Configuring the realtime scan

Applies to: Forefront Protection for Exchange

There are various configuration settings that you can adjust for the realtime scan in order to meet the needs of your environment. These include selecting the number of scan engines to use for each scan, setting the action to take when malware is detected, and specifying whether or not to quarantine detected files.

To configure the realtime scan

1. In the Forefront Protection 2010 for Exchange Server Administrator Console, click Policy Management, and under Antimalware, click Mailbox - Realtime.

2. In the Antimalware - Mailbox Realtime pane, under the General Settings section, configure the following settings:

   1. Enable realtime antivirus scan—Select or clear this check box to enable or disable the realtime antivirus scan. This setting is enabled by default.

   2. Enable realtime antispyware scan—Select or clear this check box to enable or disable the realtime antispyware scan. This setting is enabled by default.

3. In the Antimalware - Mailbox Realtime pane, under the Engines and Performance section, select the number of scan engines that should be used for this scan. For more information, see Configuring the number of scan engines used for each scan.

4. In the Antimalware - Mailbox Realtime pane, under the Scan Actions section, configure the following settings:

   1. Action—Select the action that you want performed when a virus or spyware is detected. For virus detections, you can select Skip detect, Clean (the default), and Delete. For spyware detections, you can select Skip detect, Delete (the default), and Purge. For more information, see Configuring the action when malware is detected.

   2. Quarantine Files—Using the drop-down list, enable (by selecting Yes) or disable (by selecting No) saving infected files detected by the file-scanning engines. Quarantining is enabled by default. Enabling quarantine causes deleted attachments and purged messages to be stored in a secure location, from which you can recover them. However, worm-purged messages are not recoverable. For more information about quarantine, see Viewing and managing quarantine.

   3. Edit Malware Deletion Text—You can specify deletion text, which is used to replace the contents of an infected file during a delete operation. The default deletion text informs you that an infected file was removed, along with the name of the file and the name of the malware found. To change the default deletion text, click Edit Malware Deletion Text, make the modifications to the deletion text in the Edit Malware Deletion Text dialog box, and then click Apply and Close to return to the Antimalware - Mailbox Realtime pane.

      Note

      FPE provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. To use them, in the Edit Malware Deletion Text dialog box, right-click, select Insert Field, and then select the desired macro. For more information about this feature, see Keyword substitution macros.

5. Click Save.

Configuring additional realtime scanning options

You can configure the following additional settings located under the Additional Options section of the Antimalware - Mailbox Realtime pane. Click Save after making any changes to your settings.

• Scan doc files as containers—Configures the realtime scan to scan files that use structured storage and the OLE embedded data format (for example, .doc, .xls, .ppt, or .shs) as container files. This ensures that any embedded files are scanned as potential malware carriers. This setting is disabled by default.

• Scan message body—Configures the realtime scan to scan message bodies as well as attachments. Scanning message bodies is disabled by default because message-body scanning increases the time required to perform a scan.

• Scan after engine update—Configures the realtime scan to rescan previously scanned messages when they are accessed following an engine or definition update.

  This setting is disabled by default. When enabled, this setting provides heightened security protection of the Information Store by rescanning messages that have already been scanned. Messages are rescanned the first time an "on-access" event occurs and during every "on-access" event after the initial one if new updates have been received since the last time the message was scanned.

  Warning

  The Exchange server may experience increased malware scanning when this option is enabled. This may impact server performance. Also, be aware that enabling this setting automatically also enables Microsoft Exchange proactive scanning. With proactive scanning, Mailbox servers that contain public folder databases scan files as they are posted to the server. Proactive scanning also causes a scan of messages in the Sent Items folder in mailbox databases.

  Tip

  During a virus "outbreak" scenario, enable the Scan after engine update setting for the realtime scan, causing files to be scanned each time they are accessed after an engine update. You will achieve the best protection because you are always scanning with the latest definitions. When the outbreak passes, disable this setting again, because it can slow system performance.
  You would not normally enable this setting, but if your server has a lot of free capacity and the user experience is not impacted, having this enabled all the time ensures the best possible level of protection. Keep in mind that enabling this setting can have a considerable performance impact on a busy server, as it leads to significantly more scanning.

  Note

  Messages retrieved by Microsoft Office Outlook 2003 or Microsoft Office Outlook 2007 clients running in cache mode only generate an “on-access” event when they are originally synchronized to the client. They are not rescanned on the server when the messages are accessed on the local client and retrieved from the cache. To rescan these already retrieved messages, enable this setting. If the realtime scan detects malware in a message and cleans or purges the message, then the next time the Outlook client resynchronizes with the server, the already retrieved, infected message will be cleaned or purged.

• Suppress malware notifications—Suppresses the sending of Virus found, Spyware found, and Worm found notifications, even if these notifications are enabled. This setting is disabled by default.

• Process count—Configures the number of processes you want running per Mailbox server. The default value is 4; the maximum value is 10.

  When multiple realtime processes are running, the first process scans the file unless it is busy; in which case, the file is delivered to the second process for scanning. If the second process is busy and a third is enabled, the third process scans the file. When the server runs out of scanning processes to use, the scan is queued until a scanning process becomes available.

  On systems with greater than 4 processor cores, performance may be improved by increasing the number of processes towards the total number of CPU cores available. Each additional process will consume additional system resources. When increasing this setting, you should closely monitor resource consumption and performance prior to making additional adjustments.

  It is recommended that the number of realtime processes should be set to twice the number of effective processors on the server. For example, a two-processor server or a single processor dual core server should have the realtime Process count set to the default value of 4. If the server contains two processors each of which is dual core, the recommended setting is 8.

  Important

  You must stop and then start the Microsoft Exchange Information Store service in order for changes to this setting to take effect. Do not use the Restart function. (This service must be recycled because the updated settings are incorporated by the Forefront hook that is loaded by the Exchange Information Store service.)

• Scanning timeout (seconds)—Configures the number of seconds that the realtime scan scans a file before timing out. The default value is 150 seconds.

  In the event that the realtime scan exceeds the specified time to scan a message, the process is terminated, and FPE attempts to restart the service. If successful, realtime scanning resumes and a notification is sent to the administrator stating that the realtime scan exceeded the allotted scan time and was recovered.

  When the new realtime scan process starts, the message that caused it to terminate is reprocessed according to the Scan timeout action setting. For example, if it is set to Delete, FPE deletes the file, replaces its contents with the deletion text for the realtime scan, logs an ExceededRealtimeTimeout incident, and quarantines and archives the file.

  If the process cannot be restarted, a notification is sent to the administrator stating that the realtime scan stopped. In this event, realtime scanning for the particular storage group does not function, but the information store does not stop.

  Important

  You must stop and then start the Microsoft Exchange Information Store service in order for changes to this setting to take effect. Do not use the Restart function. (This service must be recycled because the updated settings are incorporated by the Forefront hook that is loaded by the Exchange Information Store service.)

• Scan timeout action—Configures what action to take when the realtime scan times out while scanning a file. The options are the following:

  • **Ignore—**Lets the file pass without being scanned.

  • **Skip detect—**Reports in the Incidents log and the Program log that the file exceeded the scan time and lets it pass without being scanned.

  • **Delete—**Reports the event and replaces the contents of the file with the deletion text. Delete is the default value.

  Note

  If the Scan timeout action is set to Skip detect or Delete, and if quarantining is enabled, then a copy of the file is stored in the database.

• Maximum container scan time (seconds)—Configures the number of seconds that the realtime scan scans a compressed attachment before reporting it as a ScanTimeExceeded incident. This option is intended to prevent the risk of denial of service due to zip-of-death attacks. The default value is 120 seconds.

Disabling or bypassing the realtime scan

You can configure FPE to disable or bypass realtime scanning of all e-mail messages.

When you disable realtime scanning, no malware scanning or filtering is performed by the realtime scan job. Additionally, disabling the realtime scan also disables the scheduled scan. When you configure FPE to bypass realtime scanning, the realtime scan is still enabled (therefore this setting does not affect scheduled scanning) but the scan bypasses malware and filter scanning.

To disable realtime scanning

1. In the Forefront Protection 2010 for Exchange Server Administrator Console, click Policy Management, and under Global Settings, click Scan Options.

2. In the Global Settings – Scan Options pane, under the Scan Targets – Realtime section, clear the the Enable scanning check box. When the pop-up message appears, click OK.

3. Click Save.

   Important

   You must stop and then start the Microsoft Exchange Information Store service in order for changes to this setting to take effect. Do not use the Restart function. (This service must be recycled because the updated settings are incorporated by the Forefront hook that is loaded by the Exchange Information Store service.)

To bypass realtime scanning

1. In the Forefront Protection 2010 for Exchange Server Administrator Console, click Policy Management, and under Global Settings, click Scan Options.

2. In the Global Settings – Scan Options pane, under the Scan Targets – Realtime section, select the Bypass scanning check box. When the pop-up message appears, click OK.

3. Click Save.

See Also

Concepts

Selecting which mailboxes and public folders to scan with the realtime scan
Selecting the scan engines used for each scan
Deleting corrupted compressed files
Configuring maximum file sizes and other threshold levels