Purging messages infected by worms
Applies to: Forefront Security for Exchange Server
Topic Last Modified: 2008-01-07
Forefront Security for Exchange Server enables you to configure the Transport Scan Job and the Realtime Scan Job to purge messages infected by worms. Worm purging is a powerful new feature for containing attacks before they harm your network. Forefront Security for Exchange Server identifies worm messages using a regularly updated worm list called WormPrge.dat, which is maintained by Microsoft and updated like the antivirus scan engines. The WormPrge.dat file typically contains the names of worms that are reported by the current third-party scan engines. (Note that each scan engine may report the worm name differently.)
|The definitions in the worm list differ from the definitions that are used by the antivirus scan engines. The worm list includes generic worm name entries. These entries may help provide more protection against future worms that are part of a worm family that has already been detected. For example, if a new worm that is named "Win32/abcdef.A@mm" is detected, Forefront Security for Exchange Server updates the worm list to include a generic entry such as "*abcdef*". This entry covers any new variant of the same virus, such as Win32/abcdef.M@mm. Because the worm list contains generic worm name entries, the worm list does not have to be updated as frequently as the antivirus scan engines are.|
The registry key RealtimePurge is used by the Realtime Scan Job to determine whether or not worm purging is enabled. The Microsoft registry key, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS \VirusScan\EnableScanDeletion, determines whether VSAPI message purging is enabled.
If the EnableScanDeletion key is set (with a value of 1), when the Realtime Scan Job finds a message body or an attachment that should be purged, it will send the message VIRSCAN_DELETE_MESSAGE to FSEVSAPI and Exchange will delete the entire message.
Forefront Security for Exchange Server is not given access to the entire message before it is purged. FSE does not support quarantine for Realtime worm purging.
When the Transport scanner determines that a message is infected with a worm, it purges the message by deleting it entirely. Purging is handled for both inbound and outbound Edge Transport or Hub Transport messages. No message or notification is sent to the intended recipient of the infected message. Messages purged by the Transport scanner are not recoverable.
The Transport scanner can be configured to send notifications to the administrator and the sender by selecting Send Notifications on the File Filtering work pane. It cannot be configured to send notifications to the recipients of purged worm messages, because this would prevent purging worm-generated messages.
Worm viruses (messages and attachments) that are purged by the Transport scanner are not quarantined even if quarantine is enabled. This is to prevent the quarantine database from receiving hundreds or thousands of copies of the same message.
Forefront Security for Exchange Server does not support message purging during a manual scan.
To prevent a new worm threat from spreading before a scanner engine is updated, the attachment names for worm-generated messages can be placed in the file filter list under the File Filtering work pane. This is done by accessing the File Filtering work pane (for more information see File filtering) and adding a new entry to the file names list with Purge: eliminate message as the action.
The file filter is configured to send notifications to the administrator and the sender by default. It cannot be configured to send notifications to the recipients of purged worm messages, because this would prevent purging worm generated messages.
|When you select the Purge: eliminate message option, the entire message is deleted and is not recoverable. It is recommended that you only select this action for the purpose of purging worm messages prior to the release of virus scanner updates.|
Unlike quarantining for non-worm messages, even if you select Quarantine Message, only the attachment that triggered the filter is quarantined; the message body and any other attachments are deleted. This should not present any problems when using filtering for worm messages because the message body has no value and should not contain any other attachments.
The Transport and Realtime scanners can be configured to send distinct notification messages to the Worm Administrator when a message is purged. Additionally, notifications can be sent when a message is purged by the file filter. All notifications can be modified, as needed, in the Notification Setup work pane, described in E-mail notifications.
When you install or upgrade Forefront Security for Exchange Server, the worm purge feature is enabled by default. WormPrge.dat is installed in the Data\Engines\x86\Wormlist\Bin folder, which can be found in the directory where Forefront Security for Exchange Server was installed. To disable the worm purge feature for the Transport Scan Job, you must set up the TransportPurge registry key with a value of 0. To disable the worm purge feature for the Realtime Scan Job, you must set up the RealtimePurge registry key with a value of 0. For more information about these keys, including their location, see Registry keys.
|Each time you alter these registry values, you must recycle the Exchange IMC service for the change to take effect for the Transport Scan Job and recycle the Exchange Information Store for the change to take effect for the Realtime Scan Job.|
As new worm threats are identified, the worm identification list is updated by Microsoft and the new update becomes available for download by the same process that is used for updating virus scan engines. Updates can be performed manually or by schedule. After a successful update, the Data\Engines\x86\Wormlist\Bin folder will contain the newest version of the WormPrge.dat file and a LastKnownGood folder will contain the previous WormPrge.dat file. For more information about performing updates, see File scanner updating.
Administrators can create a custom worm purge list (CustPrge.dat) either to specify additional virus names not already included in the Wormprge.dat file or to create a list to purge all messages that are identified as infected by a virus. Infected messages and files will then be checked against both the worm purge list and the custom purge list.To create a custom worm purge list
Create a new folder named CustomList in the Data\Engines\x86\Wormlist folder, located in the Microsoft Forefront Security\Exchange Server folder.
Create a file named CustPrge.dat in the CustomList folder.
Using a text editor, enter the names of the viruses you would like to have purged into CustPrge.dat. Place only a single virus name on each line, followed by a carriage return. These names can be obtained from antivirus engine update notifications or antivirus engine vendor Web sites. Entries may contain asterisk (*) wildcard characters.
Note: If different antivirus companies refer to the same virus by different names, include each of the names in CustPrge.dat file to be fully protected.
If you would like all virus-infected messages to be purged, enter a single line consisting of just an asterisk (*), followed by a carriage return. This results in all messages identified as infected being purged.
Note: Because this would result in all infected messages being purged and unrecoverable, it is not recommended that you use this procedure. Instead, use the Delete or Clean options for non-worm viruses, because these options enable infected messages and files to be quarantined.
Recycle the Microsoft Exchange Transport service.