Antivirus settings for scan jobs

 

Applies to: Forefront Security for SharePoint

After you have configured the Scan Job Settings, select the engines to use, the Bias setting, and the Action to take.

Note

To configure FSSP scan jobs, administrators must log on to the SharePoint server using an account that has SharePoint Administrative rights. Otherwise, the Antivirus Settings work pane will be disabled.

To configure the antivirus settings

  1. Click Antivirus in the SETTINGS shuttle. The Antivirus Settings work pane appears.

  2. From the list in the top pane, select either the Realtime Scan Job or the Manual Scan Job.

  3. From the list of available File Scanners, select the engines to use for the scan job. All the engines are listed, and the five you chose at installation are initially selected by default. (Although you may only use a maximum of five engines, you may use any five. You are not limited to the ones you selected during the installation.) To run jobs that only perform file filtering, disable all the scanners (by clearing their check boxes).

    Note

    If you have the maximum of five engines selected and you want to change the ones used, clear the check boxes of unwanted engines before selecting new ones. You may only have a maximum of five engines selected at a time.

  4. In the Bias field, select the bias to control how many engines should be used to provide you with an acceptable probability that your system is protected. For more information on bias settings, see the "Multiple scan engines" chapter of the "Microsoft Forefront Security for SharePoint User Guide".

  5. In the Action field, select the Action for FSSP to perform when it detects a virus:

    • Skip: detect only   Make no attempt to clean or delete the infection. Viruses will be reported, but the files will remain infected.

    • Clean: repair document   Attempt to replace the infected file with a clean version. If cleaning is not possible, the file is replaced with the Deletion Text.

    • Block: prevent transfer   An infected file will be blocked from being uploaded or downloaded. The user will receive a SharePoint message that the file was infected and could not be uploaded or downloaded. This choice is for the Realtime Scan Job only.

    • Delete: remove infection   Delete the file without attempting to clean it. Replace the file with the Deletion Text. This choice is for the Manual Scan Job only.

      Note

      Due to SharePoint restrictions, if FSSP deletes a file that has been checked in to a SharePoint document library, the file icon and extension remain the same, but the content is replaced with the Deletion Text.

  6. Enable or disable e-mail notifications by using the Send Notifications field. This setting does not affect reporting to the Incidents log. Notifications are disabled by default.

  7. Enable or disable saving files detected by the file scanning engines by using the Quarantine Files field. Quarantining is enabled by default.

  8. To have all attachments scanned, no matter what the type, set the ScanAllAttachments registry key to 1. To perform scans as quickly and efficiently as possible, FSSP normally scans only those files that can potentially contain viruses. It does this by first determining the file type and then by determining if that file type can be infected with a virus. The file type is determined by looking at the file header and not by looking at the file extension. This is a much more secure method because file extensions can be easily spoofed. This pre-scan check increases Forefront Security for SharePoint performance, while making sure no potentially infected file attachments pass without being scanned. The registry key can be found at:

    • For 32-bit systems   HKLM\SOFTWARE\Microsoft\Forefront Server Security\SharePoint
    • For 64-bit systems   HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\SharePoint