Forefront Server Security Administrator

Applies to: Forefront Security for Exchange Server

The Forefront Server Security Administrator is used to configure and run Forefront Security for Exchange Server locally or remotely. For the Forefront Server Security Administrator to launch successfully, the FSCController and Microsoft® Exchange Server must be running on the computer to which the Forefront Server Security Administrator is connecting. If you launch the Administrator and the Exchange server is not running, you will receive an error message.

Because the Forefront Server Security Administrator is the front end of the Forefront Security for Exchange Server software, it can be launched and closed without affecting the back-end processes being performed by the Forefront Security for Exchange Server services. The Forefront Server Security Administrator may also be run in a read-only mode to provide access to users who do not have permission to change settings or run jobs, but who may need to view information provided through the user interface.

Note

The Forefront Server Security Administrator should not be used to connect to previous versions of Microsoft Antigen for Exchange.

Enabling Forefront Server Security Administrator

Because of default security settings in Windows XP Service Pack 2 (SP2) and Windows Server 2003 SP2, before you can use Forefront Server Security Administrator on those operating systems, you must first enable the Administrator.

Important

Due to default security settings in Microsoft Windows XP Service Pack 2 (SP2) and Microsoft Windows Server 2003 SP2, the Forefront Server Security Administrator will not run properly when first installed.

To enable the Forefront Server Security Administrator to run on Microsoft Windows XP SP2

  1. Click Start, click Run, and then enter dcomcnfg. The Component Services dialog box appears.

  2. In the Component Services dialog box, expand Component Services, expand Computers, right-click My Computer and then click Properties.

  3. On the COM Security tab, click Edit Limits under Access Permissions, and then select the Allow check box for Remote Access for the Anonymous Logon user.

  4. Add the Forefront Server Security Administrator application to the Windows Firewall Exceptions list:

    1. Open Control Panel, and then select Security Center.

    2. Select Firewall Administrator. The Windows Firewall dialog box appears.

    3. Select the Exceptions tab.

    4. Click Add Program, select FSSAClient from the list, and then click OK. This adds the Forefront Server Security Administrator to the Programs and Services list.

    5. In the Programs and Services list, select the FSSAClient.

    6. Click Add Port, enter a name for the port, enter 135 as the port number, and then select TCP as the protocol.

    7. Click OK.

      Note

      If you are concerned about opening port 135 to all computers, it can be opened only for the servers running Forefront Security for Exchange Server. When you add port 135, click Change Scope and select Custom list. Enter the IP addresses of all the Forefront servers that should be permitted access through port 135.
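The same program exception and port 135 scope restriction can be applied from a script instead of the Windows Firewall dialog box. The following is an added example, not code from the original page; it uses the legacy netsh firewall context that Windows XP SP2 provides, and the FSSAClient.exe path and the 192.0.2.x addresses are placeholders for your installation path and your Forefront servers.

```powershell
# Added example (not from the original page): open the Administrator's
# firewall exception and TCP 135 only to the listed Forefront servers,
# rather than to every computer. Run in an elevated prompt on the
# Windows XP SP2 workstation that hosts FSSAClient.exe.
# Assumptions: the path and the addresses below are placeholders.

$fssaClient = 'C:\Program Files\Microsoft Forefront Security\Exchange Server\FSSAClient.exe'
$fseServers = @('192.0.2.10', '192.0.2.11')   # servers running Forefront Security for Exchange Server
$scope      = $fseServers -join ','            # netsh expects a comma-separated address list

# Program exception for FSSAClient, limited to the Forefront servers.
netsh firewall add allowedprogram "program=$fssaClient" name=FSSAClient mode=ENABLE scope=CUSTOM "addresses=$scope"

# TCP 135 (the RPC endpoint mapper that DCOM uses), limited to the same servers.
netsh firewall add portopening protocol=TCP port=135 name=FSSAClientDCOM mode=ENABLE scope=CUSTOM "addresses=$scope"

# Review the result: each entry should show the custom address list, not all computers.
netsh firewall show allowedprogram
netsh firewall show portopening
```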

To enable the Forefront Server Security Administrator to run on Microsoft Windows Server 2003 SP2

  1. Click Start, select Run, and enter dcomcnfg. The Component Services dialog box appears.

  2. In the Console Root, expand Component Services.

  3. Expand Computers.

  4. Right-click My Computer.

  5. Select Properties, and then select the COM Security tab.

  6. Click Edit Limits under Access Permissions, and then add the Anonymous Logon account.

  7. Select the Allow check box for Remote Access for the Anonymous Logon user.

Launching the Forefront Server Security Administrator

You can launch Forefront Server Security Administrator from either the Start menu or from a command prompt.

To launch Forefront Server Security Administrator from the Start menu

  1. Click Start.

  2. Point to All Programs.

  3. Point to the Microsoft Forefront Server Security folder.

  4. Point to the Exchange Server folder.

  5. Click Forefront Server Security Administrator.

To launch Forefront Server Security Administrator from a command prompt

  1. Open a command prompt window.

  2. Navigate to the Forefront Security for Exchange Server installation directory.

    Default: C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server

  3. Enter FSSAClient.exe and then press Enter.

Connecting to a local server

The first time the Forefront Server Security Administrator is launched, it prompts you to connect to the Exchange server running on the local computer. You can use the server name or local alias to connect to the local Exchange server.

Connecting to a remote server

The Forefront Server Security Administrator can be connected to a remote Exchange server running Forefront Security for Exchange Server. This enables an administrator to use one installation of the Forefront Server Security Administrator to configure and control Forefront Security for Exchange Server throughout the network.

To connect to a remote server, when the Server prompt box appears, click the Browse button or enter the server name, IP address, or Domain Name System (DNS) name of the remote computer.

Note

Due to enhanced security settings in Windows Server 2003 Service Pack 1 (SP1), DCOM settings may need to be updated when Forefront Security for Exchange Server is installed on a server running Windows Server 2003 SP1, to permit remote access. Remote administrators need to have privileges enabled for both remote launch and remote activation.
Because Forefront Security for Exchange Server installs access control lists (ACLs) in the installation folder for both Administrator-only installations and the full product installation, a remote administrator must have access to the local installation folder and registry key, as well as access to the server to which it is connecting.
If you are having problems connecting the Forefront Server Security Administrator to the Exchange server, try using the PING command to test for server availability. If the server is available, be sure that no other Forefront Server Security Administrator instances are currently connected to it.

Connecting to a different server

To connect to a different server, select the Open command from the Forefront Server Security Administrator File menu. The Connect to Server dialog box appears. Enter the name of another server running FSE, select one that you have connected to before from the drop-down list, or click Browse to attach to a server you have never before connected to. You can also use the Server list at the top of the Forefront Server Security Administrator dialog box to quickly reconnect to a server.

Running in read-only mode

The Forefront Server Security Administrator may be run in a read-only mode. To do so, the administrator needs to modify the NTFS file system permissions on the Forefront Security for Exchange Server database directory to enable Modify access only to those users with permission to change Forefront Security for Exchange Server settings. By default, the database directory is Program Files (x86)\Microsoft Forefront Security\Exchange Server\Data.

To ensure proper configuration

  1. Launch Windows Explorer.

  2. Navigate to the Microsoft Forefront Security\Exchange Server folder on the first server.

  3. Right-click the folder and select Properties. The Properties page appears.

  4. Click the Security tab.

  5. Add a user or group that you want to have read-only access.

  6. Clear everything under Allow, except Read and Execute.

  7. Save and close the Properties pages.

  8. Navigate to the Forefront Server Security registry key, which is found under HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server.

  9. Right-click and select Permissions.

  10. Add the user or group that you want to have read-only access.

  11. Clear everything under Allow except Read (Special Permissions might remain selected as well).

  12. Navigate to the Administrator registry key directly under the Forefront Server Security key.

  13. Right-click the key and select Permissions.

  14. Add the user or group that you want to have read-only access.

  15. Select the Full Control check box.

  16. Launch DCOM config by typing dcomcnfg from Start/Run. The Component Services dialog box appears.

  17. In the Console Root section, expand Component Services.

  18. Expand Computers.

  19. Expand My Computer.

  20. Expand DCOM Config.

  21. Right-click DCOM Config and select Properties.

  22. Click the Security tab.

  23. Click the Edit button in the Launch and Activation Permissions section.

  24. Add the user or group that you want to have read-only access.

  25. Select all the Allow check boxes, and then click OK.

  26. Click the Edit button in the Access Permissions section.

  27. Add the user or group that you want to have read-only access.

  28. Select all the Allow check boxes, and then click OK.

  29. Save and close the Properties page.

When a user without modify access opens the UI, it does not permit any configuration changes.
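The NTFS and registry permissions in steps 1 through 15 can also be applied and then verified from a script. The following is an added example, not code from the original page; the group CONTOSO\FSE-ReadOnly is a placeholder, the folder and registry paths are the defaults quoted in the procedure, and the DCOM Config permissions in steps 16 through 29 are still set in dcomcnfg.

```powershell
# Added example (not from the original page): grant a group read-only access
# to Forefront Security for Exchange Server and check that no write right is
# left on the installation folder. Run as an administrator on the FSE server.
# Assumptions: CONTOSO\FSE-ReadOnly is a placeholder; paths are the defaults.

$group    = 'CONTOSO\FSE-ReadOnly'
$folder   = 'C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server'
$fseKey   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server'
$adminKey = Join-Path $fseKey 'Administrator'

function Set-FseFolderReadOnly {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -Path $Path
    # SetAccessRule replaces every existing Allow entry for this identity, the
    # script equivalent of clearing everything under Allow except Read & Execute.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Set-FseKeyRights {
    param([string]$Path, [string]$Identity, [string]$Rights)
    $acl = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity, $Rights, 'ContainerInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-FseReadOnly {
    param([string]$Path, [string]$Identity)
    # Any Allow entry, explicit or inherited, carrying one of these rights
    # would let the group change settings through the UI.
    $writeRights = [System.Security.AccessControl.FileSystemRights]'Modify, Write, Delete, ChangePermissions, TakeOwnership'
    $acl = Get-Acl -Path $Path
    $entries = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and $_.AccessControlType -eq 'Allow'
    }
    foreach ($ace in $entries) {
        if (([int]($ace.FileSystemRights -band $writeRights)) -ne 0) { return $false }
    }
    return $true
}

# Steps 1 to 7: installation folder, Read & Execute only.
Set-FseFolderReadOnly -Path $folder -Identity $group
# Steps 8 to 11: product key, Read only.
Set-FseKeyRights -Path $fseKey -Identity $group -Rights 'ReadKey'
# Steps 12 to 15: Administrator subkey, Full Control.
Set-FseKeyRights -Path $adminKey -Identity $group -Rights 'FullControl'

# Only entries for $group are touched; SYSTEM and the Exchange service account
# keep the Full Control the product requires.
if (Test-FseReadOnly -Path $folder -Identity $group) {
    "$group holds no write rights on $folder; its members get the read-only UI."
} else {
    "$group still holds write rights on $folder; check the inherited entries."
}
```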

Notes:

  • The system account and Exchange service account must have full control of the Forefront Security for Exchange Server folder or Forefront Security for Exchange Server will not run properly.

  • If you create a user that is part of the Administrators Group with read-only access rights to FSE, when that user logs on and tries to open the Forefront Server Security Administrator, the following error will occur:

    ERROR: Unable to connect to service. An error was returned. Location: CocreateInstanceEx.Error: Access is denied.

    This error is caused by a Windows Server 2003 SP1 security enhancement. To work around this problem, follow these steps:

    1. Run DCOMCNFG from START/Run. The Component Services dialog box appears.

    2. Expand Component Services.

    3. Expand Computers, My Computer, and DCOM Config.

    4. Right-click on FSCController, and then select Properties.

    5. Click the Security tab, and then click Edit in Launch and Activation Permissions.

    6. Add Domain Users, and click Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

    7. Click OK for both open dialog boxes.

Forefront Server Security Administrator user interface

The Forefront Server Security Administrator user interface contains the Shuttle Navigator on the left and the work panes on the right.

The Shuttle Navigator is divided into several areas, each of which has icons that enable you to access various work panes:

SETTINGS — The SETTINGS area enables you to configure scan jobs, antivirus settings, scanner updates, templates, and General Options.

FILTERING — The FILTERING area enables you to configure content filtering, keyword filtering, file filtering, allowed senders lists, and filter lists.

OPERATE — The OPERATE area enables you to control virus scanning and filter options, schedule and run scan jobs, and perform quick scans.

REPORT — The REPORT area enables you to configure notifications, view and manage incidents, and view and manage quarantined files.

General Options

General Options, accessed from the SETTINGS section of the Shuttle Navigator, provides access to a variety of system-level settings for Forefront Security for Exchange Server. These options are stored in the registry. The General Options pane eliminates the need to directly access the registry when changing these settings. Note that the settings Enable Forefront Security for Exchange Scan, Transport Process Count, and Realtime Process Count require that the Forefront Security for Exchange Server services be restarted for the change to take effect.

Although there are many options that can be controlled through the General Options pane, each of them has a default (enabled, disabled, or a value) that is probably the correct one for your enterprise. It is rare that any of these settings would need to be changed. However, several of the settings were entered during installation, and you might need to change one of them from time to time.

To access the General Options pane, click General Options in the SETTINGS section of the Shuttle Navigator. The General Options pane opens.

The General Options work pane is divided into several sections: Diagnostics, Logging, Scanner Updates, Scanning, and Background Scanning.

Diagnostics section

This list describes the settings in the Diagnostics section of General Options; each setting name is followed by its description.

Additional Transport

Additional diagnostic messages are added to programlog.txt for Transport scanning. Disabled by default.

Additional Manual

Additional diagnostic messages are added to programlog.txt for Manual scanning. Disabled by default.

Additional Realtime

Additional diagnostic messages are added to programlog.txt for Realtime scanning. Disabled by default.

Notify on Startup

Indicates that FSE should send a notification to all the e-mail addresses listed in the Virus Administrators list whenever the Internet scanner starts. Disabled by default.

Archive Transport Mail

Enables administrators to archive inbound and outbound Edge Transport or Hub Transport e-mail in two folders (named In and Out) that are located in the Forefront Security for Exchange Server installation folder. Each message is given a file name that consists of the year, day, month, time, and a three-digit number. For example: 20022009102005020.eml.

These options are provided to help administrators and Forefront Security for Exchange Server support engineers diagnose and isolate problems that users may be experiencing.

The archiving options are:

No Archive (the default): No mail is archived.

Archive Before Scan: Messages are archived prior to scanning.

Archive After Scan: Messages are archived after scanning.

Archive Before and After Scan: Messages are archived before and after scanning.

Critical Notification List

Indicates administrators and others who should be notified in the event that the Exchange store starts and Forefront Security for Exchange Server is not hooked in or if the Forefront Security store shuts down abnormally. Multiple e-mail addresses are separated by semicolons. Example: admin@microsoft.com;admin2@microsoft.com.

Logging section

This list describes the settings in the Logging section of General Options; each setting name is followed by its description.

Enable Event Log

Enables logging of FSE events to the event log. Enabled by default.

Enable Performance Monitor and Statistics

Enables the logging of FSE performance statistics in the Performance snap-in. Enabled by default.

Enable Forefront Program Log

Enables the Forefront program log (ProgramLog.txt). Enabled by default.

Enable Forefront Virus Log

Enables the Forefront virus log (VirusLog.txt). Disabled by default.

Enable Incidents Logging–Transport

Enables incident logging for the Transport Scan Job. Enabled by default.

Enable Incidents Logging–Realtime

Enables incident logging for the Realtime Scan Job. Enabled by default.

Enable Incidents Logging–Manual

Enables incident logging for the Manual Scan Job. Enabled by default.

Max Program Log Size

Specifies the maximum size of the program log. Expressed in kilobytes (KB), the minimum size is 512 KB. A value of 0 (the default) indicates that there is no limit to the maximum size.

For more information about the log files and the Performance snap-in, see Reporting and statistics.

Scanner Updates section

This list describes the settings in the Scanner Updates section of General Options; each setting name is followed by its description.

Redistribution Server

Indicates that this server is acting as the central hub to distribute scanner updates to other servers. Disabled by default. (For more information, see File scanner updating.)

Perform Updates at Startup

Indicates that engines should be automatically updated every time FSE is started. Disabled by default.

Send Update Notification

Indicates that a notification should be sent to the Virus Administrator each time a scan engine is updated. Disabled by default. (For more information about setting up notifications to administrators, see E-mail notifications.)

Use Proxy Settings

Indicates that proxy settings are to be used when retrieving antivirus scanner updates. Disabled by default, unless you indicated, during installation, that proxy settings were to be used. (For more information, see "Updating the file scanner through a proxy" in File scanner updating.)

Use UNC Credentials

Indicates that Universal Naming Convention (UNC) credentials are needed when retrieving antivirus scanner updates. Disabled by default. (For more information, see File scanner updating.) Credentials are not supported if you are using the Microsoft Forefront Server Security Management Console for redistribution. Therefore, be sure to clear this setting if you are using the Microsoft Forefront Server Security Management Console to manage antivirus engine updates.

Proxy Server Name/IP Address

The name or IP address of the proxy server. Required, if using proxy settings when retrieving antivirus scanner updates. If you indicated, during installation, that proxy settings were to be used, the value you entered then is used to populate this field.

Proxy Port

Indicates the port number of the proxy server. Required, if using proxy settings when retrieving antivirus scanner updates. The default is port 80. If you indicated, during installation, that proxy settings were to be used, the value you entered then is used to populate this field.

Proxy Username

The name of a user with access rights to the proxy server, if necessary. Optional field.

Proxy Password

The appropriate password for the proxy user name, if necessary. Optional field.

UNC Username

The name of a user with access rights to the UNC path, if necessary. Optional field.

UNC Password

The appropriate password for the UNC user name, if necessary. Optional field.

For more information about updating the scan engines, see File scanner updating.

Scanning section

This list describes the settings in the Scanning section of General Options; each setting name is followed by its description.

Body Scanning – Manual

Enables message body scanning for the Manual Scan Job. Disabled by default.

Body Scanning – Realtime

Enables message body scanning for the Realtime Scan Job. Disabled by default.

Delete Corrupted Compressed Files

Specifies whether corrupted compressed files are deleted. A corrupted compressed file is an archive or compressed file type that does not conform to the standard of that type. These files usually have internal headers set incorrectly, or the file may exceed the size limit configured for FSE.

When a corrupted compressed file is detected, FSE reports it as a CorruptedCompressedFile virus. This option is enabled by default.

Quarantining of these files is determined by the individual scan job settings. By default, files identified as corrupted are quarantined. You can also create a new registry key setting named QuarantineCorruptedCompressedFiles to override quarantining for these file types. The DWORD setting must be created and its value set to 0.

Note

In addition to CorruptedCompressedFile viruses, this setting also handles these file types:

UnwritableCompressedFile - A type of corrupted compressed file whose contents cannot be correctly modified (cleaned or deleted), or correctly inserted back into the archive by the scanners due to the corrupt nature of the file.

UnReadableCompressedFile - A type of corrupted compressed file whose contents cannot be correctly read out of the archive due to the corrupt nature of the archive.

Delete Corrupted Uuencode Files

Specifies whether corrupted UUENCODE files are deleted. Typically, a Uuencoded file that FSE is unable to parse is considered corrupted. FSE reports those as a CorruptedCompressedUuencodeFile virus. Enabled by default.

Delete Encrypted Compressed Files

Specifies whether an encrypted compressed file with at least one encrypted item within its contents is deleted (encrypted files cannot be scanned by antivirus scan engines). Disabled by default. FSE reports those as an EncryptedCompressedFile virus.

Treat ZIP archives containing highly-compressed Files as corrupted compressed

Specifies whether ZIP archives containing highly-compressed files are reported as corrupted compressed. If the archive is reported as corrupted compressed, and if the option to Delete corrupted compressed files is enabled, the archive is deleted. If Delete corrupted compressed files is not enabled, the files in the ZIP archive are passed to the virus engines to be scanned, in their compressed form. The ZIP archive itself is also passed to the virus engines. If scanned and no threat is found, the message will be delivered. If a threat can be cleaned, the message will be delivered. If a threat cannot be cleaned, the message will be deleted. If the file is compressed with an unknown algorithm, it is treated as corrupted compressed, regardless of the setting of this option. This option is enabled by default (that is, ZIP archives containing highly-compressed files are treated as corrupted compressed).

Treat multipart RAR archives as corrupted compressed

A file within a RAR archive can be compressed across multiple files or parts (hence “multipart”), thereby enabling very large files to be broken into smaller-sized files for ease of file transfer. This option specifies whether RAR archives containing such parts are reported as corrupted compressed.

Disabling this option enables you to receive such files. However, in this case a virus may escape detection if it is split across multiple volumes. Therefore, this setting is enabled by default.

If the archive is reported as corrupted compressed, and if the option to Delete corrupted compressed files is enabled, the archive is deleted. If Delete corrupted compressed files is not enabled, only the RAR archive as a whole is passed to the virus engines to be scanned. If no threat is found when the archive is scanned, the message will be delivered. If a threat is found and can be cleaned, the message will be delivered. If a threat is found and cannot be cleaned, the message will be deleted. Enabled by default.

Note

If you are using multipart RAR to compress files that exceed 100 MB when uncompressed, you should be aware of the registry value MaxUncompressedFileSize. For more information, see Registry keys.

Treat concatenated gzips as corrupted compressed

Multiple Gnu zip (gzip) files can be concatenated into a single file. Although FSE recognizes concatenated gzips, it may not recognize individual files split across concatenated gzips. Therefore, FSE treats concatenated gzips as corrupted compressed by default. In combination with the Delete Corrupted Compressed Files option, this default behavior prevents all concatenated gzips from passing through, thereby preventing potential infections.

Disabling the Treat concatenated gzips as corrupted compressed option enables you to receive concatenated gzips. However, in this case a virus may escape detection.

Scan Doc Files As Containers - Manual

Specifies that the Manual Scan Job should scan .doc files and any other files that use structured storage and the OLE embedded data format (for example, .xls, .ppt, or .shs) as container files. This ensures that any embedded files are scanned as potential virus carriers. This setting does not apply to Office 2007 (OpenXML) files; they are always scanned as containers. For more information about OpenXML files, see File types list. Disabled by default.

Scan Doc Files As Containers - Transport

Specifies that the Transport Scan Job should scan .doc files and any other files that use structured storage and the OLE embedded data format (for example, .xls, .ppt, or .shs) as container files. This ensures that any embedded files are scanned as potential virus carriers. For more information about OpenXML files, see File types list. Disabled by default.

Scan Doc Files As Containers - Realtime

Specifies that the Realtime Scan Job should scan .doc files and any other files that use structured storage and the OLE embedded data format (for example, .xls, .ppt, or .shs) as container files. This ensures that any embedded files are scanned as potential virus carriers. For more information about OpenXML files, see File types list. Disabled by default.

Case Sensitive Keyword Filtering

Specifies that keyword filtering should be case-sensitive. Disabled by default (that is, filtering is not case-sensitive).

Optimize for Performance by Not Scanning Messages That Were Already Virus Scanned - Transport

Configures Forefront Security for Exchange Server to skip scanning for messages that were previously scanned by any instance of Forefront Security for Exchange Server in any configuration. This applies to messages being received on Transport servers that have been scanned by Forefront Security for Exchange Server on another Transport server within the Exchange organization. Enabled by default.

Scan on Scanner Update

Causes previously scanned files to be re-scanned when accessed following a scanner update. This setting applies to messages stored on a Mailbox server or a Public Folder server. This setting provides heightened security protection to re-scan messages that have already been scanned. Messages are re-scanned the first time a mailbox server “on-access” event occurs and during every “on-access” event after the initial one if new virus signatures have been received since the last time the message was scanned. Disabled by default.

Warning

When this option is enabled and an engine update occurs while a background scan is in progress, the background scan restarts at the mail that was being scanned. If updates continue to occur before the background scan finishes, the background scan continues to run indefinitely. It is therefore recommended that you do not schedule a background scan for a large dataset if this option is enabled.

Important

When this option is enabled, the Mailbox server may experience increased virus scanning, which may impact server performance. Also, be aware that enabling this setting automatically also enables proactive scanning; for more information, see "About proactive scanning" in Realtime Scan Job.

Note

Messages retrieved by Microsoft Outlook 2003 or Microsoft Outlook 2007 clients running in cache mode only generate an “on-access” event when they are originally synchronized to the client. They are not re-scanned on the server when the messages are accessed on the local client and retrieved from the cache. To re-scan these already retrieved messages, use the Enable Background Scan if 'Scan on Scanner Update' Enabled option in the Background Scanning section of General Options. If the background scan detects a virus in a message and cleans or purges the message, then the next time the Outlook client re-synchronizes with the server, the already retrieved infected message will be cleaned or purged.

Perform Reverse DNS Lookups

Provides the ability to enable reverse DNS lookups for inbound and outbound determination if the Internal Address list contains entries other than the domain name of the server. The inbound or outbound determination is used by keyword and file filtering. When selected (enabled), Forefront Security for Exchange Server uses reverse DNS lookup to get the domain name and make the inbound or outbound determination. If the option is cleared (disabled), Forefront Security for Exchange Server will use the information in the Received header as well as secure routing information from the Exchange Transport Agent to make the inbound or outbound determination. Disabled by default.

Purge Message if Message Body Deleted – Transport

Some messages carry viruses in the body of the message file. When all or part of the message body is deleted to remove a virus, Forefront Security for Exchange Server inserts deletion text in its place. If administrators do not want e-mail users receiving cleaned messages that contain deletion text, they can use this setting to purge messages where all or part of the message body has been deleted by Forefront Security for Exchange Server and there are no attachments. Note that if a message contains both HTML and plain text and the HTML is deleted, the message will be purged if this option is selected. Disabled by default.

Enable Forefront Security for Exchange Scan

Permits administrators to enable or disable all or selected Forefront Security for Exchange Server jobs. The options are Disable All, Enable Store Scanning (Realtime and Manual), Enable Transport Scanning, and Enable All (the default). After changing this setting, the Forefront Security for Exchange Server services must be recycled. (For more information about recycling the services, see "Recycling the Forefront Security for Exchange Server services" in Forefront Security for Exchange Server Services.)

Transport Process Count

Used to change the number of FSCTransportScanning processes that are used by Forefront Security for Exchange Server. The default value is 4. You may create up to 10 Transport processes. After changing this setting, the Forefront Security and Exchange Server services must be recycled. (For more information about this setting, see Transport Scan Job.)

Realtime Process Count

Used to change the number of real-time processes that are used by Forefront Security for Exchange Server. The default value is 4. You may create up to 10 real-time processes. After changing this setting, the Forefront Security and Exchange Server services must be recycled. (For more information about this setting, see Realtime Scan Job.)

Forefront Manual Priority

Enables administrators to set the CPU priority of manual scans to: Normal (the default), Below Normal, or Low to permit more important jobs to take precedence over manual scans when demands on server resources are high.

Engine Error Action

Enables administrators to set the action that Forefront Security for Exchange Server should take if a scan engine error occurs. (Examples include an engine exception, excessive read/write operations, a virus found without a virus name, multiple engine errors, and any other failure code returned by an engine.) The options are: Ignore, which logs the error to the program log; Skip: detect only, which logs the error to the program log and displays an EngineError entry with the state Detected in the UI; and Delete, which logs the error to the program log, deletes the file that caused the error, and displays an EngineError entry with the state Removed in the UI. The file that caused the engine error is always quarantined. The default value is Delete.

Illegal MIME Header Action

If Forefront Security for Exchange Server encounters an illegal MIME header during a scan, it can be enabled to Purge: eliminate message (the default) or set to Ignore the message. Illegal MIME headers are messages where the Content-Disposition or Content-Type header is longer than it is supposed to be. Identified messages are quarantined by default. If you do not want identified messages to be quarantined, create a new registry DWORD value named DisableQuarantineForIllegalMimeHeader and set it to 1 to override quarantining.

Transport Scan Timeout Action

Indicates what to do in the event that the Transport Scan Job times out while scanning a file. The options are Ignore, Skip: detect only, and Delete. The Ignore setting lets the file pass without being scanned. The Skip setting reports in the Incidents log and the program log that the file exceeded the scan time and lets it pass without being scanned. The Delete setting also reports the event and replaces the contents of the file with the deletion text. A copy of the file is stored in the Quarantine database if quarantining is enabled and the Transport Scan Timeout Action is set to either Skip or Delete. The default value is Delete.

Realtime Scan Timeout Action

Indicates what to do in the event that the Realtime Scan Job times out while scanning a file. The options are Ignore, Skip: detect only, and Delete. The Ignore setting lets the file pass without being scanned. The Skip setting reports in the Incidents log and program log that the file exceeded the scan time and lets it pass without being scanned. The Delete setting also reports the event and replaces the contents of the file with the deletion text. A copy of the file is stored in the Quarantine database if quarantining is enabled and the Realtime Scan Timeout Action is set to either Skip or Delete. The default value is Delete.

Quarantine Messages

Forefront Security for Exchange Server performs two different quarantine operations: quarantining of entire messages or quarantining of attachments only. Entire messages are quarantined only for content filters and file filters that are set to Purge when quarantine is enabled. The choices are:

Quarantine as Single EML File (the default) - the quarantined message and all attachments are quarantined in an EML file format.

Quarantine Message Body and Attachments Separately - messages are quarantined as separate pieces (bodies and attachments).

For a complete description of this setting, see Quarantine.

Note that these settings do not apply to files that are quarantined due to virus scanning. Only infected attachments are quarantined when an infection is detected.

Deliver From Quarantine Security

This value gives administrators flexibility for handling messages and attachments that are forwarded from quarantine. The options for this setting are Secure Mode and Compatibility Mode.

  • Secure Mode forces all messages and attachments delivered from quarantine to be re-scanned for viruses and filter matches. This is the default setting.

  • Compatibility Mode enables messages and attachments to be delivered from quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.) Forefront Security for Exchange Server identifies these messages by placing special tag text in the subject line of all messages that are delivered from quarantine.

(For more information about using this setting, see Reporting and statistics.)

Transport Sender Information

By default, Forefront Security for Exchange Server uses the MIME FROM header sender address for the Transport Scan Job. This setting enables administrators to use the MAIL FROM sender address from the SMTP protocol for the Transport Scan Job. When Use Transport Protocol Mail From is selected, the address in that field is used anywhere the sender address is used, for example, for sender or domain content filtering, notifications, or reporting in the Administrator. The options for this setting are:

  • Use MIME From: Header (the default).

  • Use Transport protocol MAIL FROM

Note that when MIME From is selected and a MIME Sender header is also present, the MIME Sender header information is used.

Max Container File Infections

Specifies the maximum number of infections permitted in a compressed file. If this is exceeded, the entire file is deleted and an incident is logged stating that an ExceedinglyInfected virus was found. A value of zero means that a single infection will cause the entire container to be deleted. In this case the logged incident has "Container Removed" appended to the filter match. The default value is 5 infections.

Max Container File Size

Specifies the maximum container file size (in bytes) that FSE attempts to clean or repair in the event that it discovers an infected file. The default is 25 MB (26,214,400 bytes). Files larger than the maximum size are deleted if they are infected or meet file filter rules. Forefront Security for Exchange Server reports these deleted files as a LargeInfectedContainerFile virus.

Max Nested Attachments

Specifies the maximum number of nested documents that can appear in MSG, TNEF, MIME, and UUEncoded files. Note that for the Realtime Scan Job, a nested MSG file is not treated as a nested file with certain e-mail clients. If the maximum number is exceeded, FSE deletes the document and reports an ExceedinglyNested incident. The default value is 30.

Max Nested Compressed Files

Specifies the maximum nesting depth for a compressed file. If this is exceeded, the entire file is deleted and FSE sends a notification stating that an ExceedinglyNested virus was found. A value of zero means that unlimited nesting is permitted. The default is 5.

Max Container Scan Time (msec) - Realtime/Transport

Specifies the number of milliseconds that the Realtime Scan Job or the Transport Scan Job will scan a compressed attachment before reporting it as a ScanTimeExceeded virus. This limit is intended to reduce the denial-of-service risk posed by "zip of death" attacks. The default value is 120,000 milliseconds (two minutes).

Max Container Scan Time (msec) - Manual

Specifies the number of milliseconds that the Manual Scan Job will scan a compressed attachment before reporting it as a ScanTimeExceeded virus. This limit is intended to reduce the denial-of-service risk posed by "zip of death" attacks. The default value is 600,000 milliseconds (ten minutes).
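The three container limits above (Max Nested Compressed Files, Max Container Scan Time and Max Container File Size) are the controls that keep a recursive container scan bounded. The following added example, which is not Forefront code, shows the shape of such a bounded walk over ZIP archives: it builds a small constructed archive nested to a chosen depth, then scans it while enforcing a nesting limit (zero meaning unlimited, as the page states), a wall-clock budget and a per-member decompressed-size cap. The verdict strings ExceedinglyNested and ScanTimeExceeded are the page's names; ContainerSizeExceeded is this example's own name for the size check and is an assumption.

```python
"""Bounded recursive container scan (added example, not FSE code).

Assumptions: only ZIP containers are modelled; depth counts archive layers
between the outermost file and a leaf member; the size cap is checked against
the declared uncompressed size before a member is read.
"""
import io
import time
import zipfile


def build_nested_zip(depth: int, payload: bytes = b"hello") -> bytes:
    """Constructed sample: `payload` wrapped in `depth` nested ZIP archives."""
    data, name = payload, "payload.txt"
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{level}.zip"
    return data


def scan_container(data: bytes, max_nested: int = 5,
                   max_scan_ms: int = 120_000,
                   max_container_bytes: int = 26_214_400) -> str:
    """Walk nested archives and return a verdict string.

    max_nested: nesting limit, 0 = unlimited (page semantics).
    max_scan_ms: total wall-clock budget for the whole container.
    max_container_bytes: largest declared member size that will be expanded.
    """
    deadline = time.monotonic() + max_scan_ms / 1000.0

    def walk(blob: bytes, depth: int):
        if max_nested and depth > max_nested:
            return "ExceedinglyNested"
        if time.monotonic() >= deadline:
            return "ScanTimeExceeded"
        if not zipfile.is_zipfile(io.BytesIO(blob)):
            return None  # leaf member: this is where the engines would run
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                # Check the declared size before expanding the member, so a
                # highly compressible member cannot exhaust memory first.
                if info.file_size > max_container_bytes:
                    return "ContainerSizeExceeded"  # example's own name
                verdict = walk(zf.read(info), depth + 1)
                if verdict:
                    return verdict
        return None

    return walk(data, 0) or "Clean"


if __name__ == "__main__":
    for depth in (1, 5, 6):
        print(depth, "layers ->", scan_container(build_nested_zip(depth)))
    print("unlimited nesting ->",
          scan_container(build_nested_zip(8), max_nested=0))
```

With the default limit of 5, a five-layer archive is scanned to its leaf while a six-layer one is reported as ExceedinglyNested; setting the limit to zero lets the walk continue indefinitely, which is why that value should be paired with a scan-time budget.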

Internal Address

Forefront Security for Exchange Server can be configured to send different notifications to internal and external senders and recipients. If your list of internal names is small, enter the domain names in the Internal Address field, to show who should be sent internal notifications. Domains should be entered as a semicolon delimited list (for example: microsoft.com;microsoft.net;company.com) with no spaces. Any change to this value is immediately reflected in virus notifications.

When entering a domain name in the Internal Address field, be aware that its sub-domains are covered by the entry.

For example: domain.com includes subdomain.domain.com and subdomain2.domain.com.

Alternate domains such as domain.net or domain.org must be entered individually.

Values entered in Internal Address are used as a substring match of the end of an e-mail address. For example, “soft.com” would consider “someone@microsoft.com” and “someone@abcdef123soft.com” to be internal addresses.

Entries in the Internal Address field must be separated by semicolons (";") and there must be no spaces between the items.

If you have a large number of domains to be used as internal addresses, enter them in an external file called Domains.dat, and leave the Internal Address field blank. Domains.dat is created as an empty file in the DatabasePath directory during installation. It is a text file into which you enter all your internal domains, each on a separate line. Unlike the Internal Address field, all sub-domains must be entered individually.

In order to use the external Domains.dat file, you must change the value of the UseDomainsDat registry key to 1 (its default value is 0). For more about this key, see Registry keys.

Note

The Domains.dat file is reloaded at 02:00 (2:00 A.M.) each day. This is when any changes you make to the file take effect.

(For more information about internal addresses and notifications, see E-mail notifications.)
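The two internal-address mechanisms described above have different matching rules: the Internal Address field is a suffix substring match on the whole e-mail address (so "soft.com" also classifies "someone@abcdef123soft.com" as internal), while Domains.dat lists exact domains, one per line, with every sub-domain spelled out. The following added example, which is not Forefront code, models both rules over constructed addresses and includes an audit helper that reports field entries whose match does not fall on a domain-label boundary, which is how an unrelated look-alike domain ends up receiving internal notifications:

```python
"""Internal-address classification, modelling the Internal Address field and
Domains.dat as the page describes them (added example, not FSE code).

Assumptions: matching is case-insensitive; Domains.dat entries are whole
domains compared exactly against the part after '@'.
"""
from typing import List, Set

# Constructed samples.
INTERNAL_ADDRESS_FIELD = "microsoft.com;microsoft.net;company.com;soft.com"
DOMAINS_DAT_TEXT = "microsoft.com\nmicrosoft.net\ncompany.com\nsoft.com\n"


def parse_internal_address_field(value: str) -> List[str]:
    """Split the semicolon-delimited field; spaces are not allowed."""
    if " " in value:
        raise ValueError("Internal Address entries must not contain spaces")
    return [entry.lower() for entry in value.split(";") if entry]


def is_internal_by_field(address: str, entries: List[str]) -> bool:
    """Field rule: suffix substring match against the end of the address."""
    addr = address.lower()
    return any(addr.endswith(entry) for entry in entries)


def parse_domains_dat(text: str) -> Set[str]:
    """One exact domain per line; blank lines ignored."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def is_internal_by_domains_dat(address: str, domains: Set[str]) -> bool:
    """Domains.dat rule: the address domain must appear exactly in the file."""
    return address.lower().rpartition("@")[2] in domains


def matches_on_label_boundary(address: str, entry: str) -> bool:
    """True when `entry` equals the address domain or is a parent domain of
    it (the intended reading of 'sub-domains are covered')."""
    domain = address.lower().rpartition("@")[2]
    return domain == entry or domain.endswith("." + entry)


def audit_field_matches(address: str, entries: List[str]) -> List[str]:
    """Entries that classify `address` as internal purely by substring, i.e.
    without a label boundary. Non-empty output means an unrelated domain
    would be treated as internal under the field rule."""
    addr = address.lower()
    return [e for e in entries
            if addr.endswith(e) and not matches_on_label_boundary(addr, e)]


if __name__ == "__main__":
    entries = parse_internal_address_field(INTERNAL_ADDRESS_FIELD)
    domains = parse_domains_dat(DOMAINS_DAT_TEXT)
    for addr in ("someone@microsoft.com", "someone@subdomain.domain.com",
                 "someone@abcdef123soft.com"):
        print(addr, "field:", is_internal_by_field(addr, entries),
              "domains.dat:", is_internal_by_domains_dat(addr, domains),
              "substring-only:", audit_field_matches(addr, entries))
```

Running the audit over the addresses actually seen in notification logs is a cheap way to find field entries that are shorter than a full registered domain; moving such lists to Domains.dat (and listing each sub-domain explicitly) removes the substring behaviour at the cost of a once-a-day reload.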

Transport External Hosts

If you are using an Edge Transport or Hub Transport to route e-mail into your Exchange environment, you may enter the IP address of the edge transport server so that Forefront Security for Exchange Server will treat all mail coming from that server as inbound when determining which filters and scan jobs to utilize for a message. If you do not enter the IP address of your Edge Transport or Hub Transport, Forefront Security for Exchange Server will use its internal logic to determine if messages are inbound or not. IP addresses should be entered as a semicolon delimited list with no spaces.

Background Scanning section

This table lists and describes the settings in the Background Scanning section of General Options.

Setting Description

Enable Background Scan if 'Scan On Scanner Update' Enabled

Indicates that FSE should initiate a background scan every time a scan engine is updated if the General Option setting Scan on Scanner Update is enabled. Enabled by default.

Scan Only Messages With Attachments

Indicates that the background scan job should only scan messages that include attachments. Enabled by default.

Scan Only Unscanned Messages

Indicates that the background scan job should only scan messages that have not already been scanned. Disabled by default.

Scan Messages Received Within The Last <x> Days

Places limits on background scanning by enabling administrators to configure Forefront Security for Exchange Server to scan messages based on their age. The options are: Anytime, 4 hours, 6 hours, 8 hours, 12 hours, 18 hours, 1 Day, 2 Days (the default), 3 Days, 4 Days, 5 Days, 6 Days, 7 Days, and 30 Days.

Use caution when setting this option. If the message arrival rate at the mailbox server is very high and too long a scan-back period is selected, background scanning may run continuously, which can have a negative impact on server performance. The scan-back time should be chosen either in response to a specific threat or to cover the ever-present protection gap between the release of malware into the wild and the availability of protection signatures. If background scanning is scheduled to run on a daily basis (see Background scanning and on-access scanning), the recommended setting is to scan the previous two days' worth of mail. In all cases, the time should be set based on both security and performance considerations.

Central management

Centralized management of Forefront Security for Exchange Server is handled by the Microsoft Forefront Server Security Management Console (FSSMC). FSSMC enables administrators to:

  • Install or uninstall FSE on local and remote servers.

  • Update all or individual scan engines on local and remote servers.

  • Run a manual scan on multiple servers simultaneously.

  • Check FSE, scan engine, and virus definition versions on multiple servers.

  • Deploy FSE template files.

  • Retrieve virus logs from multiple servers.

  • Retrieve quarantined files.

  • Retrieve the ProgramLog.txt file from single or multiple servers.

  • Retrieve virus incident information.

  • Deploy General Options settings.

  • Deploy Filter List templates.

  • Generate HTML reports.

  • Send outbreak alerts.

For detailed instructions about using FSSMC, refer to the "Microsoft Forefront Server Security Management Console User Guide".