SharePoint reporting and statistics


Applies to: Forefront Security for SharePoint

Forefront Security for SharePoint (FSSP) provides several mechanisms that help administrators analyze the state and performance of the Forefront Security for SharePoint services through the Forefront Server Security Administrator interface.

Incidents database

The Incidents database (Incidents.mdb) contains all virus and filter detections for a Microsoft® SharePoint server, regardless of the scan job that caught the infection or performed the filtering. Results are stored in the database by FSCController and are not dependent on the Forefront Server Security Administrator remaining open.

To view the Incidents database, click REPORT in the Shuttle Navigator, and then click the Incidents icon. The Incidents work pane appears.

This is the information that Forefront Security for SharePoint reports for each incident:

Time   The date and time of the incident.

State   The action taken by Forefront Security for SharePoint.

Name   The name of the scan job that reported the incident.

Folder   The name of the folder where the file was found.

File   The name of the file in which the virus was found or that matched a file filter or keyword filter.

Incident   The type of incident that occurred. The categories are: VIRUS and FILE FILTER. Each is followed by either the name of the virus caught or the name of the filter that triggered the event.

Author Name   The name of the author of the document.

Author's E-mail   The e-mail address of the author of the document.

Last Modified By   The name of the last user to modify the document.

Modified User's E-mail   The e-mail address of the last user to modify the document.

Note

The last four fields will be reported as N/A for the Realtime Scan Job because FSSP does not have access to this information during a real-time scan.

VirusLog.txt

Virus incidents can also be written to a text file, VirusLog.txt, located in the Forefront Security for SharePoint installation path (InstalledPath). This feature is disabled by default; to enable it, select Enable Forefront Virus Log in General Options. Once enabled, every virus incident is appended to VirusLog.txt.

The following is a sample entry from the VirusLog.txt file:

    Wed Dec 14 12:56:13 2005 (3184), "Information: Realtime scan found virus:
    Folder: WorkSpace1\SavedFiles
    File: Eicar.com
    Incident: VIRUS=EICAR-STANDARD_AV_TEST_FILE
    State: Cleaned"
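The following PowerShell function is an added example, not part of the Forefront documentation or product: it parses VirusLog.txt records of the shape shown above into objects that can be filtered, counted, or forwarded to a log collector. It assumes every record has that shape (a ctime-style timestamp, "(process id)," and a double-quoted body spanning several lines of "Key: Value" pairs) and that bodies contain no embedded double quotes; the sample log below is constructed for the example, and its second record is invented.

```powershell
# Added example (not Forefront's own code): turn VirusLog.txt into objects.
# ASSUMPTIONS: record shape as in the sample entry above; no embedded double
# quotes inside the quoted body.

function ConvertFrom-ForefrontVirusLog {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Text      # full contents of VirusLog.txt
    )
    # "<ctime timestamp> (<pid>), "<body...>"" where the body spans lines
    $recordPattern = '(?m)^(?<Time>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \((?<ProcessId>\d+)\), "(?<Body>[^"]*)"'
    foreach ($m in [regex]::Matches($Text, $recordPattern)) {
        $lines = $m.Groups['Body'].Value -split '\r?\n'
        # First body line is "<Level>: <message>:", e.g. "Information: Realtime scan found virus:"
        $level, $message = $lines[0] -split ':\s*', 2
        $record = [ordered]@{
            # ctime pads single-digit days with two spaces; collapse before parsing
            Time      = [datetime]::ParseExact(($m.Groups['Time'].Value -replace ' +', ' '),
                            'ddd MMM d HH:mm:ss yyyy', [Globalization.CultureInfo]::InvariantCulture)
            ProcessId = [int]$m.Groups['ProcessId'].Value
            Level     = $level
            Message   = "$message".TrimEnd(':')
            Folder    = $null
            File      = $null
            Incident  = $null
            State     = $null
        }
        # Remaining body lines carry the Folder / File / Incident / State fields
        foreach ($line in ($lines | Select-Object -Skip 1)) {
            if ($line -match '^(?<Key>Folder|File|Incident|State):\s*(?<Value>.*)$') {
                $record[$Matches['Key']] = $Matches['Value'].Trim()
            }
        }
        [pscustomobject]$record
    }
}

# Constructed sample log: the entry quoted above plus one invented record.
$sampleLog = @'
Wed Dec 14 12:56:13 2005 (3184), "Information: Realtime scan found virus:
Folder: WorkSpace1\SavedFiles
File: Eicar.com
Incident: VIRUS=EICAR-STANDARD_AV_TEST_FILE
State: Cleaned"
Wed Dec 14 13:02:40 2005 (3184), "Information: Realtime scan found virus:
Folder: WorkSpace1\Uploads
File: quarterly.zip
Incident: VIRUS=EICAR-STANDARD_AV_TEST_FILE
State: Skipped"
'@

$records = ConvertFrom-ForefrontVirusLog -Text $sampleLog
$records | Format-Table Time, Folder, File, Incident, State -AutoSize

# A detection that was neither cleaned nor deleted is still sitting in the
# library; surface those for follow-up rather than burying them in the log.
$records | Where-Object { $_.State -ne 'Cleaned' -and $_.State -ne 'Deleted' } |
    ForEach-Object { Write-Warning ('{0} {1}\{2} ({3}) state={4}' -f $_.Time, $_.Folder, $_.File, $_.Incident, $_.State) }

# Real use, with $installPath set to the FSSP installation folder:
# ConvertFrom-ForefrontVirusLog -Text (Get-Content -Raw (Join-Path $installPath 'VirusLog.txt'))
```

The parser anchors on the timestamp and the closing quote rather than on blank lines, so it is not confused by records that are appended without a separator; unknown keys inside a body are ignored instead of breaking the record.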

Forefront Security for SharePoint incidents

The following table describes the various incidents FSSP reports. Most of the reported incidents are controlled through settings in General Options.

CorruptedCompressedFile
    Setting: Delete Corrupted Compressed Files
    Description: Forefront has deleted a corrupted compressed file.

EncryptedCompressedFile
    Setting: Delete Encrypted Compressed Files
    Description: Forefront has deleted an encrypted compressed file.

EngineLoopingError
    Setting: Not applicable
    Description: Forefront has deleted a file that caused a scan engine to be caught in a read/write loop while scanning or attempting to clean the file.

ExceedinglyInfected
    Setting: Maximum Container File Infections
    Description: Forefront has deleted a container file because it exceeded the maximum number of infections, as set in Max Container File Infections in General Options.

ExceedinglyNested
    Setting: Maximum Nested Compressed Files
    Description: Forefront has deleted a container file because it exceeded the maximum nesting depth, as set in Max Nested Compressed Files in General Options.

ExceedinglyNested
    Setting: Maximum Nested Files
    Description: Forefront has deleted a file because it exceeded the maximum nested file limit, as set in Max Nested Files in General Options. The default is 30 files. For more information, see MaxNestedFiles in SharePoint registry keys.

LargeInfectedContainerFile
    Setting: Maximum Container File Size
    Description: Forefront has deleted a file because it exceeded the maximum container size that it will attempt to clean or repair. The default is 26 MB; you can change it with the Max Container File Size option in General Options.

ScanTimeExceeded
    Setting: Max Container Scan Time (msec) - Realtime, or Max Container Scan Time (msec) - Manual
    Description: Forefront has deleted a container file because it exceeded the maximum scan time. The default values, in milliseconds (msec), are 120000 msec (2 minutes) for Realtime scans and 600000 msec (10 minutes) for Manual scans.

UnReadableCompressedFile
    Setting: Not applicable
    Description: Forefront has deleted a compressed file that it could not read.

UnWriteableCompressedFile
    Setting: Not applicable
    Description: Forefront has deleted a compressed file to which it cannot write (for example, during a cleaning operation).

Statistics

Forefront Security for SharePoint tracks statistics for each scan job. Several kinds of statistics are maintained for documents.

  • Documents Scanned The number of documents scanned by Forefront Security for SharePoint since the last restart of the services.
  • Documents Detected The number of documents scanned that contained a virus or matched a filter since the last restart of the services.
  • Documents Cleaned The number of documents cleaned by Forefront Security for SharePoint since the last restart of the services.
  • Documents Removed The number of documents removed by Forefront Security for SharePoint since the last restart of the services. (Action set to Purge – Eliminate Message.)
  • Total Documents Scanned The number of documents scanned by Forefront Security for SharePoint since the product was installed.
  • Total Documents Detected The number of documents scanned that contained a virus or matched a file or content filter since the product was installed.
  • Total Documents Cleaned The number of documents cleaned by Forefront Security for SharePoint since the product was installed.
  • Total Documents Removed The number of documents removed by Forefront Security for SharePoint since the product was installed.

Managing statistics

To reset all statistics for a scan job, click the 'x' next to the scan job's name in the Statistics section of the Incidents work pane. You will be asked to confirm the reset. Click Yes to reset all the statistics for the selected scan job.

To save the report and the statistics to a text file, click the Export button (on the Incidents work pane).

Quarantine

Forefront Security for SharePoint, by default, creates a copy of every detected file in its original form (that is, before a Clean, Delete, or Skip action occurs). These files are stored in an encoded format in the Quarantine folder under the Forefront Security for SharePoint DatabasePath folder (which defaults to the installation folder). The actual file name of the detected file, the name of the infecting virus or the file filter name, information about the author of the file and about the person who last modified it, as well as other bookkeeping information, are saved in the file Quarantine.mdb in the Quarantine folder. The Quarantine database is configured as a system data source name (DSN) named Forefront Quarantine, so it can be viewed and manipulated with third-party ODBC tools. Because the folder holds working copies of detected files and the database records author and modifier names and e-mail addresses, restrict access to the DatabasePath folder to the administrator, SYSTEM, and service accounts listed under Moving the databases.

Quarantine options

An administrator can access the Quarantine pane to delete or extract quarantined items. To view the Quarantine log, click REPORT in the Shuttle Navigator, and then click the Quarantine icon. The Quarantine work pane appears.

The quarantine list reports the date the file was quarantined, the name of the file, the type of incident that triggered the quarantine (such as virus or filter match), the name of the infecting virus or the filter name, the author name, the author's e-mail address, last modified by, and the modified user's e-mail address.

Saving quarantine database items to disk

Use the Save As button on the Quarantine work pane to detach and decode a selected file to disk. You can select multiple items from the quarantine list. Each is saved as a separate file.

ExtractFiles tool

ExtractFiles is a command-line tool for decoding quarantined files to disk in bulk. Instead of selecting items one at a time in the Quarantine work pane, you name a target folder and choose the files by virus name or by file extension, or extract everything. Extracted files are in their original, detected form, so write them only to a folder that users cannot reach.

This is the syntax of ExtractFiles:

extractfiles <path> <type>

  • <Path> The absolute path of the folder in which to save the extracted quarantined files.
  • <Type> The type of quarantined files to extract. This can be the specific name of a virus, a specific extension, or all quarantined files. For example:
    Jerusalem.Standard   Extracts files that were infected with the virus named Jerusalem.Standard.
    *.doc   Extracts quarantined files having a .doc extension.
    *.*   Extracts all quarantined files.

Examples:

extractfiles C:\temp\quarantine Jerusalem.Standard

extractfiles C:\extract\ *.doc

Maintaining the databases

There are several other tasks you can perform with the Incidents or Quarantine databases. You can clear the databases, export database items, purge database items, filter database views, and move the databases.

Clearing the databases

Over time, you might find that your Incidents and Quarantine databases are becoming very large. Each database (Incidents.mdb and Quarantine.mdb) has a 2 GB limit. When a database is larger than 1.5 GB after being compacted, a notification is sent to all those having a notification role of Virus Administrators, warning that the database is nearing its limit. An administrator can then clear the database to ensure that future incidents and quarantined items will be saved.

The subject line of the message reads:

Microsoft Forefront Security for SharePoint Database Warning

The body of the message reads:

The Microsoft Forefront Security for SharePoint <<database name>> database is greater than 1.5 GB (with a maximum size of 2 GB). Its current size is x GB.

If this database grows to 2 GB, updates to the <<database name>> will not occur. Please see the user guide for information about database maintenance.

If for some reason the notification cannot be sent, the failure is ignored and is noted in the program log. One attempt to send the message is made during each compaction cycle for the specific database.

Clearing the Incidents database

The Incidents database can be cleared when it becomes too large.

To clear the Incidents database

  1. On the Incidents work pane in the REPORT section of the Shuttle Navigator, click Clear Log. This clears all the items from the Incidents work pane. You will be asked to confirm your decision.

  2. In the OPERATE section of the Shuttle Navigator, select Run Job. Select a scan job, and then click Clear Log. This clears the items from the job in the Incidents work pane. Once again, you will be asked to confirm your decision. You must individually clear all scan jobs to have all items flagged for deletion from the database.

After you have cleared the entries in both places, they no longer appear in the work panes. However, they are actually deleted from the Incidents.mdb database only when it is compacted, which automatically occurs every day at 0200 (2:00 A.M.).

You can also delete a subset of the results by selecting one or more entries (using the SHIFT and CTRL keys), and then pressing the DELETE key to remove them from both locations, as indicated above.

Note

If a large number of entries is selected, the deletion process can take a long time. In this case, you will be asked to confirm the deletion request.

Clearing the Quarantine database

The Quarantine database can be cleared when it becomes too large.

To clear the Quarantine database, click Clear Log on the Quarantine work pane in the REPORT section of the Shuttle Navigator. This clears all the items from the Quarantine work pane. You will be asked to confirm your decision.

After you have cleared the entries, they no longer appear in the work pane. However, they are actually deleted from the Quarantine.mdb database only when it is compacted, which automatically occurs every day at 0200 (2:00 A.M.).

You can also delete a subset of the results by selecting one or more entries (using the SHIFT and CTRL keys), and then pressing the DELETE key to remove them from the Quarantine listing.

Note

If a large number of entries is selected, the deletion process can take a long time. In this case, you will be asked to confirm the deletion request.

Exporting database items

Click Export on the Incidents or Quarantine work panes to save all the results from the Incidents or Quarantine databases as a text file. Clicking Export displays a standard Windows Save dialog box, in which you select a location for the Incidents.txt or Quarantine.txt file.

In addition to the Export button, the Quarantine pane has a Save As button, used to detach and decode a selected file to disk. You can select multiple items from the Quarantine list. Each is saved as a separate file.

Purging database items

You can instruct Forefront Security for SharePoint to remove items from the databases after they are a certain number of days old. The number of days is indicated by the Purge field on both the Incidents and Quarantine work panes. Each database can have a separate purge value (or none at all). If the purge function is enabled for a database, all files older than the specified number of days are flagged for removal from that database.

To purge database items after a certain number of days

  1. On either the Incidents or the Quarantine work pane in the REPORT section of the Shuttle Navigator, select the Purge check box. This causes the Days field to become available.

  2. In the Days field, indicate the number of days after which items will be purged. All items older than that number of days will be deleted from the database. The default is 30 days.

  3. Click Save. Setting or changing the purge value takes effect only after being saved.

To suspend purging, clear the Purge check box. The value in the Days field will remain, but no purging will take place until Purge is selected again.

Filtering database views

You can filter the Incidents or Quarantine views to see only certain items. The filter has no effect on the database itself, just on which records are displayed.

To filter the database view

  1. On the Incidents or Quarantine work pane, select the Filtering check box.

  2. Select the items you want to see with the Field option. Each choice in Field corresponds to one of the columns in the display. (For example, you can show only those Incidents whose State is “Deleted”.) If you select any column other than Time (on the Incidents pane) or Date (on the Quarantine pane), the Value field appears. If you select Time or Date, you get entry fields for beginning date and time, and ending date and time.

  3. If you selected Time or Date, enter the beginning and ending date and time. Otherwise, enter a string in the Value field. Wildcard characters can be used. They are those used by the Microsoft Jet database OLE DB driver. The wildcard characters are:

    _ (underscore)   Matches any single character. (The * and ? characters, which are common wildcard characters, are literals in this instance.)

    [ ]   Denotes a set or a range. Matches any single character within the specified set (for example, [abcdef]) or range (for example, [a-f]).

    [!]   Denotes a negative set or range. Matches any single character not within the specified set (for example, [!abcdef]) or range (for example, [!a-f]).

  4. Click Save to apply the filter. The only items you now see are those that match your parameters.

  5. To see all the items again, remove the filter by clearing the Filtering check box and clicking Save.
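The following PowerShell is an added example, not part of the Forefront documentation or product: it applies the view filter's wildcard rules outside the console, for instance to records from an exported Incidents.txt or from a VirusLog.txt parser. It implements the "_", "[ ]" and "[!]" forms listed above and keeps "*" and "?" literal, as described. It also goes one step beyond the list above by accepting "%" as the Jet OLE DB multi-character wildcard; whether the console passes "%" through to the driver is an assumption, marked as such in the code. The incident records and filter names in the sample are constructed.

```powershell
# Added example (not Forefront's own code): translate a filter value written
# with the Jet OLE DB wildcards into a .NET regular expression and apply it.
# ASSUMPTION: '%' is accepted as the Jet multi-character wildcard; the
# documentation above lists only '_', '[ ]' and '[!]'.

function ConvertTo-JetLikeRegex {
    param([Parameter(Mandatory = $true)][string]$Pattern)
    $regex = New-Object System.Text.StringBuilder -ArgumentList '\A'
    $i = 0
    while ($i -lt $Pattern.Length) {
        $c = $Pattern[$i]
        if ($c -eq '_') {
            [void]$regex.Append('.')                      # any single character
        } elseif ($c -eq '%') {
            [void]$regex.Append('.*')                     # ASSUMPTION: multi-character wildcard
        } elseif ($c -eq '[') {
            $close = $Pattern.IndexOf(']', $i + 1)
            if ($close -lt 0) { throw "Unterminated '[' in filter value '$Pattern'" }
            $set = $Pattern.Substring($i + 1, $close - $i - 1)
            $negate = $set.StartsWith('!')                # [!...] is a negated set or range
            if ($negate) { $set = $set.Substring(1) }
            if ($set -eq '') { throw "Empty set in filter value '$Pattern'" }
            $set = $set -replace '[\\\]\^]', '\$0'        # keep '-' for ranges, escape the rest
            [void]$regex.Append('[' + $(if ($negate) { '^' } else { '' }) + $set + ']')
            $i = $close
        } else {
            [void]$regex.Append([regex]::Escape([string]$c))  # '*', '?', '.' and the rest are literals
        }
        $i++
    }
    [void]$regex.Append('\z')                             # the whole value must match, as LIKE does
    $regex.ToString()
}

function Select-ForefrontRecord {
    param(
        [Parameter(Mandatory = $true)][object[]]$Record,
        [Parameter(Mandatory = $true)][string]$Field,   # a column name, e.g. State or File
        [Parameter(Mandatory = $true)][string]$Value    # filter value using the wildcards above
    )
    $re = ConvertTo-JetLikeRegex -Pattern $Value
    # -match is case-insensitive by default, matching Jet's LIKE behaviour
    $Record | Where-Object { ([string]($_.$Field)) -match $re }
}

# Constructed records modelled on the Incidents work pane columns.
$incidents = @(
    [pscustomobject]@{ Time = '2005-12-14 12:56'; State = 'Cleaned'; File = 'Eicar.com';   Incident = 'VIRUS=EICAR-STANDARD_AV_TEST_FILE' }
    [pscustomobject]@{ Time = '2005-12-14 13:02'; State = 'Deleted'; File = 'budget.doc';  Incident = 'FILE FILTER=Block Office Macros' }
    [pscustomobject]@{ Time = '2005-12-14 13:10'; State = 'Deleted'; File = 'report1.doc'; Incident = 'FILE FILTER=Block Office Macros' }
    [pscustomobject]@{ Time = '2005-12-14 13:15'; State = 'Skipped'; File = 'notes.txt';   Incident = 'VIRUS=EICAR-STANDARD_AV_TEST_FILE' }
)

# Only incidents whose State is "Deleted", as in the example in step 2 above
Select-ForefrontRecord $incidents State 'Deleted' | Format-Table -AutoSize
# '_' matches exactly one character: report1.doc, but not budget.doc
Select-ForefrontRecord $incidents File 'report_.doc'
# Negated set plus the '%' assumption: .doc files whose name does not start with b
Select-ForefrontRecord $incidents File '[!b]%.doc'
# '*' is a literal here, so this matches only a file literally named "*.doc"
@(Select-ForefrontRecord $incidents File '*.doc').Count
```

Escaping every character outside the set forms, rather than only the obvious ones, is what keeps "*" and "?" literal; the set contents are escaped separately so that a range such as [a-f] survives while "]" and "\" inside a set cannot break out of it.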

Moving the databases

You can move the Quarantine and Incidents databases. However, for FSSP to function properly, you must move both databases, as well as all related databases and support files.

To move the databases and all related files

  1. Create a new folder in a new location (for example: C:\Moved Databases).

  2. Set the permissions for the new folder:

    1. Right-click the new folder, and then select Properties.
    2. On the Security tab, add Network Service with Full Control privileges.
    3. Enable all permissions for Administrators and System.
  3. Stop SharePoint and any Forefront Security for SharePoint services that might still be running after the SharePoint server is stopped.

  4. Copy the entire contents of the Data folder, including the subfolders, from Microsoft Forefront Security\SharePoint server into the folder created in step 1. (This results in a folder called, for example, C:\Moved Databases\Data.)

  5. Change the path in the DatabasePath registry key to point to the new data folder location. This key is found at:

    For 32-bit systems:

    HKLM\SOFTWARE\Microsoft\Forefront Server Security\SharePoint\DatabasePath

    For 64-bit systems:

    HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\SharePoint\DatabasePath

  6. Restart the SharePoint services.
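The following PowerShell function is an added example, not part of the Forefront documentation or product: it scripts the six steps above so that the move is repeatable and the folder permissions are set exactly as described. The service names in $SharePointServices and $ForefrontServices are placeholders that the page does not supply and must be replaced with the names on your server; the source Data folder defaults to the default installation path given under Reinstalling Forefront Security for SharePoint performance counters. The function refuses to change the registry unless both Incidents.mdb and Quarantine.mdb are present in the copy.

```powershell
# Added example (not Forefront's own code): script the database move above.
# ASSUMPTIONS: $SharePointServices and $ForefrontServices are placeholder
# service names; $SourceData defaults to the default FSSP install path.

function Move-ForefrontDatabases {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$NewRoot,      # e.g. 'C:\Moved Databases'
        [string]$SourceData = 'C:\Program Files (x86)\Microsoft Forefront Security\SharePoint\Data',
        [string[]]$SharePointServices = @('SPTimerV3', 'W3SVC'),   # ASSUMPTION: placeholders
        [string[]]$ForefrontServices  = @('FSCController')          # ASSUMPTION: placeholder
    )
    # The key sits under Wow6432Node on 64-bit Windows; use whichever exists.
    $keyPath = @('HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\SharePoint',
                 'HKLM:\SOFTWARE\Microsoft\Forefront Server Security\SharePoint') |
        Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $keyPath) { throw 'Forefront Server Security for SharePoint registry key not found' }

    $newData = Join-Path $NewRoot 'Data'
    if (-not $PSCmdlet.ShouldProcess($newData, "Move Forefront databases from $SourceData")) { return }

    # Step 1: create the new folder (and its Data subfolder).
    $null = New-Item -ItemType Directory -Path $newData -Force

    # Step 2: Network Service gets Full Control; Administrators and SYSTEM get every permission.
    $acl = Get-Acl -Path $NewRoot
    foreach ($identity in 'NT AUTHORITY\NETWORK SERVICE', 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $identity, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $NewRoot -AclObject $acl

    # Step 3: stop SharePoint first, then any Forefront service still running afterwards.
    Stop-Service -Name $SharePointServices -Force
    Get-Service -Name $ForefrontServices -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -ne 'Stopped' } | Stop-Service -Force

    # Step 4: copy the entire Data folder, subfolders included.
    Copy-Item -Path (Join-Path $SourceData '*') -Destination $newData -Recurse -Force

    # Sanity check before touching the registry: both databases must have arrived.
    $copied = @(Get-ChildItem -Path $newData -Recurse -Filter '*.mdb' | Select-Object -ExpandProperty Name)
    foreach ($db in 'Incidents.mdb', 'Quarantine.mdb') {
        if ($copied -notcontains $db) { throw "$db not found under $newData; DatabasePath left unchanged" }
    }

    # Step 5: repoint DatabasePath at the copy.
    Set-ItemProperty -Path $keyPath -Name DatabasePath -Value $newData

    # Step 6: restart the SharePoint services.
    Start-Service -Name $SharePointServices
    $newData
}

# Dry run first; drop -WhatIf to perform the move.
Move-ForefrontDatabases -NewRoot 'C:\Moved Databases' -WhatIf
```

Run it from an elevated prompt. Keeping the original Data folder in place until the services are confirmed healthy gives a simple rollback: set DatabasePath back to the old path and restart.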

Windows event viewer

Forefront Security for SharePoint stores virus detections, stop codes, system information, and other general application events in the Windows application log. Use Windows Event Viewer to access the log.

Additionally, these events are stored in ProgramLog.txt located in the Data subdirectory of Microsoft Forefront Security\SharePoint. The maximum size of the ProgramLog.txt file is controlled by the Max Program Log Size field in General Options.

Performance

All Forefront Security for SharePoint statistics can be displayed using the Performance snap-in (Perfmon.exe) provided by Windows and usually found in Administrative Tools. The performance object is called Microsoft Forefront Server Security.

Reinstalling Forefront Security for SharePoint performance counters

In the event that the Forefront Security for SharePoint performance counters are deleted, they can be reinstalled in two ways:

  • By reinstalling Forefront Security for SharePoint.
  • By running PerfMonitorSetup from a command prompt.

To reinstall performance counters from a command prompt

  1. Open a Command Prompt window.

  2. Navigate to the Forefront Security for SharePoint installation folder (default: C:\Program Files (x86)\Microsoft Forefront Security\SharePoint).

  3. Enter the following command: PerfMonitorSetup -install