Deleting corrupted compressed files

 

Applies to: Forefront Protection for Exchange

You can configure Forefront Protection 2010 for Exchange Server (FPE) to delete the following types of files when they are scanned:

  • Corrupted compressed files—Archive or compressed file types that FPE is unable to parse. An error may occur when parsing a file due to any number of reasons, including improper formatting, exceeding the file size limit, or exceeding the allowable scan time.

  • Corrupted UUEncoded files—UUEncoded files that FPE is unable to parse.

  • Encrypted compressed files—Compressed files that contain at least one encrypted item. Encrypted files cannot be parsed by FPE.

You can also configure FPE to treat specialty file types as corrupted compressed files. Specialty file types include multipart RAR archives and high-compression ZIP archives.

To delete corrupted compressed files

  1. In the Forefront Protection 2010 for Exchange Server Administrator Console, click Policy Management, and under Global Settings, click Advanced Options.

  2. In the Global Settings - Advanced Options pane, under the Deletion Criteria section, you can enable or disable the following settings:

    1. Delete corrupted compressed files—Configures whether corrupted compressed files are deleted. This setting is enabled by default.

      When a corrupted compressed file is detected, FPE reports it as a CorruptedCompressedFile incident.

      Note

      Quarantining of these files is determined by the individual scan job settings. By default, files identified as corrupted are quarantined. You can override quarantining for these file types by clearing the Quarantine corrupted compressed files check box in Advanced Options and then clicking Save.

    2. Delete corrupted UUEncoded files—Configures whether corrupted UUEncoded files are deleted. This setting is enabled by default. When a corrupted UUEncoded file is detected, FPE reports it as a CorruptedCompressedUUEncodedFile incident.

    3. Delete encrypted compressed files—Configures whether encrypted compressed files are deleted. This setting is disabled (cleared) by default.

      When enabled, if one file in a container file is encrypted, then the entire container file is tagged as encrypted compressed and replaced with the deletion text. When an encrypted compressed file is deleted, FPE reports it as an EncryptedCompressedFile incident.

  3. In the Global Settings - Advanced Options pane, under the Specialty File Type Settings section, you can enable or disable the following settings. The action taken on these file types is dependent upon the Delete corrupted compressed files setting.

    1. Treat multi-part .rar archive as a corrupted compressed file—A file within a .rar archive can be compressed across multiple files or parts (hence “multi-part”), thereby enabling very large files to be broken into smaller-sized files for ease of file transfer. This setting specifies whether .rar archives containing such parts are reported as corrupted compressed files.

      Disabling this option enables you to receive such files. However, in this case, malware may escape detection if it is split across multiple volumes. Therefore, this setting is enabled by default.

      If the archive is reported as corrupted compressed, and if the option to Delete corrupted compressed files is enabled, the archive is deleted.

      If Delete corrupted compressed files is not enabled, only the .rar archive as a whole is passed to the engines to be scanned. If no threat is found when the archive is scanned, the message is delivered. If a threat is found and can be cleaned, the message is delivered. If a threat is found and cannot be cleaned, the message is deleted.

      Note

      If you are using multipart .rar archives in order to compress files that exceed 100 megabytes (MB) when uncompressed, you should be aware of the Maximum uncompressed file size setting. For more information, see Configuring maximum file sizes and other threshold levels.

    2. Treat high compression .zip file as a corrupted compressed file—Specifies whether .zip archives containing highly compressed files are reported as corrupted compressed.

      If the archive is reported as corrupted compressed, and if the setting to Delete corrupted compressed files is enabled, the archive is deleted.

      If Delete corrupted compressed files is not enabled, the files in the .zip archive are passed to the engines to be scanned, in their compressed form. The .zip archive itself is also passed to the engines. If scanned and no threat is found, the message is delivered. If a threat can be cleaned, the message is delivered. If a threat cannot be cleaned, the message is deleted.

      If the file is compressed with an unknown algorithm, it is treated as corrupted compressed, regardless of this setting.

      This setting is enabled by default (that is, .zip archives containing highly compressed files are treated as corrupted compressed).

  4. Click Save.
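
An added illustration, not FPE code and not part of the original page: a Python sketch that maps a ZIP file to the incident names above using three conditions the page states (the file cannot be parsed, at least one item is encrypted, the compression algorithm is unknown), then applies the Deletion Criteria defaults. The function names, the set of "known" methods, the order of the checks and the sample archives are assumptions constructed for the example, and the specialty file type settings are not modeled.

```python
import io
import zipfile

# Assumption: the methods this sketch treats as known (stored, deflate, bzip2, LZMA).
KNOWN_METHODS = {zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED,
                 zipfile.ZIP_BZIP2, zipfile.ZIP_LZMA}

def classify_zip(data):
    """Return the incident name from the page that fits this ZIP, or None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = zf.infolist()              # reads the central directory only
    except (zipfile.BadZipFile, NotImplementedError, OSError, ValueError):
        return "CorruptedCompressedFile"         # archive cannot be parsed
    if any(e.flag_bits & 0x1 for e in entries):  # bit 0 of the flags = encrypted entry
        return "EncryptedCompressedFile"         # one encrypted item tags the container
    if any(e.compress_type not in KNOWN_METHODS for e in entries):
        return "CorruptedCompressedFile"         # unknown compression algorithm
    return None

def is_deleted(incident, delete_corrupted=True, delete_encrypted=False):
    """Apply the Deletion Criteria check boxes; the defaults follow the page."""
    if incident == "CorruptedCompressedFile":
        return delete_corrupted
    if incident == "EncryptedCompressedFile":
        return delete_encrypted
    return False

def _sample_zip():
    # Constructed sample: two small stored entries.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("a.txt", "hello")
        zf.writestr("b.txt", "world")
    return buf.getvalue()

def _patch_central_dir(data, offset, value):
    # Constructed sample: overwrite one byte of the first central directory record.
    out = bytearray(data)
    out[data.index(b"PK\x01\x02") + offset] = value
    return bytes(out)

GOOD = _sample_zip()
ENCRYPTED = _patch_central_dir(GOOD, 8, 0x01)  # flags field: set the encryption bit
UNKNOWN = _patch_central_dir(GOOD, 10, 0x61)   # method field: 97, not in KNOWN_METHODS
TRUNCATED = GOOD[:20]                          # no end-of-central-directory record

if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("encrypted", ENCRYPTED),
                       ("unknown method", UNKNOWN), ("truncated", TRUNCATED)]:
        incident = classify_zip(blob)
        print(name, incident, "deleted" if is_deleted(incident) else "not deleted")
```

With the defaults, the truncated and unknown-method samples are deleted while the encrypted sample is not, which is the gap to weigh when leaving Delete encrypted compressed files cleared.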

See Also

Concepts

Configuring maximum file sizes and other threshold levels