
Microsoft Forefront Security for Exchange Server User Guide

Microsoft Forefront Security for Exchange Server Version 10


Microsoft Corporation
Published: July 2009

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft Corporation may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft Corporation, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2009 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Excel, Forefront Security, Internet Explorer, Outlook, PowerPoint, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Privacy policy
Review the Microsoft Forefront Security Privacy Statement at the Microsoft Forefront Security Web site.

Contents
Introduction ... 11
    Forefront Security for Exchange Server scanning overview ... 12
    Premium spam protection ... 14
    Scanning order ... 15
    Third-party file-level antivirus programs ... 16
    Additional documentation ... 16
Installing Forefront Security ... 16
    System requirements ... 17
    Installing on a local server ... 18
    Installing on a remote server ... 20
    Administrator-only installation ... 22
    Guidelines for installing FSE in a Hyper-V virtual environment ... 23
        Verifying system requirements for using FSE in a Hyper-V environment ... 24
        About FSE virtualization guidelines ... 24
        Tuning performance ... 25
        Optimizing guest and host operating system settings ... 25
        About process counts ... 25
    Installing to multiple servers ... 26
    Initial scanning ... 26
    Post-installation security consideration ... 26
    Upgrading ... 26
    Uninstalling ... 27
    Applying Exchange and FSE service packs and rollups ... 27
    Product licensing information ... 28
        Evaluation version ... 29
Forefront Security for Exchange Server Services ... 29
    About services ... 29
        FSCController ... 29
        FSCMonitor ... 30
        AdoNavSvc ... 30
        FSEIMC ... 30
        FSEMailPickup ... 30
        FSCRealtimeScanner ... 31
        FSCTransportScanner ... 31
        FSCStatisticsService ... 31
    Disabling the Forefront Security for Exchange Server services ... 31
    Recycling the Forefront Security for Exchange Server services ... 32
    Securing the service from unauthorized use ... 32
Forefront Server Security Administrator ... 33
    Enabling Forefront Server Security Administrator ... 33
    Launching the Forefront Server Security Administrator ... 34
    Connecting to a local server ... 35
    Connecting to a remote server ... 35
    Connecting to a different server ... 35
    Running in read-only mode ... 36
    Forefront Server Security Administrator user interface ... 37
    General Options ... 38
        Diagnostics section ... 38
        Logging section ... 40
        Scanner Updates section ... 40
        Scanning section ... 42
        Background Scanning section ... 56
    Central management ... 57
Multiple scan engines ... 57
    About engine rankings ... 58
    Setting the bias ... 58
        About bias settings ... 59
        Configuring the bias setting ... 60
Manual Scan Job ... 61
    Configuring the Manual Scan Job ... 61
        Configuring antivirus settings ... 61
        Editing the Manual Scan Job ... 63
    Running the Manual Scan Job ... 63
        Checking results and status ... 63
    Scheduling the Manual Scan Job ... 64
    Performing a Quick Scan ... 65
        Checking results and status ... 66
    About mailboxes and public folders ... 66
    Scanning files by type ... 67
Realtime Scan Job ... 67
    About multiple Realtime processes ... 68
    Configuring the Realtime Scan Job ... 68
        Configuring antivirus settings ... 69
        Editing the Realtime Scan Job ... 70
    Controlling the Realtime Scan Job ... 71
        Enabling and disabling the Realtime Scan Job ... 71
        Selecting virus scans, file filtering, and content filtering ... 71
        Checking results and status ... 71
    About mailboxes and public folders ... 71
    About proactive scanning ... 73
    About Realtime scan recovery ... 73
    Scanning files by type ... 74
Transport Scan Job ... 74
    About multiple Transport processes ... 74
    Configuring the Transport Scan Job ... 75
        Configuring antivirus settings ... 76
        Editing the Transport Scan Job ... 77
    Controlling the Transport Scan Job ... 77
        Enabling and disabling the Transport Scan Job ... 77
        Selecting virus scans, file filtering, or keyword filtering ... 77
        Checking results and status ... 78
    About Transport scan recovery ... 78
        About message queues ... 78
            Scanning the inbound queue ... 79
            Scanning the outbound queue ... 79
            Internal scanning ... 79
    Scanning nested compressed files ... 79
    Scanning files by type ... 79
Background scanning and on-access scanning ... 80
    Scheduled background scanning ... 80
    On-access scanning ... 81
    Heightened security on-access scanning ... 81
    Reporting incidents ... 82
Templates ... 82
    Template uses ... 83
    Creating a named template ... 83
    Renaming or deleting a named template ... 84
    Modifying templates ... 84
    Modifying default file scanner update templates ... 85
    Modifying notification templates ... 86
    Using named templates ... 86
        Deploying templates during a remote installation ... 87
    Deploying named templates ... 88
        Deploying schedule job templates ... 89
    Template planning tips ... 89
File filtering ... 89
    Creating a file filter ... 89
        Filtering by file type ... 91
        Filtering by extension ... 91
        Filtering by name ... 92
        Action ... 92
    Editing a file filter ... 93
    Matching patterns in the file name with wildcard characters ... 94
    Directional file filters ... 95
        Inbound filtering ... 95
        Outbound filtering ... 95
        Inbound, outbound, and internal filtering ... 96
    Filtering container files ... 96
    Excluding the contents of a container file from file filtering ... 97
    Using file filtering to block most file types ... 97
    File filter lists ... 98
        Creating a file filter list ... 98
        Importing items into a filter list ... 99
    Filter set templates ... 100
    International character sets ... 100
    Statistics logging ... 100
Content filtering ... 100
    Configuring sender-domains filtering ... 101
    Configuring subject line filtering ... 102
    Action ... 103
    Editing a content filter ... 103
    Matching patterns with wildcards ... 104
    Content filter lists ... 105
        Creating a content filter list ... 105
        Importing items into a filter list ... 106
    Filtering mail from all users in a domain except for specific users ... 106
    International character sets ... 107
    Reporting ... 107
    Filter set templates ... 108
        Creating a filter set template ... 108
        Configuring a filter set template ... 108
        Associating a filter set template with a scan job ... 108
        Editing a filter set template ... 109
        Deleting a filter set template ... 109
        Renaming a filter set template ... 110
        Distributing filter set templates to remote servers ... 110
Keyword filtering ... 110
    Creating new keyword lists ... 111
    Configuring keyword lists ... 111
        Keyword filter actions ... 112
        Keyword list syntax rules ... 113
        Case-sensitive filtering ... 115
    Example lists ... 115
    Allowed senders lists ... 115
        Enabling allowed senders lists ... 116
    Importing items into a filter list ... 117
Purging messages infected by worms ... 117
    Purging by the Realtime scanner ... 118
    Purging by the Transport scanner ... 118
    Purging by the Manual scanner ... 118
    Using file filtering to purge worm viruses ... 118
    Notifications ... 119
    Enabling and updating worm purging ... 119
    Updating the worm purge list ... 119
    Creating a custom worm purge list ... 120
E-mail notifications ... 120
    How notifications are sent ... 120
    Configuring notifications ... 121
    Notification roles ... 122
    Configuring internal addresses ... 123
    Enabling and disabling a notification ... 124
    Editing a notification ... 124
Reporting and statistics ... 124
    Incidents database ... 125
        VirusLog.txt ... 126
        Forefront Security for Exchange Server incidents ... 126
        Statistics ... 128
            Message statistics ... 128
            Attachment statistics ... 129
        Managing statistics ... 129
    Quarantine ... 129
        Quarantine options ... 130
        Saving quarantine database items to disk ... 130
        Delivering quarantined messages ... 131
            DeliverLog.txt ... 131
        Forwarding attachments ... 131
            Forwarding attachments quarantined by the virus scanner ... 131
            Forwarding attachments quarantined by the file filter ... 132
            Forwarding attachments and manual scans ... 132
        The ExtractFiles tool ... 132
            Using the ExtractFiles tool for fast mail recovery ... 133
    Maintaining the databases ... 133
        Clearing the databases ... 133
            Clearing the incidents database ... 134
            Clearing the quarantine database ... 134
        Exporting database items ... 135
        Purging database items ... 135
        Filtering database views ... 135
        Moving the databases ... 136
        Changing the database compaction time ... 137
    Windows Event Viewer ... 137
    Performance ... 138
        Reinstalling Forefront Security for Exchange Server performance counters ... 138
File scanner updating ... 138
    Automatic file scanner updating ... 139
    Scheduling an update ... 139
        Scheduling updates on multiple servers ... 141
        Update Now ... 141
        Update on load ... 141
        Scanner information ... 141
        Manifest.cab ... 141
    Distributing updates ... 142
        Configuring servers to distribute and receive updates ... 142
            Configuring the redistribution (hub) server and UNC credentials ... 143
            Configuring the spoke servers ... 143
    Notifications following engine updates ... 144
    Putting the new file scanner to use ... 144
    Updating the file scanners through a proxy ... 144
    Adding and deprecating scan engines ... 145
        Adding new scan engines ... 145
        Deprecating scan engines ... 145
Troubleshooting ... 146
    Exchange not hooked in ... 146
    Getting help ... 146
    Diagnostics ... 146
    Forefront Security for Exchange Server installation failure ... 146
The FSC utility ... 147
    Disabling and enabling Forefront Security for Exchange Server ... 147
Registry keys ... 148
    Scanner Update Settings registry keys ... 154
Keyword substitution macros ... 154
    The macros ... 155
File types list ... 156
The FSC diagnostic tool ... 162
    Information collected ... 162
    Running the Forefront Security diagnostic tool ... 162
Backing up and restoring Forefront Security for Exchange Server ... 164
    About backups ... 164
    Preparing files for backup ... 164
    Backing up data files ... 166
    Restoring data files ... 167

Security and configuration notices............................................................................................... 169 Security policy changes ........................................................................................................... 169 General Options changes ........................................................................................................ 170 Other changes and updates ..................................................................................................... 171

Exchange Introduction
In Microsoft Exchange, viruses can enter the environment in file attachments to e-mails, e-mail bodies, and public folder posts, but traditional antivirus technology cannot monitor or scan the contents of the Exchange database or the Exchange Transport stack. Exchange environments require an antivirus solution that can prevent the spread of viruses by scanning all messages in real time with minimal impact on server performance or message delivery times. Microsoft Forefront Security for Exchange Server (FSE) is the solution for protecting Exchange environments.

Forefront Security for Exchange Server is uniquely suited for Exchange Server 2007 environments. It uses the Exchange Virus Scanning Application Programming Interface (VSAPI) to integrate tightly with the Exchange servers and provide seamless protection. Forefront Security for Exchange Server provides powerful features that include:
1. Antivirus scanning using multiple antivirus scan engines.
2. Distributed protection on all storage and transport Exchange server roles, including Edge, Hub, and Mailbox/Public Folder servers.
3. File filtering by file name, extension, or size.
4. Comprehensive notifications for the administrator and the message sender and recipient.

Forefront Security for Exchange Server provides powerful protection for your messaging servers and is the antivirus solution for Exchange 2007 environments.

Benefits of using multiple scanning engines
Antivirus vendors all try to release signatures as soon as possible, but with every virus threat there is variation between antivirus research labs in how quickly virus samples are obtained and analyzed and signatures are released. By using multiple antivirus scan engines, Forefront customers realize the benefit of diversification. If all messages are scanned with five engines, it is more likely that one of the engines is equipped to handle a recently released virus than if only one antivirus engine were being used.

Forefront offers configuration settings that enable you to choose a balance between performance and relative level of protection. Any number of engines can be chosen, up to a maximum of five, and a bias setting determines whether all engines scan every message or a subset of the selected engines is used to scan each message. The recommended bias setting for increased protection is Favor Certainty. This setting configures Forefront to scan with all available engines that have been selected. (With Favor Certainty, an engine may be bypassed if it is temporarily unavailable, such as when it is in the middle of reloading to update its signatures.)


Forefront Security for Exchange Server scanning overview


Antivirus scanning on Edge Transport or Hub Transport servers is done by a Forefront AV agent, an E12 (Exchange 2007) transport agent that is registered with EdgeTransport.exe and loaded by that process. Antivirus scanning on the Mailbox server for Realtime and Background processing is done by an E12-compatible Forefront VSAPI .dll that is loaded by the Exchange Store. The actual antivirus scanning of messages is performed by separate Forefront Realtime and Transport processes, which isolate message scanning from the Exchange Transport and Store processes.

Forefront Security for Exchange Server supports the Exchange Edge Transport, Hub Transport, and Mailbox/Public Folder server roles. By distributing the scanning workload over the various Exchange servers, the impact on individual servers is reduced and duplicate scanning is eliminated. Forefront Security for Exchange incorporates new scanning logic that does not scan e-mail that has already been scanned. By default, e-mail scanned at an Edge Transport or Hub Transport server is not scanned again when routed or deposited into mailboxes. This approach minimizes antivirus scanning overhead to maximize mail system performance. It also:
  Significantly reduces scanning impact at the Information Store.
  Can be turned off to enable scanning at all points.

To identify mail that has already been scanned, a secure antivirus header stamp is written to each e-mail when it is first scanned at the Edge or Hub server. Later scanning operations (Hub or Store) check for this stamp, and if it is present the mail is not rescanned. When the message is submitted to the Store, the antivirus stamp properties are added to a MAPI property and maintained. To make the best use of this scan-once capability, it is recommended that all Exchange servers be given the same configuration settings, so that scanning at the various distributed points in the Exchange organization is equivalent. There are several scanning scenarios:

Scanning of inbound mail
Mail is scanned at the Edge server. The mail is not rescanned at the Hub or when first deposited in the Mailbox servers. However, after the messages are deposited in the Mailbox server, the server can be configured to periodically rescan all or some of the content with newer signatures.

Scanning of outbound mail
By default, outgoing mail is not scanned on the Mailbox server, but is scanned at the Hub server. If the Mailbox and Hub server roles are deployed on the same computer, the mail is scanned by the Hub Transport role. If there is an Edge server deployed in the Exchange organization, the mail is not rescanned at the Edge server.


Scanning of internal mail
Mail is scanned at the Hub server as it is routed internally. By default, the mail is not scanned at the Mailbox server where it originated or rescanned at the destination Mailbox server.

In all of these scenarios, processing time and load are saved on the Mailbox servers.

The AV stamp
Three conditions must be met before the AV Transport Agent places an AV stamp on a message:
  The message must be scanned with at least one virus engine.
  Either no virus is found, or if a virus is found it must be cleaned or deleted.
  If the message was updated, Forefront must successfully write the updated message back to Exchange.

If Forefront is set to Skip: detect only mode for virus scanning, no stamp is written if a virus is found. Only antivirus scanning sets the stamp; file filtering has no effect on it.

Mailbox scanning
Store scanning is handled by:
  The Realtime scan job and Background Scanning
  The Manual scan job

Proactive scanning (scanning when messages and files are written to the Store) is turned off by default. By default, messages that arrive at a Mailbox server carry a Transport stamp and are not rescanned by the Realtime scanning processes. The Transport Hub that has scanned these messages can be located either on a separate server or co-located with the Mailbox server. Content that has never been routed through a Transport Hub does not have an AV stamp and is scanned when first retrieved from the store by On-Access Scanning. By default, On-Access Scanning scans a message when it is accessed only if it has not been scanned before. Access includes opening a message, viewing it in the preview pane, and content indexing operations. Most retrieval has no impact on the Store, since messages have been scanned in transit. On-access scanning provides protection for messages in the Sent Items folder, the Outbox, and Public Folders. There are optional high-security configuration settings that can be enabled on the Mailbox server to scan a message on access if new signatures have arrived since the message was last scanned. (See the Scan on scanner update option in Settings - General Options.) It is recommended that these high-security settings be used only in the event of a serious threat that requires constant rescanning of mail to protect users from a known threat. When Outlook is running in cache mode, there are two copies of the user folders, one local and one on the server. Forefront is a server application and only has access to the server copy. This provides appropriate protection, because sending or receiving transfers the message to the server, where scanning takes place.

It should be noted that On-Access protection is limited. When the mail has already been downloaded to a client Outlook cache in Outlook 2003 or Outlook 2007 (if Outlook cache mode is on), locally accessing the mail in Outlook does not cause an On-Access event on the Exchange server. Background scanning is useful for this case, when the mail is already stored in the client cache. If a Background scan detects a virus, the store copy of the message is cleaned or deleted, forcing the client to re-synchronize the (cleaned or purged) messages the next time it connects to Exchange. Background Scanning now provides incremental Background Scanning to enhance performance. This functionality enables administrators to configure Background scanning jobs to scan messages based on their age. For example, administrators can schedule a background scan job to run at off-peak hours and to scan only messages received in the past two days. Administrators can also run a background scan job to clean the Mailbox server in response to a known event that has deposited infected items in the store. Incremental Background Scanning dramatically reduces Store overhead and provides a significant level of protection for the latest messages, which may have been received on the Exchange server before the corresponding signatures for that virus arrived. Background Scanning uses the same configuration settings configured in the Realtime Scan job. Microsoft recommends that Proactive scanning be turned on for a Public Folder server, so that content is scanned when it is posted to the server and does not incur any download delays when it is accessed.
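The following added example (not Forefront code) models the Favor Certainty engine selection described in the Introduction together with the three AV-stamp conditions, the scan-once check in transit, the Scan on scanner update behaviour on access, and age-based incremental background scanning described above. The stamp record and the timestamp-based tracking of signature freshness are assumptions made for the model, not the product's actual header or MAPI property format.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Added example, not Forefront code. The Stamp record stands in for the real
# AV header / MAPI property, and signature freshness is tracked with
# timestamps; both are modelling assumptions, not the product's format.

NOW = datetime(2009, 7, 1, 9, 0)        # constructed reference time
HOUR, DAY = timedelta(hours=1), timedelta(days=1)


@dataclass
class Stamp:
    scanned_at: datetime                # when the message was last scanned
    engines: List[str]                  # engines that actually scanned it


@dataclass
class Message:
    subject: str
    received: datetime
    infected: bool = False
    stamp: Optional[Stamp] = None


@dataclass
class Settings:
    selected_engines: List[str] = field(default_factory=lambda: ["A", "B", "C", "D", "E"])
    unavailable: Set[str] = field(default_factory=set)   # engines reloading signatures
    action: str = "clean"               # "clean", "delete" or "skip" (Skip: detect only)
    scan_on_scanner_update: bool = False
    signatures_updated_at: Optional[datetime] = None


def favor_certainty_engines(settings: Settings) -> List[str]:
    """Favor Certainty: every selected engine (at most five) scans, except ones
    temporarily unavailable, for example while reloading updated signatures."""
    return [e for e in settings.selected_engines[:5] if e not in settings.unavailable]


def transport_scan(msg: Message, settings: Settings, now: datetime = NOW,
                   write_back_ok: bool = True) -> bool:
    """Scan at an Edge or Hub server; return True when an AV stamp was placed.

    Conditions: at least one engine scanned the message; no virus was found or
    it was cleaned/deleted; and an updated message was written back to Exchange.
    File filtering is not consulted here: only antivirus scanning sets the stamp.
    """
    engines = favor_certainty_engines(settings)
    if not engines:
        return False                    # no engine scanned the message
    if msg.infected:
        if settings.action == "skip":
            return False                # detect only: infected mail is never stamped
        if not write_back_ok:
            return False                # cleaned/deleted copy was not written back
        msg.infected = False            # clean or delete removed the threat
    msg.stamp = Stamp(scanned_at=now, engines=engines)
    return True


def needs_scan_in_transit(msg: Message) -> bool:
    """Later Hub or Store scanning: a stamped message is not rescanned."""
    return msg.stamp is None


def needs_scan_on_access(msg: Message, settings: Settings) -> bool:
    """On-access scan: unstamped content always; stamped content only when
    'Scan on scanner update' is on and signatures are newer than the stamp."""
    if msg.stamp is None:
        return True
    return bool(settings.scan_on_scanner_update
                and settings.signatures_updated_at is not None
                and settings.signatures_updated_at > msg.stamp.scanned_at)


def background_scan_targets(store: List[Message], max_age: timedelta,
                            now: datetime = NOW) -> List[Message]:
    """Incremental background scan: only messages received within max_age,
    stamped or not, so recent mail is rescanned with the newest signatures."""
    return [m for m in store if now - m.received <= max_age]
```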

Premium spam protection


As a licensed user of Forefront Security for Exchange Server, you receive premium anti-spam services. This premium service updates the content filter daily, using Microsoft Update. In addition, the service includes the Spam Signature and IP Reputation Service updates, available on an as-needed basis, up to several times a day. Built upon the base level of anti-spam protection within Exchange 2007, these premium anti-spam services add:
  Microsoft IP Reputation Service, which provides sender reputation information about IP addresses that are known to send spam. This is an IP block list offered exclusively to Exchange 2007 customers. Premium spam protection also includes automated updates for this filter, available on an as-needed basis, up to several times a day.
  Spam Signature updates to identify the most recent spam campaigns. The signature updates are available on an as-needed basis, up to several times a day.
  Automated content filtering updates for Microsoft Smartscreen spam heuristics, phishing Web sites, and other Intelligent Message Filter (IMF) updates.
  Targeted spam signature data and automatic updates to identify the latest spam campaigns.

These capabilities help ensure that your organization has the most up-to-date protection against the latest spam attacks. For more information about anti-spam protection, see Managing Anti-Spam and Antivirus Features in the Microsoft Exchange Server 2007 documentation.

Scanning order
When FSE scans a file or an e-mail message, the following tasks are performed in the order listed:

Allowed senders scan: If the allowed senders list functionality is enabled, FSE compares the message sender's domain or address to the allowed senders list. If a message is from a domain or address in the allowed senders list, the message is delivered to the recipient and the rest of the scanning tasks that are described in this list are bypassed. You can configure the allowed senders list functionality to bypass specific types of filters, such as keyword filters, file filters, and content filters, or you can bypass all filters. For more information, see Keyword filtering.

Content filtering scan: Content filtering includes the following filters (for more information, see Content filtering):
  Sender-domains filtering: When sender-domains filtering is enabled, FSE compares the message sender to the senders and the domains that are in the sender-domains filter list.
  Subject line filtering: When subject line filtering is enabled, FSE compares the contents of the message's subject line to the words in the subject line filter list.

Keyword filtering scan: When keyword filtering is enabled, FSE compares the contents of the message to any keyword filter lists that have been created. For more information, see Keyword filtering.

Attachment scan: If the e-mail message has an attachment, FSE scans it for worms and viruses:
  Worm purge: The worm purge tool maintains the WormPrge.dat file, containing a list of known worms. This list is regularly updated and maintained by FSE. The contents of the message are compared to the list of known worms. For more information, see Purging messages infected by worms.
  File filtering: When file filtering is enabled, FSE compares the contents of the message to the file filter list. The file filter list provides you with the ability to search for attachments with a specific name, type, and size within an e-mail message. For more information, see File filtering.
  Virus cleaning: FSE uses multiple virus scan engines to determine whether the attachment contains a virus. For more information, see Multiple scan engines.

Body scan: The body of the message is compared to the worm list that is maintained in the WormPrge.dat file. If no worms are found, FSE then scans the body of the message for viruses. For more information, see Purging messages infected by worms and Multiple scan engines.
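To make the order concrete, here is an added example (not Forefront's own code) that runs the tasks above in the documented order over a constructed message and policy and returns the first verdict reached. The filter lists, the worm list standing in for WormPrge.dat, and the virus "signatures" standing in for the scan engines are all constructed for the model; the allowed-senders bypass set and its "all" value are likewise a modelling convenience.

```python
from dataclasses import dataclass, field
from typing import List, Set

# Added example, not Forefront code: a simplified model of the scanning order
# listed above. The filter lists, the worm list (a stand-in for WormPrge.dat)
# and the "virus engine" signatures are all constructed inline.

@dataclass
class Attachment:
    name: str
    content: bytes

@dataclass
class Message:
    sender: str                      # full e-mail address
    subject: str
    body: str
    attachments: List[Attachment] = field(default_factory=list)

@dataclass
class Policy:
    allowed_senders: List[str]       # addresses or bare domains
    allowed_bypass: Set[str]         # {"all"} or any of {"content", "keyword", "file"}
    sender_domain_filter: List[str]  # addresses or bare domains to block
    subject_filter: List[str]
    keyword_filter: List[str]
    file_filter_names: List[str]     # exact names or "*.ext" type patterns
    file_filter_max_size: int        # bytes; larger attachments match the file filter
    worm_signatures: List[bytes]     # constructed stand-in for WormPrge.dat
    virus_signatures: List[bytes]    # constructed stand-in for the scan engines

def _in_sender_list(sender: str, entries: List[str]) -> bool:
    """True if the address or its domain is in the list (case-insensitive)."""
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[-1]
    return any(e.lower() in (sender, domain) for e in entries)

def _file_filter_match(att: Attachment, policy: Policy) -> bool:
    """File filtering: match by name, by type (extension) or by size."""
    if len(att.content) > policy.file_filter_max_size:
        return True
    name = att.name.lower()
    for pattern in (p.lower() for p in policy.file_filter_names):
        if pattern.startswith("*.") and name.endswith(pattern[1:]):
            return True
        if name == pattern:
            return True
    return False

def _contains(data: bytes, signatures: List[bytes]) -> bool:
    return any(sig in data for sig in signatures)

def scan(msg: Message, policy: Policy) -> str:
    """Run the documented scanning tasks in order; return the first verdict."""
    bypass: Set[str] = set()
    # 1. Allowed senders: deliver at once, or bypass only the configured filters.
    if _in_sender_list(msg.sender, policy.allowed_senders):
        if "all" in policy.allowed_bypass:
            return "delivered: allowed sender"
        bypass = policy.allowed_bypass
    # 2. Content filtering: sender-domains list, then subject line.
    if "content" not in bypass:
        if _in_sender_list(msg.sender, policy.sender_domain_filter):
            return "content filter: sender-domain"
        if any(w.lower() in msg.subject.lower() for w in policy.subject_filter):
            return "content filter: subject line"
    # 3. Keyword filtering against the message text.
    if "keyword" not in bypass:
        if any(k.lower() in msg.body.lower() for k in policy.keyword_filter):
            return "keyword filter"
    # 4. Attachment scan: worm purge, then file filter, then the virus engines.
    for att in msg.attachments:
        if _contains(att.content, policy.worm_signatures):
            return f"worm purge: {att.name}"
        if "file" not in bypass and _file_filter_match(att, policy):
            return f"file filter: {att.name}"
        if _contains(att.content, policy.virus_signatures):
            return f"virus detected: {att.name}"
    # 5. Body scan: the worm list first, then the virus engines.
    body = msg.body.encode("utf-8")
    if _contains(body, policy.worm_signatures):
        return "worm purge: body"
    if _contains(body, policy.virus_signatures):
        return "virus detected: body"
    return "delivered: clean"

# Constructed sample policy: partner.example is an allowed sender whose mail
# skips the keyword and file filters but is still scanned for worms and viruses.
SAMPLE_POLICY = Policy(
    allowed_senders=["partner.example"], allowed_bypass={"keyword", "file"},
    sender_domain_filter=["spam.example"], subject_filter=["free prize"],
    keyword_filter=["confidential"], file_filter_names=["*.exe", "payroll.xls"],
    file_filter_max_size=1_000_000, worm_signatures=[b"WORM-MARKER"],
    virus_signatures=[b"VIRUS-MARKER"],
)
```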


Third-party file-level antivirus programs


If you use a third-party file-level antivirus program on a server containing Forefront Security for Exchange Server, you must ensure that the following program folders are not scanned, in order to prevent corruption of FSE:
  <Drive:>\Program Files (x86)\Microsoft Forefront Security (or whatever folder in which you installed FSE)
  <Drive:>\Program Files\Microsoft\Exchange Server
The file-level antivirus scan can also cause a conflict when FSE tries to scan e-mail messages.

Additional documentation
The most current Microsoft Forefront Security for Exchange Server documentation, including the "Microsoft Forefront Security for Exchange Server Quick Start Guide", the "Microsoft Forefront Security for Exchange Server Best Practices Guide", and the "Microsoft Forefront Security for Exchange Server Cluster Installation Guide", is available at the Microsoft Forefront Security for Exchange Server TechNet Library.

Installing Forefront Security


This release of Forefront Security for Exchange Server (FSE) supports local and remote installations on Exchange Server 2007 and local installations on these Exchange cluster configurations:
  Local Continuous Replication (LCR)
  Standby Continuous Replication (SCR)
  Cluster Continuous Replication (CCR)
  Single Copy Cluster (SCC)

Note: The procedures necessary to install Forefront Security for Exchange Server on a clustered system are found in the separate Microsoft Forefront Security for Exchange Server Cluster Installation Guide.

If your system is configured to run a Network Load Balancer (NLB), there are no special installation procedures for Forefront Security for Exchange Server. Simply follow the instructions in this guide for a non-clustered installation.

The Forefront Security for Exchange Server setup wizards can be used to install the product to a local Exchange server, to a remote Exchange server, or as an Administrator-only installation to a local workstation. You can also install FSE in a Hyper-V virtual environment. You must have administrative rights to the computer on which you are installing Forefront Security for Exchange Server. To begin the installation procedure, run Setup.exe from the directory containing the installation files.

System requirements
The following are the minimum server and workstation requirements for Forefront Security for Exchange Server.

Note: All minimum system memory and disk space requirements for Microsoft Exchange Server 2007 must be met before installing Forefront Security for Exchange Server. Too little available memory or disk space may impact the ability of Forefront to scan large files.

Minimum server requirements
The following are the minimum server requirements.

Note: If both the Exchange and SharePoint products are installed on the same server, only Forefront for Exchange can be installed, to protect Exchange.

  x64 architecture-based computer with an Intel Xeon or Intel Pentium family processor that supports Intel Extended Memory 64 Technology (Intel EM64T), or an AMD Opteron or AMD Athlon 64 processor that supports the AMD64 platform.
  Server software: Microsoft Windows Server 2003, Windows Small Business Server 2003, or Microsoft Windows Server 2008; Microsoft Exchange Server 2007 (Standard or Enterprise).
  1 gigabyte (GB) of free memory, in addition to that required to run Exchange 2007 (2 GB recommended). Note: With each additional licensed scan engine, more memory is needed per scanning process.
  2 GB of available disk space, in addition to the disk space required for Microsoft Exchange Server 2007.
  1 gigahertz (GHz) Intel processor.

Minimum workstation requirements
The following are the minimum workstation requirements:
  Windows Server 2003, Windows 2000 Professional, Windows XP, or Windows Vista
  6 MB of available memory
  10 MB of available disk space
  Intel processor, or equivalent


Installing on a local server


To install on a local Exchange server, you need to log on to the local computer using an account that has administrator rights. Click Next to continue after filling out a screen, unless otherwise directed.

Note: As in most installations, Setup updates shared Microsoft files on your computer. If you are requested to restart your computer, you do not have to do that immediately, but it may be necessary for certain FSE features to work correctly.

To install Forefront Security for Exchange Server on a local server
1. Run the Setup.exe file, which is available on your CD image or from the self-extracting package available at the Microsoft Volume Licensing Download Center.
2. The initial setup screen is Welcome. Click Next to continue.
3. Read the license at the License Agreement screen and click Yes to accept it.
4. On the Customer Information screen, enter User Name and Company Name, if needed.
5. On the Installation Location screen, select Local Installation.
6. On the Installation Type screen, select Full Installation.
7. Setup checks to see if you have the correct version of the Windows Update Agent. If you do not have the correct version, at the end of the installation you are directed to the Microsoft Update Web site to do the opt-in manually. If you do have the correct version, Setup then checks whether Microsoft Update is enabled. If it is not, the Use Microsoft Update dialog box appears, permitting you to enable it.
8. On the Quarantine Security Settings screen, select the desired setting.
   Secure Mode causes all messages and attachments delivered from Quarantine to be re-scanned for viruses and filter matches. This is the default.
   Compatibility Mode enables messages and attachments to be delivered from Quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.) Forefront Security for Exchange Server identifies these messages by placing special tag text in the subject line of all messages that are delivered from Quarantine.
9. On the Engine Updates Required screen, read the warning about engine updates.
10. If you use a proxy server for scanner updates, select Use Proxy Settings and enter the proxy name or IP address and its port on the Proxy Information screen. This ensures that your proxy server is correctly configured from the start. If you are doing a fresh install, you may enter the proxy information. If this is an upgrade, and proxy data is available in the registry, this screen does not appear and the existing data is preserved. Any changes to existing proxy information can be made in General Options.
   Note: If a username and password are required for the proxy server, they must be entered through General Options once FSE has been installed. This must be done immediately; otherwise, engine updates will fail.
11. If the server you are installing to is an Edge server, you may be asked whether you want FSE to enable Anti-Spam Updates. If you've never made any change to the Anti-Spam Updates setting in the Exchange Management Console (that is, the setting is in its default state), you are offered this choice. If you have made a change to that setting, you will not see it. If you do not enable Anti-Spam Updates during FSE installation, you can turn them on by clicking Enable Anti-spam Updates in the Action section of the Exchange Management Console.
   Note: If you enable Anti-Spam Updates during the installation and subsequently uninstall FSE, they will be disabled.
12. On the Choose Destination Location screen, either accept the default destination folder for the product, or click Browse to select a different one. Default: Program Files (x86)\Microsoft Forefront Security\Exchange Server
13. On the Select Program Folder screen, choose a program folder for Forefront. At this point, Setup checks for running services. Default program folder: Microsoft Forefront Server Security\Exchange Server
14. On the Start Copying Files screen, review the data presented to you. If any changes have to be made, use the Back button to navigate to the screen to be changed. Otherwise, click Next to begin the installation. A progress bar indicates that the files are being copied.
15. After installation is complete, you can start or restart the Exchange Transport Service, depending on whether it was stopped or running when the installation began. For a clean install, the service was probably still running and needs to be recycled. If you are reinstalling the product, the service had to be stopped before FSE could be uninstalled. If the service was running, the Restart Exchange Transport Service screen appears; if the service was stopped, the Start Exchange Transport Service screen appears. In either case, you can start the Transport service automatically so that Forefront Security for Exchange Server can become active. Click Next to have Setup perform this step, or click Skip to perform this step manually at a later time. Until the service has been started or restarted, FSE cannot scan mail being sent or received.
16. Depending on whether the Exchange Transport Service is being started or restarted (that is, you clicked Next on the prior screen), the Starting Exchange Transport Service screen or the Recycling Exchange Transport Service screen appears. Wait until the status changes to All services started before clicking Next to continue.
17. If the Information Store Service was stopped when the install began, the Start Exchange Information Store screen appears. You can start the Information Store service automatically so that Forefront Security for Exchange Server can become active. Click Next to have Setup perform this step, or click Skip to perform this step manually at a later time. Until the service has been started, FSE cannot scan mail on the Store. If the Information Store was running when the installation began, this screen does not appear.
18. If the Information Store Service is being started (that is, you clicked Next on the prior screen), the Starting Exchange Services screen appears. Wait until the status changes to All services started before clicking Next to continue.
19. On the InstallShield Wizard Complete screen, you are advised to view the Readme file (recommended). If you opted to use Microsoft Update and you do not have the correct version of the Windows Update Agent, you are directed to a site to obtain it. Click Finish to complete the installation.

Installing on a remote server


To remotely install Forefront Security for Exchange Server on an Exchange server, you must log on to your local computer using an account that has administrator rights to the remote computer. Click Next to continue after filling out a screen, unless otherwise directed.

Notes:
  Since the SMB protocol is used to copy the service to the remote server, you should ensure that you are working over a secure network.
  As in most installations, Setup updates shared Microsoft files on your computer. If you are requested to restart your computer, you do not have to do that immediately, but it may be necessary for certain Forefront Security for Exchange Server features to work correctly.

To install Forefront Security for Exchange Server on a remote server
1. The initial setup screen is Welcome. Click Next to continue.
2. Read the license at the License Agreement screen and click Yes to accept it.
3. On the Customer Information screen, enter User Name and Company Name, if needed.
4. On the Installation Location screen, select Remote Installation. If Forefront Security for Exchange Server is already installed on the remote Exchange server, this process can automatically stop the Exchange services, uninstall Forefront Security for Exchange Server, and restart the Exchange services prior to beginning the new installation.
5. On the Remote Server Information screen, enter the following:
   Server Name. The name of the computer to which you are installing Forefront Security for Exchange Server.
   Share Directory. The temporary location for the remote installation to use while setting up Forefront Security for Exchange Server. The default is C$.
6. On the Quarantine Security Settings screen, select the desired setting.
   Secure Mode causes all messages and attachments delivered from Quarantine to be re-scanned for viruses and filter matches. This is the default.
   Compatibility Mode enables messages and attachments to be delivered from Quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.) Forefront Security for Exchange Server identifies these messages by placing special tag text in the subject line of all messages delivered from Quarantine.
   For more information about this setting, see Reporting and statistics.
7. On the Engine Updates Required screen, read the warning about engine updates.
8. If you use a proxy server for scanner updates, select Use Proxy Settings and enter the proxy name or IP address and its port on the Proxy Information screen. This ensures that your proxy server is correctly configured from the start. If you are doing a fresh install, you may enter the proxy information. If this is an upgrade, and proxy data is available in the registry, this screen does not appear and the existing data is preserved. Any changes to existing proxy information can be made in General Options.
   Note: If a username and password are required for the proxy server, they must be entered through General Options once FSE has been installed. This must be done immediately; otherwise, engine updates will fail.
9. At this point, Setup determines whether Exchange is installed and running on the remote computer. If Exchange is not running, Setup gives you the option of starting the Exchange services. The Exchange services must be running for installation to continue.
10. If the server you are installing to is an Edge server, you may be asked whether you want FSE to enable Anti-Spam Updates. If you've never made any change to the Anti-Spam Updates setting in the Exchange Management Console (that is, the setting is in its default state), you are offered this choice. If you have made a change to that setting, you will not see it. If you do not enable Anti-Spam Updates during FSE installation, you can turn them on by clicking Enable Anti-spam Updates in the Action section of the Exchange Management Console.
   Note: If you enable Anti-Spam Updates during the installation and subsequently uninstall FSE, they will be disabled.
11. On the Choose Destination Location screen, either accept the default destination folder for the product, or click Browse to select a different one.
12. On the Select Program Folder screen, choose a program folder for Forefront. At this point, Setup checks for running services.
13. On the Start Copying Files screen, review the data presented to you. If any changes have to be made, use the Back button to navigate to the screen to be changed. Otherwise, click Next to begin the installation. A progress bar indicates that the files are being copied.
14. After installation is complete, you can start or restart the Exchange Transport Service, depending on whether it was stopped or running when the installation began. For a clean install, the service was probably still running and needs to be recycled. If you are reinstalling the product, the service had to be stopped before FSE could be uninstalled. If the service was running, the Restart Exchange Transport Service screen appears; if the service was stopped, the Start Exchange Transport Service screen appears. In either case, you can start the Transport service automatically so that Forefront Security for Exchange Server can become active. Click Next to have Setup perform this step, or click Skip to perform this step manually at a later time. Until the service has been started or restarted, FSE cannot scan mail being sent or received.
15. Depending on whether the Exchange Transport Service is being started or restarted (that is, you clicked Next on the prior screen), the Starting Exchange Transport Service screen or the Recycling Exchange Transport Service screen appears. Wait until the status changes to All services started before clicking Next to continue.
16. If the Information Store Service was stopped when the install began, the Start Exchange Information Store screen appears. You can start the Information Store service automatically so that Forefront Security for Exchange Server can become active. Click Next to have Setup perform this step, or click Skip to perform this step manually at a later time. Until the service has been started, FSE cannot scan mail on the Store. If the Information Store was running when the installation began, this screen does not appear.
17. If the Information Store Service is being started (that is, you clicked Next on the prior screen), the Starting Exchange Services screen appears. Wait until the status changes to All services started before clicking Next to continue.
18. When you have been informed that the installation was successful, click Next to perform another remote installation, or click Cancel to exit the installation program. If you opted to use Microsoft Update and you do not have the correct version of the Windows Update Agent, you are directed to a site to obtain it.

Administrator-only installation
Performing an Administrator-only installation installs the Microsoft Forefront Server Security Administrator onto any workstation or server, which can then be used to centrally manage the FSE service running on remote Exchange servers. Administrator-only installation requires approximately 2.5 MB of disk space.
To install the Administrator only
1. Run the Setup.exe file, which is available on your CD image or from the self-extracting package available at the Microsoft Volume Licensing Download Center.
2. The initial setup screen is Welcome. Click Next to continue.
3. Read the license at the License Agreement screen and click Yes to accept it.
4. On the Customer Information screen, enter User Name and Company Name, if needed.
5. On the Installation Location screen, select Local Installation.
6. On the Installation Type screen, choose Client - Admin Console Only.
7. If Microsoft Update is not enabled, the Use Microsoft Update to help keep your computer secure and up to date screen appears. If you select the option to use Microsoft Update, Setup will check to see if you have the correct version of the Windows Update Agent. If you do not have the correct version, you are directed to get it at the end of the installation and complete the opt-in online.
8. On the Choose Destination Location screen, either accept the default destination folder for the product, or click Browse to select a different one. Default: Program Files(x86)\Microsoft Forefront Security\Exchange Server
9. On the Select Program Folder screen, choose a program folder for Forefront. Default: Microsoft Forefront Server Security\Exchange Server
10. On the Start Copying Files screen, review the data presented to you. If any changes have to be made, use the Back button to navigate to the screen to be changed. Otherwise, click Next to begin the installation. A progress bar indicates that the files are being copied. On the InstallShield Wizard Complete screen, you are advised to view the Readme file (recommended). If you opted to use Microsoft Update and you do not have the correct version of the Windows Update Agent, you are directed to a site to obtain it. Click Finish to complete the installation.

Guidelines for installing FSE in a Hyper-V virtual environment


FSE supports the Hyper-V platform. Hyper-V is a hypervisor-based server virtualization technology that enables you to consolidate multiple server roles as separate virtual machines running on a single physical machine. For more information about Hyper-V, see the Hyper-V and Virtualization TechCenter. The deployment, configuration, and operation of FSE are the same in Hyper-V virtual server environments as on physical servers. This section provides guidelines for installing FSE in a Hyper-V virtual environment. Note: FSE is also approved for any hypervisor-based virtualization technology certified under the Microsoft Server Virtualization Validation program.


Verifying system requirements for using FSE in a Hyper-V environment


The minimum server and client requirements for FSE are essentially the same when installing in a virtual Hyper-V environment as on a physical server. For information about FSE system requirements, see System Requirements. However, the application, operating system, and hardware platform versions must be supported by Microsoft Exchange Server on the Hyper-V platform. For details about Exchange Server support recommendations on Hyper-V, see Microsoft Support Policies and Recommendations for Exchange Servers in Hardware Virtualization Environments. For another resource to see if your virtualization configuration is supported, you can access the Virtualization Support Wizard at the following URL: http://go.microsoft.com/fwlink/?LinkId=157617

About FSE virtualization guidelines:


Once the requirements for running Exchange Server in a Hyper-V environment are met, the following guidelines must be followed for the host computer:
- The host computer must have enough hardware resources to accommodate the virtual machines being deployed and their intended roles, and the host computer should be deployed with only the virtualization role. Memory and CPU intensive applications should not be run on the same host computer as the guest hypervisor.
- File-level antivirus scanning should be disabled on directories hosting the guest virtual hard drives (VHD). For more information, see "Third-party file-level antivirus programs" in Exchange Introduction.

The following are guidelines for the guest computer on which FSE will be installed:
- The size of the guest .vhd file must be a fixed value. Predefining the size of the .vhd file ensures that the host computer does not run out of hard drive space.
- For performance reasons, it is recommended that you choose Small Computer System Interface (SCSI) or Internet SCSI-based (iSCSI) storage in order to host the FSE database, preferably separately from the guest operating system.
- File-level antivirus scanning should exclude all necessary Exchange and FSE directories. For more information, see "Third-party file-level antivirus programs" in Exchange Introduction.
- Snapshots in guest virtual machines are strongly discouraged and are not supported.

Note: You may encounter network bottlenecks if you are running more than one guest computer and the host computer only has a single network card. You should add a second network card and create an additional Virtual Network adapter. Disk I/O bottlenecks may also occur if you are running more than one guest computer and the host computer only has a single hard drive. Ideally, each VHD should be on its own hard drive to prevent slowdowns due to multiple computers accessing the same physical hard drive.

Tuning performance
Adding FSE increases the resources utilized by your Exchange environment. To ensure that your virtual environment can handle the anticipated load from Exchange and FSE, it is recommended that you measure the performance counters before and after installing FSE. Based on the differences in the performance data from before and after the FSE installation, you may want to adjust your virtual hardware requirements. This can include allocating more memory, CPU affinity, and improved disk I/O. Memory and CPU utilization are usually the most heavily impacted by FSE. Note: For more information on using performance counters, see Performance and Reliability Monitoring Step-by-Step Guide for Windows Server 2008 or Windows Server 2003 Performance Counters Reference.
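The following script is an added example and is not part of the FSE user guide. It collects the before/after baseline the paragraph above recommends: it samples the CPU, memory and disk counters that FSE affects most, plus the working set and CPU time of the FSE scanner processes, writes every sample to a CSV file and prints per-counter averages so that two runs can be compared. The process instance names (FSCController, FSCTransportScanner, FSCRealtimeScanner) are assumed from the names used in this guide, and the output folder is an arbitrary choice; instances that do not exist yet (for example before FSE is installed) are skipped.

```powershell
# Added example, not part of the FSE user guide. Run once before installing FSE
# (-Label before-fse) and once after (-Label after-fse) under comparable load.
# Process names are assumed from the names the guide uses.
param(
    [string]$Label    = 'before-fse',
    [int]$Samples     = 60,               # number of samples to take
    [int]$Interval    = 5,                # seconds between samples
    [string]$OutDir   = 'C:\PerfBaseline' # assumed output location
)

$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\PhysicalDisk(_Total)\Avg. Disk sec/Transfer'
)

# Add per-process counters only for instances that currently exist, so the
# collection does not fail on a server where FSE is not installed yet.
$processPaths = (Get-Counter -ListSet Process).PathsWithInstances
foreach ($proc in 'FSCController', 'FSCTransportScanner', 'FSCRealtimeScanner') {
    foreach ($metric in 'Working Set', '% Processor Time') {
        $path = "\Process($proc)\$metric"
        if ($processPaths -contains $path) { $counters += $path }
    }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$outFile = Join-Path $OutDir ('{0}-{1:yyyyMMdd-HHmm}.csv' -f $Label, (Get-Date))

$sets = Get-Counter -Counter $counters -SampleInterval $Interval -MaxSamples $Samples

# Flatten to one row per (timestamp, counter) so the CSV is easy to diff or chart.
$rows = foreach ($set in $sets) {
    foreach ($sample in $set.CounterSamples) {
        New-Object PSObject -Property @{
            Timestamp = $set.Timestamp
            Counter   = $sample.Path
            Value     = [math]::Round($sample.CookedValue, 2)
        }
    }
}
$rows | Export-Csv -Path $outFile -NoTypeInformation

# Summary to set beside the other run: memory and CPU are usually the ones that move.
$rows | Group-Object Counter | ForEach-Object {
    $stats = $_.Group | Measure-Object -Property Value -Average -Maximum
    New-Object PSObject -Property @{
        Counter = $_.Name
        Average = [math]::Round($stats.Average, 2)
        Maximum = [math]::Round($stats.Maximum, 2)
    }
} | Sort-Object Counter | Format-Table Counter, Average, Maximum -AutoSize

"Samples written to $outFile"
```

Sixty samples at five-second intervals is five minutes of data; lengthen the run if the server's load is bursty. Compare the Average and Maximum columns of the two runs when deciding whether to add memory or CPU to the guest.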

Optimizing guest and host operating system settings


Because guest and host operating system settings such as video, sound cards, floppy disk drives, and virtual hardware require resources, it is recommended that you configure all nonessential items for "best performance." If you are not using it, you may also want to consider disabling or removing any nonessential item. This helps optimize performance in general of both the guest and host computers.

About process counts


Be cautious when adjusting the number of processes you want running per server for the FSE scan jobs (transport or realtime scan jobs only), as this can quickly deplete memory resources in your guest virtual machine. For example, transport scanning is set by default to 4 process counts. If all 4 are in use, the memory consumed is roughly the number of transport processes in use multiplied by the number of selected scan engines and by the memory each engine uses, plus the size of the files being scanned. For example, if you are using the default transport process count of 4, the maximum of 5 scan engines for the transport scan job, and each engine is using 100 megabytes (MB) of memory, then you can estimate the overall memory utilization by using the following computation:
4 (transport processes) x 5 (scan engines) x 100 (MB) + file sizes of scanned attachments = memory utilization
Note: This is an example only and real world results may vary. Memory is quickly exhausted if you increase the transport or realtime process counts, add more scan engines, and increase the bias. In most cases, the default number of process counts is adequate; however, you should consult Transport Scan Job and Realtime Scan Job for more information on fine tuning these settings. Additionally, use the performance data you collected earlier to help gauge how many process counts you should be using.

Installing to multiple servers


The Microsoft Forefront Server Security Management Console (FSSMC) should be used to install Forefront Security for Exchange Server to multiple Exchange servers. For complete installation instructions, see the Microsoft Forefront Server Security Management Console User Guide.

Initial scanning
When FSE is first installed, all mail up to one day old is scanned. (A registry key called OnAccessCutoff has an initial value of 24 hours). Each day, FSE adds 24 hours to the OnAccessCutoff value, so that progressively older and older mail is scanned. Mail that is older than the current value of OnAccessCutoff is not scanned, even if accessed. This keeps your system from being overwhelmed by the initial scan when FSE is installed.

Post-installation security consideration


When you install Forefront Security for Exchange Server, it is configured to permit everyone access to FSCController. To restrict access to FSCController, use DCOMCNFG to modify the security settings. For more information about securing access to FSCController, see "Securing the service from unauthorized use" in Forefront Security for Exchange Server Services.

Upgrading
You can upgrade prior versions of Forefront Security for Exchange Server 10.0 to SP1 without uninstalling the older version. (You must uninstall versions older than 10.0 in order to upgrade to SP1.) If Exchange Server 2007 has already been upgraded, you do not need to uninstall a 10.0 version of FSE. If you are upgrading both FSE and Exchange Server, upgrade FSE first. It is not necessary to upgrade Exchange Server in order to upgrade FSE. If, however, you are upgrading Exchange 2007 to Exchange 2007 SP1, FSE must also be upgraded to SP1, and then disabled during the Exchange upgrade, or it will no longer function correctly. Your configuration settings remain intact. When you start the upgrade installation, Setup detects the old version and asks you to confirm the upgrade. You are asked if you want to stop the Exchange Information Store, the Exchange Transport Service, the Microsoft Operations Manager (MOM), and the Performance Logs and Alerts Service. All these services will be stopped, updated, and started again, without the need for restarting the server. During an upgrade, the only setting that can be changed is the Installation Mode (Secure Mode or Compatibility Mode).


Note: To upgrade in a cluster installation, see the Microsoft Forefront Security for Exchange Server Cluster Installation Guide.

Uninstalling
To uninstall Forefront Security for Exchange Server, log on to the computer on which it is installed.
Note: For the procedures to uninstall FSE from a clustered server, see the Microsoft Forefront Security for Exchange Server Cluster Installation Guide.
To uninstall Forefront Security for Exchange Server
1. Ensure that the Forefront Server Security Administrator is not running.
2. Open Services in the Control Panel.
3. Stop the FSCController service. This causes the Microsoft Exchange Transport Service and Microsoft Exchange Information Store to be stopped also.
4. When all these services have stopped, close the Services dialog box.
5. Open Add or Remove Programs in the Control Panel.
6. Remove Microsoft Forefront Security for Exchange Server. Click Yes to confirm the deletion.
7. At the Uninstall Complete screen, click Finish.
8. Any settings that you have made still remain in .fdb files in the Microsoft Forefront Security folder in Program Files(x86) (or whatever folder you installed to). Additionally, the incidents and quarantine database files remain, as well as Statistics.xml. If you will be reinstalling FSE and want to retain those settings, do nothing. If you will not be reinstalling FSE or if you want to start with fresh settings, delete that folder. Note that the quarantine database holds copies of the items FSE detected, so if you keep the folder, continue to treat it as containing potentially malicious content.
9. If you are not planning to re-install Forefront Security for Exchange Server, restart the stopped Exchange services.

Applying Exchange and FSE service packs and rollups


This section describes how to apply Exchange and FSE service packs and rollups. For cluster installations, follow the instructions in Installing FSE On a Cluster in the Microsoft Forefront Security for Exchange Server Cluster Installation Guide.


To install an Exchange service pack or rollup
1. Disable FSE using the steps described in The FSC utility.
2. Follow the instructions provided with the specific service pack or rollup that you are installing.
3. After the installation is complete and the Exchange services have been restarted, verify that mail is flowing.
4. Enable FSE using the steps described in The FSC utility.
Note: Some Exchange service packs and rollups require you to download and install an FSE update in order to ensure that FSE operates correctly. For information and downloads, visit the Microsoft Web site at Microsoft Help and Support.
To install an FSE service pack or rollup
1. Run the installer by double-clicking the service pack or rollup executable file.
Note: While the installer is running, the Exchange and FSE services are stopped, and your mail flow is temporarily halted.
2. After the installation is complete and the Exchange and FSE services have been restarted (this occurs automatically during the installation), verify that FSE is working properly.
Note: FSE service packs or rollups can also be installed using the FSSMC Deployment job. (For details, see Deployment Jobs in the Forefront Server Security Management Console User Guide.) In this case, the installer runs in silent mode and there is no user input required. The rest of the process remains the same as when running the installer by double-clicking the executable file.

Product licensing information


After you have activated your product, you can enter licensing information (which can be obtained from Microsoft Sales). These are the reasons to license your product:
- You can align when your product expires with your license agreement (otherwise, the expiration is three years from the installation date).
- You can easily renew your license by entering a new expiration date.

To license FSE, select Register Forefront Server from the Help menu. If you have not already activated the product, the Product Activation dialog box appears. After you enter your product activation information, the Product License Agreement and Expiration dialog box appears. If you have activated FSE, only the Product Licensing Agreement and Expiration dialog box appears. Enter your 7-digit License Agreement Number and then an expiration date. You should enter a date that corresponds to the expiration of your license agreement, to coordinate the expiration of both the license agreement and the product. When the product nears its expiration, you should renew your license agreement and enter the new license information into the Product Licensing Agreement and Expiration dialog box.

Evaluation version
Microsoft provides a fully functional version of Forefront Security for Exchange Server for a 120-day evaluation. If you have a product key and enter it during installation, the product becomes a fully licensed subscription version. If not, it remains an evaluation version. After 120 days, the evaluation version of FSE continues to operate and report detected files. It does, however, cease to clean, delete, and purge files (that is, the action for all virus detection is reset to Skip: detect only). All filters (file, content, and keyword) also have their actions set to Skip: detect only. Finally, the Allowed Sender lists are disabled and scan engines no longer update, so an expired evaluation leaves the server reporting but no longer blocking threats. To subsequently convert an evaluation version to a subscription version, enter a product key using the Forefront Server Security Administrator, by selecting Register Forefront Server from the Help menu.

Forefront Security for Exchange Server Services


The Forefront Security for Exchange Server services are the components that run on the Exchange server and control all back-end functionality of FSE. The services process requests from the Microsoft Forefront Server Security Administrator, control the scanning processes, generate e-mail notifications, and store virus incident data (which can be viewed using the Forefront Server Security Administrator). An Administrator-only installation does not install the Forefront Security for Exchange Server services.

About services
The following sections describe the services used by Forefront Security for Exchange server.

FSCController
FSCController acts as the server component that Forefront Server Security Administrator connects to for configuration and monitoring. FSCController coordinates all Realtime, Manual, and Transport scanning activities. The FSCController startup type defaults to Manual.
Note: If you change the startup type to anything other than Manual, FSE may not scan properly.
After being installed, the FSCController becomes a dependency of the FSEIMC service. Due to other dependencies, whenever the Microsoft Exchange Information Store service is started or stopped, the same occurs with the FSCController. The Task Scheduler service must be operating properly for the FSCController to initialize.
Note: The FSCMonitor must run under the Local System account on Exchange 2007. If it is changed to run under a different account, Forefront Security for Exchange Server may not start.
Important: For a mailbox-only role, if FSCController or FSCMonitor is disabled, mail continues to flow, but is not scanned for viruses. For all other roles, you must also stop the Exchange services (by selecting Yes when the Stop Other Services prompt appears).

FSCMonitor
FSCMonitor monitors the Exchange Information Store, Transport stack, and Forefront Security processes to ensure that Forefront Security for Exchange Server provides continuous protection of your messaging environment.

AdoNavSvc
AdoNavSvc is used for browsing Active Directory for mailbox names. It will always be in a stopped state unless you are using the Forefront Server Security Administrator to browse mailboxes or public folders in Active Directory, or there is a manual scan or quick scan in progress.

FSEIMC
FSEIMC registers the FSE Agent to ensure that messages are scanned by the FSCTransportScanner process. FSEIMC becomes a dependency on the Microsoft Exchange Transport service on Exchange Server 2007. This service normally only runs for a brief time (less than a minute) when Forefront Security for Exchange Server initializes. It then shuts down and does not need to be running for Transport scanning to take place.

FSEMailPickup
FSEMailPickup delivers messages generated by Forefront Server Security, such as notifications, to Exchange for mail pickup. It also handles the delivery of messages from quarantine. If this service is disabled, no notifications are generated and items cannot be delivered from quarantine.


FSCRealtimeScanner
FSCRealtimeScanner provides immediate scanning of e-mail messages that are sent or received by the mailboxes and public folders resident on the Exchange server.

FSCTransportScanner
FSCTransportScanner ensures that all messages that pass through the Transport stack are scanned prior to delivery.

FSCStatisticsService
The FSCStatisticsService logs scanning statistics for all Forefront Security scan jobs. This information is then available for retrieval by the Microsoft Forefront Security Enterprise Manager.

Disabling the Forefront Security for Exchange Server services


The Forefront Security for Exchange Server services can be disabled using the Enable Forefront Security for Exchange Scan option in the General Options work pane.
To disable the Forefront Security for Exchange Server services
1. Open the Forefront Server Security Administrator.
2. In the SETTINGS section of the Shuttle Navigator, click General Options. The General Options work pane opens.
3. In the Enable Forefront Security for Exchange Scan field in the Scanning section, select Disable all.
4. Click Save.
5. Recycle Forefront Security services for the change to take effect. (For more information, see Recycling the Forefront Security for Exchange Server services.)
The Forefront Security for Exchange Server services can be enabled by following the same procedure and selecting one of the enabling choices. You can enable all the services, or choose between enabling Store scanning and Transport scanning. The choices in the Enable Forefront Security for Exchange Scan field are:
- Enable Store Scanning (Realtime, Manual)
- Enable Transport Scanning
- Enable all

Note: Forefront Security services must be recycled for the change to take effect.


Recycling the Forefront Security for Exchange Server services


The Service Control Manager is used to recycle the Forefront Security for Exchange Server services.
To recycle the services
1. Stop all Forefront Security for Exchange Server services. (For details, see Disabling the Forefront Security for Exchange Server services.)
2. Wait for all services to complete shutting down.
3. Use Task Manager to make sure that no Forefront Security for Exchange Server processes are still running.
4. Start all Forefront Security for Exchange Server services.
Warning: While the Forefront Security for Exchange Server services are unavailable, mail will continue to flow but will not be scanned for viruses.
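The following script is an added example and is not part of the FSE user guide. It performs the recycle procedure above from PowerShell: stop the FSE services, wait for them to finish shutting down, confirm that no FSE process survived (the Task Manager check), and start the services again. The service and process names are assumptions taken from the names this guide uses, and MSExchangeIS and MSExchangeTransport are assumed to be the Exchange 2007 service names; confirm all of them with Get-Service and Get-Process on your own server before relying on the script. Because the Exchange Transport and Information Store services depend on FSCController, they stop with it and are started again at the end, and mail flows unscanned for the whole interval.

```powershell
# Added example, not part of the FSE user guide. Service and process names are assumed
# from the names the guide uses; verify them with Get-Service / Get-Process first.
$FseServices      = 'FSCController', 'FSCMonitor', 'FSEIMC', 'FSEMailPickup', 'AdoNavSvc', 'FSCStatisticsService'
$FseProcesses     = 'FSCController', 'FSCMonitor', 'FSCRealtimeScanner', 'FSCTransportScanner'
$ExchangeServices = 'MSExchangeIS', 'MSExchangeTransport'   # assumed Exchange 2007 service names
$TimeoutSeconds   = 300

# Returns $true when every installed service in $Name reaches $State before the timeout.
function Wait-ServiceState {
    param([string[]]$Name, [string]$State, [int]$Timeout)
    $deadline = (Get-Date).AddSeconds($Timeout)
    do {
        $pending = Get-Service -Name $Name -ErrorAction SilentlyContinue |
                   Where-Object { $_.Status -ne $State }
        if (-not $pending) { return $true }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    return $false
}

# 1. Stop all FSE services. -Force also stops the services that depend on FSCController
#    (Exchange Transport and Information Store), exactly as the guide warns.
foreach ($name in $FseServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force -ErrorAction Stop }
}

# 2. Wait for all of them to complete shutting down.
if (-not (Wait-ServiceState -Name $FseServices -State 'Stopped' -Timeout $TimeoutSeconds)) {
    throw 'Timed out waiting for the FSE services to stop; investigate before starting them again.'
}

# 3. No FSE process may still be running (the guide's Task Manager check).
$leftover = Get-Process -Name $FseProcesses -ErrorAction SilentlyContinue
if ($leftover) {
    $names = ($leftover | ForEach-Object { $_.ProcessName }) -join ', '
    throw "FSE processes still running after shutdown: $names"
}

# 4. Start the services again. FSEIMC comes up as a dependency of the Transport service and
#    AdoNavSvc runs only on demand, so neither is started or waited for explicitly.
$startList = @('FSCController', 'FSCMonitor', 'FSEMailPickup', 'FSCStatisticsService') + $ExchangeServices
foreach ($name in $startList) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Running') { Start-Service -Name $name -ErrorAction Stop }
}
if (-not (Wait-ServiceState -Name $startList -State 'Running' -Timeout $TimeoutSeconds)) {
    throw 'Not all services reached Running; mail is flowing unscanned until FSCController is up.'
}

Get-Service -Name ($FseServices + $ExchangeServices) -ErrorAction SilentlyContinue |
    Format-Table Name, Status -AutoSize
```

The script throws rather than continuing when a stop times out or a scanner process is still alive, because starting FSCController over a half-stopped instance is the situation the Task Manager step exists to prevent.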

Securing the service from unauthorized use


The Forefront Security for Exchange Server service utilizes Distributed COM (DCOM) to launch and authenticate Forefront Server Security Administrator connections. You can build an access list of authorized users who can connect to the FSCController utilizing the Forefront Server Security Administrator.
To build an access list of authorized users
1. Open a Command Prompt window.
2. Type DCOMCNFG and press ENTER. The Component Services dialog box appears.
3. In the Console Root section, expand Component Services.
4. Expand Computers.
5. Expand My Computer.
6. Expand DCOM Config.
7. Right-click FSCController in the Applications list, and then select Properties. The FSCController Properties dialog box appears.
8. Click the Identity tab and configure your user accounts.
9. Click the Security tab and use the permissions lists to control which user accounts have rights to launch and activate the FSCController, access the FSCController, or change the DCOM configuration. This is where the default entry that permits Everyone access (see Post-installation security consideration) should be replaced with the specific administrator accounts or groups that need to connect.
10. Click OK to close the Properties dialog box.
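The following function is an added example and is not part of the FSE user guide. It serves both the post-installation security consideration (FSCController permits Everyone by default) and the DCOMCNFG procedure above: it reads the Launch/Activation and Access DACLs of the FSCController DCOM application through the Win32_DCOMApplicationSetting WMI class, decodes the COM rights bits, and flags any Allow entry for Everyone (SID S-1-1-0), so the result of the procedure can be audited from a script locally or on remote servers. The application is matched by its DCOM Config name "FSCController"; no AppID GUID is assumed.

```powershell
# Added example, not part of the FSE user guide. Audits the DCOM launch and access
# permissions of FSCController; run it after restricting them with DCOMCNFG.
function Get-FscControllerDcomAcl {
    param([string]$ComputerName = '.')

    $app = Get-WmiObject -ComputerName $ComputerName -Class Win32_DCOMApplication |
           Where-Object { $_.Name -eq 'FSCController' }
    if (-not $app) { throw "No DCOM application named FSCController is registered on $ComputerName." }

    $setting = Get-WmiObject -ComputerName $ComputerName -Class Win32_DCOMApplicationSetting |
               Where-Object { $_.AppID -eq $app.AppID }

    # COM_RIGHTS_* bits of a DCOM ACE. The same bit values mean launch/activation rights in
    # the launch descriptor and local/remote access rights in the access descriptor.
    $launchBits = @{ 1 = 'Execute'; 2 = 'LocalLaunch'; 4 = 'RemoteLaunch'; 8 = 'LocalActivation'; 16 = 'RemoteActivation' }
    $accessBits = @{ 1 = 'Execute'; 2 = 'LocalAccess'; 4 = 'RemoteAccess' }

    foreach ($kind in 'Launch', 'Access') {
        if ($kind -eq 'Launch') {
            $result = $setting.GetLaunchSecurityDescriptor(); $bits = $launchBits
        } else {
            $result = $setting.GetAccessSecurityDescriptor(); $bits = $accessBits
        }

        if ($result.ReturnValue -ne 0 -or -not $result.Descriptor) {
            # No application-specific descriptor: the machine-wide DCOM defaults apply.
            New-Object PSObject -Property @{ Permission = $kind; Trustee = '(machine-wide default)'; Type = ''; Rights = ''; Flag = '' }
            continue
        }

        foreach ($ace in $result.Descriptor.DACL) {
            $trustee = $ace.Trustee
            if ($trustee.Domain) { $name = '{0}\{1}' -f $trustee.Domain, $trustee.Name } else { $name = $trustee.Name }

            $rights = @()
            foreach ($bit in ($bits.Keys | Sort-Object)) {
                if ($ace.AccessMask -band $bit) { $rights += $bits[$bit] }
            }
            if ($ace.AceType -eq 0) { $type = 'Allow' } else { $type = 'Deny' }

            # Everyone is S-1-1-0: an Allow ACE for it is the default the guide says to remove.
            $flag = ''
            if ($type -eq 'Allow' -and $trustee.SIDString -eq 'S-1-1-0') { $flag = 'EVERYONE ALLOWED' }

            New-Object PSObject -Property @{
                Permission = $kind; Trustee = $name; Type = $type; Rights = ($rights -join ','); Flag = $flag
            }
        }
    }
}

Get-FscControllerDcomAcl | Format-Table Permission, Trustee, Type, Rights, Flag -AutoSize
```

Pass -ComputerName to run it against each Exchange server from the administrator workstation; any row carrying EVERYONE ALLOWED means the post-installation restriction has not been applied on that server.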


Forefront Server Security Administrator


The Forefront Server Security Administrator is used to configure and run Forefront Security for Exchange Server locally or remotely. For the Forefront Server Security Administrator to launch successfully, the FSCController and Microsoft Exchange Server must be running on the computer to which the Forefront Server Security Administrator is connecting. If you launch the Administrator and the Exchange server is not running, you will receive an error message. Because the Forefront Server Security Administrator is the front end of the Forefront Security for Exchange Server software, it can be launched and closed without affecting the back-end processes being performed by the Forefront Security for Exchange Server services. The Forefront Server Security Administrator may also be run in a read-only mode to provide access to users who do not have permission to change settings or run jobs, but who may need to view information provided through the user interface. Note: The Forefront Server Security Administrator should not be used to connect to previous versions of Microsoft Antigen for Exchange.

Enabling Forefront Server Security Administrator


Because of default security settings in Windows XP Service Pack 2 (SP2) and Windows Server 2003 SP2, before you can use Forefront Server Security Administrator on those operating systems, you must first enable the Administrator.
Important: Due to default security settings in Microsoft Windows XP Service Pack 2 (SP2) and Microsoft Windows Server 2003 SP2, the Forefront Server Security Administrator will not run properly when first installed.
To enable the Forefront Server Security Administrator to run on Microsoft Windows XP SP2
1. Click Start, click Run, and then enter dcomcnfg. The Component Services dialog box appears.
2. In the Component Services dialog box, expand Component Services, expand Computers, right-click My Computer and then click Properties.
3. On the COM Security tab, click Edit Limits under Access Permissions, and then select the Allow check box for Remote Access for the Anonymous Logon user.
4. Add the Forefront Server Security Administrator application to the Windows Firewall Exceptions list:
a. Open Control Panel, and then select Security Center.
b. Select Firewall Administrator. The Windows Firewall dialog box appears.
c. Select the Exceptions tab.
d. Click Add Program, select FSSAClient from the list, and then click OK. This adds the Forefront Server Security Administrator to the Programs and Services list.
e. In the Programs and Services list, select the FSSAClient.
f. Click Add Port, enter a name for the port, enter 135 as the port number, and then select TCP as the protocol.
g. Click OK.
Note: If you are concerned about opening port 135 to all computers, it can be opened only for the servers running Forefront Security for Exchange Server. When you add port 135, click Change Scope and select Custom list. Enter the IP addresses of all the Forefront servers that should be permitted access through port 135.
To enable the Forefront Server Security Administrator to run on Microsoft Windows Server 2003 SP2
1. Click Start, select Run, and enter dcomcnfg. The Component Services dialog box appears.
2. In the Console Root, expand Component Services.
3. Expand Computers.
4. Right-click My Computer.
5. Select Properties, and then select the COM Security tab.
6. Click Edit Limits under Access Permissions, and then add the Anonymous Logon account.
7. Select the Allow check box for Remote Access for the Anonymous Logon user.

Launching the Forefront Server Security Administrator


You can launch Forefront Server Security Administrator from either the Start menu or from a command prompt. To launch Forefront Server Security Administrator from the Start menu 1. Click Start. 2. Point to All Programs. 3. Point to the Microsoft Forefront Server Security folder. 4. Point to the Exchange Server folder. 5. Click Forefront Server Security Administrator.


To launch Forefront Server Security Administrator from a command prompt
1. Open a command prompt window.
2. Navigate to the Forefront Security for Exchange Server installation directory. Default: C:\Program Files(x86)\Microsoft Forefront Security\Exchange Server
3. Enter FSSAclient.exe and then press Enter.

Connecting to a local server


The first time the Forefront Server Security Administrator is launched, it prompts you to connect to the Exchange server running on the local computer. You can use the server name or local alias to connect to the local Exchange server.

Connecting to a remote server


The Forefront Server Security Administrator can be connected to a remote Exchange server running Forefront Security for Exchange Server. This enables an administrator to use one installation of the Forefront Server Security Administrator to configure and control Forefront Security for Exchange Server throughout the network. To connect to a remote server, when the Server prompt box appears, click the Browse button or enter the server name, IP address, or Domain Name System (DNS) name of the remote computer.
Notes:
- Due to enhanced security settings in Windows Server 2003 Service Pack 1 (SP1), DCOM settings may need to be updated when Forefront Security for Exchange Server is installed on a server running Windows Server 2003 SP1, to permit remote access. Remote administrators need to have privileges enabled for both remote launch and remote activation.
- Because Forefront Security for Exchange Server installs access control lists (ACLs) in the installation folder for both Administrator-only installations and the full product installation, a remote administrator must have access to the local installation folder and registry key, as well as access to the server to which it is connecting.
- If you are having problems connecting the Forefront Server Security Administrator to the Exchange server, try using the PING command to test for server availability. If the server is available, be sure that no other Forefront Server Security Administrator instances are currently connected to it.

Connecting to a different server


To connect to a different server, select the Open command from the Forefront Server Security Administrator File menu. The Connect to Server dialog box appears. Enter the name of another server running FSE, select one that you have connected to before from the drop-down list, or click Browse to attach to a server you have never before connected to. You can also use the Server list at the top of the Forefront Server Security Administrator dialog box to quickly reconnect to a server.

Running in read-only mode


The Forefront Server Security Administrator may be run in a read-only mode. To do so, the administrator needs to modify the NTFS file system permissions on the Forefront Security for Exchange Server database directory to enable Modify access only to those users with permission to change Forefront Security for Exchange Server settings. By default, the database directory is Program Files(x86)\Microsoft Forefront Security\Exchange Server\Data.
To ensure proper configuration
1. Launch Windows Explorer.
2. Navigate to the Microsoft Forefront Security\Exchange Server folder on the first server.
3. Right-click the folder and select Properties. The Properties page appears.
4. Click the Security tab.
5. Add a user or group that you want to have read-only access.
6. Clear everything under Allow, except Read and Execute.
7. Save and close the Properties pages.
8. Navigate to the Forefront Server Security registry key. This is found under HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server.
9. Right-click and select Permissions.
10. Add the user or group that you want to have read-only access.
11. Clear everything under Allow except Read (Special Permissions might remain selected as well).
12. Navigate to the Administrator registry key right under the Forefront Server Security key.
13. Right-click the key and select Permissions.
14. Add the user or group that you want to have read-only access.
15. Check Full Control.
16. Launch DCOM config by typing dcomcnfg from Start/Run. The Component Services dialog box appears.
17. In the Console Root section, expand Component Services.
18. Expand Computers.
19. Expand My Computer.
20. Expand DCOM Config.
21. Right-click DCOM Config and select Properties.
22. Click the Security tab.
23. Click the Edit button in the Launch and Activation Permissions section.
24. Add the user or group that you want to have read-only access.
25. Select all the Allow check boxes, and then click OK.
26. Click the Edit button in the Access Permissions section.
27. Add the user or group that you want to have read-only access.
28. Select all the Allow check boxes, and then click OK.
29. Save and close the Properties page.
When a user without modify access opens the UI, it does not permit any configuration changes.
Notes:
- The system account and Exchange service account must have full control of the Forefront Security for Exchange Server folder or Forefront Security for Exchange Server will not run properly.
- If you create a user that is part of the Administrators Group with read-only access rights to FSE, when that user logs on and tries to open the Forefront Server Security Administrator, the following error will occur: ERROR: Unable to connect to service. An error was returned. Location: CocreateInstanceEx. Error: Access is denied. This error is caused by a Windows Server 2003 SP1 security enhancement. To work around this problem, follow these steps:
a. Run DCOMCNFG from Start/Run. The Component Services dialog box appears.
b. Expand Component Services.
c. Expand Computers, My Computer, and DCOM Config.
d. Right-click FSCController, and then select Properties.
e. Click the Security tab, and then click Edit in Launch and Activation Permissions.
f. Add Domain Users, and click Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
g. Click OK for both open dialog boxes.
Note that this workaround lets every domain user launch and activate FSCController; it is the NTFS and registry permissions set above that then keep those users from changing settings.

Forefront Server Security Administrator user interface


The Forefront Server Security Administrator user interface contains the Shuttle Navigator on the left and the work panes on the right. The Shuttle Navigator is divided into several areas, each of which has icons that enable you to access various work panes:

SETTINGS: The SETTINGS area enables you to configure scan jobs, antivirus settings, scanner updates, templates, and General Options.
FILTERING: The FILTERING area enables you to configure content filtering, keyword filtering, file filtering, allowed senders lists, and filter lists.
OPERATE: The OPERATE area enables you to control virus scanning and filter options, schedule and run scan jobs, and perform quick scans.
REPORT: The REPORT area enables you to configure notifications, view and manage incidents, and view and manage quarantined files.

General Options
General Options, accessed from the SETTINGS section of the Shuttle Navigator, provides access to a variety of system-level settings for Forefront Security for Exchange Server. These options are stored in the registry. The General Options pane eliminates the need to directly access the registry when changing these settings. Note that the settings Enable Forefront Security for Exchange Scan, Transport Process Count, and Realtime Process Count require that the Forefront Security for Exchange Server services be restarted for the change to take effect.

Although there are many options that can be controlled through the General Options pane, each of them has a default (enabled, disabled, or a value) that is probably the correct one for your enterprise. It is rare that any of these settings would need to be changed. However, several of the settings were entered during installation, and you might need to change one of them from time to time.

To access the General Options pane, click General Options in the SETTINGS section of the Shuttle Navigator. The General Options pane opens. The General Options work pane is divided into several sections: Diagnostics, Logging, Scanner Updates, Scanning, and Background Scanning.

Diagnostics section
This table lists and describes the settings in the Diagnostics section of General Options.
Setting Description

Additional Transport
    Additional diagnostic messages are added to programlog.txt for Transport scanning. Disabled by default.

Additional Manual
    Additional diagnostic messages are added to programlog.txt for Manual scanning. Disabled by default.

Additional Realtime
    Additional diagnostic messages are added to programlog.txt for Realtime scanning. Disabled by default.

Notify on Startup
    Indicates that FSE should send a notification to all the e-mail addresses listed in the Virus Administrators list whenever the Internet scanner starts. Disabled by default.

Archive Transport Mail
    Enables administrators to archive inbound and outbound Edge Transport or Hub Transport e-mail in two folders (named In and Out) that are located in the Forefront Security for Exchange Server installation folder. Each message is given a file name that consists of the year, day, month, time, and a three-digit number. For example: 20022009102005020.eml. These options are provided to help administrators and Forefront Security for Exchange Server support engineers diagnose and isolate problems that users may be experiencing. The archiving options are:
    - No Archive (the default): No mail is archived.
    - Archive Before Scan: Messages are archived prior to scanning.
    - Archive After Scan: Messages are archived after scanning.
    - Archive Before and After Scan: Messages are archived before and after scanning.

Critical Notification List
    Indicates administrators and others who should be notified in the event that the Exchange store starts and Forefront Security for Exchange Server is not hooked in, or if the Forefront Security store shuts down abnormally. Multiple e-mail addresses are separated by semicolons. Example: admin@microsoft.com;admin2@microsoft.com.

Logging section
This table lists and describes the settings in the Logging section of General Options.
Setting Description

Enable Event Log
    Enables logging of FSE events to the event log. Enabled by default.

Enable Performance Monitor and Statistics
    Enables the logging of FSE performance statistics in the Performance snap-in. Enabled by default.

Enable Forefront Program Log
    Enables the Forefront program log (ProgramLog.txt). Enabled by default.

Enable Forefront Virus Log
    Enables the Forefront virus log (VirusLog.txt). Disabled by default.

Enable Incidents Logging - Transport
    Enables incident logging for the Transport Scan Job. Enabled by default.

Enable Incidents Logging - Realtime
    Enables incident logging for the Realtime Scan Job. Enabled by default.

Enable Incidents Logging - Manual
    Enables incident logging for the Manual Scan Job. Enabled by default.

Max Program Log Size
    Specifies the maximum size of the program log. Expressed in kilobytes (KB), the minimum size is 512 KB. A value of 0 (the default) indicates that there is no limit to the maximum size.

For more information about the log files and the Performance snap-in, see Reporting and statistics.

Scanner Updates section


This table lists and describes the settings in the Scanner Updates section of General Options.
Setting Description

Redistribution Server
    Indicates that this server is acting as the central hub to distribute scanner updates to other servers. Disabled by default. (For more information, see File scanner updating.)

Perform Updates at Startup
    Indicates that engines should be automatically updated every time FSE is started. Disabled by default.

Send Update Notification
    Indicates that a notification should be sent to the Virus Administrator each time a scan engine is updated. Disabled by default. (For more information about setting up notifications to administrators, see E-mail notifications.)

Use Proxy Settings
    Indicates that proxy settings are to be used when retrieving antivirus scanner updates. Disabled by default, unless you indicated, during installation, that proxy settings were to be used. (For more information, see "Updating the file scanner through a proxy" in File scanner updating.)

Use UNC Credentials
    Indicates that Universal Naming Convention (UNC) credentials are needed when retrieving antivirus scanner updates. Disabled by default. (For more information, see File scanner updating.) Credentials are not supported if you are using the Microsoft Forefront Server Security Management Console for redistribution. Therefore, be sure to clear this setting if you are using the Microsoft Forefront Server Security Management Console to manage antivirus engine updates.

Proxy Server Name/IP Address
    The name or IP address of the proxy server. Required if using proxy settings when retrieving antivirus scanner updates. If you indicated, during installation, that proxy settings were to be used, the value you entered then is used to populate this field.

Proxy Port
    Indicates the port number of the proxy server. Required if using proxy settings when retrieving antivirus scanner updates. The default is port 80. If you indicated, during installation, that proxy settings were to be used, the value you entered then is used to populate this field.

Proxy Username
    The name of a user with access rights to the proxy server, if necessary. Optional field.

Proxy Password
    The appropriate password for the proxy user name, if necessary. Optional field.

UNC Username
    The name of a user with access rights to the UNC path, if necessary. Optional field.

UNC Password
    The appropriate password for the UNC user name, if necessary. Optional field.

For more information about updating the scan engines, see File scanner updating.

Scanning section
This table lists and describes the settings in the Scanning section of General Options.
Setting Description

Body Scanning - Manual
    Enables message body scanning for the Manual Scan Job. Disabled by default.

Body Scanning - Realtime
    Enables message body scanning for the Realtime Scan Job. Disabled by default.

Delete Corrupted Compressed Files
    Specifies whether corrupted compressed files are deleted. A corrupted compressed file is an archive or compressed file type that does not conform to the standard of that type. These files usually have internal headers set incorrectly, or the file exceeds the size limit configured for FSE. When a corrupted compressed file is detected, FSE reports it as a CorruptedCompressedFile virus. This option is enabled by default.
    Quarantining of these files is determined by the individual scan job settings. By default, files identified as corrupted are quarantined. You can also create a new registry key setting named QuarantineCorruptedCompressedFiles to override quarantining for these file types. The DWORD setting must be created and its value set to 0.
    Note: In addition to CorruptedCompressedFile viruses, this setting also handles these file types:
    - UnwritableCompressedFile: A type of corrupted compressed file whose contents cannot be correctly modified (cleaned or deleted), or correctly inserted back into the archive by the scanners, due to the corrupt nature of the file.
    - UnReadableCompressedFile: A type of corrupted compressed file whose contents cannot be correctly read out of the archive due to the corrupt nature of the archive.

Delete Corrupted Uuencode Files
    Specifies whether corrupted UUENCODE files are deleted. Typically, a Uuencoded file that FSE is unable to parse is considered corrupted. FSE reports those as a CorruptedCompressedUuencodeFile virus. Enabled by default.

Delete Encrypted Compressed Files
    Specifies whether an encrypted compressed file with at least one encrypted item within its contents is deleted (encrypted files cannot be scanned by antivirus scan engines). FSE reports those as an EncryptedCompressedFile virus. Disabled by default.

Treat ZIP archives containing highly-compressed Files as corrupted compressed
    Specifies whether ZIP archives containing highly-compressed files are reported as corrupted compressed. If the archive is reported as corrupted compressed, and if the option Delete Corrupted Compressed Files is enabled, the archive is deleted. If Delete Corrupted Compressed Files is not enabled, the files in the ZIP archive are passed to the virus engines to be scanned, in their compressed form. The ZIP archive itself is also passed to the virus engines. If no threat is found, the message will be delivered. If a threat is found and can be cleaned, the message will be delivered. If a threat cannot be cleaned, the message will be deleted. If the file is compressed with an unknown algorithm, it is treated as corrupted compressed, regardless of the setting of this option. This option is enabled by default (that is, ZIP archives containing highly-compressed files are treated as corrupted compressed).

Treat multipart RAR archives as corrupted compressed
    A file within a RAR archive can be compressed across multiple files or parts (hence multipart), thereby enabling very large files to be broken into smaller files for ease of file transfer. This option specifies whether RAR archives containing such parts are reported as corrupted compressed. Disabling this option enables you to receive such files; however, in this case a virus may escape detection if it is split across multiple volumes. Therefore, this setting is enabled by default. If the archive is reported as corrupted compressed, and if the option Delete Corrupted Compressed Files is enabled, the archive is deleted. If Delete Corrupted Compressed Files is not enabled, only the RAR archive as a whole is passed to the virus engines to be scanned. If no threat is found when the archive is scanned, the message will be delivered. If a threat is found and can be cleaned, the message will be delivered. If a threat is found and cannot be cleaned, the message will be deleted.
    Note: If you are using multipart RAR to compress files that exceed 100 MB when uncompressed, you should be aware of the registry value MaxUncompressedFileSize. For more information, see Registry keys.

Treat concatenated gzips as corrupted compressed
    Multiple Gnu zip (gzip) files can be concatenated into a single file. Although FSE recognizes concatenated gzips, it may not recognize individual files split across concatenated gzips. Therefore, FSE treats concatenated gzips as corrupted compressed by default. In combination with the Delete Corrupted Compressed Files option, this default behavior prevents all concatenated gzips from passing through, thereby preventing potential infections. Disabling the Treat concatenated gzips as corrupted compressed option enables you to receive concatenated gzips; however, in this case a virus may escape detection.

Scan Doc Files As Containers - Manual
    Specifies that the Manual Scan Job should scan .doc files and any other files that use structured storage and the OLE embedded data format (for example, .xls, .ppt, or .shs) as container files. This ensures that any embedded files are scanned as potential virus carriers. This setting does not apply to Office 2007 (OpenXML) files; they are always scanned as containers. For more information about OpenXML files, see File types list. Disabled by default.

Scan Doc Files As Containers - Transport
    Specifies that the Transport Scan Job should scan .doc files and any other files that use structured storage and the OLE embedded data format (for example, .xls, .ppt, or .shs) as container files. This ensures that any embedded files are scanned as potential virus carriers. For more information about OpenXML files, see File types list. Disabled by default.

Scan Doc Files As Containers - Realtime
    Specifies that the Realtime Scan Job should scan .doc files and any other files that use structured storage and the OLE embedded data format (for example, .xls, .ppt, or .shs) as container files. This ensures that any embedded files are scanned as potential virus carriers. For more information about OpenXML files, see File types list. Disabled by default.

Case Sensitive Keyword Filtering
    Specifies that keyword filtering should be case-sensitive. Disabled by default (that is, filtering is not case-sensitive).

Fix Bare CR or LF in Mime Headers
    Specifies whether FSE should fix bare carriage returns and bare line feeds. This corrects a discrepancy between the MIME header parsing method used by Microsoft Outlook and Outlook Express and the RFC 822 specification on how "bare carriage return (CR)" (0x0d) and "bare line feed (LF)" (0x0a) are handled in MIME headers. Disabled by default. If enabled, it corrects out-of-compliance MIME messages to be compliant with the RFC 2822 specification, meaning that bare carriage returns and bare line feeds are replaced by a "CR-LF" combination.
    Messages with bare carriage returns or bare line feeds can be parsed differently by different e-mail clients. By design, FSE parses these messages in the same manner as Microsoft Outlook and Outlook Express. If this feature is enabled, FSE alters these messages to be compliant with the RFC 2822 specification and, as a result, all e-mail clients will parse them in the same manner. If this feature is disabled, e-mail clients other than Microsoft Outlook and Outlook Express may parse messages with bare carriage returns or bare line feeds differently than FSE. Because of this, a virus could avoid detection.
    To maximize system performance, this feature is disabled by default. If your organization uses e-mail clients that interpret messages with bare carriage returns or bare line feeds differently than Microsoft Outlook and Outlook Express, you should enable this feature for maximum security.

Optimize for Performance by Not Scanning Messages That Were Already Virus Scanned - Transport
    Configures Forefront Security for Exchange Server to skip scanning for messages that were previously scanned by any instance of Forefront Security for Exchange Server in any configuration. This applies to messages being received on Transport servers that have been scanned by Forefront Security for Exchange Server on another Transport server within the Exchange organization. Enabled by default.

Scan on Scanner Update
    Causes previously scanned files to be rescanned when accessed following a scanner update. This setting applies to messages stored on a Mailbox server or a Public Folder server. This setting provides heightened security protection by re-scanning messages that have already been scanned. Messages are rescanned the first time a mailbox server on-access event occurs and during every on-access event after the initial one if new virus signatures have been received since the last time the message was scanned. Disabled by default.
    Caution: When this option is enabled and an engine update occurs while a background scan is in progress, the background scan restarts at the mail that was being scanned. If updates continue to occur before the background scan finishes, the background scan continues to run indefinitely. It is therefore recommended that you do not schedule a background scan for a large dataset if this option is enabled.
    Important: When this option is enabled, the Mailbox server may experience increased virus scanning, which may impact server performance. Also, be aware that enabling this setting also automatically enables proactive scanning; for more information, see "About proactive scanning" in Realtime Scan Job.
    Note: Messages retrieved by Microsoft Outlook 2003 or Microsoft Outlook 2007 clients running in cache mode only generate an on-access event when they are originally synchronized to the client. They are not re-scanned on the server when the messages are accessed on the local client and retrieved from the cache. To re-scan these already retrieved messages, use the Enable Background Scan if 'Scan on Scanner Update' Enabled option in the Background Scanning section of General Options. If the background scan detects a virus in a message and cleans or purges the message, then the next time the Outlook client resynchronizes with the server, the already retrieved infected message will be cleaned or purged.

Perform Reverse DNS Lookups
    Provides the ability to enable reverse DNS lookups for inbound and outbound determination if the Internal Address list contains entries other than the domain name of the server. The inbound or outbound determination is used by keyword and file filtering. When selected (enabled), Forefront Security for Exchange Server uses reverse DNS lookup to get the domain name and make the inbound or outbound determination. If the option is cleared (disabled), Forefront Security for Exchange Server will use the information in the Received header as well as secure routing information from the Exchange Transport Agent to make the inbound or outbound determination. Disabled by default.

Purge Message if Message Body Deleted - Transport
    Some messages carry viruses in the body of the message file. When all or part of the message body is deleted to remove a virus, Forefront Security for Exchange Server inserts deletion text in its place. If administrators do not want e-mail users receiving cleaned messages that contain deletion text, they can use this setting to purge messages where all or part of the message body has been deleted by Forefront Security for Exchange Server and there are no attachments. Note that if a message contains both HTML and plain text and the HTML is deleted, the message will be purged if this option is selected. Disabled by default.

Enable Forefront Security for Exchange Scan
    Permits administrators to enable or disable all or selected Forefront Security for Exchange Server jobs. The options are Disable All, Enable Store Scanning (Realtime and Manual), Enable Transport Scanning, and Enable All (the default). After changing this setting, the Forefront Security for Exchange Server services must be recycled. (For more information about recycling the services, see "Recycling the Forefront Security for Exchange Server services" in Forefront Security for Exchange Server Services.)

Transport Process Count
    Used to change the number of FSCTransportScanning processes that are used by Forefront Security for Exchange Server. The default value is 4. You may create up to 10 Transport processes. After changing this setting, the Forefront Security and Exchange Server services must be recycled. (For more information about this setting, see Transport Scan Job.)

Realtime Process Count
    Used to change the number of real-time processes that are used by Forefront Security for Exchange Server. The default value is 4. You may create up to 10 real-time processes. After changing this setting, the Forefront Security and Exchange Server services must be recycled. (For more information about this setting, see Realtime Scan Job.)

Forefront Manual Priority
    Enables administrators to set the CPU priority of manual scans to Normal (the default), Below Normal, or Low, to permit more important jobs to take precedence over manual scans when demands on server resources are high.

Engine Error Action
    Enables administrators to set the action that Forefront Security for Exchange Server should take if a scan engine error occurs. (Examples include an engine exception, excessive read/write operations, a virus found without a virus name, multiple engine errors, and any other failure code returned by an engine.) The options are: Ignore, which logs the error to the program log; Skip: detect only, which logs the error to the program log and displays an EngineError entry with the state Detected in the UI; and Delete, which logs the error to the program log, deletes the file that caused the error, and displays an EngineError entry with the state Removed in the UI. The file that caused the engine error is always quarantined. The default value is Delete.

Illegal MIME Header Action
    If Forefront Security for Exchange Server encounters an illegal MIME header during a scan, it can be set to Purge: eliminate message (the default) or to Ignore the message. Illegal MIME headers are messages where the Content-Disposition or Content-Type header is longer than it is supposed to be. Identified messages are quarantined by default. If you do not want identified messages to be quarantined, create a new registry DWORD value named DisableQuarantineForIllegalMimeHeader and set it to 1 to override quarantining.

Transport Scan Timeout Action

Indicates what to do in the event that the Transport Scan Job times out while scanning a file. The options are Ignore, Skip: detect only, and Delete. The Ignore setting lets the file pass without being scanned. The Skip setting reports in the Incidents log and the program log that the file exceeded the scan time and lets it pass without being scanned. The Delete setting also reports the event and replaces the contents of the file with the deletion text. A copy of the file is stored in the Quarantine database if quarantining is enabled and the Transport Scan Timeout Action is set to either Skip or Delete. The default value is Delete. Indicates what to do in the event that the Realtime Scan Job times out while scanning a file. The options are Ignore, Skip: detect only, and Delete. The Ignore setting lets the file pass without being scanned. The Skip setting reports in the Incidents log and program log that the file exceeded the scan time and lets it pass without being scanned. The Delete setting also reports the event and replaces the contents of the file with the deletion text. A copy of the file is stored in the Quarantine database if quarantining is enabled and the Realtime Scan Timeout Action is set to either Skip or Delete. The default value is Delete. Forefront Security for Exchange Server performs two different quarantine operations: quarantining of entire messages or quarantining of attachments only. Entire messages are quarantined only for content filters and file filters that are set to Purge when quarantine is enabled. The choices are: Quarantine as Single EML File (the default) the quarantined message and all attachments are quarantined in an EML file format. Quarantine Message Body and Attachments Separately - messages are quarantined as 51

Realtime Scan Timeout Action

Quarantine Messages

Setting

Description

separate pieces (bodies and attachments). For a complete description of this setting, see Quarantine. Note that these settings do not apply to files that are quarantined due to virus scanning. Only infected attachments are quarantined when an infection is detected. Deliver From Quarantine Security This value gives administrators flexibility for handling messages and attachments that are forwarded from quarantine. The options for this setting are Secure Mode and Compatibility Mode. Secure Mode forces all messages and attachments delivered from quarantine to be re-scanned for viruses and filter matches. This is the default setting. Compatibility Mode enables messages and attachments to be delivered from quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.) Forefront Security for Exchange Server identifies these messages by placing special tag text in the subject line of all messages that are delivered from quarantine.

(For more information about using this setting, see Reporting and statistics.) Transport Sender Information By default, Forefront Security for Exchange Server uses the MIME FROM header sender address for the Transport Scan Job. This setting enables administrators to use the MAIL FROM sender address from the SMTP protocol for the Transport Scan Job. When Use Transport Protocol Mail From is selected, the address in that field is used anywhere the sender address is used, for example, for sender or domain content filtering, notifications, or reporting in the Administrator. The options for this setting are: 52

Setting

Description

Use MIME From: Header (the default). Use Transport protocol MAIL FROM

Note that when MIME From is selected and a MIME Sender header is also present, the MIME Sender header information is used. Max Container File Infections Specifies the maximum number of infections permitted in a compressed file. If this is exceeded, the entire file is deleted and an incident is logged stating that an ExceedinglyInfected virus was found. A value of zero means that a single infection will cause the entire container to be deleted. In this case the logged incident has "Container Removed" appended to the filter match. The default value is 5 infections. Specifies the maximum container file size (in bytes) that FSE attempts to clean or repair in the event that it discovers an infected file. The default is 26 MB (26,214,400 bytes). Files larger than the maximum size are deleted if they are infected or meet file filter rules. Forefront Security for Exchange Server reports these deleted files as LargeInfectedContainerFile virus. Specifies the limit for the maximum nested documents that can appear in MSG, TNEF, MIME, and UUEncoded files. Note that for the Realtime Scan Job, a nested MSG file is not treated as a nested file with certain e-mail clients. If the maximum number is exceeded, FSE deletes the document and reports an ExceedinglyNested incident. The default value is 30. Specifies the maximum nested depth for a compressed file. If this is exceeded, the entire file is deleted and FSE sends a notification stating that an ExceedinglyNested virus was found. A value of zero represents that an infinite amount of nestings is permitted. The default is 53

Max Container File Size

Max Nested Attachments

Max Nested Compressed Files

Setting

Description

Max Container Scan Time (msec) - Realtime/Transport

Specifies the number of milliseconds that the Realtime Scan Job or the Transport Scan Job will scan a compressed attachment before reporting it as a ScanTimeExceeded virus. Intended to prevent denial of service risk from zip of death attacks. The default value is 120,000 milliseconds (two minutes).

Max Container Scan Time (msec) - Manual

Specifies the number of milliseconds that the Manual Scan Job will scan a compressed attachment before reporting it as a ScanTimeExceeded virus. Intended to prevent denial of service risk from zip of death attacks. The default value is 600,000 milliseconds (ten minutes).

Internal Address

Forefront Security for Exchange Server can be configured to send different notifications to internal and external senders and recipients. If your list of internal names is small, enter the domain names in the Internal Address field, to show who should be sent internal notifications. Domains should be entered as a semicolon delimited list (for example: microsoft.com;microsoft.net;company.com) with no spaces. Any change to this value is immediately reflected in virus notifications. When entering a domain name in the Internal Address field, be aware that its sub-domains are covered by the entry. For example: domain.com includes subdomain.domain.com and subdomain2.domain.com. Alternate domains such as domain.net or domain.org must be entered individually. Values entered in Internal Address are used as a substring match of the end of an e-mail address. For example, soft.com would consider someone@microsoft.com and someone@abcdef123soft.com to be internal addresses. Entries in the Internal Address field must be separated by semicolons (";") and there must be no spaces between the items.

If you have a large number of domains to be used as internal addresses, enter them in an external file called Domains.dat, and leave the Internal Address field blank. Domains.dat was created, as an empty file in the DatabasePath directory, during installation. It is a text file, into which you enter all your internal domains, each on a separate line. Unlike the Internal Address field, all sub-domains must be entered individually. In order to use the external Domains.dat file, you must change the value of the UseDomainsDat registry key to 1 (its default value is 0). For more about this key, see Registry keys.

Note: The Domains.dat file is reloaded at 02:00 (2:00 A.M.) each day. This is when any changes you make to the file take effect.

(For more information about internal addresses and notifications, see E-mail notifications.)

Transport External Hosts

If you are using an Edge Transport or Hub Transport to route e-mail into your Exchange environment, you may enter the IP address of the edge transport server so that Forefront Security for Exchange Server will treat all mail coming from that server as inbound when determining which filters and scan jobs to utilize for a message. If you do not enter the IP address of your Edge Transport or Hub Transport, Forefront Security for Exchange Server will use its internal logic to determine if messages are inbound or not. IP addresses should be entered as a semicolon delimited list with no spaces.
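To make the two matching rules above concrete, the following added Python example (not code from Forefront Security for Exchange Server, whose matching implementation is not published) models the Internal Address suffix match and the exact-match Domains.dat lookup on constructed sample addresses, and adds a configuration check that flags entries which match without a domain boundary, such as the soft.com case described above.

```python
"""Model of the Internal Address matching described in the General Options
table: the Internal Address field is a semicolon-delimited list whose entries
are matched as a substring at the END of an e-mail address, while Domains.dat
lists one domain per line and sub-domains must be listed individually.

Added illustration only; the product's own matching code is not published,
so just the behaviour stated in the guide is modelled here."""

from typing import Iterable, List, Tuple


def parse_internal_address_field(field: str) -> List[str]:
    """Split the semicolon-delimited Internal Address value.

    The guide requires no spaces between items; a value containing spaces is
    rejected so that a misconfiguration is caught instead of silently producing
    entries that never match.
    """
    if " " in field:
        raise ValueError("Internal Address must not contain spaces")
    return [entry.lower() for entry in field.split(";") if entry]


def is_internal_by_field(address: str, entries: Iterable[str]) -> bool:
    """Internal Address semantics: an entry matches if it is a suffix of the
    address, so 'domain.com' also covers 'sub.domain.com' and, as the guide
    warns, 'soft.com' covers 'abcdef123soft.com'."""
    addr = address.lower()
    return any(addr.endswith(entry) for entry in entries)


def is_internal_by_domains_dat(address: str, lines: Iterable[str]) -> bool:
    """Domains.dat semantics: exact match on the domain part of the address,
    so each sub-domain has to appear on its own line to be internal."""
    domain = address.lower().rsplit("@", 1)[-1]
    domains = {line.strip().lower() for line in lines if line.strip()}
    return domain in domains


def over_broad_matches(addresses: Iterable[str],
                       entries: Iterable[str]) -> List[Tuple[str, str]]:
    """Configuration check: report (address, entry) pairs where the entry
    matched only as the tail of a longer label, i.e. the character just before
    the match is neither '@' nor '.'. Such senders would be classed as internal
    (and get internal notifications) although they belong to another domain."""
    findings = []
    for address in addresses:
        addr = address.lower()
        for entry in entries:
            if addr.endswith(entry) and len(addr) > len(entry):
                boundary = addr[-len(entry) - 1]
                if boundary not in "@.":
                    findings.append((address, entry))
    return findings


# Constructed sample configuration and sender addresses (not from the guide,
# apart from the soft.com pitfall, which the guide itself describes).
SAMPLE_FIELD = "contoso.com;contoso.net;soft.com"
SAMPLE_DOMAINS_DAT = ["contoso.com", "mail.contoso.com", "", "contoso.net"]
SAMPLE_SENDERS = [
    "alice@contoso.com",
    "bob@mail.contoso.com",
    "carol@abcdef123soft.com",
    "dave@fabrikam.com",
]

if __name__ == "__main__":
    field_entries = parse_internal_address_field(SAMPLE_FIELD)
    for sender in SAMPLE_SENDERS:
        print(sender,
              "field:", is_internal_by_field(sender, field_entries),
              "Domains.dat:", is_internal_by_domains_dat(sender, SAMPLE_DOMAINS_DAT))
    for address, entry in over_broad_matches(SAMPLE_SENDERS, field_entries):
        print(f"warning: {address} matched '{entry}' without a domain boundary")
```

Running the check over the addresses seen in the notification log before enabling internal notifications shows which Internal Address entries need to be tightened or moved to Domains.dat.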

Background Scanning section


This table lists and describes the settings in the Background Scanning section of General Options.

Setting Description

Enable Background Scan if 'Scan On Scanner Update' Enabled

Indicates that FSE should initiate a background scan every time a scan engine is updated if the General Option setting Scan on Scanner Update is enabled. Enabled by default.

Scan Only Messages With Attachments

Indicates that the background scan job should only scan messages that include attachments. Enabled by default.

Scan Only Unscanned Messages

Indicates that the background scan job should only scan messages that have not already been scanned. Disabled by default.

Scan Messages Received Within The Last <x> Days

Places limits on background scanning by enabling administrators to configure Forefront Security for Exchange Server to scan messages based on their age. The options are: Anytime, 4 hours, 6 hours, 8 hours, 12 hours, 18 hours, 1 Day, 2 Days (the default), 3 Days, 4 Days, 5 Days, 6 Days, 7 Days, and 30 Days. Please use caution when setting this option. If the message arrival rate at the mailbox server is very high and too long a scan back period is selected, background scanning may run continuously, which can have a negative impact on server performance. The selected scan back time should be set based on an understanding of a specific threat or to generally cover the always-present protection gap between when malware may have been released into the wild and the availability of protection signatures. If background scanning is scheduled to run on a daily basis (see Background scanning and on-access scanning), the recommended setting is to scan the previous two days' worth of mail. However, the time should be set based on both security and performance considerations.

Central management
Centralized management of Forefront Security for Exchange Server is handled by the Microsoft Forefront Server Security Management Console (FSSMC). FSSMC enables administrators to:

Install or uninstall FSE on local and remote servers.
Update all or individual scan engines on local and remote servers.
Run a manual scan on multiple servers simultaneously.
Check FSE, scan engine, and virus definition versions on multiple servers.
Deploy FSE template files.
Retrieve virus logs from multiple servers.
Retrieve quarantined files.
Retrieve the ProgramLog.txt file from single or multiple servers.
Retrieve virus incident information.
Deploy General Options settings.
Deploy Filter List templates.
Generate HTML reports.
Send outbreak alerts.

For detailed instructions about using FSSMC, refer to the "Microsoft Forefront Server Security Management Console User Guide".

Multiple scan engines


Forefront Security for Exchange Server (FSE) provides you with the ability to employ multiple scan engines (up to five) to detect and clean viruses. Multiple engines provide extra security by enabling you to draw upon the expertise of various virus labs to keep your environments virus-free. A virus may slip by one engine, but it is unlikely to get past three. Multiple engines also permit a variety of scanning methods. Forefront Security for Exchange Server integrates antivirus scan engines that use heuristic scanning methods with ones that use signatures. For more information about individual scan engines, visit each engine vendor's Web site. Links are provided at Microsoft Help and Support.

All the scan engines that FSE integrates have been certified by at least one of the following organizations: West Coast Labs, ICSA Labs, or Virus Bulletin. Multiple engines are easy to configure. You can select only the engines you would like to use for a scan job, and then indicate the bias setting. These two settings (both on the Antivirus Settings pane) enable the FSE Multiple Engine Manager (MEM) to properly control the selected engines during the scan job. MEM uses the engine results to decide the likelihood that a particular message or file contains a virus. If any of the engines used in a scan detect something, FSE considers the item infected and has the MEM deal with it accordingly.

About engine rankings


MEM uses the results from each engine as part of its engine ranking process. MEM ranks each engine based on its past performance and its age. This information enables MEM to weight each engine so that better-performing ones are used more during scanning and their results are given more weight in determining if a file is infected. This ensures that the most up-to-date and best-performing engines have more influence in the scanning process. If two or more engines are equally ranked, FSE invokes them by cycling through various engine order permutations.

Setting the bias


The bias setting controls how each of the selected engines should be used in order to provide you with an acceptable probability that your system is protected. There is a trade-off between increasing the probability of catching a virus and maximizing your system performance. The more engines you use, the greater the probability that all viruses will be caught. However, the more engines you use, the greater the impact on your system's performance. You can have a different bias setting on different servers, depending on your needs. For example, you might want to use only a single engine on your mailbox server, to maximize its system performance. Then, you can use several engines on your Edge or Hub transport servers.

Note: The bias setting only applies to virus scanning. It is not used in filtering. You must select the policy for each scan (realtime, transport, manual, and quick scan) you configure; it is not global.


About bias settings


There are several possible bias settings. Each scan (other than one with a bias setting of Favor Certainty or Maximum Certainty) independently selects the engines to use.

Bias setting Description

Maximum Performance

FSE heuristically chooses only one engine from the selected engines, based on recent results. (Results are determined by when the engine or its definitions were last updated, and whether the engine recently incurred any errors.) This option increases system performance but is not the optimal setting for catching viruses since only one engine is used.

Favor Performance

FSE fluctuates between heuristically choosing only one engine from the selected engines and approximately half of the selected engines, based on recent results. (Results are determined by when the engine or its definitions were last updated, and whether the engine recently incurred any errors.) Performance is dependent on the number of engines being used, but in general this setting favors system performance.

Neutral

FSE heuristically chooses from the selected engines, based on recent results. (Results are determined by when the engine or its definitions were last updated, and whether the engine recently incurred any errors.) On average, half of the selected engines are used in scanning any single object, so this setting does not favor system performance over virus catching (and vice versa).

Favor Certainty

Scans with all selected engines that are available. Scans continue with the available engines when one of the selected engines is being updated. Depending on the number of engines that you have selected for each scan job, this option generally increases the probability of virus catching but not at the expense of delays in mail flow. This is the default value.

Maximum Certainty

Scans each item with all of the selected engines. Queues scanning if any selected engine becomes busy, such as during engine updates. Depending on the number of engines that you have selected for each scan job, this option generally increases the probability of virus catching at the expense of system performance.

Assuming you select five engines (the maximum you can use), the following table shows how each of the bias settings uses the engines in virus scanning.

Bias setting Description

Maximum Performance

Each item is virus-scanned by only one of the selected engines.

Favor Performance

Fluctuates between virus scanning each item with one and three engines.

Neutral

Each item is virus-scanned on average by three engines.

Favor Certainty

Fluctuates between virus scanning each item with three and five engines.

Maximum Certainty

Each item is virus-scanned by all five of the selected engines.

Configuring the bias setting


The bias setting is indicated on the Antivirus Settings work pane.

To indicate the bias setting

1. In the SETTINGS section of the Shuttle Navigator, select Antivirus. The Antivirus Settings pane appears.

2. From the Job List in the top pane of the Antivirus Settings pane, select a scan job.

3. In the Bias field in the lower pane, indicate the bias setting. (The values are those discussed in About bias settings.) To find out more about the other fields on the Antivirus Settings work pane, see Transport Scan Job, Manual Scan Job, or Realtime Scan Job.

4. Click Save.


Manual Scan Job


Forefront Security for Exchange Server enables you to customize the Manual Scan Job to scan mailboxes that are not covered by the Realtime Scan Job or that contain messages that predate the installation of Forefront Security for Exchange Server. The Manual Scan Job is also useful for scanning with a third-party engine that is different from those being used by the Realtime Scan Job. It is recommended that you run a full manual scan after installing Forefront Security for Exchange Server for the first time.

Note: The Manual Scan Job can be configured to scan message bodies as well as attachments. This feature is disabled by default upon installation, but can be enabled by selecting Body Scanning - Manual in the General Options work pane. Message body scanning increases the time required to perform a manual scan of a server.

Configuring the Manual Scan Job


When you configure the Manual Scan Job settings, select the mailboxes and public folders to be protected, and optionally specify Deletion Text.

To select the mailboxes and set the deletion text

1. In the SETTINGS section of the Shuttle Navigator, select Scan Job. The Scan Job Settings work pane appears.

2. In the top portion of the Scan Job Settings work pane (which contains a list of configurable scan jobs), select the Manual Scan Job.

3. In the Scan portion of the work pane, select the mailboxes and public folders to be protected. For more information, see About mailboxes and public folders.

4. Optionally, you can specify Deletion Text, which is used to replace the contents of an infected file during a delete operation. The default deletion text informs you that an infected file was removed, along with the name of the file and the name of the virus found. To create your own custom message, click Deletion Text.

Note: FSE provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. For more information about this feature, see Keyword substitution macros.

5. Click Save to save your scan job configuration.

Configuring antivirus settings


There are various settings that you can adjust for the Manual Scan Job. These include file scanner selection, bias, action, notifications, and quarantining.

To configure antivirus settings

1. In the SETTINGS section of the Shuttle Navigator, click the Antivirus icon. The Antivirus Settings work pane appears.

2. From the list in the top pane, select the Manual Scan Job. The current settings are displayed in the bottom half of the work pane.

3. From the list of available third-party scanners in the File Scanners section, choose the file scanning engines to use. To disable virus scanning while retaining the ability to run File Filtering and Content Filtering, clear the Virus Scanning check box in the Run Job work pane of the OPERATE section of the Shuttle Navigator for the Manual Scan Job.

4. In the Bias field, select the bias to control how many engines should be used to provide you with an acceptable probability that your system is protected. For more information, see Multiple scan engines.

5. In the Action field, choose the action that you want Forefront Security for Exchange Server to perform when a virus is detected. The action choices are:

Skip: detect only

Make no attempt to clean or delete. Viruses are reported, but the files remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.

Clean: repair attachment

Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the Deletion Text.

Delete: remove infection

Delete the attachment without attempting to clean it. The detected attachment is removed from the message and the Deletion Text is inserted in its place.

6. Enable e-mail notifications by selecting Send Notifications. This setting does not affect reporting to the Incidents log. In addition, you must also configure the notifications (see E-mail notifications). Notifications are disabled by default.

7. Enable or disable the saving of attachments detected by the file scanning engine by selecting or clearing Quarantine files. Quarantining is enabled by default. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.

8. Click Save to save your antivirus settings.

Editing the Manual Scan Job


Select the Manual Scan Job in the Scan Job Settings work pane. The changes that are made to the lower portion of the Scan Job Settings work pane apply to the scan job currently selected in the job list. Making any change to the configuration activates the Save and Cancel buttons. If you make a change to a scan job and try moving to another scan job or shuttle icon without saving it, you are prompted to save your changes.

Running the Manual Scan Job


After the scan job and antivirus settings have been properly configured, you can run the Manual Scan Job.

To run the Manual Scan Job

1. Click OPERATE in the Shuttle Navigator, and then click the Run Job icon. The Run Job work pane appears.

2. In the top portion of the pane, select the Manual Scan Job.

3. Specify the scope of the Manual Scan Job by selecting or clearing the following options: Virus Scanning, File Filtering, or Content Filtering; the Manual Scan Job can perform any combination. Any change to these settings takes effect immediately, even if the job is currently running.

4. To send a notification to the Virus Administrator when the scan job has completed, select Send Summary Notification.

5. Click Start to begin the Manual Scan Job. There are also buttons to Pause and Stop the job.

Checking results and status


The lower portion of the Run Job work pane shows the infections or filtered results found by the Manual Scan Job. These results are stored to disk in the virus log file by the FSCController and are not dependent on the Forefront Server Security Administrator remaining open. The virus log file can be cleared when no longer needed by using the Clear Log button. This does not affect the Incidents log. A subset of the results can also be deleted by highlighting entries in the Folder column (use the mouse or SPACEBAR in combination with the SHIFT or CTRL key). When the desired subset is selected, pressing the DELETE key will remove the subset from the virus log file.


Note: If a large number of entries is selected, the deletion process may potentially take a long time. In this case, a message box appears to ask you to confirm the deletion.

Use the Export button to save the results in formatted text or delimited text formats. At the bottom of the screen, the status of the selected job and the mailbox, folder, or file currently being scanned are reported.

Forefront Security for Exchange Server sends an e-mail message to the designated Virus Administrators after the completion of a manual scan if the Send Summary Notification box on the Manual Scan work pane is selected. This e-mail message includes:

Total Mailboxes Scanned
Total Physical Attachments Scanned
Total Physical Attachments Detected
Total Physical Attachments Cleaned
Total Physical Attachments Deleted
Total Logical Attachments Scanned
Total Logical Attachments Detected
Total Logical Attachments Cleaned
Total Logical Attachments Deleted

Scheduling the Manual Scan Job


To schedule the Manual Scan Job, click OPERATE in the Shuttle Navigator, and then click the Schedule Job icon. The Schedule Job work pane appears. The top portion of the Schedule Job work pane shows the Manual Scan Job and indicates whether it is enabled or disabled. Select the Manual Scan Job on the top. The bottom of the pane shows the scheduling information for the job.

To schedule the Manual Scan Job

1. Use the calendar in the Date section to set the date when the Manual Scan Job will activate. The red circle indicates today's date. The date you set is highlighted in blue.

2. Set the run time using the Time edit field to the right of the calendar.

3. Indicate the Frequency of the scheduled job: run it Daily, Weekly, Monthly, or only Once.

4. If the job is disabled, click Enable to enable it.

5. Click Save.


Performing a Quick Scan


There are times when you may want to perform a scan of a single mailbox or another one-time virus scanning job. Quick Scan enables you to perform this task efficiently by combining both the configuration and operation features of a single Manual Scan Job in one work pane. Quick Scan initially has the following default configuration: all mailboxes and public folders, the scan engines selected during installation, a bias of Favor Certainty, an action of Skip: detect only, notifications disabled, and quarantining enabled. You can make changes to any of these settings and FSE will preserve them for the next time you run a Quick Scan.

To perform a Quick Scan

1. Click OPERATE in the Shuttle Navigator, and then click the Quick Scan icon. The Quick Scan work pane appears. Your last Quick Scan configuration is displayed.

2. To run the Quick Scan with the same configuration, click Start. Otherwise, make changes as necessary.

a. Select the mailboxes and public folders to be scanned. For more information about the choices, see About mailboxes and public folders.

b. Select the File Scanners to use from the list of available third-party scanners.

c. Select the Bias to control how many engines should be used to provide you with an acceptable probability that your system is protected. For more information, see Multiple scan engines.

d. Select the Action for FSE to perform if a virus is detected. The choices are:

Skip: detect only

Make no attempt to clean or delete. Viruses are reported, but the files remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.

Clean: repair attachment

Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the Deletion Text.

Delete: remove infection

Delete the attachment without attempting to clean it. The detected attachment is removed from the message and the Deletion Text is inserted in its place.

e. Indicate whether to Send Notifications. The setting does not affect reporting to the Incidents log. In addition, you must also configure the notifications (see E-mail notifications). Notifications are disabled by default.

f. Indicate whether to Quarantine Files. Quarantining, enabled by default, causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.

g. Click Start.

Checking results and status


At the bottom of the screen, the status of the Quick Scan and the mailbox, folder, or file currently being scanned are reported.

About mailboxes and public folders


Forefront Security for Exchange Server offers flexibility in choosing what mailboxes, public folders, and items to scan in any specified scan job. You can configure scan jobs to include all existing and new mailboxes and public folders, or you can build an inclusion list from available mailboxes and public folders.

Note: Mailboxes and public folders with names that are made up entirely of backslashes (\) will not be scanned if Forefront Security for Exchange Server is configured for Selected scanning. If FSE is set to scan all mailboxes or public folders, those that use backslashes or other special characters will be scanned.

In the Scan portion of the Scan Job Settings work pane, mailboxes and public folders each have three selection options:

All

Scan all existing and newly-created mailboxes or public folders.

None

Do not scan any mailboxes or public folders.

Selected

Scan specific mailboxes or public folders.

When you choose Selected, the icon underneath the options becomes active. Click this icon to see a listing of mailboxes or public folders on the server. You can choose each mailbox or public folder to be scanned by clicking its name. You can use the accompanying buttons to select All or None of the mailboxes or public folders. The +/- button inverts the current selection.

Notes:

Choosing all mailboxes or public folders in the selection pane is not the same as choosing the All option in the previous pane. An inclusion list is built from the selections made here. New mailboxes or public folders that are added after making this selection will not automatically be included.

To return to the main scan selection pane, click the arrow in the upper right corner of the mailbox or public folder selection pane.

Scanning files by type


By default, Forefront Security for Exchange Server is configured to scan all attachments for viruses. To perform scans as quickly and efficiently as possible, however, Forefront Security for Exchange Server can be configured to only scan file attachments that are more likely to contain viruses. It does this by first determining the file type and then by determining whether that file type can be infected with a virus. Determining the file type is accomplished by looking at the file header and not by looking at the file extension. This is a much more secure method because file extensions can be easily spoofed. This check increases Forefront Security for Exchange Server performance while making sure that no potentially infected file attachments pass without being scanned. If you would like Forefront Security for Exchange Server to bypass scanning for file types that are not commonly known to be capable of carrying a virus, set the registry key ScanAllAttachments to 0. (ScanAllAttachments is a "silent" key, that is, if it is not present, its value defaults to 1.)

Realtime Scan Job


The Forefront Security for Exchange Server Realtime Scan Job runs on the Exchange server to provide immediate scanning of e-mail messages that are sent or received by the mailboxes and public folders resident on the server. This method of scanning e-mail messages in real time is the most effective method for stopping the spread of infectious file attachments. The Realtime Scan Job can be configured to scan message bodies as well as attachments. This feature is disabled by default upon installation, but can be enabled by selecting Body Scanning - Realtime in the General Options work pane. Message body scanning increases the time required to scan messages.

About multiple Realtime processes


During installation, four Realtime Scan Jobs (processes) are created for the Mailbox server. You can create additional Realtime Scan Jobs by changing the value of the General Options setting Realtime Process Count to represent the number of scanning processes you want running per Mailbox server. The maximum is ten.

When multiple realtime processes are running, the first process scans the file unless it is busy; in which case, the file is delivered to the second process for scanning. If the second process is busy and a third is enabled, the third process scans the file. Whenever possible, FSE delivers files to the first process if it is available. Multiple processes increase the load on the server at startup, when the processes are being loaded, and whenever they are called upon to scan a file. More than the default number of processes should not be necessary, except in high-volume environments. Because increasing the number of processes consumes additional server resources, it is best to increase them one at a time, and evaluate the performance at each step.

It is recommended that the number of realtime processes should be set to twice the number of effective processors on the server. For example, a two-processor server or a single processor dual core server should have the Realtime Process Count set to the default value of 4. If the server contains two processors each of which is dual core, the recommended setting is 8.

To change the number of realtime processes

1. In the Forefront Server Security Administrator, in the Shuttle Navigator, select Settings, and then select General Options.

2. In the Scanning area, choose a suitable value in the Realtime Process Count dropdown box. The maximum value that you can use is 10.

3. Click Save.

4. Exit the Forefront Server Security Administrator.

5. Under Administrative Tools, click Services to open the Service Control Manager, and then restart the Forefront Security for Exchange Server services.

Configuring the Realtime Scan Job


When you configure the Realtime Scan Job settings, select the mailboxes and public folders to be protected, and optionally specify Deletion Text.


To select the mailboxes and set the deletion text

1. From the SETTINGS section of the Shuttle Navigator, select Scan Job. The Scan Job Settings work pane appears.

2. In the top portion of the work pane (which contains a list of configurable scan jobs), select the Realtime Scan Job.

3. In the Scan portion of the work pane, select the mailboxes and public folders to be protected. For more information, see About mailboxes and public folders.

4. Optionally, you can specify Deletion Text, which is used to replace the contents of an infected file during a delete operation. The default deletion text informs you that an infected file was removed, along with the name of the file and the name of the virus found. To create your own custom message, click Deletion Text.

Note: FSE provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. For more information about this feature, see Keyword substitution macros.

5. Click Save to save your scan job configuration.

Configuring antivirus settings


There are various settings that you can adjust for the Realtime Scan Job. These include file scanner selection, bias, action, notifications, and quarantining.

To configure antivirus settings

1. In the SETTINGS section of the Shuttle Navigator, click the Antivirus icon. The Antivirus Settings work pane appears.

2. In the list in the top pane, select the Realtime Scan Job. The current settings are displayed in the bottom half of the work pane.

3. In the list of available third-party scanners in the File Scanners section, choose the file scanning engines. To disable virus scanning while retaining the ability to run File Filtering and Content Filtering, clear the Virus Scanning check box in the Run Job work pane of the OPERATE section of the Shuttle Navigator for the Realtime Scan Job.

4. In the Bias field, select the bias to control how many engines should be used to provide you with an acceptable probability that your system is protected. For more information, see Multiple scan engines.

5. In the Action field, select the action that you want Forefront Security for Exchange Server to perform when a virus is detected. The action choices are:

Skip: detect only

Make no attempt to clean or delete. Viruses are reported, but the files remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.

Clean: repair attachment

Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the Deletion Text.

Delete: remove infection

Delete the attachment without attempting to clean it. The detected attachment is removed from the message and the Deletion Text is inserted in its place.

6. Enable e-mail notifications by selecting Send Notifications. This setting does not affect reporting to the Incidents log. In addition, you must also configure the notifications (see E-mail notifications). Notifications are disabled by default.

7. Enable or disable the saving of attachments detected by the file scanning engine by selecting or clearing Quarantine files. Quarantining is enabled by default. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.

8. Click Save to save your antivirus settings.

Note: The Realtime Scan Job settings are also used by Background Scanning.

Editing the Realtime Scan Job


Select the Realtime Scan Job in the Scan Job Settings work pane. The changes that are made to the lower portion of the Scan Job Settings work pane apply to the scan job currently selected in the job list. Making any change to the configuration activates the Save and Cancel buttons. If you make a change to a scan job and try moving to another scan job or shuttle icon without saving it, you are prompted to save your changes.

Controlling the Realtime Scan Job


To control the Realtime Scan Job, click OPERATE in the Shuttle Navigator, and then click the Run Job icon. The Run Job work pane appears. Select the Realtime Scan Job in the list at the top of the Run Job work pane. The bottom portion of the Run Job work pane shows the status and results of the currently selected scan job.

Enabling and disabling the Realtime Scan Job


With the Realtime Scan Job selected, the Enable and Bypass buttons control the operation of the job.

Selecting virus scans, file filtering, and content filtering


The Realtime Scan Job can scan for viruses, perform file filtering or content filtering, or a combination of the three tasks. Use the Virus Scanning, File Filtering, and Content Filtering check boxes to make the appropriate selections. Any change to these settings will be performed immediately, even if the job is currently running.

Checking results and status


The lower window shows the infections or filtered results found by the Realtime Scan Job. These results are stored to disk in the virus log file by the FSCController and are not dependent on the Forefront Server Security Administrator remaining open. The virus log file can be cleared when no longer needed by using the Clear Log button. This does not affect the Incidents log. A subset of the results can also be deleted by selecting entries in the Folder column (use the mouse or SPACEBAR in combination with the SHIFT or CTRL key). When the desired subset is selected, pressing the DELETE key will remove the subset from the virus log file.

Note: If a large number of entries are selected, the deletion process may potentially take a long time. In this case, a message box appears, to ask you to confirm the deletion.

Use the Export button to save the results in formatted text or delimited text format. At the bottom of the screen, the status of the selected job and the mailbox, folder, or file currently being scanned are reported.

About mailboxes and public folders


Forefront Security for Exchange Server offers flexibility in choosing what mailboxes, public folders, and items to scan with the Realtime Scan Job. You can configure the scan to include all existing and new mailboxes and public folders, or you can build an inclusion list from available mailboxes and public folders.


Note: Mailboxes and public folders with names that are made up entirely of backslashes (\) will not be scanned if Forefront Security for Exchange Server is configured for Selected scanning. If FSE is set to scan all mailboxes or public folders, those that use backslashes or other special characters will be scanned.

In the Scan portion of the Scan Job Settings work pane, mailboxes and public folders each have three selection options:
All: Scan all existing and newly-created mailboxes or public folders.
None: Do not scan any mailboxes or public folders.
Selected: Scan specific mailboxes or public folders.

When you choose Selected, the icon underneath the options becomes active. Click this icon to see a listing of mailboxes or public folders on the server. You can choose each mailbox or public folder to be scanned by clicking its name. You can use the accompanying buttons to select All or None of the mailboxes or public folders. The +/- button inverts the current selection.

Notes: Choosing all mailboxes or public folders in the selection pane is not the same as choosing the All option in the previous pane. An inclusion list is built from the selections made here. New mailboxes or public folders that are added after making this selection will not automatically be included. To return to the main scan selection pane, click the arrow in the upper right corner of the mailbox or public folder selection pane.

About proactive scanning


Microsoft Exchange proactive scanning can be enabled on Public Folder servers to scan files as they are posted to the server and on Mailbox servers to scan sent items. You can enable proactive scanning in one of the following ways:

Set the following Exchange DWORD registry value to 1: HKEY_Local_Machine\System\CurrentControlSet\Services\MSExchangeIS\VirusScan\ProactiveScanning. By default, this registry value is set to 0 (proactive scanning is disabled).

Check the General Options setting Scan on Scanner Update. When you enable this setting, the Realtime Scan Job rescans previously scanned messages when they are accessed following an engine update. Enabling this setting also automatically sets the ProactiveScanning registry value to 1.

However, you may want to enable proactive scanning without rescanning messages after engine updates, since this may impact server performance. In this case, you should simply set the ProactiveScanning registry value to 1, and leave the Scan on Scanner Update setting disabled (this is the default).

About Realtime scan recovery


In the event that the Realtime Scan Job takes longer than a specified amount of time to scan a file (default is 5 minutes or 300,000 milliseconds), the process is terminated and Forefront Security for Exchange Server attempts to restart the service. If successful, real-time scanning resumes and a notification is sent to the administrator stating that the Realtime Scan Job exceeded the allotted scan time and recovered. When the new real-time scan process starts, the message that caused it to terminate is reprocessed according to the action set in the General Option setting Realtime Scan Timeout Action. For example, if it is set to Delete, Forefront Security for Exchange Server deletes the file, replaces its contents with the Deletion Text for the Realtime Scan Job, logs the information, and quarantines and archives the file. If Forefront Security for Exchange Server again times out while processing the message, the message will be delivered without being scanned. (For more information about General Options, see Forefront Server Security Administrator.)

If the process cannot be restarted, a notification is sent to the administrator stating that the Realtime Scan Job stopped. In this event, real-time scanning for the particular storage group will not function, but the information store will not stop.

The default time-out for message scanning can be modified by creating the DWORD registry value RealtimeTimeout and setting a new time-out. The value is in milliseconds. If you continue to have time-out problems, you may try increasing the time specified in the RealtimeTimeout registry value. Because this is a hidden registry value, you must create a new DWORD registry value called RealtimeTimeout, set the Base to Decimal, and type the time in milliseconds in the Value data box. Recycle the Exchange and Forefront Security for Exchange Server services for the change to take effect. For more information about registry values, see Registry keys.

Scanning files by type


By default, Forefront Security for Exchange Server is configured to scan all attachments for viruses. To perform scans as quickly and efficiently as possible, however, Forefront Security for Exchange Server can be configured to only scan file attachments that are more likely to contain viruses. It does this by first determining the file type and then by determining whether that file type can be infected with a virus. Determining the file type is accomplished by looking at the file header and not by looking at the file extension. This is a much more secure method because file extensions can be easily spoofed. This check increases Forefront Security for Exchange Server performance while making sure that no potentially infected file attachments pass without being scanned. If you would like Forefront Security for Exchange Server to bypass scanning for file types that are not commonly known to be capable of carrying a virus, set the registry key ScanAllAttachments to 0. (ScanAllAttachments is a "silent" key, that is, if it is not present, its value defaults to 1.)

Transport Scan Job


The Forefront Security for Exchange Server Transport Scan Job runs on an Exchange 2007 server with either a Hub Transport or an Edge Transport role installed. It can scan, in real time, all MIME and UUENCODE-based e-mail messages that are inbound or outbound from the Transport stack of an Exchange site or organization as well as all internal mail. The Transport scanner scans for viruses in attachments and for embedded and HTML viruses in the message body.

About multiple Transport processes


During installation, four Transport Scan Jobs (processes) are created for the Transport server. You can create additional Transport Scan Jobs by changing the value of the General Options setting Transport Process Count to the number of scanning processes you want running per Transport server. The maximum is ten. When multiple transport processes are running, the first process scans the file unless it is busy; in which case, the file is delivered to the second process for scanning. If the second process is busy and a third is enabled, the third process scans the file. Whenever possible, FSE delivers files to the first process if it is available. Multiple processes increase the load on the server at startup, when the processes are being loaded, and whenever they are called upon to scan a file. More than the default number of processes should not be necessary, except in high-volume environments. Because increasing the number of processes consumes additional server resources, it is best to increase them one at a time, and evaluate the performance at each step.


To change the number of transport processes
1. In the Forefront Server Security Administrator, in the Shuttle Navigator, select Settings, and then select General Options.
2. In the Scanning area, choose a suitable value in the Transport Process Count dropdown box. The maximum value that you can use is 10.
3. Click Save.
4. Exit the Forefront Server Security Administrator.
5. Under Administrative Tools, click Services to open the Service Control Manager, and then restart the Forefront Security for Exchange Server services.

Configuring the Transport Scan Job


Configure the Transport Scan Job to specify what combination of inbound, outbound, and internal mail should be scanned. You can optionally specify Deletion Text and Tag Text.

To configure the Transport Scan Job
1. In the SETTINGS section of the Shuttle Navigator, select Scan Job. The Scan Job Settings work pane appears.
2. In the top portion of the Scan Job Settings work pane (which contains a list of configurable scan jobs), select the Transport Scan Job.
3. In the Transport Messages section of the work pane, select the combination of Inbound, Outbound, and Internal messages to be scanned. For more information, see About message queues.
4. Optionally, you can specify Deletion Text, which is used to replace the contents of an infected file during a delete operation. The default deletion text informs you that an infected file was removed, along with the name of the file and the name of the virus found. To create your own custom message, click Deletion Text.
Note: FSE provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. For more information about this feature, see Keyword substitution macros.
5. Optionally, you can specify Tag Text. This text is used by Forefront Security for Exchange Server to tag the subject line or MIME header of messages that meet filter criteria so that they can be identified later for routing into specific user inboxes or for other purposes identified by the Forefront Server Security Administrator. The action for a filter must be set to Identify: Tag Message in order for the tag to be used. To modify the text, click the Tag Text button on the Scan Job Settings work pane. The Tag Text dialog box appears. There are two fields, each of which has a default that can be changed. The subject line tag text defaults to SUSPECT: and the message header tag text (which cannot have any spaces) defaults to Junk-Mail. Click OK.
Note: The same tag is used for all filters associated with the Transport Scan Job.
6. Click Save to save your scan job configuration.

Configuring antivirus settings


There are various settings that you can adjust for the Transport Scan Job. These include file scanner selection, bias, action, notifications, and quarantining.

To configure antivirus settings
1. In the SETTINGS section of the Shuttle Navigator, click the Antivirus icon. The Antivirus Settings work pane appears.
2. In the list in the top pane, select the Transport Scan Job. The current settings are displayed in the bottom half of the work pane.
3. Choose the file scanning engines from the list of available third-party scanners in the File Scanners section. To disable virus scanning while retaining the ability to run File Filtering and Keyword Filtering, clear the Virus Scanning check box in the Run Job work pane of the OPERATE section of the Shuttle Navigator for the Transport Scan Job.
4. Select the Bias to control how many engines should be used to provide you with an acceptable probability that your system is protected. For more information see Multiple scan engines.
5. Choose the Action that you want Forefront Security for Exchange Server to perform when a virus is detected. The action choices are:
Skip: detect only. Make no attempt to clean or delete. Viruses are reported, but the files remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.
Clean: repair attachment. Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the Deletion Text.
Delete: remove infection. Delete the attachment without attempting to clean it. The detected attachment is removed from the message and the Deletion Text is inserted in its place.
6. Enable e-mail notifications by selecting Send Notifications. This setting does not affect reporting to the Incidents log. In addition, you must also configure the notifications (see E-mail notifications). Notifications are disabled by default.
7. Enable or disable saving infected attachments detected by the file scanning engines by selecting or clearing Quarantine files. Quarantining is enabled by default. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.
8. Click Save to save your antivirus settings.

Editing the Transport Scan Job


Select the Transport Scan Job in the Scan Job Settings work pane. The changes that are made to the lower portion of the Scan Job Settings work pane apply to the scan job currently selected in the job list. Making any change to the configuration activates the Save and Cancel buttons. If you make a change to a scan job and try moving to another scan job or shuttle icon without saving it, you are prompted to save your changes.

Controlling the Transport Scan Job


To control the Transport Scan Job, click OPERATE in the Shuttle Navigator, and then click the Run Job icon. The Run Job work pane appears. Select the Transport Scan Job in the list at the top of the Run Job work pane. The bottom portion of the Run Job work pane shows the status and results of the currently selected scan job.

Enabling and disabling the Transport Scan Job


With the Transport Scan Job selected, the Enable and Bypass buttons control the operation of the job.

Selecting virus scans, file filtering, or keyword filtering


The Transport Scan Job can scan for viruses, perform file filtering or keyword filtering, or a combination of the three tasks. Use the Virus Scanning, File Filtering, and Keyword Filtering check boxes to make the appropriate selections. Any change to these settings is immediate, even if the job is currently running.


Checking results and status


The lower portion of the Run Job work pane shows the infections or filtered results found by the Transport Scan Job. These results are stored to disk in the virus log file by the FSCController and are not dependent on the Forefront Server Security Administrator remaining open. The virus log file can be cleared when no longer needed by using the Clear Log button. This does not affect the Incidents log. A subset of the results can also be deleted by selecting entries in the Folder column (use the mouse or SPACEBAR in combination with the SHIFT or CTRL key). When the desired subset is selected, pressing the DELETE key will remove the subset from the virus log file.
Note: If a large number of entries is selected, the deletion process may potentially take a long time. In this case, a message box appears to ask the user to confirm the deletion.
Use the Export button to save the results in formatted text or delimited text formats.

About Transport scan recovery


In the event that the Transport Scan Job takes longer than a specified amount of time to scan a message (default is 5 minutes or 300,000 milliseconds), the process is terminated and Forefront Security for Exchange Server attempts to restart the service. If successful, Transport scanning resumes and a notification is sent to the administrator stating that the Transport Scan Job stopped and recovered. When the new Transport scan process starts, the message that caused it to terminate is reprocessed according to the action set in the General Option setting Transport Scan Timeout Action. For example, if it is set to Delete, Forefront Security for Exchange Server deletes the file, replaces its contents with the Deletion Text for the Transport Scan Job, logs the information, and quarantines and archives the file. (For more information about General Options, see Forefront Server Security Administrator.)

If the process cannot be restarted, a notification is sent to the administrator stating that the Transport Scan Job stopped. In this event, Transport scanning will not function and the mail stream will not be scanned.

If you continue to have time-out problems, you may try increasing the time specified in the TransportTimeout registry value. Because this is a hidden registry value, you must create a new DWORD registry value called TransportTimeout, set the Base to Decimal, and type the time in milliseconds in the Value data box. Recycle the Exchange and Forefront Security for Exchange Server services for the change to take effect. For more information about registry values, see Registry keys.

About message queues


Forefront Security for Exchange Server offers flexibility in choosing which message queues to scan with the Transport Scan Job: inbound, outbound, or internal. You can configure Forefront Security for Exchange Server to only scan one queue or all three. In the Scan Job Settings work pane there are three check boxes for making queue selections.

Scanning the inbound queue


Selecting the Inbound check box within the Scan Job Settings work pane configures Forefront Security for Exchange Server to scan all e-mail messages entering the Edge Transport or Hub Transport. Messages are designated as inbound if the message originated from or relayed through an external server. If the Exchange servers within that site or organization are not running Forefront Security for Exchange Server, this is an effective way to protect them from infected e-mail messages coming from the Internet.

Scanning the outbound queue


Selecting the Outbound check box within the Scan Job Settings work pane configures Forefront Security for Exchange Server to scan all outgoing e-mail messages that leave your Exchange site or Exchange organization via the Edge Transport or Hub Transport. Messages are designated as outbound if at least one recipient has an external address.

Internal scanning
Selecting the Internal check box within the Scan Job Settings work pane configures Forefront Security for Exchange Server to scan all mail that is being routed from one location inside your domain to another location inside your domain. Messages are designated as internal if they originate from inside your domain and all the recipients are located inside your domain.

Scanning nested compressed files


Exceedingly nested, compressed files can slow the performance of Forefront Security for Exchange Server and the Exchange server. Multiple nesting is also a known denial of service attack against antivirus products. To minimize the potential impact on server performance and guard against denial of service attacks, the Forefront Security for Exchange Server registry key MaxNestedCompressedFile is set to five (5) by default. This setting allows Forefront Security for Exchange Server to search into five nested, compressed attachments to scan for viruses. Attachments with more than five nestings are marked for deletion. You may change this setting as needed for your environments in the General Options work pane. For more information, see Forefront Server Security Administrator.
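The nesting limit described above is the kind of control a practitioner can reproduce and verify independently. The following Python block is an added example and not FSE code: it constructs nested ZIP attachments in memory and walks them depth-first, stopping as soon as the nesting exceeds a limit (5, matching the MaxNestedCompressedFile default named above) and marking the attachment for deletion, which is the behaviour the text describes. Inner archives are identified by their header rather than their member name. It goes slightly beyond the text by also capping the total declared uncompressed size, since a shallow archive with enormous members is the other common way a compressed attachment exhausts a scanner. The helper names, the verdict strings and the byte budget are assumptions of the example.

```python
"""Nested-archive depth limiting: an added example, not FSE code.

Walks nested ZIP attachments depth-first and stops as soon as the nesting
exceeds MAX_NESTED_COMPRESSED_FILE (5, the FSE default named in the text)
or the declared uncompressed size exceeds a budget (the budget is an
addition of this example). Helper names and verdict strings are assumptions.
"""
from __future__ import annotations

import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"          # local file header that opens a ZIP archive
MAX_NESTED_COMPRESSED_FILE = 5     # FSE default nesting limit from the text


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP holding the given members (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_nested_zip(levels: int, payload: bytes = b"hello") -> bytes:
    """Construct a ZIP nested `levels` deep; level 1 is a plain ZIP holding payload.txt."""
    data, name = payload, "payload.txt"
    for level in range(1, levels + 1):
        data, name = build_zip({name: data}), f"level{level}.zip"
    return data


def scan_nesting(data: bytes, max_depth: int = MAX_NESTED_COMPRESSED_FILE,
                 byte_budget: int = 50 * 1024 * 1024) -> dict:
    """Return nesting statistics and a verdict for one attachment.

    The walk aborts at the first violated limit, so a hostile archive costs the
    scanner at most `max_depth` levels and `byte_budget` declared bytes.
    """
    result = {"max_depth": 0, "members": 0, "declared_bytes": 0, "verdict": "ok"}

    def walk(blob: bytes, depth: int) -> bool:
        """Descend one archive level; return False to abort the whole walk."""
        if depth > max_depth:
            result["verdict"] = "delete: nesting limit exceeded"
            return False
        result["max_depth"] = max(result["max_depth"], depth)
        try:
            zf = zipfile.ZipFile(io.BytesIO(blob))
        except zipfile.BadZipFile:
            # Mirrors the "Delete Corrupted Compressed" option named in the text.
            result["verdict"] = "delete: corrupted compressed file"
            return False
        with zf:
            for info in zf.infolist():
                result["members"] += 1
                result["declared_bytes"] += info.file_size
                if result["declared_bytes"] > byte_budget:
                    result["verdict"] = "delete: decompression budget exceeded"
                    return False
                # Identify inner archives by header, not by member name.
                with zf.open(info) as member:
                    head = member.read(len(ZIP_MAGIC))
                if head == ZIP_MAGIC and not walk(zf.read(info), depth + 1):
                    return False
        return True

    if data.startswith(ZIP_MAGIC):
        walk(data, 1)
    return result


if __name__ == "__main__":
    for levels in (1, 5, 6):
        print(levels, scan_nesting(build_nested_zip(levels)))
```

A five-level archive is walked completely and passes; a six-level one is stopped at the sixth level without ever opening it, and a member whose header says "ZIP" but whose body does not parse is treated as a corrupted compressed file rather than silently skipped.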

Scanning files by type


By default, Forefront Security for Exchange Server is configured to scan all attachments for viruses. To perform scans as quickly and efficiently as possible, however, Forefront Security for Exchange Server can be configured to only scan file attachments that are more likely to contain viruses. It does this by first determining the file type and then by determining whether that file type can be infected with a virus. Determining the file type is accomplished by looking at the file header and not by looking at the file extension. This is a much more secure method because file extensions can be easily spoofed. This check increases Forefront Security for Exchange Server performance while making sure that no potentially infected file attachments pass without being scanned. If you would like Forefront Security for Exchange Server to bypass scanning for file types that are not commonly known to be capable of carrying a virus, set the registry key ScanAllAttachments to 0. (ScanAllAttachments is a "silent" key, that is, if it is not present, its value defaults to 1.)
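Header-based type identification, as described in this section and in the identically worded section under the Realtime Scan Job, can be demonstrated with a few well-known magic numbers. The Python block below is an added example and not FSE's own type detection: the signature table, the extension-to-type mapping and the small set of image types the toy policy skips are assumptions of the example, not FSE's internal lists. It shows an executable renamed to .pdf being identified as an executable regardless of its name, and how a ScanAllAttachments-style switch changes the decision only for the types the policy regards as unlikely carriers; scripts (plain text) and unrecognised headers are always sent to the engines.

```python
"""Header-based attachment type detection: an added example, not FSE code.

SIGNATURES, EXTENSION_TYPES and SKIP_TYPES are assumptions of this example,
not FSE's internal lists.
"""
from __future__ import annotations

# Offset-0 signatures of common attachment formats (public magic numbers).
SIGNATURES = [
    (b"MZ", "pe"),                                   # Windows executable or DLL
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy Office .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),                          # ZIP, also .docx/.xlsx/.jar
    (b"%PDF-", "pdf"),
    (b"{\\rtf", "rtf"),
    (b"Rar!\x1a\x07", "rar"),
    (b"\x1f\x8b", "gzip"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]

# What each extension legitimately claims to be (assumption of this example).
EXTENSION_TYPES = {
    "exe": "pe", "dll": "pe", "scr": "pe",
    "doc": "ole2", "xls": "ole2", "ppt": "ole2",
    "docx": "zip", "xlsx": "zip", "pptx": "zip", "zip": "zip", "jar": "zip",
    "pdf": "pdf", "rtf": "rtf", "rar": "rar", "gz": "gzip",
    "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "txt": "text",
}

# Types the toy policy skips when the ScanAllAttachments-style switch is off
# (assumption of this example). Everything else, including "text" (which covers
# scripts) and "unknown", goes to the engines: an unrecognised header is not
# evidence that a file is harmless.
SKIP_TYPES = {"png", "jpeg", "gif"}


def detect_type(data: bytes) -> str:
    """Identify the type from the leading bytes; the file name is never consulted."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    if data and b"\x00" not in data:
        try:
            data.decode("utf-8")
            return "text"
        except UnicodeDecodeError:
            pass
    return "unknown"


def extension_of(filename: str) -> str:
    """Lower-cased extension, or '' when the name has none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the header contradicts what the extension claims (a spoofed name)."""
    claimed = EXTENSION_TYPES.get(extension_of(filename))
    return claimed is not None and claimed != detect_type(data)


def scan_decision(filename: str, data: bytes, scan_all_attachments: bool = True) -> dict:
    """Decide whether an attachment goes to the engines.

    scan_all_attachments=True mirrors the FSE default (everything is scanned);
    False skips only the types the policy regards as unlikely carriers.
    """
    detected = detect_type(data)
    return {
        "filename": filename,
        "detected": detected,
        "mismatch": extension_mismatch(filename, data),
        "scan": scan_all_attachments or detected not in SKIP_TYPES,
    }


# Constructed sample attachments: an executable renamed to .pdf, a real PDF
# header, a PNG header and a plain-text note.
SAMPLE_ATTACHMENTS = {
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "notes.txt": b"Meeting notes for Monday\n",
}


def triage(attachments: dict = SAMPLE_ATTACHMENTS, scan_all_attachments: bool = False) -> list:
    """Run scan_decision over a batch of attachments (default: the constructed samples)."""
    return [scan_decision(name, data, scan_all_attachments) for name, data in attachments.items()]


if __name__ == "__main__":
    for row in triage():
        print(row)
```

With the switch off, invoice.pdf is still scanned because its header says it is an executable, and its name is flagged as a mismatch; only the genuine image is skipped. With the switch on (the FSE default) every attachment is scanned regardless of type.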

Background scanning and on-access scanning


The Microsoft Exchange Virus Scanning API (VSAPI) provides the ability to perform background scanning of all files in the information store and on-access scanning of files as they are accessed. These features enhance the functionality of Forefront Security for Exchange Server by ensuring that files are scanned using the latest engine updates and scanning configuration.

Scheduled background scanning


Scheduled background scanning is recommended as a way to periodically scan a selected set of messages with the latest engine updates and scanning configurations. The scope of the Background Scan Job is determined by the options selected in the "Background Scanning" section of General Options (see Forefront Server Security Administrator). By default, background scanning is set to scan all messages received within the last two days. To activate background scanning, a Background Scan Job must be scheduled. Here is how to schedule background scanning.

To schedule background scanning
1. Click OPERATE in the Shuttle Navigator, and then click Schedule Job.
2. At the top of the Schedule Job work pane, select the Background Scan Job.
3. Use the calendar in the Date section to set the date when the Background Scan Job will activate. The red circle indicates today's date. The date you set is highlighted in blue.
4. Set the run time using the Time edit field to the right of the calendar.
5. Indicate the Frequency of the scheduled job: run it Daily, Weekly, Monthly, or only Once (the default).
6. If the job is disabled, click Enable to enable it.
7. Click Save.

Here is how to enable background scanning.

To enable background scanning
1. Open the General Options work pane and select Enable Background Scan if "Scan on scanner update" Enabled. This causes FSE to initiate a background scan every time a scan engine is updated.
2. Enable the Realtime Scan Job for the storage groups that you want to have scanned by the Background Scanner. For more information see Realtime Scan Job.

Here is how to stop or disable background scanning.

To stop or disable background scanning
1. In the Shuttle Navigator, click REPORT, and then click Schedule Job.
2. At the top of the Schedule Job work pane, select the Background Scan Job.
3. On the Schedule Job work pane, click the Stop button.

Note: After a Background scan has been stopped, it will restart after the next signature update if the General Options settings Scan on Scanner Update and Enable Background scan if 'Scan on scanner update' enabled are selected. If you do not want the Background scan to start after the next signature update, you can disable the scheduled scan in two ways:
Clear the General Options settings Scan on Scanner Update and Enable Background scan if 'Scan on scanner update' enabled, or
Click the Disable button on the Schedule Job work pane.

On-access scanning
By default, Exchange 2007 On-access scanning ensures that all files being accessed have been scanned at least once by Forefront Security for Exchange Server.

Heightened security on-access scanning


Heightened security on-access scanning may be activated to ensure that all files being accessed are scanned if the antivirus engines have been updated since the file was originally stored. On-access scanning is controlled by the Scan on Scanner Update General Option setting, which causes previously scanned files to be re-scanned when accessed following a scanner update. Enable the Realtime Scan Job for the storage groups you would like scanned by the background scanner.

Important: For more information about the Scan on Scanner Update General Option setting, including recommendations for when it should not be set and its impact on proactive scanning, see its description in the "Scanning Section" of Forefront Server Security Administrator.

Reporting incidents
Incidents detected by background scanning and on-access scanning are reported in the Realtime columns in the Incidents pane of the REPORT section of the Shuttle Navigator.

Templates
When Forefront Security for Exchange Server is installed, it creates default templates for the various scan jobs, scan engines, and notifications. The scan jobs are configured to use the values in the default templates. Administrators can also create templates for file filter and content filter settings and additional scan job templates as needed. (These are called "named templates".) Templates are useful for controlling the configuration of Forefront Security for Exchange Server on multiple servers from a central location, controlling the configuration of scan jobs and other functions at installation, and defining configuration settings for newly mounted storage groups.

The Template.fdb file contains the following default templates:
Scan job templates: a Transport Scan Job template, a Realtime Scan Job template, and a Manual Scan Job template.
Notification templates for each of the default notifications.
Scanner update templates for each scan engine that is installed on the current system.

To deploy templates to remote computers after an upgrade, you must configure specific jobs to use either the default templates or named templates. To view templates in the Forefront Server Security Administrator, click File, click Templates, and then click View Templates. This causes the default and named templates to be displayed in the various work panes.

Note: The settings for all the scan jobs are contained in the file Scanjobs.fdb. If it is not present when the FSCController starts, a new one is created, based on the values in the Template.fdb file. If the Template.fdb file does not exist, a new one is created, based on the values in the Scanjobs.fdb file. If neither file exists, new ones are created using default values. Thus, by deliberately deleting one of these files, you can force its reconstruction based on the values contained in the other one.


Template uses
Templates are used for the following purposes:

Controlling configuration settings of all FSE servers from a single location. After a Template.fdb file is created, Microsoft Forefront Server Security Management Console (FSSMC) can be used to copy and activate the template settings on multiple FSE servers throughout an organization. Templates can be deployed simultaneously to multiple FSE servers, and the settings can be applied to currently running scan jobs without the need to stop or restart any services. (For more information about using FSSMC to deploy templates, see the "Microsoft Forefront Server Security Management Console User Guide".)

Controlling the configuration of scan jobs during remote installations. Use templates to configure your remote servers at the time FSE is installed.

Defining scan job settings for newly-mounted storage groups. In Exchange, storage groups can be added to the system dynamically while both Exchange and Forefront Security for Exchange Server are running. Forefront Security for Exchange Server detects when a new or previously used storage group is mounted. If the storage group is new, Forefront Security for Exchange Server needs to create a Realtime Scan Job and Manual Scan Job to protect that storage group. The settings that are used for each of these scan jobs are read from their associated templates found in Template.fdb. This feature enables an administrator to create default rules that protect new storage groups as they are added to the system.

Creating a named template


To use named templates, you must create them and associate them with scan jobs.

To create a named template
1. Click File, click Templates, and then click New. The New Template dialog box appears.
2. Select the Type of template you would like to create (Transport, Realtime, Manual, or Filter Set). For more information about filter set templates, see "Filter set templates" in Content filtering. For more information about the different types, see Using named templates.
3. Give the template a Name, and then click OK. The new template is created and becomes a choice in the list in the top pane and in the Template list in the bottom pane of the Template Settings work pane.
4. From the list in the top pane, select your new template. If the templates are not visible, you can display them by clicking File, selecting Templates, and then clicking View Templates.
Note: If you have many templates, you may want to normally hide them to simplify the display.
5. Click the appropriate work pane to configure the template. For example, if you have created a Transport template, select Antivirus Job in the SETTINGS section of the Shuttle Navigator and configure the template as you would a Transport Scan Job. Click Save when you are done.
6. For a scan job to use a template, the template must be associated with that scan job.
a. Open the Forefront Server Security Administrator.
b. In the SETTINGS section of the Shuttle Navigator, select Templates.
c. In the list in the top pane, select the scan job to associate with the template you have just created. For example, select the Realtime Scan Job.
d. In the lower work pane, select the desired template from the Template list.
e. Click Load From Template.
f. Click Save. The scan job's settings are reconfigured to those in the selected template.

Note: The new template can be distributed to remote servers using the Forefront Server Security Management Console (FSSMC). For more information about using FSSMC to deploy templates, refer to the "Microsoft Forefront Server Security Management Console User Guide".

Renaming or deleting a named template


You can rename or delete any of your named templates. You cannot delete or rename a default template.

To rename or delete a named template
1. Open the Forefront Server Security Administrator.
2. If the templates are not visible, display them. Click File, select Templates, and then click View Templates.
3. In the job list, select the template.
4. Click File.
5. Select Templates.
6. Select Rename or Delete. If you choose Delete, you will be asked to confirm your choice.

Modifying templates
There are times when you might want to make changes to a default or a named template.


To modify a template
1. Open the Forefront Server Security Administrator.
2. If the templates are not visible, display them. Click File, select Templates, and then click View Templates.
3. Select a work pane with the template to be modified (for example Scan Job, in the SETTINGS section of the Shuttle Navigator).
4. In the job list, select the template to be modified.
5. Configure the template as desired, using the various work panes, clicking Save on each.

Note: If you make changes directly to a specific scan job (for example, the Transport Scan Job), the templates associated with that scan job are not changed. It is important to remember that any custom filter updates must be made to the template to keep your settings in a consistent location. This is necessary in case you need to deploy the same template settings to another server.

Modifying default file scanner update templates


You may change the primary and secondary update path, change the updating schedule, and enable or disable automatic updates by using the scanner update templates.

To configure default file scanner update templates
1. Open the Forefront Server Security Administrator.
2. If the templates are not visible, display them. Click File, select Templates, and then click View Templates.
3. From the SETTINGS section of the Shuttle Navigator, select Scanner Updates. The Scanner Update Settings work pane appears.
4. From the job list select the file scanner template that you want to update (for example, Template for Microsoft Antimalware Engine). There should be one template for every installed engine.
5. Change the primary and secondary Network Update Path, as desired.
6. Change the date, time, frequency, and repeat interval, if desired. Enable or Disable updating as needed.
7. Click Save.

New templates can be deployed locally using FSCStarter (for more information, see Deploying named templates) or deployed to remote servers using the Microsoft Forefront Server Security Management Console. For more information about using FSSMC to deploy templates, refer to the "Microsoft Forefront Server Security Management Console User Guide".


Note: If you are using FSSMC to update Forefront Security for Exchange Server scan engines, you should disable scheduled updates in Forefront Security for Exchange Server.

Modifying notification templates


Default notification templates can be used to deploy notification settings to remote servers.

To modify notification templates
1. Open the Forefront Server Security Administrator.
2. If the templates are not visible, display them. Click File, select Templates, and then click View Templates.
3. In the REPORT section of the Shuttle Navigator, select Notification.
4. From the job list, select the notification template you would like to modify (for example, Template for Virus Administrators).
5. Edit the template in the lower work pane or use the Enable and Disable buttons to change the state of the template.
6. Click Save.

Note: You cannot create new notification templates. You must modify the default notification template to update notification settings.

Using named templates


Named templates can be used to create and manage multiple configurations in an Exchange environment. If you run different configurations on the servers in your environment, it is recommended that you configure each server to use a named template as the default for its configuration settings. For example, if you have twenty servers divided into four groups of five, you can create named templates for each server group. These templates will contain all of the configuration information for scan jobs, filtering, notifications, and scanner update paths. Each template has the name of the group:
TransportTemplate1
TransportTemplate2
TransportTemplate3
TransportTemplate4
These names are similar for each scan job and filter set template. Named templates that you create are associated with scan jobs. (For more information, see Creating a named template.) These templates are then distributed to the various servers during the install or upgrade process. (For more information, see Deploying named templates.) The first time a named template is deployed to a server, it must be associated with a scan job on that server; otherwise, the default template is used. You can use the Forefront Server Security Administrator to connect to the server and make the association. (For more information, see "Connecting to a remote server" in Forefront Server Security Administrator.) After you have done this, the scan jobs, filter sets, and notifications always load from the named templates during configuration changes or when you need to deploy global filter settings during a virus outbreak.

Deploying templates during a remote installation


New templates can be deployed to multiple remote servers using the Microsoft Forefront Server Security Management Console (FSSMC). After FSSMC has distributed the template files to the target server, it launches FSCStarter to install the templates on that server.

Before you deploy templates to a server (local or remote), you must ensure that the Forefront Security for Exchange Server scan jobs on that server are configured to run from templates. To do so, select Templates on the SETTINGS shuttle. The Template Settings work pane appears. The Template field associated with each scan job should be set to either Default (the default value) or to a named template. (Templates will not be used if the value is None.)

All the templates are stored in the Template.fdb file, so all will be deployed when you use the FSSMC. This is not a problem if all of your servers are configured identically, but if you have multiple configurations in your environment, be sure to distribute the template files that match the configuration of the targeted servers. If you have multiple configurations, it is helpful to configure your servers to use named templates for their settings. This will allow you to easily distribute template files to all your servers without worrying about corrupting configuration settings.

To have the Template.fdb file distributed to all servers during a remote installation or upgrade, you must use the extract form of setup.exe. This is the syntax:
Setup.exe /x:<path>
This extracts all required files to the directory you specify in <path>, including another copy of setup.exe. Copy the Template.fdb file to that same directory. Finally, execute the setup.exe file that was extracted to that directory. (For more information about remote installations, see "Manage Jobs" in the Microsoft Forefront Server Security Management Console User Guide. When you enter the location of the setup.exe file for the deployment job in the Management Console, it is the extracted one found in <path>.)

The first time a named template is deployed to a server, it must be associated with a scan job on that server; otherwise, the default template is used. You can use the Forefront Server Security Administrator to connect to the computer and make the association. (For more information, see "Connecting to a remote server" in Forefront Server Security Administrator.) After you are connected to the remote server, you can associate the template with the appropriate scan job by following the steps in Creating a named template.


After you have associated a named template with a scan job, the assigned template continues to be used when there are configuration changes. It is not necessary to re-associate the scan job unless you want to switch the template being used.

Deploying named templates


New templates can be deployed locally using FSCStarter or deployed to remote servers using FSSMC. Individual templates can be associated with current scan jobs in the Forefront Server Security Administrator using the Load From Template button. An exception is filter list templates, which must be associated with a scan job using the FSCStarter. The FSCStarter can be used to activate any or all templates from a command prompt directly on the server. The FSCStarter.exe file has the ability to activate template settings on the current server. The t parameter facilitates activating template settings. The syntax of FSCStarter is:
FSCStarter t[c][f][l][n][p][s] [filename] [\servername]

The t parameter instructs FSCStarter to read the settings in the Template.fdb file and apply them on the current server. All filter settings, notification settings, and scanner update paths can be updated. You must insert a space between FSCStarter and the t parameter. However, there is no space between the t parameter and the options. Multiple switches are listed without punctuation or spacing. If the optional filename parameter is specified, the file you indicate (by entering its full path) will overlay the current Template.fdb file before any settings are updated. If the optional \servername parameter is specified, the templates will be activated on the named remote server.

The t parameter's options enable subsets of the template settings file (Template.fdb) to be applied. Enter any combination of the options, in any order, with no spaces. If no options are specified after the t parameter, all settings in the Template.fdb file are updated.

c  Update the content filter settings for each scan job.
f  Update the file filter settings for each scan job. The file filter settings of each scan job on the server are updated with the file filter settings found in the associated template type. For example, the file filter settings for all Realtime Scan Jobs are updated with the file filter settings found in the Realtime Scan Job template.
l  Update the filter lists for each scan job.
n  Update the notification settings with the data in the associated templates.
p  Update the file scanner update path, proxy server settings (if applicable), and the scanner update schedule items (date, time, frequency, and repeat interval). The update path for each file scanner is updated from the file scanner template that matches the vendor of the file scanner.
s  Update the scan job and antivirus settings. Each scan job on the server is updated with the settings found in the associated template type. For example, all Realtime Scan Jobs are updated with the settings found in the Realtime Scan Job template. This includes all filters.

For example, to update the content filter settings, the file filter settings, and the notification settings, you would enter:
FSCStarter tcfn

Deploying schedule job templates


When deploying the default schedule job template, the Background Scan Job and all Manual Scan Jobs that are set to use the default template are updated. This causes all Manual Scan Jobs and the background scan to begin at the same time and could degrade server performance. To avoid this problem, use named templates for each Manual Scan Job so that you can schedule each one independently of the background scan.

Template planning tips


Here are some tips to help you use your templates more efficiently. In environments where you have both front-end and back-end servers, it is best to have two different sets of templates for each group. Use one server as your "master", and use FSCStarter or FSSMC to deploy configuration changes to the other servers. If you have more than one group, choose a "master" for each group. Only make changes directly to the "master" server.

When using FSSMC to deploy templates, it is useful to name your packages so they are easily recognized for distribution. For example, you could use FE Template 070607 to mean Front End Template created on July 6, 2007.

File filtering
The Forefront Security for Exchange Server file filter feature gives you the ability to search for attachments with a specific name, type, and size within an e-mail message. If a match is found, the file filter can be configured to perform actions on the attachment such as delete, quarantine, notify, and report the detected file. The file filter offers a flexible means to detect file attachments within e-mail messages and other Outlook items, including Tasks and Schedules (such as meetings and appointments).

Creating a file filter


You can configure the file filter by file types, extensions, or names. For more information, see Filtering by file type, Filtering by extension, and Filtering by name.

To create and configure a file filter
1. In the Shuttle Navigator, click FILTERING, and then click the File icon. The File Filtering pane appears.
2. In the upper work pane, select the scan job for which you would like to create the file filter.
3. To detect files with a particular file name, add the file name to the File Names section of the work pane. Click the Add button and type the name of the file to be detected. (There are also buttons with which to Edit and Delete existing entries.) Use the up and down arrows (on the same line with File Names) to change the order in which a selected filter is executed.
Optionally, the file filter can be configured to filter files based on their size. To detect files by size, specify a comparison operator (=, >, <, >=, <=) and a file size in kilobytes (KB), megabytes (MB), or gigabytes (GB). These are placed immediately after the file name, with no spaces between the file name and the operator or the operator and the file size. File sizes must be entered using the English size keywords KB (for kilobytes), MB (for megabytes), and GB (for gigabytes). The General Options setting Max Container File Size specifies the maximum container file size (in bytes) that FSE will attempt to clean or repair in the event that it discovers an infected file.
Examples:
*.bmp>=1.2MB   all .bmp files larger than or equal to 1.2 megabytes
*.com>150KB    all .com files larger than 150 kilobytes
*>5GB          all files larger than 5 gigabytes
4. Specify the list of file types that can be associated to the selected file name. You can select one or more file types from the list or select All Types located below the list. If the file type you want to associate to the selected file name is not available in the list, then select All Types. (For a description of the file types listed in the selection box, see File types list.) The All Types selection configures Forefront Security for Exchange Server to filter based only on the file name and file extension. By selecting All Types, Forefront Security for Exchange Server is configured to detect the selected file name no matter what the file type. This prevents the potential of users bypassing the filter by simply changing the extension of a file. If you know the file type you are searching for, Forefront Security for Exchange Server will work more efficiently if you select the appropriate file type rather than All Types. For example, if you want to filter all EXE files, create the filter * and set the file type to EXE.
5. Ensure that the File Filter is set to Enabled. It is enabled by default.
6. Indicate the Action to take if there is a filter match.
7. Indicate whether to Send Notifications for the selected file name. This does not affect reporting to the Incidents log. In addition, you must also configure the notifications (see E-mail notifications). It is disabled by default.
8. Indicate whether to Quarantine Files for the selected file name. It is enabled by default. Enabling quarantine causes deleted attachments and purged messages to be stored, making it possible for you to recover them. However, worm-purged messages are not recoverable.
9. Optionally, you can specify Deletion Text, which is used to replace the contents of an infected file during a delete operation. The default deletion text informs you that an infected file was removed, along with the name of the file and the name of the filter. To create your own custom message, click Deletion Text.
Note: Forefront Security for Exchange Server provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. For more information about keywords, see Keyword substitution macros.
10. Click Save to save your filter.

Filtering by file type


If you want to filter certain file types, you can create the filter * and set the File Types selection to the exact file type you want to filter. For example: Create the filter * and set the File Types to MP3. This ensures that all MP3 files are filtered no matter what their file name or extension. One advantage of setting a generic * filter and associating it with a certain file type (for example, EXE) is that it prevents the potential of users bypassing the filter by simply changing the extension of a file.

Notes: If you want to filter Office 2003 and older Microsoft Excel files, you will need to enter *.xls or * in the File Name box and then select both WINEXCEL and DOCFILE in the File Type list. Excel 1.x files are WINEXCEL type files but newer versions of Excel are DOCFILE file types. For Office 2007 documents (Word, Excel, and PowerPoint) you should use the proper file extension in the File Name box and then select OPENXML in the File Types list.

Filtering by extension
If you want to filter any file that has a certain extension, you can create a generic filter for the extension and set the File Types selection to All Types. Filter matching is not case-sensitive. For example: Create the filter *.exe* and set the File Types selection to All Types. This will ensure that all files with an .exe extension will be filtered.


Important: When creating generic file filters to stop all of a certain type of file (for example, .exe files), it is recommended that you write the filter in this format: *.exe*. The second asterisk (*) will prevent files with extra characters appended after the file extension from bypassing the filter.

Note: Microsoft recommends avoiding the use of the generic filter * with the File Types set to All Types. This filter configuration could result in the reporting of repeated detections.

Filtering by name
If you want to filter all files with a certain name, you can create a filter using the file name and set the File Types selection to All Types. Filter matching is not case-sensitive. For example: If a virus uses an attached file named payload.doc, you can create the filter payload.doc and set the File Types selection to All Types. This ensures that any file named payload.doc will be filtered no matter what the file type. Detecting file attachments by name is also useful when there is an outbreak of a new virus and you know the name of the file in which the virus resides before your virus scanners are updated to detect it. A perfect example of this was the Melissa worm. It resided in a file named List.doc and could have been detected by Forefront Security for Exchange Server using a file filter even before virus scanners could detect it.

Action
Choose the action that you want Forefront Security for Exchange Server to perform when a file filter is matched. By default, it is set to Delete: remove contents.

Note: You must set the action for each file filter you configure. The Action setting is not global.

Skip: detect only
Records the number of messages that meet the filter criteria, but enables messages to route normally. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.

Delete: remove contents
Deletes the file attachment. The detected file attachment is removed from the message and the Deletion Text is inserted in its place.

Purge: eliminate message
Deletes the message from your mail system. When you select this option, a warning appears, informing you that if there is a filter match, the message will be purged and unrecoverable. Click Yes to continue.
Note: If the Quarantine Files box is selected, however, purged messages will be quarantined and can then be recovered from the Quarantine database.

Identify: tag message
The subject line or message header of the detected message can be tagged with a customizable word or phrase so that it can be identified later for processing into folders by user inboxes or for other purposes identified by the Forefront Server Security Administrator. This tag can be modified by clicking the Tag Text button on the Scan Job Settings work pane and modifying the text. The same tag, however, is used for all filters associated with the particular scan job. This action is only available for the Transport Scan Job. For more information about Tag Text, see "Configuring the Transport Scan Job" in Transport Scan Job.

Editing a file filter


Once you have created a file filter, it can be modified.

To edit a file filter
1. In the Shuttle Navigator, click FILTERING, and then click the File icon. The File Filtering pane appears.
2. In the upper work pane, select the scan job for which you would like to modify the file filter.
3. Make the required changes to the various fields. The changes apply to the selected scan job.
4. Click Save to save your filter changes. Making any change to the configuration activates the Save and Cancel buttons. If you make a change to the selected scan job and try moving to another scan job or shuttle icon without saving it, you will be prompted to save or discard your changes.

Matching patterns in the file name with wildcard characters


Use wildcard characters to have your filter match patterns in the file name, rather than a specific file name. You can use any of the following to refine your filters:

*  Used to match any number of characters in a file name. You can use multiple asterisks. The following are some examples of its usage:
Single: Any of these single wildcard character patterns would detect veryevil.doc: veryevil.*, very*.doc, very*, *il.doc.
Multiple: Any of these multiple wildcard character patterns would detect eicar.com: e*c*r*om, ei*.*, *car.*.
Note: Use multiple asterisks to filter file attachments with multiple extensions. For example: love*.*.*

?  Used to match any single character in a name where a single character may change. For example: virus?.exe would find virusa.exe, virus1.exe, or virus$.exe. However, this filter would not catch virus.exe.

[set]  A list of characters and ranges, enclosed in square brackets [abcdef]. Any single character in the specified set is matched. For example: klez[a-h].exe would find kleza.exe through klezh.exe.

[^set]  Used to exclude characters that you know are not used in the file name. For example: klez[^m-z].exe would not find klezm.exe through klezz.exe.

[range]  Used to indicate several possible values in a set. It is specified by a starting character, a hyphen (-), and an ending character. For example: klez[ad-gp].exe would match kleza.exe, klezd.exe, klezf.exe, and klezp.exe but not klezb.exe or klezr.exe.

\char  Indicates that special characters are used literally. (The characters are: * ? [ ] - ^ < >.) The backslash is called an escape character, and indicates that a reserved control character is to be taken literally, as a text character. For example: If you enter *hello*, you would normally expect to match hello anywhere in the file name. If you enter *\*hello\**, you would match *hello*. If you enter *\*hello\?\**, you would match *hello?*.
Note: You must use a \ before each special character.

Directional file filters


When using the file filter in conjunction with the Transport Scan Job, you can configure a filter so that it only checks inbound or outbound messages. This is accomplished by adding an <in> or <out> prefix to the file name when entering it in the File Names work pane. (For information about the inbound, outbound, and internal designations, see Transport Scan Job.)

Note: There are no spaces between the prefix and the file name.

Note: The prefixes <in> (for inbound messages) and <out> (for outbound messages) must be entered in English.

Inbound filtering
Prefixing the file name with the <in> directive instructs Forefront Security for Exchange Server to apply this filter only to inbound messages.
<in>filename

Outbound filtering
Prefixing the file name with the <out> directive instructs Forefront Security for Exchange Server to apply this filter only to outbound messages.
<out>filename

Inbound, outbound, and internal filtering


If no prefix is appended to the file name, the filter is applied to all messages, regardless of direction.
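A File Names entry combines three of the notations described in this guide: the wildcard syntax from Matching patterns in the file name with wildcard characters, the size comparator from Creating a file filter (for example *.bmp>=1.2MB), and the <in>/<out> prefix from Directional file filters. The Python below is an added example written for this guide, not code from Forefront Security for Exchange Server, that lets you test an entry against sample attachment names before you put it into a production filter list. It assumes that the size keywords are 1024-based multiples (the guide does not state the exact arithmetic), that the <in>/<out> prefix may be typed in any letter case, and that a set such as [ad-gp] can be handed to the regular-expression engine as a character class. All attachment names and sizes are constructed.

```python
import operator
import re
from dataclasses import dataclass
from typing import Optional

# Constructed model of an FSE File Names entry; not FSE's own code.
# Assumption: KB/MB/GB are 1024-based multiples.
_UNITS = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
_OPS = {"=": operator.eq, ">": operator.gt, "<": operator.lt,
        ">=": operator.ge, "<=": operator.le}
# name, comparison operator, number, unit; no spaces, as the guide requires.
_SIZE_RE = re.compile(r"^(.+?)(>=|<=|=|>|<)(\d+(?:\.\d+)?)(KB|MB|GB)$")


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the guide's wildcard syntax into an anchored, case-insensitive regex.

    *  any run of characters        ?  exactly one character
    [set] one character from the set, [^set] one character not in it,
    a-z inside [...] is a range, and \\x is the special character x taken literally.
    """
    parts = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):      # \char: next character is literal
            parts.append(re.escape(pattern[i + 1]))
            i += 2
        elif c == "*":
            parts.append(".*")
            i += 1
        elif c == "?":
            parts.append(".")
            i += 1
        elif c == "[":
            end = pattern.find("]", i + 1)
            if end == -1:
                raise ValueError(f"unterminated [set] in pattern {pattern!r}")
            body = pattern[i + 1:end]
            negate = body.startswith("^")
            if negate:
                body = body[1:]
            if not body:
                raise ValueError(f"empty [set] in pattern {pattern!r}")
            # Keep '-' so ranges work; neutralise characters that are special inside a regex class.
            body = body.replace("\\", "\\\\").replace("]", "\\]").replace("^", "\\^")
            parts.append("[" + ("^" if negate else "") + body + "]")
            i = end + 1
        else:
            parts.append(re.escape(c))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


@dataclass(frozen=True)
class FileFilterEntry:
    raw: str
    direction: Optional[str]           # "in", "out", or None when the entry has no prefix
    name: "re.Pattern[str]"
    size_op: Optional[str] = None
    size_bytes: Optional[int] = None

    def matches(self, filename: str, size_bytes: int, direction: str) -> bool:
        """direction is the message direction: "in", "out" or "internal"."""
        if self.direction is not None and self.direction != direction:
            return False
        if not self.name.match(filename):
            return False
        if self.size_op is None:
            return True
        return _OPS[self.size_op](size_bytes, self.size_bytes)


def parse_entry(entry: str) -> FileFilterEntry:
    """Parse one File Names entry such as '<in>*.exe*' or '*.bmp>=1.2MB'."""
    direction, body = None, entry
    for tag in ("<in>", "<out>"):                   # assumption: prefix accepted in any case
        if body.lower().startswith(tag):
            direction, body = tag[1:-1], body[len(tag):]
            break
    size_op = size_bytes = None
    m = _SIZE_RE.match(body)
    if m:
        body, size_op, number, unit = m.groups()
        size_bytes = int(float(number) * _UNITS[unit])
    if not body:
        raise ValueError(f"empty file-name pattern in {entry!r}")
    return FileFilterEntry(entry, direction, pattern_to_regex(body), size_op, size_bytes)


def entry_matches(entry: str, filename: str, size_bytes: int = 0, direction: str = "in") -> bool:
    """Would this File Names entry match the given attachment?"""
    return parse_entry(entry).matches(filename, size_bytes, direction)


if __name__ == "__main__":
    # Constructed attachment names; the patterns are the ones the guide itself uses.
    for entry, filename in [("virus?.exe", "virus1.exe"), ("virus?.exe", "virus.exe"),
                            ("*.exe", "report.exe.txt"), ("*.exe*", "report.exe.txt"),
                            ("<in>*.bmp>=1.2MB", "photo.BMP")]:
        print(f"{entry:20} {filename:16} -> {entry_matches(entry, filename, 2 * 1024 ** 2)}")
```

The pair *.exe versus *.exe* in the demo shows the point made under Filtering by extension: only the second form catches a name with extra characters after the extension. Entries are parsed once and the compiled pattern reused, so the same helper can be run over an exported filter list to find entries that never match, or match far more than intended, before they are deployed.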

Filtering container files


Container files can be broadly described as complex files that can be broken down into various parts. Forefront Security for Exchange Server can scan the following container files for filter matches:
PKZip (.zip)
GNU Zip (.gzip)
Self-Extracting .zip archives
Zip files (.zip)
Java archive (.jar)
TNEF (Winmail.dat)
Structured storage (for example, .doc, .xls, or .ppt)
Open XML (for example, .docx, .xlsx, or .pptx)
MIME (.eml)
SMIME (.eml)
UUENCODE (.uue)
Unix tape archive (.tar)
RAR archive (.rar)
MACBinary (.bin)

Forefront Security for Exchange Server scans all parts of the container file and re-packs the file as necessary. For example, if you configure a file filter to delete all .exe files, Forefront Security for Exchange Server deletes .exe files inside container files (replacing them with the Deletion Text) but leaves all other files in the container intact. Note: Forefront Security for Exchange Server cannot scan password protected files or encrypted files. Although FSS does not decrypt such files, the files are always passed to the antivirus scanners in their entirety in their encrypted form.


Excluding the contents of a container file from file filtering


To exclude the contents of a .zip (container file) from being scanned for filter matches, specify the name of the .zip file in the file filter list and set the action to Skip. Ordering of the filter in the list is not important. If the name of the .zip file is in the file filter list and its action is set to Skip, its contents are not scanned by the file filters. The file is, however, scanned for viruses. If you would like to skip all .zip files, create the filter *.zip and set the action to Skip.

Notes: By default, this functionality only applies to .zip and .jar files. If you would like to enable this functionality for other archive types (TAR, GZIP, RAR, Macintosh, SMIME, and Self-Extracting .zip archives), you can set the following DWORD registry values:
Realtime Scan Job: SkipFileFilterWithinCompressedRealtime
Manual Scan Job: SkipFileFilterWithinCompressedManual
Transport Scan Job: SkipFileFilterWithinCompressedInternet
For the location of these registry keys, see Registry keys. After creating each registry value, it should be set to 1 to enable file filtering in the specified archive types.

Note: OPENXML files (For example, Office 2007 documents) are ZIP container files, but they are not affected by the ZIP container settings.

Using file filtering to block most file types


You can use file filters to block some file types and permit others. The files permitted through in this example are Office files, which tend to be safer than other kinds. It takes two file filters for this to work properly.

Note: Be sure that file filter 1 is created before file filter 2, as the filters are applied, in order, from top to bottom.

First, create a file filter to permit Office files through. For this example, we will call it File Filter 1.

To create File Filter 1
1. In the Shuttle Navigator, click FILTERING, and then click the File icon. The File Filtering work pane appears.
2. Create a new file filter by following these steps:
a. Click Add.
b. Type <in>* as the file name and press Enter.
c. Clear All Types in the File Types section.
d. Click Yes to confirm.
e. Select the DOC, OPENXML, and TNEF file types. (TNEF is required since it is the wrapper around file attachments for internal mail.)
f. Set the Action to Skip: detect only.
g. Clear Quarantine Files.
h. Save the filter.

Next, create a filter to block all files. We will call it File Filter 2. As long as you have created File Filter 1 first, Office files are permitted and all other files are blocked.

To create File Filter 2
1. In the Shuttle Navigator, click FILTERING, and then click the File icon. The File Filtering work pane appears.
2. Create a new file filter by following these steps:
a. Click Add.
b. Type * as the file name and press Enter.
c. Ensure that All Types is selected in the File Types section.
d. Set the action to Block or Purge, as desired.
e. Select Quarantine Files.
f. Select Send Notifications.
g. Save the filter.

Note: It is important to realize that the Skip: detect only action in the first filter generates an Incident Log entry for almost every attachment received. Also, TNEF is used for all internal Exchange e-mail, so if you create these filters on a Hub server (Exchange Server 2007 only), you will generate an event for every e-mail. That can quickly overwhelm your server and inflate your Incident Log to an unmanageable size. You can ease this problem by making sure the file name of the first rule is "<in>*". Thus, the rule would only be invoked for inbound e-mail, although a lot of events are still generated. Also, if you select Quarantine Files in the second filter, you will likely get a lot of quarantined files.
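To see why the two filters must sit in this order, and how many Incidents log entries the Skip: detect only filter produces, the Python below models the File Filter 1 / File Filter 2 list from this section. It is an added illustration written for this guide, not FSE's own evaluation engine: it assumes that the first matching filter in top-to-bottom order decides the outcome (the guide's ordering note), matches the file name with Python's fnmatch as a stand-in for FSE's wildcard matcher (only * is needed here), uses Delete as the blocking action, and treats the detected file type as coming from the attachment's content rather than its extension (the point made under Filtering by file type). The attachments, their detected types and directions are constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, Optional, Sequence, Tuple

ALL_TYPES = frozenset({"ALL"})   # stand-in for the work pane's "All Types" selection


@dataclass(frozen=True)
class FileFilter:
    """One row of the File Filtering work pane (simplified model, not FSE's own code)."""
    file_name: str               # may carry the <in>/<out> prefix from Directional file filters
    file_types: frozenset        # detected file types that the row applies to, or ALL_TYPES
    action: str                  # "Skip", "Delete", "Purge" or "Identify"
    quarantine: bool = False
    notify: bool = False


@dataclass(frozen=True)
class Attachment:
    file_name: str
    detected_type: str           # type detected from content, e.g. "OPENXML" or "EXE"
    direction: str               # "in", "out" or "internal"


@dataclass(frozen=True)
class Decision:
    action: str                  # "Pass" when no filter matched
    matched_by: Optional[str]
    incident_logged: bool
    quarantined: bool
    notified: bool


def _name_matches(entry: str, att: Attachment) -> bool:
    # <in>/<out> prefix restricts the row to one message direction; fnmatch stands in
    # for FSE's wildcard matcher (assumption: adequate for the patterns in this example).
    pattern = entry
    for tag in ("<in>", "<out>"):
        if pattern.lower().startswith(tag):
            if att.direction != tag[1:-1]:
                return False
            pattern = pattern[len(tag):]
            break
    return fnmatchcase(att.file_name.lower(), pattern.lower())


def evaluate(filters: Sequence[FileFilter], att: Attachment) -> Decision:
    """Apply the list top to bottom; the first matching row decides (assumption)."""
    for f in filters:
        if not _name_matches(f.file_name, att):
            continue
        if "ALL" not in f.file_types and att.detected_type not in f.file_types:
            continue
        # Every match, including Skip: detect only, produces an Incidents log entry.
        # Quarantine only stores what was deleted or purged, so Skip never quarantines.
        return Decision(f.action, f.file_name, True,
                        f.quarantine and f.action in ("Delete", "Purge"), f.notify)
    return Decision("Pass", None, False, False, False)


def summarize(filters: Sequence[FileFilter],
              attachments: Sequence[Attachment]) -> Tuple[Dict[str, int], int]:
    """Return (count per action, number of Incidents log entries) for a batch."""
    counts: Dict[str, int] = {}
    incidents = 0
    for att in attachments:
        d = evaluate(filters, att)
        counts[d.action] = counts.get(d.action, 0) + 1
        incidents += int(d.incident_logged)
    return counts, incidents


# File Filter 1 and File Filter 2 from the guide, in the required order.
ALLOW_OFFICE = FileFilter("<in>*", frozenset({"DOC", "OPENXML", "TNEF"}), "Skip")
BLOCK_REST = FileFilter("*", ALL_TYPES, "Delete", quarantine=True, notify=True)
GUIDE_ORDER = [ALLOW_OFFICE, BLOCK_REST]
WRONG_ORDER = [BLOCK_REST, ALLOW_OFFICE]

# Constructed inbound attachments with their content-detected types.
SAMPLE = [
    Attachment("budget.xlsx", "OPENXML", "in"),
    Attachment("memo.doc", "DOC", "in"),
    Attachment("invoice.pdf.exe", "EXE", "in"),
    Attachment("photo.jpg", "JPEG", "in"),
]

if __name__ == "__main__":
    for att in SAMPLE:
        print(f"{att.file_name:16} guide order: {evaluate(GUIDE_ORDER, att).action:7}"
              f" reversed: {evaluate(WRONG_ORDER, att).action}")
    print("actions, incident entries:", summarize(GUIDE_ORDER, SAMPLE))
```

Two things the model makes visible: with the filters reversed, the catch-all row deletes the Office documents before the Skip row is ever reached; and even in the correct order every inbound attachment, permitted or not, adds one Incidents log entry, which is the log growth the note above warns about. An executable renamed to .docx is still blocked, because File Filter 1 is keyed on the detected type, not the extension.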

File filter lists


As well as creating individual file filters, you can create lists of them to have collections of filters for use by different scan jobs or simply to organize your filters. The individual filters are created in the same way as previously described, but now, each filter is part of a list.

Creating a file filter list


Begin by creating a new file filter list.

To create a file filter list
1. In the FILTERING section of the Shuttle Navigator, click the Filter Lists icon.
2. In the List Types pane, select Files.
3. In the List Names section, click the Add button.
4. Type a name for the new list and then press Enter. The empty list appears in the List Names section.
5. With the new list name selected, click the Edit button. The Edit Filter List dialog box appears. Use it to add file names to the list.
6. In the Include In Filter section, click the Add button.
7. Type a file name to be included in the filter list. Press ENTER when you are finished typing. You may have as many items as you want, but each must be entered separately. Each follows all the rules already discussed for creating single file filters. The Exclude From Filter section is used to enter file names that should never be included on the file filter list. This prevents those file names from accidentally being added when importing a list from a text file. For more information on importing files, see Importing items into a filter list.
8. When you are finished adding items, click OK. The list of items you just entered appears, alphabetically, in the pane next to List Names.
9. Click Save to save the list.
10. Configure the filter list in the same way as described in Creating a file filter.

Importing items into a filter list


Data for filter lists may be created offline in Notepad or a similar text editor and then imported into the appropriate filter list using the Forefront Server Security Administrator. Note that Forefront Security for Exchange Server can only import lists that are UTF-16 or ANSI files. Other Unicode types will not be properly imported.

To create and import entries into a filter list
1. Create a list and save it as a text file. Place each filter on its own line in the file.
2. In the FILTERING section of the Shuttle Navigator, click Filter Lists.
3. Select the filter list into which you will be importing data.
4. Click Edit. The Edit Filter List dialog box appears.
5. Click the Import button. A File Explorer window opens. Use it to navigate to the text file you created in step 1.
6. Select the file and click Open.
7. The file is imported into the middle pane of the Import List editor to enable you to select the entries you would like to include in your filter list. Use the <=== button to move all the items into the Include In Filter section or use the <--- button to move single items. You can use the right-pointing arrows to move items into the Exclude From Import section.
8. When you have moved all the desired items, click OK.
9. Click Save to save your work.

Filter set templates


Filter set templates can be created for use with any Forefront Security for Exchange Server scan job. A single filter set template can be associated with any or all of the scan jobs and you can also create multiple filter set templates for use on different servers or different scan jobs. For information on creating and configuring filter set templates, see "Filter Set Templates" in Content filtering.

International character sets


Support for file filtering by name in Forefront Security for Exchange Server extends beyond the English character set. For example, messages with an attachment that includes Japanese characters, words, or phrases are handled in the same manner as English character sets.

Statistics logging
The Incidents work pane contains statistics counters that log the number of attachments that meet specified criteria and thus cause the message in which they reside to be purged. These counters can also be found in the Windows Performance snap-in.

Content filtering
Content filtering provides another tool to help manage the flow of messages entering and exiting your enterprise mail stream. Content filtering enables you to filter messages using a variety of filtering tools. These include:
Sender-domains filtering (for Realtime and Manual scan jobs)
Subject line filtering (for Realtime and Manual scan jobs)
Filter set templates (simplify the creation and management of file and content filters on all scan jobs)

If you route e-mail messages through edge transport servers in your environment and are running Forefront Security for Exchange Server on your Exchange servers, you should enter the IP addresses of your edge transport servers into the General Options Transport External Hosts setting to ensure that all mail routed through the edge transport servers is treated as inbound mail rather than internal mail by Forefront Security for Exchange Server. (For more information about this setting, see Forefront Server Security Administrator.)


Configuring sender-domains filtering


Sender-domains filtering enables you to filter messages from particular senders or domains. Wildcard characters can be used to enable such filters as *@domain.com to filter all mail from a certain domain.

Note: Sender-domains filtering only applies to the From field in a message. It cannot be used for the To field.

To configure sender domains filtering
1. In the Shuttle Navigator, click FILTERING.
2. Select the Content icon. The Content Filtering pane appears.
3. In the upper work pane, select the Realtime Scan Job or the Manual Scan Job. (Content filtering is not available for the Transport Scan Job, but see Keyword filtering.)
4. In the Content Fields pane, select Sender-Domains, and then click the Add button in the Content Filters pane.
5. A text box appears. Type the sender or domain that you would like to filter. If you want to use a generic domain name filter, you must use an * (wildcard character) before the domain name. Examples:
   A generic domain: *@domain.com
   A specific sender: someone@domain.com
6. Press ENTER after you have typed the sender or domain. You may add as many entries as you like.
7. Enable the filter with the Filter field.
8. In the Action field, indicate the action to take if there is a filter match.
9. Indicate whether to Send Notifications if there is a filter match. The Content Administrators set up in the Notification work pane, located under REPORT in the Shuttle Navigator, will be sent a notification that a message was filtered. In addition, you must also configure the notifications (see E-mail notifications).
10. Indicate whether to Quarantine the item if there is a filter match. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.
11. Click Save.

The scan job looks at both the display name and the e-mail address of the sender to match against sender-domains filters. It applies the filter against the display name of the mailbox first. If the display name and sender e-mail address are different, Forefront Security for Exchange Server also applies the filter against the sender e-mail address. If either matches, the filter action is taken. If you do not want to filter against sender e-mail addresses, set the registry value ContentFilterSMTPAddress to zero (0).

You can create a sender-domains filter that filters mail from all users in a domain except for specific users in that domain. For more information, see Filtering mail from all users in a domain except for specific users.

Configuring subject line filtering


Subject line filtering enables you to filter messages based on the content of the subject line of the message. Wildcard characters can be used.

To configure subject line filtering
1. In the Shuttle Navigator, click FILTERING.
2. In the upper work pane, select the Realtime Scan Job or the Manual Scan Job.
3. Select the Content icon. The Content Filtering pane appears.
4. In the Content Fields pane, select Subject Lines.
5. In the Content Filters pane, click the Add button. A text box appears. Type the content you would like to filter.
6. Press ENTER after you have typed the content. You may add as many entries as you like.
7. Enable the filter with the Filter field.
8. In the Action field, indicate the action to take if there is a filter match.
9. Indicate whether to Send Notifications if there is a filter match. The Content Administrators set up in the Notification work pane located under REPORT in the Shuttle Navigator will be sent a notification that a message was filtered. In addition, you must also configure the notifications (see E-mail notifications).
10. Indicate whether to Quarantine the item if there is a filter match. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.
11. Click Save.

If you are entering a partial subject line as a filter, it is recommended that you use asterisk wildcard characters (*) at the beginning and the end of the phrase to ensure proper detection. For example:
- The filter get rich quick filters messages that contain only the target phrase in the subject line.
- The filter *get rich quick filters messages that contain the target phrase and any phrase that ends with the target phrase in the subject line.
- The filter *get rich quick* filters messages that contain the target phrase anywhere in the subject line.

For more information about wildcards, see Matching patterns with wildcards.

Action

You must indicate the action that Forefront Security for Exchange Server should take upon detecting a match to your filter criteria.

Note: You must set the action for each file filter you configure. The action setting is not global.

For a Realtime Scan Job sender-domains or subject line filter, select the Skip or Purge action (the Manual Scan Job has a fixed value of Skip: detect only).

Skip: detect only
    Records the number of messages that meet the filter criteria, but enables messages to route normally. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.

Purge: eliminate message
    Deletes the message from your mail system. When you select this option, a warning appears, informing you that if there is a filter match, the message will be purged and unrecoverable, unless quarantined. Click Yes to continue.

Editing a content filter


Once you have created a content filter, it can be modified.

To edit a content filter
1. In the Shuttle Navigator, click FILTERING, and then select the Content icon. The Content Filtering work pane appears.
2. In the upper work pane, select the scan job for which you would like to modify the content filter.
3. Make the required changes to the various fields. The changes apply to the selected scan job.
4. Click Save to save your filter changes.

Making any change to the configuration activates the Save and Cancel buttons. If you make a change to the selected scan job and try moving to another scan job or shuttle icon without saving it, you will be prompted to save or discard your changes.

Matching patterns with wildcards


Use wildcard characters to have your filter match patterns in the content. You can use any of the following to refine your filters:

*
    Used to match any number of characters. You can use multiple asterisks. The following are some examples of its usage.
    Single: Any of these single wildcard character patterns would detect veryevil: veryevil*, very*, *il
    Multiple: Any of these multiple wildcard character patterns would detect veryevil: V*r*v*l, *very*, *evil*

?
    Matches any single character, because many malicious users insert extra characters between letters to spoof filters.
    Example: You can filter C-O-N-T-E-S-T with the filter: C?O?N?T?E?S?T

[set]
    A list of characters and ranges, enclosed in square brackets [abcdef]. Any single character in the specified set is matched.
    Example: The set is useful for creating a single rule to match when the number zero (0) is used instead of the letter o (for example, pornography and p0rnography can be filtered using p[o0]rnography).

[^set]
    Used to exclude characters that you know are not used.

[range]
    Used to indicate several possible values in a set. It is specified by a starting character, a hyphen (-), and an ending character. For example: klez[ad-gp] would match kleza, klezd, kleze, klezf, klezg, and klezp but not klezb or klezr.

\char
    Indicates that special characters are used literally (characters are: * ? [ ] - ^ < >). The backslash is called an escape character, and indicates that a reserved control character is to be taken literally, as a text character.
    Example: If you enter *hello*, you would normally expect to match hello anywhere in the file name. If you enter *\*hello\**, you would match *hello*. If you enter *\*hello\?\**, you would match *hello?*.
    Note: You must use a \ before each special character.

Content filter lists


As well as creating individual content filters (for subject lines and sender-domains), you can create lists of them to have collections of filters for use by different scan jobs or simply to organize your filters. The individual filters are created in the same way as previously described, but now, each filter is part of a list.

Creating a content filter list


Begin by creating a new filter list for either Subject Lines filters or Sender-Domains filters.

To create a content filter list
1. In the FILTERING section of the Shuttle Navigator, click the Filter Lists icon.
2. In the List Types pane, select Subject Lines or Sender-Domains.
3. In the List Names section, click the Add button.
4. Type a name for the new list and then press Enter. The empty list appears in the List Names section.
5. With the new list name selected, click the Edit button. The Edit Filter List dialog box appears. Use it to add items to the list: subject lines (text that might appear in the subject line of messages) or sender-domains (specific senders or generalized domains).
6. In the Include In Filter section, click the Add button.
7. Type a subject line, a sender, or a domain (depending on the type of filter list) to be included in the list. Press ENTER when you are finished typing. You may have as many items as you want, but each must be entered separately. Each follows all the rules already discussed for creating single subject line or sender-domains filters.
   The Exclude From Filter section is used to enter data that should never be included in the filter list. This prevents this data from accidentally being added when importing a list from a text file. For more information on importing files, see Importing items into a filter list.
8. When you are finished adding items, click OK. The list of items you just entered appears, alphabetically, in the pane next to List Names.
9. Click Save to save the list.
10. Configure the filter list the same way as described in Configuring sender-domains filtering and Configuring subject line filtering.

Importing items into a filter list


Data for filter lists may be created offline in Notepad or a similar text editor and then imported into the appropriate filter list using the Forefront Server Security Administrator. Note that Forefront Security for Exchange Server can only import lists that are UTF-16 or ANSI files. Other Unicode types will not be properly imported.

To create and import entries into a filter list
1. Create a list and save it as a text file. Place each filter on its own line in the file.
2. In the FILTERING section of the Shuttle Navigator, click Filter Lists.
3. Select the filter list into which you will be importing data.
4. Click Edit. The Edit Filter List dialog box appears.
5. Click the Import button. A File Explorer window opens. Use it to navigate to the text file you created in step 1.
6. Select the file and click Open.
7. The file is imported into the middle pane of the Import List editor to enable you to select the entries you would like to include in your filter list. Use the <=== button to move all the items into the Include In Filter section or use the <--- button to move single items. You can use the right-pointing arrows to move items into the Exclude From Import section.
8. When you have moved all the desired items, click OK.
9. Click Save to save your work.

Filtering mail from all users in a domain except for specific users
This section describes how to configure FSE to filter mail from all users in a domain except for specific users in that domain.


To filter mail from all users in a domain except for specific users
1. In the Shuttle Navigator, click FILTERING.
2. Select the Realtime Scan Job, and then select the Content icon.
3. Set up content filters containing the addresses of specific users whose messages you do not want filtered.
   a. In the lower-left corner, in the Content Fields section, select Sender-Domains, and then in the Content Filters section, click Add.
   b. In the text box that appears, type the e-mail address of the specific user. For example, type someone@example.com, and then press ENTER.
   c. In the Action field, set the action to Skip: detect only.
   Note: You can add multiple e-mail addresses, but each one must be entered separately. Repeat step 3 if you want to add more addresses whose messages you do not want filtered.
4. Set up the name of the domain that you want filtered.
   a. In the lower-left corner, in the Content Fields section, select Sender-Domains, and then in the Content Filters section, click Add.
   b. In the text box that appears, type the name of the domain that you want filtered. When you type the domain name, include the asterisk (*) wildcard character. For example, type *@example.com.
   Note: Make sure that you add the filter for the domain name directly underneath the filter for the specific users whose mail you do not want filtered. FSE works from the top of the list down.
   c. In the Action field, set the action to Purge: Eliminate Message.
5. Click Save.
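The wildcard syntax from Matching patterns with wildcards and the top-down, display-name-then-address sender-domains evaluation described in Configuring sender-domains filtering and in the procedure above, worked through as an added Python example (this is not FSE code, and FSE's own matching engine is not published in this guide). The pattern translator, the first-match walk over the filter list, and the sample filter list are constructed for illustration; they assume a pattern must match the entire field, that matching is case-insensitive, and that the first matching filter decides the action.

```python
import re

# Added example (not FSE code). Assumptions: a pattern must match the whole
# field, matching is case-insensitive, and the first matching filter wins.


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an FSE-style wildcard pattern into a compiled regex."""
    parts = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))      # \char: take it literally
            i += 2
        elif c == "*":
            parts.append(".*")                           # any number of characters
            i += 1
        elif c == "?":
            parts.append(".")                            # exactly one character
            i += 1
        elif c == "[":
            end = pattern.find("]", i + 1)
            if end == -1:
                raise ValueError("unterminated [set] in pattern: " + pattern)
            body = pattern[i + 1:end]
            negate = body.startswith("^")                # [^set] excludes characters
            if negate:
                body = body[1:]
            # keep '-' so ranges such as d-g survive; escape everything else
            cls = "".join(ch if ch == "-" else re.escape(ch) for ch in body)
            parts.append("[" + ("^" if negate else "") + cls + "]")
            i = end + 1
        else:
            parts.append(re.escape(c))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches(pattern: str, text: str) -> bool:
    """True if the whole text matches the wildcard pattern."""
    return wildcard_to_regex(pattern).match(text) is not None


def first_matching_filter(filters, display_name: str, address: str):
    """Return (pattern, action) of the first filter matching the sender, else None.

    filters is an ordered list of (pattern, action). The display name is tried
    first; the address is tried only when it differs from the display name, as
    the guide describes for sender-domains filters.
    """
    for pattern, action in filters:
        if matches(pattern, display_name):
            return pattern, action
        if address != display_name and matches(pattern, address):
            return pattern, action
    return None


# Constructed filter list: the exception for one user sits above the domain
# filter, as the "all users except specific users" procedure requires.
SAMPLE_FILTERS = [
    ("someone@example.com", "Skip: detect only"),
    ("*@example.com", "Purge: eliminate message"),
]

if __name__ == "__main__":
    for name, addr in [("Someone", "someone@example.com"),
                       ("Another User", "another@example.com"),
                       ("Outsider", "outsider@contoso.example")]:
        print(name, addr, "->", first_matching_filter(SAMPLE_FILTERS, name, addr))
```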

International character sets


Support for file filtering by name in Forefront Security for Exchange Server extends beyond the English character set. For example, messages with an attachment that includes Japanese characters, words, or phrases are handled in the same manner as English character sets.

Reporting
Messages that are filtered because of sender-domains or subject line filtering are reported in the Incidents log under the Virus or Filter heading. Messages filtered because of sender-domains matches are noted as SENDER=<filter>, and subject line matches will be reported as SUBJECT=<filter>. For activity and Incidents logs, no file name is indicated. In the quarantine area, the body and each attachment is quarantined with the sender-domains or subject line filter indicated.

Filter set templates


Filter set templates can be created for use with any Forefront Security for Exchange Server scan job. A single filter set template can be associated with any or all of the scan jobs and administrators can also create multiple filter set templates for use on different servers or different scan jobs.

Creating a filter set template


Start by creating a filter set template.

To create a filter set template
1. If the templates are not visible, display them by clicking File, selecting Templates, and then clicking View Templates.
2. Click File, select Templates, and then click New. The New Template dialog box appears.
3. Select Filter Set, enter a name for it, and then click OK. The name has a maximum of 19 characters.

Your new filter set template now appears in the list in the top pane, ready to be configured.

Configuring a filter set template


After you have created a filter set template, you must configure it.

To configure a filter set template
1. In the FILTERING section of the Shuttle Navigator, click File or Content. The File Filtering or Content Filtering work pane appears.
2. In the upper pane, select the name of the filter set template to be configured.
3. Using the Add button, add a File Filter or a Content Filter, and then specify the criteria for that filter. You may create multiple filters within a filter set template. A filter set template may contain a combination of file filters and content filters.
4. Click Save to save your work.

Associating a filter set template with a scan job


After you have created and configured a filter set template, associate it with a scan job. During scanning, Forefront Security for Exchange Server uses the filter set template configuration first and then uses any other filter setting you have specified when setting up the scan job.


To associate a filter set template with a scan job
1. In the SETTINGS section of the Shuttle Navigator, select Templates.
2. Select a scan job in the Job List.
3. Select the filter set template that you want to associate with the job from the Filter Set list in the lower pane. You can associate a single filter set template with a scan job. If you are unsure about the contents of the filter set template, click View Filter Set. Click the left arrow button at the bottom of the pane when you are finished viewing the contents.
4. Click Save. The filter set template is now associated with that scan job. During scanning, FSE uses the filter set template configuration first and then any other filter settings that you specified when setting up the scan job.

Note: To cancel the association, repeat the preceding steps and select None from the Filter Set list (or select a different filter set template).

Editing a filter set template


You can modify the settings in a filter set template.

To edit a filter set template
1. In the FILTERING section of the Shuttle Navigator, click File or Content. The File Filtering or Content Filtering work pane appears.
2. In the upper pane, select the filter set template.
3. In the lower pane, select the filter whose configuration you want to modify.
4. Click Edit and make your changes.
5. Click Save to save your changes.

Note: File filters that you created are displayed in the File Names section and can be modified. Filter set templates are also displayed; however, they cannot be selected for modification in the File Names section. To modify a filter set template, you must select its template in the upper pane. When a filter set template is assigned to a scan job, the contents of the filter set are not visible in the UI unless View Templates is selected in the File option of the menu bar.

Deleting a filter set template


You can delete a filter set template.

To delete a filter set template
1. If the filter set template has been associated with a scan job, you have to remove the association. Follow the directions in Associating a Filter Set Template With a Scan Job and either reset the association to None or select a different filter set template for the association.
2. In the job list of the Template Settings work pane, select the filter set.
3. Click File, click Templates, and then click Delete.
4. Confirm the deletion request.

Renaming a filter set template


You can rename a filter set template.

To rename a filter set template
1. In the job list of the Template Settings work pane, select the filter set.
2. Click File, select Templates, and then click Rename. The Rename Template dialog box appears.
3. Type the template's new name. The name has a maximum of 19 characters.
4. Click OK.

Distributing filter set templates to remote servers


Filter set templates can be distributed to remote servers using a deployment job in the Microsoft Forefront Server Security Management Console (FSSMC). For more information about using the FSSMC, refer to the "Microsoft Forefront Server Security Management Console User Guide". You can also use FSCStarter from a command prompt to manually install filter set templates on remote servers. The syntax of FSCStarter is:
FSCStarter t[options] [\servername]

The t parameter instructs FSCStarter to read the settings in the Template.fdb file and apply them to the named server. For complete FSCStarter instructions, see "Deploying named templates" in Templates. For example, to update the content filter settings on server1, you would enter:
FSCStarter tc \server1

Keyword filtering
Keyword Filtering helps you identify unwanted e-mail messages by analyzing the contents of the message body as it is being transported by the Transport scan job. By creating keyword lists, you can filter messages based on a variety of words, phrases, and sentences.


Creating new keyword lists


For maximum flexibility, you can create your own lists of keywords to scan for. You can thus maintain individual lists of filters for use by different scan jobs.

To create a new keyword list
1. In the FILTERING section of the Shuttle Navigator, click the Filter Lists icon.
2. In the List Types pane, select Keywords.
3. In the List Names section, click the Add button.
4. Type a name for the new list, and then press Enter. The empty list appears in the List Names section.
5. With the new list name selected, click the Edit button. The Edit Filter List dialog box appears. Use it to add content to your filter list.
6. In the Include In Filter section, click the Add button.
7. Type a word or phrase to be included in the filter list. Press Enter when you are finished typing. You may have as many words or phrases as you want, but each must be entered separately.
   The Exclude From Filter section is used to enter keywords or phrases that should never be included on the Keyword list. This prevents those words and phrases from accidentally being added when importing a list from a text file. For more information on importing files, see Importing items into a filter list.
8. When you are finished adding items, click OK. The list of words you just entered appears, alphabetically, in the pane next to List Names.
9. Click Save.

Configuring keyword lists


After you have created a keyword list, you must configure it.

To configure a keyword list
1. In the Shuttle Navigator, click FILTERING.
2. Click the Keyword icon. The Keyword Filtering work pane appears.
3. Select the Transport scan job. (Keyword filtering only works with the Transport Scan Job.)
4. In the Keyword Fields section, select Message Body.
5. Select one of the filter lists you have created.
6. Using the Filter field, set the filter to Enabled.
7. Set the Action. For more information, see Keyword filter actions.
8. Click the General tab.
9. Indicate if you would like to Send Notifications.
10. Indicate if you would like to Quarantine identified files. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.
11. Indicate what combination of Inbound, Outbound, and Internal mail should be scanned.
12. Click the Identify tab and indicate whether the filter should look in the subject line, the message header, or both.
13. Indicate the Minimum Unique Keyword Hits. This setting enables you to specify how many unique keywords must be matched for the action to be taken. The default is one (1). For example, you have set the minimum unique keyword hits value to 3. The word "wonderful", which is in the list, appears three times in the message. However, no other word in the list appears at all. The keyword filter has not been matched, because only one term in the list was matched.
14. Click Save.

Filters for racial discrimination, sexual discrimination, spam, and any other custom lists must be created individually. For profanity filters, see Example lists.

Keyword filter actions


You must indicate the action that Forefront Security for Exchange Server should take upon detecting a match to your filter criteria.

Note: You must set the action for each content filter you configure. The action setting is not global.

The action choices are:

Skip: detect only
    Records the number of messages that meet the filter criteria, but enables messages to route normally. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.

Purge: eliminate message
    Deletes the message from your mail system. When you select this option, a warning appears informing you that if there is a filter match, the message will be purged and unrecoverable, unless quarantined. Click Yes to continue.

Identify: tag message
    The subject line or message header of the detected message can be tagged with a customizable word or phrase, so that it can be identified later for processing into folders by user inboxes or for other purposes identified by the Forefront Server Security Administrator. This tag can be modified by clicking the Tag Text button on the Scan Job Settings work pane and modifying the text. The same tag, however, is used for all filters associated with the particular scan job.

Note: Forefront Security for Exchange Server keyword filtering scans both plain text and HTML message body content. If Forefront Security for Exchange Server finds a match in both the HTML and the plain text, it reports two detections in the Incidents log and the Quarantine database.

Keyword list syntax rules


The following are the syntax rules for a keyword filter list. Be careful to use the appropriate syntax because FSE does not perform validation. If the filtering results are not what you are expecting, it is recommended that you double-check your syntax.

Each item (line of text) is considered a search query. Queries use the OR operator. It is considered to be a positive detection if any entry is a match.

Queries are comprised of operands (keywords), which are text tokens or a string of text tokens, such as:
- apple (means that the text contains apple)
- apple juice (means that the text contains apple juice)
- get rich quick (means that the text contains get rich quick)

Queries may also contain operators that precede or separate operands in an expression. An expression may be comprised of a single operand, an operand preceded by the _NOT_ or _HAS[#]OF_ operators, or two operands joined by the _AND_, _ANDNOT_, or _WITHIN[#]OF_ operators. The following logical operators are supported in expressions. There must be a space between an operator and an operand (or another operator), represented in the examples by the character:
- _AND_ (logical AND). For example, apples_AND_oranges. A filter such as this would be matched if the text contains both apples and oranges.
- _NOT_ (negation). For example, _NOT_oranges. A filter such as this would be matched if the text does not contain oranges.
- _ANDNOT_ (logical AND negation). For example, apples_ANDNOT_oranges. A filter such as this would be matched if the text contains apples but does not contain oranges. _ANDNOT_ is functionally equivalent to _AND__NOT_.
- _HAS[#]OF_ (frequency). Specifies the minimum number of times that the text must appear in order for the query to be considered true. For example, _HAS[4]OF_get rich quick. If the phrase "get rich quick" is found in the text four or more times, this query is true. This operator implicitly has a default value of 1 when it is not specified.
- _WITHIN[#]OF_ (proximity). If the two terms are within a specified number of words before or after each other, there is a match. For example, free_WITHIN[10]OF_offer. If "free" appears within 10 words before or after "offer", this query is true.

Multiple operators are permitted in a single query. The precedence of the operators is (from highest to lowest):
- _WITHIN[#]OF_
- _HAS[#]OF_
- _NOT_, _AND_, and _ANDNOT_ (these are at the same precedence level because they are used in conjunction when part of an expression)

This precedence cannot be overridden with parentheses. Other considerations are:
- The logical operators must be entered in uppercase letters.
- Phrases may be used as keywords. For example, apple juice or get rich quick. Quotation marks are not used.
- Multiple blank spaces (blank characters, line feed characters, carriage return characters, horizontal tabs, and vertical tabs) are treated as one blank space for matching purposes. For example, AB is treated as AB and matches the phrase AB.
- In HTML-encoded message texts, punctuation (any non-alphanumeric character) is treated as a word separator similar to blank spaces. Therefore, words surrounded by HTML tags can be properly identified by the filter. However, note that the filter '<html>' will match '<html>', but not 'html'.

Examples (the character represents a space):
- apples_AND_oranges_AND_lemons_WITHIN[50]OF_juice
  This expression means that apples, oranges, and lemons all appear at least once, and that lemons is within 50 words of juice.
- confidential_WITHIN[10]OF_project_AND_banana_WITHIN[25]OF_shake
  This expression means that confidential is within 10 words of project, and that banana is within 25 words of shake.
- _HAS[2]OF_get rich_WITHIN[20]OF_quick
  This expression means that get rich appears at least 2 times within 20 words of quick.
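The query syntax above, with its operator precedence, together with the Minimum Unique Keyword Hits setting from Configuring keyword lists and the case-sensitivity option, worked through as an added Python example (this is not FSE code; the product's evaluator is not published in this guide). It assumes ordinary spaces separate operators from operands, that words are separated by whitespace, and that for a _WITHIN[k]OF_ b an occurrence of a counts when some b starts within k word positions of it; the sample message body and keyword list are constructed.

```python
import re

# Added example (not FSE code). Assumptions: operators are separated from
# operands by spaces, words are separated by whitespace, matching is
# case-insensitive unless case_sensitive is set, and for "a _WITHIN[k]OF_ b"
# an occurrence of a counts when some b starts within k word positions of it.

_OPERATOR = re.compile(r"^_(AND|NOT|ANDNOT|HAS\[(\d+)\]OF|WITHIN\[(\d+)\]OF)_$")


def _tokenize(query):
    """Split one query line into ("PHRASE", text) and operator items."""
    items, phrase = [], []
    for tok in query.split():
        m = _OPERATOR.match(tok)
        if not m:
            phrase.append(tok)
            continue
        if phrase:
            items.append(("PHRASE", " ".join(phrase)))
            phrase = []
        op = m.group(1)
        if op.startswith("HAS"):
            items.append(("HAS", int(m.group(2))))
        elif op.startswith("WITHIN"):
            items.append(("WITHIN", int(m.group(3))))
        else:
            items.append((op, None))            # AND, NOT or ANDNOT
    if phrase:
        items.append(("PHRASE", " ".join(phrase)))
    return items


def _occurrences(words, phrase):
    """Word positions at which the (possibly multi-word) phrase starts."""
    target = phrase.split()
    n = len(target)
    return [i for i in range(len(words) - n + 1) if words[i:i + n] == target]


def _eval_conjunct(items, words):
    """Evaluate [_NOT_] [_HAS[n]OF_] phrase (_WITHIN[k]OF_ phrase)* ."""
    negate, minimum, i = False, 1, 0
    if i < len(items) and items[i][0] == "NOT":
        negate, i = True, i + 1
    if i < len(items) and items[i][0] == "HAS":
        minimum, i = items[i][1], i + 1
    if i >= len(items) or items[i][0] != "PHRASE":
        raise ValueError("operator is not followed by a keyword")
    positions = _occurrences(words, items[i][1])
    i += 1
    # _WITHIN[k]OF_ has the highest precedence, so it is applied before _HAS_:
    # keep only occurrences that have the right-hand phrase within k words.
    while i < len(items):
        if items[i][0] != "WITHIN" or i + 1 >= len(items) or items[i + 1][0] != "PHRASE":
            raise ValueError("malformed _WITHIN[#]OF_ expression")
        k, others = items[i][1], _occurrences(words, items[i + 1][1])
        positions = [p for p in positions if any(abs(p - q) <= k for q in others)]
        i += 2
    hit = len(positions) >= minimum
    return not hit if negate else hit


def query_matches(query, text, case_sensitive=False):
    """True if a single keyword-list line matches the message text."""
    words = text.split() if case_sensitive else text.lower().split()
    items = _tokenize(query)
    if not case_sensitive:
        items = [(k, v.lower() if k == "PHRASE" else v) for k, v in items]
    # Lowest precedence: _AND_ and _ANDNOT_ split the line into conjuncts;
    # _ANDNOT_ is the same as _AND_ followed by _NOT_.
    conjuncts, current = [], []
    for k, v in items:
        if k in ("AND", "ANDNOT"):
            conjuncts.append(current)
            current = [("NOT", None)] if k == "ANDNOT" else []
        else:
            current.append((k, v))
    conjuncts.append(current)
    return all(_eval_conjunct(c, words) for c in conjuncts)


def keyword_list_matches(queries, text, min_unique_hits=1, case_sensitive=False):
    """Apply a whole list: lines are OR-ed, and the filter fires only when at
    least min_unique_hits distinct lines match. Returns (fired, matched_lines)."""
    matched = [q for q in queries if q.strip() and query_matches(q, text, case_sensitive)]
    return len(matched) >= min_unique_hits, matched


# Constructed sample message body and keyword list (not from the guide).
SAMPLE_TEXT = ("Get rich quick they said and get rich quick by Friday -- "
               "free offer inside so act now -- apples and oranges and lemons go in the juice")
SAMPLE_LIST = ["get rich quick", "free _WITHIN[10]OF_ offer", "apples _ANDNOT_ oranges"]

if __name__ == "__main__":
    print(keyword_list_matches(SAMPLE_LIST, SAMPLE_TEXT, min_unique_hits=2))
```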


Case-sensitive filtering
The General Option Case Sensitive Keyword Filtering setting causes Forefront Security for Exchange Server to use case-sensitive comparisons for all keyword filters. By default, comparisons are not case-sensitive. For more information, see "General Options" in Forefront Server Security Administrator.

Example lists
To aid you in filtering for profanity, example lists in various languages are included with the product. This is an optional component of FSE and must be installed separately. If you want to install one or more of these lists, follow these steps.

To install the example lists
1. Find the file called KeywordInstaller.msi in the installation folder and double-click it.
   Note: The .msi file is not present on any computer which has had an Administrator-only installation or on one that does not contain a Forefront Security product.
2. You must read and consent to the license agreement/disclaimer.
3. You are presented with a list of available files. You may select any number of the various language files. The files you select are placed into a folder called Example Keywords in the database directory (which, by default, is c:\Program Files(x86)\Microsoft Forefront Security\Exchange Server\Data).
4. After the files have been extracted, you must import them into your filters. For more information on importing files, see Importing items into a filter list.

Note: It is your responsibility to visually inspect all of the selected files to determine if there are words that are completely harmless in your environment, especially if you are using multiple language files. You must review the imported list and decide if you are going to eliminate any word clashes. If a certain word is unacceptable in one language but harmless in another, you must determine what is more important to you: catching everything (the default, if you accept all the words in all the selected lists) at the risk of false positives, or risking not detecting something by deleting words from the list (which avoids those false positives).

Allowed senders lists


Forefront Security for Exchange Server provides allowed senders list functionality so that administrators can maintain lists of safe e-mail addresses or domains that are not subjected to filtering by the Transport Scan Job. (The allowed sender lists have no effect on scanning for viruses.) Forefront Security for Exchange Server checks the sender address or domain against the allowed senders list. If the e-mail address or domain appears on the allowed senders list, Forefront Security for Exchange Server will bypass all filtering that has been enabled for the list.

To create an allowed senders list
1. In the FILTERING section of the Shuttle Navigator, click the Filter Lists icon.
2. In the List Types section, select Allowed Senders.
3. In the List Names section, click the Add button.
4. Type a name for the new list and then press ENTER. The empty list appears in the List Names section.
5. With the new list name selected, click the Edit button. The Edit Filter List dialog box appears. Use it to enter e-mail addresses or e-mail domains to include in the allowed senders list.
6. In the Include In Filter section, click the Add button.
7. Type an e-mail address or domain to be included in the filter list. Press ENTER when you are finished typing. User addresses should be entered in the format: user@customer.com. E-mail domain names should be entered in the format: *domain. You may have as many allowed senders as you want, but each address or domain must be entered separately.
   The Exclude From Filter section is used to enter addresses or domains that should never be included on the allowed senders list. This prevents those addresses and domains from accidentally being added when importing a list from a text file. For more information on importing files, see Importing items into a filter list.
8. When you are finished adding items, click OK. The list of addresses and domains you just entered appears, alphabetically, in the pane next to List Names.
9. Click Save.

Enabling allowed senders lists


After you have created an allowed senders list, you must enable it.

To enable an allowed senders list
1. In the Shuttle Navigator, click FILTERING.
2. Click the Allowed Senders icon. The Allowed Senders work pane appears.
3. From the list in the upper pane, select the Transport Scan Job.
4. In the Sender Lists pane, select the name of the allowed senders list.
5. Set the List State to Enabled.
6. In the Skip scanning for section, indicate whether the allowed senders list should apply to Keyword Filtering, File Filtering, or both. You can click All Types to select all the choices. If none of the check boxes are selected, the allowed senders list is effectively disabled.
7. Click Save.

Importing items into a filter list


Data for filter lists may be created offline in Notepad or a similar text editor and then imported into the appropriate filter list using the Forefront Server Security Administrator. Note that Forefront Security for Exchange Server can only import lists that are UTF-16 or ANSI files. Other Unicode encodings (for example UTF-8) are not imported properly.

To create and import entries into a filter list
1. Create a list and save it as a text file. Place each filter on its own line in the file.
2. In the FILTERING section of the Shuttle Navigator, click Filter Lists.
3. Select the filter list into which you will be importing data.
4. Click Edit. The Edit Filter List dialog box appears.
5. Click the Import button. A File Explorer window opens. Use it to navigate to the text file you created in step 1.
6. Select the file and click Open.
7. The file is imported into the middle pane of the Import List editor so that you can select the entries you would like to include in your filter list. Use the <=== button to move all the items into the Include In Filter section or use the <--- button to move single items. You can use the right-pointing arrows to move items into the Exclude From Import section.
8. When you have moved all the desired items, click OK.
9. Click Save.
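The two things that go wrong with an offline list are the entry format (step 7 of the allowed senders procedure) and the file encoding (an editor that saves UTF-8 produces a file the import mangles). The following PowerShell is an added example, not code from the FSE documentation: it validates entries against the two documented forms, writes the file as UTF-16 LE with a byte-order mark, and sniffs an existing file's BOM before you import it. The function names, the character classes used to validate entries, the treatment of UTF-16 BE as not importable, and the sample addresses are this example's own assumptions; the page documents only "one entry per line, UTF-16 or ANSI".

```powershell
# Added example (not part of the FSE documentation): build a filter-list import
# file in an encoding FSE accepts, and sanity-check an existing file before import.
# Function names, the regexes and the sample entries are this example's assumptions.

function Test-FseSenderEntry {
    param([Parameter(Mandatory)][string]$Entry)
    # The two documented forms are user@customer.com and *domain.
    # The character classes are an assumption; FSE does not publish a grammar.
    return ($Entry -match '^[^\s@*]+@[^\s@*]+\.[^\s@*]+$') -or
           ($Entry -match '^\*[^\s*@]+$')
}

function New-FseFilterListFile {
    param(
        [Parameter(Mandatory)][string[]]$Entries,
        [Parameter(Mandatory)][string]$Path
    )
    $bad = $Entries | Where-Object { -not (Test-FseSenderEntry $_) }
    if ($bad) { throw "Rejected entries (not user@domain or *domain): $($bad -join ', ')" }

    # One entry per line, de-duplicated case-insensitively, written as UTF-16 LE with BOM.
    # WriteAllLines emits the BOM for Encoding.Unicode and terminates each line with CRLF.
    $lines = @($Entries | ForEach-Object { $_.Trim() } | Sort-Object -Unique)
    [System.IO.File]::WriteAllLines($Path, [string[]]$lines, [System.Text.Encoding]::Unicode)
    return $lines.Count
}

function Test-FseImportEncoding {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) { return 'UTF-16 LE (importable)' }
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        return 'UTF-8 with BOM (not importable: re-save as Unicode or ANSI)'
    }
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF) {
        return 'UTF-16 BE (assumed not importable: re-save as UTF-16 LE)'
    }
    if (@($bytes | Where-Object { $_ -ge 0x80 }).Count -eq 0) { return 'ASCII (importable as ANSI)' }
    return 'No BOM with 8-bit characters: could be ANSI (importable) or UTF-8 (not); re-save as Unicode to be safe'
}

# Usage with constructed sample entries.
$tmp = Join-Path $env:TEMP 'allowed-senders.txt'
$n = New-FseFilterListFile -Entries @('billing@customer.com', '*partner.example', 'ops@customer.com') -Path $tmp
"$n entries written; encoding check: $(Test-FseImportEncoding $tmp)"
```

Run the encoding check against any list a colleague hands you before clicking Import; a UTF-8 file imports without an error message but with garbled entries, which then silently fail to match.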

Purging messages infected by worms


Forefront Security for Exchange Server enables you to configure the Transport Scan Job and the Realtime Scan Job to purge messages infected by worms. Worm purging is a powerful feature for containing attacks before they harm your network. Forefront Security for Exchange Server identifies worm messages using a regularly updated worm list called WormPrge.dat, which is maintained by Microsoft and updated like the antivirus scan engines. The WormPrge.dat file typically contains the names of worms that are reported by the current third-party scan engines. (Note that each scan engine may report the worm name differently.)

Note: The definitions in the worm list differ from the definitions that are used by the antivirus scan engines. The worm list includes generic worm name entries. These entries may help provide more protection against future worms that are part of a worm family that has already been detected. For example, if a new worm that is named "Win32/abcdef.A@mm" is detected, Forefront Security for Exchange Server updates the worm list to include a generic entry such as "*abcdef*". This entry covers any new variant of the same worm, such as Win32/abcdef.M@mm. Because the worm list contains generic worm name entries, the worm list does not have to be updated as frequently as the antivirus scan engines are.

Purging by the Realtime scanner


The registry value RealtimePurge is used by the Realtime Scan Job to determine whether or not worm purging is enabled. The Exchange registry value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\VirusScan\EnableScanDeletion determines whether VSAPI message purging is enabled. If EnableScanDeletion is set to 1, when the Realtime Scan Job finds a message body or an attachment that should be purged, it sends the message VIRSCAN_DELETE_MESSAGE to FSEVSAPI and Exchange deletes the entire message. Realtime worm purging therefore depends on both settings: RealtimePurge tells FSE to request the purge, and EnableScanDeletion lets Exchange carry it out. Forefront Security for Exchange Server is not given access to the entire message before it is purged. FSE does not support quarantine for Realtime worm purging.

Purging by the Transport scanner


When the Transport scanner determines that a message is infected with a worm, it purges the message by deleting it entirely. Purging is handled for both inbound and outbound Edge Transport or Hub Transport messages. No message or notification is sent to the intended recipient of the infected message. Messages purged by the Transport scanner are not recoverable. The Transport scanner can be configured to send notifications to the administrator and the sender by selecting Send Notifications on the File Filtering work pane. It cannot be configured to send notifications to the recipients of purged worm messages, because this would prevent purging worm-generated messages. Worm viruses (messages and attachments) that are purged by the Transport scanner are not quarantined even if quarantine is enabled. This is to prevent the quarantine database from receiving hundreds or thousands of copies of the same message.

Purging by the Manual scanner


Forefront Security for Exchange Server does not support message purging during a manual scan.

Using file filtering to purge worm viruses


To prevent a new worm threat from spreading before a scanner engine is updated, the attachment names for worm-generated messages can be placed in the file filter list under the File Filtering work pane. This is done by accessing the File Filtering work pane (for more information see File filtering) and adding a new entry to the file names list with Purge: eliminate message as the action.

The file filter is configured to send notifications to the administrator and the sender by default. It cannot be configured to send notifications to the recipients of purged worm messages, because this would prevent purging worm-generated messages.

Note: When you select the Purge: eliminate message option, the entire message is deleted and is not recoverable. It is recommended that you only select this action for the purpose of purging worm messages prior to the release of virus scanner updates. Unlike quarantining for non-worm messages, even if you select Quarantine Message, only the attachment that triggered the filter is quarantined; the message body and any other attachments are deleted. This should not present any problems when using filtering for worm messages because the message body has no value and should not contain any other attachments.

Notifications
The Transport and Realtime scanners can be configured to send distinct notification messages to the Worm Administrator when a message is purged. Additionally, notifications can be sent when a message is purged by the file filter. All notifications can be modified, as needed, in the Notification Setup work pane, described in E-mail notifications.

Enabling and updating worm purging


When you install or upgrade Forefront Security for Exchange Server, the worm purge feature is enabled by default. WormPrge.dat is installed in the Data\Engines\x86\Wormlist\Bin folder, which can be found in the directory where Forefront Security for Exchange Server was installed. To disable the worm purge feature for the Transport Scan Job, set the TransportPurge registry value to 0. To disable the worm purge feature for the Realtime Scan Job, set the RealtimePurge registry value to 0. For more information about these values, including their location, see Registry keys.

Note: Each time you alter these registry values, you must recycle the Exchange IMC service for the change to take effect for the Transport Scan Job and recycle the Exchange Information Store for the change to take effect for the Realtime Scan Job.

Updating the worm purge list


As new worm threats are identified, the worm identification list is updated by Microsoft and the new update becomes available for download by the same process that is used for updating virus scan engines. Updates can be performed manually or by schedule. After a successful update, the Data\Engines\x86\Wormlist\Bin folder will contain the newest version of the WormPrge.dat file and a LastKnownGood folder will contain the previous WormPrge.dat file. For more information about performing updates, see File scanner updating.

Creating a custom worm purge list


Administrators can create a custom worm purge list (CustPrge.dat) either to specify additional virus names not already included in the WormPrge.dat file or to create a list to purge all messages that are identified as infected by a virus. Infected messages and files will then be checked against both the worm purge list and the custom purge list.

To create a custom worm purge list
1. Create a new folder named CustomList in the Data\Engines\x86\Wormlist folder, located in the Microsoft Forefront Security\Exchange Server folder.
2. Create a file named CustPrge.dat in the CustomList folder.
3. Using a text editor, enter the names of the viruses you would like to have purged into CustPrge.dat. Place only a single virus name on each line, followed by a carriage return. These names can be obtained from antivirus engine update notifications or antivirus engine vendor Web sites. Entries may contain asterisk (*) wildcard characters. Note: If different antivirus companies refer to the same virus by different names, include each of the names in the CustPrge.dat file to be fully protected.
4. If you would like all virus-infected messages to be purged, enter a single line consisting of just an asterisk (*), followed by a carriage return. This results in all messages identified as infected being purged. Note: Because this would result in all infected messages being purged and unrecoverable, it is not recommended that you use this procedure. Instead, use the Delete or Clean options for non-worm viruses, because these options enable infected messages and files to be quarantined.
5. Recycle the Microsoft Exchange Transport service.
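Before a custom purge list goes onto a production server it is worth seeing exactly which detection names each wildcard entry would swallow, since a pattern that is too broad purges mail unrecoverably. The following PowerShell is an added example and not FSE's own code: it evaluates detection names against a candidate list with the same * wildcard semantics the page describes, then writes the list into the CustomList folder using the procedure above. The default install path, the ASCII encoding of CustPrge.dat, the service name MSExchangeTransport, case-insensitive matching, and all of the sample names are this example's assumptions; the page documents only the folder layout, "one name per line" and the * wildcard.

```powershell
# Added example (not FSE's own code): preview what a custom worm purge list would
# match, then write it. Install path default, ASCII encoding, service name and
# case-insensitive matching are assumptions; the sample names are constructed.

function Test-FsePurgeMatch {
    param(
        [Parameter(Mandatory)][string]$DetectionName,
        [Parameter(Mandatory)][string[]]$Patterns
    )
    # Returns the first pattern that matches, or $null. -like treats * as a wildcard
    # (and ? as a single character, which the page does not mention; escape it if needed).
    foreach ($p in $Patterns) {
        if ($DetectionName -like $p) { return $p }
    }
    return $null
}

function New-FseCustomPurgeList {
    param(
        [Parameter(Mandatory)][string[]]$Names,
        [string]$InstallPath = "${env:ProgramFiles(x86)}\Microsoft Forefront Security\Exchange Server",
        [switch]$AllowPurgeAll,      # required to write a bare '*' line
        [switch]$RestartTransport    # the list is not read until the transport service recycles
    )
    $clean = @($Names | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object -Unique)
    if (($clean -contains '*') -and -not $AllowPurgeAll) {
        throw "A bare '*' purges every infected message unrecoverably; pass -AllowPurgeAll if you really want that."
    }
    $dir  = Join-Path $InstallPath 'Data\Engines\x86\Wormlist\CustomList'
    $file = Join-Path $dir 'CustPrge.dat'
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    # One name per line, each terminated by CRLF. ASCII is an assumption about
    # what the worm-list reader expects.
    [System.IO.File]::WriteAllText($file, (($clean -join "`r`n") + "`r`n"), [System.Text.Encoding]::ASCII)
    if ($RestartTransport) { Restart-Service -Name MSExchangeTransport }
    return $file
}

# Preview with constructed names. Include each vendor's name for the same worm, as the page advises.
$patterns = @('*abcdef*', 'W32/Example.worm!*', 'Win32/Example.B@mm')
foreach ($seen in 'Win32/abcdef.M@mm', 'W32/Example.worm!gen', 'Win32/Example.C@mm', 'EICAR-STANDARD_AV_TEST_FILE') {
    $hit = Test-FsePurgeMatch -DetectionName $seen -Patterns $patterns
    '{0,-32} {1}' -f $seen, $(if ($hit) { "purged by '$hit'" } else { 'not in list (left to the engine action, not purged)' })
}
# Write the list for real only on the server (no restart unless -RestartTransport is given):
# New-FseCustomPurgeList -Names $patterns
```

The preview makes the family-name trick visible: '*abcdef*' catches Win32/abcdef.M@mm, but the exact entry Win32/Example.B@mm does nothing for the C variant, so a per-family wildcard plus one exact name per vendor is the usual shape of a useful list.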

E-mail notifications
E-mail notifications are critical in keeping Exchange users informed about changes that occur to their attachments due to virus cleaning and file filtering, or informing users of infections that exist when a virus is detected and not cleaned. E-mail notifications are also important to administrators who prefer to have information delivered directly to their mailbox instead of continually checking logs for activity.

How notifications are sent


Forefront Security for Exchange Server utilizes SMTP messaging for notification purposes, placing the message in the SMTP service Pickup folder and resolving the Exchange name with the Active Directory directory service. By default, the server profile used for this purpose is Forefront_Server_Name. For example: Forefront_EX_Server1. To change the server profile, you must modify the FromAddress registry value.

To change the FromAddress registry value on Exchange 2007
1. Open the Registry Editor and navigate to one of these registry values:
For 32-bit systems (only valid during evaluation of FSE): HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Server Security\Notifications\FromAddress
For 64-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Notifications\FromAddress
2. Change the default value to the sender name you would like. Alphanumeric characters are acceptable. You may also use the at sign (@) or a period (.), but these characters cannot be the first or last character. Any illegal characters are replaced with an underscore (_).
3. You must restart the Exchange and Forefront Security services for this change to take effect.
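The procedure above can be scripted so that the character rules are applied before anything is written and the right hive is chosen automatically. The following PowerShell is an added example, not FSE's own tooling: it normalizes the sender name the way the page describes (letters, digits, @ and . allowed, @ and . not first or last, anything else replaced with _), picks the Wow6432Node path on 64-bit Windows, and supports -WhatIf so you can see the change before making it. The acceptance of _ (because the default value Forefront_Server_Name contains it), the function names and the sample sender name are this example's assumptions; the registry paths are the ones the page gives.

```powershell
# Added example (not FSE's own code): validate and set the notification FromAddress.
# Registry paths are from the documentation; accepting '_' is an assumption drawn
# from the default value Forefront_Server_Name. Nothing takes effect until the
# Exchange and Forefront Security services are restarted.

function ConvertTo-FseFromAddress {
    param([Parameter(Mandatory)][string]$Name)
    $normalized = [regex]::Replace($Name, '[^A-Za-z0-9@._]', '_')
    if ($normalized -match '^[@.]' -or $normalized -match '[@.]$') {
        throw "'$normalized': '@' and '.' may not be the first or last character"
    }
    if ($normalized -ne $Name) {
        Write-Warning "Illegal characters in '$Name' replaced with '_': '$normalized'"
    }
    return $normalized
}

function Set-FseFromAddress {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    $value = ConvertTo-FseFromAddress -Name $Name
    # 64-bit Windows keeps the 32-bit FSE settings under Wow6432Node; the non-Wow path
    # applies only to the 32-bit evaluation build.
    $key = if ([Environment]::Is64BitOperatingSystem) {
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Notifications'
    } else {
        'HKLM:\SOFTWARE\Microsoft\Forefront Server Security\Notifications'
    }
    $current = (Get-ItemProperty -Path $key -Name FromAddress -ErrorAction SilentlyContinue).FromAddress
    if ($PSCmdlet.ShouldProcess("$key\FromAddress", "change '$current' to '$value'")) {
        if (-not (Test-Path $key)) { throw "FSE notification key not found: $key (is FSE installed?)" }
        Set-ItemProperty -Path $key -Name FromAddress -Value $value -Type String
        Write-Warning 'Restart the Exchange and Forefront Security services for the new sender to be used.'
    }
    return $value
}

# Dry run: reports what would change without touching the registry.
Set-FseFromAddress -Name 'Forefront.Alerts@mail.example' -WhatIf
```

Drop -WhatIf to apply the change; the function still refuses a name that starts or ends with @ or ., which the Registry Editor would happily accept and FSE would then silently rewrite.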

Configuring notifications
There are various types of notification messages and each can be individually configured.

To configure notifications
1. In the REPORT area of the Shuttle Navigator, select Notification. The Notification Setup work pane appears. The top pane contains the list of default notification roles. Each role can be customized, as well as enabled or disabled. For more information about each of the roles, see Notification roles.
2. Enable those notifications that are to be in effect. (For more information, see Enabling and disabling a notification.) Note: Scan job configurations control whether a scan job sends any enabled notifications.
3. Make the desired changes to the notifications that are to be enabled. For more information, see Editing a notification.
4. Click Save to save your work.


Notification roles
The following list describes the various notification roles. Typically, each notification is used for reporting the who, what, where, and when details of the infection or the filtering performed, including the disposition of the virus or the attachment.
Virus Administrators: Alerts administrators of all viruses detected on a server being protected by FSE.
Virus Sender (internal): Alerts the sender of the infection, if the sender is an Exchange user in your organization. The typical message would include help in determining the extent of infection on the user's own computer, who to call, and how to proceed.
Virus Sender (external): Alerts the sender of the infection, if the sender is not a user in your organization. Because mass-mailing worms almost always forge the sender address, enabling this role mostly sends notifications to uninvolved third parties; leave it disabled unless you have a specific need.
Virus Recipients (internal): Alerts the recipient of the infection, if the recipient is an Exchange user in your organization. The typical message would include help in determining the extent of infection on the user's own computer, who to call, and how to proceed.
Virus Recipients (external): Alerts the recipient of the infection, if the recipient is not a user in your organization.
File Administrators: Alerts administrators of all messages that are filtered by file filtering on the server being protected by FSE. This notification is also used for messages purged by the file filter.
File Sender (internal): Alerts the sender of the filtered attachment, if the sender is an Exchange user in your organization. This notification is also used for messages purged by the file filter.
File Sender (external): Alerts the sender of the filtered attachment, if the sender is not a user in your organization. This notification is also used for messages purged by the file filter.
File Recipients (internal): Alerts the recipient of the filtered attachment, if the recipient is an Exchange user in your organization. This notification is also used for messages purged by the file filter.
File Recipients (external): Alerts the recipient of the filtered attachment, if the recipient is not a user in your organization. This notification is also used for messages purged by the file filter.
Worm Administrators: Alerts administrators of all worm messages that are detected or purged by Forefront Security for Exchange Server.
Content Administrators: Alerts administrators of all messages that are filtered by content filtering (sender and subject line filtering).
Content Sender (internal): Alerts the sender that a message was filtered by sender or subject line filtering, if the sender is an Exchange user in your organization.
Content Sender (external): Alerts the sender that a message was filtered by sender or subject line filtering, if the sender is not a user in your organization.
Content Recipients (internal): Alerts the recipient that a message was filtered by sender or subject line filtering, if the recipient is an Exchange user in your organization.
Content Recipients (external): Alerts the recipient that a message was filtered by sender or subject line filtering, if the recipient is not a user in your organization.
Keyword Administrators: Alerts administrators of all messages that are filtered by keyword filtering.
Keyword Sender (internal): Alerts the sender that a message was filtered by keyword filtering, if the sender is an Exchange user in your organization.
Keyword Sender (external): Alerts the sender that a message was filtered by keyword filtering, if the sender is not a user in your organization.
Keyword Recipients (internal): Alerts the recipient that a message was filtered by keyword filtering, if the recipient is an Exchange user in your organization.
Keyword Recipients (external): Alerts the recipient that a message was filtered by keyword filtering, if the recipient is not a user in your organization.

Configuring internal addresses


Internal addresses must be identified in Forefront Security for Exchange Server so that the proper notifications can be sent to senders and recipients. Internal addresses are configured with the Internal Address option in the General Options pane or by use of the Domains.dat file. For information about configuring internal addresses, see the "General Options" section in Forefront Server Security Administrator.


Enabling and disabling a notification


The Enable and Disable buttons in the Notification Setup work pane permit you to enable or disable any selected notification. The current status of each notification is displayed in the list in the top pane, under the State column. A change made to the status of a notification takes effect as soon as you click Save. Note: Scan job configurations control whether a scan job sends any enabled notifications.

Editing a notification
The changes that are made to the lower portion of the Notification Setup work pane apply to the notification role currently selected in the notification list. Making any change to the configuration activates the Save and Cancel buttons. If you make a change to a notification and try moving to another notification role or shuttle icon without saving it, you are prompted to save or discard your changes. All changes take effect immediately when saved. The following are the fields that can be edited:
To: A semicolon-separated list of people and groups who will receive the notification. This list can include Exchange names, aliases, groups, and Keyword substitution macros. Notifications may also be sent to Cc and Bcc recipients.
Subject: The text that will be sent on the subject line of the notification. This field can include Keyword substitution macros.
Body: The text that will be sent as the body of the notification. This field can include Keyword substitution macros. (Administrators may also include the MIME headers in this field by inserting the %MIME% macro.)
Note: When enabling Virus Administrators, File Administrators, Worm Administrators, or Keyword Administrators notifications on an Edge server, you must use a full SMTP address (for example, Administrator@microsoft.com) for the notification to work properly.

Reporting and statistics


Forefront Security for Exchange Server provides various mechanisms to help administrators analyze the state and performance statistics of the Forefront Security for Exchange Server services through the Forefront Server Security Administrator.


Incidents database
The Incidents database (Incidents.mdb) contains all virus and filter detections for a Microsoft Exchange Server, regardless of the scan job that caught the infection or performed the filtering. To view the Incidents database, click REPORT in the Shuttle Navigator, and then click the Incidents icon. The Incidents work pane appears. This is the information that Forefront Security for Exchange Server reports for each incident:
Time: The date and time of the incident.
State: The action taken by Forefront Security for Exchange Server.
Name: The name of the scan job that reported the incident.
Folder: The name of the folder where the file was found. This column also reports whether messages were inbound or outbound when caught by the Transport scanner. Messages that are being relayed by the Edge Transport or Hub Transport server are reported as inbound and outbound to distinguish them from standard inbound and outbound messages.
Message: The subject line of the message or the name of the file that triggered the incident.
File: The name of the virus or the name of the file that matched a file or content filter.
Incident: The type and name of the incident detected.
Sender Name: The name of the person who sent the infected or filtered message.
Sender Address: The e-mail address of the person who sent the infected or filtered message.
Recipient Names: The names of the people who received the infected or filtered message.
Recipient Addresses: The e-mail addresses of the people who received the infected or filtered message.
Cc Names: The names of the Cc recipients.
Cc Addresses: The e-mail addresses of the Cc recipients.
Bcc Names: The names of the Bcc recipients.
Bcc Addresses: The e-mail addresses of the Bcc recipients.

Note: Forefront Security for Exchange Server keyword filtering scans both plain text and HTML message body content. If Forefront Security for Exchange Server finds a match in both the HTML and the plain text, it reports two detections in the Incidents database and the Quarantine database.

VirusLog.txt
Incidents can also be written to a text file called VirusLog.txt, located in the Microsoft Forefront Security for Exchange Server installation path. To enable this feature, select Enable Forefront Virus Log in General Options (it is disabled by default). The following is a sample entry from the VirusLog.txt file:
Thu. Apr 25 14:12:51 2002 (3184), "Information: Realtime scan found virus: Folder: First Storage Group\Usera\Inbox Message: Hello File: Eicar.com Incident: VIRUS=EICAR-STANDARD_AV_TEST_FILE State: Cleaned"
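VirusLog.txt is the easiest feed to ship to a log collector, but its entries are free text, so something has to turn them into fields. The following PowerShell is an added example and not part of FSE: it parses lines of the shape shown above into objects, converts the timestamp, and summarizes a batch, flagging detections whose State shows FSE did not clean, remove or purge the item (the case the E-mail notifications section says users should be told about). The regular expression is derived from that single documented sample, so entries for other incident kinds may be laid out differently; the function names, the list of "acted on" states, and the two extra log lines are this example's constructed assumptions.

```powershell
# Added example (not FSE's own code): parse VirusLog.txt lines of the documented shape
# and summarize them. The regex comes from the one sample on the page (assumption that
# other entries look the same); the second and third sample lines below are constructed.

$FseLogPattern = '^(?<Time>.+?) \((?<Pid>\d+)\), "(?<Level>[^:]+): (?<Job>\w+) scan found (?<Kind>[^:]+): ' +
                 'Folder: (?<Folder>.+?) Message: (?<Message>.+?) File: (?<File>.+?) ' +
                 'Incident: (?<Incident>.+?) State: (?<State>.+?)"$'

function ConvertFrom-FseVirusLogLine {
    param([Parameter(Mandatory)][string]$Line)
    if ($Line -notmatch $FseLogPattern) { return $null }    # unknown layout: the caller counts it
    $m = $Matches
    $time = $null
    try {
        # "Thu. Apr 25 14:12:51 2002"; collapse the double space ctime uses for days 1-9.
        $time = [datetime]::ParseExact(($m.Time -replace '\s+', ' '), 'ddd\. MMM d HH:mm:ss yyyy',
                                       [Globalization.CultureInfo]::InvariantCulture)
    } catch { }
    [pscustomobject]@{
        Time     = $time
        TimeRaw  = $m.Time
        Job      = $m.Job          # Realtime, Transport, Manual
        Kind     = $m.Kind         # e.g. virus
        Folder   = $m.Folder
        Message  = $m.Message
        File     = $m.File
        Incident = $m.Incident     # e.g. VIRUS=EICAR-STANDARD_AV_TEST_FILE
        State    = $m.State        # Cleaned, Removed, ...
    }
}

function Get-FseVirusLogSummary {
    param([Parameter(Mandatory)][string[]]$Lines)
    $parsed = @(); $unparsed = 0
    foreach ($l in $Lines) {
        if (-not $l.Trim()) { continue }
        $e = ConvertFrom-FseVirusLogLine -Line $l
        if ($e) { $parsed += $e } else { $unparsed++ }
    }
    # States that mean FSE acted on the item (assumed list); anything else deserves a look.
    $acted = 'Cleaned', 'Removed', 'Purged'
    [pscustomobject]@{
        Entries    = $parsed.Count
        Unparsed   = $unparsed
        ByIncident = @($parsed | Group-Object Incident | ForEach-Object { '{0} x{1}' -f $_.Name, $_.Count })
        NotActedOn = @($parsed | Where-Object { $acted -notcontains $_.State })
    }
}

# The first line is the documented sample; the other two are constructed for this example.
$sample = @(
  'Thu. Apr 25 14:12:51 2002 (3184), "Information: Realtime scan found virus: Folder: First Storage Group\Usera\Inbox Message: Hello File: Eicar.com Incident: VIRUS=EICAR-STANDARD_AV_TEST_FILE State: Cleaned"',
  'Thu. Apr 25 14:13:02 2002 (3184), "Information: Transport scan found virus: Folder: Inbound Message: Invoice File: invoice.zip Incident: VIRUS=EICAR-STANDARD_AV_TEST_FILE State: Removed"',
  'Thu. Apr 25 14:15:40 2002 (3184), "Information: Realtime scan found virus: Folder: First Storage Group\Userb\Inbox Message: Re: test File: eicar.com.txt Incident: VIRUS=EICAR-STANDARD_AV_TEST_FILE State: Skipped"'
)
$summary = Get-FseVirusLogSummary -Lines $sample
$summary | Format-List Entries, Unparsed, ByIncident
$summary.NotActedOn | Format-Table Time, Job, Folder, File, State -AutoSize
```

Pipe `Get-Content VirusLog.txt` into Get-FseVirusLogSummary on a server to run it against real data; a non-zero Unparsed count tells you the regex needs extending for an entry type this page does not show, which is better than silently dropping those lines.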

Forefront Security for Exchange Server incidents


The following list describes the various incidents FSE reports. Several of the reported incidents are controlled through settings in General Options; the controlling setting, if any, is given in parentheses after the incident name.
CorruptedCompressedFile (Delete Corrupted Compressed Files): Forefront has deleted a corrupted compressed file.
CorruptedCompressedUuencodeFile (Delete Corrupted Uuencode Files): Forefront has deleted a corrupted compressed UUENCODE file.
EncryptedCompressedFile (Delete Encrypted Compressed Files): Forefront has deleted an encrypted compressed file.
EngineLoopingError (not applicable): Forefront has deleted a file that caused a scan engine to be caught in a read/write loop while scanning or attempting to clean the file.
ExceedinglyInfected (Maximum Container File Infections): Forefront has deleted a container file because it exceeded the maximum number of infections, as set in Max Container File Infections in General Options.
ExceedinglyNested (Maximum Nested Compressed Files): Forefront has deleted a container file because it exceeded the maximum nested depth, as set in Max Nested Compressed Files in General Options.
ExceedinglyNested (Maximum Nested Attachments): Forefront has deleted a file because it exceeded the maximum nested attachment limit, as set in Max Nested Attachments in General Options. The default is 30 attachments. For more information, see MaxNestedAttachments in Registry keys.
FragmentedMessage (not applicable): A fragmented SMTP message has been replaced with the fragmented message deletion text.
LargeInfectedContainerFile (Maximum Container File Size): Forefront has deleted a file because it exceeded the maximum container size that it will attempt to clean or repair. The default is 26 MB, but you may change the value with the Max Container File Size option in General Options.
ScanTimeExceeded (Max Container Scan Time (msec) - Realtime/Transport, or Max Container Scan Time (msec) - Manual): Forefront has deleted a container file because it exceeded the maximum scan time. The default values, in milliseconds (msec), are 120000 msec (2 minutes) for Realtime/Transport scans and 600000 msec (10 minutes) for Manual scans.
UnReadableCompressedFile (not applicable): Forefront has deleted a compressed file that it could not read.
UnWritableCompressedFile (not applicable): Forefront has deleted a compressed file to which it cannot write (for example, during a cleaning operation).

Statistics
Forefront Security for Exchange Server tracks statistics for both messages and attachments for each scan job.

Message statistics
Several kinds of statistics are maintained for messages.
Messages Scanned: The number of messages scanned by Forefront Security for Exchange Server since the last restart of the services.
Messages Detected: The number of messages scanned that contained a virus or matched a file or content filter since the last restart of the services.
Messages Tagged: The number of messages tagged by Forefront Security for Exchange Server due to a filter match since the last restart of the services.
Messages Purged: The number of messages purged by Forefront Security for Exchange Server due to a virus detection or filter match since the last restart of the services (action set to Purge: eliminate message, or a worm purge match).
Total Messages Scanned: The number of messages scanned by Forefront Security for Exchange Server since the product was installed.
Total Messages Detected: The number of messages scanned that contained a virus or matched a file or content filter since the product was installed.
Total Messages Tagged: The number of messages tagged by Forefront Security for Exchange Server due to a filter match since the product was installed.
Total Messages Purged: The number of messages purged by Forefront Security for Exchange Server due to a virus detection or filter match since the product was installed.

Attachment statistics
Several kinds of statistics are maintained for message attachments.
Attachments Scanned: The number of attachments scanned by Forefront Security for Exchange Server since the last restart of the services.
Attachments Detected: The number of attachments scanned that contained a virus or matched a file or content filter since the last restart of the services.
Attachments Cleaned: The number of attachments that were cleaned by Forefront Security for Exchange Server due to a virus infection or filter match since the last restart of the services.
Attachments Removed: The number of attachments that were removed by Forefront Security for Exchange Server due to a virus infection or filter match since the last restart of the services.
Total Attachments Scanned: The number of attachments scanned by Forefront Security for Exchange Server since the product was installed or the Statistics pane was last reset.
Total Attachments Detected: The number of attachments scanned that contained a virus or matched a file or content filter since the product was installed or the Statistics pane was last reset.
Total Attachments Cleaned: The number of attachments that were cleaned by Forefront Security for Exchange Server due to a virus infection or filter match since the product was installed or the Statistics pane was last reset.
Total Attachments Removed: The number of attachments that were removed by Forefront Security for Exchange Server due to a virus infection or filter match since the product was installed or the Statistics pane was last reset.

FSE scans the message body and the attachments but reports all scanned message parts as attachments. A single message with one attachment, therefore, is reported as two attachments in the Statistics pane.

Managing statistics
To reset all statistics for a scan job, click the x next to the scan job's name in the Statistics section of the Incidents work pane. To save the report and the statistics in either formatted text or delimited text format, click the Export button on the Incidents work pane.

Quarantine
Forefront Security for Exchange Server, by default, creates a copy of every detected file in its original form (that is, before a Clean, Delete, or Skip action occurs). These files are stored in an encoded format in the Quarantine folder under the Forefront Security for Exchange Server DatabasePath folder (which defaults to the installation folder). The actual file name of the detected attachment, the name of the infecting virus or the file filter name, and the message envelope information, along with other bookkeeping information, are saved in the file Quarantine.mdb in the Quarantine folder. The Quarantine database is configured as a system data source name (DSN) with the name Forefront Quarantine. This database can be viewed and manipulated using third-party tools.

Quarantine options
Forefront Security for Exchange Server performs two different quarantine operations: quarantine of entire messages or quarantine of attachments only. Entire messages are quarantined only for content filters and file filters that are set to Purge when quarantine is enabled.

When the General Options setting Quarantine Messages is set to Quarantine as Single EML File (only applies to the Transport Scan Job), messages are quarantined in an EML file format. If you want to view the attachments that are contained inside the EML file, you must save the file from the Quarantine database and use Outlook Express to view the contents of the file. If Outlook Express is not installed on the computer, the message's attachments cannot be separated from the EML file easily for viewing.

If you do not have Outlook Express installed on the server on which you are quarantining messages, you can choose to have messages quarantined in pieces by setting Quarantine Messages to Quarantine Message Body and Attachments Separately. Forefront Security for Exchange Server will then quarantine messages as separate pieces (bodies or attachments) so they can be viewed more easily after they are saved to disk from the Quarantine database.

Messages that have been quarantined can also be forwarded to a mailbox. When the Quarantine Messages option is set to Quarantine Message Body and Attachments Separately, you must forward each piece of the message that was quarantined if you want the recipient to see the entire contents of the original message. If the Quarantine Messages option is set to Quarantine as Single EML File, only the quarantined EML file needs to be forwarded, and the recipient will receive the original message and any attachments as a single attachment to a new message.

An administrator can access the Quarantine pane to delete or extract stored detected file attachments. To view the Quarantine log, click REPORT in the Shuttle Navigator, and then click the Quarantine icon.
The Quarantine work pane appears. The quarantine list reports the date the file was quarantined, the name of the file, the type of incident that triggered the quarantine (such as virus or filter match), the name of the infecting virus or the filter name, the subject field of the message, the sender name, the sender address, the recipient names, and the recipient addresses.

Saving quarantine database items to disk


Use the Save As button on the Quarantine work pane to detach and decode a selected file to disk. You can select multiple items from the quarantine list. Each is saved as a separate file.


Delivering quarantined messages


The Deliver button on the Quarantine work pane enables administrators to deliver quarantined messages to the intended recipients or any other designated recipients. When the Deliver button is clicked, the Confirm Delivery dialog box appears. It enables the administrator to indicate the recipients and the delivery action for the message being delivered. If a single file is selected for delivery, the original recipients populate the To:, Cc:, and Bcc: fields. If multiple files are selected, the recipient fields are initially empty. There are three choices in the Delivery Action section:
Original Recipients: The recipient fields are disabled. Click OK to deliver the selected files to their original recipients.
Above Recipients: The recipient fields are enabled and can be changed by the administrator. Click OK to deliver the selected files to the named recipients.
Original and Above Recipients: The recipient fields are enabled and the administrator can change them. Click OK to deliver the selected files to both the original recipients and any additional ones entered.

When quarantined messages are delivered to the user's mailbox, the original message is included as an attachment. When the user opens the attachment, the original message launches within Outlook as a separate message.
Note: On an Edge Server, since Forefront has no access to the Active Directory, you must enter a full e-mail address with a fully qualified domain name, even if delivery is to an addressee inside your Exchange organization. Failure to enter a fully qualified domain name results in the inability of Forefront to deliver mail from quarantine.

DeliverLog.txt
When a message file is delivered from the Quarantine database, a text file named DeliverLog.txt is created and saved in the folder where Forefront Security for Exchange Server is installed. This file provides a log of messages and attachments that have been delivered from quarantine.

Forwarding attachments
Attachments that were quarantined by the virus scanner or the file filter can be forwarded.

Forwarding attachments quarantined by the virus scanner


Attachments that were quarantined by the virus scanner cannot be forwarded unless the scan jobs are disabled. Any forwarded attachment that contains a virus is redetected and treated appropriately.


Forwarding attachments quarantined by the file filter


Attachments that were quarantined by the file filter are scanned for filter matches unless the General Option setting Deliver from Quarantine Security is set to Compatibility Mode. This enables messages to be forwarded without being redetected by any of the scan jobs. If you want to run a manual scan and have forwarded attachments redetected, you must create the ManuallyScanForwardedAttachments registry value and set it to 1. If the value is not present, it assumes the default value of 0.

To enable attachments to be delivered without being redetected, Forefront Security for Exchange Server adds a special tag to the subject line of the message. You may customize this tag by changing the entry in the registry key value ForwardedAttachmentSubject. This value enables administrators to specify the tag text to use in the subject line. The subject line tag text can be changed to a unique string for the organization or changed into a local language.
Note: If the General Option Deliver from Quarantine Security is set to Compatibility Mode and the subject line tag text is changed, filters are applied to messages already in the organization that were tagged with old tag text in the subject line if they are re-scanned.

Forwarding attachments and manual scans


By default, a manual scan does not perform file filtering on messages that were forwarded from quarantine. If the ForwardedAttachmentSubject registry key is changed, a manual scan performs file filtering on messages already in the organization with the subject line that was in this registry key before the change.

The ExtractFiles tool


Forefront Security for Exchange Server includes a console tool, ExtractFiles, that enables you to extract all, or a subset, of the quarantined files to a specified directory. This is the syntax of ExtractFiles:
extractfiles <path> <type>

Path: The absolute path of the folder in which to save the extracted quarantined files.
Type: The type of quarantined files to extract. This can be the specific name of a virus, a specific extension, or all quarantined files. For example:
Jerusalem.Standard: Extracts files that were infected with the virus named Jerusalem.Standard.
*.doc: Extracts quarantined files having a .doc extension.
*.*: Extracts all quarantined files.
Examples:
extractfiles C:\temp\quarantine Jerusalem.Standard
extractfiles C:\extract\ *.doc


Using the ExtractFiles tool for fast mail recovery


You can use the ExtractFiles utility as part of a fast mail recovery scenario from quarantine: this only works when choosing the Quarantine as Single EML File option for the Quarantine Messages setting in General Options. This is helpful when delivering a large amount of quarantined e-mails. Such a situation can arise if there is a change in your company's filtering policy, due to a management request, or if e-mails were accidentally quarantined because of an incorrectly configured filter.
To use the ExtractFiles tool for fast mail recovery
1. Extract all the files with the *.* syntax described previously. This extracts all quarantined files, both EML files and attachments.
Note: Be sure you understand which EML files you need to deliver.
2. Copy the needed EML files into the Pickup folder on your Exchange server. Be aware that the usage of this folder is supported only under the following circumstances.
a. These operations are performed outside of normal business hours.
b. When copying many .eml files, you must copy them into the Pickup directory in batches. Try 10,000 files and see how long processing takes. There are many factors that can impact how long it takes to process the messages, such as server hardware, the load on the server, the volume of messages being processed, and so on. It may be possible to increase the batch size to 15,000 or 20,000 .eml files, or it may need to be reduced to 5,000 files.
For basic instructions about the Exchange server Pickup folder, go to the following URL: http://go.microsoft.com/fwlink/?LinkId=140655. If you need further assistance on submitting mail via the Pickup folder, contact Microsoft Help and Support.
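The fast mail recovery procedure above, scripted as an added PowerShell example (it is not part of this guide or of the FSE product). It runs ExtractFiles with the *.* type, keeps only the .eml files, and copies them into the Pickup folder in batches, waiting for Transport to drain the folder before submitting the next batch. The FSE installation folder, the scratch folder, the Pickup folder path and the batch size are assumptions to adjust for your server; the Pickup path shown is a placeholder.

```powershell
# Added example, not FSE's own code. Adjust the three paths and the batch size
# before running; run it as an administrator during a maintenance window.
$FseDir     = 'C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server'   # assumption
$ExtractDir = 'C:\extract\quarantine'                                                  # assumption
$PickupDir  = 'C:\Program Files\Microsoft\Exchange Server\TransportRoles\Pickup'      # placeholder
$BatchSize  = 10000   # the guide's suggested starting point; tune up or down after timing a batch

# Step 1: extract everything (EML files and loose attachments) to a scratch folder.
New-Item -ItemType Directory -Path $ExtractDir -Force | Out-Null
& (Join-Path $FseDir 'extractfiles.exe') $ExtractDir '*.*'

# Step 2: only whole messages (.eml) can be submitted through Pickup. Review this list
# before going on: every file submitted here is re-injected into the organization.
$emlFiles = @(Get-ChildItem -Path $ExtractDir -Filter '*.eml' | Where-Object { -not $_.PSIsContainer })
Write-Host ("{0} EML files extracted to {1}" -f $emlFiles.Count, $ExtractDir)

# Step 3: copy in batches. Transport removes each file from Pickup as it submits it,
# so an empty folder means the batch has been processed and the next one can go in.
for ($i = 0; $i -lt $emlFiles.Count; $i += $BatchSize) {
    $end   = [Math]::Min($i + $BatchSize, $emlFiles.Count)
    $batch = $emlFiles[$i..($end - 1)]
    $timer = [System.Diagnostics.Stopwatch]::StartNew()

    $batch | Copy-Item -Destination $PickupDir

    while (@(Get-ChildItem -Path $PickupDir -Filter '*.eml' | Where-Object { -not $_.PSIsContainer }).Count -gt 0) {
        Start-Sleep -Seconds 30
    }
    Write-Host ("Batch {0}-{1} drained in {2:N0} s" -f ($i + 1), $end, $timer.Elapsed.TotalSeconds)
}
```

The elapsed time printed per batch is the measurement the guide asks you to take before deciding whether to raise or lower the batch size. Messages that Transport cannot parse are renamed with a .bad extension and stay in the Pickup folder, so a non-empty folder after the .eml count reaches zero points at files to inspect rather than at a stuck batch.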

Maintaining the databases


There are several other tasks you can perform with the Incidents or Quarantine databases. You can clear the databases, export database items, purge database items, filter database views, move the databases, and change the database compaction time.

Clearing the databases


Over time, you might find that your Incidents and Quarantine databases are becoming very large. Each database (Incidents.mdb and Quarantine.mdb) has a 2 GB limit. When a database is larger than 1.5 GB after being compacted, a notification is sent to all those having a notification role of Virus Administrators, warning that the database is nearing its limit. An administrator can then clear the database to ensure that future incidents and quarantined items will be saved. The subject line of the message reads:
Microsoft Forefront Security for Exchange Server Database Warning

The body of the message reads: The Microsoft Forefront Security for Exchange Server << database name>> database is greater than 1.5 GB (with a maximum size of 2 GB). Its current size is x GB. If this database grows to 2 GB, updates to the << database name>> will not occur. Please see the user guide for information about database maintenance. If for some reason the notification cannot be sent, the failure is ignored and is noted in the program log. One attempt to send the message is made during each compaction cycle for the specific database.

Clearing the incidents database


The Incidents database can be cleared when it becomes too large.
To clear the Incidents database
1. On the Incidents work pane on the REPORT section of the Shuttle Navigator, click Clear Log. This clears all the items from the Incidents work pane. You will be asked to confirm your decision.
2. In the OPERATE section of the Shuttle Navigator, select Run Job. Select a scan job, and then click Clear Log. This clears the items from the job in the Incidents work pane. Once again, you will be asked to confirm your decision. You must individually clear all scan jobs to have all items flagged for deletion from the database.
After you have cleared the entries in both places, they no longer appear in the work panes. However, they are actually deleted from the Incidents.mdb database only when it is compacted, which automatically occurs every day at 02:00 (2:00 A.M.). You can also delete a subset of the results by selecting one or more entries (using the SHIFT and CTRL keys), and then pressing the DELETE key to remove them from both locations, as indicated above.
Note: If a large number of entries is selected, the deletion process can take a long time. In this case, you are asked to confirm the deletion request.

Clearing the quarantine database


The Quarantine database can be cleared when it becomes too large. To clear the Quarantine database, click Clear Log on the Quarantine work pane on the REPORT section of the Shuttle Navigator. This clears all the items from the Quarantine work pane. You will be asked to confirm your decision. After you have cleared the entries, they no longer appear in the work pane. However, they are actually deleted from the Quarantine.mdb database only when it is compacted, which automatically occurs every day at 02:00 (2:00 A.M.).


You can also delete a subset of the results by selecting one or more entries (using the SHIFT and CTRL keys), and then pressing the DELETE key to remove them from the Quarantine listing. Note: If a large number of entries is selected, the deletion process can take a long time. In this case, you are asked to confirm the deletion request.

Exporting database items


Click Export on the Incidents or Quarantine work panes to save all the results from the Incidents or Quarantine databases as a text file. Clicking Export displays a standard Windows Save dialog box, in which you select a location for the Incidents.txt or Quarantine.txt file. In addition to the Export button, the Quarantine pane has a Save As button, used to detach and decode a selected file to disk. You can select multiple items from the Quarantine list. Each is saved as a separate file.

Purging database items


You can instruct Forefront Security for Exchange Server to remove items from the databases after they are a certain number of days old. The number of days is indicated by the Purge field on both the Incidents and Quarantine work panes. Each database can have a separate purge value (or none at all). If the purge function is enabled for a database, all files older than the specified number of days are flagged for removal from that database.
To purge database items after a certain number of days
1. On either the Incidents or the Quarantine work pane in the REPORT section of the Shuttle Navigator, select the Purge check box. This causes the Days field to become available.
2. In the Days field, indicate the number of days after which items will be purged. All items older than that number of days will be deleted from the database. The default is 30 days.
3. Click Save. Setting or changing the purge value takes effect only after being saved.
To suspend purging, clear the Purge check box. The value in the Days field will remain, but no purging will take place until Purge is selected again.

Filtering database views


You can filter the Incidents or Quarantine views to see only certain items. The filter has no effect on the database itself, just on which records are displayed.
To filter the database view
1. On the Incidents or Quarantine work pane, select the Filtering check box.
2. Select the items you want to see with the Field option. Each choice in Field corresponds to one of the columns in the display. (For example, you can show only those Incidents whose State is "Purged".) If you select any column other than Time (on the Incidents pane) or Date (on the Quarantine pane), the Value field appears. If you select Time or Date, you get entry fields for beginning date and time, and ending date and time.
3. If you selected Time or Date, enter the beginning and ending date and time. Otherwise, enter a string in the Value field. Wildcard characters can be used. They are those used by the Microsoft Jet database OLE DB driver. The wildcard characters are:
_ (underscore): Matches any single character. (The * and ? characters, which are common wildcard characters, are literals in this instance.)
[ ]: Denotes a set or a range. Matches any single character within the specified set (for example, [abcdef]) or range (for example, [a-f]).
[!]: Denotes a negative set or range. Matches any single character not within the specified set (for example, [!abcdef]) or range (for example, [!a-f]).
4. Click Save to apply the filter. The only items you now see are those that match your parameters.
5. To see all the items again, remove the filter by clearing the Filtering check box and clicking Save.

Moving the databases


You can move the Quarantine and Incidents databases. However, for FSE to function properly, you must move both databases, as well as all related databases and support files.
To move the databases and all related files
1. Create a new folder in a new location (for example: C:\Moved Databases).
2. Set the permissions for the new folder:
a. Right-click the new folder, and then select Properties.
b. On the Security tab, add Network Service with Full Control privileges.
c. Enable all permissions for Administrators and System.
3. Stop Exchange and any Forefront Security for Exchange Server services that might still be running after the Exchange server is stopped.
4. Copy the entire contents of the Data folder, including the subfolders, from Microsoft Forefront Security\Exchange Server into the folder created in step 1. (This results in a folder called, for example, C:\Moved Databases\Data.)
5. Change the path in the DatabasePath registry key to point to the new Data folder location: (HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server)
6. Restart the Exchange services.
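The six steps above as one PowerShell script, added here as an example that is not part of this guide or of the FSE product. It grants the same permissions the procedure describes (with inheritance so files copied in later receive them), stops the Exchange and FSE services, copies the Data folder, rewrites DatabasePath under the registry key quoted in step 5, and verifies the value before anything is restarted. The FSE installation folder, the target folder and the service name patterns are assumptions to check against your server.

```powershell
# Added example, not FSE's own code. Run as an administrator on the FSE server
# while Exchange can be taken down.
$FseDir  = 'C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server'   # assumption
$NewRoot = 'C:\Moved Databases'                                                     # the guide's example path
$RegKey  = 'HKLM:\Software\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server'

# Step 1: create the new folder.
New-Item -ItemType Directory -Path $NewRoot -Force | Out-Null

# Step 2: Network Service, Administrators and SYSTEM get Full Control.
# (OI)(CI) makes the grant inherit to the files and subfolders copied in at step 4.
icacls $NewRoot /grant 'NT AUTHORITY\NETWORK SERVICE:(OI)(CI)F' | Out-Null
icacls $NewRoot /grant 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null

# Step 3: stop Exchange, then any FSE services still running afterwards.
# Service name patterns are assumptions; compare with Get-Service on your server.
$exchangeServices = @(Get-Service -Name 'MSExchange*' | Where-Object { $_.Status -eq 'Running' })
$exchangeServices | Stop-Service -Force
Get-Service -Name 'FSC*', 'FSE*' | Where-Object { $_.Status -eq 'Running' } | Stop-Service -Force

# Step 4: copy the whole Data folder, subfolders included, under the new root.
Copy-Item -Path (Join-Path $FseDir 'Data') -Destination $NewRoot -Recurse -Force

# Step 5: point DatabasePath at the new Data folder and confirm the write took.
$newDataPath = Join-Path $NewRoot 'Data'
Set-ItemProperty -Path $RegKey -Name 'DatabasePath' -Value $newDataPath
$current = (Get-ItemProperty -Path $RegKey -Name 'DatabasePath').DatabasePath
if ($current -ne $newDataPath) {
    throw "DatabasePath still reads '$current'; not restarting services."
}

# Step 6: restart the Exchange services that were running (the SCM starts their dependencies).
$exchangeServices | Start-Service
Write-Host "Databases now served from $newDataPath"
```

The old Data folder is deliberately left in place; remove it only after the scan jobs and the Incidents and Quarantine panes have been confirmed working from the new location.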


Changing the database compaction time


Typically, Forefront Security for Exchange Server runs daily database management functions on the Incident.mdb and Quarantine.mdb databases. The CompactIncidentDB function and the CompactQuarantineDB function are run to delete old database records and to delete stale Quarantine items. By default, these functions are run at 02:00 local time. However, you may want to compact the databases at a different time. To run the compaction functions at a different time, you must add a registry entry.
To change the database compaction time
1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, expand the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Forefront Software\Forefront Security for Exchange
3. On the Edit menu, point to New, and then click String Value.
4. Type CompactDatabaseTime, and then press ENTER.
5. Right-click CompactDatabaseTime, and then click Modify.
6. In the Value data box, type a new value, for example 21:00, and then click OK.
Note: Enter the time value using the 24-hour (hh:mm) format. The value should be based on the local time during which you want the compaction functions to run.
7. Exit the Registry Editor.
8. Click Start, point to Settings, and then click Control Panel.
9. Double-click Administrative Tools, and then click Services.
10. Right-click FSCController, and then click Restart.
11. Close Services and Control Panel.
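The same change made from PowerShell, as an added example that is not part of this guide or of the FSE product. It uses the registry subkey quoted in step 2, rejects any value that is not a 24-hour hh:mm time before touching the registry, creates the string value if it is missing or overwrites it if present, and restarts FSCController as steps 8 to 10 do.

```powershell
# Added example, not FSE's own code. Run as an administrator.
$RegKey  = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Software\Forefront Security for Exchange'
$NewTime = '21:00'   # local time, 24-hour hh:mm, as the guide's note requires

# Validate first: a malformed value would silently leave compaction at its default.
if ($NewTime -notmatch '^(?:[01]\d|2[0-3]):[0-5]\d$') {
    throw "CompactDatabaseTime must be hh:mm in 24-hour format, got '$NewTime'"
}
if (-not (Test-Path $RegKey)) {
    throw "Registry key not found: $RegKey (check the FSE installation)"
}

# Create the REG_SZ value on first use, otherwise overwrite it.
$existing = Get-ItemProperty -Path $RegKey -Name 'CompactDatabaseTime' -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    New-ItemProperty -Path $RegKey -Name 'CompactDatabaseTime' -PropertyType String -Value $NewTime | Out-Null
} else {
    Set-ItemProperty -Path $RegKey -Name 'CompactDatabaseTime' -Value $NewTime
}

# FSCController reads the value when it starts, so restart it to apply the change.
Restart-Service -Name 'FSCController' -Force
$applied = (Get-ItemProperty -Path $RegKey -Name 'CompactDatabaseTime').CompactDatabaseTime
Write-Host "CompactDatabaseTime is now $applied; FSCController restarted"
```

Restarting FSCController briefly interrupts scanning, so schedule the change the same way you would any other service restart on a production mailbox or transport server.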

Windows Event Viewer


Forefront Security for Exchange Server stores virus detections, stop codes, system information, and other general application events in the Windows application log. Use Windows Event Viewer to access the log. Additionally, these events are stored in ProgramLog.txt located in the Data subdirectory of Microsoft Forefront Security\Exchange Server.


Performance
All Forefront Security for Exchange Server statistics can be displayed using the Performance snap-in (Perfmon.exe) provided by Windows and usually found in Administrative Tools. The performance object is called Microsoft Forefront Server Security.

Reinstalling Forefront Security for Exchange Server performance counters


In the event that the Forefront Security for Exchange Server performance counters are deleted, they can be reinstalled in two ways:
By reinstalling Forefront Security for Exchange Server.
By issuing PerfMonitorSetup from a command prompt.

The PerfMonitorSetup command will reinstall the performance counters without the need to reinstall Forefront Security for Exchange Server.
To reinstall performance counters from a command prompt
1. Open a command prompt window.
2. Navigate to the Forefront Security for Exchange Server installation folder (default: C:\Program Files(x86)\Microsoft Forefront Security\Exchange Server).
3. Enter the command: PerfMonitorSetup install

File scanner updating


Forefront Security for Exchange Server enables you to choose virus scanning engines from multiple vendors. The standard Forefront Security for Exchange Server license includes all currently integrated antivirus engines. Although all engines are integrated, only five may be enabled at any time. By default, four randomly-selected engines plus the Microsoft Antimalware Engine are chosen. You can modify the four additional engine selections through the Forefront Server Security Administrator.

After Forefront Security for Exchange Server is installed, engine updates automatically begin. The scanner update settings are, by default, set to begin updating your engines five minutes after the FSCController is started. Updates are spaced at five-minute intervals. For more information about configuring scanning options, see Transport Scan Job, Realtime Scan Job, and Manual Scan Job.
Note: If you are using a proxy server to access the Internet for scanner updates, these scheduled updates will fail. For information about configuring Forefront Security for Exchange Server to use a proxy server to retrieve updates, see Updating the file scanners through a proxy. After the configuration settings have been entered, use the Update Now button on the Scanner Updates work pane to perform an immediate scanner update for each engine.

Automatic file scanner updating


Scan engines, signature files, and worm list updates can be downloaded automatically from the Microsoft HTTP server, or from another Exchange server running Forefront Security for Exchange Server. Setting a schedule for checking the HTTP or Exchange server for a new scan engine means that you are automatically protected against new viruses without having to check versions or manually update the files. After Forefront Security for Exchange Server has automatically downloaded an updated scan engine, it automatically puts that engine to use. During file scanner updates, only the engine being updated is taken offline. The other engines continue to scan for viruses.

Scheduling an update
You can control when your scanning engines update, how often, and the update source.
Note: If you are using the optional Microsoft Forefront Server Security Management Console to update the scan engines, you should use the Scanner Updates work pane to disable scheduled updates.
To schedule updates for scanning engines
1. In the SETTINGS section of the Shuttle Navigator, select Scanner Update. The Scanner Updates work pane appears. The top pane shows a list of all supported file scanners and the worm list.
2. Select a scan engine to be scheduled. The bottom pane contains the Primary and Secondary update paths and the update schedule for the selected engine. Additionally, there is information about that engine. (For more information, see Scanner Information.)
3. Set the primary update path by clicking Primary in the bottom pane and entering a value in the Network Update Path field. By default, FSE uses the primary update path to download updates. If the primary path fails for any reason, FSE uses the secondary update path, if any. The default primary update path is http://forefrontdl.microsoft.com/server/scanengineupdate. You may change it to point to another HTTP update site, or if you would prefer to use UNC updating as the primary update path, enter the UNC path to another Exchange server. For more information about UNC updating, see Distributing updates. To restore the default server path, right-click the Network Update Path field and select Default HTTP Path.
4. Set the secondary update path, if desired, by clicking Secondary in the bottom pane and entering a value in the Network Update Path field. If the primary path fails for any reason, FSE will use the secondary update path. It is left blank by default. The secondary path may be set to use HTTP or UNC updating. Enter either a URL or a UNC path to another Exchange server. For more information about UNC updating, see Distributing updates.
5. Specify the Date to check for updates. If you choose a Frequency of Once, this date is the only time update checking will take place; otherwise, this date represents the first time update checking will take place. Click the left and right arrows on the calendar to change the month. Click a particular day to select it. (The current date is circled in red; a selected date turns blue.)
6. Set a time for the update to take place. Each of the subfields (hour, minute, seconds, and AM/PM) can be selected and set separately. You can enter a time or use the up and down buttons to change the current value of each subfield. FSE defaults to staggering the update time, leaving an interval of five minutes between engines. It is recommended that you stagger updates a minimum of 15 minutes apart.
Note: Do not use the Windows scheduler to set or change scan engine updating times. Changes you make in the operating system are not reflected in FSE update scheduling. Use the Scanner Update Settings work pane only.
7. Specify how often the update will occur (the frequency). You can choose Once (update only once, on the specified date and time), Daily (update every day, at the same time), Weekly (update each week, on the same day and time), or Monthly (update each month, on the same date and time). It is recommended that you select Daily (the default), and then set a Repeat interval to update the engine at multiple times during the day.
8. Optionally indicate a repeat interval. Select Repeat, and then choose a time interval. (The minimum time is 15 minutes.) It is recommended that you check for updates at least every two hours. If a new update is not available at the scheduled time, the engine is not taken offline and no updating is done. The default is to repeat updating for each engine every hour.
9. Use the Enable and Disable buttons to control whether the update check will be performed for a selected engine. All engine updates are enabled by default. Even if you are not using a particular engine, you should schedule updates for it. That way, if you find you need to use that engine in the future, it will already be at the current update level.
Note: The Enable and Disable buttons control updating only, and not the use of the engine. To discontinue using the engine itself, see Manual Scan Job, Realtime Scan Job, and Transport Scan Job.


Scheduling updates on multiple servers


When scheduling engine updates on multiple servers in your organization, it is recommended that you stagger the updates by at least five minutes, to prevent servers from timing out during the update process. When scheduling updates for multiple engines, it is also helpful to stagger the updates in five-minute intervals.

Update Now
To perform an immediate update of a selected scanner, click the Update Now button on the Scanner Updates work pane. If an update exists, Forefront Security for Exchange Server will download the scanner and will start using it after the download is complete. While the engine download is in progress, the Update Now button remains inoperable. This button is useful for quick checks for a new scanner between regularly scheduled updates.

Update on load
Forefront Security for Exchange Server can be configured to update its file scanners when FSCController starts up. To configure Forefront Security for Exchange Server to update at startup, select the Perform Updates at Startup option in the Scanner Updates section of the General Options work pane. Schedule engine updating using the scheduler on the Scanner Updates work pane. The engines that are to be updated are scheduled in five-minute intervals to avoid possible conflicts. This can be observed by typing at a command prompt after the FSCController has been started. This feature was mainly added for clustered Exchange servers where the inactive node will not receive updates while it is offline.

Scanner information
This is the information that appears on the Scanner Updates work pane for a selected scanner:
Engine Version. The version, as reported by the third-party scan DLL.
Signature Version. The version of the scanner's virus definition files currently in use, as reported by the third-party scan DLL (not available with every scanner).
Update Version. The value located in the Manifest.cab file.
Last Checked. The date and time of the last check made for a new scan engine or definition files.
Last Updated. The date and time of the last update made to the scan engine or definition files.

Manifest.cab
The Manifest.cab files, maintained by Microsoft, store information for determining if a newer version of a scan engine is available for download. (Each engine has an associated Manifest.cab file in its Package folder.) During a scheduled update or when Update Now has been invoked, Forefront Security for Exchange Server searches the network update path for a new update. To minimize overhead, the Manifest.cab file is first downloaded and used to determine if an update is required. If an update is not required, no further processing takes place. If an update is required, the update is then downloaded and applied. When the update is finished, the new Manifest.cab file overlays the old one.

This is the directory structure of the scan engines on a server running Forefront Security for Exchange Server:

Forefront Directory\
    Engines\
        x86\
            Engine Name\
                Package\
                    manifest.cab
                Version Directory\
                    manifest.cab
                    enginename_fullpkg.cab
                    other enginename files

Forefront Directory is the top-level directory where all of the FSE files are kept. This was created during the product's installation. Engine Name is a directory with the name of an engine's vendor. There is an Engine Name directory for each engine. The Package directory contains the most-recent Manifest.cab file. The Version Directory name has the format yymmddvvvv (year, month, day, version, for example: 0602020001). On any particular day, there may be multiple version directories. Each contains the current Manifest.cab, the enginename_fullpkg.cab, and all other required files for the engine.

Distributing updates
The most common method of distributing updates is to have one server (the "hub") receive updates from the Microsoft HTTP server and then share those updates among the rest of the servers in your environment (the "spokes"). After the hub receives an engine update, it can share that update with any other server whose network update path points to it.

Configuring servers to distribute and receive updates


You must configure both the hub and spoke servers before distributing updates.


Configuring the redistribution (hub) server and UNC credentials


To prepare a server to act as an update hub, you need to establish a Windows share for its Engines directory (which is, by default, in c:\Program Files\Microsoft Forefront Security\Exchange Server\Data). Next, enable the Redistribution Server option in the Scanner Updates section of General Options on the chosen hub server. This configures Forefront Security for Exchange Server to save the two most recent engine update packages in the engine package folder instead of the usual single engine package. FSE will also download the full update package rather than perform an incremental update. The multiple engine packages enable the spoke servers to continue pulling updates from the redistribution server while a new update is being downloaded. Finally, enter the UNC credentials.
To configure UNC credentials
1. In the SETTINGS section of the Shuttle Navigator, select General Options.
2. In the Scanner Updates section, select Use UNC Credentials.
3. In the UNC Username field, enter the name of a user with access rights to the UNC path. For more information, see "General Options" in Forefront Server Security Administrator.
4. In the UNC Password field, enter the password for that user.
5. Click Save to save your changes.

Configuring the spoke servers


After the hub server has been set up, configure the spoke servers to point to the shared directory by entering the hub's UNC path (\\ServerName\ShareName) in the Primary Network Update Path field of each of the spokes.
Note: The use of static IP addresses within the update path is neither recommended nor supported.
Example: Server Ex1 receives its updates automatically from the Microsoft HTTP server. Ex1 has Forefront Security for Exchange Server installed in C:\Program Files(x86)\Microsoft Forefront Security\Exchange Server, and you have created a share, called AdminShare, that begins at the Engines directory. Another server, Ex2, will get its updates from Ex1, using \\Ex1\AdminShare as its primary network update path.


Notifications following engine updates


Forefront Security for Exchange Server can be configured to send a notification to the Virus Administrator following each engine update. The notifications include:

Successful update:
Subject Line: Successful update of <engine_name> scan engine on server <server_name>
Body: The <engine_name> scan engine has been updated from <update_path>

No update available:
Subject Line: No new update for the <engine_name> scan engine on server <server_name>
Body: There are currently no new scan engine files available for the <engine_name> scan engine at <update_path>

Error updating:
Subject Line: Failed update of <engine_name> scan engine on server <server_name>
Body: An error occurred while updating the <engine_name> scan engine. [There may be an error message included here.] Please see the Program Log for more information.

Note: If the Program Log contains the "could not create mapper object" error, it means that the engine in question did not load properly.

Engine update notifications are controlled in the General Options work pane by selecting Send Update Notification in the Scanner Updates section.

Putting the new file scanner to use


After a download has successfully completed, the newly-downloaded file scanner is tested. If the test fails, scan jobs continue to use the current version of the file scanner. Otherwise, all scan jobs are notified that there is a new file scanner. If a scan job is currently scanning a file, it will finish that file, and then load the new file scanner before continuing. If a scan job is currently idle, it will load the new file scanner immediately.

Updating the file scanners through a proxy


In environments where the Exchange server must access the Internet through a proxy server, Forefront Security for Exchange Server can be configured to retrieve engine updates through that server.
To configure proxy server updating
1. In the SETTINGS section of the Shuttle Navigator, select General Options.
2. In the Scanner Updates section of General Options, select Use Proxy Settings.
3. Enter information about the proxy server: name or IP address, port, user name (optional), and password (optional). For more information about these fields, see "General Options" in Forefront Server Security Administrator.
4. Click Save.
After the proxy server settings have been entered and saved, they can be deployed to other servers by replicating the General Options settings using the Microsoft Forefront Server Security Management Console (FSSMC).

Adding and deprecating scan engines


When Forefront Security for Exchange Server (FSE) adds or deprecates an engine, you are informed via notification entries in the event log. You can also configure notifications to be sent to Virus Administrators in addition to the event log by using the Forefront Server Security Administrator; for more information about how to do this, see E-mail notifications.

Adding new scan engines


When FSE adds a scan engine, an announcement is written to the event log that publicizes that the engine was added to your configuration. This notification - which includes links to information about this new engine - is written to the event log only once.

Deprecating scan engines


When FSE is no longer going to support a scan engine, an announcement is written to the event log to publicize the date on which updates for this engine will no longer be available. Notifications, which include links to information about this engine's deprecation, are written to the event log on a weekly basis up until the date on which the engine becomes obsolete. Upon receiving a notification about an engine being deprecated, it is strongly recommended that you disable the use of this engine with any scan jobs. Once the engine becomes obsolete, the definitions on disk will become out of date and the scanning usefulness of this engine diminishes. After the date on which the engine becomes obsolete, updates are no longer available for this engine. If the obsolete engine is still enabled for updates, update checks for that engine are automatically disabled, and an error notification is written to the event log. If the obsolete engine is in use with a scan job, an error notification is written to the event log on a daily basis until the engine is disabled for that scan job.


Troubleshooting
This section contains troubleshooting information.

Exchange not hooked in


If you receive a message (in the Forefront Server Security Administrator, the Event Log, or the MOM console) that says you are not hooked into the Transport or Mailbox, try recycling the MSExchangeTransport or the MSExchangeIS service (the Event Log indicates the correct one). If that does not solve the problem, close the Forefront Server Security Administrator (if it is open) and restart the FSCController service. If you still receive the errors, contact Microsoft Help and Support.

Getting help
To obtain technical support, visit the Microsoft Web site at Microsoft Help and Support.

Diagnostics
Diagnostic logging records information that Microsoft support technicians can use to troubleshoot problems that occur when Forefront Security for Exchange Server is not working properly. Diagnostics can be set independently for each scan job by selecting the appropriate check box for each scan job in the Diagnostics area of the General Options work pane. The settings are: Additional Transport, Additional Realtime, Additional Manual, and Archive Transport Mail. These options are disabled by default. For more information about these settings, see General Options. For information about collecting diagnostic information, see The FSC diagnostic tool.

Forefront Security for Exchange Server installation failure


Forefront Security for Exchange Server cannot co-exist with any VSAPI-based antivirus product. If you previously used VSAPI to install another antivirus software product, you will receive an error message when attempting to install Forefront Security for Exchange Server and the installation will fail. When using VSAPI to install antivirus software, the following registry subkey is created to save information about the VSAPI library:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\VirusScan
If the VirusScan registry subkey is present in the registry when you try to install Forefront Security for Exchange Server, the installation will fail.

To delete the VirusScan registry entry
1. Click Start, click Run, type regedit, and then click OK.
2. In the Registry Editor, expand the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\VirusScan
3. Right-click the VirusScan registry entry, and then click Delete.
4. Exit the Registry Editor.

The FSC utility


The FSC Utility (FSCUtility.exe) is a command line utility with which you can enable or disable Forefront Security for Exchange Server (FSE).
Note: Unlike a reset, when you use FSCUtility.exe, the Forefront services are not removed. Only the dependencies that have been set are removed.
FSCUtility.exe is located in the Forefront Security installation directory. It has the following parameters:
FSCUtility /status   Gives an on-screen report showing the status of Forefront Security and the server.
FSCUtility /disable  Disables Forefront Security dependencies and the VSAPI hook.
FSCUtility /enable   Enables Forefront Security dependencies.

There are other parameters, but they should only be used when you are directed to do so by support technicians.

Disabling and enabling Forefront Security for Exchange Server


You can use the FSC Utility to disable and enable FSE.

To disable Forefront Security for Exchange Server by removing dependencies
1. Stop the Exchange and Forefront services.
Note: In a clustered environment, when running the FSC Utility to disable FSE, the Exchange services are automatically taken offline. Therefore, you can skip step 1 and proceed directly to step 2.
2. From a command prompt, navigate to the Forefront Security for Exchange Server installation directory. Disable Forefront Security dependencies by typing:
FSCUtility /disable
3. To confirm that the Forefront Security dependencies have been removed, type:
FSCUtility /status
4. Restart the Exchange services.
Caution: When you are not running FSE, you are without its protection.

To enable Forefront Security for Exchange Server by reestablishing dependencies
1. Stop the Exchange services.
Note: In a clustered environment, when running the FSC Utility to enable FSE, the Exchange services are automatically taken offline. Therefore, you can skip step 1 and proceed directly to step 2.
2. From a command prompt, navigate to the Forefront Security for Exchange Server installation directory. Enable Forefront Security dependencies by typing:
FSCUtility /enable
3. To confirm that the Forefront Security dependencies have been reestablished, type:
FSCUtility /status
4. Restart the Exchange services.

Registry keys
Caution: Serious problems might occur if you modify the registry incorrectly. These problems could require you to reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk. Always make sure that you back up the registry before you modify it, and that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, see Microsoft Knowledge Base article Windows registry information for advanced users.

Forefront Security for Exchange Server stores many settings in the Windows registry. You seldom have to edit the registry yourself, because most of those settings are derived from entries you make in General Options. However, there are some additional settings that you may occasionally need to make. FSE stores registry values in the following locations:
For 32-bit systems (only valid during evaluation of FSE):
HKLM\SOFTWARE\Microsoft\Forefront Server Security\Exchange Server
For 64-bit systems:
HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server

Variable and its description and values:

AdditionalTypeChecking
Forefront Security for Exchange Server performs signature type checking on files to avoid scanning files that can never contain a virus. If it becomes necessary to scan an additional file type, you will need to contact Help and Support to obtain the proper setting for the file type you would like to add. This key is set to 0 (off) by default.

DatabasePath
Specifies the path under which the Forefront Security for Exchange Server configuration files and Quarantine folder reside. It defaults to the Forefront Security for Exchange Server installation path (InstalledPath). If this value is changed, the configuration files and the Quarantine folder (along with its contents) must be moved to this new location. If this value is changed and the files are not moved, Forefront Security for Exchange Server re-creates them and the previous settings are lost. Move the files first and then change this value.

DisableAVStamping
Specifies whether the system will apply the secure AV stamp. An important feature of Forefront optimizes for scanning messages on the Exchange 2007 Transport role. A secure AV stamp is applied to messages scanned by Forefront on Transport servers; this prevents duplicate scanning on the Mailbox server role when the message is deposited into the Information Store. DisableAVStamping enables you to override this recommended default so that Forefront can scan with some engines on a Transport server, and a different set of engines on the Mailbox server. To set it up, add a new DWORD with a value of "1". This causes the Transport stamp to be suppressed, and the Mailbox server to treat the message as not having been previously scanned. You should use this setting only when different engines (or different filtering settings) are selected on the Transport server and the Mailbox server. Otherwise, needless duplicate scanning will take place.
When the value of DisableAVStamping is set to "1", it prevents the stamping of messages at the Transport. This value is not present by default and is assumed to be "0" (the default). When the value of DisableAVStamping is set to "1", we also recommend that you turn on mailbox server proactive scanning on all Mailbox servers routed to by the transport server. This causes newly-arrived mail to the Mailbox server to be placed in a scanning queue to be scanned upon arrival. To enable proactive scanning on the Mailbox server role, set the DWORD value of the following Exchange key to "1" (it is normally disabled, with a value of "0"):
HKEY_Local_Machine\System\CurrentControlSet\Services\MSExchangeIS\VirusScan

DisableInboundFileFiltering
When set to 1, this value disables inbound file filtering for the Transport Scan Job. The default value is 0. The Forefront Security services must be recycled for this feature to take effect.

DisableInboundVirusScanning
When set to 1, this value disables inbound virus scanning for the Transport Scan Job. The default value is 0.

DisableOutboundFileFiltering
When set to 1, this value disables outbound file filtering for the Transport Scan Job. The default value is 0. The Forefront Security services must be recycled for this feature to take effect.

DisableOutboundVirusScanning
When set to 1, this value disables outbound virus scanning for the Transport Scan Job. The default value is 0.

DoNotScanIPMReplicationMessages
Specifies whether to scan IPM replication messages. The Transport Scan Job scans files called Winmail.dat for viruses. Exchange uses these files for several purposes, including facilitating replication between servers (IPM replication messages). If FSE modifies a Winmail.dat file, the public folder replication process will fail. Setting this DWORD registry key to 1 prevents the Transport Scan Job from scanning IPM replication messages. If a virus is replicated because of public folder replication, the Realtime Scan Job will still detect the virus even if this key is set.

EngineDownloadTimeout
Specifies the timeout value (in seconds) that Forefront Security will allow for scan engine downloads. The default value is 300 (5 minutes).

InternetPurge
Enables or disables purging by the Transport scanner. If set to 0, purging is disabled. If set to 1, purging is enabled. The key is set to 1 by default.

ManualScanContinueOnFailed
Used to recover from a manual scan failure when a scan engine encounters problems with a file or when moving between folders. This prevents the manual scan from stopping if an engine encountered a problem while scanning a file or traversing a folder structure. When this key is set to any value other than 0, Forefront Security for Exchange Server continues scanning after such an event.

MaxCompressedSize
This registry key works in conjunction with the General Option setting Delete Corrupted Compressed Files. In order to delete a file that exceeds the MaxCompressedSize, the Delete Corrupted Compressed Files General Option setting must be enabled. This key sets the maximum compressed file size that Antigen attempts to clean or repair in the event that it discovers an infected file. This key is set to 26 MB by default but may be changed by the administrator. Infected files or files that meet file filter rules that are larger than the allowed maximum size are deleted. Antigen reports a deleted file as having a LargeCompressedInfectedFile virus.

MaxUncompressedFileSize
This registry key works in conjunction with the General Option setting Delete Corrupted Compressed Files. In order to delete a file that exceeds the MaxUncompressedFileSize, the Delete Corrupted Compressed Files General Option setting must be enabled. This key sets the maximum uncompressed file size for a file within a .zip or a RAR archive file. Files larger than the maximum permitted size are deleted and reported as Large Uncompressed File Size. The default setting is 100 MB. The RAR archive format enables one or more compressed files to be stored in multiple RAR volumes, thereby permitting large files to be broken into smaller-sized files for ease of file transfer. The files stored in the multipart RAR volumes are subject to the size limit specified by this registry value (its default is 100MB). If a file exceeds the limit, any multipart RAR volume that contains the file, or a part of the file, is deleted. However, the outcome can vary, depending on the size of the original files and how they are distributed across the multiple RAR volumes.
Example 1: A single file (F1) is split across 3 RAR volumes (V1, V2, V3). Outcome: If the uncompressed size of F1 exceeds the default 100MB limit, all 3 RAR volumes (V1, V2, V3) are deleted.
Example 2: Four files (F1, F2, F3, F4) are split across three RAR volumes (V1, V2, V3) as follows: V1 contains F1 and the first half of F2. V2 contains the second half of F2 and F3. V3 contains only F4. Outcome: If only F1 exceeds the default 100MB limit, only V1 will be deleted. If only F2 exceeds the default 100MB limit, V1 and V2 will be deleted, but V3 will not. If only F4 exceeds the limit, only V3 will be deleted.
Note that deleting a volume causes all files stored in the same volume to be deleted, even if only one file or part of a file exceeded the size limit. In both examples, deletion text specifies that a file (the RAR volume) was deleted because it exceeded the maximum uncompressed file size limit. To prevent the volumes from being deleted, you must set the registry value MaxUncompressedFileSize to a value large enough to exceed the uncompressed size of the largest file in the multipart RAR volumes.

MIMEDeletePartialMessages
Some e-mail client programs, such as Microsoft Outlook Express, let you send large e-mail messages in several fragments. By default, when Forefront Security for Exchange Server scans fragmented messages (content type: message/partial), the e-mail message may be tagged as FragmentedMessage. In this case, the message body is deleted and replaced with the file filter deletion text. To prevent Forefront from deleting fragmented e-mail messages, you must create a new DWORD registry key called MIMEDeletePartialMessages and set it to a value of 0.
Note: Fragmented messages are not deleted when the value data is set to 0. Fragmented messages are deleted when there is no MIMEDeletePartialMessages DWORD value in the registry or when the MIMEDeletePartialMessages value data is set to 1.

QuarantineTimeout
Specifies whether items that cause a scan job timeout should be quarantined. If this DWORD registry value is not present or if it is present and its value is not zero, a message that causes a scan job timeout will be quarantined. If the registry value is present and its value is zero, that message will not be quarantined.

RealtimePurge
Enables or disables purging by the Realtime scanner. If set to 1, purging is enabled. If set to 0, purging is disabled. The key is assumed to be 1 by default. Each time you alter this registry value, you must recycle the Exchange Information Store for the change to take effect for the Realtime Scan Job.

ScanAllAttachments
When this DWORD value is set to 1 (the default), Forefront Security for Exchange Server scans all file attachments. ScanAllAttachments is a "silent" key, that is, if it is not present, its value defaults to 1.

UpdateDllonScanJobUpdate
When set to 1, this key ensures that a background scan will be initiated every time a change is made and saved to the Realtime Scan Job. This key is disabled by default.

TransportPurge
Enables or disables purging by the Transport scanner. If set to 1, purging is enabled. If set to 0, purging is disabled. The key is assumed to be 1 by default. Each time you alter this registry value, you must recycle the Exchange IMC service for the change to take effect for the Transport Scan Job.

UpdateOnLoad
When this value is set to 1, updates are scheduled for each file scanner that was installed with Forefront Security for Exchange Server after a Forefront Security service startup. This feature is mainly used in clustered Exchange servers. By default, this value is set to 0.

UseDomainsDat
Specifies whether a text file (called Domains.dat) is used to indicate your internal domains. If the value is 0 (the default), the Internal Address field in General Options is used. If you change the value to 1, you can enter all your internal addresses in a text file called Domains.dat in the DatabasePath directory. You would do this if you have a large number of domains to be used as internal addresses.
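The multipart RAR deletion rule described under MaxUncompressedFileSize, worked through in code so the outcome for a given volume layout can be predicted before raising the limit. This is an added example, not FSE's own code; the RarFile representation, the 150 MB and 10 MB file sizes and the helper names are assumptions made for illustration.

```python
"""Model of how the MaxUncompressedFileSize limit is applied to multipart
RAR volumes, following the two examples in the user guide: a file whose
uncompressed size exceeds the limit causes every volume holding any part
of it to be deleted, taking the other files in those volumes with it.
Added example; not FSE's own code."""

from dataclasses import dataclass, field
from typing import List

# Default value of the MaxUncompressedFileSize registry key (100 MB).
DEFAULT_LIMIT_MB = 100


@dataclass
class RarFile:
    """One file stored inside a multipart RAR archive (assumed representation)."""
    name: str
    uncompressed_size_mb: int
    # Every volume that holds any part of the file, e.g. ["V1", "V2"].
    volumes: List[str] = field(default_factory=list)


def oversized_files(files: List[RarFile], limit_mb: int = DEFAULT_LIMIT_MB) -> List[str]:
    """Files whose uncompressed size exceeds the limit (strictly greater, as the guide words it)."""
    return [f.name for f in files if f.uncompressed_size_mb > limit_mb]


def volumes_to_delete(files: List[RarFile], limit_mb: int = DEFAULT_LIMIT_MB) -> List[str]:
    """Volumes FSE deletes: every volume that contains the file, or a part of
    the file, for each file over the limit."""
    over = set(oversized_files(files, limit_mb))
    doomed = set()
    for f in files:
        if f.name in over:
            doomed.update(f.volumes)
    return sorted(doomed)


def collateral_losses(files: List[RarFile], limit_mb: int = DEFAULT_LIMIT_MB) -> List[str]:
    """Files under the limit that are lost anyway because they share a deleted
    volume with an oversized file (the note following Example 2)."""
    doomed = set(volumes_to_delete(files, limit_mb))
    over = set(oversized_files(files, limit_mb))
    return sorted(f.name for f in files
                  if f.name not in over and doomed.intersection(f.volumes))


def limit_that_keeps_all_volumes(files: List[RarFile]) -> int:
    """Smallest MaxUncompressedFileSize (MB) at which no volume is deleted.
    With the strict 'exceeds' rule a limit equal to the largest file suffices;
    the guide recommends a value that exceeds the largest file."""
    return max(f.uncompressed_size_mb for f in files)


# Example 1 from the guide: one 150 MB file F1 split across V1, V2 and V3.
EXAMPLE_1 = [RarFile("F1", 150, ["V1", "V2", "V3"])]


def example_2(oversized: str) -> List[RarFile]:
    """Example 2 from the guide with the named file made 150 MB and the rest 10 MB.
    The sizes are constructed; the guide gives only the volume layout."""
    layout = {"F1": ["V1"], "F2": ["V1", "V2"], "F3": ["V2"], "F4": ["V3"]}
    return [RarFile(n, 150 if n == oversized else 10, v) for n, v in layout.items()]


if __name__ == "__main__":
    print("Example 1 deletes:", volumes_to_delete(EXAMPLE_1))
    for big in ("F1", "F2", "F4"):
        files = example_2(big)
        print(f"Example 2, only {big} oversized: delete {volumes_to_delete(files)}, "
              f"also losing {collateral_losses(files)}")
```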

Scanner Update Settings registry keys


These are the keys containing the scanner information that is reported on the Scanner Update Settings work pane. Although these should not be modified, you may find them useful for reporting purposes.
For 32-bit systems (only valid during evaluation of FSE):
HKLM\SOFTWARE\Microsoft\Forefront Server Security\Exchange Server\Scan Engines\enginename
For 64-bit systems:
HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server\Scan Engines\enginename

Variable           Description
Engine Version     Indicates the current version of enginename, as specified in the Forefront Server Security Administrator.
Last Checked       Indicates the date and time enginename was last checked, as specified in the Forefront Server Security Administrator.
Last Updated       Indicates the date and time enginename was last updated, as specified in the Forefront Server Security Administrator.
Signature Version  Indicates the current version of the enginename signature file, as specified in the Forefront Server Security Administrator.
Update Version     Indicates the current update of enginename, as specified in the Forefront Server Security Administrator.

Keyword substitution macros


Forefront Security for Exchange Server provides keyword macros that can be used in the Deletion Text and in the various fields of a notification (To, Cc, Bcc, Subject, and body) to display information obtained from an item in which an infection was found or that matched a filter. Enter keywords into those fields, surrounded by leading and trailing percent signs (%), as shown in the list below. For example, to include the name of the virus in the subject line, you could use the %Virus% macro, in the Subject field, as follows:
The %Virus% virus was found by Forefront Security for Exchange Server.
Instead of typing the keyword, you can select it from a shortcut menu.

To select a keyword from the shortcut menu
1. Position the cursor in any notification field, at the point where you want the keyword to appear.
2. Right-click at that point to display a shortcut menu.
3. Select Paste Keyword.
4. Choose from a list of available keywords.
5. Click Save.

The macros
These are the possible keyword substitution macros. Use consecutive percent signs (%%) to display the percent sign itself in the notification field.
%Company%  The name of your organization, as found in the registry.
%EBccAddresses%  External Bcc addresses. A list of the addresses of all the external Bcc recipients.
%EBccNames%  External Bcc names. A list of the names of all the external Bcc recipients.
%ECcAddresses%  External Cc addresses. A list of the addresses of all the external Cc recipients.
%ECcNames%  External Cc names. A list of the names of all the external Cc recipients.
%ERAddresses%  External recipient addresses. A list of the addresses of all the external To recipients.
%ERNames%  External recipient names. A list of the names of all the external To recipients.
%ESAddress%  External sender address. The address of the message sender, if external to the company.
%ESName%  External sender name. The name of the message sender, if external to the company.
%File%  The name of the detected file.
%Filter%  The name of the filter that detected the item.
%Folder%  The public or private store (mailbox) and subfolders where the virus or attachment was found.
%IBccAddresses%  Internal Bcc addresses. A list of the addresses of all the internal Bcc recipients.
%IBccNames%  Internal Bcc names. A list of the names of all the internal Bcc recipients.
%ICcAddresses%  Internal Cc addresses. A list of the addresses of all the internal Cc recipients.
%ICcNames%  Internal Cc names. A list of the names of all the internal Cc recipients.
%IRAddresses%  Internal recipient addresses. A list of the addresses of all the internal To recipients.
%IRNames%  Internal recipient names. A list of the names of all the internal To recipients.
%ISAddress%  Internal sender address. The address of the message sender, if internal to the company.
%ISName%  Internal sender name. The name of the message sender, if internal to the company.
%Message%  The Subject field of the message.
%MIME%  MIME Header. The MIME header information.
%ScanJob%  The name of the scan job that scanned the attachment or performed the filtering operation.
%Server%  The name of the server that found the infection or performed the filtering operation.
%State%  The disposition of the detected item (Deleted, Cleaned, or Skipped).
%Virus%  The name of the virus, as reported by the file scanner.
%VirusEngines%  A list of all the scan engines that found the virus.
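An expansion routine for the macro syntax above (%Keyword%, with %% as the escape for a literal percent sign), useful for checking a notification template against the documented keyword list before saving it. This is an added example, not FSE's own substitution code; exact-case matching of the documented names, treating a non-alphabetic "%...%" span as plain text, and leaving an unknown keyword in place are assumptions, and the detection details in SAMPLE_ITEM are constructed.

```python
"""Expands FSE-style %Keyword% macros in Deletion Text and notification fields.
Added example; the tokenizing rules and the sample data are assumptions, not
FSE's own implementation."""

from typing import Dict, List, Tuple

# Keyword names as listed in the user guide.
DOCUMENTED_MACROS = {
    "Company", "EBccAddresses", "EBccNames", "ECcAddresses", "ECcNames",
    "ERAddresses", "ERNames", "ESAddress", "ESName", "File", "Filter",
    "Folder", "IBccAddresses", "IBccNames", "ICcAddresses", "ICcNames",
    "IRAddresses", "IRNames", "ISAddress", "ISName", "Message", "MIME",
    "ScanJob", "Server", "State", "Virus", "VirusEngines",
}

# Constructed detection details standing in for what FSE supplies for one item.
SAMPLE_ITEM: Dict[str, str] = {
    "Company": "Contoso",
    "Virus": "EICAR-Test-File",
    "File": "invoice.exe",
    "ScanJob": "Transport Scan Job",
    "Server": "EXCH01",
    "State": "Deleted",
    "ESAddress": "sender@example.com",
    "VirusEngines": "Engine A, Engine B",
}


def tokenize(template: str) -> List[Tuple[str, str]]:
    """Split a template into ('text', s) and ('macro', Name) tokens.
    '%%' is a literal percent sign; '%Name%' is a macro only when Name is
    purely alphabetic, so a phrase like '100% done' is not misread as one."""
    tokens: List[Tuple[str, str]] = []
    i, n = 0, len(template)
    while i < n:
        if template[i] != "%":
            tokens.append(("text", template[i]))
            i += 1
        elif template.startswith("%%", i):
            tokens.append(("text", "%"))
            i += 2
        else:
            end = template.find("%", i + 1)
            key = template[i + 1:end] if end != -1 else ""
            if key.isalpha():
                tokens.append(("macro", key))
                i = end + 1
            else:  # lone percent sign: keep it and move on
                tokens.append(("text", "%"))
                i += 1
    return tokens


def expand_macros(template: str, item: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (expanded text, keywords that had no value).
    Unknown keywords are copied through unchanged (assumed behaviour)."""
    out: List[str] = []
    unresolved: List[str] = []
    for kind, value in tokenize(template):
        if kind == "text":
            out.append(value)
        elif value in item:
            out.append(item[value])
        else:
            out.append(f"%{value}%")
            unresolved.append(value)
    return "".join(out), unresolved


def macros_in(template: str) -> List[str]:
    """Keyword names referenced by a template, in order of appearance."""
    return [value for kind, value in tokenize(template) if kind == "macro"]


def undocumented_macros(template: str) -> List[str]:
    """Keywords the guide does not list: the check to run before saving a template."""
    return sorted(set(macros_in(template)) - DOCUMENTED_MACROS)


if __name__ == "__main__":
    subject = "The %Virus% virus was found by Forefront Security for Exchange Server."
    print(expand_macros(subject, SAMPLE_ITEM)[0])
    print(undocumented_macros("%Virus% blocked on %Server% (%Bogus%), 100%% sure"))
```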

File types list


This is a list of the file types that are used when creating file filters to detect files based solely on their content type. The program log number is reported in the Forefront Security for Exchange Server program log when the associated file type is identified by a virus scanner or a file filter. For more information about detecting files by type, see "Filtering by File Type" in File filtering. Note: When a Microsoft Office file (PowerPoint, Access, Excel, and Word document) is embedded in another Office file, its data is included as part of the original Office file. These are not scanned as individual files. If, however, another file type (such as .exe) is embedded in one of these files that is then embedded in an Office file, it will be detected and scanned as a separate file. (The .exe extension, however, is still visible because the icon is a GIF file that cannot be deleted. If you click the file, the icon will be replaced with the correct TXT icon.)
File type  Program log number  Description
ANIfile  66  Microsoft Windows 95 animated cursor file
ARCfile  21  ARC compression format file
ARJfile  20  ARJ compression format file
AutoCad  63  AutoCad file
AVIfile  29  Windows Audio/Visual file format (Audio/Video Interleaved resource interchange file format)
BMPfile  24  Bitmap image file
DataZfile  15  InstallShield file (InstallShield 3)
Docfile  6  Microsoft OLE Structured Storage file. The Docfile test checks for the OLE Structured Storage file format. Contained within this format is information that describes the application to use to process the data. Among the applications that use this format are the Microsoft Office applications suite: Word (.doc), Excel (.xls), PowerPoint (.ppt), Exchange Message files (.msg), and Shell scraps (.shs).
Eicar  5  Eicar test virus file
EPSfile  57  Encapsulated PostScript file (Adobe)
EXE  3  Microsoft executable file
Font_Type1  64  Adobe Type 1 font file
GifFile  22  GIF image file
GZipFile  16  GZip compression format file
HyperArc  54  ARC compression format file (Systems Enhancement Associates)
ICOfile  27  Windows icon file
IS_Uninst  48  InstallShield uninstall file
ISCABfile  14  Microsoft cabinet archive format file
JarFile  52  Java archive file
JavaClass  45  Java byte code file (usually contained inside a JAR file)
JPEG  23  JPEG image file
LHAfile  12  Compression format file (LHA/LHARC)
MACFILE  77  A binary (non-text) format that encodes Macintosh files so that they can be safely stored or transferred through non-Macintosh systems
MDB  71  Access database file
MP3File  67  MP3 audio file
MPEG1  32  MPEG animation file (.mpg)
MS_Chifile  51  Document file for Microsoft Help index (.chi)
MS_Help  50  Microsoft Help file (.hlp)
MS_TypeLib  49  Microsoft Type Library file format (typically used for ActiveX service)
MS_WMF  59  Microsoft Windows metafile format graphics (vectored and bitmapped)
MSCabFile  13  Cabinet file (Microsoft installation archive)
MSCompress  17/18  Microsoft compression format file
MSIMC_MIME  46  MIME formatted text file with IMC binary header
MSLibrary  42  Microsoft object code library file
MSShortCut  44  Microsoft shortcut file (.lnk)
NotesDB  68  Notes database file
OBJfile  43  Object code file (Intel Relocatable Object Module - .obj)
OPENXML  83  OpenXML File. Note: This file type applies to Word, PowerPoint, and Excel 2007 files only. The Scan Doc Files As Containers settings in General Options (for each scan job) do not apply to Office 2007 files, since these are always scanned as containers. Although OpenXML files are essentially ZIP containers, and the individual files inside are scanned by FSE, settings that affect ZIP files do not apply to them. OpenXML documents have an XML-based schema which FSE cannot modify if an infection is found. Therefore, if an infection is in a file that is part of the XML schema, the file is not cleaned and the entire OpenXML document is deleted. However, if the infected file is not part of the XML schema, then FSE will attempt to clean just that infected file (replacing it with the Deletion Text) and leave the rest of the OpenXML document intact; if it cannot be cleaned, just that file will be deleted. However, in practice, Office 2007 does not open any OpenXML file containing files that are not part of the XML schema.
PALfile  26  Adobe PageMaker library palette file or a color palette file
PCXfile  25  Bitmap graphic file (PC Paintbrush)
PDFfile  47  Portable Document Format file (Adobe)
PIFfile  Program Information File (Windows), or Vector Graphics GDF format file (IBM mainframe computers)
PKLite  55  PKLite compression format file
PNGfile  61  Bitmap graphics file (Portable Network Graphics)
QTMovie  31  Quick Time Movie file
RARFILE  76  RAR-compressed archive file
RIFfile  30  RIFF bitmap graphics file (Fractal Design Painter)
SFXexe  73  Self extracting executable file
TARFILE  75  TAR archive format file (a UNIX method of archiving files, which can also be used by personal computers). TAR archives files but does not compress them, so sometimes .tar files are compressed with other tools, which produces extensions like .tar.gz, .tar.Z, and .tgz.
Text  1  Text file (.txt)
TifFile  62  Tagged Image File Format (TIFF) bitmap graphics file
TNEFfile  56  Microsoft Transport Neutral Encapsulation Format file (Message file)
TrueType  65  Microsoft TrueType font file (.ttf)
Unicode  2  Universal Character Code double-byte text file
UnixComprs  53  Unix Compressed format file
Visio_WMF  60  Visio exported meta file
WavFile  28  Waveform audio file (RIFF WAVE format)
WinExcel1  8  Microsoft Excel 1.x file (.xls)
WinWord1&2  7  Microsoft Word (1.x and 2.x) file
WinWrite  9  Microsoft Write file
XaraFile  58  XaraX graphic file
ZipFile  10  Compressed file created by PKZip
ZOOfile  19  Compressed file created by ZOO

The FSC diagnostic tool


To accurately diagnose a problem, support engineers typically need a variety of information about Forefront Security for Exchange Server (FSE) and the Exchange server on which it is running. This information consists of FSE version information, third-party scan engine versions, registry settings, and FSE databases. Gathering this configuration information is a major effort that can hinder the troubleshooting process. To make it easier for you to collect this information, the Forefront Security Diagnostic tool (FSCDiag) automates the process, assembling all the necessary data in one file that can then be uploaded to Microsoft. When you contact Microsoft Help and Support, you are told where to upload the file.

Information collected
The Forefront Security Diagnostic tool can collect any or all of the following information, based on your requests:
FSE file versions
Exchange file versions
FSE registry key
FSE database files
FSE archive files
FSE program log file
Windows event log files
Dr. Watson log file
User.dmp file
FSE installation log file
FSE hotfix installation log file
Exchange agents.config file

Running the Forefront Security diagnostic tool


You can run the Forefront Security Diagnostic tool in no prompt mode (the default), gathering all possible information. You can also run the tool in interactive mode or console mode. When running in interactive mode, you are prompted for every option. When running in console mode, you can use command-line switches to specify which information you want gathered. After running the tool, the selected data is gathered and compressed into a single file to be uploaded to Microsoft.
Note: Console mode is only available if you have installed SP1 rollup 3 or higher.

To run the Forefront Security Diagnostic tool
1. Run the program in no prompt mode, interactive mode, or console mode.
To run the program in no prompt mode: Navigate to the Forefront Security for Exchange Server installation folder (default: C:\Program Files(x86)\Microsoft Forefront Security\Exchange Server) and launch FSCDiag.exe. The program runs in a command prompt window. You can also run the program at a command prompt by navigating to the Microsoft Forefront Security\Exchange Server installation folder and typing:
FSCDiag
To run the program in interactive mode: At a command prompt, navigate to the Microsoft Forefront Security\Exchange Server installation folder and type:
FSCDiag /i
You are prompted for each item. Type Yes or No, pressing ENTER after each response.
To run the program in console mode: At a command prompt, navigate to the Microsoft Forefront Security\Exchange Server installation folder and type:
FSCDiag /c /switch1 /switch2 /switch3
You must specify /c, which signifies that you are running the tool in console mode. You can specify as many switches as needed. An example of the syntax used to collect only the Forefront file versions and the Forefront registry keys is:
FSCDiag.exe /c /ver Forefront /reg Forefront
To view the possible switch combinations that you can use, type FSCDiag /? before running the program.
2. After you execute the program, the tool gathers the requested information and compresses the results into a new file that is located in the Log\Diagnostics\ folder under the FSE installation directory. The file name, constructed from the name of the server, date, and time, has the following format:
ForefrontDiag-<server name>-<date>-<time>.zip
<date> has the format yyyymmdd
<time> has the format hh.mm.ss (where hh represents a 24-hour clock)
Example:
C:\Program Files(x86)\Microsoft Forefront Security\Exchange Server\Log\Diagnostics\ForefrontDiag-Server1-20051210-17.50.27.zip
3. Contact Microsoft Help and Support to find out where to upload the compressed file.
4. Upload the compressed file to Microsoft.
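A parser for the ForefrontDiag-<server name>-<date>-<time>.zip naming format above, with a freshness check over a Log\Diagnostics\ listing; the same check confirms that the scheduled batch file described under "Backing up and restoring" keeps producing bundles. This is an added example, not part of FSCDiag or FSE; the listing, the timestamps and the eight-day tolerance are constructed.

```python
"""Parses FSCDiag bundle names (ForefrontDiag-<server name>-<date>-<time>.zip,
<date> = yyyymmdd, <time> = hh.mm.ss on a 24-hour clock) and reports servers
whose newest bundle is older than expected. Added example; not FSCDiag code."""

import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# The server name may itself contain hyphens, so it is matched greedily and the
# two fixed-width fields at the end anchor where it stops.
DIAG_NAME = re.compile(
    r"^ForefrontDiag-(?P<server>.+)-(?P<date>\d{8})-(?P<time>\d{2}\.\d{2}\.\d{2})\.zip$",
    re.IGNORECASE,
)


def parse_diag_name(name: str) -> Optional[Tuple[str, datetime]]:
    """Return (server name, bundle timestamp), or None if the name is not a bundle."""
    m = DIAG_NAME.match(name)
    if not m:
        return None
    try:
        stamp = datetime.strptime(m["date"] + m["time"], "%Y%m%d%H.%M.%S")
    except ValueError:  # well-formed but impossible date or time, e.g. day 99
        return None
    return m["server"], stamp


def latest_per_server(names: List[str]) -> Dict[str, Tuple[str, datetime]]:
    """Newest bundle (file name, timestamp) for each server found in the listing."""
    latest: Dict[str, Tuple[str, datetime]] = {}
    for name in names:
        parsed = parse_diag_name(name)
        if parsed is None:
            continue
        server, stamp = parsed
        if server not in latest or stamp > latest[server][1]:
            latest[server] = (name, stamp)
    return latest


def stale_servers(names: List[str], now: datetime, max_age: timedelta) -> List[str]:
    """Servers whose newest bundle is older than max_age as of 'now'."""
    return sorted(server for server, (_, stamp) in latest_per_server(names).items()
                  if now - stamp > max_age)


# Constructed directory listing; the first name is the example given in the guide.
SAMPLE_LISTING = [
    "ForefrontDiag-Server1-20051210-17.50.27.zip",
    "ForefrontDiag-Server1-20051203-17.50.02.zip",
    "ForefrontDiag-EXCH-02-20051126-03.00.10.zip",  # hyphen inside the server name
    "ForefrontDiag-EXCH-02-20051299-03.00.10.zip",  # malformed date, must be ignored
    "ReadMe.txt",
]
# Constructed reference time and tolerance (weekly task plus one day of slack).
SAMPLE_NOW = datetime(2005, 12, 11, 8, 0, 0)
WEEKLY_TOLERANCE = timedelta(days=8)

if __name__ == "__main__":
    for server, (name, stamp) in latest_per_server(SAMPLE_LISTING).items():
        print(f"{server}: newest bundle {name} at {stamp}")
    print("stale:", stale_servers(SAMPLE_LISTING, SAMPLE_NOW, WEEKLY_TOLERANCE))
```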


Backing up and restoring Forefront Security for Exchange Server


This topic describes the recommended backup and restore procedures for Forefront Security for Exchange (FSE):
- About backups
- Preparing files for backup
- Backing up data files
- Restoring data files

About backups
A backup is a copy of data that is used to restore and to recover lost data after a system failure. By using suitable backups, you can recover from many failures, including the following:
- Media failure
- User errors, such as when a file is deleted by mistake
- Hardware failures, such as a damaged disk drive or the permanent loss of a server
- Natural disasters

For more detailed information about creating backups and recovering data for Microsoft Exchange Server 2007, see Disaster Recovery.

Preparing files for backup


To keep a copy of the most up-to-date versions of FSE files and registry data, create a batch file, and then create a scheduled task to keep the version information up to date.

Note: The steps for creating a scheduled task differ between Windows Server 2008 and Windows Server 2003; follow the appropriate procedure.

After completing these steps, the server will be configured to automatically export versions of FSE files and registry data.

To create a batch file

1. In Windows Explorer, locate the following folder: drive:\Program Files\Microsoft Forefront Security\Exchange Server\Data
2. On the File menu, point to New, and then click Text Document.
3. Type ForefrontDiagnostics.bat for the file name, press ENTER, and then click Yes.
4. Right-click the ForefrontDiagnostics.bat file, and then click Edit.
5. In Notepad, edit the batch file to include a command to start the Forefront Security Diagnostic tool (FSCDiag.exe) in order to obtain registry and file information for FSE. The contents of the ForefrontDiagnostics.bat file should resemble the following:

   cd drive:\Program Files\Microsoft Forefront Security\Exchange Server
   FSCDiag.exe /c /ver Forefront /reg Forefront

   Note: If you are not sure about the location of the FSCDiag.exe file, search for it, and then replace the path in the sample .bat file with the location you find.
6. On the File menu, click Save, and then close Notepad.
7. Double-click the ForefrontDiagnostics.bat file.
8. In Windows Explorer, locate the following folder: drive:\Program Files\Microsoft Forefront Security\Exchange Server\log\Diagnostics
9. Make sure that a file named ForefrontDiag-ServerName-Date-Time.zip was created as a result of running the batch file.

   Note: The placeholders ServerName, Date, and Time represent the actual server name and the date and time when the log file is created.

To create a scheduled task in order to keep the version information up to date on a computer running Windows Server 2008

1. Click Start, point to Administrative Tools, and then click Task Scheduler. If you are prompted for an administrator password or for a confirmation, type the password, or click Continue.
2. On the Actions menu, click Create Basic Task.
3. In the Create Basic Task Wizard, type the schedule name in the Name box, type the schedule description in the Description box, and then click Next. For example, type the following information:
   Name: Forefront Diagnostics
   Description: Runs ForefrontDiagnostics.bat in order to update and store updated registry and file version information for Forefront Security for Exchange Server.
4. On the Task Trigger page, select an acceptable interval, for example Weekly, and then click Next.
5. Depending on the selected interval, set the start date, the start time, and the recurrence details, and then click Next. For example, configure the following settings:
   Weekly
   Start: MM/DD/YYYY - HH:MM:SS AM/PM
   Recur Every: X weeks on: Saturday
   where MM/DD/YYYY is the month, day, and year; HH:MM:SS is the hour, minutes, and seconds; and X is the number of weeks.
6. On the Action page, select the Start a program button, and then click Next.
7. On the Start a Program page, click Browse, locate the ForefrontDiagnostics.bat file that you previously created, click Open, and then click Next.
   Note: Leave the Add Arguments (optional) and the Start in (optional) text boxes blank.
8. On the Summary page, verify the settings, and then click Finish.

To create a scheduled task in order to keep the version information up to date on a computer running Windows Server 2003

1. Click Start, click Control Panel, and then double-click Scheduled Tasks.
2. In Scheduled Tasks, double-click Add Scheduled Task.
3. In the Scheduled Task Wizard, click Next.
4. On the Click the program you want Windows to run page, click Browse.
5. In the Select Program to Schedule window, locate and then double-click the ForefrontDiagnostics.bat file that you previously created.
6. In the Type a name for this task box, type a schedule name, select an acceptable interval, and then click Next. For example, use the following name and interval for the task:
   Forefront Diagnostics
   Weekly
7. On the Select the time and date you want this task to start page, set an appropriate start date and time, and then click Next. For example, configure the following settings:
   Start: HH:MM:SS AM/PM
   Every: X weeks on: Saturday
   where HH:MM:SS is the hour, minutes, and seconds; and X is the number of weeks.
8. On the Enter the name and password of a user page, provide the credentials for a user who has permissions to the server, and then click Next.
9. On the You have successfully scheduled the following task: schedule name page, click Finish.
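The two wizard walkthroughs above can also be done from the command line, which is easier to repeat across several Exchange servers and to verify afterwards. The following PowerShell script is an added example and is not part of the User Guide or the product: it registers the same weekly Saturday task with schtasks.exe (available on both Windows Server 2003 and 2008), and then checks that a recent ForefrontDiag-<server>-<yyyymmdd>-<hh.mm.ss>.zip bundle actually exists in Log\Diagnostics, parsing the timestamp out of the file name as the guide documents it. The installation path is the guide's default; the task name, start time, and the choice of the SYSTEM account to run the task are assumptions.

```powershell
# Added example, not from the FSE User Guide. Registers the weekly diagnostics task
# and verifies that it is producing bundles. Run from an elevated PowerShell prompt.

$FseRoot   = 'C:\Program Files(x86)\Microsoft Forefront Security\Exchange Server'  # guide default
$BatchFile = Join-Path $FseRoot 'Data\ForefrontDiagnostics.bat'                     # created per the guide
$DiagDir   = Join-Path $FseRoot 'Log\Diagnostics'                                   # where FSCDiag writes its zip

function Register-ForefrontDiagnosticsTask {
    # Same settings as the wizard example: weekly, Saturdays, start the .bat file.
    # /F (overwrite an existing task) is a Windows Server 2008 switch; drop it on 2003.
    # Running as SYSTEM is an assumption; SYSTEM has Full Access to the FSE folders.
    $taskArgs = @('/Create', '/F', '/SC', 'WEEKLY', '/D', 'SAT', '/ST', '02:00',
                  '/TN', 'Forefront Diagnostics', '/TR', "`"$BatchFile`"", '/RU', 'SYSTEM')
    & schtasks.exe @taskArgs
    if ($LASTEXITCODE -ne 0) { throw "schtasks.exe failed with exit code $LASTEXITCODE" }
}

function Get-LatestForefrontDiagBundle {
    param([string]$Directory = $DiagDir)
    # The file name encodes the creation time (yyyymmdd and hh.mm.ss, 24-hour clock),
    # so parse that instead of trusting file-system timestamps, which a restore can reset.
    $pattern = '^ForefrontDiag-(?<server>.+)-(?<date>\d{8})-(?<time>\d{2}\.\d{2}\.\d{2})\.zip$'
    Get-ChildItem -Path $Directory -Filter 'ForefrontDiag-*.zip' -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Name -match $pattern) {
                [pscustomobject]@{
                    Path    = $_.FullName
                    Server  = $Matches['server']
                    Created = [datetime]::ParseExact(
                        "$($Matches['date']) $($Matches['time'])",
                        'yyyyMMdd HH.mm.ss',
                        [Globalization.CultureInfo]::InvariantCulture)
                }
            }
        } |
        Sort-Object Created -Descending |
        Select-Object -First 1
}

function Test-ForefrontDiagBundleIsCurrent {
    param([int]$MaxAgeDays = 8)   # one day of slack over the weekly schedule
    $latest = Get-LatestForefrontDiagBundle
    if (-not $latest) {
        Write-Warning "No ForefrontDiag bundle found in $DiagDir; the scheduled task has not run yet."
        return $false
    }
    $age = (Get-Date) - $latest.Created
    if ($age.TotalDays -gt $MaxAgeDays) {
        Write-Warning ("Latest bundle {0} is {1:N1} days old; check the scheduled task." -f $latest.Path, $age.TotalDays)
        return $false
    }
    Write-Host "Latest bundle: $($latest.Path) (created $($latest.Created))"
    return $true
}

Register-ForefrontDiagnosticsTask
Test-ForefrontDiagBundleIsCurrent
```

Test-ForefrontDiagBundleIsCurrent is the part worth keeping in a monitoring job: a backup routine that silently stops producing bundles is only discovered during a restore, which is the worst time to find out. The check returns $false rather than throwing so it can be folded into a larger health script.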

Backing up data files


To make sure that you can recover FSE, back up the following folders. Be sure to include all files within the folders:
- drive:\Program Files\Microsoft Forefront Security\Exchange Server\Data
- drive:\Program Files\Microsoft Forefront Security\Exchange Server\Log\Diagnostics

Restoring data files


After you select the restoration strategy that is most applicable to your environment, you can perform the appropriate restoration tasks. The recovery procedures that you perform depend on the following factors:
- The kind of disaster or failure that may occur
- The kind of backups that are available
- The time that you can spend to perform the recovery

After the whole system has been restored to an earlier state, you can recover the Incidents database and the Quarantine database along with your configuration settings. You can also create templates to deploy configuration settings to servers in your enterprise. (For more information about creating templates, see Templates.) Then, you can use these templates and the Microsoft Forefront Server Security Management Console (FSSMC) in order to help you quickly recover from a failure.

Note: The steps outlined in the following procedures provide general instructions for performing specific tasks; for more detailed instructions, see the Microsoft Forefront Server Security Management Console User Guide.

To restore data files in an environment that is running FSSMC

1. On the server that you want to use for configuring the FSE templates, upload the Template.fdb file to FSSMC.
2. In FSSMC, configure the General Options settings.
3. Restore the failed Exchange server.
4. On the Exchange server that you restored, follow these steps:
   a. Install FSE and all related hotfixes or rollups that were installed at the time of the backup.
   b. Deploy the FSSMC deployment agent.
   c. Deploy the Template package to the Exchange server.
   d. Deploy the General Options package to the Exchange server.
   e. Restore the Incidents.mdb database and the Quarantine folder to a temporary location.
   f. Stop the FSCController service.
      Note: Stopping this service stops the Microsoft Exchange Information Store and Microsoft Exchange Transport services, as well as the other FSE services, causing mail to stop flowing.
   g. In Windows Explorer, locate and open the following folder: drive:\Program Files\Microsoft Forefront Security\Exchange Server\Data
   h. Rename the Incidents.mdb file to Incidents.old.
   i. Rename the Quarantine folder to QuarantineOld.
   j. Move the Incidents.mdb file and the Quarantine directory from the temporary location to the following folder: drive:\Program Files\Microsoft Forefront Security\Exchange Server\Data
   k. Start the Forefront services.

To restore data files in a standalone environment

1. Select the server that you want to use for configuring your Forefront Security for Exchange templates.
2. Restore the failed Exchange server.
3. On the Exchange server that you restored, follow these steps:
   a. Install FSE and all related hotfixes or rollups that were installed at the time of the backup.
      Note: You can compare the file versions against the VerForefront.csv file that is located in the latest ForefrontDiag backup.
   b. Restore the Template.fdb file, the Incidents.mdb file, and the Quarantine directory to a temporary location.
   c. Stop the FSCController service.
      Note: Stopping this service stops the Microsoft Exchange Information Store and Microsoft Exchange Transport services, as well as the other FSE services, causing mail to stop flowing.
   d. In Windows Explorer, locate and open the following folder: drive:\Program Files\Microsoft Forefront Security\Exchange Server\Data
   e. Rename the Incidents.mdb file to Incidents.old.
   f. Rename the Quarantine folder to QuarantineOld.
   g. Rename the Templates.fdb file to Templates.old.
   h. Move Templates.fdb, Incidents.mdb, and the Quarantine folder from the temporary location to the following folder: drive:\Program Files\Microsoft Forefront Security\Exchange Server\Data
   i. Start the Forefront services.
   j. At a command prompt, type the following commands, pressing ENTER after each:

      cd drive:\Program Files\Microsoft Forefront Security\Exchange Server
      FSCStarter t

Notes:
- The FSCStarter t command loads the templates from the Templates.fdb file.
- Because the General Options settings have registry values that are associated with them, they cannot be recovered in a stand-alone environment. It is recommended that you compare your registry settings against another server in your organization or against the Reg_ForefrontSoftware.txt file that is located in the latest ForefrontDiag backup, and then manually configure the General Options settings by using the Forefront Server Security Administrator. (For more information about configuring General Options, see "General Options" in Forefront Server Security Administrator.)
- It is recommended that you do not copy Forefront database (.fdb) files from another server. If you do this, the associated globally unique identifiers (GUIDs) of the databases will have conflicts.

Security and configuration notices


Forefront Security for Exchange Server includes many security updates and configuration changes from earlier releases. This section details security and configuration information and is updated as necessary to reflect new changes in Forefront Security for Exchange Server.

Security policy changes


Security has been improved by reducing the privileges held when Forefront Security for Exchange Server services and processes start. This helps prevent malformed data from exploiting any security issues within the Forefront Security for Exchange Server code or the third-party scanning engines. Many services and processes run in the Network Service account; a few run in the Local System account. When FSS services start, Forefront Security for Exchange Server removes all privileges except those that the services require to do their work. The only privileges enabled are:
- SeImpersonatePrivilege
- SeChangeNotifyPrivilege
- SeSecurityPrivilege
- SeIncreaseQuota
- SeTCB
- SeAssignPrimaryToken

There are now restricted access control lists (ACLs) on resources. The security of Forefront Security for Exchange Server resources has been improved to prevent unauthorized access. With this change, only users who are part of the Administrators group have access to administer Forefront Security for Exchange Server. The ACLs that are applied to Forefront Security for Exchange Server resources are described in the following table.
Resource type | Resource                                                 | ACL set
File          | <Installation path>                                      | SYSTEM: Full Access; Administrators group: Full Access; Network Service: Read
File          | "Data" folder                                            | SYSTEM: Full Access; Administrators group: Full Access; Network Service: Full Access
Registry      | HKLM/Software/xxxxx/xxxxx                                | SYSTEM: Full Access; Administrators group: Full Access; Network Service: Read
DCOM          | FSEIMC, FSCMonitor, FSCController, FSCStatisticsService  | SYSTEM: Full Access; Administrators group: Full Access; Network Service: Read
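Because the table is the product's security baseline, it is worth checking after an installation, a restore, or a permissions change made "to fix an error". The following PowerShell script is an added example and is not part of the User Guide or the product: it reads the NTFS ACLs of the two file-system rows (installation folder and Data folder), maps the table's labels to Windows identities and rights (assumed mapping: "Full Access" is FullControl, "Read" is the Read right set, SYSTEM is NT AUTHORITY\SYSTEM, the Administrators group is BUILTIN\Administrators, Network Service is NT AUTHORITY\NETWORK SERVICE), and reports every Allow entry that names an identity outside the table or grants more than the table allows. The registry and DCOM rows are not checked, because the guide gives only a placeholder key path. The installation path is the guide's default.

```powershell
# Added example, not from the FSE User Guide. Audits the NTFS ACLs on the FSE
# installation and Data folders against the table above. Run elevated.

$FseRoot = 'C:\Program Files(x86)\Microsoft Forefront Security\Exchange Server'  # guide default

# Expected grants per the table: identity -> maximum right set (assumed mapping).
$ExpectedAcls = @{}
$ExpectedAcls[$FseRoot] = @{
    'NT AUTHORITY\SYSTEM'          = 'FullControl'
    'BUILTIN\Administrators'       = 'FullControl'
    'NT AUTHORITY\NETWORK SERVICE' = 'Read'
}
$ExpectedAcls[(Join-Path $FseRoot 'Data')] = @{
    'NT AUTHORITY\SYSTEM'          = 'FullControl'
    'BUILTIN\Administrators'       = 'FullControl'
    'NT AUTHORITY\NETWORK SERVICE' = 'FullControl'
}

function Get-UnexpectedFileAces {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][hashtable]$ExpectedGrants)

    $fullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Deny entries only tighten access; only Allow entries can widen it.
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }

        $identity = $ace.IdentityReference.Value
        $granted  = [int]$ace.FileSystemRights
        # Inherited entries sometimes carry GENERIC_ALL (0x10000000), which is full control.
        if ($granted -band 0x10000000) { $granted = $fullControl }

        if (-not $ExpectedGrants.ContainsKey($identity)) {
            [pscustomobject]@{ Path = $Path; Identity = $identity; Rights = $ace.FileSystemRights
                               Inherited = $ace.IsInherited; Reason = 'identity not in the table' }
            continue
        }
        # Bitwise compare: any granted bit outside the expected right set is a finding.
        $allowed = [int][System.Security.AccessControl.FileSystemRights]$ExpectedGrants[$identity]
        if (($granted -band (-bnot $allowed)) -ne 0) {
            [pscustomobject]@{ Path = $Path; Identity = $identity; Rights = $ace.FileSystemRights
                               Inherited = $ace.IsInherited; Reason = 'rights exceed the table' }
        }
    }
}

function Test-FseResourceAcls {
    $findings = @()
    foreach ($path in $ExpectedAcls.Keys) {
        if (-not (Test-Path -LiteralPath $path)) { Write-Warning "Folder not found: $path"; continue }
        $findings += @(Get-UnexpectedFileAces -Path $path -ExpectedGrants $ExpectedAcls[$path])
    }
    return $findings
}

$result = Test-FseResourceAcls
if ($result.Count -eq 0) { Write-Host 'NTFS ACLs on the FSE folders match the table.' }
else { $result | Format-Table -AutoSize }
```

The script reports; it does not change anything. Entries flagged with Inherited = True usually come from the parent Program Files folder, so review them against your own hardening baseline before deciding whether inheritance should be blocked on the FSE folders, and treat any non-inherited grant to an identity outside the table (for example, a service account added by hand) as the finding to follow up first.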

General Options changes


The following describes changes to the General Options:
- Engine Error Action. The default action for the General Option Engine Error Action has been changed from Skip to Delete. The Delete action logs the error to the program log, deletes the file that caused the error, and displays an EngineError entry with the state Removed in the Forefront Server Security Administrator.
- Transport Scan Timeout Action. The default action for the General Option TransportScanTimeoutAction has been changed from Skip to Delete.
- Realtime Scan Timeout Action. The default action for the General Option RealtimeScanTimeoutAction has been changed from Skip to Delete.
- Quarantine Timeout. The registry value QuarantineTimeout has been added to override quarantine after a scan job time-out. The value is a DWORD type. If the registry value is not present, or it is present and its value is not zero, messages that cause a scan job time-out will be quarantined. If the registry value is present and its value is zero, the message will not be quarantined.
- Delete Corrupted Compressed Files. The default setting for the General Option DeleteCorruptedCompressedFiles has been changed from Off to On. Files identified as corrupted are quarantined. If you do not want to quarantine these files, you may create a new registry setting named QuarantineCorruptedCompressedFiles to override quarantine. The DWORD value must be created and set to 0.
- Illegal MIME Header Action. The General Option Illegal MIME Header Action has been added. When this option is enabled, Forefront Security for Exchange Server deletes messages that are malformed or that carry multiple headers that make the interpretation of the message ambiguous. Some of the headers checked for multiple occurrences and malformation include the content-type, content-disposition, and content-transfer-encoding headers. This option is On by default.

Other changes and updates


The following describes other changes and updates:
- ScanAllAttachments Registry Setting. The registry setting ScanAllAttachments defaults to 1 for all new installations of Forefront Security for Exchange Server. This configures Forefront Security for Exchange Server to scan all attachments for viruses by default. For more information about this setting, see the "Scanning files by type" sections in Manual Scan Job, Realtime Scan Job, and Transport Scan Job.
- Winmail.dat Scanning. The Forefront Security for Exchange Server Transport Scan Job scans Winmail.dat files for viruses. Exchange uses Winmail.dat files for several purposes. One of the uses is to send Winmail.dat files between servers to facilitate replication (IPM replication messages). If Forefront Security for Exchange Server modifies any of these Winmail.dat files, the public folder replication process will fail. To prevent this from happening, you can set a new DWORD registry key named DoNotScanIPMReplicationMessages to 1, and the Transport Scan Job will not scan IPM replication messages. Note: If a virus is replicated via public folder replication, the Forefront Security for Exchange Server Realtime Scan Job still detects the virus even if this key is set.
- FTP Engine Updates. Engine updates via the File Transfer Protocol (FTP) server are no longer supported. Updates must be done using HTTP or locally using a UNC share.
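The override values described in the General Options changes (QuarantineTimeout, QuarantineCorruptedCompressedFiles) and in the list above (DoNotScanIPMReplicationMessages) each have three states that matter: absent, present with the override value, and present with some other value, and the guide assigns different behaviour to "absent" and "present and zero". The following PowerShell script is an added example and is not part of the User Guide or the product: it reads the three DWORDs and reports the behaviour each selects according to the guide's wording, keeping "absent" distinct from "0". The guide does not print the FSE registry key path (the table shows it only as HKLM/Software/xxxxx/xxxxx), so the key below is a labelled placeholder you must replace; the behaviour strings for values the guide does not document (for example QuarantineCorruptedCompressedFiles set to 2) are assumptions and are marked as such in the output.

```powershell
# Added example, not from the FSE User Guide. Reports the effect of the documented
# registry override DWORDs. The key path is a PLACEHOLDER; the guide elides the real one.

$FseRegistryKey = 'HKLM:\SOFTWARE\PLACEHOLDER-FSE-KEY'   # placeholder, replace with the documented FSE key

function Get-FseDwordValue {
    param([Parameter(Mandatory)][string]$Key, [Parameter(Mandatory)][string]$Name)
    # -ErrorAction SilentlyContinue turns "value (or key) does not exist" into $null
    # instead of an error, so an absent value is never confused with a value of 0.
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return [pscustomobject]@{ Present = $false; Value = $null } }
    return [pscustomobject]@{ Present = $true; Value = [int]$item.$Name }
}

function Get-FseOverrideReport {
    param([string]$Key = $FseRegistryKey)
    # Each rule is the guide's wording for that value; "assumed" marks cases it does not cover.
    $rules = @(
        @{ Name   = 'QuarantineTimeout'
           Effect = { param($s)
               if ($s.Present -and $s.Value -eq 0) { 'scan-job time-out: message NOT quarantined' }
               else { 'scan-job time-out: message quarantined (absent or non-zero)' } } },
        @{ Name   = 'QuarantineCorruptedCompressedFiles'
           Effect = { param($s)
               if ($s.Present -and $s.Value -eq 0) { 'corrupted compressed files: NOT quarantined' }
               elseif (-not $s.Present) { 'corrupted compressed files: quarantined (default)' }
               else { 'corrupted compressed files: quarantined (assumed; only 0 is a documented override)' } } },
        @{ Name   = 'DoNotScanIPMReplicationMessages'
           Effect = { param($s)
               if ($s.Present -and $s.Value -eq 1) { 'Transport Scan Job skips IPM replication messages' }
               elseif (-not $s.Present) { 'Transport Scan Job scans IPM replication messages (default)' }
               else { 'Transport Scan Job scans IPM replication messages (assumed; only 1 is documented)' } } }
    )
    foreach ($rule in $rules) {
        $state = Get-FseDwordValue -Key $Key -Name $rule.Name
        [pscustomobject]@{
            Setting = $rule.Name
            Present = $state.Present
            Value   = $state.Value
            Effect  = & $rule.Effect $state
        }
    }
}

Get-FseOverrideReport | Format-Table -AutoSize
```

The report is useful in two places the guide already points at: after a stand-alone restore, where General Options cannot be recovered from backup and must be re-entered by hand, and when comparing a server against the Reg_ForefrontSoftware.txt export in the latest ForefrontDiag bundle. A server on which QuarantineTimeout is present and 0 silently drops timed-out messages instead of quarantining them, which is exactly the kind of difference that a plain registry diff shows but does not explain.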
