Chapter 16 - Purging messages infected by worms


Applies to: Microsoft Antigen

Topic Last Modified: 2008-10-29

Antigen for Exchange enables administrators to configure the Internet Scan Job, the Realtime Scan Job, and the MTA Scan Job to purge messages infected by worms. Worm purging is a powerful feature for containing attacks before they harm your network. Antigen identifies worm messages by using a regularly updated worm list titled WormPrge.dat, which is maintained by Microsoft and updated like the antivirus scan engines. The WormPrge.dat file typically contains the names of worms that are reported by the current third-party scan engines. (Note that each scan engine may report the worm name differently.)

The definitions in the worm list differ from the definitions that are used by the antivirus scan engines. The worm list includes generic worm name entries. These entries may help provide more protection against future worms that are part of a worm family that has already been detected. For example, if a new worm that is named "Win32/abcdef.A@mm" is detected, Antigen updates the worm list to include a generic entry such as "*abcdef*". This entry covers any new variant of the same virus, such as Win32/abcdef.M@mm. Because the worm list contains generic worm name entries, the worm list does not have to be updated as frequently as the antivirus scan engines are updated.

Realtime purging is supported for Exchange 2003/VSAPI 2.5 servers.

The registry key RealtimePurge is used by the Realtime Scan Job to determine whether or not worm purging is enabled. The Microsoft registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\VirusScan\EnableScanDeletion determines whether VSAPI message purging is enabled.

If the EnableScanDeletion key is set (with a value of 1), when the Realtime Scan Job finds a message body or an attachment that should be purged, the Microsoft® Exchange Server will be directed to delete the entire message.

Antigen for Exchange is not given access to the entire message before it is purged. Antigen for Exchange does not support quarantine for Realtime worm purging.

Realtime purging is not enabled on Exchange 2000 Servers. Infected attachments on Exchange 2000 will be deleted, but the message will be delivered.

When the Internet scanner determines that a message is infected with a worm, it purges the message by deleting it entirely. Purging is handled for both inbound and outbound messages. No message or notification is sent to the intended recipient of the infected message. Messages purged by the Internet scanner are not recoverable.

The Internet scanner can be configured to send notifications to the administrator and the sender by selecting the Send Notifications check box on the File Filtering work pane. It cannot be configured to send notifications to the recipients of purged worm messages, because this would defeat the purpose of purging worm-generated messages.

Worm viruses (messages and attachments) that are purged by the Internet scanner are not quarantined even if quarantine is enabled. This is to prevent the quarantine database from receiving hundreds or thousands of copies of the same message.

Purging by the MTA scanner works in the same manner as the Internet scanner.

Antigen does not support message purging during a Manual Scan.

To prevent a new worm threat from spreading before a scanner engine is updated, the attachment names for worm-generated messages can be placed in the file filter list under the File Filtering work pane. This is done by accessing the File Filtering work pane and adding a new entry to the file names list with Purge: eliminate message as the action.

The file filter is configured to send notifications to the administrator and the sender by default. It cannot be configured to send notifications to the recipients of purged worm messages, because notifying recipients would defeat the purpose of purging worm-generated messages.

When you select the Purge: eliminate message option, the entire message will be deleted and will not be recoverable. It is recommended that you select this action only for the purpose of purging worm messages prior to the release of virus scanner updates.

Unlike quarantining for non-worm messages, selecting Quarantine Message for a file filter quarantines only the attachment that triggered the filter; the message body and any other attachments are deleted. This should not present any problems when using filtering for worm messages, because the message body has no value and should not contain any other attachments.

The Internet, Realtime, and MTA scanners can be configured to send distinct notification messages to the Worm Administrator when a message is purged. Additionally, notifications can be sent when a message is purged by the file filter. All notifications can be modified as needed in the Notification Setup work pane, described in Chapter 18 - Using e-mail notifications.

When you install or upgrade Antigen, the worm purge feature is enabled by default. WormPrge.dat is installed in the Antigen\Bin folder, which can be found in the directory where Antigen was installed. To disable the worm purge feature for the Internet Scan Job, you must set up the InternetPurge registry key with a value of 0. To disable the worm purge feature for the Realtime Scan Job, you must set up the RealtimePurge registry key with a value of 0. For more information about these keys, including their location, see Appendix B - Setting registry values.

Each time you change these registry values, you must recycle the Exchange IMC Service for the change to take effect for the Internet Scan Job and recycle the Exchange Information Store for the change to take effect for the Realtime Scan Job.

As new worm threats are identified, the worm identification list is updated by Microsoft and the new update becomes available for download by the same process that is used for updating virus scan engines. Updates can be performed manually or by schedule. After a successful update, the Wormlist\Bin folder contains the newest version of the WormPrge.dat file and a LastKnownGood folder contains the previous WormPrge.dat file. For more information about performing updates, see Chapter 20 - File scanner updating overview.

Administrators can create a custom worm purge list (CustPrge.dat) either to specify additional virus names not already included in the Wormprge.dat file or to create a list that will purge all messages that are identified as infected by a virus. Infected messages and files will then be checked against both the worm purge list and the custom purge list.

To create a custom worm purge list

  1. Create a new folder named CustomList in the following folder:

     Microsoft Antigen for Exchange\Engines\x86\Antigen

  2. Create a text file named CustPrge.dat in the CustomList folder.

  3. Using a text editor, enter the names of the viruses that you would like purged into CustPrge.dat. Enter only a single virus name on each line, followed by a carriage return. These names can be obtained from antivirus engine update notifications or antivirus engine vendor Web sites. Entries may contain asterisk (*) wildcard characters.

     If different antivirus companies refer to the same virus by different names, you should include each of the names in CustPrge.dat to be fully protected.

  4. If you would like all virus-infected messages to be purged, enter a single line consisting of just an asterisk (*), followed by a carriage return. This will result in all messages identified as infected being purged.

     Because this would result in all infected messages being purged and unrecoverable, it is not recommended that you use this procedure. Instead, use the Delete or Clean options for non-worm viruses, because these options allow infected messages and files to be quarantined.

  5. Recycle the Exchange IMC/SMTP services.
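The following added example (not Antigen's own code) models how a scan-engine-reported virus name is checked against the worm purge list and a custom purge list in the format described above: one name per line, asterisk wildcards, and a lone asterisk as a catch-all. The list contents are constructed samples, and the matching rules (case-insensitive, whole-name, "*" matching any run of characters) are assumptions about how Antigen interprets an entry.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in WormPrge.dat format; not the real Microsoft list.
# The generic entry "*abcdef*" covers every variant of the abcdef family.
WORMPRGE_DAT = """\
*abcdef*
Win32/Netsky.P@mm
"""

# Constructed sample CustPrge.dat, as an administrator might write it.
CUSTPRGE_DAT = """\
W32/Example.Worm.*
"""

def parse_purge_list(text: str) -> List[str]:
    """Return the non-empty entries of a purge list, one per line."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def entry_to_regex(entry: str) -> re.Pattern:
    """Compile a purge-list entry into a regex.

    Assumed semantics: '*' matches any run of characters, every other
    character is literal, the match is case-insensitive and must cover
    the whole reported name.
    """
    pattern = ".*".join(re.escape(part) for part in entry.split("*"))
    return re.compile(f"^{pattern}$", re.IGNORECASE)

def matching_entry(virus_name: str, entries: List[str]) -> Optional[str]:
    """Return the first entry that covers virus_name, or None."""
    for entry in entries:
        if entry_to_regex(entry).match(virus_name):
            return entry
    return None

def should_purge(virus_name: str) -> Tuple[bool, Optional[str]]:
    """Check a reported name against both lists, worm list first."""
    for list_text in (WORMPRGE_DAT, CUSTPRGE_DAT):
        hit = matching_entry(virus_name, parse_purge_list(list_text))
        if hit is not None:
            return True, hit
    return False, None

if __name__ == "__main__":
    for name in ("Win32/abcdef.M@mm", "W32/Example.Worm.gen", "Win32/Harmless.A"):
        purged, rule = should_purge(name)
        print(f"{name}: {'purge' if purged else 'keep'} (entry: {rule})")
```

A lone "*" entry compiles to a pattern that matches every reported name, which is why step 4 results in all infected messages being purged.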
