You can use any of the following to refine your filters.

Note

Wildcard characters can be used only in sender domains.

Wildcard character Description

*

Used to match any number of characters. You can use multiple asterisks. The following are some examples of its usage:

  • Single: Any of these single wildcard character patterns would detect tailspintoys.com: tails*, *toys.com, *il
  • Multiple: Any of these multiple wildcard character patterns would detect tailspintoys.com: t*i*s*i*t*y*, *tail*, *spin*

?

Matches any single character.

For example, you can filter sales1.tailspintoys.com with the following filter: sales?.tailspintoys.com

[set]

A list of characters and ranges, enclosed in square brackets [abcdef]. Any single character in the specified set is matched.

For example, the set is useful for creating a single rule to match when the number zero (0) is used instead of the letter o (for example, pornography and p0rnography can be filtered using the following filter: p[o0]rnography).

[^set]

Used to exclude characters that you know are not used.

[range]

Used to indicate several possible values in a set. It is specified by a starting character, a hyphen (-), and an ending character.

For example, klez[ad-gp] would match kleza, klezd, kleze, klezf, klezg, and klezp but not klezb or klezr.

\char

Indicates that special characters are used literally (characters are: * ? [ ] - ^ < >). The backslash is called an escape character and indicates that a reserved control character is to be taken literally, as a text character.

For example, if you enter *hello*, you would normally expect to match hello anywhere in the file name. If you enter *\*hello\**, you would match *hello*. If you enter *\*hello\?\**, you would match *hello?*.

Note

You must use a \ before each special character.
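
The wildcard rules above, modeled as a pattern-to-regex translator for checking a filter against sample values before entering it in the console. This is an added example, not code from the product or its documentation; the function names are hypothetical, and [^set] is read in its usual sense (any character not in the set). The page does not state whether a pattern must cover the whole value, so `anchored` is a parameter (the `*il` example above only matches tailspintoys.com when unanchored).

```python
import re

def _char_class(body):
    """Regex class for the inside of [set], [^set] or [range]."""
    negate = body.startswith("^")
    k, items = (1 if negate else 0), []
    while k < len(body):
        if body[k] == "\\" and k + 1 < len(body):  # \char inside a set
            items.append(re.escape(body[k + 1]))
            k += 2
        else:                                      # keep '-' as the range operator
            items.append("-" if body[k] == "-" else re.escape(body[k]))
            k += 1
    if not items:
        raise ValueError("empty set")
    return "[" + ("^" if negate else "") + "".join(items) + "]"

def fsocs_to_regex(pattern):
    """Compile a wildcard filter (* ? [set] [^set] [range] \\char) to a regex."""
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":                              # next character is literal
            if i + 1 >= n:
                raise ValueError("trailing backslash")
            out.append(re.escape(pattern[i + 1]))
            i += 2
        elif c == "[":
            j = i + 1
            while j < n and pattern[j] != "]":
                j += 2 if pattern[j] == "\\" else 1
            if j >= n:
                raise ValueError("unterminated [set]")
            out.append(_char_class(pattern[i + 1:j]))
            i = j + 1
        else:                                      # * and ? are wildcards, rest literal
            out.append({"*": ".*", "?": "."}.get(c, re.escape(c)))
            i += 1
    try:
        return re.compile("".join(out), re.DOTALL)
    except re.error as exc:                        # e.g. a reversed range such as [z-a]
        raise ValueError("invalid set or range: %s" % exc)

def matches(pattern, value, anchored=True):
    """anchored=True requires the whole value to match; False accepts a substring."""
    rx = fsocs_to_regex(pattern)
    return bool(rx.fullmatch(value) if anchored else rx.search(value))

if __name__ == "__main__":
    # Constructed sample values, checked against example filters from this page.
    for pat in ("*@example.com", "sales?.tailspintoys.com", "klez[ad-gp]", "*il"):
        for val in ("someone@example.com", "sales1.tailspintoys.com", "klezb"):
            print(pat, val, matches(pat, val), matches(pat, val, anchored=False))
```

Case handling is not described on the page; this model compares case-sensitively.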

Content filter lists

As well as creating individual sender-recipient content filters, you can create lists of them in order to have collections of filters for use by different scan jobs or to organize your filters. The individual filters are created in the same way as previously described, but now, each filter is part of a list.

Creating a content filter list

Begin by creating a new filter list for sender-recipient filters.

To create a content filter list

  1. In the Shuttle Navigator, in the FILTERING section, click the Filter Lists icon.

  2. In the List Types pane, select Sender-Recipients.

  3. In the List Names section, click the Add button.

  4. In the box that appears, type a name for the new list, and then press ENTER. The empty list is added to the List Names section.

  5. In the List Names section, select the new list, and then click the Edit button.

  6. In the Edit Filter List dialog box, add items to the list, either specific senders or generalized domains.

    1. In the Include In Filter section, click the Add button.
    2. In the text box that appears, type a sender, a recipient, or a domain to be included in the list. When you are finished typing, press ENTER. You may have as many items as you want, but each must be entered separately. Each follows all the rules already discussed for creating single sender-recipients filters.
    3. In the Exclude From Filter section, enter data that should never be included in the filter list. This prevents this data from accidentally being added when importing a list from a text file. For more information on importing files, see Importing items into a filter list.
    4. When you are finished adding items, click OK. The list of items you just entered appears, alphabetically, in the pane next to List Names.
  7. Click Save.

  8. Configure the filter list the same way as described in Configuring sender-recipient filtering.

Importing items into a filter list

Data for filter lists may be created offline in Notepad or a similar text editor and then imported into the appropriate filter list by using the Forefront Server Security Administrator. Note that FSOCS can only import lists that are UTF-16 or ANSI files. Other Unicode types will not be properly imported.

To create and import entries into a filter list

  1. When creating a list, place each filter on its own line in the file, and then save the list as a text file.

  2. In the Shuttle Navigator, in the FILTERING section, click Filter Lists.

  3. Select the filter list into which you will be importing data or add a new one, and then click Edit.

  4. In the Edit Filter List dialog box, click the Import button. A Windows Explorer window opens. Use it to navigate to the text file you created in step 1.

  5. Select the file, and then click Open. The file is imported into the middle pane of the Import List editor.

  6. If you want to move all the items into the Include In Filter section, use the <=== button.
    If you want to move single items into the Include In Filter section, use the <--- button.
    If you want to move items into the Exclude From Import section, use the right-pointing arrows.

  7. When you have moved all the desired items, click OK.

  8. Click Save.
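
A pre-import check for the text file described above, written as an added example (not part of the product or its documentation). It flags encodings other than UTF-16 or ANSI by byte-order mark and byte content; the function names, the use of cp1252 as a stand-in ANSI code page, and the per-line hygiene checks are assumptions of this example.

```python
import codecs

def classify_list_file(data):
    """Return (encoding_guess, problems) for the raw bytes of a filter-list file."""
    # UTF-32 LE begins with the same two bytes as UTF-16 LE, so test it first.
    if data.startswith((codecs.BOM_UTF32_LE, codecs.BOM_UTF32_BE)):
        return "utf-32", ["UTF-32 is neither UTF-16 nor ANSI"]
    if data.startswith(codecs.BOM_UTF8):
        return "utf-8", ["UTF-8 is neither UTF-16 nor ANSI"]
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        encoding, text = "utf-16", data.decode("utf-16", errors="replace")
    elif b"\x00" in data:
        return "unknown", ["NUL bytes but no byte-order mark; re-save the file"]
    elif all(b < 0x80 for b in data):
        encoding, text = "ansi", data.decode("ascii")
    else:
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            # High bytes that are not valid UTF-8: treat as a single-byte code page.
            encoding, text = "ansi", data.decode("cp1252", errors="replace")
        else:
            return "utf-8", ["non-ASCII bytes form valid UTF-8, not UTF-16 or ANSI"]
    problems = []
    for number, line in enumerate(text.splitlines(), 1):
        entry = line.strip()
        if not entry:
            problems.append("line %d: blank" % number)
        elif any(ch in entry for ch in " \t,;"):
            problems.append("line %d: more than one filter on the line?" % number)
    return encoding, problems

def encode_list(filters):
    """One filter per line, UTF-16 with a byte-order mark, CRLF line ends."""
    return "\r\n".join(filters).encode("utf-16")

if __name__ == "__main__":
    # Constructed sample list, not taken from any real deployment.
    sample = encode_list(["someone@example.com", "*@example.com"])
    print(classify_list_file(sample))
```

The UTF-8-without-BOM test is a heuristic: a file is reported as UTF-8 only when its non-ASCII bytes decode cleanly as UTF-8.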

Filtering messages from all users in a domain except for specific users

This section describes how to configure FSOCS to filter messages from all users in a domain except for specific users in that domain.

To filter messages from all users in a domain except for specific users

  1. In the Shuttle Navigator, click FILTERING, and then select the Content icon.

  2. In the Content Filtering pane, in the upper pane, select the IM Scan Job.

  3. Set up content filters containing the addresses of specific users whose messages you do not want filtered. If both the sender and the recipient of a message are specified in content filters, no filtering takes place. If only one of them is specified in a content filter, then filtering takes place, including quarantining and notifications, if they were set up.

    1. In the lower-left corner, in the Content Fields section, select Domain/Address, and then in the Content Filters section, click Add.

    2. In the text box that appears, type the address of the specific user. For example, type someone@example.com, and then press ENTER.

    3. In the Action field, set the action to Skip: detect only.

      Note

      You can add multiple addresses, but each one must be entered separately. Repeat step 3 if you want to add more addresses whose messages you do not want filtered.

  4. Set up the name of the domain that you want filtered.

    1. In the lower-left corner, in the Content Fields section, select Domain/Address, and then in the Content Filters section, click Add.

    2. In the text box that appears, type the name of the domain that you want filtered. When you type the domain name, include the asterisk (*) wildcard character. For example, type *@example.com.

      Note

      Make sure that you add the filter for the domain name directly underneath the filter for the specific users whose messages you do not want filtered. FSOCS works from the top of the list down.

    3. In the Action field, set the action to Block: prevent transfer, and then

  5. Click Save.

Another method is to set up an allowed sender-recipient list. Anyone on an allowed sender-recipient list can send to anyone else or receive from anyone else without the messages being filtered. However, there is no notification or quarantine available. (For more information about allowed sender-recipient lists, see "Allowed sender-recipient lists" in FSOCS keyword filtering.)

International character sets

Support for content filtering by name in FSOCS extends beyond the English character set. For example, messages with an attachment or subject line that includes Japanese characters, words, or phrases are handled in the same manner as English character sets.

Reporting

Messages that are filtered because of sender-recipient filtering are reported under the Virus or Filter heading of the incidents log. Messages filtered because of sender-recipient matches are noted as the following: SENDER=<filter>. For activity and incidents logs, no file name is indicated. In the quarantine area, the body and each attachment are quarantined with the sender-recipient or subject-line filter indicated.

Filter set templates

Filter set templates can be created for use with any FSOCS scan job. A single filter set template can be associated with the IM Scan Job, and administrators can also create multiple filter set templates for use on different servers. You can create filter set templates for use with either file filters or content filters; however, filter set templates are not supported for keyword lists.

Creating a filter set template

Start by creating a filter set template.

To create a filter set template

  1. If the templates are not visible, in the menu, click File, click Templates, and then click View Templates.

  2. Click File, click Templates, and then click New.

  3. In the New Template dialog box, select Filter Set, enter a name for it, and then click OK. The name is limited to a maximum of 19 characters. Your new filter set template now appears in the list in the top pane, ready to be configured.

Configuring a filter set template

After you have created a filter set template, you must configure it.

To configure a filter set template

  1. In the Shuttle Navigator, in the FILTERING section, depending on the type of filter set that you want, click File or Content.

  2. In the File Filters pane or in the Content Filters pane, in the upper pane, select the name of the filter set template to be configured.

  3. To add a file filter or a content filter to the filter set template, click the Add button, and then specify the criteria for that filter. You may create multiple filters within a filter set template. A filter set template may contain a combination of file filters and content filters.

  4. Click Save.

Associating a filter set template with a scan job

After you have created and configured a filter set template, associate it with a scan job. During scanning, FSOCS uses the filter set template configuration first and then uses any other filter setting you have specified when setting up the scan job.

To associate a filter set template with a scan job

  1. In the Shuttle Navigator, in the SETTINGS section, select Templates, and then select the IM Scan Job.

  2. In the lower pane, from the Filter Set list, select the filter set template that you want to associate with the IM Scan Job. You can associate a single filter set template with a scan job.
    If you are unsure about the contents of the filter set template, click View Filter Set. When you are finished viewing the contents, at the bottom of the pane, click the left arrow button.

  3. Click Save. The filter set template is now associated with that scan job.

Note

To cancel the association, repeat the preceding steps and select None from the Filter Set list (or select a different filter set template).

Editing a filter set template

You can modify the settings in a filter set template.

To edit a filter set template

  1. In the Shuttle Navigator, in the FILTERING section, click either File or Content.

  2. In the File Filters pane or in the Content Filters pane, in the upper section, select the filter set template.

  3. In the lower pane, select the filter whose configuration you want to modify.

  4. Click Edit, and then make your changes to the appropriate fields on the selected pane. When you are finished, click Save.

Note

File filters that you created are displayed in the File Names section and can be modified. Filter set templates are also displayed; however, they cannot be selected for modification in the File Names section. To modify a filter set template, you must select it in the upper pane. When a filter set template is assigned to a scan job, the contents of the filter set are not visible in the pane unless View Templates is selected in the File option of the menu bar.

Deleting a filter set template

You can delete a filter set template.

To delete a filter set template

  1. If the filter set template has been associated with a scan job, you have to remove the association. Follow the directions in Associating a filter set template with a scan job and either reset the association to None or select a different filter set template for the association.

  2. In the Template Settings pane, in the job list, select the filter set.

  3. Click File, click Templates, and then click Delete.

  4. Confirm the deletion request.

Renaming a filter set template

You can rename a filter set template.

To rename a filter set template

  1. In the Template Settings pane, in the job list, select the filter set.

  2. Click File, select Templates, and then click Rename.

  3. In the Rename Template dialog box, type the template's new name. The name is limited to a maximum of 19 characters.

  4. Click OK.

Distributing filter set templates to remote servers

You can use FSCStarter from a command prompt in order to manually install filter set templates on remote servers.

The following is the syntax of FSCStarter:

     FSCStarter t[options] [\servername]

The t parameter instructs FSCStarter to read the settings in the Template.fdb file and apply them to the named server.

For complete FSCStarter instructions, see "Deploying named templates" in FSOCS templates.

For example, to update the content-filter settings on server1, you would enter the following:

     FSCStarter tc \server1