Configuring maximum file sizes and other threshold levels

  • Article

 

Applies to: Forefront Protection 2010 for SharePoint

You can configure the maximum values that Microsoft Forefront Protection 2010 for SharePoint (FPSP) uses for various thresholds. These include the following: container file size, uncompressed file size, container file infections, and nested attachments. If a threshold value is exceeded, the file is deleted.

To configure maximum file sizes and other threshold levels

  1. In the Forefront Protection 2010 for SharePoint Administrator Console, click Policy Management, and in Global Settings, click Advanced Options.

  2. In the Global Settings - Advanced Options pane, in the Threshold levels section, you can enter values for the following settings:

    1. Maximum container file infections—Specifies the maximum number of infections permitted in a container file. If this value is exceeded, the entire file is deleted and an ExceedinglyInfected incident is added to the log file (all infections prior to when the maximum number of infections is reached are also logged). A value of 0 (zero) means that a single infection causes the entire container to be deleted. The default value is 5 infections.

    2. Maximum container file size: (megabytes)—Specifies the maximum container file size (in megabytes) that FPSP attempts to scan. The default value is 25 MB. Files larger than the maximum size are deleted. FPSP reports these deleted files as LargeInfectedContainerFile incidents.

    3. Maximum compressed file size: (megabytes)—Specifies the maximum compressed size for a file within a .zip file or other compressed container file. Files larger than this size are treated as corrupted compressed. This setting works in conjunction with the Delete corrupted compressed files setting. In order to delete a file that exceeds the Maximum compressed file size, the Delete corrupted compressed files setting must be enabled. For more information, see Deleting corrupted compressed files. The size is specified in megabytes, with a valid range of values from 0 to 2047. The default value is 20 MB for 32-bit environments and 100 MB for 64-bit environments. A value of 20 means that all compressed files larger than 20 MB are deleted.

    4. Maximum uncompressed file size: (megabytes)—Sets the maximum uncompressed file size for a file within a .zip file, a .gzip file, or a .rar archive file. If a file is larger than the maximum permitted size, the entire container file is deleted and is reported as a LargeUncompressedFileSize incident. The default value is 100 MB for 32-bit environments and 750 MB for 64-bit environments. This setting works in conjunction with the Delete corrupted compressed files setting. In order to delete a file that exceeds the Maximum uncompressed file size, the Delete corrupted compressed files setting must be enabled. For more information, see Deleting corrupted compressed files.

      The .rar archive format enables one or more compressed files to be stored in multiple .rar volumes, thereby permitting large files to be broken into smaller-sized files for ease of file transfer. To prevent the volumes from being deleted, you must set a large enough value in order to exceed the uncompressed size of the largest file in the multipart .rar volumes.

      For concatenated .gzips, the Maximum uncompressed file size is applied to each part of the concatenated .gzip. For example, take a .gzip that has two parts. Part1 is within the size limit, and part2 is also within the size limit, but the combined size of part1 and part2 exceeds the limit. This is not considered exceeding the size limit and FPSP continues scanning.

    5. Maximum nested attachments—Specifies the limit for the maximum number of nested documents that can appear in MSG, TNEF, MIME, and UUEncoded files. If the maximum number is exceeded, FPSP deletes or suspends the document and reports an ExceedinglyNested incident. The default value is 30.

    6. Maximum nested depth compressed files—Specifies the maximum nested depth for a compressed file. If this is exceeded, FPSP deletes (for a scheduled scan) or suspends (for a realtime scan) the entire file and reports an ExceedinglyNested incident. A value of 0 (zero) indicates that an infinite amount of nestings is permitted. The default value is 5.

  3. Click Save.