Purging IM messages and file transfers infected by worms


Applies to: Forefront Security for Office Communications Server

Microsoft Forefront Security for Office Communications Server (FSOCS) enables you to configure the IM Scan Job in order to purge messages and files infected by worms. Worm purging is a powerful feature for containing attacks before they harm your network. FSOCS identifies worm messages by using a regularly updated worm list called WormPrge.dat, which is maintained by Microsoft and updated like the antivirus scan engines. The WormPrge.dat file typically contains the names of worms that are reported by the current third-party scan engines.

Note

Each scan engine may report the worm name differently.

Note

The definitions in the worm list differ from the definitions that are used by the antivirus scan engines. The worm list includes generic worm name entries. These entries may help provide more protection against future worms that are part of a worm family that has already been detected. For example, if a new worm that is named Win32/abcdef.A@mm is detected, FSOCS updates the worm list to include a generic entry such as abcdef. This entry covers any new variant of the same virus, such as Win32/abcdef.M@mm. Because the worm list contains generic worm name entries, the worm list does not have to be updated as frequently as the antivirus scan engines are.

Purging by the IM Scan Job

When the IM Scan Job determines that a message or file is infected with a worm, it purges the message or file by deleting it entirely. Messages purged by the IM scanner are not recoverable.

The IM Scan Job can be configured to send notifications to the administrator and the sender by selecting the Send Notifications check box in the File Filtering pane. The IM Scan Job cannot be configured to send notifications to the recipients of purged worm messages, because this would prevent purging worm-generated messages.

Worm viruses (messages and attachments) that are purged by the IM scanner are not quarantined even if quarantine is enabled. This is to prevent the quarantine database from receiving hundreds or thousands of copies of the same message.

Using file filtering in order to block new worm viruses

To prevent a new worm threat from spreading before a scanner engine is updated, the file names for worm-generated messages can be placed in the file filter list under the File Filtering pane.

Access the File Filtering pane (for more information, see FSOCS file filtering), and add a new entry to the file names list. Set the Action to Block: prevent transfer.

The file filter is configured to send notifications to the administrator and the sender by default.

Notifications for worm purging

The IM Scan Job can be configured to send notification messages to the Administrator when a message is purged. Additionally, notifications can be sent when a message is purged by the file filter. All notifications can be modified, as needed, in the Notification Setup pane. For more information, see FSOCS event notifications.

Enabling and disabling worm purging

When you install or upgrade FSOCS, the worm purge feature is enabled by default. WormPrge.dat is installed in the following folder, which can be found in the directory where FSOCS was installed:

Data\Engines\x86\Wormlist\Bin

To disable the worm-purge feature for the IM Scan Job, you must set up the IMPurge registry key with a value of 0. For more information about these keys, including their location, see FSOCS registry keys.

Note

Each time you alter these registry values, you must recycle the ForefrontRTCProxy service in order for the change to take effect. If you prefer not to recycle the services, another way for the new setting to take effect is to disable and then enable the scan job by using the FSCStarter. (For more about the FSCStarter, see FSOCS templates.)

Updating the worm-purge list

As new worm threats are identified, the worm identification list is updated by Microsoft, and the new update becomes available for download by the same process that is used for updating virus scan engines. Updates can be scheduled or performed manually. After a successful update, the newest version of the WormPrge.dat file will be contained in the following folder:

Data\Engines\x86\Wormlist\Bin

The previous WormPrge.dat file will be contained in the following folder:

LastKnownGood

For more information about performing updates, see FSOCS file scanner updating.

Creating a custom worm-purge list

Administrators can create a custom worm-purge list (CustPrge.dat) either to specify additional virus names not already included in the WormPrge.dat file or to create a list to purge all messages that are identified as infected by a virus. Infected messages and files are then checked against both the worm-purge list and the custom purge list.

To create a custom worm-purge list

  1. Create a new folder named CustomList within the following folder:
    Microsoft Forefront Security\Office Communications Server\Data\Engines\x86\Wormlist

  2. In the CustomList folder, create a file named CustPrge.dat.

  3. Using a text editor, in CustPrge.dat, enter the names of the viruses you would like to have purged. Place only a single virus name on each line, followed by a carriage return. These names can be obtained from antivirus-engine update notifications or antivirus-engine vendor Web sites. Entries may contain asterisk (*) wildcard characters.

    Note

    If different antivirus companies refer to the same virus by different names, you should include each of the names in the CustPrge.dat file.

  4. If you would like all virus-infected messages to be purged, enter a single line consisting of just an asterisk (*), followed by a carriage return. This results in all messages identified as infected being purged.

    Note

    Because this would result in all infected messages being purged and unrecoverable, it is not recommended that you use this procedure. Instead, use the Delete or Clean options for non-worm viruses, because these options allow infected messages and files to be quarantined.

  5. Recycle the ForefrontRTCProxy service.
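The following Python snippet is an added example, not part of FSOCS or this documentation. It shows how to check, before recycling the service, which engine-reported names a CustPrge.dat file would catch: one name per line, asterisk wildcards, and a lone asterisk meaning "purge everything". The sample file contents are constructed, and the matching rules (case-insensitive comparison, an entry must cover the whole reported name) are assumptions, since the page does not define them.

```python
import re

# Constructed sample of a CustPrge.dat file, one virus name per line with CRLF
# line endings as the procedure above requires. Not a real Microsoft list.
SAMPLE_CUSTPRGE = "Win32/abcdef.A@mm\r\n*abcdef*\r\nW32/Example-*\r\n"


def parse_purge_list(text):
    """Return the non-empty entries of a CustPrge.dat-style file, in file order."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def entry_to_regex(entry):
    """Translate one list entry into an anchored regex.

    Only '*' is treated as a wildcard (any run of characters); every other
    character is matched literally. Case-insensitive matching is an assumption.
    """
    parts = [re.escape(part) for part in entry.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def would_purge(reported_name, entries):
    """Return the first entry that matches the scan engine's reported name, or None.

    Assumption: an entry must cover the whole name, so a plain entry for the
    .A variant does not catch the .M variant; a generic '*family*' entry does.
    """
    for entry in entries:
        if entry_to_regex(entry).match(reported_name):
            return entry
    return None


def purges_everything(entries):
    """True when the list contains a lone '*', i.e. all infected items are purged."""
    return "*" in entries


if __name__ == "__main__":
    entries = parse_purge_list(SAMPLE_CUSTPRGE)
    for name in ["Win32/abcdef.A@mm", "Win32/abcdef.M@mm", "W32/Example-B", "W32/Unrelated.C"]:
        print(f"{name}: purged by {would_purge(name, entries)!r}")
    print("purge-all list:", purges_everything(parse_purge_list("*\r\n")))
```

Running the check against a list before deploying it makes the caveat in step 4 concrete: a lone asterisk matches every name, so `purges_everything` returning True means every infected message would be deleted without being quarantined.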