Configuring the action when malware is detected


Applies to: Forefront Protection 2010 for SharePoint

Topic Last Modified: 2010-02-08

You must indicate the action that Microsoft Forefront Protection 2010 for SharePoint (FPSP) should take when malware is detected. The action setting is not global: you must set it for each scan job type (realtime, scheduled, and on-demand) that you configure. For the realtime scan, you can also configure different actions for virus and spyware detections (the scheduled and on-demand scans do not support spyware scanning). If a file is detected as containing both a virus and spyware, the virus action setting takes precedence.

The available action options are listed and described in the following table. Click Save after making any changes to your action settings.


Action Description

Skip detect

Makes no attempt to clean, delete, or suspend. Malware is reported, but the files remain infected. If, however, Delete corrupted compressed files, Delete corrupted UUEncoded files, or Delete encrypted compressed files was selected in Global Settings - Advanced Options, a match to any of those conditions causes the item to be deleted. This is the default action for all filters and for viruses found by the on-demand scan.


Attempts to clean the malware. If successful, the infected file is replaced with the clean version (even if part of a container file). If cleaning is not possible, the file is replaced with deletion text. This is the default setting for viruses found by the realtime and scheduled scans.


Deletes the file without attempting to clean it. Deletion text is inserted in its place. Due to SharePoint restrictions, if a file that has been checked in to a SharePoint document library is deleted, the file icon and extension remain the same, even though the contents have been replaced with deletion text.

You can specify the extension type used for all deleted files (for example, .abc), making it easy to instantly identify them. For more information, see the next section in this topic.


Prevents an infected file from being uploaded or downloaded. The user receives a SharePoint message that the file was infected and cannot be uploaded or downloaded. This choice is for the realtime scan only. It is the default setting for spyware found by the realtime scan.

You can specify the extension type used for all deleted files (for example, abc), making it easy to instantly identify them.


To configure the extension type for all deleted attachments

  1. In the Forefront Protection 2010 for SharePoint Administrator Console, click Policy Management, and in Global Settings, click Advanced Options.

  2. In the Global Settings - Advanced Options pane, in the Scan options section, specify a value in the Use this extension when replacing a deleted file with the deletion text field. The default value is txt.

    If you want to disable this feature (causing the original extension to be retained), replace txt with an empty string.

    If you want to specify a different extension, replace txt with some other string, which must be between one and three characters.

  3. Click Save.

