General Options - important settings

Applies to: Forefront Security for Exchange Server

You should pay particular attention to these settings:

Critical Notification List

If FSE encounters a problem and stops scanning properly (for example, the Exchange Store starts and FSE is not hooked in, or the Store shuts down abnormally), FSE sends a notification to every e-mail address listed in the Critical Notification List. Separate multiple e-mail addresses with the semicolon character (;). Configure this setting as soon as the product is installed; until it is set, a scanning outage on the server produces no notification at all.

Body Scanning – Realtime

FSE can scan the actual message body for embedded viruses. Because message body scanning is performance-intensive, it is disabled by default in the Realtime Scan Job. Normally, the best practice is to keep it disabled for Realtime, except during a virus outbreak that might involve a message body virus. Message body scanning is always enabled for the Transport Scan Job.

Delete Corrupted Compressed Files

Keep this enabled (the default setting). Forefront cannot parse a corrupted compressed file, so its contents cannot be scanned; deleting the file is the only disposition that does not pass unscanned content to the recipient.

Delete Corrupted Uuencode Files

Keep this enabled (the default setting). Forefront cannot parse a corrupted uuencoded file, so its contents cannot be scanned; as with corrupted compressed files, deletion is the safe disposition.

Delete Encrypted Compressed Files

Select this option. Encrypted files cannot be scanned by the antivirus scan engines, so an encrypted compressed file that is allowed through reaches the recipient unscanned.

Treat Multipart RAR Archives as Corrupted Compressed

See the discussion under RAR file considerations later on this page.

Scan Doc Files As Containers - Manual

You should select this option, since viruses and worms can be embedded into container files (such as .doc, .xls, .ppt, and .shs). You should also enable the equivalent setting for the Transport and Realtime scan jobs.

Optimize for Performance By Not Rescanning Messages Already Virus Scanned – Transport

Leave this option selected to obtain the performance enhancements provided by the AV Stamp. To identify mail that has already been scanned, a secure antivirus header stamp is written to each e-mail when it is first scanned at the Edge or Hub server. Later scanning operations (Hub or Store) check for this stamp, and if it is present the mail is not rescanned. When the option is enabled, messages previously scanned successfully by another Transport server (Hub or Edge) are not rescanned. To force the mailbox server to rescan items, see the description of the DisableAVStamping registry key in the "Scanning Considerations" section.
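The reason the stamp must be "secure" is that a stamp a sender could forge would let a message skip scanning at every downstream hop. The following added example (not FSE's own stamp format, whose header name and key handling are not documented on this page) models the stamp-and-check flow: the first scanner writes a header carrying the engine version, a hash of the message content and an HMAC over both; later scanners skip the scan only if the HMAC verifies, the content is unchanged and the engine version is current enough. The header name `X-Example-AV-Stamp`, the shared key and the sample message are constructed for the example; the `disable_av_stamping` flag models the DisableAVStamping registry key named above.

```python
import hashlib
import hmac
from email import message_from_string
from email.message import Message

# Hypothetical header name and shared key (constructed for this example;
# FSE's real stamp format is not documented on this page).
STAMP_HEADER = "X-Example-AV-Stamp"
STAMP_KEY = b"shared-secret-known-only-to-edge-hub-and-store"

# Constructed sample message.
RAW = """From: alice@example.com
To: bob@example.com
Message-ID: <1@example.com>
Subject: report

quarterly figures attached
"""


def parse_message(raw: str) -> Message:
    return message_from_string(raw)


def _content_hash(msg: Message) -> str:
    """Hash every leaf part's decoded payload so the stamp is bound to the body."""
    h = hashlib.sha256()
    for part in msg.walk():
        if not part.is_multipart():
            h.update(part.get_payload(decode=True) or b"")
    return h.hexdigest()


def _mac(engine_version: str, content_hash: str) -> str:
    data = f"{engine_version}|{content_hash}".encode()
    return hmac.new(STAMP_KEY, data, hashlib.sha256).hexdigest()


def _ver(version: str) -> tuple:
    return tuple(int(x) for x in version.split("."))


def stamp_message(msg: Message, engine_version: str) -> Message:
    """First scanner (Edge or Hub) writes the stamp after a successful scan."""
    content_hash = _content_hash(msg)
    del msg[STAMP_HEADER]  # never keep a stamp that arrived from outside
    msg[STAMP_HEADER] = f"v={engine_version}; h={content_hash}; mac={_mac(engine_version, content_hash)}"
    return msg


def needs_rescan(msg: Message, min_engine_version: str, disable_av_stamping: bool = False) -> bool:
    """Downstream scanner (Hub or Store): skip the scan only for a valid, current stamp."""
    if disable_av_stamping:
        return True
    stamp = msg.get(STAMP_HEADER)
    if stamp is None:
        return True
    try:
        fields = dict(kv.strip().split("=", 1) for kv in stamp.split(";"))
        version, content_hash, mac = fields["v"], fields["h"], fields["mac"]
    except (ValueError, KeyError):
        return True  # malformed stamp: treat as unscanned
    if not hmac.compare_digest(mac, _mac(version, content_hash)):
        return True  # forged or tampered stamp
    if content_hash != _content_hash(msg):
        return True  # body changed after it was stamped
    return _ver(version) < _ver(min_engine_version)  # stamped with old signatures


def demo() -> tuple:
    msg = parse_message(RAW)
    before = needs_rescan(msg, "1.0.0")  # no stamp yet: True
    stamp_message(msg, "1.0.0")
    after = needs_rescan(msg, "1.0.0")  # valid stamp: False
    forged = parse_message(RAW)
    forged[STAMP_HEADER] = "v=1.0.0; h=0000; mac=0000"  # sender-supplied stamp
    return before, after, needs_rescan(forged, "1.0.0"), needs_rescan(msg, "1.0.1")


if __name__ == "__main__":
    print(demo())  # (True, False, True, True)
```

The last value in `demo()` shows the other reason a downstream server may rescan: the stamp is genuine, but it was made with signatures older than the ones now required.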

Scan on Scanner Update

During an "outbreak" scenario, it is recommended that you turn this option on, causing mail to be scanned each time an engine gets updated. This achieves the best protection because you are always scanning with the latest signatures. When the outbreak passes, turn it off again, since it can negatively impact system performance.

Important

When the Scan On Scanner Update option is enabled and an engine update occurs while a background scan is in progress, the background scan will restart at the first mail in the mailbox that was being scanned. If engine updates continue to occur before the background scan finishes, the background scan will continue to run indefinitely. We therefore recommend that you do not schedule a background scan for a large dataset if the Scan On Scanner Update option is enabled.

Realtime Process Count

To enhance performance, FSE permits additional processes to be created for the Realtime Scan Job. When multiple realtime processes are running, the first process scans the file unless it is busy, in which case the file is delivered to the second process for scanning. If the second process is busy and a third is enabled, the third process scans the file. Whenever possible, FSE delivers files to the first process if it is available. Multiple processes increase the load on the server at startup, when the processes are being loaded, and whenever they are called upon to scan a file. More than the default number of processes should not be necessary, except in high-volume environments. Because increasing the number of processes consumes additional server resources, it is best to increase them one at a time and evaluate the performance at each step. The recommended number of realtime processes is twice the number of effective processors on the server. For example, a two-processor server or a single-processor dual-core server should keep this parameter at the default value of 4 (the maximum value is 10). A server with two dual-core processors has four effective processors, so the recommended setting is 8.

Transport Process Count

To enhance performance, FSE permits additional processes to be created for the Transport Scan Job. The default value is 4; the maximum value is 10. When multiple transport processes are running, the first process scans the file unless it is busy; in which case, the file is delivered to the second process for scanning. If the second process is busy and a third is enabled, the third process scans the file. Whenever possible, FSE delivers files to the first process if it is available. Multiple processes increase the load on the server at startup, when the processes are being loaded, and whenever they are called upon to scan a file. More than the default number of processes should not be necessary, except in high-volume environments. Because increasing the number of processes consumes additional server resources, it is best to increase them one at a time, and evaluate the performance at each step.

Deliver From Quarantine Security

While it is recommended that you select the default Secure Mode because it is more secure, there can be a lot of administrative overhead involved in that choice. With Secure Mode, if you have a quarantined file that must be released, you must completely disable the file filter that caused the file to be quarantined before you can release it, then go back and enable the filter again. Therefore, you may find that Compatibility Mode is more suitable.

Max Container File Size

It is recommended that you change this value to match your e-mail policy concerning the largest permissible file attachment size. If a filter match or a virus is detected, attachments larger than this value will automatically be deleted. By default, this setting is 26,214,400 bytes (25 MB).

Internal Address

It is recommended that you set up the addresses that FSE considers to be internal. Use this field for a small number of addresses, or the external Domains.dat file if you have a large number of them.

Entries in the Internal Address field must be separated by semicolons (;) and there must be no spaces between the items. The same rule applies to the Critical Notification List.
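Both list fields on this page (Critical Notification List and Internal Address) use the same semicolon-separated, no-spaces format, and a stray space after a semicolon is easy to type and easy to miss. The following added example, not part of the original page, is a small normalizer that an administrator could run over a candidate value before pasting it into the UI: it rejects spaces and empty entries, checks each entry against a simple shape (address, or address-or-domain for Internal Address), removes case-insensitive duplicates and re-joins the result. The address and domain patterns are deliberately simple and are assumptions of the example, not FSE's own validation rules.

```python
import re
from typing import List

# Simple shapes for the example (assumptions, not FSE's validation rules).
_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
_DOMAIN = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def parse_list_field(value: str, kind: str) -> List[str]:
    """Split a General Options list field on ';' and validate it.

    kind: 'address'  -> Critical Notification List (e-mail addresses only)
          'internal' -> Internal Address (e-mail addresses or domains)
    Raises ValueError on anything the UI would mis-read; returns the
    lower-cased, de-duplicated entries in their original order.
    """
    if kind not in ("address", "internal"):
        raise ValueError(f"unknown field kind {kind!r}")
    if " " in value or value != value.strip():
        raise ValueError("list fields must not contain spaces")
    if value == "":
        return []
    seen, result = set(), []
    for entry in value.split(";"):
        if entry == "":
            raise ValueError("empty entry (doubled or trailing semicolon)")
        ok = _ADDR.match(entry) or (kind == "internal" and _DOMAIN.match(entry))
        if not ok:
            raise ValueError(f"entry {entry!r} is not a valid {kind} entry")
        key = entry.lower()
        if key not in seen:  # e-mail addresses and domains compare case-insensitively
            seen.add(key)
            result.append(key)
    return result


def format_list_field(entries: List[str]) -> str:
    """Join entries exactly as the UI expects: ';' with no surrounding spaces."""
    return ";".join(entries)


def normalize(value: str, kind: str) -> str:
    return format_list_field(parse_list_field(value, kind))


if __name__ == "__main__":
    # Constructed inputs.
    print(normalize("ExchangeAdmins@corp.example;soc@corp.example;soc@CORP.example", "address"))
    print(normalize("corp.example;sub.corp.example;ceo@corp.example", "internal"))
    try:
        normalize("a@corp.example; b@corp.example", "address")  # space after ';'
    except ValueError as exc:
        print("rejected:", exc)
```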

Enable Background Scan if 'Scan On Scanner Update' Enabled

Initiates a background scan every time a scan engine is updated if the General Option setting Scan on Scanner Update is enabled. It is recommended that you leave this enabled, even when Scan on Scanner Update is disabled. Background Scanning only applies to a Mailbox server role that has FSE installed.

Scan messages received within the last x days

For the Store, it is recommended that you set FSE to scan the e-mail received during the prior two days (the default). Background scanning settings in General Options only take effect if a Background Scan is scheduled. It is recommended that background scanning be run during mailbox server off-peak usage hours.

RAR file considerations

A RAR archive can contain both complete files and parts of files. Archives containing partial files are known as multipart RAR archives. For example, assume that you receive two RAR files (either in a single e-mail or in two e-mails). The first contains 50 complete compressed files and part of another. The second has the rest of the partial file and an additional 25 complete compressed files. What happens next depends on the values of two General Options: "Treat multipart RAR archive as corrupted compressed" and "Delete corrupted compressed". These are the possible combinations:

Treat Multipart RAR Archive as Corrupted Compressed: Enabled; Delete Corrupted Compressed: Enabled

Result: The archive is treated as corrupted compressed and these e-mail attachments are deleted without being scanned for viruses. While this combination offers the least flexibility for using compression formats, these are the default settings and should be used if support for multipart RAR archives is not needed.

Treat Multipart RAR Archive as Corrupted Compressed: Disabled; Delete Corrupted Compressed: Disabled

Result: A non-corrupted archive has each of its files scanned by the virus engines; it is also scanned as a whole. An archive containing one or more corrupted files is only scanned as a whole. In either case, if an engine detects a virus, an attempt is made to clean it. If the virus cannot be cleaned, the entire multipart RAR archive is deleted. An e-mail containing archives with no detected viruses is sent to the recipient. While disabling both settings offers greater flexibility for using compression formats, we do not recommend doing this unless enabling them prevents the delivery of critical mail.

Treat Multipart RAR Archive as Corrupted Compressed: Disabled; Delete Corrupted Compressed: Enabled

Result: An archive that contains one or more corrupted files is deleted, not scanned. A non-corrupted archive has each of its files scanned by the virus engines. Any detected virus that cannot be cleaned causes the file containing it to be deleted from the archive. The archive itself is then scanned as a whole, and any detected virus that cannot be cleaned causes the entire multipart RAR archive to be deleted. An e-mail containing archives with no detected viruses is sent to the recipient. Since this combination of settings protects you against corrupted compressed files, it is recommended if support for multipart RAR archives is needed.

Treat Multipart RAR Archive as Corrupted Compressed: Enabled; Delete Corrupted Compressed: Disabled

Result: All multipart RAR archives are treated as corrupted compressed. Only the archive as a whole is scanned, and any detected virus that cannot be cleaned causes the entire multipart RAR archive to be deleted. An e-mail containing archives with no detected viruses is sent to the recipient. Since this combination of settings offers the lowest antivirus scanning effectiveness, we do not recommend it.
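The four combinations above are easier to compare when the decision flow is written out. The following added example (a model built from the descriptions above, not FSE's own code) encodes that flow as a function over a constructed archive description: whether the archive is multipart, whether any member is corrupted, which members the engines flag and whether they can be cleaned, and what a whole-archive scan reports. Running the same archive through all four combinations shows why the Enabled/Disabled pair ranks lowest: an infected member inside an archive that is only scanned as a whole, and that the whole-archive scan does not catch, is delivered. The `Member` and `Archive` shapes and the sample archives are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Member:
    name: str
    corrupted: bool = False
    infected: bool = False   # what a per-file scan would report
    cleanable: bool = False


@dataclass
class Archive:
    members: List[Member] = field(default_factory=list)
    multipart: bool = False
    infected_as_whole: bool = False   # what a whole-archive scan would report
    whole_cleanable: bool = False


def rar_disposition(archive: Archive,
                    treat_multipart_as_corrupted: bool,
                    delete_corrupted_compressed: bool) -> Tuple[str, List[str]]:
    """Return (disposition, names of members removed from a delivered archive).

    disposition: 'deleted_unscanned' | 'deleted_infected' | 'delivered'
    Follows the four rows of the RAR table on this page.
    """
    corrupted = (treat_multipart_as_corrupted and archive.multipart) or \
        any(m.corrupted for m in archive.members)

    if corrupted and delete_corrupted_compressed:
        return "deleted_unscanned", []          # rows 1 and 3: deleted, never scanned

    removed: List[str] = []
    if not corrupted:                          # per-file scan only for non-corrupted archives
        for m in archive.members:
            if m.infected and not m.cleanable:
                if delete_corrupted_compressed:
                    removed.append(m.name)     # row 3: drop the offending file only
                else:
                    return "deleted_infected", []   # row 2: whole archive goes

    # Every surviving archive is also scanned as a whole.
    if archive.infected_as_whole and not archive.whole_cleanable:
        return "deleted_infected", []
    return "delivered", removed


def matrix(archive: Archive) -> Dict[Tuple[bool, bool], Tuple[str, List[str]]]:
    """Disposition under all four (treat_multipart, delete_corrupted) combinations."""
    return {(t, d): rar_disposition(archive, t, d) for t in (True, False) for d in (True, False)}


# Constructed sample: a multipart archive whose member 'evil.exe' is flagged only
# when members are scanned individually.
SAMPLE = Archive(members=[Member("report.doc"), Member("evil.exe", infected=True)],
                 multipart=True)

if __name__ == "__main__":
    for (treat, delete), outcome in matrix(SAMPLE).items():
        print(f"treat_multipart={treat!s:5} delete_corrupted={delete!s:5} -> {outcome}")
```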