Manual Scan Job

 

Applies to: Forefront Security for Exchange Server

Forefront Security for Exchange Server enables you to customize the Manual Scan Job to scan mailboxes that are not covered by the Realtime Scan Job or that contain messages that predate the installation of Forefront Security for Exchange Server. The Manual Scan Job is also useful for scanning with a third-party engine that is different from those being used by the Realtime Scan Job. It is recommended that you run a full manual scan after installing Forefront Security for Exchange Server for the first time.

Note

The Manual Scan Job can be configured to scan message bodies as well as attachments. This feature is disabled by default upon installation, but can be enabled by selecting Body Scanning - Manual in the General Options work pane. Message body scanning increases the time required to perform a manual scan of a server.

Configuring the Manual Scan Job

When you configure the Manual Scan Job settings, select the mailboxes and public folders to be protected, and optionally specify Deletion Text.

To select the mailboxes and set the deletion text

  1. In the SETTINGS section of the Shuttle Navigator, select Scan Job. The Scan Job Settings work pane appears.

  2. In the top portion of the Scan Job Settings work pane (which contains a list of configurable scan jobs), select the Manual Scan Job.

  3. In the Scan portion of the work pane, select the mailboxes and public folders to be protected. For more information, see About mailboxes and public folders.

  4. Optionally, you can specify Deletion Text, which is used to replace the contents of an infected file during a delete operation. The default deletion text informs you that an infected file was removed, along with the name of the file and the name of the virus found. To create your own custom message, click Deletion Text.

    Note

    FSE provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. For more information about this feature, see Keyword substitution macros.

  5. Click Save to save your scan job configuration.

Configuring antivirus settings

There are various settings that you can adjust for the Manual Scan Job. These include file scanner selection, bias, action, notifications, and quarantining.

To configure antivirus settings

  1. In the SETTINGS section of the Shuttle Navigator, click the Antivirus icon. The Antivirus Settings work pane appears.

  2. From the list in the top pane, select the Manual Scan Job. The current settings are displayed in the bottom half of the work pane.

  3. From the list of available third-party scanners in the File Scanners section, choose the file scanning engines to use. To disable virus scanning while retaining the ability to run File Filtering and Content Filtering, clear the Virus Scanning check box in the Run Job work pane of the OPERATE section of the Shuttle Navigator for the Manual Scan Job.

  4. In the Bias field, select the bias to control how many engines should be used to provide you with an acceptable probability that your system is protected. For more information see Multiple scan engines.

  5. In the Action field, choose the action that you want Forefront Security for Exchange Server to perform when a virus is detected. The action choices are:

    Skip: detect only

    Make no attempt to clean or delete. Viruses are reported, but the files remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.

    Clean: repair attachment

    Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the Deletion Text.

    Delete: remove infection

    Delete the attachment without attempting to clean it. The detected attachment is removed from the message and the Deletion Text is inserted in its place.

  6. Enable e-mail notifications by selecting Send Notifications. This setting does not affect reporting to the Incidents log. In addition, you must also configure the notifications (see E-mail notifications). Notifications are disabled by default.

  7. Enable or disable the saving of attachments detected by the file scanning engine by selecting or clearing Quarantine files. Quarantining is enabled by default. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.

  8. Click Save to save your antivirus settings.

Editing the Manual Scan Job

Select the Manual Scan Job in the Scan Job Settings work pane. The changes that are made to the lower portion of the Scan Job Settings work pane apply to the scan job currently selected in the job list. Making any change to the configuration activates the Save and Cancel buttons.

If you make a change to a scan job and try moving to another scan job or shuttle icon without saving it, you are prompted to save your changes.

Running the Manual Scan Job

After the scan job and antivirus settings have been properly configured, you can run the Manual Scan Job.

To run the Manual Scan Job

  1. Click OPERATE in the Shuttle Navigator, and then click the Run Job icon. The Run Job work pane appears.

  2. In the top portion of the pane, select the Manual Scan Job.

  3. Specify the scope of the Manual Scan Job by selecting or clearing the following options: Virus Scanning, File Filtering, or Content Filtering; the Manual Scan Job can perform any combination. Any change to these settings takes effect immediately, even if the job is currently running.

  4. To send a notification to the Virus Administrator when the scan job has completed, select Send Summary Notification.

  5. Click Start to begin the Manual Scan Job. There are also buttons to Pause and Stop the job.

Checking results and status

The lower portion of the Run Job work pane shows the infections or filtered results found by the Manual Scan Job. These results are stored to disk in the virus log file by the FSCController and are not dependent on the Forefront Server Security Administrator remaining open. The virus log file can be cleared when no longer needed by using the Clear Log button. This does not affect the Incidents log.

A subset of the results can also be deleted by highlighting entries in the Folder column (use the mouse or SPACEBAR in combination with the SHIFT or CTRL key). When the desired subset is selected, pressing the DELETE key will remove the subset from the virus log file.

Note

If a large number of entries is selected, the deletion process may potentially take a long time. In this case, a message box appears to ask you to confirm the deletion.

Use the Export button to save the results in formatted text or delimited text formats.

At the bottom of the screen, the status of the selected job and the mailbox, folder, or file currently being scanned are reported.

Forefront Security for Exchange Server sends an e-mail message to the designated Virus Administrators after the completion of a manual scan if the Send Summary Notification box on the Manual Scan work pane is selected. This e-mail message includes:

  • Total Mailboxes Scanned

  • Total Physical Attachments Scanned

  • Total Physical Attachments Detected

  • Total Physical Attachments Cleaned

  • Total Physical Attachments Deleted

  • Total Logical Attachments Scanned

  • Total Logical Attachments Detected

  • Total Logical Attachments Cleaned

  • Total Logical Attachments Deleted

Scheduling the Manual Scan Job

To schedule the Manual Scan Job, click OPERATE in the Shuttle Navigator, and then click the Schedule Job icon. The Schedule Job work pane appears.

The top portion of the Schedule Job work pane shows the Manual Scan Job and indicates whether it is enabled or disabled.

Select the Manual Scan Job on the top. The bottom of the pane shows the scheduling information for the job.

To schedule the Manual Scan Job

  1. Use the calendar in the Date section to set the date when the Manual Scan Job will activate. The red circle indicates today's date. The date you set is highlighted in blue.

  2. Set the run time using the Time edit field to the right of the calendar.

  3. Indicate the Frequency of the scheduled job: run it Daily, Weekly, Monthly, or only Once.

  4. If the job is disabled, click Enable to enable it.

  5. Click Save.

Performing a Quick Scan

There are times when you may want to perform a scan of a single mailbox or another one-time virus scanning job. Quick Scan enables you to perform this task efficiently by combining both the configuration and operation features of a single Manual Scan Job in one work pane.

Quick Scan initially has the following default configuration: all mailboxes and public folders, the scan engines selected during installation, a bias of Favor Certainty, an action of Skip: detect only, notifications disabled, and quarantining enabled. You can make changes to any of these settings and FSE will preserve them for the next time you run a Quick Scan.

To perform a Quick Scan

  1. Click OPERATE in the Shuttle Navigator, and then click the Quick Scan icon. The Quick Scan work pane appears. Your last Quick Scan configuration is displayed.

  2. To run the Quick Scan with the same configuration, click Start. Otherwise, make changes as necessary.

    1. Select the mailboxes and public folders to be scanned. For more information about the choices, see About mailboxes and public folders.

    2. Select the File Scanners to use from the list of available third-party scanners.

    3. Select the Bias to control how many engines should be used to provide you with an acceptable probability that your system is protected. For more information, see Multiple Scan Engines.

    4. Select the Action for FSE to perform if a virus is detected. The choices are:

      Skip: detect only

      Make no attempt to clean or delete. Viruses are reported, but the files remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.

      Clean: repair attachment

      Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the Deletion Text.

      Delete: remove infection

      Delete the attachment without attempting to clean it. The detected attachment is removed from the message and the Deletion Text is inserted in its place.

    5. Indicate whether to Send Notifications. The setting does not affect reporting to the Incidents log. In addition, you must also configure the notifications (see E-mail notifications). Notifications are disabled by default.

    6. Indicate whether to Quarantine Files. Quarantining, enabled by default, causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.

    7. Click Start.

Checking results and status

At the bottom of the screen, the status of the Quick Scan and the mailbox, folder, or file currently being scanned are reported.

About mailboxes and public folders

Forefront Security for Exchange Server offers flexibility in choosing what mailboxes, public folders, and items to scan in any specified scan job. You can configure scan jobs to include all existing and new mailboxes and public folders, or you can build an inclusion list from available mailboxes and public folders.

Note

Mailboxes and public folders with names that are made up entirely of backslashes (\) will not be scanned if Forefront Security for Exchange Server is configured for Selected scanning. If FSE is set to scan all mailboxes or public folders, those that use backslashes or other special characters will be scanned.

In the Scan portion of the Scan Job Settings work pane, mailboxes and public folders each have three selection options:

All

Scan all existing and newly-created mailboxes or public folders.

None

Do not scan any mailboxes or public folders.

Selected

Scan specific mailboxes or public folders. When you choose Selected, the icon underneath the options becomes active. Click this icon to see a listing of mailboxes or public folders on the server.

You can choose each mailbox or public folder to be scanned by clicking its name. You can use the accompanying buttons to select All or None of the mailboxes or public folders. The +/- button inverts the current selection.

Note

Choosing all mailboxes or public folders in the selection pane is not the same as choosing the All option in the previous pane. An inclusion list is built from the selections made here. New mailboxes or public folders that are added after making this selection will not automatically be included.

To return to the main scan selection pane, click the arrow in the upper right corner of the mailbox or public folder selection pane.

Scanning files by type

By default, Forefront Security for Exchange Server is configured to scan all attachments for viruses. To perform scans as quickly and efficiently as possible, however, Forefront Security for Exchange Server can be configured to only scan file attachments that are more likely to contain viruses. It does this by first determining the file type and then by determining whether that file type can be infected with a virus. Determining the file type is accomplished by looking at the file header and not by looking at the file extension. This is a much more secure method because file extensions can be easily spoofed. This check increases Forefront Security for Exchange Server performance while making sure that no potentially infected file attachments pass without being scanned. If you would like Forefront Security for Exchange Server to bypass scanning for file types that are not commonly known to be capable of carrying a virus, set the registry key ScanAllAttachments to 0. (ScanAllAttachments is a "silent" key, that is, if it is not present, its value defaults to 1.)
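
The header-based typing described above, as an added example (not Forefront's code and not part of the original page). The signature table, the low-risk set, the extension map, and the function names are illustrative assumptions; the `scan_all_attachments` parameter mirrors the ScanAllAttachments values 1 and 0 described in the text.

```python
import os

# Illustrative magic-byte table (assumption, not the product's list).
SIGNATURES = [
    (b"MZ", "pe-executable"),
    (b"PK\x03\x04", "zip-container"),                        # ZIP, OOXML, JAR
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-document"),  # legacy Office
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]
# Assumed for illustration: types treated as not able to carry a virus.
LOW_RISK = {"png", "jpeg", "gif"}
# Extensions normally seen with each detected type (used only for reporting).
EXTENSIONS = {
    "pe-executable": {"exe", "dll", "scr", "com", "sys"},
    "zip-container": {"zip", "docx", "xlsx", "pptx", "jar"},
    "ole2-document": {"doc", "xls", "ppt", "msi"},
    "pdf": {"pdf"}, "png": {"png"}, "jpeg": {"jpg", "jpeg"}, "gif": {"gif"},
}

def detect_type(data: bytes) -> str:
    """Classify an attachment from its leading bytes, never from its name."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"

def should_scan(filename: str, data: bytes, scan_all_attachments: int = 1):
    """Return (scan, detected_type, extension_mismatch).

    The default of 1 mirrors the page: an absent key means scan everything.
    """
    detected = detect_type(data)
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    mismatch = detected != "unknown" and ext not in EXTENSIONS[detected]
    if scan_all_attachments == 1:
        return True, detected, mismatch
    # Only a positively identified low-risk header skips the scan;
    # unknown content is always scanned.
    return detected not in LOW_RISK, detected, mismatch

if __name__ == "__main__":
    # Constructed sample attachments (name, leading bytes).
    samples = [("invoice.jpg", b"MZ\x90\x00\x03"),
               ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
               ("notes.txt", b"plain text")]
    for name, head in samples:
        print(name, should_scan(name, head, scan_all_attachments=0))
```

The executable renamed to `invoice.jpg` is still scanned with the setting at 0, because the decision comes from the `MZ` header and the extension is used only to report the mismatch.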