Keyword substitution macros

 

Applies to: Forefront Protection for Exchange

Forefront Protection 2010 for Exchange Server (FPE) provides keyword substitution macros that you can use in the deletion text and in the various fields of a notification (Cc, Bcc, Subject, and Message body). These macros obtain and display information from an item in which an infection was found or an item that matched a filter.

Note

When configuring notifications and deletion texts, macros can be used to fill in useful information about the message or file being processed and the server doing the processing. Notifications and deletion texts can be sent to any e-mail address that was part of the original message, including those outside your organization. When enabling or customizing notifications and deletion texts, it is recommended that you do not use any macros that could expose any information you do not want disclosed. (For notifications, you can leverage the internal and external roles to prevent information disclosure.)

Keyword substitution macros are surrounded by leading and trailing percent signs (%). To display the percent sign itself as part of the deletion text or in a notification field, use consecutive percent signs (%%).

The following are examples of the use of keyword-substitution macros:

  • The subject line of a malware notification could contain the name of the malware. In the Subject field, use the %Malware% keyword substitution macro. For example:

A file is infected with the %Malware% malware.

  • The message body of a notification e-mail to the Virus Administrator could contain multiple keyword substitution macros. For example:

The %MalwareEngines% scan engines detected the %Malware% malware in a file called %File%. This was an attachment in a message sent by %ISName%%ESName%, at %ISAddress%%ESAddress%. The malware was detected by the %ScanJob% scan job, on the %Server% server, and the item was %State%.

Note

There is no way for you to tell in advance if an incident is going to be caused by a message from an internal or an external sender. Therefore, to identify the sender in the text, use both the internal and the external name macros, with no space in between (that is, %ISName%%ESName%). Only one of them resolves into the name of the sender; the other is ignored. The same is true of the internal and external sender address.

Note

In Windows PowerShell, macros are used in the same way. However, the entire text string must be surrounded by quotation marks, and each group of one or more macro names must be surrounded by apostrophes. For example:
Set-FseNotification -Administrator -Event virus -To VirAdmin@contoso.com -Subject "Malware found" -Body "The '%MalwareEngines%' scan engines detected the '%Malware%' malware in a file called '%File%'. This was an attachment in a message sent by '%ISName%%ESName%', at '%ISAddress%%ESAddress%'. The malware was detected by the '%ScanJob%' scan job, on the '%Server%' server, and the item was '%State%'." -Enabled $true

The following table contains the FPE keyword substitution macros.

| Macro | Description |
| --- | --- |
| %Company% | The name of your organization, as found in the registry. |
| %EBccAddresses% | A list of the addresses of all the external Bcc recipients of the message. |
| %EBccNames% | A list of the names of all the external Bcc recipients of the message. |
| %ECcAddresses% | A list of the addresses of all the external Cc recipients of the message. |
| %ECcNames% | A list of the names of all the external Cc recipients of the message. |
| %ERAddresses% | A list of the addresses of all the external To recipients of the message. |
| %ERNames% | A list of the names of all the external To recipients of the message. |
| %ESAddress% | The address of the message sender, if external to the company. |
| %ESName% | The name of the message sender, if external to the company. |
| %File% | The name of the file in which the virus was detected or that matched a filter. |
| %Filter% | The name of the filter that detected the item. |
| %Folder% | The public or private mailbox and subfolders where the virus or attachment was found. |
| %IBccAddresses% | A list of the addresses of all the internal Bcc recipients of the message. |
| %IBccNames% | A list of the names of all the internal Bcc recipients of the message. |
| %ICcAddresses% | A list of the addresses of all the internal Cc recipients of the message. |
| %ICcNames% | A list of the names of all the internal Cc recipients of the message. |
| %IRAddresses% | A list of the addresses of all the internal To recipients of the message. |
| %IRNames% | A list of the names of all the internal To recipients of the message. |
| %ISAddress% | The address of the message sender, if internal to the company. |
| %ISName% | The name of the message sender, if internal to the company. |
| %Malware% | The name of the malicious software (malware), as reported by the file scanner. |
| %Message% | The subject field of the message. |
| %MIME% | The MIME header information. |
| %ScanJob% | The name of the scan job that scanned the attachment or performed the filtering operation. |
| %Server% | The name of the server that found the infection or performed the filtering operation. |
| %State% | The disposition of the detected item (Deleted, Cleaned, Removed, or Skipped). |
| %MalwareEngines% | A list of all the scan engines that detected the malware. |
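
The following is an added example, not part of the FPE product or its documentation: a PowerShell check that audits a notification or deletion-text template against the macro names in the table above, reporting misspelled macros, stray percent signs, and macros that would disclose internal detail when the text can reach external recipients. The function name Test-FpeTemplate, the left-to-right tokenizing rule, and the contents of $InternalOnly are assumptions made for illustration; adjust the policy list to what your organization is willing to disclose.

```powershell
# Macro names copied from the table on this page.
$KnownMacros = @(
    'Company','EBccAddresses','EBccNames','ECcAddresses','ECcNames','ERAddresses','ERNames',
    'ESAddress','ESName','File','Filter','Folder','IBccAddresses','IBccNames','ICcAddresses',
    'ICcNames','IRAddresses','IRNames','ISAddress','ISName','Malware','Message','MIME',
    'ScanJob','Server','State','MalwareEngines')

# Assumed local policy (not an FPE setting): macros that should not appear in text
# that can be delivered outside the organization.
$InternalOnly = @(
    'Server','ScanJob','Filter','Folder','MalwareEngines','MIME',
    'IBccAddresses','IBccNames','EBccAddresses','EBccNames',
    'ICcAddresses','ICcNames','IRAddresses','IRNames')

function Test-FpeTemplate {
    param(
        [Parameter(Mandatory=$true)][string]$Template,
        [switch]$ExternalRecipients   # set when the text can reach outside addresses
    )
    # Scan left to right. Trying '%Name%' before '%%' keeps '%ISName%%ESName%' as two
    # adjacent macros instead of reading the middle '%%' as an escaped percent sign.
    foreach ($m in [regex]::Matches($Template, '%([A-Za-z]+)%|%%|%')) {
        $name = $m.Groups[1].Value
        $issue = if ($m.Value -eq '%%') { $null }   # escaped literal percent sign
        elseif ($m.Value -eq '%') { 'stray percent sign (use %% for a literal %)' }
        elseif ($KnownMacros -notcontains $name) { 'not an FPE macro (possible typo)' }
        elseif ($ExternalRecipients -and ($InternalOnly -contains $name)) {
            'discloses internal detail to external recipients'
        }
        if ($issue) {
            New-Object PSObject -Property @{ Offset = $m.Index; Token = $m.Value; Issue = $issue }
        }
    }
}

# Constructed input: based on the message body shown on this page, with an escaped
# percent sign and one deliberately misspelled macro (%Sate%) added.
$body = "The '%MalwareEngines%' scan engines detected the '%Malware%' malware in '%File%', " +
        "sent by '%ISName%%ESName%' (100%% match) and handled on '%Server%': '%Sate%'."

Test-FpeTemplate -Template $body -ExternalRecipients |
    Select-Object Offset, Token, Issue | Format-Table -AutoSize
```

Run without -ExternalRecipients to check only syntax and spelling, for example for a notification that is restricted to internal roles.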

See Also

Concepts

Configuring e-mail notifications