SharePoint file filtering


Applies to: Forefront Security for SharePoint

The Forefront Security for SharePoint (FSSP) file filter feature gives you the ability to search for files with a specific name, type, and size. If a match is found, the file filter can be configured to delete, quarantine, notify on, and report the detected file. The file filter offers a flexible means to detect specific files that are being uploaded to or downloaded from the SharePoint server.

Additionally, FSSP scans the contents of compressed files for file filtering matches. For example, if you configure a filter to delete all .exe files, FSSP will delete them inside compressed files, while leaving all files that are not .exe files intact. FSSP can scan all compressed files and variations of compressed formats (such as PKZIP, WINZIP, or GZIP), with the exception of password-protected compressed files. FSSP also scans for files embedded in other container files, such as Word documents.

File filtering can be configured to assess several aspects of a file: the file name and extension, the actual file type, and the file size. By using these criteria, you can filter files in a variety of ways.

Creating a file filter

You can configure the file filter by file types, extensions, or names. For more information, see Filtering by file type, Filtering by extension, and Filtering by name.

To configure the file filter

  1. In the Shuttle Navigator click FILTERING, and then click the File icon. The File Filtering pane appears.

  2. In the upper work pane, select the scan job for which you would like to create the file filter.

  3. To detect files with a particular file name, add the file name to the File Names section of the work pane. Click the Add button and type the name of the file to be detected. (There are also buttons with which to Edit and Delete existing entries.) Use the up and down arrows (on the same line with File Names) to change the order in which a selected filter is executed; order matters when an earlier filter is meant to take precedence over a later one.

    Optionally, the file filter can be configured to filter files based on their size. To detect files by size, specify a comparison operator (=, >, <, >=, <=) and a file size in kilobytes (KB), megabytes (MB), or gigabytes (GB). These are placed immediately after the file name, with no spaces between the file name and the operator or the operator and the file size. File sizes must be entered using the English size keywords KB (for kilobytes), MB (for megabytes), and GB (for gigabytes). The General Options setting Max Container File Size specifies the maximum container file size (in bytes) that FSSP will attempt to clean or repair in the event that it discovers an infected file.

    Examples:

    *.bmp>=1.2MB   all files with a .bmp filename extension that are larger than or equal to 1.2 megabytes

    *.com>150KB   all files with a .com filename extension that are larger than 150 kilobytes

    *.*>5GB   all files, regardless of name, that are larger than 5 gigabytes

  4. Specify the list of File Types that can be associated to the selected File Name. You can select one or more file types from the list or select All Types located below the list. If the file type you want to associate to the selected file name is not available in the list, then select All Types. For more information, see Filtering by file type. (For a description of the file types listed in the selection box, see SharePoint file types list.)

    The All Types selection configures FSSP to filter based only on the file name and file extension. By selecting All Types, FSSP is configured to detect the selected file name no matter what the true file type. This prevents users from bypassing the filter by simply changing the extension of a file.

    If you know the file type you are searching for, FSSP will work more efficiently if you select the appropriate file type rather than All Types. For example, if you want to filter all EXE files, create the file name filter *.* and set the file type to EXE.

  5. Ensure that the file filter is set to Enabled. It is enabled by default.

  6. Indicate the Action to take if there is a filter match.

  7. Indicate whether to Send Notifications for the selected file name. This does not affect reporting to the Incidents log. In addition, you must also configure the notifications (see SharePoint E-mail notifications). It is disabled by default.

  8. Indicate whether to Quarantine Files for the selected file name. It is enabled by default. Enabling quarantine causes deleted files to be stored, making it possible for you to recover them.

  9. Optionally, you can specify Deletion Text, which is used to replace the contents of a detected file (infected or matched by a filter) during a delete operation. The default deletion text informs you that the file was removed, along with the name of the file and the name of the filter. To create your own custom message, click Deletion Text.

    Note

    FSSP provides keywords that can be used in the deletion text field to obtain information about the file in which the match was found. For more information about keywords, see SharePoint keyword substitution macros.

  10. Click Save to save your filter.

Filtering by file type

If you want to filter certain file types, you can create the filter *.* and set the File Types selection to the exact file type you want to filter.

For example: Create the filter *.* and set the File Types to MP3. This ensures that all MP3 files are filtered no matter what their file name or extension.

After you create a file filter, the All Types check box is selected by default (in the File Types section). If you know, for example, that you are searching for a Word document, you can clear All Types, and then select DOCFILE from the File Types list. This causes FSSP to work more efficiently. However, if you are not sure of the type, you can add resume.* to the File Names list and leave All Types selected. This will ensure that all files with the name resume will be detected, regardless of their extension or type.

One advantage of setting a generic filter (for example, *.*) and associating it with a certain file type (for example, EXE) is that it prevents the potential of users bypassing the filter by simply changing the extension of a file.

Note

If you want to filter Office 2003 and older Microsoft Excel® files, you must enter *.xls or *.* in the File Name box and then select both WINEXCEL and DOCFILE in the File Type list. Excel 1.x files are WINEXCEL type files but newer versions of Excel are DOCFILE file types.
For Office 2007 documents (Word, Excel, and PowerPoint) you should use the proper file extension in the File Name box and then select OPENXML in the File Types list.

Filtering by extension

If you want to filter any file that has a certain extension, you can create a generic filter for the extension and set the File Types selection to All Types. Filter matching is not case-sensitive.

For example: Create the filter *.exe* and set the File Types selection to All Types. This ensures that all files with an .exe extension are filtered.

Important

When creating generic file filters to stop all of a certain type of file (for example .exe files), it is recommended that you write the filter in this format: *.exe*. The second asterisk (*) prevents files with extra characters appended after the file extension from bypassing the filter.

Note

Microsoft recommends avoiding the use of the generic filter * with the File Types set to All Types. This filter configuration could result in the reporting of repeated detections.

Filtering by name

If you want to filter all files with a certain name, you can create a filter using the file name and set the File Types selection to All Types. Filter matching is not case-sensitive.

For example: If a virus is known to be carried in a file named payload.doc, you can create the filter payload.doc and set the File Types selection to All Types. This ensures that any file named payload.doc is filtered, no matter what the file type.

Detecting files by name is also useful when there is an outbreak of a new virus and you know the name of the file in which the virus resides before your virus scanners are updated to detect it. A well-known example is the Melissa macro virus, which was distributed in a Word document named List.doc and could have been caught by an FSSP file filter on that name before virus scanners had a signature for it.

Action

Choose the action that you want FSSP to perform when a file filter is matched. There are different actions available for Realtime and Manual scans.

Note

You must set the action for each file filter you configure. The Action setting is not global.

Skip: Detect only

Records the number of files that meet the filter criteria, but enables files to be uploaded and downloaded. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted. This choice is only available for Manual scans, and is the default.

Delete: Remove contents

Deletes the detected file, inserting the Deletion Text in its place. This choice is only available for Manual scans.

Block: prevent transfer

FSSP stops scanning for viruses and users are blocked from accessing that file. This is the only available choice for Realtime scans.

Editing a file filter

Once you have created a file filter, it can be modified.

To edit a file filter

  1. In the Shuttle Navigator, click FILTERING, and then click the File icon. The File Filtering pane appears.

  2. In the upper work pane, select the scan job for which you would like to modify the file filter.

  3. Make the required changes to the various fields. The changes apply to the selected scan job.

  4. Click Save to save your filter changes.

Making any change to the configuration activates the Save and Cancel buttons. If you make a change to the selected scan job and try moving to another scan job or shuttle icon without saving it, you will be prompted to save or discard your changes.

Matching patterns in the file name with wildcard characters

Use wildcard characters to have your filter match patterns in the file name, rather than a specific file name. You can use any of the following to refine your filters:

*

Used to match any number of characters in a file name. You can use multiple asterisks. The following are some examples of its usage:

Single: Any of these single wildcard character patterns would detect veryevil.doc:

veryevil.*, very*.doc, very*, *il.doc.

Multiple: Any of these multiple wildcard character patterns would detect eicar.com:

e*c*r*om, ei*.*, *car.*.

Note

Use multiple asterisks to filter files with multiple extensions. For example: love*.*.* matches a file such as love-letter.txt.vbs.

?

Used to match any single character in a name where a single character may change. For example:

virus?.exe would find virusa.exe, virus1.exe, or virus$.exe. However, this filter would not find virus.exe.

[set]

A list of characters and ranges, enclosed in square brackets [abcdef]. Any single character in the specified set is matched. For example:

klez[a-h].exe would find kleza.exe through klezh.exe.

[^set]

Used to exclude characters that you know are not used in the file name. For example:

klez[^m-z].exe would not find klezm.exe through klezz.exe.

range

Used to indicate several possible values in a set. It is specified by a starting character, a hyphen (-), and an ending character. For example:

klez[ad-gp].exe would match kleza.exe, klezd.exe, klezf.exe, and klezp.exe but not klezb.exe or klezr.exe.

\char

Indicates that special characters are used literally. (The characters are: * ? [ ] - ^ < >.) The backslash is called an escape character, and indicates that a reserved control character is to be taken literally, as a text character. For example:

If you enter *hello*, you would normally expect to match hello anywhere in the file name. If you enter *\*hello\**, you would match *hello*. If you enter *\*hello\?\**, you would match *hello?*.

Note

You must use a \ before each special character.
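The wildcard grammar above, together with the size suffixes described under Creating a file filter (for example *.bmp>=1.2MB), can be tried against sample names with the following Python. This is an added example, not code from FSSP: it splits off the optional size suffix, translates the documented wildcards (*, ?, [set], [^set], ranges and \ escapes) into a regular expression, and matches case-insensitively. The binary multipliers for KB, MB and GB, and the treatment of the size test as a separate trailing token, are assumptions; the page does not say how the product tokenizes the expression.

```python
import re

# Binary multipliers are an assumption; the page only names the keywords KB, MB and GB.
_SIZE_UNITS = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
# Optional trailing size test: <operator><number><unit>, e.g. ">=1.2MB".
_SIZE_SUFFIX = re.compile(r"^(.*?)(>=|<=|=|>|<)(\d+(?:\.\d+)?)(KB|MB|GB)$", re.IGNORECASE)
_COMPARE = {
    "=": lambda actual, limit: actual == limit,
    ">": lambda actual, limit: actual > limit,
    "<": lambda actual, limit: actual < limit,
    ">=": lambda actual, limit: actual >= limit,
    "<=": lambda actual, limit: actual <= limit,
}


def parse_filter(expr):
    """Split 'name[op size]' into (name_pattern, operator, size_in_bytes).

    A filter without a size suffix yields (expr, None, None).
    """
    m = _SIZE_SUFFIX.match(expr)
    if not m:
        return expr, None, None
    name, op, number, unit = m.groups()
    return name, op, float(number) * _SIZE_UNITS[unit.upper()]


def wildcard_to_regex(pattern):
    r"""Translate the file-name grammar (*, ?, [set], [^set], a-z ranges, \char) to a regex."""
    parts = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))  # escaped special character, taken literally
            i += 2
        elif c == "*":
            parts.append(".*")  # any number of characters
            i += 1
        elif c == "?":
            parts.append(".")  # exactly one character
            i += 1
        elif c == "[":
            end = pattern.find("]", i + 1)
            if end == -1:
                raise ValueError("unterminated [set] in %r" % pattern)
            body = pattern[i + 1:end]
            negate = body.startswith("^")
            if negate:
                body = body[1:]
            # Ranges such as a-h keep their meaning; a backslash inside the set is literal.
            body = body.replace("\\", "\\\\")
            parts.append("[%s%s]" % ("^" if negate else "", body))
            i = end + 1
        else:
            parts.append(re.escape(c))
            i += 1
    # Filter matching is not case-sensitive (see Filtering by extension and Filtering by name).
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches(expr, filename, size_bytes=0):
    """True when filename matches the name pattern and, if the filter has one, the size test."""
    name_pattern, op, limit = parse_filter(expr)
    if not wildcard_to_regex(name_pattern).match(filename):
        return False
    return op is None or _COMPARE[op](size_bytes, limit)


if __name__ == "__main__":
    # Constructed sample checks mirroring the examples in this topic.
    for expr, name, size in [
        ("*.bmp>=1.2MB", "photo.BMP", 2_000_000),
        ("*.com>150KB", "eicar.com", 100_000),
        ("*.exe", "setup.exe.txt", 0),
        ("*.exe*", "setup.exe.txt", 0),
        ("klez[a-h].exe", "KLEZH.EXE", 0),
        ("klez[^m-z].exe", "klezm.exe", 0),
        (r"*\*hello\**", "a*hello*b", 0),
    ]:
        print("%-16s %-16s %s" % (expr, name, matches(expr, name, size)))
```

Note what the trailing asterisk buys and costs: *.exe does not match setup.exe.txt while *.exe* does, but *.exe* also matches names such as notes.exercise.txt, which is one more reason to pair the name filter with the EXE file type rather than All Types, as recommended under Filtering by file type.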

Filtering container files

Container files can be broadly described as complex files that can be broken down into various parts. FSSP can scan the following container files for filter matches:

  • PKZip (.zip)

  • GNU Zip (.gzip)

  • Self-Extracting .zip archives

  • Zip files (.zip)

  • Java archive (.jar)

  • TNEF (Winmail.dat)

  • Structured storage (for example:.doc, .xls, or .ppt)

  • Open XML (for example: .docx, .xlsx, or .pptx)

  • MIME (.eml)

  • SMIME (.eml)

  • UUENCODE (.uue)

  • Unix tape archive (.tar)

  • RAR archive (.rar)

  • MACBinary (.bin)

FSSP scans all parts of the container file and re-packs the file as necessary. For example, if you configure a file filter to delete all .exe files, FSSP deletes .exe files inside container files (replacing them with the Deletion Text) but leaves all other files in the container intact.

Note

FSSP cannot scan password protected files or encrypted files. Although FSSP does not decrypt such files, the files are always passed to the antivirus scanners in their entirety in their encrypted form.

Excluding the contents of a container file from file filtering

To exclude the contents of a .zip (container file) from being scanned for filter matches, specify the name of the .zip file in the file filter list and set the action to Skip. Ordering of the filter in the list is not important. If the name of the .zip file is in the file filter list and its action is set to Skip, file filters are not applied to the contents of the container. The file is, however, scanned for viruses. If you would like to skip all .zip files, create the filter: *.zip and set the action to Skip.

Note

By default, this functionality only applies to .zip and .jar files. If you would like to enable this functionality for other archive types (TAR, GZIP, RAR, Macintosh, SMIME, and Self-Extracting .zip archives), you can set the following DWORD registry values:

  • Realtime Scan Job: SkipFileFilterWithinCompressedRealtime

  • Manual Scan Job: SkipFileFilterWithinCompressedManual

Note

OPENXML files (For example, Office 2007 documents) are ZIP container files, but they are not affected by the ZIP container settings.
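The container behaviour described in this section (scan every member, delete matching members by substituting the Deletion Text, re-pack, recurse into nested archives, pass an archive with password-protected members through unscanned, and leave the contents of a container alone when the container's own name is matched with the Skip action) can be modelled with Python's zipfile module. This is an added example, not FSSP code: the deletion text, the sample archives and the use of fnmatch in place of the product's wildcard grammar are constructed for the illustration, and only zip containers are handled.

```python
import fnmatch
import io
import zipfile

# Constructed stand-in for the product's Deletion Text; the real default wording is not quoted on the page.
DELETION_TEXT = "File {name} was removed by file filter {filter}.\r\n"


def _match(name, patterns):
    """Return the first pattern that matches name (case-insensitive), else None.
    fnmatch stands in for the product's own wildcard grammar."""
    return next((p for p in patterns if fnmatch.fnmatch(name.lower(), p.lower())), None)


def filter_container(data, delete_patterns, skip_patterns=(), container_name="upload.zip", depth=0):
    """Apply delete_patterns to every member of a zip archive and re-pack it.

    Returns (new_bytes, report); report is a list of (member_path, outcome).
    Nested .zip members are recursed into. An archive whose own name matches a
    skip pattern, a corrupted archive, or one with encrypted members is returned untouched.
    """
    report = []
    if _match(container_name, skip_patterns):
        report.append((container_name, "skipped: container excluded from file filtering"))
        return data, report
    try:
        zin = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report.append((container_name, "corrupted: could not be opened"))
        return data, report
    if any(info.flag_bits & 0x1 for info in zin.infolist()):
        # Bit 0 of the general-purpose flags marks an encrypted member; it cannot be read without
        # the password, so the whole archive passes through without file filtering.
        report.append((container_name, "encrypted: not scanned"))
        return data, report
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            path = "%s/%s" % (container_name, info.filename)
            payload = zin.read(info)
            hit = _match(info.filename, delete_patterns)
            if hit:
                payload = DELETION_TEXT.format(name=info.filename, filter=hit).encode()
                report.append((path, "deleted by filter %s" % hit))
            elif info.filename.lower().endswith(".zip") and depth < 8:
                payload, inner = filter_container(payload, delete_patterns, skip_patterns, path, depth + 1)
                report.extend(inner)
            else:
                report.append((path, "passed"))
            zout.writestr(info.filename, payload)
    return out.getvalue(), report


def make_zip(entries):
    """Build an in-memory zip from {name: bytes}; used here only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def member_names(data):
    return sorted(zipfile.ZipFile(io.BytesIO(data)).namelist())


def read_member(data, name):
    return zipfile.ZipFile(io.BytesIO(data)).read(name)


if __name__ == "__main__":
    # Constructed sample: an archive that nests another archive containing an executable.
    inner = make_zip({"tool.exe": b"MZ\x90", "notes.txt": b"hello"})
    outer = make_zip({"report.docx": b"PK\x03\x04", "inner.zip": inner, "run.exe": b"MZ"})
    cleaned, report = filter_container(outer, ["*.exe*"])
    for path, outcome in report:
        print(path, "->", outcome)
    _, report = filter_container(outer, ["*.exe*"], skip_patterns=["*.zip"])
    print(report)
```

Because the recursion only follows members named .zip, a .docx (itself a zip) is handled as a document rather than as a container, which is the distinction the OPENXML note above draws.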

Using file filtering to block most file types

You can use file filters to permit some file types and block all others. In this example the permitted files are Office documents. Office documents are not harmless in themselves (the Melissa example under Filtering by name was a Word document carrying a macro virus), so this allowlist does not replace virus scanning of the permitted documents; what it does is keep executables and other arbitrary file types off the server regardless of the extension they carry. It takes two file filters for this to work properly.

Note

Be sure that file filter 1 is created before file filter 2, as the filters are applied, in order, from top to bottom.

First, create a file filter to permit Office files to be uploaded or downloaded. For this example, we will call it File Filter 1.

To create File Filter 1

  1. In the Shuttle Navigator, click FILTERING, and then click the File icon. The File Filtering work pane appears.

  2. Create a new file filter by following these steps:

    1. Click Add.

    2. Type * as the file name and press ENTER.

    3. Clear All Types in the File Types section.

    4. Click Yes to confirm.

    5. Select the DOCFILE, OPENXML, and TNEF file types. (TNEF is the winmail.dat wrapper around attachments in internal mail; include it so that Office documents arriving inside such mail items are also permitted.)

    6. Set the Action to Skip: detect only.

    7. Clear Quarantine Files.

    8. Save the filter.

Next, create a filter to block all files. We will call it File Filter 2. As long as you have created File Filter 1 first, Office files are permitted and all other files are blocked.

To create File Filter 2

  1. In the Shuttle Navigator, click FILTERING, and then click the File icon. The File Filtering work pane appears.

  2. Create a new file filter by following these steps:

    1. Click Add.

    2. Type * as the file name and press ENTER.

    3. Ensure that All Types is selected in the File Types section.

    4. Set the action to Block (Realtime scans) or Delete (Manual scans), as desired.

    5. Select Quarantine Files.

    6. Select Send Notifications.

    7. Save the filter.
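An added example (not FSSP code) of how the two-filter allowlist above behaves when filters are evaluated top to bottom and the true file type is taken from content rather than from the extension. The content signatures, the sample bytes and the use of fnmatch in place of the product's wildcard grammar are constructed for the illustration; the assumption that the first matching filter decides the outcome is what the Skip-then-Block ordering relies on. It also shows the extension-only bypasses discussed under Filtering by file type and Filtering by extension.

```python
import fnmatch
from collections import namedtuple

ALL_TYPES = "All Types"
FileFilter = namedtuple("FileFilter", "name types action")

# Content signatures used to identify the true file type. This mapping is constructed
# for the example; how FSSP itself identifies types is not described on the page.
_SIGNATURES = [
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "DOCFILE"),  # OLE2 structured storage: .doc/.xls/.ppt
    (b"MZ", "EXE"),                                      # DOS/PE executable
    (b"%PDF", "PDF"),
]


def detect_type(content):
    """Return the file type implied by the content, ignoring the file name entirely."""
    if content.startswith(b"PK\x03\x04"):
        # Office Open XML is a zip that carries a [Content_Types].xml part; any other zip is just ZIP.
        return "OPENXML" if b"[Content_Types].xml" in content else "ZIP"
    for magic, kind in _SIGNATURES:
        if content.startswith(magic):
            return kind
    return "UNKNOWN"


def evaluate(filters, filename, content):
    """Apply filters top to bottom; the first one whose name pattern and type set
    both match decides the action. ("Allow", None) means no filter matched."""
    kind = detect_type(content)
    for f in filters:
        if not fnmatch.fnmatch(filename.lower(), f.name.lower()):  # fnmatch stands in for the product grammar
            continue
        if f.types != ALL_TYPES and kind not in f.types:
            continue
        return f.action, f
    return "Allow", None


# The two-filter list from this section: permit Office documents, block everything else.
OFFICE_ONLY = [
    FileFilter("*", {"DOCFILE", "OPENXML", "TNEF"}, "Skip"),  # File Filter 1
    FileFilter("*", ALL_TYPES, "Block"),                      # File Filter 2
]
# The same two filters in the wrong order: the Block filter now fires first for everything.
WRONG_ORDER = list(reversed(OFFICE_ONLY))

# Constructed sample content (truncated headers are enough for the signature check).
EXE_BYTES = b"MZ\x90\x00\x03\x00\x00\x00"
DOCX_BYTES = b"PK\x03\x04\x14\x00\x00\x00\x08\x00[Content_Types].xml..."
ZIP_BYTES = b"PK\x03\x04\x14\x00\x00\x00\x08\x00payload.bin..."


if __name__ == "__main__":
    for label, name, content in [
        ("real docx", "q3.docx", DOCX_BYTES),
        ("exe renamed to .docx", "q3.docx", EXE_BYTES),
        ("plain zip", "q3.zip", ZIP_BYTES),
    ]:
        print("%-22s %-8s %s" % (label, name, evaluate(OFFICE_ONLY, name, content)[0]))
    print("wrong order, real docx:", evaluate(WRONG_ORDER, "q3.docx", DOCX_BYTES)[0])     # Block
    # Extension-only filters and the trailing-asterisk bypass from Filtering by extension.
    print(evaluate([FileFilter("*.exe", ALL_TYPES, "Block")], "setup.exe.txt", EXE_BYTES)[0])   # Allow
    print(evaluate([FileFilter("*.exe*", ALL_TYPES, "Block")], "setup.exe.txt", EXE_BYTES)[0])  # Block
    print(evaluate([FileFilter("*", {"EXE"}, "Block")], "setup.exe.txt", EXE_BYTES)[0])         # Block
```

The renamed executable is blocked because the Block filter uses All Types while the Skip filter requires a document type that the MZ header does not satisfy; the plain zip is blocked for the same reason, since a zip that is not an Office package does not count as OPENXML here.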

File filter lists

As well as creating individual file filters, you can create lists of them to have collections of filters for use by different scan jobs or simply to organize your filters. The individual filters are created in the same way as previously described, but now, each filter is part of a list.

Creating a file filter list

Begin by creating a new file filter list.

To create a file filter list

  1. In the FILTERING section of the Shuttle Navigator, click the Filter Lists icon.

  2. In the List Types pane, select Files.

  3. In the List Names section, click the Add button.

  4. Type a name for the new list, and then press ENTER. The empty list appears in the List Names section.

  5. With the new list name selected, click the Edit button. The Edit Filter List dialog box appears. Use it to add file names to the list.

  6. In the Include In Filter section, click the Add button.

  7. Type a file name to be included in the filter list. Press ENTER when you are finished typing. You may have as many items as you want, but each must be entered separately. Each follows all the rules already discussed for creating single file filters.

    The Exclude From Filter section is used to enter file names that should never be included on the file filter list. This prevents those file names from accidentally being added when importing a list from a text file. For more information on importing files, see Importing items into a filter list.

  8. When you are finished adding items, click OK. The list of items you just entered appears, alphabetically, in the pane next to List Names.

  9. Click Save to save the list.

  10. Configure the filter list the same way as described in Creating a file filter.

Importing items into a filter list

Data for filter lists may be created offline in Notepad or a similar text editor and then imported into the appropriate filter list using the Forefront Server Security Administrator. Note that FSSP can only import lists that are UTF-16 or ANSI files. Other Unicode encodings (for example UTF-8) will not be properly imported.

To create and import entries into a filter list

  1. Create a list and save it as a text file. Place each item on its own line in the file.

  2. In the FILTERING section of the Shuttle Navigator, click Filter Lists.

  3. Select the filter list into which you will be importing data.

  4. Click Edit. The Edit Filter List dialog box appears.

  5. Click the Import button. A File Explorer window opens. Use it to navigate to the text file you created in step 1.

  6. Select the file and click Open.

  7. The file is imported into the middle (New Items) pane of the Import List editor to enable you to select the entries you would like to include in your filter list. Use the <=== button to move all the items into the Include In Filter pane or use the <--- button to move single items. You can use the right-pointing arrows to move items into the Exclude From Import pane.

  8. When you have moved all the desired items, click OK.

  9. Click Save.
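The encoding restriction and the Exclude From Filter behaviour of the import procedure above can be modelled with the following Python, an added example that is not FSSP code. It accepts a UTF-16 file (identified by its byte-order mark) or an ANSI file, refuses UTF-8 rather than mis-reading it, takes one entry per line, drops duplicates case-insensitively and separates out entries that appear on the exclude list. The choice of cp1252 as the ANSI code page and the sample inputs are assumptions constructed for the example.

```python
import codecs


def list_encoding(raw):
    """Classify the list file by its byte-order mark: 'utf-16', 'utf-8' or 'ansi'."""
    if raw.startswith(codecs.BOM_UTF16_LE) or raw.startswith(codecs.BOM_UTF16_BE):
        return "utf-16"
    if raw.startswith(codecs.BOM_UTF8):
        return "utf-8"
    return "ansi"


def parse_filter_list(raw, exclude=()):
    """Decode an exported filter list and return (accepted, rejected) entries.

    raw is the file content as bytes, one filter expression per line. Only UTF-16
    (with BOM) and ANSI are accepted, matching the import restriction in this topic.
    """
    encoding = list_encoding(raw)
    if encoding == "utf-16":
        text = raw.decode("utf-16")  # the BOM selects the byte order and is consumed
    elif encoding == "utf-8":
        raise ValueError("UTF-8 list files are not supported; save the file as UTF-16 or ANSI")
    else:
        text = raw.decode("cp1252")  # ANSI; the Windows-1252 code page is an assumption here
    excluded = {e.lower() for e in exclude}
    accepted, rejected, seen = [], [], set()
    for line in text.splitlines():
        item = line.strip()
        if not item:
            continue
        if item.lower() in excluded:
            rejected.append(item)  # corresponds to the Exclude From Filter list
        elif item.lower() not in seen:
            seen.add(item.lower())
            accepted.append(item)
    return accepted, rejected


# Constructed sample list files as Notepad would save them.
SAMPLE_UTF16 = codecs.BOM_UTF16_LE + "*.exe*\r\nresume.*\r\n\r\n*.EXE*\r\n*.zip\r\n".encode("utf-16-le")
SAMPLE_ANSI = b"*.exe*\r\nr\xe9sum\xe9.*\r\n"
SAMPLE_UTF8 = codecs.BOM_UTF8 + b"*.exe*\r\n"


if __name__ == "__main__":
    print(parse_filter_list(SAMPLE_UTF16, exclude=["*.zip"]))
    print(parse_filter_list(SAMPLE_ANSI))
```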

Viewing filter list contents

You can view the contents of any selected filter list by clicking the Lists button (in the Filter Lists section of the File Filtering work pane), selecting an item, and then clicking View List. To change the contents, see Editing a file filter.

Click the Back button (the left-pointing arrow) when you are finished viewing the contents.

Filter set templates

Filter set templates can be created for use with any FSSP scan job. A single filter set template can be associated with any or all of the scan jobs, and you can also create multiple filter set templates for use on different servers or different scan jobs.

Creating a filter set template

Start by creating a filter set template.

To create a filter set template

  1. If the templates are not visible, display them by clicking File, clicking Templates, and then clicking View Templates.

  2. Click File, click Templates, and then click New. The New Template dialog box appears.

  3. Select Filter Set, enter a name for it, and then click OK. The name has a maximum of 19 characters. Your new filter set template now appears in the list in the top pane, ready to be configured.

Configuring a filter set template

After you have created a filter set, you must configure it.

To configure a filter set template

  1. In the FILTERING section of the Shuttle Navigator, click File. The File Filtering work pane appears.

  2. In the upper pane, select the name of the filter set template to be configured.

  3. Using the Add button, add a File Filter, and then specify the criteria for that filter. You may create multiple filters within a filter set template.

  4. Click Save to save your work.

Associating a filter set template with a scan job

After you have created and configured a filter set template, associate it with a scan job. During scanning, FSSP uses the filter set template configuration first and then uses any other filter setting you have specified when setting up the scan job.

To associate a filter set template with a scan job

  1. In the SETTINGS section of the Shuttle Navigator, select Templates.

  2. Select a scan job in the Job List.

  3. Select the filter set template that you want to associate with the job from the Filter Set list in the lower pane. You can associate a single filter set template with a scan job. If you are unsure about the contents of the filter set template, click View Filter Set. Click the Back button (the left-pointing arrow) when you are finished viewing the contents.

  4. Click Save. The filter set template is now associated with that scan job. During scanning, FSSP uses the filter set template configuration first and then any other filter settings that you specified when setting up the scan job.

Note

To cancel the association, repeat the steps in the preceding procedure and select None from the Filter Set list (or select a different filter set template).

Editing a filter set template

You can modify the settings in a filter set template.

To edit a filter set template

  1. In the FILTERING section of the Shuttle Navigator, click File. The File Filtering work pane appears.

  2. In the upper pane, select the filter set template.

  3. In the lower pane, select the filter whose configuration you want to modify.

  4. Click Edit and make your changes.

  5. Click Save.

Note

File filters that you created are displayed in the File Names section and can be modified. Filter set templates are also displayed; however they cannot be selected for modification in the File Names section. To modify a filter set template, you must select its template in the upper pane. When a filter set template is assigned to a scan job, the contents of the filter set are not visible unless View Templates is selected in the File option of the menu bar.

Deleting a filter set template

You may delete a filter set template.

To delete a filter set template

  1. If the filter set template has been associated with a scan job, you have to remove the association. Follow the directions in Associating a filter set template with a scan job and either reset the association to None or select a different filter set template for the association.

  2. In the Job List of the Template Settings work pane, select the filter set.

  3. Click File, click Templates, and then click Delete.

  4. Confirm the deletion request.

Renaming a filter set template

You can rename a filter set template.

To rename a filter set template

  1. In the Job List of the Template Settings work pane, select the filter set.

  2. Click File, select Templates, and then click Rename. The Rename Template dialog box appears.

  3. Type the template's new name. The name has a maximum of 19 characters.

  4. Click OK.

Distributing filter set templates to remote servers

Filter set templates can be distributed to remote servers using a Deployment Job in the Microsoft Forefront Server Security Management Console (FSSMC). For more information about using FSSMC, refer to the "Microsoft Forefront Server Security Management Console User Guide".

You can also use FSCStarter from a command prompt to manually install filter set templates on remote servers. For complete FSCStarter instructions, see "Deploying named templates" in SharePoint Templates.

International character sets

Support for file filtering by name in FSSP extends beyond the English character set. For example, files with names that include Japanese characters are handled in the same manner as names in the English character set.

Statistics logging

The Incidents work pane in the REPORT shuttle contains statistics counters that log the number of files that met the specified criteria and were therefore deleted or blocked. These counters can also be found in the Windows Performance snap-in.