Reporting and statistics

 

Applies to: Forefront Security for Exchange Server

Forefront Security for Exchange Server provides various mechanisms to help administrators analyze the state and performance statistics of the Forefront Security for Exchange Server services through the Forefront Server Security Administrator.

Incidents database

The Incidents database (Incidents.mdb) contains all virus and filter detections for a Microsoft® Exchange Server, regardless of the scan job that caught the infection or performed the filtering. To view the Incidents database, click REPORT in the Shuttle Navigator, and then click the Incidents icon. The Incidents work pane appears.

This is the information that Forefront Security for Exchange Server reports for each incident:

Time

The date and time of the incident.

State

The action taken by Forefront Security for Exchange Server.

Name

The name of the scan job that reported the incident.

Folder

The name of the folder where the file was found. This column also reports if messages were inbound or outbound when caught by the Transport scanner. Messages that are being relayed by the Edge Transport or Hub Transport server are reported as inbound and outbound to distinguish them from standard inbound and outbound messages.

Message

The subject line of the message or the name of the file that triggered the incident.

File

The name of the virus or name of the file that matched a file or content filter.

Incident

The type and name of the incident detected.

Sender Name

The name of the person who sent the infected or filtered message.

Sender Address

The e-mail address of the person who sent the infected or filtered message.

Recipient Names

The names of the people who received the infected or filtered message.

Recipient Addresses

The e-mail addresses of the people who received the infected or filtered message.

Cc Names

The names of the Cc recipients.

Cc Addresses

The e-mail addresses of the Cc recipients.

Bcc Names

The names of the Bcc recipients.

Bcc Addresses

The e-mail addresses of the Bcc recipients.

Note

Forefront Security for Exchange Server keyword filtering scans both plain text and HTML message body content. If Forefront Security for Exchange Server finds a match in both the HTML and the plain text, it will report two detections in the Incidents database and the Quarantine database.

VirusLog.txt

Incidents can also be written to a text file called VirusLog.txt file, located in the Microsoft Forefront Security for Exchange Server installation path. To enable this feature select Enable Forefront Virus Log in General Options (it is disabled by default).

The following is a sample entry from the VirusLog.txt file:

Thu. Apr 25 14:12:51 2002 (3184), "Information: Realtime scan found virus:
Folder: First Storage Group\Usera\Inbox
Message: Hello
File: Eicar.com
Incident: VIRUS=EICAR-STANDARD_AV_TEST_FILE
State: Cleaned"
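An added parser for entries in this format (example code, not part of the product or this page): it splits VirusLog.txt into entries, parses the timestamp, keeps the Folder/Message/File/Incident/State lines and splits the Incident value at "=". The second entry in the sample is constructed, and the number in parentheses is assumed to be an opaque id.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Header of one VirusLog.txt entry; the quoted text continues over the following
# "Key: Value" lines and ends at the closing double quote. The number in
# parentheses is not explained on the page and is kept as an opaque integer.
HEADER_RE = re.compile(
    r'^(?P<stamp>[A-Z][a-z]{2}\. [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) '
    r'\((?P<num>\d+)\), "(?P<text>.*)$'
)
STAMP_FORMAT = "%a. %b %d %H:%M:%S %Y"


@dataclass
class VirusLogEntry:
    timestamp: datetime
    number: int
    summary: str                                  # "Information: Realtime scan found virus"
    fields: Dict[str, str] = field(default_factory=dict)  # Folder, Message, File, Incident, State

    def incident(self) -> Tuple[Optional[str], Optional[str]]:
        """Split 'Incident' at '=', e.g. ('VIRUS', 'EICAR-STANDARD_AV_TEST_FILE')."""
        kind, sep, name = self.fields.get("Incident", "").partition("=")
        return (kind, name) if sep else (None, None)


def parse_virus_log(text: str) -> List[VirusLogEntry]:
    """Split VirusLog.txt content into entries; blank lines and lines outside
    any entry (e.g. a truncated first record) are skipped."""
    entries: List[VirusLogEntry] = []
    current: Optional[VirusLogEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            quoted = m.group("text")
            closed = quoted.endswith('"')          # whole entry on one line
            if closed:
                quoted = quoted[:-1]
            current = VirusLogEntry(
                timestamp=datetime.strptime(m.group("stamp"), STAMP_FORMAT),
                number=int(m.group("num")),
                summary=quoted.rstrip(":").strip(),
            )
            entries.append(current)
            if closed:
                current = None
            continue
        if current is None:
            continue
        closed = line.endswith('"')
        body = line[:-1] if closed else line
        key, sep, value = body.partition(": ")     # split at the first ': ' only;
        if sep:                                    # a subject may itself contain ': '
            current.fields[key.strip()] = value.strip()
        if closed:
            current = None
    return entries


def count_by_state(entries: List[VirusLogEntry]) -> Dict[str, int]:
    """Tally entries by the action FSE took (the 'State' line)."""
    counts: Dict[str, int] = {}
    for e in entries:
        state = e.fields.get("State", "<unknown>")
        counts[state] = counts.get(state, 0) + 1
    return counts


# Constructed sample: the first entry is the one shown above; the second is
# made up to show a different action on a transport scan (not real log output).
SAMPLE_LOG = r'''
Thu. Apr 25 14:12:51 2002 (3184), "Information: Realtime scan found virus:
Folder: First Storage Group\Usera\Inbox
Message: Hello
File: Eicar.com
Incident: VIRUS=EICAR-STANDARD_AV_TEST_FILE
State: Cleaned"
Thu. Apr 25 14:20:03 2002 (3184), "Information: Transport scan found virus:
Folder: Inbound
Message: Re: quarterly numbers
File: report.exe
Incident: VIRUS=EICAR-STANDARD_AV_TEST_FILE
State: Deleted"
'''
```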

Forefront Security for Exchange Server incidents

The following table describes the various incidents FSE reports. Several of the reported incidents are controlled through settings in General Options.

Reported incident: CorruptedCompressedFile
General Options setting: Delete Corrupted Compressed Files
Description: Forefront has deleted a corrupted compressed file.

Reported incident: CorruptedCompressedUuencodeFile
General Options setting: Delete Corrupted Uuencode Files
Description: Forefront has deleted a corrupted compressed UUENCODE file.

Reported incident: EncryptedCompressedFile
General Options setting: Delete Encrypted Compressed Files
Description: Forefront has deleted an encrypted compressed file.

Reported incident: EngineLoopingError
General Options setting: Not applicable
Description: Forefront has deleted a file causing a scan engine to be caught in a read/write loop while scanning or attempting to clean a file.

Reported incident: ExceedinglyInfected
General Options setting: Maximum Container File Infections
Description: Forefront has deleted a container file because it exceeded the maximum number of infections, as set in Max Container File Infections in General Options.

Reported incident: ExceedinglyNested
General Options setting: Maximum Nested Compressed Files
Description: Forefront has deleted a container file because it exceeded the maximum nested depth, as set in Max Nested Compressed Files in General Options.

Reported incident: ExceedinglyNested
General Options setting: Maximum Nested Attachments
Description: Forefront has deleted a file because it exceeded the maximum nested attachment limit, as set in Max Nested Attachments in General Options. The default is 30 attachments. For more information, see MaxNestedAttachments in Registry keys.

Reported incident: FragmentedMessage
General Options setting: Not applicable
Description: A fragmented SMTP message has been replaced with the fragmented message deletion text.

Reported incident: LargeInfectedContainerFile
General Options setting: Maximum Container File Size
Description: Forefront has deleted a file because it exceeded the maximum container size that it will attempt to clean or repair. The default is 26 MB, but you may change the value with the Max Container File Size option in General Options.

Reported incident: ScanTimeExceeded
General Options setting: Max Container Scan Time (msec) - Realtime/Transport, or Max Container Scan Time (msec) - Manual
Description: Forefront has deleted a container file because it exceeded the maximum scan time. The default values, in milliseconds (msec), are 120000 msec (2 minutes) for Realtime/Transport scans and 600000 msec (10 minutes) for Manual scans.

Reported incident: UnReadableCompressedFile
General Options setting: Not applicable
Description: Forefront has deleted a compressed file that it could not read.

Reported incident: UnWritableCompressedFile
General Options setting: Not applicable
Description: Forefront has deleted a compressed file to which it cannot write (for example, during a cleaning operation).

Statistics

Forefront Security for Exchange Server tracks statistics for both messages and attachments for each scan job.

Message statistics

Several kinds of statistics are maintained for messages.

  • Messages Scanned. The number of messages scanned by Forefront Security for Exchange Server since the last restart of the services.

  • Messages Detected. The number of messages scanned that contained a virus or matched a file or content filter since the last restart of the services.

  • Messages Tagged. The number of messages tagged by Forefront Security for Exchange Server due to a filter match since the last restart of the services.

  • Messages Purged. The number of messages purged by Forefront Security for Exchange Server due to a virus detection or filter match since the last restart of the services. (Action set to Purge – Eliminate Message or a worm purge match.)

  • Total Messages Scanned. The number of messages scanned by Forefront Security for Exchange Server since the product was installed.

  • Total Messages Detected. The number of messages scanned that contained a virus or matched a file or content filter since the product was installed.

  • Total Messages Tagged. The number of messages tagged by Forefront Security for Exchange Server due to a filter match since the product was installed.

  • Total Messages Purged. The number of messages purged by Forefront Security for Exchange Server due to a virus detection or filter match since the product was installed.

Attachment statistics

Several kinds of statistics are maintained for message attachments.

  • Attachments Scanned. The number of attachments scanned by Forefront Security for Exchange Server since the last restart of the services.

  • Attachments Detected. The number of attachments scanned that contained a virus or matched a file or content filter since the last restart of the services.

  • Attachments Cleaned. The number of attachments that were cleaned by Forefront Security for Exchange Server due to a virus infection or filter match since the last restart of the services.

  • Attachments Removed. The number of attachments that were removed by Forefront Security for Exchange Server due to a virus infection or filter match since the last restart of the services.

  • Total Attachments Scanned. The number of attachments scanned by Forefront Security for Exchange Server since the product was installed or the Statistics pane was last reset.

  • Total Attachments Detected. The number of attachments scanned that contained a virus or matched a file or content filter since the product was installed or the Statistics pane was last reset.

  • Total Attachments Cleaned. The number of attachments that were cleaned by Forefront Security for Exchange Server due to a virus infection or filter match since the product was installed or the Statistics pane was last reset.

  • Total Attachments Removed. The number of attachments that were removed by Forefront Security for Exchange Server due to a virus infection or filter match since the product was installed or the Statistics pane was last reset.

FSE scans the message body and the attachments but reports all scanned message parts as attachments. A single message with one attachment, therefore, is reported as two attachments in the Statistics pane.

Managing statistics

To reset all statistics for a scan job, click the x next to the scan job's name in the Statistics section of the Incidents work pane.

To save the report and the statistics in either formatted text or delimited text formats, click the Export button (on the Incidents work pane).

Quarantine

Forefront Security for Exchange Server, by default, creates a copy of every detected file in its original form (that is, before a Clean, Delete, or Skip action occurs). These files are stored in an encoded format in the Quarantine folder under the Forefront Security for Exchange Server DatabasePath folder (which defaults to the installation folder). The actual file name of the detected attachment, the name of the infecting virus or the file filter name, and the message envelope information, along with other bookkeeping information, are saved in the file Quarantine.mdb in the Quarantine folder. The Quarantine database is configured as a system data source name (DSN) with the name Forefront Quarantine. This database can be viewed and manipulated using third-party tools.

Quarantine options

Forefront Security for Exchange Server performs two different quarantine operations: quarantine of entire messages or quarantine of attachments only. Entire messages are quarantined only for content filters and file filters that are set to Purge when quarantine is enabled.

When the General Options setting Quarantine Messages is set to Quarantine as Single EML File (only applies to the Transport Scan Job), messages are quarantined in an EML file format. If you want to view the attachments that are contained inside the EML file, you must save the file from the Quarantine database and use Outlook Express to view the contents of the file. If Outlook Express is not installed on the computer, the message's attachments cannot be separated from the EML file easily for viewing.

If you do not have Outlook Express installed on the server on which you are quarantining messages, you can choose to have messages quarantined in pieces by setting Quarantine Messages to Quarantine Message Body and Attachments Separately. Forefront Security for Exchange Server will then quarantine messages as separate pieces (bodies or attachments) so they can be viewed more easily after they are saved to disk from the Quarantine database.

Messages that have been quarantined can also be forwarded to a mailbox. When the Quarantine Messages option is set to Quarantine Message Body and Attachments Separately, you must forward each piece of the message that was quarantined if you want the recipient to see the entire contents of the original message. If the Quarantine Messages option is set to Quarantine as Single EML File, only the quarantined EML file needs to be forwarded, and the recipient will receive the original message and any attachments as a single attachment to a new message.

An administrator can access the Quarantine pane to delete or extract stored detected file attachments. To view the Quarantine log, click REPORT in the Shuttle Navigator, and then click the Quarantine icon. The Quarantine work pane appears.

The quarantine list reports the date the file was quarantined, the name of the file, the type of incident that triggered the quarantine (such as virus or filter match), the name of the infecting virus or the filter name, the subject field of the message, the sender name, the sender address, the recipient names, and the recipient addresses.

Saving quarantine database items to disk

Use the Save As button on the Quarantine work pane to detach and decode a selected file to disk. You can select multiple items from the quarantine list. Each is saved as a separate file.

Delivering quarantined messages

The Deliver button on the Quarantine work pane enables administrators to deliver quarantined messages to the intended recipients or any other designated recipients. When the Deliver button is clicked, the Confirm Delivery dialog box appears. It enables the administrator to indicate the recipients and the delivery action for the message being delivered.

If a single file is selected for delivery, the original recipients populate the To:, Cc:, and Bcc: fields. If multiple files are selected, the recipients fields are initially empty.

There are three choices in the Delivery Action section:

  • Original Recipients—The recipients fields are disabled. Click OK to deliver the selected files to their original recipients.

  • Above Recipients—The recipients fields are enabled and can be changed by the administrator. Click OK to deliver the selected files to the named recipients.

  • Original and Above Recipients—The recipients fields are enabled and the administrator can change them. Click OK to deliver the selected files to both the original recipients and any additional ones entered.

When quarantined messages are delivered to the user's mailbox, the original message is included as an attachment. When the user opens the attachment, the original message launches within Outlook as a separate message.

Note

On an Edge Server, since Forefront has no access to the Active Directory, you must enter a full e-mail address with a fully qualified domain name, even if delivery is to an addressee inside your Exchange organization. Failure to enter a fully qualified domain name results in the inability of Forefront to deliver mail from quarantine.

DeliverLog.txt

When a message file is delivered from the Quarantine database, a text file named DeliverLog.txt is created and saved in the folder where Forefront Security for Exchange Server is installed. This file provides a log of messages and attachments that have been delivered from quarantine.

Forwarding attachments

Attachments that were quarantined by the virus scanner or the file filter can be forwarded.

Forwarding attachments quarantined by the virus scanner

Attachments that were quarantined by the virus scanner cannot be forwarded unless the scan jobs are disabled. Any forwarded attachment that contains a virus is redetected and treated appropriately.

Forwarding attachments quarantined by the file filter

Attachments that were quarantined by the file filter are scanned for filter matches unless the General Option setting Deliver from Quarantine Security is set to Compatibility Mode. This enables messages to be forwarded without being redetected by any of the scan jobs. If you want to run a manual scan and have forwarded attachments redetected, you must create the ManuallyScanForwardedAttachments registry value and set it to 1. If the value is not present, it assumes the default value of 0.

To enable attachments to be delivered without being redetected, Forefront Security for Exchange Server adds a special tag to the subject line of the message. You may customize this tag by changing the entry in the registry key value ForwardedAttachmentSubject. This value enables administrators to specify the tag text to use in the subject line. The subject line tag text can be changed to a unique string for the organization or changed into a local language.

Note

If the General Option Deliver from Quarantine Security is set to Compatibility Mode and the subject line tag text is changed, filters are applied to messages already in the organization that were tagged with old tag text in the subject line if they are re-scanned.

Forwarding attachments and manual scans

By default, a manual scan does not perform file filtering on messages that were forwarded from quarantine. If the ForwardedAttachmentSubject registry key is changed, a manual scan performs file filtering on messages already in the organization with the subject line that was in this registry key before the change.

The ExtractFiles tool

Forefront Security for Exchange Server includes a console tool, ExtractFiles, that enables you to extract all, or a subset, of the quarantined files to a specified directory.

This is the syntax of ExtractFiles:

extractfiles <path> <type>

Path: The absolute path of the folder in which to save the extracted quarantined files.

Type: The type of quarantined files to extract. This can be the specific name of a virus, a specific extension, or all quarantined files. For example:

Jerusalem.Standard   Extracts files that were infected with the virus named Jerusalem.Standard.

*.doc   Extracts quarantined files having a .doc extension.

*.*   Extracts all quarantined files.

Examples:

extractfiles C:\temp\quarantine Jerusalem.Standard

extractfiles C:\extract\ *.doc

Using the ExtractFiles tool for fast mail recovery

You can use the ExtractFiles utility as part of a fast mail recovery scenario from quarantine: this only works when choosing the Quarantine as Single EML File option for the Quarantine Messages setting in General Options. This is helpful when delivering a large amount of quarantined e-mails. Such a situation can arise if there is a change in your company's filtering policy, due to a management request, or if e-mails were accidentally quarantined because of an incorrectly configured filter.

To use the ExtractFiles tool for fast mail recovery

  1. Extract all the files with the *.* syntax described previously. This extracts all quarantined files, both EML files and attachments.

    Note

    Be sure you understand which EML files you need to deliver.

  2. Copy the needed EML files into the Pickup folder on your Exchange server. Be aware that the usage of this folder is supported only under the following circumstances.

    1. These operations are performed outside of normal business hours.

    2. When copying many .eml files, you must copy them into the Pickup directory in batches. Try 10,000 files and see how long processing takes. There are many factors that can impact how long it takes to process the messages, such as server hardware, the load on the server, the volume of messages being processed, and so on. It may be possible to increase the batch size to 15,000 or 20,000 .eml files, or it may need to be reduced to 5,000 files.

    For basic instructions about the Exchange server Pickup folder, go to the following URL: https://go.microsoft.com/fwlink/?LinkId=140655. If you need further assistance on submitting mail via the Pickup folder, contact Microsoft Help and Support.
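An added helper (not part of the product or this page) that automates steps 1 and 2 of the procedure: it takes the folder produced by extractfiles, keeps only the EML files, copies them into the Pickup folder in batches of a configurable size and records how long each batch takes to drain, so the batch size can be tuned as described. It assumes that transport removes each file from Pickup once it has been submitted; the folder paths are placeholders.

```python
import shutil
import time
from pathlib import Path
from typing import Callable, Iterable, List, Optional, Sequence, Union


def plan_batches(extracted: Iterable[Union[str, Path]], batch_size: int = 10000) -> List[List[Path]]:
    """Keep only the .eml files from an ExtractFiles output folder (attachments
    that were extracted alongside them are skipped) and split them into batches."""
    if batch_size < 1:
        raise ValueError("batch_size must be at least 1")
    emls = sorted(p for p in (Path(x) for x in extracted) if p.suffix.lower() == ".eml")
    return [emls[i:i + batch_size] for i in range(0, len(emls), batch_size)]


def submit_batches(extracted_dir: Path, pickup_dir: Path, batch_size: int = 10000,
                   is_drained: Optional[Callable[[Sequence[Path]], bool]] = None,
                   poll_seconds: float = 5.0, timeout_seconds: float = 3600.0) -> List[dict]:
    """Copy EML files into Pickup one batch at a time, waiting for each batch to be
    consumed before the next, and report how long each batch took.
    Assumption (not stated on the page): transport deletes a file from Pickup once
    it has been submitted, so 'drained' defaults to 'none of the copied files exist'."""
    drained = is_drained or (lambda paths: not any(p.exists() for p in paths))
    report: List[dict] = []
    for n, batch in enumerate(plan_batches(extracted_dir.iterdir(), batch_size), start=1):
        started = time.monotonic()
        copied = [Path(shutil.copy2(src, pickup_dir / src.name)) for src in batch]
        deadline = started + timeout_seconds
        while not drained(copied):
            if time.monotonic() > deadline:
                raise TimeoutError(f"batch {n} not drained after {timeout_seconds} s")
            time.sleep(poll_seconds)
        report.append({"batch": n, "files": len(copied),
                       "seconds": round(time.monotonic() - started, 2)})
    return report


if __name__ == "__main__":
    # Placeholder paths: the extractfiles output folder and the Exchange Pickup folder.
    for row in submit_batches(Path(r"C:\extract"), Path(r"C:\Pickup"), batch_size=10000):
        print(row)
```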

Maintaining the databases

There are several other tasks you can perform with the Incidents or Quarantine databases. You can clear the databases, export database items, purge database items, filter database views, move the databases, and change the database compaction time.

Clearing the databases

Over time, you might find that your Incidents and Quarantine databases are becoming very large. Each database (Incidents.mdb and Quarantine.mdb) has a 2 GB limit. When a database is larger than 1.5 GB after being compacted, a notification is sent to all those having a notification role of Virus Administrators, warning that the database is nearing its limit. An administrator can then clear the database to ensure that future incidents and quarantined items will be saved.

The subject line of the message reads:

Microsoft Forefront Security for Exchange Server Database Warning

The body of the message reads:

The Microsoft Forefront Security for Exchange Server <<database name>> database is greater than 1.5 GB (with a maximum size of 2 GB). Its current size is x GB.

If this database grows to 2 GB, updates to the <<database name>> will not occur. Please see the user guide for information about database maintenance.

If for some reason the notification cannot be sent, the failure is ignored and is noted in the program log. One attempt to send the message is made during each compaction cycle for the specific database.

Clearing the incidents database

The Incidents database can be cleared when it becomes too large.

To clear the Incidents database

  1. On the Incidents work pane on the REPORT section of the Shuttle Navigator, click Clear Log. This clears all the items from the Incidents work pane. You will be asked to confirm your decision.

  2. In the OPERATE section of the Shuttle Navigator, select Run Job. Select a scan job, and then click Clear Log. This clears the items from the job in the Incidents work pane. Once again, you will be asked to confirm your decision. You must individually clear all scan jobs to have all items flagged for deletion from the database.

After you have cleared the entries in both places, they no longer appear in the work panes. However, they are actually deleted from the Incidents.mdb database only when it is compacted, which automatically occurs every day at 02:00 (2:00 A.M.).

You can also delete a subset of the results by selecting one or more entries (using the SHIFT and CTRL keys), and then pressing the DELETE key to remove them from both locations, as indicated above.

Note

If a large number of entries is selected, the deletion process can take a long time. In this case, you are asked to confirm the deletion request.

Clearing the quarantine database

The Quarantine database can be cleared when it becomes too large.

To clear the Quarantine database, click Clear Log on the Quarantine work pane on the REPORT section of the Shuttle Navigator. This clears all the items from the Quarantine work pane. You will be asked to confirm your decision.

After you have cleared the entries, they no longer appear in the work pane. However, they are actually deleted from the Quarantine.mdb database only when it is compacted, which automatically occurs every day at 02:00 (2:00 A.M.).

You can also delete a subset of the results by selecting one or more entries (using the SHIFT and CTRL keys), and then pressing the DELETE key to remove them from the Quarantine listing.

Note

If a large number of entries is selected, the deletion process can take a long time. In this case, you are asked to confirm the deletion request.

Exporting database items

Click Export on the Incidents or Quarantine work panes to save all the results from the Incidents or Quarantine databases as a text file. Clicking Export displays a standard Windows® Save dialog box, in which you select a location for the Incidents.txt or Quarantine.txt file.

In addition to the Export button, the Quarantine pane has a Save As button, used to detach and decode a selected file to disk. You can select multiple items from the Quarantine list. Each is saved as a separate file.

Purging database items

You can instruct Forefront Security for Exchange Server to remove items from the databases after they are a certain number of days old. The number of days is indicated by the Purge field on both the Incidents and Quarantine work panes. Each database can have a separate purge value (or none at all). If the purge function is enabled for a database, all files older than the specified number of days are flagged for removal from that database.

To purge database items after a certain number of days

  1. On either the Incidents or the Quarantine work pane in the REPORT section of the Shuttle Navigator, select the Purge check box. This causes the Days field to become available.

  2. In the Days field, indicate the number of days after which items will be purged. All items older than that number of days will be deleted from the database. The default is 30 days.

  3. Click Save. Setting or changing the purge value takes effect only after being saved.

To suspend purging, clear the Purge check box. The value in the Days field will remain, but no purging will take place until Purge is selected again.

Filtering database views

You can filter the Incidents or Quarantine views to see only certain items. The filter has no effect on the database itself, just on which records are displayed.

To filter the database view

  1. On the Incidents or Quarantine work pane, select the Filtering check box.

  2. Select the items you want to see with the Field option. Each choice in Field corresponds to one of the columns in the display. (For example, you can show only those Incidents whose State is "Purged".) If you select any column other than Time (on the Incidents pane) or Date (on the Quarantine pane), the Value field appears. If you select Time or Date, you get entry fields for beginning date and time, and ending date and time.

  3. If you selected Time or Date, enter the beginning and ending date and time. Otherwise, enter a string in the Value field. Wildcard characters can be used. They are those used by the Microsoft Jet database OLE DB driver. The wildcard characters are:

    _ (underscore)—Matches any single character. (The * and ? characters, which are common wildcard characters, are literals in this instance.)

    [ ]—Denotes a set or a range. Matches any single character within the specified set (for example, [abcdef]) or range (for example, [a-f]).

    [!]—Denotes a negative set or range. Matches any single character not within the specified set (for example, [!abcdef]) or range (for example, [!a-f]).

  4. Click Save to apply the filter. The only items you now see are those that match your parameters.

  5. To see all the items again, remove the filter by clearing the Filtering check box and clicking Save.
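A matcher for the Filtering pane's wildcard syntax, written here as an added example (not code from the product): it translates a Value pattern into a regular expression using the three rules above, keeps * and ? as literals, and applies it to constructed incident rows, with the Time column handled as a begin/end window. Whole-value, case-insensitive matching is an assumption.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

Incident = Dict[str, object]


def jet_wildcard_to_regex(pattern: str) -> str:
    """Translate a Filtering 'Value' pattern into a regular expression.

    Rules from the page: '_' matches any single character, '[abc]' / '[a-f]' a set
    or range, '[!abc]' / '[!a-f]' a negated set or range; '*' and '?' are literals.
    Assumption (not stated on the page): the pattern must match the whole value.
    """
    out: List[str] = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "_":
            out.append(".")
        elif ch == "[":
            close = pattern.find("]", i + 1)
            inner = pattern[i + 1:close] if close != -1 else ""
            negate = inner.startswith("!")
            members = inner[1:] if negate else inner
            if close == -1 or not members:
                out.append(re.escape(ch))            # unbalanced or empty set: literal '['
            else:
                # escape every member except '-' so ranges such as a-f keep working
                cls = "".join(c if c == "-" else re.escape(c) for c in members)
                out.append(("[^" if negate else "[") + cls + "]")
                i = close
        else:
            out.append(re.escape(ch))                # covers '*' and '?' as literals
        i += 1
    return "^" + "".join(out) + "$"


def value_matches(value: object, pattern: str) -> bool:
    """Match one cell against a filter pattern (case folding is an assumption)."""
    return re.match(jet_wildcard_to_regex(pattern), str(value), re.IGNORECASE) is not None


def filter_incidents(records: List[Incident], column: str, value: Optional[str] = None,
                     begin: Optional[datetime] = None, end: Optional[datetime] = None) -> List[Incident]:
    """Mirror the Filtering pane: the Time column takes a begin/end window,
    every other column takes a wildcard Value pattern."""
    if column == "Time":
        return [r for r in records
                if (begin is None or r["Time"] >= begin) and (end is None or r["Time"] <= end)]
    if value is None:
        raise ValueError("a Value pattern is required for columns other than Time")
    return [r for r in records if value_matches(r.get(column, ""), value)]


# Constructed sample rows (not real FSE data); the Incident strings are illustrative.
SAMPLE_INCIDENTS: List[Incident] = [
    {"Time": datetime(2002, 4, 25, 14, 12, 51), "State": "Cleaned", "Name": "Realtime Scan Job",
     "Folder": r"First Storage Group\Usera\Inbox", "Message": "Hello",
     "File": "Eicar.com", "Incident": "VIRUS=EICAR-STANDARD_AV_TEST_FILE"},
    {"Time": datetime(2002, 4, 25, 15, 2, 7), "State": "Purged", "Name": "Transport Scan Job",
     "Folder": "Inbound", "Message": "Quarterly report",
     "File": "report.exe", "Incident": "FILTER=*.exe"},
    {"Time": datetime(2002, 4, 26, 9, 30, 0), "State": "Purged", "Name": "Realtime Scan Job",
     "Folder": r"First Storage Group\Userb\Inbox", "Message": "Invoice",
     "File": "invoice.doc", "Incident": "FILTER=*.doc"},
]

if __name__ == "__main__":
    for row in filter_incidents(SAMPLE_INCIDENTS, "State", "Purged"):
        print(row["Time"], row["Message"], row["Incident"])
```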

Moving the databases

You can move the Quarantine and Incidents databases. However, for FSE to function properly, you must move both databases, as well as all related databases and support files.

To move the databases and all related files

  1. Create a new folder in a new location (for example: C:\Moved Databases).

  2. Set the permissions for the new folder:

    1. Right-click the new folder, and then select Properties.

    2. On the Security tab, add Network Service with Full Control privileges.

    3. Enable all permissions for Administrators and System.

  3. Stop Exchange and any Forefront Security for Exchange Server services that might still be running after the Exchange server is stopped.

  4. Copy the entire contents of the Data folder, including the subfolders, from Microsoft Forefront Security\Exchange Server into the folder created in step 1. (This results in a folder called, for example, C:\Moved Databases\Data.)

  5. Change the path in the DatabasePath registry key to point to the new Data folder location:

    (HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server)

  6. Restart the Exchange services.

Changing the database compaction time

Typically, Forefront Security for Exchange Server runs daily database management functions on the Incidents.mdb and Quarantine.mdb databases. The CompactIncidentDB function and the CompactQuarantineDB function are run to delete old database records and to delete stale Quarantine items.

By default, these functions are run at 02:00 local time. However, you may want to compact the databases at a different time. To run the compaction functions at a different time, you must add a registry entry.

To change the database compaction time

  1. Click Start, click Run, type regedit, and then click OK.

  2. In Registry Editor, expand the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Forefront Software\Forefront Security for Exchange

  3. On the Edit menu, point to New, and then click String Value.

  4. Type CompactDatabaseTime, and then press ENTER.

  5. Right-click CompactDatabaseTime, and then click Modify.

  6. In the Value data box, type a new value, for example 21:00, and then click OK.

    Note

    Enter the time value using the 24-hour (hh:mm) format. The value should be based on the local time during which you want the compaction functions to run.

  7. Exit the Registry Editor.

  8. Click Start, point to Settings, and then click Control Panel.

  9. Double-click Administrative Tools, and then click Services.

  10. Right-click FSCController, and then click Restart.

  11. Close Services and Control Panel.

Windows Event Viewer

Forefront Security for Exchange Server stores virus detections, stop codes, system information, and other general application events in the Windows application log. Use Windows Event Viewer to access the log.

Additionally, these events are stored in ProgramLog.txt located in the Data subdirectory of Microsoft Forefront Security\Exchange Server.

Performance

All Forefront Security for Exchange Server statistics can be displayed using the Performance snap-in (Perfmon.exe) provided by Windows and usually found in Administrative Tools. The performance object is called Microsoft Forefront Server Security.

Reinstalling Forefront Security for Exchange Server performance counters

In the event that the Forefront Security for Exchange Server performance counters are deleted, they can be reinstalled in two ways:

  • By reinstalling Forefront Security for Exchange Server.

  • By issuing PerfMonitorSetup from a command prompt.

The PerfMonitorSetup command will reinstall the performance counters without the need to reinstall Forefront Security for Exchange Server.

To reinstall performance counters from a command prompt

  1. Open a command prompt window.

  2. Navigate to the Forefront Security for Exchange Server installation folder (default: C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server).

  3. Enter the command: PerfMonitorSetup -install