Configuring the transport scan


Applies to: Forefront Protection for Exchange

There are various configuration settings that you can adjust for the transport scan in order to meet the needs of your environment. These include selecting the number of scan engines to use for each scan, setting the action to take when malware is detected, and specifying whether or not to quarantine detected files.

To configure the transport scan

  1. In the Forefront Protection 2010 for Exchange Server Administrator Console, click Policy Management, and under Antimalware, click Hub - Transport (if you are using an Edge Transport server, Edge - Transport appears instead of Hub - Transport).

  2. In the Antimalware - Hub Transport pane, under the General Settings section, configure the following settings:

    1. Enable transport antivirus scan—Select or clear this check box to enable or disable the transport antivirus scan. This setting is enabled by default.

    2. Enable transport antispyware scan—Select or clear this check box to enable or disable the transport antispyware scan. This setting is enabled by default.

  3. In the Antimalware - Hub Transport pane, under the Engines and Performance section, select the number of scan engines that should be used for this scan. For more information, see Configuring the number of scan engines used for each scan.

  4. In the Antimalware - Hub Transport pane, under the Scan Actions section, configure the following settings:

    1. Action—Select the action that you want performed when a virus or spyware is detected. For virus detections, you can select Skip detect, Clean (the default), and Delete. For spyware detections, you can select Skip detect, Delete (the default), and Purge. For more information, see Configuring the action when malware is detected.

    2. Quarantine Files—Using the drop-down list, enable (by selecting Yes) or disable (by selecting No) saving infected files detected by the file-scanning engines. Quarantining is enabled by default. Enabling quarantine causes deleted attachments and purged messages to be stored in a secure location, from which you can recover them. However, worm-purged messages are not recoverable. For more information about quarantine, see Viewing and managing quarantine.

    3. Edit Malware Deletion Text—You can specify deletion text, which is used to replace the contents of an infected file during a delete operation. The default deletion text informs you that an infected file was removed, along with the name of the file and the name of the malware found. To change the default deletion text, click Edit Malware Deletion Text, make the modifications to the deletion text in the Edit Malware Deletion Text dialog box, and then click Apply and Close to return to the Antimalware - Hub Transport pane.

      Note

      FPE provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. To use them, in the Edit Malware Deletion Text dialog box, right-click, select Insert Field, and then select the desired macro. For more information about this feature, see Keyword substitution macros.

  5. Click Save.

Configuring additional transport scanning options

You can configure the following additional settings located under the Additional Options section of the Antimalware - Hub Transport pane. Click Save after making any changes to your settings.

  • Scan doc files as containers—Configures the transport scan to scan files that use structured storage and the OLE embedded data format (for example, .doc, .xls, .ppt, or .shs) as container files. This ensures that any embedded files are scanned as potential malware carriers. This setting is disabled by default.

  • Purge if message body is deleted—Configures whether entire messages should be purged if the message body is deleted by the transport scanner. This setting is disabled by default.

    Some messages carry malware in the body of the message file. When all or part of the message body is deleted to remove malware, the part of the message body that is deleted is replaced with deletion text. If you do not want e-mail users receiving cleaned messages that contain deletion text, you can purge messages where all or part of the message body has been deleted and there are no attachments. For example, if a message contains both HTML and plain text, and the HTML is deleted, the entire message will be purged.

  • Optimize for performance by not rescanning messages already virus scanned—Configures FPE to skip scanning for messages that were previously scanned by any instance of FPE in any configuration. This applies to messages being received on Transport servers that have been scanned by FPE on another Transport server within the Exchange organization. This setting is enabled by default.

  • Suppress malware notifications—Suppresses the sending of Virus found, Spyware found, and Worm found notifications, even if these notifications are enabled. This setting is disabled by default.

  • Illegal MIME header action—Configures what action to take when an illegal MIME header is encountered during a scan. A message is treated as having illegal MIME headers when any of the following is not valid: the Content-Disposition header, the Content-Type header, or the presence of multiple Content-Transfer-Encoding headers. You can select Purge or Ignore. The default value is Purge.

    Messages detected as having illegal MIME headers are quarantined by default if the action is set to Purge. If you do not want purged messages to be quarantined, access the Forefront Management Shell (click Start, point to All Programs, point to Microsoft Forefront Server Protection, and then click Forefront Management Shell) and type the following Windows PowerShell command to disable quarantining of these items:

    Set-FseTransportScan -IllegalMIMEHeaderQuarantine $false

  • Transport sender information—Configures which sender information to use for the transport scan. Select one of the following options:

    • Use MIME header—The MIME FROM header sender address is used for the transport scan. When a MIME Sender header is also present, the Sender header is used instead. This is the default value.

    • Use sender address from SMTP protocol—The MAIL FROM sender address from the SMTP protocol is used for the transport scan. The address in this field is used anywhere the sender address is used.

  • Process count—Configures the number of processes you want running per Transport server. The default value is 4; the maximum value is 10.

    When multiple transport processes are running, the first process scans the file unless it is busy, in which case the file is delivered to the second process for scanning. If the second process is busy and a third is enabled, the third process scans the file. When the server runs out of scanning processes to use, the scan is queued until a scanning process becomes available.

    On systems with more than 4 processor cores, performance may be improved by increasing the number of processes toward the total number of CPU cores available. Each additional process consumes additional system resources. When increasing this setting, closely monitor resource consumption and performance before making further adjustments.

    Important

    You must stop and then start the Microsoft Exchange Transport service in order for changes to this setting to take effect. Do not use the Restart function.

  • Scanning timeout (seconds)—Configures the number of seconds that the transport scan scans a file before timing out. The default value is 300 seconds.

    In the event that the transport scan exceeds the specified time to scan a message, the process is terminated, and FPE attempts to restart the service. If successful, transport scanning resumes and a notification is sent to the administrator stating that the transport scan stopped and recovered.

    When the new transport scan process starts, the message that caused it to terminate is reprocessed according to the Scan timeout action setting. For example, if it is set to Delete, FPE deletes the file, replaces its contents with the deletion text for the transport scan, logs an ExceededTransportTimeout incident, and quarantines and archives the file.

    If the process cannot be restarted, a notification is sent to the administrator stating that the transport scan stopped. In this event, transport scanning does not function and the mail stream is not scanned.

    Important

    You must stop and then start the Microsoft Exchange Transport service in order for changes to this setting to take effect. Do not use the Restart function.

  • Scan timeout action—Configures what action to take when the transport scan times out while scanning a file. The options are:

    • Ignore—Lets the file pass without being scanned.

    • Skip detect—Reports in the Incidents log and the Program log that the file exceeded the scan time and lets it pass without being scanned.

    • Delete—Reports the event and replaces the contents of the file with the deletion text. Delete is the default value.

    Note

    If the Scan timeout action is set to Skip detect or Delete, and if quarantining is enabled, then a copy of the file is stored in the database.

  • Maximum container scan time (seconds)—Configures the number of seconds that the transport scan scans a compressed attachment before reporting it as a ScanTimeExceeded incident. This option is intended to prevent the risk of denial of service due to zip-of-death attacks. The default value is 120 seconds.
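The Illegal MIME header action above names three header defects (an invalid Content-Disposition, an invalid Content-Type, and multiple Content-Transfer-Encoding headers) without showing what such a message looks like. The following added example, which is not FPE code and does not reproduce FPE's actual validation rules, walks constructed messages with Python's standard email parser, flags those three defects on each MIME part, and maps the result to the page's Purge or Ignore setting.

```python
# Added illustration of the three MIME header defects the page lists. The checks are an
# assumed approximation; FPE's real parser rules are not documented on this page.
from email import message_from_bytes

# Constructed sample messages (not real traffic).
CLEAN = (b"From: a@example.com\r\nTo: b@example.com\r\n"
         b"Content-Type: text/plain\r\n\r\nhello\r\n")
MULTI_CTE = (b"From: a@example.com\r\nContent-Type: text/plain\r\n"
             b"Content-Transfer-Encoding: 7bit\r\n"
             b"Content-Transfer-Encoding: base64\r\n\r\naGVsbG8=\r\n")
BAD_CT = b"From: a@example.com\r\nContent-Type: textplain\r\n\r\nhello\r\n"
BAD_CD = (b"From: a@example.com\r\nContent-Type: multipart/mixed; boundary=\"b\"\r\n\r\n"
          b"--b\r\nContent-Type: text/plain\r\n\r\nhi\r\n"
          b"--b\r\nContent-Type: application/octet-stream\r\n"
          b"Content-Disposition: attached; filename=\"report.bin\"\r\n\r\nMZ\r\n"
          b"--b--\r\n")


def header_defects(raw: bytes) -> list:
    """Return a list of the page's illegal-header conditions found in any MIME part."""
    msg = message_from_bytes(raw)  # compat32 policy keeps malformed headers as-is
    defects = []
    for part in msg.walk():
        # More than one Content-Transfer-Encoding header on a single part.
        if len(part.get_all("Content-Transfer-Encoding") or []) > 1:
            defects.append("multiple Content-Transfer-Encoding")
        # Content-Type must at least carry a type/subtype before any parameters.
        ct = part.get("Content-Type")
        if ct is not None and "/" not in ct.split(";")[0]:
            defects.append("invalid Content-Type: %r" % ct.strip())
        # Content-Disposition must start with a recognised disposition token.
        cd = part.get("Content-Disposition")
        if cd is not None:
            token = cd.split(";")[0].strip().lower()
            if token not in ("inline", "attachment"):
                defects.append("invalid Content-Disposition: %r" % token)
    return defects


def transport_decision(raw: bytes, action: str = "Purge") -> str:
    """Apply the page's two settings: Purge (default) drops the message, Ignore lets it through."""
    if not header_defects(raw):
        return "deliver"
    return "purge" if action == "Purge" else "deliver"
```

Running the decision over the constructed samples shows the default Purge setting dropping all three malformed messages while Ignore delivers them unchanged.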

Disabling or bypassing the transport scan

You can configure FPE to disable or bypass transport scanning of all e-mail messages.

When you disable transport scanning, no malware scanning or filtering is performed by the transport scan job. When you configure FPE to bypass transport scanning, the transport scan is still enabled but the scan bypasses malware and filter scanning.

Important

Disabling or bypassing the transport scan should only be used for troubleshooting and under the direction of a Customer Service and Support (CSS) engineer. When transport scanning is disabled (it is enabled by default) or the bypass is enabled (it is disabled by default), the transport scan offers no protection from malware and there is the potential for unscanned malware to leave or enter your organization.

To disable transport scanning

  1. In the Forefront Protection 2010 for Exchange Server Administrator Console, click Policy Management, and under Global Settings, click Scan Options.

  2. In the Global Settings – Scan Options pane, under the Scan Targets – Transport section, clear the Enable scanning check box. When the pop-up message appears, click OK.

  3. Click Save.

    Important

    You must stop and then start the Microsoft Exchange Transport service in order for changes to this setting to take effect. Do not use the Restart function.

To bypass transport scanning

  1. In the Forefront Protection 2010 for Exchange Server Administrator Console, click Policy Management, and under Global Settings, click Scan Options.

  2. In the Global Settings – Scan Options pane, under the Scan Targets – Transport section, select the Bypass scanning check box. When the pop-up message appears, click OK.

  3. Click Save.

Important

When you are finished troubleshooting, in order to once again be protected against malware, you must restore scanning by disabling the bypass. Do this by clearing the Bypass scanning check box and then clicking Save. You do not need to stop and then start any services for changes to this setting to take effect.

See Also

Concepts

Scanning inbound, outbound, and internal message queues
Selecting the scan engines used for each scan
Deleting corrupted compressed files
Configuring maximum file sizes and other threshold levels