Share via


Configuring the action when malware is detected

 

Applies to: Forefront Protection for Exchange

You must indicate the action that Forefront Protection 2010 for Exchange Server (FPE) should take when malware is detected. You must set the action for each scan job type (realtime, transport, scheduled, and on-demand) you configure. The action setting is not global. Also, for each scan job type except the on-demand scan (which does not support spyware scanning), you can configure different actions for virus and spyware detections. In cases where a file is detected as containing both a virus and spyware, the virus action setting takes precedence.

The available action options are listed and described in the following table. Click Save after making any changes to your action settings.

Action Description

Skip (detect only)

Makes no attempt to clean or delete. Malware is reported, but the files remain infected. If, however, Delete corrupted compressed files, Delete corrupted UUEncoded files, or Delete encrypted compressed files was selected in Global Settings - Advanced Options, a match to any of those conditions causes the item to be deleted.

Clean

Attempts to clean the malware. If successful, the infected attachment or message body is replaced with the clean version (even if part of a container file). If cleaning is not possible, the attachment or message body is replaced with the deletion text. For example, consider a scenario where an email message has an attachment named example.zip. The .zip file contains two documents: ex1.doc and ex2.doc. If ex1.doc is infected, and cleaned by FPE, and ex2.doc is not infected, a modified example.zip file that contains the cleaned ex1.doc and original ex2.doc file will arrive in the user’s mailbox. This is the default setting for each antivirus scan job type.

Delete

Deletes the file attachment without attempting to clean it. The detected file is removed from the message (even if part of a container file), and the deletion text is inserted in its place. This is the default setting for each antispyware scan job type.

Note

You can specify the extension type used for all deleted attachments (for example, .abc), making it easy to instantly identify deleted attachments. For more information, see Configuring the extension type for all deleted attachments.

Purge

Deletes the entire message from your mail system. It cannot be recovered unless you select to quarantine files.

Available Malware Scan Actions

The following table shows the available actions for each type of malware scan.

Server Role Virus Spyware

Edge or Hub Transport

Skip detect, Clean (default), Delete

Skip detect, Purge, Delete (default)

Mailbox Realtime

Skip detect, Clean (default), Delete

Skip detect, Purge, Delete (default)

Mailbox Scheduled

Skip detect, Clean (default), Delete

Skip detect, Purge, Delete (default)

Mailbox On-demand

Skip detect (default), Clean, Delete

Not applicable

Configuring the extension type for all deleted attachments

You can specify the extension type used for all deleted attachments (for example, .abc), making it easier to instantly identify deleted attachments.

To configure the extension type for all deleted attachments

  1. In the Forefront Protection 2010 for Exchange Server Administrator Console's Policy Management view, in the tree, expand Global Settings, and then click Advanced Options.

  2. In the Global Settings - Advanced Options pane, in the Scans section, specify a value in the Use this extension when replacing a deleted attachment with the deletion text field. The default value is txt.

    If you want to disable this feature (causing the original extension to be retained), replace txt with an empty string.

    If you want to specify a different extension, replace txt with another string, which must be between one and three characters long.

  3. Click Save.

See Also

Concepts

Configuring the transport scan
Configuring the realtime scan
Configuring the scheduled scan
Configuring the on-demand scan