Purging worm-infected messages
Applies to: Forefront Protection for Exchange
Topic Last Modified: 2010-09-22
Forefront Protection 2010 for Exchange Server (FPE) enables you to configure the transport, real time, and scheduled scan jobs to purge messages infected by worms. A worm is a sub-class of malware that spreads from computer to computer. Unlike a virus, it does not need a host program and can self-replicate across computers. Worm purging is a powerful feature for containing attacks before they harm your network. (FPE does not support worm message-purging for the on-demand scan job.)
FPE identifies worm-infected messages by using a regularly updated worm list called WormPrge.dat, which is maintained by Microsoft and updated in the same way as the antimalware scan engines. The WormPrge.dat file typically contains the names of worms that are reported by the current scan engines. (Note that each scan engine may report the worm name differently.)
As new worm threats are identified, Microsoft updates the worm list, and the new update becomes available for download. You can schedule updates or perform them manually. For more information about performing updates, see Configuring engine and definition updates.
|The definitions in the worm list differ from the definitions that are used by the antimalware scan engines. The worm list includes generic worm name entries. These entries may help provide more protection against future worms that are part of a worm family that has already been detected. For example, if a new worm that is named "Win32/abcdef.A@mm" is detected, FPE updates the worm list to include a generic entry such as "*abcdef*". This entry covers any new variant of the same worm, such as Win32/abcdef.M@mm. Because the worm list contains generic worm name entries, it does not need to be updated as frequently as the antimalware scan engines.|
Worm purging is enabled by default. You can disable worm purging for specific scan jobs by using the -EnableWormPurge parameter of the Set-FseTransportScan, Set-FseRealtimeScan, and Set-FseScheduledScan cmdlets. When worm purging is enabled (-EnableWormPurge is $true) and a worm is detected, FPE looks up the name reported by the scan engine in the worm list. If the name is found in the worm list, the item is purged; otherwise, the configured virus action is taken. When worm purging is disabled (-EnableWormPurge is $false), the configured virus action is taken regardless of whether the name appears in the worm list.
|Worms (messages and attachments) that are purged by the scan jobs are not quarantined even if quarantine is enabled. This is to prevent the database from receiving many copies of the same message.|
To disable worm purging for a specific scan job
Click Start, point to All Programs, point to Microsoft Forefront Server Protection, and then click Forefront Management Shell.
To disable worm purging for the transport scan job, type the following Windows PowerShell command:
Set-FseTransportScan -EnableWormPurge $false
To disable worm purging for the realtime scan job, type the following Windows PowerShell command:
Set-FseRealtimeScan -EnableWormPurge $false
To disable worm purging for the scheduled scan job, type the following Windows PowerShell command:
Set-FseScheduledScan -EnableWormPurge $false
|To re-enable worm purging for a specific scan job, replace $false with $true in the appropriate command above.|
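The three commands above change one scan job at a time and give no confirmation. The following script, added here as an example and not part of the original page or of the FPE product, applies the same -EnableWormPurge setting to any subset of the transport, realtime and scheduled jobs and reads each job back afterwards so the change is verified rather than assumed. It assumes that the Get-FseTransportScan, Get-FseRealtimeScan and Get-FseScheduledScan cmdlets expose the current setting as a property named EnableWormPurge; confirm that property name in your environment with Get-FseTransportScan | Format-List before relying on the Before/After columns. Run it from the Forefront Management Shell.

```powershell
# Set-WormPurge.ps1 (added example, not from the original page)
# Toggle worm purging for the FPE transport, realtime and scheduled scan jobs
# and read the setting back from each job. Worm purging is enabled by default,
# so the default here (-Enable $false) disables it; pass -Enable $true to re-enable.
#
# Assumption: Get-Fse<Job>Scan returns an object whose EnableWormPurge property
# mirrors the -EnableWormPurge parameter of Set-Fse<Job>Scan. Verify with
# Get-FseTransportScan | Format-List if the Before/After columns come back empty.
param(
    [bool]$Enable = $false,

    # Only the jobs that support worm purging; on-demand is not included.
    [ValidateSet('Transport', 'Realtime', 'Scheduled')]
    [string[]]$Jobs = @('Transport', 'Realtime', 'Scheduled')
)

function Set-WormPurgeForJob {
    param([string]$Job, [bool]$Value)

    $getCmd = "Get-Fse${Job}Scan"
    $setCmd = "Set-Fse${Job}Scan"

    # Read the current value, apply the change, then read it back.
    $before = (& $getCmd).EnableWormPurge
    & $setCmd -EnableWormPurge $Value
    $after = (& $getCmd).EnableWormPurge

    # New-Object PSObject keeps this compatible with the PowerShell 2.0 shell FPE ships with.
    New-Object PSObject -Property @{
        ScanJob   = $Job
        Before    = $before
        After     = $after
        Succeeded = ($after -eq $Value)
    }
}

$results = foreach ($job in $Jobs) { Set-WormPurgeForJob -Job $job -Value $Enable }
$results | Format-Table ScanJob, Before, After, Succeeded -AutoSize

# Non-zero exit if any job did not end up in the requested state.
if ($results | Where-Object { -not $_.Succeeded }) {
    Write-Error "One or more scan jobs did not report EnableWormPurge = $Enable"
    exit 1
}
```

Because the script only touches jobs named in -Jobs, `.\Set-WormPurge.ps1 -Enable $false -Jobs Transport` disables worm purging for transport scanning only and leaves the realtime and scheduled jobs untouched.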
To prevent a new worm threat from spreading before a scan engine is updated, you can add the attachment names for worm-generated messages as entries in a file filter list. Be sure to set the Action for the list to Purge. For more information about file filtering, see Creating a file filter list.
|When you select the Purge action, the entire message is deleted and is not recoverable. It is recommended that you only select this action for the purpose of purging worm messages prior to the release of engine or definition updates.|
File filtering for worm messages also differs from quarantining of non-worm messages: even if you choose to quarantine files, only the attachment that triggered the filter is quarantined; the message body and any other attachments are deleted. This should not present a problem for worm messages, because the message body has no value and should not carry any other attachments.
Administrators can create a custom worm purge list (CustPrge.dat) either to specify additional names not already included in the WormPrge.dat file or to purge all messages that are identified as infected. Infected messages and files are then checked against both the Microsoft worm purge list (WormPrge.dat) and your custom worm purge list (CustPrge.dat).
To create a custom worm purge list
In the \Engines\x86\Wormlist folder, create a new folder named CustomList. For the default location of the Engines folder for your operating system, see Default folders.
In the CustomList folder, create a file named CustPrge.dat.
Using a text editor, enter the names of the viruses you would like to have purged into CustPrge.dat, and then save the file. Place only a single name on each line, followed by a carriage return. These names can be obtained from engine update notifications or engine vendor Web sites. Entries may contain asterisk (*) wildcard characters.
Note: If different engines refer to the same virus by different names, include each of the names in CustPrge.dat file in order to be fully protected.
If you would like all infected messages to be purged, enter a single line consisting of just an asterisk (*), followed by a carriage return. Set the virus Action to Delete for each scan job type (transport, realtime, scheduled) for which you want to purge all viruses.
Restart the Microsoft Exchange Transport and Microsoft Exchange Information Store services.
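The procedure above is easy to get subtly wrong: a stray blank line, a duplicated entry, or a file written without the trailing carriage return. The following script, added here as an example and not part of the original page or of the FPE product, carries out all of the steps from a single list of names: it creates the CustomList folder, writes CustPrge.dat with exactly one entry per line and CRLF line endings, optionally collapses the list to the single "*" entry that purges all infected messages, and restarts the two Exchange services. It assumes the default FPE Engines folder shown in -EnginesPath (adjust it to the location given under Default folders for your operating system), that CustPrge.dat is read as plain ASCII text, and that the Microsoft Exchange Transport and Information Store services carry their standard service names MSExchangeTransport and MSExchangeIS. The sample worm names are the illustrative ones used earlier on this page, not real detections.

```powershell
# New-CustPrgeList.ps1 (added example, not from the original page)
# Build the FPE custom worm purge list (\Engines\x86\Wormlist\CustomList\CustPrge.dat)
# from a list of worm names and restart the Exchange services so FPE reloads it.
#
# Assumptions: -EnginesPath is the FPE Engines folder for this install (see Default
# folders); the file is plain ASCII with CRLF line endings; service names are the
# standard Exchange names MSExchangeTransport and MSExchangeIS.
param(
    [string]$EnginesPath = 'C:\Program Files (x86)\Microsoft Forefront Protection for Exchange Server\Data\Engines',

    # Sample entries only (names from the example on this page, not real detections):
    # one exact engine-reported name and one wildcard covering other variants/engines.
    [string[]]$Names = @('Win32/abcdef.A@mm', '*abcdef*'),

    # Replace the whole list with a single "*" so every infected message is purged.
    [switch]$PurgeAll,

    # Restart MSExchangeTransport and MSExchangeIS after writing the file.
    [switch]$RestartServices
)

function New-CustPrgeFile {
    param([string]$Dir, [string[]]$Entries)

    if (-not (Test-Path -Path $Dir)) {
        New-Item -Path $Dir -ItemType Directory | Out-Null
    }
    $file = Join-Path $Dir 'CustPrge.dat'

    # One name per line: trim, drop blanks, reject anything with embedded line breaks,
    # and de-duplicate. Wildcards (*) are passed through unchanged.
    $clean = $Entries |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and ($_ -notmatch '[\r\n]') } |
        Select-Object -Unique

    if (-not $clean) { throw 'No usable entries; refusing to write an empty CustPrge.dat' }

    # Every line, including the last, ends with CR LF as the procedure requires.
    $content = ($clean -join "`r`n") + "`r`n"
    [System.IO.File]::WriteAllText($file, $content, [System.Text.Encoding]::ASCII)
    return $file
}

if ($PurgeAll) {
    # "*" alone matches every reported name, so any other entry would be redundant.
    # Remember to also set the virus Action to Delete on each scan job you want purged.
    $Names = @('*')
}

$listDir = Join-Path $EnginesPath 'x86\Wormlist\CustomList'
$written = New-CustPrgeFile -Dir $listDir -Entries $Names

Write-Host "Wrote $written with the following entries:"
Get-Content -Path $written | ForEach-Object { Write-Host "  $_" }

if ($RestartServices) {
    # FPE picks up the new list when the services restart.
    Restart-Service -Name MSExchangeTransport -Force
    Restart-Service -Name MSExchangeIS -Force
}
```

Run it without -RestartServices first and inspect the echoed entries; when they are correct, re-run with -RestartServices (this briefly interrupts mail flow and mailbox access, so do it in a maintenance window). If you use -PurgeAll, also set the virus Action to Delete for each scan job as the procedure above describes; the script deliberately does not change scan-job actions.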