Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft Corporation may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft Corporation, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 2009 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Excel, Forefront Security, Internet Explorer, Outlook, PowerPoint, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
Privacy policy
Review the Microsoft Forefront Security Privacy Statement at the Microsoft Forefront Security Web site
Contents

Exchange Introduction
  Forefront Security for Exchange Server scanning overview
  Premium spam protection
  Scanning order
  Third-party file-level antivirus programs
  Additional documentation
Installing Forefront Security
  System requirements
  Installing on a local server
  Installing on a remote server
  Administrator-only installation
  Guidelines for installing FSE in a Hyper-V virtual environment
    Verifying system requirements for using FSE in a Hyper-V environment
    About FSE virtualization guidelines
    Tuning performance
    Optimizing guest and host operating system settings
    About process counts
  Installing to multiple servers
  Initial scanning
  Post-installation security consideration
  Upgrading
  Uninstalling
  Applying Exchange and FSE service packs and rollups
  Product licensing information
    Evaluation version
Forefront Security for Exchange Server Services
  About services
    FSCController
    FSCMonitor
    AdoNavSvc
    FSEIMC
    FSEMailPickup
    FSCRealtimeScanner
    FSCTransportScanner
    FSCStatisticsService
  Disabling the Forefront Security for Exchange Server services
  Recycling the Forefront Security for Exchange Server services
  Securing the service from unauthorized use
Forefront Server Security Administrator
  Enabling Forefront Server Security Administrator
  Launching the Forefront Server Security Administrator
  Connecting to a local server
  Connecting to a remote server
  Connecting to a different server
  Running in read-only mode
  Forefront Server Security Administrator user interface
  General Options
    Diagnostics section
    Logging section
    Scanner Updates section
    Scanning section
    Background Scanning section
  Central management
Multiple scan engines
  About engine rankings
  Setting the bias
    About bias settings
    Configuring the bias setting
Manual Scan Job
  Configuring the Manual Scan Job
    Configuring antivirus settings
    Editing the Manual Scan Job
  Running the Manual Scan Job
    Checking results and status
  Scheduling the Manual Scan Job
  Performing a Quick Scan
    Checking results and status
  About mailboxes and public folders
  Scanning files by type
Realtime Scan Job
  About multiple Realtime processes
  Configuring the Realtime Scan Job
    Configuring antivirus settings
    Editing the Realtime Scan Job
  Controlling the Realtime Scan Job
    Enabling and disabling the Realtime Scan Job
    Selecting virus scans, file filtering, and content filtering
    Checking results and status
  About mailboxes and public folders
  About proactive scanning
  About Realtime scan recovery
  Scanning files by type
Transport Scan Job
  About multiple Transport processes
  Configuring the Transport Scan Job
    Configuring antivirus settings
    Editing the Transport Scan Job
  Controlling the Transport Scan Job
    Enabling and disabling the Transport Scan Job
    Selecting virus scans, file filtering, or keyword filtering
    Checking results and status
  About Transport scan recovery
    About message queues
      Scanning the inbound queue
      Scanning the outbound queue
      Internal scanning
  Scanning nested compressed files
  Scanning files by type
Background scanning and on-access scanning
  Scheduled background scanning
  On-access scanning
  Heightened security on-access scanning
  Reporting incidents
Templates
  Template uses
  Creating a named template
  Renaming or deleting a named template
  Modifying templates
  Modifying default file scanner update templates
  Modifying notification templates
  Using named templates
  Deploying templates during a remote installation
  Deploying named templates
    Deploying schedule job templates
  Template planning tips
File filtering
  Creating a file filter
    Filtering by file type
    Filtering by extension
    Filtering by name
    Action
  Editing a file filter
  Matching patterns in the file name with wildcard characters
  Directional file filters
    Inbound filtering
    Outbound filtering
    Inbound, outbound, and internal filtering
  Filtering container files
  Excluding the contents of a container file from file filtering
  Using file filtering to block most file types
  File filter lists
    Creating a file filter list
    Importing items into a filter list
  Filter set templates
  International character sets
  Statistics logging
Content filtering
  Configuring sender-domains filtering
  Configuring subject line filtering
  Action
  Editing a content filter
  Matching patterns with wildcards
  Content filter lists
    Creating a content filter list
    Importing items into a filter list
  Filtering mail from all users in a domain except for specific users
  International character sets
  Reporting
  Filter set templates
    Creating a filter set template
    Configuring a filter set template
    Associating a filter set template with a scan job
    Editing a filter set template
    Deleting a filter set template
    Renaming a filter set template
    Distributing filter set templates to remote servers
Keyword filtering
  Creating new keyword lists
  Configuring keyword lists
    Keyword filter actions
    Keyword list syntax rules
    Case-sensitive filtering
  Example lists
  Allowed senders lists
    Enabling allowed senders lists
  Importing items into a filter list
Purging messages infected by worms
  Purging by the Realtime scanner
  Purging by the Transport scanner
  Purging by the Manual scanner
  Using file filtering to purge worm viruses
  Notifications
  Enabling and updating worm purging
  Updating the worm purge list
  Creating a custom worm purge list
E-mail notifications
  How notifications are sent
  Configuring notifications
  Notification roles
  Configuring internal addresses
  Enabling and disabling a notification
  Editing a notification
Reporting and statistics
  Incidents database
    VirusLog.txt
    Forefront Security for Exchange Server incidents
    Statistics
      Message statistics
      Attachment statistics
    Managing statistics
  Quarantine
    Quarantine options
    Saving quarantine database items to disk
    Delivering quarantined messages
      DeliverLog.txt
    Forwarding attachments
      Forwarding attachments quarantined by the virus scanner
      Forwarding attachments quarantined by the file filter
      Forwarding attachments and manual scans
    The ExtractFiles tool
      Using the ExtractFiles tool for fast mail recovery
  Maintaining the databases
    Clearing the databases
      Clearing the incidents database
      Clearing the quarantine database
    Exporting database items
    Purging database items
    Filtering database views
    Moving the databases
    Changing the database compaction time
  Windows Event Viewer
  Performance
    Reinstalling Forefront Security for Exchange Server performance counters
File scanner updating
  Automatic file scanner updating
  Scheduling an update
    Scheduling updates on multiple servers
    Update Now
    Update on load
    Scanner information
    Manifest.cab
  Distributing updates
    Configuring servers to distribute and receive updates
      Configuring the redistribution (hub) server and UNC credentials
      Configuring the spoke servers
  Notifications following engine updates
  Putting the new file scanner to use
  Updating the file scanners through a proxy
  Adding and deprecating scan engines
    Adding new scan engines
    Deprecating scan engines
Troubleshooting
  Exchange not hooked in
  Getting help
  Diagnostics
  Forefront Security for Exchange Server installation failure
The FSC utility
  Disabling and enabling Forefront Security for Exchange Server
Registry keys
  Scanner Update Settings registry keys
Keyword substitution macros
  The macros
File types list
The FSC diagnostic tool
  Information collected
  Running the Forefront Security diagnostic tool
Backing up and restoring Forefront Security for Exchange Server
  About backups
  Preparing files for backup
  Backing up data files
  Restoring data files
Security and configuration notices
  Security policy changes
  General Options changes
  Other changes and updates
Exchange Introduction
In Microsoft Exchange, viruses can enter the environment in file attachments to e-mails, in e-mail bodies, and in public folder posts, but traditional antivirus technology cannot monitor or scan the contents of the Exchange database or the Exchange Transport stack. Exchange environments require an antivirus solution that can prevent the spread of viruses by scanning all messages in real time with minimal impact on server performance or message delivery times. Microsoft Forefront Security for Exchange Server (FSE) is the solution for protecting Exchange environments.

Forefront Security for Exchange Server is uniquely suited for Exchange Server 2007 environments. It uses the Exchange Virus Scanning Application Programming Interface (VSAPI) to tightly integrate with the Exchange servers and provide seamless protection. Forefront Security for Exchange Server provides powerful features that include:
1. Antivirus scanning using multiple antivirus scan engines.
2. Distributed protection on all storage and transport Exchange server roles, including Edge, Hub, and Mailbox/Public Folder servers.
3. File filtering by file name, extension, or size.
4. Comprehensive notifications for the administrator and the message sender and recipient.

Forefront Security for Exchange Server provides powerful protection for your messaging servers and is the antivirus solution for Exchange 2007 environments.

Benefits of using multiple scanning engines
Antivirus vendors all try to release signatures as soon as possible, but with every virus threat there is variation between antivirus research labs in how quickly virus samples are obtained and analyzed and signatures are released. By using multiple antivirus scan engines, Forefront customers realize the benefit of diversification. If all messages are scanned with five engines, it is more likely that one of the engines is equipped to handle a recently released virus than if only one antivirus engine were being used.

Forefront offers configuration settings that let you choose a balance between performance and relative level of protection. Any number of engines can be chosen, up to a maximum of five, and a bias setting determines whether all engines scan every message or whether a subset of the selected engines is used to scan each message. The recommended bias setting for increased protection is Favor Certainty. This setting configures Forefront to scan with all available engines that have been selected. (With Favor Certainty, an engine may be bypassed if it is temporarily unavailable, such as when it is in the middle of reloading to update its signatures.)
Forefront Security for Exchange Server supports the Exchange Edge Transport, Hub Transport, and Mailbox/Public Folder server roles. By distributing the scanning workload over the various Exchange servers, the impact on individual servers is reduced and duplicate scanning is eliminated. Forefront Security for Exchange incorporates new scanning logic that does not scan e-mail that has already been scanned. By default, e-mail scanned at an Edge Transport or Hub Transport server does not get scanned again when it is routed or deposited into mailboxes. This approach minimizes antivirus scanning overhead to maximize mail system performance. It also:
- Significantly reduces scanning impact at the Information Store.
- Can be turned off to enable scanning at all points.
To identify mail that has already been scanned, a secure antivirus header stamp is written to each e-mail when it is first scanned at the Edge or Hub server. Later scanning operations (Hub or Store) check for this stamp, and if it is present the mail is not rescanned. When the message is submitted to the Store, the antivirus stamp properties are added to a MAPI property and maintained. To make the best use of this scan-once capability, it is recommended that all Exchange servers be configured with the same configuration settings, so that scanning at the various distributed points in the Exchange organization is equivalent. There are several scanning scenarios:

Scanning of inbound mail
Mail is scanned at the Edge server. The mail is not rescanned at the Hub or when it is first deposited in the Mailbox servers. However, after the messages are deposited in the Mailbox server, the server can be configured to periodically rescan all or some of the content with newer signatures.

Scanning of outbound mail
By default, outgoing mail is not scanned on the Mailbox server, but is scanned at the Hub server. If the Mailbox and Hub server roles are deployed on the same computer, the mail is scanned by the Hub Transport role. If there is an Edge server deployed in the Exchange organization, the mail is not rescanned at the Edge server.
Scanning of internal mail
Mail is scanned at the Hub server as it is routed internally. By default, the mail is not scanned at the Mailbox server where it originated, nor rescanned at the destination Mailbox server.

In all of these scenarios, processing time and load are saved on the Mailbox servers.

The AV stamp
There are three conditions that must be met before the AV Transport Agent places an AV stamp on a message:
1. The message must be scanned with at least one virus engine.
2. Either no virus must be found, or if a virus is found it must be cleaned or deleted.
3. If the message was updated, Forefront must successfully write the updated message back to Exchange.
If Forefront is set to Skip: detect only mode for virus scanning, no stamp is written if a virus is found. Only antivirus scanning sets the stamp; file filtering has no effect on it.

Mailbox scanning
Store scanning is handled by:
- Realtime scan job and Background Scanning
- Manual scan job
Proactive scanning (scanning when messages and files are written to the Store) is turned off by default. By default, messages that arrive at a Mailbox server carry a Transport stamp and are not rescanned by the Realtime scanning processes. The Transport Hub that scanned these messages can be located either on a separate server or co-located with the Mailbox server. Content that has never been routed through a Transport Hub does not have an AV stamp and is scanned when it is first retrieved from the store by On-Access Scanning. By default, On-Access Scanning scans a message when it is accessed only if it has not been scanned before. Access includes opening a message, viewing it in the preview pane, and content indexing operations. Most retrieval has no impact on the Store, because messages have been scanned in transit. On-access scanning provides protection for messages in the Sent Items folder, the Outbox, and Public Folders.

There are optional high-security configuration settings that can be enabled on the Mailbox server to scan a message on access if new signatures have arrived since the message was last scanned. (See the Scan on scanner update option in Settings - General Options.) It is recommended that these high-security settings be used only in the event of a serious threat that requires constant rescanning of mail to protect users from a known threat.

When Outlook is running in cache mode, there are two copies of the user folders, one local and one on the server. Forefront is a server application and only has access to the server copy. This provides appropriate protection, because sending or receiving transfers the message to the server, where scanning takes place.
It should be noted that On-Access protection is limited. When the mail has already been downloaded to a client Outlook cache in Outlook 2003 or Outlook 2007 (if Outlook cache mode is on), locally accessing the mail in Outlook does not cause an On-Access event on the Exchange server. Background scanning is useful for this case, when the mail is already stored in the client cache. If Background scanning detects a virus, the store copy of the message is cleaned or deleted, forcing the client to re-synchronize the (cleaned or purged) messages the next time it connects to Exchange.

Background Scanning now provides incremental Background Scanning to enhance performance. This functionality enables administrators to configure Background scanning jobs to scan messages based on their age. For example, administrators can schedule a background scan job to run at off-peak hours and to scan only messages received in the past two days. Administrators can also run a background scan job to clean the mailbox server in response to a known event that has deposited infected items in the store. Incremental Background Scanning dramatically reduces Store overhead and provides a significant level of protection for the latest messages, which may have been received on the Exchange server before the corresponding signatures for that virus were received. Background Scanning uses the same configuration settings configured in the Realtime Scan job.

Microsoft recommends that Proactive scanning be turned on for a Public Folder server, so that the content is scanned when it is posted to the server and does not incur any download delays when it is accessed.
These capabilities help ensure that your organization has the most up-to-date protection against the latest spam attacks. For more information about anti-spam protection, see Managing Anti-Spam and Antivirus Features in the Microsoft Exchange Server 2007 documentation.
Scanning order
When FSE scans a file or an e-mail message, the following tasks are performed in the order listed:
1. Allowed senders scan. If the allowed senders list functionality is enabled, FSE compares the message sender's domain or address to the allowed senders list. If a message is from a domain or address in the allowed senders list, the message is delivered to the recipient and the rest of the scanning tasks described in this list are bypassed. You can configure the allowed senders list functionality to bypass specific types of filters, such as keyword filters, file filters, and content filters, or to bypass all filters. For more information, see Keyword filtering.
2. Content filtering scan. Content filtering includes the following filters (for more information, see Content filtering):
   - Sender-domains filtering. When sender-domains filtering is enabled, FSE compares the message sender to the senders and domains in the sender-domains filter list.
   - Subject line filtering. When subject line filtering is enabled, FSE compares the contents of the message's subject line to the words in the subject line filter list.
3. Keyword filtering scan. When keyword filtering is enabled, FSE compares the contents of the message to any keyword filter lists that have been created. For more information, see Keyword filtering.
4. Attachment scan. If the e-mail message has an attachment, FSE scans it for worms and viruses:
   - Worm purge. The worm purge tool maintains the WormPrge.dat file, which contains a list of known worms. This list is regularly updated and maintained by FSE. The contents of the message are compared to the list of known worms. For more information, see Purging messages infected by worms.
   - File filtering. When file filtering is enabled, FSE compares the contents of the message to the file filter list. The file filter list lets you search for attachments with a specific name, type, and size within an e-mail message. For more information, see File filtering.
   - Virus cleaning. FSE uses multiple virus scan engines to determine whether the attachment contains a virus. For more information, see Multiple scan engines.
5. Body scan. The body of the message is compared to the worm list maintained in the WormPrge.dat file. If no worms are found, FSE then scans the body of the message for viruses. For more information, see Purging messages infected by worms and Multiple scan engines.
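The ordering above, modeled as an added Python example (not FSE code and not part of this guide): each stage runs in the listed order, an allowed-sender match bypasses the configured filter types, and the first stage that acts on the message ends the scan. The policy lists, the stage names in the trace and the sample messages are constructed for the example; reading a named bypass subset as "skip only those filter stages" is this model's assumption.

```python
"""Model of the scanning order listed above: the stages run in that order, an
allowed-sender match bypasses the configured filter types, and the first stage
that acts on the message ends the scan. Added illustration, not FSE code; the
policy lists and sample messages are constructed for this example."""
from dataclasses import dataclass, field
from fnmatch import fnmatch

FILTER_STAGES = {"content", "keyword", "file"}  # filter types an allowed sender may bypass

@dataclass
class Attachment:
    name: str
    size: int
    content: str  # stand-in for the attachment bytes

@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)

@dataclass
class Policy:
    allowed_senders: set = field(default_factory=set)   # addresses or domains
    allowed_bypass: set = field(default_factory=set)    # {"all"} or a subset of FILTER_STAGES
    sender_domain_filter: set = field(default_factory=set)
    subject_filter: set = field(default_factory=set)
    keyword_filter: set = field(default_factory=set)
    worm_list: set = field(default_factory=set)         # stands in for WormPrge.dat
    file_filter: list = field(default_factory=list)     # (name pattern, size threshold) pairs
    virus_signatures: set = field(default_factory=set)  # stands in for the engines' signatures

def _matches_list(sender, entries):
    domain = sender.rsplit("@", 1)[-1].lower()
    return sender.lower() in entries or domain in entries

def _contains_any(text, words):
    low = text.lower()
    return any(w.lower() in low for w in words)

def scan(msg, policy):
    """Return (action, trace): action is 'deliver', 'filtered', 'purged' or
    'cleaned'; trace names the stages that ran, in order."""
    trace, skip = [], set()
    # 1. Allowed senders scan. "all" skips the rest of the list entirely; a
    #    named subset skips only those filter stages (this model's reading).
    if _matches_list(msg.sender, policy.allowed_senders):
        trace.append("allowed-senders")
        if "all" in policy.allowed_bypass:
            return "deliver", trace
        skip = policy.allowed_bypass & FILTER_STAGES
    # 2. Content filtering: sender-domains filter, then subject line filter.
    if "content" not in skip:
        trace.append("content")
        if _matches_list(msg.sender, policy.sender_domain_filter):
            return "filtered", trace
        if _contains_any(msg.subject, policy.subject_filter):
            return "filtered", trace
    # 3. Keyword filtering over the message contents.
    if "keyword" not in skip:
        trace.append("keyword")
        if _contains_any(msg.body, policy.keyword_filter):
            return "filtered", trace
    # 4. Attachment scan: worm purge, then file filter, then the virus engines.
    for att in msg.attachments:
        trace.append("attachment:worm-purge")
        if _contains_any(att.content, policy.worm_list):
            return "purged", trace
        if "file" not in skip:
            trace.append("attachment:file-filter")
            for pattern, threshold in policy.file_filter:
                if fnmatch(att.name.lower(), pattern) and att.size >= threshold:
                    return "filtered", trace
        trace.append("attachment:virus")
        if _contains_any(att.content, policy.virus_signatures):
            return "cleaned", trace
    # 5. Body scan: worm list first, then the virus engines.
    trace.append("body:worm-purge")
    if _contains_any(msg.body, policy.worm_list):
        return "purged", trace
    trace.append("body:virus")
    if _contains_any(msg.body, policy.virus_signatures):
        return "cleaned", trace
    return "deliver", trace

# Constructed policy used to exercise the ordering.
POLICY = Policy(
    allowed_senders={"partner.example"},
    allowed_bypass={"keyword", "file"},
    sender_domain_filter={"spam.example"},
    subject_filter={"free prizes"},
    keyword_filter={"confidential"},
    worm_list={"WORM-SAMPLE"},
    file_filter=[("*.exe", 0), ("*.zip", 5_000_000)],
    virus_signatures={"VIRUS-SAMPLE"},
)
```

With POLICY, a message from partner.example that carries a keyword-filter hit and an .exe attachment is still delivered, while the virus engines and worm purge run regardless of the allowed-sender match.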
Additional documentation
The most current Microsoft Forefront Security for Exchange Server documentation, including the "Microsoft Forefront Security for Exchange Server Quick Start Guide", the "Microsoft Forefront Security for Exchange Server Best Practices Guide", and the "Microsoft Forefront Security for Exchange Server Cluster Installation Guide", is available at the Microsoft Forefront Security for Exchange Server TechNet Library.
System requirements
The following are the minimum server and workstation requirements for Forefront Security for Exchange Server.

Note: All minimum system memory and disk space requirements for Microsoft Exchange Server 2007 must be met before installing Forefront Security for Exchange Server. Too little available memory or disk space may impact the ability of Forefront to scan large files.

Minimum server requirements
The following are the minimum server requirements.

Note: If both the Exchange and SharePoint products are installed on the same server, only Forefront for Exchange can be installed, to protect Exchange.

- x64 architecture-based computer with an Intel Xeon or Intel Pentium family processor that supports Intel Extended Memory 64 Technology (Intel EM64T), or an AMD Opteron or AMD Athlon 64 processor that supports the AMD64 platform.
- 1 gigahertz (GHz) Intel processor.
- 1 gigabyte (GB) of free memory, in addition to that required to run Exchange 2007 (2 GB recommended). Note: With each additional licensed scan engine, more memory is needed per scanning process.
- 2 GB of available disk space. This is in addition to the disk space required for Microsoft Exchange Server 2007.

Server software:
- Microsoft Windows Server 2003, Windows Small Business Server 2003, or Microsoft Windows Server 2008
- Microsoft Exchange Server 2007 (Standard or Enterprise)

Minimum workstation requirements
The following are the minimum workstation requirements:
- Windows Server 2003, Windows 2000 Professional, Windows XP, or Windows Vista
- 6 MB of available memory
- 10 MB of available disk space
- Intel processor, or equivalent
9. On the Engine Updates Required screen, read the warning about engine updates.
10. If you use a proxy server for scanner updates, select Use Proxy Settings and enter the proxy name or IP address and its port on the Proxy Information screen. This ensures that your proxy server is correctly configured from the start. If you are doing a fresh install, you may enter the proxy information. If this is an upgrade and proxy data is available in the registry, this screen does not appear and the existing data is preserved. Any changes to existing proxy information can be made in General Options.
Note: If a username and password are required for the proxy server, they must be entered through General Options once FSE has been installed. This must be done immediately; otherwise, engine updates will fail.
11. If the server you are installing to is an Edge server, you may be asked whether you want FSE to enable Anti-Spam Updates. If you've never changed the Anti-Spam Updates setting in the Exchange Management Console (that is, the setting is in its default state), you are offered this choice. If you have changed that setting, you will not see it. If you do not enable Anti-Spam Updates during FSE installation, you can turn them on by clicking Enable Anti-spam Updates in the Action section of the Exchange Management Console.
Note: If you enable Anti-Spam Updates during the installation and subsequently uninstall FSE, they will be disabled.
12. On the Choose Destination Location screen, either accept the default destination folder for the product or click Browse to select a different one. Default: Program Files(x86)\Microsoft Forefront Security\Exchange Server
13. On the Select Program Folder screen, choose a program folder for Forefront. At this point, Setup checks for running services. Default program folder: Microsoft Forefront Server Security\Exchange Server
14. On the Start Copying Files screen, review the data presented to you. If any changes have to be made, use the Back button to navigate to the screen to be changed. Otherwise, click Next to begin the installation. A progress bar indicates that the files are being copied.
15. After installation is complete, you can start or restart the Exchange Transport Service, depending on whether it was stopped or running when the installation began. For a clean install, the service was probably still running and needs to be recycled. If you are reinstalling the product, the service had to be stopped before FSE could be uninstalled.
If the service was running, the Restart Exchange Transport Service screen appears; if the service was stopped, the Start Exchange Transport Service screen appears. In either case, you can start the Transport service automatically so that Forefront Security for Exchange Server can become active. Click Next to have Setup perform this step, or click Skip to perform it manually later. Until the service has been started or restarted, FSE cannot scan mail being sent or received.
16. Depending on whether the Exchange Transport Service is being started or restarted (that is, you clicked Next on the prior screen), the Starting Exchange Transport Service screen or the Recycling Exchange Transport Service screen appears. Wait until the status changes to All services started before clicking Next to continue.
17. If the Information Store Service was stopped when the install began, the Start Exchange Information Store screen appears. You can start the Information Store service automatically so that Forefront Security for Exchange Server can become active. Click Next to have Setup perform this step, or click Skip to perform it manually later. Until the service has been started, FSE cannot scan mail on the Store. If the Information Store was running when the installation began, this screen does not appear.
18. If the Information Store Service is being started (that is, you clicked Next on the prior screen), the Starting Exchange Services screen appears. Wait until the status changes to All services started before clicking Next to continue.
19. On the InstallShield Wizard Complete screen, you are advised to view the Readme file (recommended). If you opted to use Microsoft Update and you do not have the correct version of the Windows Update Agent, you are directed to a site to obtain it. Click Finish to complete the installation.
To install Forefront Security for Exchange Server on a remote server
1. The initial setup screen is Welcome. Click Next to continue.
2. Read the license at the License Agreement screen and click Yes to accept it.
3. On the Customer Information screen, enter User Name and Company Name, if needed.
4. On the Installation Location screen, select Remote Installation. If Forefront Security for Exchange Server is already installed on the remote Exchange server, this process can automatically stop the Exchange services, uninstall Forefront Security for Exchange Server, and restart the Exchange services prior to beginning the new installation.
5. On the Remote Server Information screen, enter the following:
   - Server Name. The name of the computer to which you are installing Forefront Security for Exchange Server.
   - Share Directory. The temporary location for the remote installation to use while setting up Forefront Security for Exchange Server. The default is C$.
6. On the Quarantine Security Settings screen, select the desired setting.
   - Secure Mode causes all messages and attachments delivered from Quarantine to be re-scanned for viruses and filter matches. This is the default.
   - Compatibility Mode enables messages and attachments to be delivered from Quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.) Forefront Security for Exchange Server identifies these messages by placing special tag text in the subject line of all messages delivered from Quarantine.
   For more information about this setting, see Reporting and statistics.
7. On the Engine Updates Required screen, read the warning about engine updates.
8. If you use a proxy server for scanner updates, select Use Proxy Settings and enter the proxy name or IP address and its port on the Proxy Information screen. This ensures that your proxy server is correctly configured from the start. If you are doing a fresh install, you may enter the proxy information. If this is an upgrade and proxy data is available in the registry, this screen does not appear and the existing data is preserved. Any changes to existing proxy information can be made in General Options.
Note: If a username and password are required for the proxy server, they must be entered through General Options once FSE has been installed. This must be done immediately; otherwise, engine updates will fail.
9. At this point, Setup determines whether Exchange is installed and running on the remote computer. If Exchange is not running, Setup gives you the option of starting the Exchange services. The Exchange services must be running for installation to continue.
10. If the server you are installing to is an Edge server, you may be asked whether you want FSE to enable Anti-Spam Updates. If you've never changed the Anti-Spam Updates setting in the Exchange Management Console (that is, the setting is in its default state), you are offered this choice. If you have changed that setting, you will not see it. If you do not enable Anti-Spam Updates during FSE installation, you can turn them on by clicking Enable Anti-spam Updates in the Action section of the Exchange Management Console.
Note: If you enable Anti-Spam Updates during the installation and subsequently uninstall FSE, they will be disabled.
11. On the Choose Destination Location screen, either accept the default destination folder for the product or click Browse to select a different one.
12. On the Select Program Folder screen, choose a program folder for Forefront. At this point, Setup checks for running services.
13. On the Start Copying Files screen, review the data presented to you. If any changes have to be made, use the Back button to navigate to the screen to be changed. Otherwise, click Next to begin the installation. A progress bar indicates that the files are being copied.
14. After installation is complete, you can start or restart the Exchange Transport Service, depending on whether it was stopped or running when the installation began. For a clean install, the service was probably still running and needs to be recycled. If you are reinstalling the product, the service had to be stopped before FSE could be uninstalled. If the service was running, the Restart Exchange Transport Service screen appears; if the service was stopped, the Start Exchange Transport Service screen appears. In either case, you can start the Transport service automatically so that Forefront Security for Exchange Server can become active. Click Next to have Setup perform this step, or click Skip to perform it manually later. Until the service has been started or restarted, FSE cannot scan mail being sent or received.
15. Depending on whether the Exchange Transport Service is being started or restarted (that is, you clicked Next on the prior screen), the Starting Exchange Transport Service screen or the Recycling Exchange Transport Service screen appears. Wait until the status changes to All services started before clicking Next to continue.
16. If the Information Store Service was stopped when the install began, the Start Exchange Information Store screen appears. You can start the Information Store service automatically so that Forefront Security for Exchange Server can become active. Click Next to have Setup perform this step, or click Skip to perform it manually later. Until the service has been started, FSE cannot scan mail on the Store. If the Information Store was running when the installation began, this screen does not appear.
17. If the Information Store Service is being started (that is, you clicked Next on the prior screen), the Starting Exchange Services screen appears. Wait until the status changes to All services started before clicking Next to continue.
18. When you have been informed that the installation was successful, click Next to perform another remote installation, or click Cancel to exit the installation program. If you opted to use Microsoft Update and you do not have the correct version of the Windows Update Agent, you are directed to a site to obtain it.
Administrator-only installation
Performing an Administrator-only installation installs the Microsoft Forefront Server Security Administrator onto any workstation or server, which can then be used to centrally manage the FSE service running on remote Exchange servers. Administrator-only installation requires approximately 2.5 MB of disk space.

To install the Administrator only
1. Run the Setup.exe file, which is available on your CD image or from the self-extracting package available at the Microsoft Volume Licensing Download Center.
2. The initial setup screen is Welcome. Click Next to continue.
3. Read the license at the License Agreement screen and click Yes to accept it.
4. On the Customer Information screen, enter User Name and Company Name, if needed.
5. On the Installation Location screen, select Local Installation.
6. On the Installation Type screen, choose Client - Admin Console Only.
7. If Microsoft Update is not enabled, the Use Microsoft Update to help keep your computer secure and up to date screen appears. If you select the option to use Microsoft Update, Setup checks whether you have the correct version of the Windows Update Agent. If you do not, you are directed to get it at the end of the installation and complete the opt-in online.
8. On the Choose Destination Location screen, either accept the default destination folder for the product or click Browse to select a different one. Default: Program Files(x86)\Microsoft Forefront Security\Exchange Server
9. On the Select Program Folder screen, choose a program folder for Forefront. Default: Microsoft Forefront Server Security\Exchange Server
10. On the Start Copying Files screen, review the data presented to you. If any changes have to be made, use the Back button to navigate to the screen to be changed. Otherwise, click Next to begin the installation. A progress bar indicates that the files are being copied.
11. On the InstallShield Wizard Complete screen, you are advised to view the Readme file (recommended). If you opted to use Microsoft Update and you do not have the correct version of the Windows Update Agent, you are directed to a site to obtain it. Click Finish to complete the installation.
The following are guidelines for the guest computer on which FSE will be installed:
drive to prevent slowdowns due to multiple computers accessing the same physical hard drive.
Tuning performance
Adding FSE increases the resources utilized by your Exchange environment. To ensure that your virtual environment can handle the anticipated load from Exchange and FSE, it is recommended that you measure the performance counters before and after installing FSE. Based on the differences in the performance data from before and after the FSE installation, you may want to adjust your virtual hardware requirements. This can include allocating more memory, CPU affinity, and improved disk I/O. Memory and CPU utilization are usually the most heavily impacted by FSE. Note: For more information on using performance counters, see Performance and Reliability Monitoring Step-by-Step Guide for Windows Server 2008 or Windows Server 2003 Performance Counters Reference.
information on fine tuning these settings. Additionally, use the performance data you collected earlier to help gauge how many process counts you should be using.
Initial scanning
When FSE is first installed, all mail up to one day old is scanned. (A registry key called OnAccessCutoff has an initial value of 24 hours.) Each day, FSE adds 24 hours to the OnAccessCutoff value, so that progressively older mail is scanned. Mail that is older than the current value of OnAccessCutoff is not scanned, even if it is accessed. This keeps your system from being overwhelmed by the initial scan when FSE is installed.
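The stamping rule from "The AV stamp", the on-access behaviour from "Mailbox scanning" (including the Scan on scanner update option) and the OnAccessCutoff rule just described, modeled together as one added Python example that is not FSE code and not part of this guide. The record layouts and sample values are constructed, and representing signature freshness as an integer version number is this model's assumption; FSE does not expose such a counter in the text.

```python
"""Model of two decisions described in this guide: when the AV Transport Agent
stamps a message (the three conditions under "The AV stamp"), and when a
Mailbox server's on-access scan rescans an item (never scanned and unstamped,
within the OnAccessCutoff window, or newer signatures with Scan on scanner
update enabled). Added illustration, not FSE code; records and sample values
are constructed, and the integer signature version is an assumption."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class TransportScanResult:
    engines_used: int        # virus engines that actually scanned the message
    virus_found: bool
    virus_action: str        # "clean", "delete" or "skip" (Skip: detect only)
    message_modified: bool   # cleaning or deletion changed the message
    writeback_ok: bool       # the modified message was written back to Exchange
    file_filter_hit: bool    # file filtering has no effect on the stamp

def should_stamp(r):
    """Return True only when all three stamping conditions hold."""
    if r.engines_used < 1:
        return False         # condition 1: at least one virus engine scanned it
    if r.virus_found and r.virus_action not in ("clean", "delete"):
        return False         # condition 2: Skip: detect only leaves it unstamped
    if r.message_modified and not r.writeback_ok:
        return False         # condition 3: the write-back must succeed
    return True              # file_filter_hit is deliberately ignored

@dataclass
class StoreItem:
    received: datetime
    av_stamp: bool                      # stamped in transit at an Edge or Hub server
    last_scan_signature: Optional[int]  # signature version at last scan; None = never scanned

@dataclass
class MailboxConfig:
    install_time: datetime
    scan_on_scanner_update: bool = False  # the high-security General Options setting

def on_access_cutoff(cfg, now):
    """OnAccessCutoff starts at 24 hours and grows by 24 hours each day after install."""
    days_since_install = max(0, (now - cfg.install_time).days)
    return timedelta(hours=24 * (1 + days_since_install))

def needs_on_access_scan(item, cfg, now, current_signature):
    """Decide whether accessing this item triggers an on-access scan."""
    if now - item.received > on_access_cutoff(cfg, now):
        return False         # older than the cutoff: not scanned even if accessed
    if not item.av_stamp and item.last_scan_signature is None:
        return True          # never routed through a Hub and never scanned in the Store
    last = item.last_scan_signature if item.last_scan_signature is not None else 0
    if cfg.scan_on_scanner_update and last < current_signature:
        return True          # newer signatures have arrived since the last scan
    return False             # default: scanned before, so not rescanned

# Constructed sample: FSE installed two days ago, one item per scenario.
INSTALL = datetime(2009, 1, 1, 8, 0)
NOW = INSTALL + timedelta(days=2)
SAMPLE_ITEMS = {
    "stamped_recent": StoreItem(NOW - timedelta(hours=1), True, 100),
    "unstamped_recent": StoreItem(NOW - timedelta(hours=1), False, None),
    "unstamped_old": StoreItem(NOW - timedelta(days=10), False, None),
}

def classify(cfg, current_signature=101):
    """Map each sample item to whether an access would trigger a scan."""
    return {name: needs_on_access_scan(item, cfg, NOW, current_signature)
            for name, item in SAMPLE_ITEMS.items()}
```

With the default configuration only the unstamped, never-scanned recent item is scanned on access; enabling scan_on_scanner_update also rescans the stamped item once a newer signature version exists, and the ten-day-old item is outside the 72-hour cutoff in both cases.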
Upgrading
You can upgrade prior versions of Forefront Security for Exchange Server 10.0 to SP1 without uninstalling the older version. (You must uninstall versions older than 10.0 in order to upgrade to SP1.) If Exchange Server 2007 has already been upgraded, you do not need to uninstall a 10.0 version of FSE. If you are upgrading both FSE and Exchange Server, upgrade FSE first. It is not necessary to upgrade Exchange Server in order to upgrade FSE. If, however, you are upgrading Exchange 2007 to Exchange 2007 SP1, FSE must also be upgraded to SP1, and then disabled during the Exchange upgrade, or it will no longer function correctly. Your configuration settings remain intact. When you start the upgrade installation, Setup detects the old version and asks you to confirm the upgrade. You are asked if you want to stop the Exchange Information Store, the Exchange Transport Service, the Microsoft Operations Manager (MOM), and the Performance Logs and Alerts Service. All these services will be stopped, updated, and started again, without the need for restarting the server. During an upgrade, the only setting that can be changed is the Installation Mode (Secure Mode or Compatibility Mode).
Note: To upgrade in a cluster installation, see the Microsoft Forefront Security for Exchange Server Cluster Installation Guide.
Uninstalling
To uninstall Forefront Security for Exchange Server, log on to the computer on which it is installed.

Note: For the procedures to uninstall FSE from a clustered server, see the Microsoft Forefront Security for Exchange Server Cluster Installation Guide.

To uninstall Forefront Security for Exchange Server
1. Ensure that the Forefront Server Security Administrator is not running.
2. Open Services in the Control Panel.
3. Stop the FSCController service. This causes the Microsoft Exchange Transport Service and the Microsoft Exchange Information Store to be stopped also.
4. When all these services have stopped, close the Services dialog box.
5. Open Add or Remove Programs in the Control Panel.
6. Remove Microsoft Forefront Security for Exchange Server. Click Yes to confirm the deletion.
7. At the Uninstall Complete screen, click Finish.
8. Any settings that you have made remain in .fdb files in the Microsoft Forefront Security folder in Program Files(x86) (or whatever folder you installed to). Additionally, the incidents and quarantine database files remain, as well as Statistics.xml. If you will be reinstalling FSE and want to retain those settings, do nothing. If you will not be reinstalling FSE, or if you want to start with fresh settings, delete that folder.
9. If you are not planning to reinstall Forefront Security for Exchange Server, restart the stopped Exchange services.
To install an Exchange service pack or rollup
1. Disable FSE using the steps described in The FSC utility.
2. Follow the instructions provided with the specific service pack or rollup that you are installing.
3. After the installation is complete and the Exchange services have been restarted, verify that mail is flowing.
4. Enable FSE using the steps described in The FSC utility.
Note: Some Exchange service packs and rollups require you to download and install an FSE update in order to ensure that FSE operates correctly. For information and downloads, visit the Microsoft Web site at Microsoft Help and Support.
To install an FSE service pack or rollup
1. Run the installer by double-clicking the service pack or rollup executable file.
Note: While the installer is running, the Exchange and FSE services are stopped, and your mail flow is temporarily halted.
2. After the installation is complete and the Exchange and FSE services have been restarted (this occurs automatically during the installation), verify that FSE is working properly.
Note: FSE service packs or rollups can also be installed using the FFSMC Deployment job. (For details, see Deployment Jobs in the Forefront Server Security Management Console User Guide.) In this case, the installer runs in silent mode and there is no user input required. The rest of the process remains the same as when running the installer by double-clicking the executable file.
To license FSE, select Register Forefront Server from the Help menu. If you have not already activated the product, the Product Activation dialog box appears. After you enter your product activation information, the Product License Agreement and Expiration dialog box appears. If you have activated FSE, only the Product Licensing Agreement and Expiration dialog box appears. Enter your 7-digit License Agreement Number and then an expiration date. You should enter a date that corresponds to the expiration of your license agreement, to coordinate the expiration of both the license agreement and the product. When the product nears its expiration, you should renew your license agreement and enter the new license information into the Product Licensing Agreement and Expiration dialog box.
Evaluation version
Microsoft provides a fully functional version of Forefront Security for Exchange Server for a 120-day evaluation. If you have a product key and enter it during installation, the product becomes a fully licensed subscription version. If not, it remains an evaluation version. After 120 days, the evaluation version of FSE continues to operate and report detected files. It does, however, cease to clean, delete, and purge files (that is, the action for all virus detection is reset to Skip: detect only). All filters (file, content, and keyword) also have their actions set to Skip: detect only. Finally, the Allowed Sender lists are disabled and scan engines no longer update. To subsequently convert an evaluation version to a subscription version, enter a product key using the Forefront Server Security Administrator, by selecting Register Forefront Server from the Help menu.
About services
The following sections describe the services used by Forefront Security for Exchange server.
FSCController
FSCController acts as the server component that Forefront Server Security Administrator connects to for configuration and monitoring. FSCController coordinates all Realtime, Manual, and Transport scanning activities. The FSCController startup type defaults to manual.
Note: If you change the startup type to anything other than Manual, FSE may not scan properly.
After being installed, the FSCController becomes a dependency on the FSEIMC service. Due to other dependencies, whenever the Microsoft Exchange Information Store service is started or stopped, the same occurs with the FSCController. The Task Scheduler service must be operating properly for the FSCController to initialize.
Note: The FSCMonitor must run under the Local System account on Exchange 2007. If it is changed to run under a different account, Forefront Security for Exchange Server may not start.
Important: For a mailbox-only role, if FSCController or FSCMonitor is disabled, mail continues to flow, but is not scanned for viruses. For all other roles, you must also stop the Exchange services (by selecting Yes when the Stop Other Services prompt appears).
FSCMonitor
FSCMonitor monitors the Exchange Information Store, Transport stack, and Forefront Security processes to ensure that Forefront Security for Exchange Server provides continuous protection of your messaging environment.
AdoNavSvc
AdoNavSvc is used for browsing Active Directory for mailbox names. It will always be in a stopped state unless you are using the Forefront Server Security Administrator to browse mailboxes or public folders in Active Directory or if there is a manual scan or quick scan in progress.
FSEIMC
FSEIMC registers the FSE Agent to ensure that messages are scanned by the FSCTransportScanner process. FSEIMC becomes a dependency on the Microsoft Exchange Transport service on Exchange Server 2007. This service normally only runs for a brief time (less than a minute) when Forefront Security for Exchange Server initializes. It then shuts down and does not need to be running for Transport scanning to take place.
FSEMailPickup
FSEMailPickup delivers messages generated by Forefront Server Security, such as notifications, to Exchange for mail pickup. It also handles the delivery of messages from quarantine. If this service is disabled, no notifications are generated and items cannot be delivered from quarantine.
FSCRealtimeScanner
FSCRealtimeScanner provides immediate scanning of e-mail messages that are sent or received by the mailboxes and public folders resident on the Exchange server.
FSCTransportScanner
FSCTransportScanner ensures that all messages that pass through the Transport stack are scanned prior to delivery.
FSCStatisticsService
The FSCStatisticsService logs scanning statistics for all Forefront Security scan jobs. This information is then available for retrieval by the Microsoft Forefront Security Enterprise Manager.
Note: Forefront Security services must be recycled for the change to take effect.
d. Click Add Program, select FSSAClient from the list, and then click OK. This adds the Forefront Server Security Administrator to the Programs and Services list.
e. In the Programs and Services list, select the FSSAClient.
f. Click Add Port, enter a name for the port, enter 135 as the port number, and then select TCP as the protocol.
g. Click OK.
Note: If you are concerned about opening port 135 to all computers, it can be opened only for the servers running Forefront Security for Exchange Server. When you add port 135, click Change Scope and select Custom list. Enter the IP addresses of all the Forefront servers that should be permitted access through port 135.
To enable the Forefront Server Security Administrator to run on Microsoft Windows Server 2003 SP2
1. Click Start, select Run, and enter dcomcnfg. The Component Services dialog box appears.
2. In the Console Root, expand Component Services.
3. Expand Computers.
4. Right-click My Computer.
5. Select Properties, and then select the COM Security tab.
6. Click Edit Limits under Access Permissions, and then Add anonymous logon account.
7. Select the Allow check box for Remote Access for the Anonymous Logon user.
To launch Forefront Server Security Administrator from a command prompt
1. Open a command prompt window.
2. Navigate to the Forefront Security for Exchange Server installation directory. Default: C:\Program Files(x86)\Microsoft Forefront Security\Exchange Server
3. Enter FSSAclient.exe and then press Enter.
click Browse to attach to a server you have never before connected to. You can also use the Server list at the top of the Forefront Server Security Administrator dialog box to quickly reconnect to a server.
23. Click the Edit button in the Launch and Activation Permissions section.
24. Add the user or group that you want to have read-only access.
25. Select all the Allow check boxes, and then click OK.
26. Click the Edit button in the Access Permissions section.
27. Add the user or group that you want to have read-only access.
28. Select all the Allow check boxes, and then click OK.
29. Save and close the Properties page.
When a user without modify access opens the UI, it does not permit any configuration changes.
Notes: The system account and Exchange service account must have full control of the Forefront Security for Exchange Server folder or Forefront Security for Exchange Server will not run properly.
If you create a user that is part of the Administrators Group with read-only access rights to FSE, when that user logs on and tries to open the Forefront Server Security Administrator, the following error will occur:
ERROR: Unable to connect to service. An error was returned. Location: CocreateInstanceEx.Error: Access is denied.
This error is caused by a Windows Server 2003 SP 1 security enhancement. To work around this problem, follow these steps:
a. Run DCOMCNFG from START/Run. The Component Services dialog box appears.
b. Expand Component Services.
c. Expand Computers, My Computer, and DCOM Config.
d. Right-click on FSCController, and then select Properties.
e. Click the Security tab, and then click Edit in Launch and Activation Permissions.
f. Add Domain Users, and click Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
FILTERING - The FILTERING area enables you to configure content filtering, keyword filtering, file filtering, allowed senders lists, and filter lists.
OPERATE - The OPERATE area enables you to control virus scanning and filter options, schedule and run scan jobs, and perform quick scans.
REPORT - The REPORT area enables you to configure notifications, view and manage incidents, and view and manage quarantined files.
General Options
General Options, accessed from the SETTINGS section of the Shuttle Navigator, provides access to a variety of system-level settings for Forefront Security for Exchange Server. These options are stored in the registry. The General Options pane eliminates the need to directly access the registry when changing these settings. Note that the settings Enable Forefront Security for Exchange Scan, Transport Process Count, and Realtime Process Count require that the Forefront Security for Exchange Server services be restarted for the change to take effect. Although there are many options that can be controlled through the General Options pane, each of them has a default (enabled, disabled, or a value) that is probably the correct one for your enterprise. It is rare that any of these settings would need to be changed. However, several of the settings were entered during installation, and you might need to change one of them from time to time. To access the General Options pane, click General Options in the SETTINGS section of the Shuttle Navigator. The General Options pane opens. The General Options work pane is divided into several sections: Diagnostics, Logging, Scanner Updates, Scanning, and Background Scanning.
Diagnostics section
This table lists and describes the settings in the Diagnostics section of General Options.
Setting Description
Additional Transport: Additional diagnostic messages are added to programlog.txt for Transport scanning. Disabled by default.
Additional Manual: Additional diagnostic messages are added to programlog.txt for Manual scanning. Disabled by default.
Additional Realtime: Additional diagnostic messages are added to programlog.txt for Realtime scanning. Disabled by default.
Notify on Startup: Indicates that FSE should send a notification to all the e-mail addresses listed in the Virus Administrators list whenever the Internet scanner starts. Disabled by default.
Archive Transport Mail: Enables administrators to archive inbound and outbound Edge Transport or Hub Transport e-mail in two folders (named In and Out) that are located in the Forefront Security for Exchange Server installation folder. Each message will be given a file name that consists of the year, day, month, time, and a three-digit number. For example: 20022009102005020.eml. These options are provided to help administrators and Forefront Security for Exchange Server support engineers diagnose and isolate problems that users may be experiencing. The archiving options are:
No Archive (the default) - No mail is archived.
Archive Before Scan - Messages are archived prior to scanning.
Archive After Scan - Messages are archived after scanning.
Archive Before and After Scan - Messages are archived before and after scanning.
Critical Notification List: Indicates administrators and others who should be notified in the event that the Exchange store starts and Forefront Security for Exchange Server is not hooked in or if the Forefront Security store shuts down abnormally. Multiple e-mail addresses are separated by semicolons. Example: admin@microsoft.com;admin2@microsoft.com.
Logging section
This table lists and describes the settings in the Logging section of General Options.
Setting Description
Enables logging of FSE events to the event log. Enabled by default.
Enables the logging of FSE performance statistics in the Performance snap-in. Enabled by default.
Enables the Forefront program log (ProgramLog.txt). Enabled by default.
Enable Forefront Virus Log: Enables the Forefront virus log (VirusLog.txt). Disabled by default.
Enable Incidents Logging - Transport: Enables incident logging for the Transport Scan Job. Enabled by default.
Enable Incidents Logging - Realtime: Enables incident logging for the Realtime Scan Job. Enabled by default.
Enable Incidents Logging - Manual: Enables incident logging for the Manual Scan Job. Enabled by default.
Specifies the maximum size of the program log. Expressed in kilobytes (KB), the minimum size is 512 KB. A value of 0 (the default) indicates that there is no limit to the maximum size.
For more information about the log files and the Performance snap-in, see Reporting and statistics.
Scanner Updates section
Setting Description
Redistribution Server: Indicates that this server is acting as the central hub to distribute scanner updates to other servers. Disabled by default. (For more information, see File scanner updating.)
Indicates that engines should be automatically updated every time FSE is started. Disabled by default.
Send Update Notification: Indicates that a notification should be sent to the Virus Administrator each time a scan engine is updated. Disabled by default. (For more information about setting up notifications to administrators, see E-mail notifications.)
Indicates that proxy settings are to be used when retrieving antivirus scanner updates. Disabled by default, unless you indicated, during installation, that proxy settings were to be used. (For more information, see "Updating the file scanner through a proxy" in File scanner updating.)
Indicates that Universal Naming Convention (UNC) credentials are needed when retrieving antivirus scanner updates. Disabled by default. (For more information, see File scanner updating.) Credentials are not supported if you are using the Microsoft Forefront Server Security Management Console for redistribution. Therefore, be sure to clear this setting if you are using the Microsoft Forefront Server Security Management Console to manage antivirus engine updates.
The name or IP address of the proxy server. Required, if using proxy settings when retrieving antivirus scanner updates. If you indicated, during installation, that proxy settings were to be used, the value you entered then is used to populate this field.
Proxy Port: Indicates the port number of the proxy server. Required, if using proxy settings when retrieving antivirus scanner updates. The default is port 80. If you indicated, during installation, that proxy settings were to be used, the value you entered then is used to populate this field.
Proxy Username: The name of a user with access rights to the proxy server, if necessary. Optional field.
Proxy Password: The appropriate password for the proxy user name, if necessary. Optional field.
UNC Username: The name of a user with access rights to the UNC path, if necessary. Optional field.
UNC Password: The appropriate password for the UNC user name, if necessary. Optional field.
For more information about updating the scan engines, see File scanner updating.
Scanning section
This table lists and describes the settings in the Scanning section of General Options.
Setting Description
Enables message body scanning for the Manual Scan Job. Disabled by default. Enable message body scanning for the Realtime Scan Job. Disabled by default. Specifies whether corrupted compressed files are deleted. A corrupted compressed file is an archive or compressed file type that does not conform to the standard of that type. These files usually have internal headers set incorrectly, or it could be that the file exceeds the size limit configured for FSE. When a corrupted compressed file is detected, FSE reports it as a CorruptedCompressedFile virus. This option is enabled by default. Quarantining of these files is determined by the individual scan job settings. By default, files identified as corrupted are quarantined. You can also create a new registry key setting named QuarantineCorruptedCompressedFiles to override quarantining for these file types. The DWORD setting must be created and its value set to 0. Note: 42
Setting
Description
In addition to CorruptedCompressedFile viruses, this setting also handles these file types: UnwritableCompressedFile - A type of corrupted compressed file whose contents cannot be correctly modified (cleaned or deleted), or correctly inserted back into the archive by the scanners due to the corrupt nature of the file. UnReadableCompressedFile - A type of corrupted compressed file whose contents cannot be correctly read out of the archive due to the corrupt nature of the archive. Delete Corrupted Uuencode Files Specifies whether corrupted UUENCODE files are deleted. Typically, a Uuencoded file that FSE is unable to parse is considered corrupted. FSE reports those as a CorruptedCompressedUuencodeFile virus. Enabled by default. Specifies whether an encrypted compressed file with at least one encrypted item within its contents is deleted (encrypted files cannot be scanned by antivirus scan engines). Disabled by default. FSE reports those as an EncryptedCompressedFile virus. Specifies whether ZIP archives containing highly-compressed files are reported as corrupted compressed. If the archive is reported as corrupted compressed, and if the option to Delete corrupted compressed files is enabled, the archive is deleted. If Delete corrupted compressed files is not enabled, the files in the ZIP archive are passed to the virus engines to be scanned, in their compressed form. The ZIP archive itself is also passed to the virus engines. If scanned and no threat is found, the message will be delivered. If a threat can be cleaned, the message will be delivered. If a threat can not be cleaned, the message will be deleted. If the file is compressed with an 43
Setting
Description
unknown algorithm, it is treated as corrupted compressed, regardless of the setting of this option. This option is enabled by default (that is, ZIP archives containing highly-compressed files are treated as corrupted compressed). Treat multipart RAR archives as corrupted compressed A file within a RAR archive can be compressed across multiple files or parts (hence multipart), thereby enabling very large files to be broken into smaller-sized files for ease of file transfer. This option specifies whether RAR archives containing such parts are reported as corrupted compressed. Disabling this option enables you to receive such files. However, in this case a virus may escape detection if it is split across multiple volumes. Therefore, this setting is enabled by default. If the archive is reported as corrupted compressed, and if the option to Delete corrupted compressed files is enabled, the archive is deleted. If Delete corrupted compressed files is not enabled, only the RAR archive as a whole is passed to the virus engines to be scanned. If no threat is found when the archive is scanned, the message will be delivered. If a threat is found and can be cleaned, the message will be delivered. If a threat is found and cannot be cleaned, the message will be deleted. Enabled by default. Note: If you are using multipart RAR to compress files that exceed 100MB when uncompressed, you should be aware of the registry value MaxUncompressedFileSize. For more information, see Registry keys. Treat concatenated gzips as corrupted compressed Multiple Gnu zip (gzip) files can be concatenated into a single file. Although FSE recognizes concatenated gzips, it may not 44
Setting
Description
recognize individual files split across concatenated gzips. Therefore, FSE treats concatenated gzips as corrupted compressed by default. In combination with the Delete Corrupted Compressed Files option, this default behavior prevents all concatenated gzips from passing through, thereby preventing potential infections. Disabling the Treat concatenated gzips as corrupted compressed option enables you to receive concatenated gzips. However, in this case a virus may escape detection. Scan Doc Files As Containers - Manual Specifies that the Manual Scan Job should scan .doc files and any other files that use structured storage and the OLE embedded data format (for example, .xls, .ppt, or .shs) as container files. This ensures that any embedded files are scanned as potential virus carriers. This setting does not apply to Office 2007 (OpenXML) files; they are always scanned as containers. For more information about OpenXML files, see File types list. Disabled by default. Specifies that the Transport Scan Job should scan .doc files and any other files that use structured storage and the OLE embedded data format (for example, .xls, .ppt, or .shs) as container files. This ensures that any embedded files are scanned as potential virus carriers. For more information about OpenXML files, see File types list. Disabled by default. Specifies that the Realtime Scan Job should scan .doc files and any other files that use structured storage and the OLE embedded data format (for example, .xls, .ppt, or .shs) as container files. This ensures that any embedded files are scanned as potential virus carriers. For more information about OpenXML files, see File types list. Disabled by defalut.
45
Setting
Description
Specifies that keyword filtering should be casesensitive. Disabled by default (that is, filtering is not case-sensitive). Specifies whether FSE should fix bare carriage returns and bare line feeds. This corrects a discrepancy between the MIME header parsing method used by Microsoft Outlook and Outlook Express and the RFC 822 specification on how "bare carriage return (CR)" (0x0d) and "bare line feed (LF)" (0x0a) are handled in MIME headers. Disabled by default. If enabled, it corrects out-of-compliance MIME messages to be compliant with the RFC 2822 specification, meaning that bare carriage returns and bare line feeds are replaced by a "CR-LF" combination. Messages with bare carriage returns or bare line feeds can be parsed differently by different e-mail clients. By design, FSE parses these messages in the same manner as Microsoft Outlook and Outlook Express. If this feature is enabled, FSE alters these messages to be compliant with the RFC 2822 specification and, as a result, all e-mail clients will parse them in the same manner. If this feature is disabled, e-mail clients other than Microsoft Outlook and Outlook Express may parse messages with bare carriage returns or bare line feeds differently than FSE. Because of this, a virus could avoid detection. To maximize system performance, this feature is disabled by default. If your organization uses e-mail clients that interpret messages with bare carriage returns or bare line feeds differently than Microsoft Outlook and Outlook Express, you should enable this feature for maximum security. Configures Forefront Security for Exchange Server to skip scanning for messages that were previously scanned by any instance of Forefront Security for Exchange Server in any 46
Optimize for Performance by Not Scanning Messages That Were Already Virus Scanned Transport
Setting
Description
configuration. This applies to messages being received on Transport servers that have been scanned by Forefront Security for Exchange Server on another Transport server within the Exchange organization. Enabled by default. Scan on Scanner Update Causes previously scanned files to be rescanned when accessed following a scanner update. This setting applies to messages stored on a Mailbox server or a Public Folder server. This setting provides heightened security protection to re-scan messages that have already been scanned. Messages are rescanned the first time a mailbox server onaccess event occurs and during every onaccess event after the initial one if new virus signatures have been received since the last time the message was scanned. Disabled by default. Caution: When this option is enabled and an engine update occurs while a background scan is in progress, the background scan restarts at the mail that was being scanned. If updates continue to occur before the background scan finishes, the background scan continues to run indefinitely. It is therefore recommended that you do not schedule a background scan for a large dataset if this option is enabled. Important: When this option is enabled, the Mailbox server may experience increased virus scanning, which may impact server performance. Also, be aware that enabling this setting automatically also enables proactive scanning; for more information, see "About proactive scanning" in Realtime 47
Setting
Description
Scan Job. Note: Messages retrieved by Microsoft Outlook 2003 or Microsoft Outlook 2007 clients running in cache mode only generate an on-access event when they are originally synchronized to the client. They are not re-scanned on the server when the messages are accessed on the local client and retrieved from the cache. To re-scan these already retrieved messages, use the Enable Background Scan if 'Scan on Scanner Update' Enabled option in the Background Scanning section of General Options. If the background scan detects a virus in a message and cleans or purges the message, then the next time the Outlook client resynchronizes with the server, the already retrieved infected message will be cleaned or purged. Perform Reverse DNS Lookups Provides the ability to enable reverse DNS lookups for inbound and outbound determination if the Internal Address list contains entries other than the domain name of the server. The inbound or outbound determination is used by keyword and file filtering. When selected (enabled), Forefront Security for Exchange Server uses reverse DNS lookup to get the domain name and make the inbound or outbound determination. If the option is cleared (disabled), Forefront Security for Exchange Server will use the information in the Received header as well as secure routing information from the Exchange Transport Agent to make the inbound or outbound determination. Disabled by default. Some messages carry viruses in the body of 48
Setting
Description
Transport
the message file. When all or part of the message body is deleted to remove a virus, Forefront Security for Exchange Server inserts deletion text in its place. If administrators do not want e-mail users receiving cleaned messages that contain deletion text, they can use this setting to purge messages where all or part of the message body has been deleted by Forefront Security for Exchange Server and there are no attachments. Note that if a message contains both HTML and plain text and the HTML is deleted, the message will be purged if this option is selected. Disabled by default. Permits administrators to enable or disable all or selected Forefront Security for Exchange Server jobs. The options are Disable All, Enable Store Scanning (Realtime and Manual), Enable Transport Scanning, and Enable All (the default). After changing this setting, the Forefront Security for Exchange Server services must be recycled. (For more information about recycling the services, see "Recycling the Forefront Security for Exchange Server services" in Forefront Security for Exchange Server Services.) Used to change the number of FSCTransportScanning processes that are used by Forefront Security for Exchange Server. The default value is 4. You may create up to 10 Transport processes. After changing this setting, the Forefront Security and Exchange Server services must be recycled. (For more information about this setting, see Transport Scan Job.) Used to change the number of real-time processes that are used by Forefront Security for Exchange Server. The default value is 4. You may create up to 10 real-time processes. After changing this setting, the Forefront 49
Setting
Description
Security and Exchange Server services must be recycled. (For more information about this setting, see Realtime Scan Job.)

Forefront Manual Priority
Sets the CPU priority of manual scans to Normal (the default), Below Normal, or Low, so that more important jobs can take precedence over manual scans when demands on server resources are high.

Action on scan engine error
Sets the action that Forefront Security for Exchange Server takes when a scan engine error occurs (for example, an engine exception, excessive read/write operations, a virus found without a virus name, multiple engine errors, or any other failure code returned by an engine). The options are:
Ignore: logs the error to the program log.
Skip: detect only: logs the error to the program log and displays an EngineError entry with the state Detected in the UI.
Delete: logs the error to the program log, deletes the file that caused the error, and displays an EngineError entry with the state Removed in the UI.
The file that caused the engine error is always quarantined, whichever action is selected. The default value is Delete.

Action on illegal MIME header
If Forefront Security for Exchange Server encounters an illegal MIME header during a scan, the message can be purged (Purge: eliminate message, the default) or ignored (Ignore). A MIME header is considered illegal when the Content-Disposition or Content-Type header is longer than the format allows. Identified messages are quarantined by default. If you do not want identified messages to be quarantined, create a new registry DWORD value named DisableQuarantineForIllegalMimeHeader and set it to 1.

Transport Scan Timeout Action
Indicates what to do if the Transport Scan Job times out while scanning a file. The options are Ignore, Skip: detect only, and Delete. Ignore lets the file pass without being scanned. Skip: detect only reports in the Incidents log and the program log that the file exceeded the scan time, and then lets it pass without being scanned. Delete also reports the event and replaces the contents of the file with the deletion text. A copy of the file is stored in the Quarantine database if quarantining is enabled and the Transport Scan Timeout Action is set to either Skip: detect only or Delete. The default value is Delete.

Realtime Scan Timeout Action
Indicates what to do if the Realtime Scan Job times out while scanning a file. The options behave as for the Transport Scan Timeout Action: Ignore lets the file pass without being scanned; Skip: detect only reports in the Incidents log and the program log that the file exceeded the scan time and lets it pass without being scanned; Delete reports the event and replaces the contents of the file with the deletion text. A copy of the file is stored in the Quarantine database if quarantining is enabled and the Realtime Scan Timeout Action is set to either Skip: detect only or Delete. The default value is Delete.

Quarantine Messages
Forefront Security for Exchange Server performs two different quarantine operations: quarantining of entire messages and quarantining of attachments only. Entire messages are quarantined only for content filters and file filters that are set to Purge when quarantine is enabled. The choices are:
Quarantine as Single EML File (the default): the quarantined message and all of its attachments are stored together in EML file format.
Quarantine Message Body and Attachments Separately: the message is quarantined as separate pieces (body and attachments).
For a complete description of this setting, see Quarantine. Note that these settings do not apply to files that are quarantined as a result of virus scanning; when an infection is detected, only the infected attachments are quarantined.

Deliver From Quarantine Security
Gives administrators flexibility in handling messages and attachments that are forwarded from quarantine. The options are Secure Mode and Compatibility Mode. Secure Mode (the default) forces all messages and attachments delivered from quarantine to be re-scanned for viruses and for filter matches. Compatibility Mode delivers messages and attachments from quarantine without scanning them for filter matches; they are still always scanned for viruses. Note that in Compatibility Mode a message that was quarantined because of a filter match is delivered even though it would still match that filter. Forefront Security for Exchange Server identifies messages delivered from quarantine by placing special tag text in the subject line.
(For more information about using this setting, see Reporting and statistics.)

Transport Sender Information
By default, Forefront Security for Exchange Server uses the sender address from the MIME From: header for the Transport Scan Job. This setting lets administrators use the MAIL FROM sender address from the SMTP protocol instead. When Use Transport Protocol Mail From is selected, the address in that field is used anywhere the sender address is used: for sender or domain content filtering, for notifications, and for reporting in the Administrator. The options are:
Use MIME From: Header (the default)
Use Transport protocol MAIL FROM
Note that when Use MIME From: Header is selected and the message also carries a MIME Sender: header, the address in the Sender: header is used rather than the From: address. Both the MIME headers and the SMTP MAIL FROM address are supplied by the sending system and can be forged, so choose the option that yields the address you actually want your sender and domain filters to evaluate.

Max Container File Infections
Specifies the maximum number of infections permitted in a compressed file. If this number is exceeded, the entire file is deleted and an incident is logged stating that an ExceedinglyInfected virus was found. A value of zero means that a single infection causes the entire container to be deleted; in that case the logged incident has "Container Removed" appended to the filter match. The default value is 5 infections.

Max Container File Size
Specifies the maximum container file size (in bytes) that FSE attempts to clean or repair when it discovers an infected file. The default is 26,214,400 bytes (25 MiB, roughly 26 MB). Files larger than the maximum size are deleted if they are infected or meet file filter rules. Forefront Security for Exchange Server reports these deleted files as a LargeInfectedContainerFile virus.

Maximum nested attachments
Specifies the maximum number of nested documents that can appear in MSG, TNEF, MIME, and UUEncoded files. Note that for the Realtime Scan Job, a nested MSG file is not treated as a nested file with certain e-mail clients. If the maximum is exceeded, FSE deletes the document and reports an ExceedinglyNested incident. The default value is 30.

Maximum nested compressed files
Specifies the maximum nesting depth for a compressed file. If this depth is exceeded, the entire file is deleted and FSE sends a notification stating that an ExceedinglyNested virus was found. A value of zero permits unlimited nesting; avoid it, because unlimited nesting removes the protection against deeply nested archives. The default is 5.
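The following Python example is added to this page for illustration; it is not Forefront Security for Exchange Server code and does not use any FSE interface. It walks a ZIP attachment and applies the container limits described above (nesting depth, infections per container, container size for an infected file) plus a scan deadline standing in for the Max Container Scan Time setting, returning the incident names the page uses. The "infection" is a constructed marker string rather than a real signature match, and the archives it scans are built in memory for the example.

```python
"""Container-limit checks modeled on the General Options settings above.

Added illustration for this page; not Forefront Security for Exchange Server
code. It walks a ZIP attachment and applies the documented limits: maximum
nesting depth for compressed files, maximum number of infections in one
container, maximum container size for an infected file, and a scan deadline
standing in for Max Container Scan Time. Incident names are the ones the
page uses. "Infection" is simulated with a constructed marker string.
"""
import io
import time
import zipfile

# Constructed stand-in for an engine detection: a member containing this
# marker counts as one infection (there is no real signature engine here).
INFECTED_MARKER = b"SIMULATED-INFECTED-MEMBER"

# Defaults quoted in the General Options table above.
MAX_NESTED_COMPRESSED = 5            # zero means unlimited nesting (unsafe)
MAX_CONTAINER_INFECTIONS = 5
MAX_CONTAINER_FILE_SIZE = 26_214_400  # bytes


def build_zip(members):
    """Build an in-memory ZIP from {name: bytes}. Constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def nested_zip(depth, innermost=b"plain text"):
    """Wrap a text file in `depth` layers of ZIP (depth 1 = one archive)."""
    blob = build_zip({"file.txt": innermost})
    for _ in range(depth - 1):
        blob = build_zip({"inner.zip": blob})
    return blob


def scan_container(data, max_depth=MAX_NESTED_COMPRESSED,
                   max_infections=MAX_CONTAINER_INFECTIONS,
                   max_size=MAX_CONTAINER_FILE_SIZE, deadline=None):
    """Return (verdict, infections_seen).

    verdict is "OK" or one of the incident names ExceedinglyNested,
    ExceedinglyInfected, LargeInfectedContainerFile, ScanTimeExceeded.
    The outer archive is depth 1. deadline is a time.monotonic() value;
    None disables the time limit.
    """
    infections = 0
    # Explicit work list instead of recursion, so a hostile archive hits our
    # depth limit rather than the interpreter's recursion limit.
    pending = [(data, 1)]
    while pending:
        blob, depth = pending.pop()
        if max_depth and depth > max_depth:
            return "ExceedinglyNested", infections
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if deadline is not None and time.monotonic() > deadline:
                    return "ScanTimeExceeded", infections
                member = zf.read(info)
                if zipfile.is_zipfile(io.BytesIO(member)):
                    pending.append((member, depth + 1))   # descend later
                elif INFECTED_MARKER in member:
                    infections += 1
                    if infections > max_infections:
                        return "ExceedinglyInfected", infections
    # An infected container above the size limit is not repaired; it is
    # deleted and reported as LargeInfectedContainerFile. Clean files of
    # any size pass.
    if infections and len(data) > max_size:
        return "LargeInfectedContainerFile", infections
    return "OK", infections


if __name__ == "__main__":
    print(scan_container(nested_zip(5)))   # ('OK', 0)
    print(scan_container(nested_zip(6)))   # ('ExceedinglyNested', 0)
    many = build_zip({f"m{i}.bin": INFECTED_MARKER for i in range(6)})
    print(scan_container(many))            # ('ExceedinglyInfected', 6)
```

Setting max_depth to 0 in this example, as a zero value does for the real setting, disables the depth check and lets a deeply nested archive run until the deadline or memory gives out, which is why the page's zero option should be avoided.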
Max Container Scan Time (msec) Realtime/Transport
Specifies the number of milliseconds that the Realtime Scan Job or the Transport Scan Job spends scanning a compressed attachment before reporting it as a ScanTimeExceeded virus. This limit is intended to prevent the denial-of-service risk from "zip of death" attacks. The default value is 120,000 milliseconds (two minutes).

Max Container Scan Time (msec) Manual
Specifies the number of milliseconds that the Manual Scan Job spends scanning a compressed attachment before reporting it as a ScanTimeExceeded virus, again to limit "zip of death" denial of service. The default value is 600,000 milliseconds (ten minutes).

Internal Address
Forefront Security for Exchange Server can be configured to send different notifications to internal and external senders and recipients. If your list of internal domains is small, enter them in the Internal Address field to indicate who should receive internal notifications. Domains are entered as a semicolon-delimited list with no spaces (for example: microsoft.com;microsoft.net;company.com). Any change to this value is reflected immediately in virus notifications. When you enter a domain in the Internal Address field, its subdomains are covered by the same entry: domain.com includes subdomain.domain.com and subdomain2.domain.com. Alternate domains such as domain.net or domain.org must be entered individually. Values entered in Internal Address are matched as a substring at the end of an e-mail address, not as a whole domain. For example, the entry soft.com treats both someone@microsoft.com and someone@abcdef123soft.com as internal addresses. Entries in the Internal Address field must be separated by semicolons (";") with no spaces between items. Because of the end-of-address matching, enter each internal domain in full rather than a shared suffix, so that an unrelated domain ending in the same text is not classified as internal.

If you have a large number of internal domains, enter them in the external file Domains.dat and leave the Internal Address field blank. Domains.dat is created as an empty file in the DatabasePath directory during installation. It is a text file into which you enter all your internal domains, one per line. Unlike the Internal Address field, entries in Domains.dat do not cover subdomains; each subdomain must be entered individually. To use Domains.dat, set the UseDomainsDat registry key to 1 (its default value is 0). For more about this key, see Registry keys.
Note: The Domains.dat file is reloaded at 02:00 (2:00 A.M.) each day, and that is when changes to the file take effect.
(For more information about internal addresses and notifications, see E-mail notifications.)

Transport External Hosts
If you use an Edge Transport or Hub Transport server to route e-mail into your Exchange environment, you can enter the IP address of that server so that Forefront Security for Exchange Server treats all mail coming from it as inbound when determining which filters and scan jobs to apply to a message. If you do not enter the IP address of your Edge Transport or Hub Transport server, Forefront Security for Exchange Server uses its internal logic to decide whether a message is inbound. IP addresses are entered as a semicolon-delimited list with no spaces.
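The following Python example is added to this page for illustration; it is not Forefront Security for Exchange Server code. It applies the rules stated for the Transport Sender Information and Internal Address settings above: with Use MIME From: Header a MIME Sender: header takes precedence over From:, with Use Transport protocol MAIL FROM the SMTP envelope address is used, the Internal Address field is an end-of-address substring match, and Domains.dat is an exact per-domain match. The sample message, envelope address and domain lists are constructed for the example, and the function names are the example's own.

```python
"""Sender selection and internal-address classification, modeled on the
Transport Sender Information and Internal Address settings described above.

Added illustration for this page; not Forefront Security for Exchange Server
code. The message, envelope address and domain lists are constructed samples.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

USE_MIME_FROM = "Use MIME From: Header"
USE_MAIL_FROM = "Use Transport protocol MAIL FROM"

# Constructed sample: From:, Sender: and the SMTP MAIL FROM all differ.
SAMPLE_MESSAGE = (
    b"From: Alice <alice@microsoft.com>\r\n"
    b"Sender: mailer@lists.example.net\r\n"
    b"To: bob@company.com\r\n"
    b"Subject: constructed sample\r\n"
    b"\r\n"
    b"body\r\n"
)
SAMPLE_MAIL_FROM = "<bounce@bulk.example.org>"


def select_sender(raw_message, mail_from, setting=USE_MIME_FROM):
    """Return the lower-cased sender address the scan job would filter on."""
    if setting == USE_MAIL_FROM:
        return mail_from.strip().strip("<>").lower()
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    header = msg.get("Sender") or msg.get("From")   # Sender: wins over From:
    return parseaddr(str(header or ""))[1].lower()


def is_internal_by_field(address, internal_address_field):
    """Internal Address field: semicolon list, no spaces, each entry matched
    as a substring at the END of the address. That covers subdomains but
    also any unrelated domain that happens to end with the same text."""
    entries = [e.lower() for e in internal_address_field.split(";") if e]
    addr = address.lower()
    return any(addr.endswith(entry) for entry in entries)


def is_internal_by_domains_dat(address, domains_dat_text):
    """Domains.dat: one domain per line, exact match of the part after '@';
    subdomains must be listed individually."""
    domains = {line.strip().lower()
               for line in domains_dat_text.splitlines() if line.strip()}
    return address.lower().rpartition("@")[2] in domains


def classify(raw_message, mail_from, setting, internal_field="",
             domains_dat=None):
    """Pick the sender per setting, then decide internal/external. When
    domains_dat is given it is used instead of the field, which is what
    UseDomainsDat=1 selects."""
    sender = select_sender(raw_message, mail_from, setting)
    if domains_dat is not None:
        internal = is_internal_by_domains_dat(sender, domains_dat)
    else:
        internal = is_internal_by_field(sender, internal_field)
    return sender, ("internal" if internal else "external")


if __name__ == "__main__":
    print(classify(SAMPLE_MESSAGE, SAMPLE_MAIL_FROM, USE_MIME_FROM, "microsoft.com"))
    print(classify(SAMPLE_MESSAGE, SAMPLE_MAIL_FROM, USE_MAIL_FROM, "microsoft.com"))
    # The page's own example: the entry "soft.com" treats an outside domain as internal.
    print(is_internal_by_field("someone@abcdef123soft.com", "soft.com"))
    print(is_internal_by_domains_dat("someone@abcdef123soft.com", "microsoft.com\n"))
```

Running the two classify calls shows why the setting matters: the same message is attributed to a list address, a mailbox address or a bounce address depending on which header the job is told to trust, and only the Domains.dat path refuses the look-alike suffix.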
Enable Background Scan if "Scan on scanner update" Enabled
Indicates that FSE should initiate a background scan every time a scan engine is updated, provided that the General Options setting Scan on Scanner Update is enabled. Enabled by default.

Background scan: messages with attachments only
Indicates that the background scan job should scan only messages that include attachments. Enabled by default.

Background scan: unscanned messages only
Indicates that the background scan job should scan only messages that have not already been scanned. Disabled by default.

Background scan: message age limit
Limits background scanning by configuring Forefront Security for Exchange Server to scan messages based on their age. The options are: Anytime, 4 hours, 6 hours, 8 hours, 12 hours, 18 hours, 1 Day, 2 Days (the default), 3 Days, 4 Days, 5 Days, 6 Days, 7 Days, and 30 Days. Use caution when setting this option. If the message arrival rate at the mailbox server is very high and too long a scan-back period is selected, background scanning may run continuously, which can degrade server performance. Set the scan-back time either in response to a specific threat or to cover the always-present protection gap between the release of new malware into the wild and the availability of signatures that detect it. If background scanning is scheduled to run daily (see Background scanning and on-access scanning), the recommended setting is to scan the previous two days' worth of mail. Balance the setting against both security and performance considerations.
Central management
Centralized management of Forefront Security for Exchange Server is handled by the Microsoft Forefront Server Security Management Console (FSSMC). FSSMC enables administrators to:
Install or uninstall FSE on local and remote servers.
Update all or individual scan engines on local and remote servers.
Run a manual scan on multiple servers simultaneously.
Check FSE, scan engine, and virus definition versions on multiple servers.
Deploy FSE template files.
Retrieve virus logs from multiple servers.
Retrieve quarantined files.
Retrieve the ProgramLog.txt file from single or multiple servers.
Retrieve virus incident information.
Deploy General Options settings.
Deploy Filter List templates.
Generate HTML reports.
Send outbreak alerts.
For detailed instructions about using FSSMC, refer to the "Microsoft Forefront Server Security Management Console User Guide".
All the scan engines that FSE integrates have been certified by at least one of the following organizations: West Coast Labs, ICSA Labs, or Virus Bulletin. Multiple engines are easy to configure. You can select only the engines you would like to use for a scan job, and then indicate the bias setting. These two settings (both on the Antivirus Settings pane) enable the FSE Multiple Engine Manager (MEM) to properly control the selected engines during the scan job. MEM uses the engine results to decide the likelihood that a particular message or file contains a virus. If any of the engines used in a scan detect something, FSE considers the item infected and has the MEM deal with it accordingly.
Assuming that you select five engines (the maximum you can use), the following table shows how each of the bias settings uses the engines in virus scanning.

Maximum Performance: Each item is virus-scanned by only one of the selected engines.
Favor Performance: Fluctuates between virus-scanning each item with one engine and with three engines.
Neutral: Each item is virus-scanned by three engines on average.
Favor Certainty: Fluctuates between virus-scanning each item with three engines and with five engines.
Maximum Certainty: Each item is virus-scanned by all five of the selected engines. Scanning is queued if any selected engine becomes busy, such as during engine updates. Depending on the number of engines that you have selected for each scan job, this option generally increases the probability of catching a virus at the expense of system performance.
To configure antivirus settings
1. In the SETTINGS section of the Shuttle Navigator, click the Antivirus icon. The Antivirus Settings work pane appears.
2. From the list in the top pane, select the Manual Scan Job. The job's current settings are displayed in the bottom half of the work pane.
3. From the list of available third-party scanners in the File Scanners section, choose the file scanning engines to use. To disable virus scanning while retaining the ability to run File Filtering and Content Filtering, clear the Virus Scanning check box in the Run Job work pane of the OPERATE section of the Shuttle Navigator for the Manual Scan Job.
4. In the Bias field, select the bias that controls how many engines are used to give you an acceptable probability that your system is protected. For more information, see Multiple scan engines.
5. In the Action field, choose the action that Forefront Security for Exchange Server performs when a virus is detected. The choices are:
Skip: detect only. Makes no attempt to clean or delete. Viruses are reported, but the files remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions causes the item to be deleted.
Clean. Attempts to clean the virus. If cleaning succeeds, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the Deletion Text.
Delete. Deletes the attachment without attempting to clean it. The detected attachment is removed from the message and the Deletion Text is inserted in its place.
6. Enable e-mail notifications by selecting Send Notifications. This setting does not affect reporting to the Incidents log. You must also configure the notifications themselves (see E-mail notifications). Notifications are disabled by default.
7. Enable or disable the saving of attachments detected by the file scanning engines by selecting or clearing Quarantine files. Quarantining is enabled by default. Enabling quarantine causes deleted attachments and purged messages to be stored so that you can recover them. However, worm-purged messages are not recoverable.
8. Click Save to save your antivirus settings.
Note: If a large number of entries is selected, the deletion process may take a long time. In this case, a message box asks you to confirm the deletion.
Use the Export button to save the results in formatted text or delimited text format. At the bottom of the screen, the status of the selected job and the mailbox, folder, or file currently being scanned are reported.
Forefront Security for Exchange Server sends an e-mail message to the designated Virus Administrators after a manual scan completes if the Send Summary Notification box on the Manual Scan work pane is selected. This e-mail message includes:
Total Mailboxes Scanned
Total Physical Attachments Scanned
Total Physical Attachments Detected
Total Physical Attachments Cleaned
Total Physical Attachments Deleted
Total Logical Attachments Scanned
Total Logical Attachments Detected
Total Logical Attachments Cleaned
Total Logical Attachments Deleted
d. Select the Action for FSE to perform if a virus is detected. The choices are:
Skip: detect only. Makes no attempt to clean or delete. Viruses are reported, but the files remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions causes the item to be deleted.
Clean. Attempts to clean the virus. If cleaning succeeds, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the Deletion Text.
Delete. Deletes the attachment without attempting to clean it. The detected attachment is removed from the message and the Deletion Text is inserted in its place.
e. Indicate whether to Send Notifications. This setting does not affect reporting to the Incidents log. You must also configure the notifications themselves (see E-mail notifications). Notifications are disabled by default.
f. Indicate whether to Quarantine Files. Quarantining, enabled by default, causes deleted attachments and purged messages to be stored so that you can recover them. However, worm-purged messages are not recoverable.
g. Click Start.
Realtime in the General Options work pane. Message body scanning increases the time required to scan messages.
To select the mailboxes and set the deletion text
1. From the SETTINGS section of the Shuttle Navigator, select Scan Job. The Scan Job Settings work pane appears.
2. In the top portion of the work pane (which contains a list of configurable scan jobs), select the Realtime Scan Job.
3. In the Scan portion of the work pane, select the mailboxes and public folders to be protected. For more information, see About mailboxes and public folders.
4. Optionally, specify Deletion Text, which replaces the contents of an infected file during a delete operation. The default deletion text states that an infected file was removed and gives the name of the file and the name of the virus found. To create your own custom message, click Deletion Text.
Note: FSE provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. For more information about this feature, see Keyword substitution macros.
5. Click Save to save your scan job configuration.
5. In the Action field, select the action that Forefront Security for Exchange Server performs when a virus is detected. The choices are:
Skip: detect only. Makes no attempt to clean or delete. Viruses are reported, but the files remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions causes the item to be deleted.
Clean. Attempts to clean the virus. If cleaning succeeds, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the Deletion Text.
Delete. Deletes the attachment without attempting to clean it. The detected attachment is removed from the message and the Deletion Text is inserted in its place.
6. Enable e-mail notifications by selecting Send Notifications. This setting does not affect reporting to the Incidents log. You must also configure the notifications themselves (see E-mail notifications). Notifications are disabled by default.
7. Enable or disable the saving of attachments detected by the file scanning engines by selecting or clearing Quarantine files. Quarantining is enabled by default. Enabling quarantine causes deleted attachments and purged messages to be stored so that you can recover them. However, worm-purged messages are not recoverable.
8. Click Save to save your antivirus settings.
Note: The Realtime Scan Job settings are also used by Background Scanning.
Note: Mailboxes and public folders whose names consist entirely of backslashes (\) are not scanned when Forefront Security for Exchange Server is configured for Selected scanning. If FSE is set to scan all mailboxes or public folders, those whose names use backslashes or other special characters are scanned.
In the Scan portion of the Scan Job Settings work pane, mailboxes and public folders each have three selection options:
All: Scan all existing and newly created mailboxes or public folders.
None: Do not scan any mailboxes or public folders.
Selected: Scan specific mailboxes or public folders. When you choose Selected, the icon underneath the options becomes active. Click this icon to see a listing of the mailboxes or public folders on the server. Choose each mailbox or public folder to be scanned by clicking its name, or use the accompanying buttons to select All or None of them. The +/- button inverts the current selection.
Notes:
Choosing all mailboxes or public folders in the selection pane is not the same as choosing the All option in the previous pane. An inclusion list is built from the selections made here, so new mailboxes or public folders added after you make this selection are not automatically included. To keep newly created mailboxes protected, use the All option rather than selecting every existing mailbox.
To return to the main scan selection pane, click the arrow in the upper right corner of the mailbox or public folder selection pane.
To change the number of transport processes
1. In the Forefront Server Security Administrator, in the Shuttle Navigator, select SETTINGS, and then select General Options.
2. In the Scanning area, choose a suitable value in the Transport Process Count drop-down box. The maximum value is 10.
3. Click Save.
4. Exit the Forefront Server Security Administrator.
5. Under Administrative Tools, click Services to open the Service Control Manager, and then restart the Forefront Security for Exchange Server services.
Note: The same tag is used for all filters associated with the Transport Scan Job.
6. Click Save to save your scan job configuration.
Delete. Deletes the attachment without attempting to clean it. The detected attachment is removed from the message and the Deletion Text is inserted in its place.
6. Enable e-mail notifications by selecting Send Notifications. This setting does not affect reporting to the Incidents log. You must also configure the notifications themselves (see E-mail notifications). Notifications are disabled by default.
7. Enable or disable the saving of infected attachments detected by the file scanning engines by selecting or clearing Quarantine files. Quarantining is enabled by default. Enabling quarantine causes deleted attachments and purged messages to be stored so that you can recover them. However, worm-purged messages are not recoverable.
8. Click Save to save your antivirus settings.
Security for Exchange Server to scan only one queue or all three. In the Scan Job Settings work pane there are three check boxes for making queue selections.
Internal scanning
Selecting the Internal check box within the Scan Job Settings work pane configures Forefront Security for Exchange Server to scan all mail that is being routed from one location inside your domain to another location inside your domain. Messages are designated as internal if they originate from inside your domain and all the recipients are located inside your domain.
header and not by looking at the file extension. This is a much more secure method, because file extensions can easily be spoofed: renaming an executable to .txt changes its extension but not its header. This check improves Forefront Security for Exchange Server performance while making sure that no potentially infected file attachment passes without being scanned. If you want Forefront Security for Exchange Server to bypass scanning for file types that are not commonly known to be capable of carrying a virus, set the registry key ScanAllAttachments to 0. (ScanAllAttachments is a "silent" key: if it is not present, its value defaults to 1, so every attachment is scanned unless you explicitly create the key and set it to 0.) Leave the default in place unless you have measured a throughput problem, because the bypass relies on the type detection being right about which types are harmless.
To enable background scanning
1. Open the General Options work pane and select Enable Background Scan if "Scan on scanner update" Enabled. This causes FSE to initiate a background scan every time a scan engine is updated.
2. Enable the Realtime Scan Job for the storage groups that you want the Background Scanner to scan. For more information, see Realtime Scan Job.
To stop or disable background scanning
1. In the Shuttle Navigator, click REPORT, and then click Schedule Job.
2. At the top of the Schedule Job work pane, select the Background Scan Job.
3. On the Schedule Job work pane, click the Stop button.
Note: After a background scan has been stopped, it restarts after the next signature update if the General Options settings Scan on Scanner Update and Enable Background scan if 'Scan on scanner update' enabled are both selected. If you do not want the background scan to start after the next signature update, disable the scheduled scan in either of two ways: clear those two General Options settings, or click the Disable button on the Schedule Job work pane.
On-access scanning
By default, Exchange 2007 On-access scanning ensures that all files being accessed have been scanned at least once by Forefront Security for Exchange Server.
scanning, see its description in the "Scanning Section" of Forefront Server Security Administrator.
Reporting incidents
Incidents detected by background scanning and on-access scanning are reported in the Realtime columns in the Incidents pane of the REPORT section of the Shuttle Navigator.
Templates
When Forefront Security for Exchange Server is installed, it creates default templates for the various scan jobs, scan engines, and notifications. The scan jobs are configured to use the values in the default templates. Administrators can also create templates for file filter and content filter settings and additional scan job templates as needed. (These are called "named templates".) Templates are useful for controlling the configuration of Forefront Security for Exchange Server on multiple servers from a central location, controlling the configuration of scan jobs and other functions at installation, and defining configuration settings for newly mounted storage groups. The Template.fdb file contains the following default templates: Scan job templates: a Transport Scan Job template, a Realtime Scan Job template, and a Manual Scan Job template. Notification templates for each of the default notifications. Scanner update templates for each scan engine that is installed on the current system.
To deploy templates to remote computers after an upgrade, you must configure specific jobs to use either the default templates or named templates. To view templates in the Forefront Server Security Administrator, click File, click Templates, and then click View Templates. This causes the default and named templates to be displayed in the various work panes. Note: The settings for all the scan jobs are contained in the file Scanjobs.fdb. If it is not present when the FSCController starts, a new one is created, based on the values in the Template.fdb file. If the Template.fdb file does not exist, a new one is created, based on the values in the Scanjobs.fdb file. If they both do not exist, new ones are created using default values. Thus, by deliberately deleting one of these files, you can force its reconstruction based on the values contained in the other one.
Template uses
Templates are used for the following purposes:
Controlling configuration settings of all FSE servers from a single location. After a Template.fdb file is created, Microsoft Forefront Server Security Management Console (FSSMC) can be used to copy and activate the template settings on multiple FSE servers throughout an organization. Templates can be deployed simultaneously to multiple FSE servers, and the settings can be applied to currently running scan jobs without the need to stop or restart any services. (For more information about using FSSMC to deploy templates, see the "Microsoft Forefront Server Security Management Console User Guide".)
Controlling the configuration of scan jobs during remote installations. Use templates to configure your remote servers at the time FSE is installed.
Defining scan job settings for newly mounted storage groups. In Exchange, storage groups can be added to the system dynamically while both Exchange and Forefront Security for Exchange Server are running. Forefront Security for Exchange Server detects when a new or previously used storage group is mounted. If the storage group is new, Forefront Security for Exchange Server needs to create a Realtime Scan Job and a Manual Scan Job to protect that storage group. The settings used for each of these scan jobs are read from their associated templates in Template.fdb. This feature enables an administrator to create default rules that protect new storage groups as they are added to the system.
display.
5. Click the appropriate work pane to configure the template. For example, if you have created a Transport template, select Antivirus Job in the SETTINGS section of the Shuttle Navigator and configure the template as you would a Transport Scan Job. Click Save when you are done.
6. For a scan job to use a template, the template must be associated with that scan job.
a. Open the Forefront Server Security Administrator.
b. In the SETTINGS section of the Shuttle Navigator, select Templates.
c. In the list in the top pane, select the scan job to associate with the template you have just created. For example, select the Realtime Scan Job.
d. In the lower work pane, select the desired template from the Template list.
e. Click Load From Template.
f. Click Save. The scan job's settings are reconfigured to those in the selected template.
Note: The new template can be distributed to remote servers using the Forefront Server Security Management Console (FSSMC). For more information about using FSSMC to deploy templates, refer to the "Microsoft Forefront Server Security Management Console User Guide".
Modifying templates
There are times when you might want to make changes to a default or a named template.
To modify a template
1. Open the Forefront Server Security Administrator.
2. If the templates are not visible, display them: click File, select Templates, and then click View Templates.
3. Select a work pane containing the template to be modified (for example, Scan Job, in the SETTINGS section of the Shuttle Navigator).
4. In the job list, select the template to be modified.
5. Configure the template as desired, using the various work panes and clicking Save on each.
Note: If you make changes directly to a specific scan job (for example, the Transport Scan Job), the templates associated with that scan job are not changed. Make any custom filter updates in the template as well, so that your settings are kept in one consistent location; this matters if you later need to deploy the same template settings to another server.
Note: If you are using FSSMC to update Forefront Security for Exchange Server scan engines, you should disable scheduled updates in Forefront Security for Exchange Server.
the install or upgrade process. (For more information, see Deploying named templates.) The first time a named template is deployed to a server, it must be associated with a scan job on that server; otherwise the default template is used. You can use the Forefront Server Security Administrator to connect to the server and make the association. (For more information, see "Connecting to a remote server" in Forefront Server Security Administrator.) After you have done this, the scan jobs, filter sets, and notifications always load from the named templates during configuration changes or when you need to deploy global filter settings during a virus outbreak.
After you have associated a named template with a scan job, the assigned template continues to be used when there are configuration changes. It is not necessary to re-associate the scan job unless you want to switch the template being used.
The t parameter instructs FSCStarter to read the settings in the Template.fdb file and apply them on the current server. All filter settings, notification settings, and scanner update paths can be updated. There must be a space between FSCStarter and the t parameter, but no space between the t parameter and its options; multiple options are written together without punctuation or spacing. If the optional filename parameter is specified, the file you indicate (by its full path) overlays the current Template.fdb file before any settings are updated. If the optional \servername parameter is specified, the templates are activated on the named remote server.
The t parameter's options apply subsets of the template settings file (Template.fdb). Enter any combination of the options, in any order, with no spaces. If no options are specified after the t parameter, all settings in the Template.fdb file are updated.
c  Update the content filter settings for each scan job.
f  Update the file filter settings for each scan job. The file filter settings of each scan job on the server are updated with the file filter settings found in the associated template type. For example, the file filter settings for all Realtime Scan Jobs are updated with the file filter settings found in the Realtime Scan Job template.
l  Update the filter lists for each scan job.
n  Update the notification settings with the data in the associated templates.
p  Update the file scanner update path, proxy server settings (if applicable), and the scanner update schedule items (date, time, frequency, and repeat interval). The update path for each file scanner is updated from the file scanner template that matches the vendor of the file scanner.
s  Update the scan job and antivirus settings. Each scan job on the server is updated with the settings found in the associated template type. For example, all Realtime Scan Jobs are updated with the settings found in the Realtime Scan Job template. This includes all filters.
For example, to update the content filter settings, the file filter settings, and the notification settings, you would enter:
FSCStarter tcfn
When using FSSMC to deploy templates, it is useful to name your packages so they are easily recognized for distribution. For example, you could use FE Template 070607 to mean Front End Template created on July 6, 2007.
File filtering
The Forefront Security for Exchange Server file filter feature gives you the ability to search for attachments with a specific name, type, and size within an e-mail message. If a match is found, the file filter can be configured to perform actions on the attachment such as delete, quarantine, notify, and report the detected file. The file filter offers a flexible means to detect file attachments within e-mail messages and other Outlook items, including Tasks and Schedules (such as meetings and appointments).
To create and configure a file filter
1. In the Shuttle Navigator, click FILTERING, and then click the File icon. The File Filtering pane appears.
2. In the upper work pane, select the scan job for which you would like to create the file filter.
3. To detect files with a particular file name, add the file name to the File Names section of the work pane. Click the Add button and type the name of the file to be detected. (There are also buttons with which to Edit and Delete existing entries.) Use the up and down arrows (on the same line with File Names) to change the order in which a selected filter is executed.
Optionally, the file filter can be configured to filter files based on their size. To detect files by size, specify a comparison operator (=, >, <, >=, <=) and a file size in kilobytes (KB), megabytes (MB), or gigabytes (GB). These are placed immediately after the file name, with no spaces between the file name and the operator or the operator and the file size. File sizes must be entered using the English size keywords KB (for kilobytes), MB (for megabytes), and GB (for gigabytes). The General Options setting Max Container File Size specifies the maximum container file size (in bytes) that FSE will attempt to clean or repair in the event that it discovers an infected file.
Examples:
*.bmp>=1.2MB    all .bmp files larger than or equal to 1.2 megabytes
*.com>150KB     all .com files larger than 150 kilobytes
*>5GB           all files larger than 5 gigabytes
4. Specify the list of file types that can be associated to the selected file name. You can select one or more file types from the list or select All Types located below the list. If the file type you want to associate to the selected file name is not available in the list, then select All Types. (For a description of the file types listed in the selection box, see File types list.) The All Types selection configures Forefront Security for Exchange Server to filter based only on the file name and file extension.
By selecting All Types, Forefront Security for Exchange Server is configured to detect the selected file name no matter what the file type. This prevents the potential of users bypassing the filter by simply changing the extension of a file. If you know the file type you are searching for, Forefront Security for Exchange Server will work more efficiently if you select the appropriate file type rather than All Types. For example, if you want to filter all EXE files, create the filter * and set the file type to EXE.
5. Ensure that the File Filter is set to Enabled. It is enabled by default.
6. Indicate the Action to take if there is a filter match.
7. Indicate whether to Send Notifications for the selected file name. This does not affect reporting to the Incidents log. In addition, you must also configure the notifications (see E-mail notifications). It is disabled by default.
8. Indicate whether to Quarantine Files for the selected file name. It is enabled by default. Enabling quarantine causes deleted attachments and purged messages to be stored, making it possible for you to recover them. However, worm-purged messages are not recoverable.
9. Optionally, you can specify Deletion Text, which is used to replace the contents of an infected file during a delete operation. The default deletion text informs you that an infected file was removed, along with the name of the file and the name of the filter. To create your own custom message, click Deletion Text.
Note: Forefront Security for Exchange Server provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. For more information about keywords, see Keyword substitution macros.
10. Click Save to save your filter.
Filtering by extension
If you want to filter any file that has a certain extension, you can create a generic filter for the extension and set the File Types selection to All Types. Filter matching is not case-sensitive. For example: Create the filter *.exe* and set the File Types selection to All Types. This will ensure that all files with an .exe extension will be filtered.
Important: When creating generic file filters to stop all of a certain type of file (for example .exe files), it is recommended that you write the filter in this format: *.exe*. The second asterisk (*) will prevent files with extra characters appended after the file extension from bypassing the filter.
Note: Microsoft recommends avoiding the use of the generic filter * with the File Types set to All Types. This filter configuration could result in the reporting of repeated detections.
Filtering by name
If you want to filter all files with a certain name, you can create a filter using the file name and set the File Types selection to All Types. Filter matching is not case-sensitive. For example: If a virus uses an attached file named payload.doc, you can create the filter payload.doc and set the File Types selection to All Types. This ensures that any file named payload.doc will be filtered no matter what the file type. Detecting file attachments by name is also useful when there is an outbreak of a new virus and you know the name of the file in which the virus resides before your virus scanners are updated to detect it. A perfect example of this was the Melissa worm. It resided in a file named List.doc and could have been detected by Forefront Security for Exchange Server using a file filter even before virus scanners could detect it.
Action
Choose the action that you want Forefront Security for Exchange Server to perform when a file filter is matched. By default, it is set to Delete: remove contents.
Note: You must set the action for each file filter you configure. The Action setting is not global.
Skip: detect only
Records the number of messages that meet the filter criteria, but enables messages to route normally. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.
Delete: remove contents
Deletes the file attachment. The detected file attachment is removed from the message and the Deletion Text is inserted in its place.
Purge: eliminate message
Deletes the message from your mail system. When you select this option, a warning appears, informing you that if there is a filter match, the message will be purged and unrecoverable. Click Yes to continue.
Note: If the Quarantine Files box is selected, however, purged messages will be quarantined and can then be recovered from the Quarantine database.
Identify: tag message
The subject line or message header of the detected message can be tagged with a customizable word or phrase so that it can be identified later for processing into folders by user inboxes or for other purposes identified by the Forefront Server Security Administrator. This tag can be modified by clicking the Tag Text button on the Scan Job Settings work pane and modifying the text. The same tag, however, is used for all filters associated with the particular scan job. This action is only available for the Transport Scan Job. For more information about Tag Text, see "Configuring the Transport Scan Job" in Transport Scan Job.
klez[ad-gp].exe would match kleza.exe, klezd.exe, klezf.exe, and klezp.exe but not klezb.exe or klezr.exe.
\char
Indicates that special characters are used literally. (The characters are: * ? [ ] - ^ < >.) The backslash is called an escape character, and indicates that a reserved control character is to be taken literally, as a text character. For example:
If you enter *hello*, you would normally expect to match hello anywhere in the file name.
If you enter *\*hello\**, you would match *hello*.
If you enter *\*hello\?\**, you would match *hello?*.
Note: You must use a \ before each special character.
Inbound filtering
Prefixing the file name with the <in> directive instructs Forefront Security for Exchange Server to apply this filter only to inbound messages.
<in>filename
Outbound filtering
Prefixing the file name with the <out> directive instructs Forefront Security for Exchange Server to apply this filter only to outbound messages.
<out>filename
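The File Names syntax described above (size clauses such as *.bmp>=1.2MB, the *.exe* recommendation, the [range] and \char wildcards, and the <in>/<out> directives) modelled as an added Python example; this is not FSE code. The 1024-based size units, case-insensitive matching of the whole attachment name, and the Attachment record are assumptions of the example.

```python
"""Model of FSE File Names entries: <in>/<out> tag, wildcards, optional size clause."""
import re
from dataclasses import dataclass
from typing import Optional

# Size keywords from the manual; 1024-based units are an assumption of this example.
SIZE_UNITS = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
SIZE_OPS = {
    "=": lambda a, b: a == b, ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
}
# name, operator, number, unit with no spaces in between; an operator escaped
# as \> or \< belongs to the name pattern, not to a size clause.
_SIZE_RE = re.compile(r"^(.*?)(?<!\\)(>=|<=|=|>|<)(\d+(?:\.\d+)?)(KB|MB|GB)$")


def wildcard_to_regex(pattern: str) -> "re.Pattern":
    """Translate FSE wildcards (* ? [range] and \\char escapes) into a regex."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):      # \char: next char is literal
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if ch == "*":
            out.append(".*")                           # any run of characters
        elif ch == "?":
            out.append(".")                            # exactly one character
        elif ch == "[":                                # [range], e.g. [ad-gp]
            end = pattern.find("]", i + 1)
            if end == -1:
                raise ValueError(f"unterminated [range] in {pattern!r}")
            body = pattern[i + 1:end]
            cls = "".join(c if c == "-" or (c == "^" and j == 0) else re.escape(c)
                          for j, c in enumerate(body))
            out.append(f"[{cls}]")
            i = end + 1
            continue
        else:
            out.append(re.escape(ch))
        i += 1
    # Matching is not case-sensitive; the pattern must cover the whole name,
    # which is why the manual recommends *.exe* to catch appended characters.
    return re.compile("".join(out), re.IGNORECASE)


@dataclass(frozen=True)
class FileFilter:
    name_pattern: str             # wildcard part as typed in the File Names box
    direction: Optional[str]      # "in", "out", or None for all mail
    size_op: Optional[str]        # one of SIZE_OPS, or None
    size_bytes: Optional[float]   # threshold in bytes, or None
    regex: "re.Pattern"


@dataclass(frozen=True)
class Attachment:                 # constructed stand-in for a scanned attachment
    name: str
    size: int                     # bytes
    direction: str                # "in" or "out"


def parse_file_filter(spec: str) -> FileFilter:
    """Parse one File Names entry such as '<in>*.bmp>=1.2MB' or 'klez[ad-gp].exe'."""
    direction = None
    for tag in ("<in>", "<out>"):
        if spec.lower().startswith(tag):
            direction, spec = tag[1:-1], spec[len(tag):]
            break
    size_op = size_bytes = None
    m = _SIZE_RE.match(spec)
    if m:
        spec, size_op, number, unit = m.groups()
        size_bytes = float(number) * SIZE_UNITS[unit]
    if not spec:
        raise ValueError("a file filter needs a file name pattern")
    return FileFilter(spec, direction, size_op, size_bytes, wildcard_to_regex(spec))


def matches(flt: FileFilter, att: Attachment) -> bool:
    """True if the attachment would trigger this filter's Action."""
    if flt.direction is not None and flt.direction != att.direction:
        return False
    if not flt.regex.fullmatch(att.name):
        return False
    if flt.size_op is not None and not SIZE_OPS[flt.size_op](att.size, flt.size_bytes):
        return False
    return True


if __name__ == "__main__":
    # Why the manual recommends *.exe* over *.exe: a name with characters
    # appended after the extension slips past the shorter pattern.
    sneaky = Attachment("tool.exe ", 4096, "in")
    print("*.exe  matches:", matches(parse_file_filter("*.exe"), sneaky))    # False
    print("*.exe* matches:", matches(parse_file_filter("*.exe*"), sneaky))   # True
```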
Forefront Security for Exchange Server scans all parts of the container file and re-packs the file as necessary. For example, if you configure a file filter to delete all .exe files, Forefront Security for Exchange Server deletes .exe files inside container files (replacing them with the Deletion Text) but leaves all other files in the container intact. Note: Forefront Security for Exchange Server cannot scan password protected files or encrypted files. Although FSS does not decrypt such files, the files are always passed to the antivirus scanners in their entirety in their encrypted form.
Note: OPENXML files (For example, Office 2007 documents) are ZIP container files, but they are not affected by the ZIP container settings.
d. Click Yes to confirm.
e. Select the DOC, OPENXML, TNEF file types. (TNEF is required since it is the wrapper around file attachments for internal mail.)
f. Set the Action to Skip: detect only.
g. Clear Quarantine Files.
h. Save the filter.
Next, create a filter to block all files. We will call it File Filter 2. As long as you have created File Filter 1 first, Office files are permitted and all other files are blocked.
To create File Filter 2
1. In the Shuttle Navigator, click FILTERING, and then click the File icon. The File Filtering work pane appears.
2. Create a new file filter by following these steps:
a. Click Add.
b. Type * as the file name and press Enter.
c. Ensure that All Types is selected in the File Types section.
d. Set the action to Block or Purge, as desired.
e. Select Quarantine Files.
f. Select Send Notifications.
g. Save the filter.
Note: It is important to realize that the Skip: detect only action in the first filter generates an Incident Log entry for almost every attachment received. Also, TNEF is used for all internal Exchange e-mail, so if you create these filters on a Hub server (Exchange Server 2007 only), you will generate an event for every e-mail. That can quickly overwhelm your server and inflate your Incident Log to an unmanageable size. You can ease this problem by making sure the file name of the first rule is "<in>*". Thus, the rule would only be invoked for inbound e-mail, although a lot of events are still generated. Also, if you select Quarantine Files in the second filter, you will likely get a lot of quarantined files.
To create a file filter list
1. In the FILTERING section of the Shuttle Navigator, click the Filter Lists icon.
2. In the List Types pane, select Files.
3. In the List Names section, click the Add button.
4. Type a name for the new list and then press Enter. The empty list appears in the List Names section.
5. With the new list name selected, click the Edit button. The Edit Filter List dialog box appears. Use it to add file names to the list.
6. In the Include In Filter section, click the Add button.
7. Type a file name to be included in the filter list. Press ENTER when you are finished typing. You may have as many items as you want, but each must be entered separately. Each follows all the rules already discussed for creating single file filters.
The Exclude From Filter section is used to enter file names that should never be included on the file filter list. This prevents those file names from accidentally being added when importing a list from a text file. For more information on importing files, see Importing items into a filter list.
8. When you are finished adding items, click OK. The list of items you just entered appears, alphabetically, in the pane next to List Names.
9. Click Save to save the list.
10. Configure the filter list in the same way as described in Creating a file filter.
can use the right-pointing arrows to move items into the Exclude From Import section.
8. When you have moved all the desired items, click OK.
9. Click Save to save your work.
Statistics logging
The Incidents work pane contains statistics counters that log the number of attachments that meet specified criteria and thus cause the message in which they reside to be purged. These counters can also be found in the Windows Performance snap-in.
Content filtering
Content filtering provides another tool to help manage the flow of messages entering and exiting your enterprise mail stream. Content filtering enables you to filter messages using a variety of filtering tools. These include:
Sender-domains filtering (for Realtime and Manual scan jobs)
Subject line filtering (for Realtime and Manual scan jobs)
Filter set templates (simplify the creation and management of file and content filters on all scan jobs)
If you route e-mail messages through edge transport servers in your environment and are running Forefront Security for Exchange Server on your Exchange servers, you should enter the IP addresses of your edge transport servers into the General Options Transport External Hosts setting to ensure that all mail routed through the edge transport servers is treated as inbound mail rather than internal mail by Forefront Security for Exchange Server. (For more information about this setting, see Forefront Server Security Administrator.)
taken. If you do not want to filter against sender email addresses, set the registry value ContentFilterSMTPAddress to zero (0). You can create a sender-domains filter that filters mail from all users in a domain except for specific users in that domain. For more information, see Filtering mail from all users in a domain except for specific users.
in the subject line. For more information about wildcards, see Matching patterns with wildcards.
Action
You must indicate the action that Forefront Security for Exchange Server should take upon detecting a match to your filter criteria.
Note: You must set the action for each file filter you configure. The action setting is not global.
For a Realtime Scan Job sender-domains or subject line filter, select the Skip or Purge action (the Manual Scan Job has a fixed value of Skip: detect only).
Skip: detect only
Records the number of messages that meet the filter criteria, but enables messages to route normally. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.
Purge: eliminate message
Deletes the message from your mail system. When you select this option, a warning appears, informing you that if there is a filter match, the message will be purged and unrecoverable, unless quarantined. Click Yes to continue.
Making any change to the configuration activates the Save and Cancel buttons. If you make a change to the selected scan job and try moving to another scan job or shuttle icon without saving it, you will be prompted to save or discard your changes.
[range]
klezf, klezg, and klezp but not klezb or klezr.
\char
Indicates that special characters are used literally (characters are: * ? [ ] - ^ < >). The backslash is called an escape character, and indicates that a reserved control character is to be taken literally, as a text character. Example:
If you enter *hello*, you would normally expect to match hello anywhere in the file name.
If you enter *\*hello\**, you would match *hello*.
If you enter *\*hello\?\**, you would match *hello?*.
Note: You must use a \ before each special character.
The Exclude From Filter section is used to enter data that should never be included in the filter list. This prevents this data from accidentally being added when importing a list from a text file. For more information on importing files, see Importing items into a filter list.
8. When you are finished adding items, click OK. The list of items you just entered appears, alphabetically, in the pane next to List Names.
9. Click Save to save the list.
10. Configure the filter list the same way as described in Configuring sender-domains filtering and Configuring subject line filtering.
Filtering mail from all users in a domain except for specific users
This section describes how to configure FSE to filter mail from all users in a domain except for specific users in that domain.
To filter mail from all users in a domain except for specific users
1. In the Shuttle Navigator, click FILTERING.
2. Select the Realtime Scan Job, and then select the Content icon.
3. Set up content filters containing the addresses of specific users whose messages you do not want filtered.
a. In the lower-left corner, in the Content Fields section, select Sender-Domains, and then in the Content Filters section, click Add.
b. In the text box that appears, type the e-mail address of the specific user. For example, type someone@example.com, and then press ENTER.
c. In the Action field, set the action to Skip: detect only.
Note: You can add multiple e-mail addresses, but each one must be entered separately. Repeat step 3 if you want to add more addresses whose messages you do not want filtered.
4. Set up the name of the domain that you want filtered.
a. In the lower-left corner, in the Content Fields section, select Sender-Domains, and then in the Content Filters section, click Add.
b. In the text box that appears, type the name of the domain that you want filtered. When you type the domain name, include the asterisk (*) wildcard character. For example, type *@example.com.
Note: Make sure that you add the filter for the domain name directly underneath the filter for the specific users whose mail you do not want filtered. FSE works from the top of the list down.
c. In the Action field, set the action to Purge: Eliminate Message.
5. Click Save.
Reporting
Messages that are filtered because of sender-domains or subject line filtering are reported in the Incidents log under the Virus or Filter heading. Messages filtered because of sender-domains matches are noted as SENDER=<filter>, and subject line matches will be reported as SUBJECT=<filter>. For activity and Incidents logs, no file name is indicated. In the quarantine area, the body and each attachment is quarantined with the sender-domains or subject line filter indicated.
To associate a filter set template with a scan job
1. In the SETTINGS section of the Shuttle Navigator, select Templates.
2. Select a scan job in the Job List.
3. Select the filter set template that you want to associate with the job from the Filter Set list in the lower pane. You can associate a single filter set template with a scan job. If you are unsure about the contents of the filter set template, click View Filter Set. Click the left arrow button at the bottom of the pane when you are finished viewing the contents.
4. Click Save. The filter set template is now associated with that scan job. During scanning, FSE uses the filter set template configuration first and then any other filter settings that you specified when setting up the scan job.
Note: To cancel the association, repeat the preceding steps and select None from the Filter Set list (or select a different filter set template).
and either reset the association to None or select a different filter set template for the association.
2. In the job list of the Template Settings work pane, select the filter set.
3. Click File, click Templates, and then click Delete.
4. Confirm the deletion request.
The t parameter instructs FSCStarter to read the settings in the Template.fdb file and apply them to the named server. For complete FSCStarter instructions, see "Deploying named templates" in Templates. For example, to update the content filter settings on server1, you would enter:
FSCStarter tc \server1
Keyword filtering
Keyword Filtering helps you identify unwanted e-mail messages by analyzing the contents of the message body as it is being transported by the Transport scan job. By creating keyword lists, you can filter messages based on a variety of words, phrases, and sentences.
9. Indicate if you would like to Send Notifications.
10. Indicate if you would like to Quarantine identified files. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.
11. Indicate what combination of Inbound, Outbound, and Internal mail should be scanned.
12. Click the Identify tab and indicate whether the filter should look in the subject line, the message header, or both.
13. Indicate the Minimum Unique Keyword Hits. This setting enables you to specify how many unique keywords must be matched for the action to be taken. The default is one (1). For example, suppose you have set the minimum unique keyword hits value to 3. The word "wonderful", which is in the list, appears three times in the message. However, no other word in the list appears at all. The keyword filter has not been matched, because only one term in the list was matched.
14. Click Save.
Filters for racial discrimination, sexual discrimination, spam, and any other custom lists must be created individually. For profanity filters, see Example lists.
detected message can be tagged with a customizable word or phrase, so that it can be identified later for processing into folders by user inboxes or for other purposes identified by the Forefront Server Security Administrator. This tag can be modified by clicking the Tag Text button on the Scan Job Settings work pane and modifying the text. The same tag, however, is used for all filters associated with the particular scan job.
Note: Forefront Security for Exchange Server keyword filtering scans both plain text and HTML message body content. If Forefront Security for Exchange Server finds a match in both the HTML and the plain text, it reports two detections in the Incidents log and the Quarantine database.
Queries may also contain operators that precede or separate operands in an expression. An expression may be comprised of a single operand, an operand preceded by the _NOT_ or _HAS[#]OF_ operators, or two operands joined by the _AND_, _ANDNOT_, or _WITHIN[#]OF_ operators. The following logical operators are supported in expressions. There must be a space between an operator and an operand (or another operator); the examples below show that space literally.
_AND_ (logical AND). For example, apples _AND_ oranges. A filter such as this would be matched if the text contains both apples and oranges.
_NOT_ (negation). For example, _NOT_ oranges. A filter such as this would be matched if the text does not contain oranges.
_ANDNOT_ (logical AND negation). For example, apples _ANDNOT_ oranges. A filter such as this would be matched if the text contains apples but does not contain oranges. _ANDNOT_ is functionally equivalent to _AND_ _NOT_.
_HAS[#]OF_ (frequency). Specifies the minimum number of times that the text must appear in order for the query to be considered true. For example, _HAS[4]OF_ get rich quick. If the phrase "get rich quick" is found in the text four or more times, this query is true. This operator implicitly has a default value of 1 when it is not specified.
_WITHIN[#]OF_ (proximity). If the two terms are within a specified number of words before or after each other, there is a match. For example, free _WITHIN[10]OF_ offer. If "free" appears within 10 words before or after "offer", this query is true.
Multiple operators are permitted in a single query. The precedence of the operators is (from highest to lowest):
_WITHIN[#]OF_
_HAS[#]OF_
_NOT_, _AND_, and _ANDNOT_ (these are at the same precedence level because they are used in conjunction when part of an expression)
The logical operators must be entered in uppercase letters. Phrases may be used as keywords. For example, apple juice or get rich quick. Quotation marks are not used. Multiple blank spaces (blank characters, line feed characters, carriage return characters, horizontal tabs, and vertical tabs) are treated as one blank space for matching purposes. For example, "A  B" (with two spaces) is treated as "A B" and matches the phrase A B. In HTML-encoded message texts, punctuation (any non-alphanumeric character) is treated as a word separator similar to blank spaces. Therefore, words surrounded by HTML tags can be properly identified by the filter. However, note that the filter '<html>' will match '<html>', but not 'html'.
Examples:
apples _AND_ oranges _AND_ lemons _WITHIN[50]OF_ juice
This expression means that apples, oranges, and lemons all appear at least once, and that lemons is within 50 words of juice.
confidential _WITHIN[10]OF_ project _AND_ banana _WITHIN[25]OF_ shake
This expression means that confidential is within 10 words of project, and that banana is within 25 words of shake.
_HAS[2]OF_ get rich _WITHIN[20]OF_ quick
This expression means that get rich appears at least 2 times within 20 words of quick.
Case-sensitive filtering
The General Option Case Sensitive Keyword Filtering setting causes Forefront Security for Exchange Server to use case-sensitive comparisons for all keyword filters. By default, comparisons are not case-sensitive. For more information, see "General Options" in Forefront Server Security Administrator.
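An added Python model (not FSE code) of the keyword query operators and their precedence, the Minimum Unique Keyword Hits rule from the keyword filter procedure, and the Case Sensitive Keyword Filtering option. The tokenizer, stripping HTML tags before splitting on punctuation, and the position-based evaluation of _WITHIN[#]OF_ (a left operand occurrence counts only if the right operand occurs within the given number of words of it) are assumptions of the example.

```python
"""Model of FSE keyword filter queries: operators, precedence, hit counting."""
import re
from typing import List, Tuple

# Operators must be uppercase; lowercase look-alikes such as _and_ are keywords.
_OP_RE = re.compile(r"\s*(_ANDNOT_|_AND_|_NOT_|_HAS\[\d+\]OF_|_WITHIN\[\d+\]OF_)\s*")
_HAS_RE = re.compile(r"_HAS\[(\d+)\]OF_")
_WITHIN_RE = re.compile(r"_WITHIN\[(\d+)\]OF_")


def tokenize(text: str, html: bool = False, case_sensitive: bool = False) -> List[str]:
    """Split a message body into words: runs of blanks, tabs and line breaks count
    as one separator; in HTML bodies punctuation separates words too.  Stripping
    tags before splitting is an assumption of this example."""
    if not case_sensitive:
        text = text.lower()
    if html:
        text = re.sub(r"<[^>]*>", " ", text)
        return [w for w in re.split(r"[^0-9a-zA-Z]+", text) if w]
    return text.split()


def _phrase_positions(phrase: str, words: List[str], cs: bool) -> List[int]:
    """Word indexes at which a (possibly multi-word) phrase starts."""
    wanted = (phrase if cs else phrase.lower()).split()
    if not wanted:
        raise ValueError("empty operand in query")
    n = len(wanted)
    return [i for i in range(len(words) - n + 1) if words[i:i + n] == wanted]


def _within_chain(toks: List[str], words: List[str], cs: bool) -> List[int]:
    """Evaluate 'a _WITHIN[n]OF_ b ...' (highest precedence) to match positions:
    a position of the left operand survives only if the right operand occurs
    within n words before or after it."""
    if not toks or _OP_RE.fullmatch(toks[0]):
        raise ValueError(f"operand expected, got {toks[:1]}")
    positions = _phrase_positions(toks[0], words, cs)
    for j in range(1, len(toks), 2):
        m = _WITHIN_RE.fullmatch(toks[j])
        if not m or j + 1 >= len(toks):
            raise ValueError(f"malformed query near {toks[j]!r}")
        dist, other = int(m.group(1)), _phrase_positions(toks[j + 1], words, cs)
        positions = [p for p in positions if any(abs(p - q) <= dist for q in other)]
    return positions


def evaluate_query(query: str, words: List[str], case_sensitive: bool = False) -> bool:
    """True if one keyword list entry matches the tokenized message.
    Precedence, high to low: _WITHIN[#]OF_, _HAS[#]OF_, then _NOT_/_AND_/_ANDNOT_
    (with _ANDNOT_ handled as _AND_ followed by _NOT_)."""
    tokens = [t for t in _OP_RE.split(query) if t]
    conjuncts: List[Tuple[bool, List[str]]] = []
    current, negated = [], False
    for tok in tokens:                       # lowest precedence: split on AND/ANDNOT
        if tok in ("_AND_", "_ANDNOT_"):
            conjuncts.append((negated, current))
            current, negated = [], tok == "_ANDNOT_"
        else:
            current.append(tok)
    conjuncts.append((negated, current))
    result = True
    for negated, toks in conjuncts:
        if toks and toks[0] == "_NOT_":
            negated, toks = True, toks[1:]
        min_count = 1                                   # _HAS[#]OF_ defaults to 1
        m = _HAS_RE.fullmatch(toks[0]) if toks else None
        if m:
            min_count, toks = int(m.group(1)), toks[1:]
        matched = len(_within_chain(toks, words, case_sensitive)) >= min_count
        result = result and (matched != negated)
    return result


def keyword_list_matches(entries: List[str], text: str, min_unique_hits: int = 1,
                         html: bool = False, case_sensitive: bool = False) -> bool:
    """Apply a whole keyword list: the Action is taken only when at least
    min_unique_hits distinct entries match (one entry hit three times counts once)."""
    words = tokenize(text, html, case_sensitive)
    hits = sum(evaluate_query(e, words, case_sensitive) for e in entries)
    return hits >= min_unique_hits
```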
Example lists
To aid you in filtering for profanity, example lists in various languages are included with the product. This is an optional component of FSE and must be installed separately. If you want to install one or more of these lists, follow these steps.
To install the example lists
1. Find the file called KeywordInstaller.msi in the installation folder and double-click it.
Note: The .msi file is not present on any computer which has had an Administrator-only installation or on one that does not contain a Forefront Security product.
2. You must read and consent to the license agreement/disclaimer.
3. You are presented with a list of available files. You may select any number of the various language files. The files you select are placed into a folder called Example Keywords in the database directory (which, by default, is c:\Program Files(x86)\Microsoft Forefront Security\Exchange Server\Data).
4. After the files have been extracted, you must import them into your filters. For more information on importing files, see Importing items into a filter list.
Note: It is your responsibility to visually inspect all of the selected files to determine if there are words that are completely harmless in your environment, especially if you are using multiple language files. You must review the imported list and decide if you are going to eliminate any word clashes. If a certain word is unacceptable in one language but harmless in another, you must determine what is more important to you: catching everything (the default, if you accept all the words in all the selected lists) at the risk of false positives, or risking not detecting something by deleting words from the list (which avoids those false positives).
the allowed senders list. If the e-mail address or domain appears on the allowed senders list, Forefront Security for Exchange Server will bypass all filtering that has been enabled for the list.
To create an allowed senders list
1. In the FILTERING section of the Shuttle Navigator, click the Filter Lists icon.
2. In the List Types section, select Allowed Senders.
3. In the List Names section, click the Add button.
4. Type a name for the new list and then press ENTER. The empty list appears in the List Names section.
5. With the new list name selected, click the Edit button. The Edit Filter List dialog box appears. Use it to enter e-mail addresses or e-mail domains to include in the allowed senders list.
6. In the Include In Filter section, click the Add button.
7. Type an e-mail address or domain to be included in the filter list. Press ENTER when you are finished typing. User addresses should be entered in the format: user@customer.com. E-mail domain names should be entered in the format: *domain. You may have as many allowed senders as you want, but each address or domain must be entered separately.
The Exclude From Filter section is used to enter addresses or domains that should never be included on the allowed senders list. This prevents those addresses and domains from accidentally being added when importing a list from a text file. For more information on importing files, see Importing items into a filter list.
8. When you are finished adding items, click OK. The list of addresses and domains you just entered appears, alphabetically, in the pane next to List Names.
9. Click Save.
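The ordering rule from the sender-domains procedure (the specific-user entries above the *@example.com entry, because FSE works from the top of the list down) together with the Allowed Senders bypass, as an added Python example that is not FSE code. First-match-wins evaluation and case-insensitive wildcard matching are assumptions of the example.

```python
"""Model of FSE sender-domains filter order and the Allowed Senders list."""
from fnmatch import fnmatchcase
from typing import Iterable, List, Tuple


def sender_matches(pattern: str, sender: str) -> bool:
    """Sender-domains entries use the * wildcard (e.g. *@example.com); Allowed
    Senders entries are user@customer.com or *domain.  Case-insensitive matching
    is an assumption of this example."""
    return fnmatchcase(sender.lower(), pattern.lower())


def sender_disposition(sender: str, filters: List[Tuple[str, str]],
                       allowed_senders: Iterable[str] = ()) -> str:
    """Return the Action the ordered Content Filters list yields for a sender.

    filters is the list as shown in the work pane, top entry first; FSE works
    from the top down, modelled here as first match wins.  A hit on an Allowed
    Senders list bypasses filtering altogether.
    """
    if any(sender_matches(p, sender) for p in allowed_senders):
        return "Allowed sender: filtering bypassed"
    for pattern, action in filters:
        if sender_matches(pattern, sender):
            return action
    return "No match: message routes normally"


# Constructed from the manual's procedure: exempt one user, purge the rest of
# the domain.  The specific-user entry must sit directly above the domain entry.
CORRECT_ORDER = [
    ("someone@example.com", "Skip: detect only"),
    ("*@example.com", "Purge: Eliminate Message"),
]
# The same two entries the wrong way round: the exempted user is purged too.
WRONG_ORDER = list(reversed(CORRECT_ORDER))


if __name__ == "__main__":
    for label, order in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        for sender in ("someone@example.com", "other@example.com"):
            print(label, sender, "->", sender_disposition(sender, order))
```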
7. Click Save.
worm list to include a generic entry such as "*abcdef*". This entry covers any new variant of the same virus, such as Win32/abcdef.M@mm. Because the worm list contains generic worm name entries, the worm list does not have to be updated as frequently as the antivirus scan engines are.
The file filter is configured to send notifications to the administrator and the sender by default. It cannot be configured to send notifications to the recipients of purged worm messages, because this would prevent purging worm-generated messages.
Note: When you select the Purge: eliminate message option, the entire message is deleted and is not recoverable. It is recommended that you only select this action for the purpose of purging worm messages prior to the release of virus scanner updates. Unlike quarantining for non-worm messages, even if you select Quarantine Message, only the attachment that triggered the filter is quarantined; the message body and any other attachments are deleted. This should not present any problems when using filtering for worm messages because the message body has no value and should not contain any other attachments.
Notifications
The Transport and Realtime scanners can be configured to send distinct notification messages to the Worm Administrator when a message is purged. Additionally, notifications can be sent when a message is purged by the file filter. All notifications can be modified, as needed, in the Notification Setup work pane, described in E-mail notifications.
E-mail notifications
E-mail notifications are critical in keeping Exchange users informed about changes that occur to their attachments due to virus cleaning and file filtering, or informing users of infections that exist when a virus is detected and not cleaned. E-mail notifications are also important to administrators who prefer to have information delivered directly to their mailbox instead of continually checking logs for activity.
the Active Directory directory service. By default, the server profile used for this purpose is: Forefront_Server_Name. For example: Forefront_EX_Server1. To change the server profile, you must modify the FromAddress registry value.
To change the FromAddress registry value on Exchange 2007
1. Open the Registry Editor and navigate to one of these registry values:
For 32-bit systems (only valid during evaluation of FSE): HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Server Security\Notifications\FromAddress
For 64-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Notifications\FromAddress
2. Change the default value to the sender name you would like. Alphanumeric characters are acceptable. You may also use the at sign (@) or a period (.), but these characters cannot be the first or last character. Any illegal characters are replaced with an underscore (_).
3. You must restart the Exchange and Forefront Security services for this change to take effect.
Configuring notifications
There are various types of notification messages and each can be individually configured.
To configure notifications
1. In the REPORT area of the Shuttle Navigator, select Notification. The Notification Setup work pane appears. The top pane contains the list of default notification roles. Each role can be customized, as well as enabled or disabled. For more information about each of the roles, see Notification roles.
2. Enable those notifications that are to be in effect. (For more information, see Enabling and disabling a notification.) Note: Scan job configurations control whether a scan job sends any enabled notifications.
3. Make the desired changes to the notifications that are to be enabled. For more information, see Editing a notification.
4. Click Save to save your work.
Notification roles
The following list describes the various notification roles. Typically, each notification is used for reporting the who, what, where, and when details of the infection or the filtering performed, including the disposition of the virus or the attachment.
Virus Administrators. Alerts administrators of all viruses detected on a server being protected by FSE.
Virus Sender (internal). Alerts the sender of the infection, if the sender is an Exchange user in your organization. The typical message would include help in determining the extent of infection on the user's own computer, who to call, and how to proceed.
Virus Sender (external). Alerts the sender of the infection, if the sender is not a user in your organization.
Virus Recipients (internal). Alerts the recipient of the infection, if the recipient is an Exchange user in your organization. The typical message would include help in determining the extent of infection on the user's own computer, who to call, and how to proceed.
Virus Recipients (external). Alerts the recipient of the infection, if the recipient is not a user in your organization.
File Administrators. Alerts administrators of all messages that are filtered by file filtering on the server being protected by FSE. This notification is also used for messages purged by the file filter.
File Sender (internal). Alerts the sender of the filtered attachment, if the sender is an Exchange user in your organization. This notification is also used for messages purged by the file filter.
File Sender (external). Alerts the sender of the filtered attachment, if the sender is not a user in your organization. This notification is also used for messages purged by the file filter.
File Recipients (internal). Alerts the recipient of the filtered attachment, if the recipient is an Exchange user in your organization. This notification is also used for messages purged by the file filter.
File Recipients (external). Alerts the recipient of the filtered attachment, if the recipient is not a user in your organization. This notification is also used for messages purged by the file filter.
Worm Administrators. Alerts administrators of all worm messages that are detected or purged by Forefront Security for Exchange Server.
Content Administrators. Alerts administrators of all messages that are filtered by content filtering (sender and subject line filtering).
Content Sender (internal). Alerts the sender that a message was filtered by sender or subject line filtering, if the sender is an Exchange user in your organization.
Content Sender (external). Alerts the sender that a message was filtered by sender or subject line filtering, if the sender is not a user in your organization.
Content Recipients (internal). Alerts the recipient that a message was filtered by sender or subject line filtering, if the recipient is an Exchange user in your organization.
Content Recipients (external). Alerts the recipient that a message was filtered by sender or subject line filtering, if the recipient is not a user in your organization.
Keyword Administrators. Alerts administrators of all messages that are filtered by keyword filtering.
Keyword Sender (internal). Alerts the sender that a message was filtered by keyword filtering, if the sender is an Exchange user in your organization.
Keyword Sender (external). Alerts the sender that a message was filtered by keyword filtering, if the sender is not a user in your organization.
Keyword Recipients (internal). Alerts the recipient that a message was filtered by keyword filtering, if the recipient is an Exchange user in your organization.
Keyword Recipients (external). Alerts the recipient that a message was filtered by keyword filtering, if the recipient is not a user in your organization.
Editing a notification
The changes that are made to the lower portion of the Notification Setup work pane apply to the notification role currently selected in the notification list. Making any change to the configuration activates the Save and Cancel buttons. If you make a change to a notification and try moving to another notification role or shuttle icon without saving it, you will be prompted to save or discard your changes. All changes take effect immediately when saved. The following are the fields that can be edited:
To. A semicolon-separated list of people and groups who will receive the notification. This list can include Exchange names, aliases, groups, and Keyword substitution macros. Notifications may also be sent to cc and bcc recipients.
Subject. The message that will be sent on the subject line of the notification. This field can include Keyword substitution macros.
Body. The message that will be sent as the body of the notification. This field can include Keyword substitution macros. (Administrators may also include the MIME headers in this field by inserting the %MIME% macro.)
Note: When enabling Virus Administrators, File Administrators, Worm Administrators, or Keyword Administrators notifications on an Edge server, you must use a full SMTP address (for example, Administrator@microsoft.com) for the notification to work properly.
Incidents database
The Incidents database (Incidents.mdb) contains all virus and filter detections for a Microsoft Exchange Server, regardless of the scan job that caught the infection or performed the filtering. To view the Incidents database, click REPORT in the Shuttle Navigator, and then click the Incidents icon. The Incidents work pane appears. This is the information that Forefront Security for Exchange Server reports for each incident:
Time. The date and time of the incident.
State. The action taken by Forefront Security for Exchange Server.
Name. The name of the scan job that reported the incident.
Folder. The name of the folder where the file was found. This column also reports if messages were inbound or outbound when caught by the Transport scanner. Messages that are being relayed by the Edge Transport or Hub Transport server are reported as inbound and outbound to distinguish them from standard inbound and outbound messages.
Message. The subject line of the message or the name of the file that triggered the incident.
File. The name of the virus or name of the file that matched a file or content filter.
The type and name of the incident detected.
The name of the person who sent the infected or filtered message.
Sender Address. The e-mail address of the person who sent the infected or filtered message.
Recipient Names. The names of the people who received the infected or filtered message.
Recipient Addresses. The e-mail addresses of the people who received the infected or filtered message.
The names of the Cc recipients.
The e-mail addresses of the Cc recipients.
The names of the Bcc recipients.
Forefront Security for Exchange Server keyword filtering scans both plain text and HTML message body content. If Forefront Security for Exchange Server finds a match in both the HTML and the plain text, it will report two detections in the Incidents database and the Quarantine database.
VirusLog.txt
Incidents can also be written to a text file called VirusLog.txt, located in the Microsoft Forefront Security for Exchange Server installation path. To enable this feature, select Enable Forefront Virus Log in General Options (it is disabled by default). The following is a sample entry from the VirusLog.txt file:
Thu. Apr 25 14:12:51 2002 (3184), "Information: Realtime scan found virus: Folder: First Storage Group\Usera\Inbox Message: Hello File: Eicar.com Incident: VIRUS=EICAR-STANDARD_AV_TEST_FILE State: Cleaned"
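A parser for VirusLog.txt entries in the layout of the sample above, added here as an example that is not part of the guide or the product; it tallies entries by State and surfaces the ones that were not cleaned, which is what an administrator reading the log is usually after. The second and third sample lines are constructed, and the guide does not say what the number in parentheses denotes.

```python
import re
from collections import Counter
from datetime import datetime

# Layout of one entry, following the guide's sample: a timestamp, a number in
# parentheses (meaning not stated in the guide), a comma, then a quoted text
# with fixed "Key: value" fields in a fixed order.
ENTRY_RE = re.compile(
    r'^(?P<when>\w{3}\. \w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}) '
    r'\((?P<num>\d+)\), '
    r'"(?P<level>\w+): (?P<scan>\w+) scan found virus: '
    r'Folder: (?P<folder>.*?) '
    r'Message: (?P<message>.*?) '
    r'File: (?P<file>.*?) '
    r'Incident: (?P<incident>.*?) '
    r'State: (?P<state>\w+)"$'
)

# Constructed sample log: the first line is the guide's own sample, the
# second and third are constructed in the same layout (one Transport-scan
# entry that was purged, and one line that does not parse).
SAMPLE_LOG = [
    'Thu. Apr 25 14:12:51 2002 (3184), "Information: Realtime scan found virus: '
    'Folder: First Storage Group\\Usera\\Inbox Message: Hello File: Eicar.com '
    'Incident: VIRUS=EICAR-STANDARD_AV_TEST_FILE State: Cleaned"',
    'Thu. Apr 25 14:13:02 2002 (3184), "Information: Transport scan found virus: '
    'Folder: Inbound Message: Invoice File: eicar.zip '
    'Incident: VIRUS=EICAR-STANDARD_AV_TEST_FILE State: Purged"',
    'this line is deliberately malformed and must be reported as unparsed',
]


def parse_entry(line: str):
    """Parse one VirusLog.txt line into a dict, or return None if it does not fit."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["when"], "%a. %b %d %H:%M:%S %Y")
    rec["num"] = int(rec["num"])
    # "VIRUS=name" splits into the incident kind and the detection name.
    kind, _, name = rec["incident"].partition("=")
    rec["incident_kind"], rec["incident_name"] = kind, name
    return rec


def summarize(lines):
    """Count entries per State and collect those whose State is not Cleaned."""
    by_state = Counter()
    not_cleaned, unparsed = [], []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_entry(line)
        if rec is None:
            unparsed.append(line)   # keep, so log damage is not silently lost
            continue
        by_state[rec["state"]] += 1
        if rec["state"] != "Cleaned":
            not_cleaned.append(rec)
    return {"by_state": dict(by_state), "not_cleaned": not_cleaned, "unparsed": unparsed}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("entries by State:", result["by_state"])
    for rec in result["not_cleaned"]:
        print(f'{rec["when"]:%Y-%m-%d %H:%M:%S} {rec["scan"]} {rec["folder"]} '
              f'{rec["file"]} {rec["incident_name"]} -> {rec["state"]}')
    print("unparsed lines:", len(result["unparsed"]))
```

To run it against a real log, read the file from the installation path and pass its lines to summarize().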
Reported incident and description:
CorruptedCompressedFile. Forefront has deleted a corrupted compressed file.
CorruptedCompressedUuencodeFile. Forefront has deleted a corrupted compressed UUENCODE file.
EncryptedCompressedFile. Forefront has deleted an encrypted compressed file.
EngineLoopingError. Forefront has deleted a file causing a scan engine to be caught in a read/write loop while scanning or attempting to clean a file.
ExceedinglyInfected. Forefront has deleted a container file because it exceeded the maximum number of infections, as set in Max Container File Infections in General Options.
ExceedinglyNested. Forefront has deleted a container file because it exceeded the maximum nested depth, as set in Max Nested Compressed Files in General Options.
ExceedinglyNested. Forefront has deleted a file because it exceeded the maximum nested attachment limit, as set in Max Nested Attachments in General Options. The default is 30 attachments. For more information, see MaxNestedAttachments in Registry keys.
FragmentedMessage. A fragmented SMTP message has been replaced with the fragmented message deletion text.
LargeInfectedContainerFile. Forefront has deleted a file because it exceeded the maximum container size that it will attempt to clean or repair. The default is 26 MB, but you may change the value with the Max Container File Size option in General Options.
ScanTimeExceeded. Forefront has deleted a container file because it exceeded the maximum scan time. The default values, in milliseconds (msec), are 120000 msec (2 minutes) for Realtime/Transport scans and 600000 msec (10 minutes) for Manual scans.
UnReadableCompressedFile. Forefront has deleted a compressed file that it could not read.
UnWritableCompressedFile. Forefront has deleted a compressed file to which it cannot write (for example, during a cleaning operation).
Statistics
Forefront Security for Exchange Server tracks statistics for both messages and attachments for each scan job.
Message statistics
Several kinds of statistics are maintained for messages.
Messages Scanned. The number of messages scanned by Forefront Security for Exchange Server since the last restart of the services.
Messages Detected. The number of messages scanned that contained a virus or matched a file or content filter since the last restart of the services.
Messages Tagged. The number of messages tagged by Forefront Security for Exchange Server due to a filter match since the last restart of the services.
Messages Purged. The number of messages purged by Forefront Security for Exchange Server due to a virus detection or filter match since the last restart of the services. (Action set to Purge Eliminate Message or a worm purge match.)
Total Messages Scanned. The number of messages scanned by Forefront Security for Exchange Server since the product was installed.
Total Messages Detected. The number of messages scanned that contained a virus or matched a file or content filter since the product was installed.
Total Messages Tagged. The number of messages tagged by Forefront Security for Exchange Server due to a filter match since the product was installed.
Total Messages Purged. The number of messages purged by Forefront Security for Exchange Server due to a virus detection or filter match since the product was installed.
Attachment statistics
Several kinds of statistics are maintained for message attachments.
Attachments Scanned. The number of attachments scanned by Forefront Security for Exchange Server since the last restart of the services.
Attachments Detected. The number of attachments scanned that contained a virus or matched a file or content filter since the last restart of the services.
Attachments Cleaned. The number of attachments that were cleaned by Forefront Security for Exchange Server due to a virus infection or filter match since the last restart of the services.
Attachments Removed. The number of attachments that were removed by Forefront Security for Exchange Server due to a virus infection or filter match since the last restart of the services.
Total Attachments Scanned. The number of attachments scanned by Forefront Security for Exchange Server since the product was installed or the Statistics pane was last reset.
Total Attachments Detected. The number of attachments scanned that contained a virus or matched a file or content filter since the product was installed or the Statistics pane was last reset.
Total Attachments Cleaned. The number of attachments that were cleaned by Forefront Security for Exchange Server due to a virus infection or filter match since the product was installed or the Statistics pane was last reset.
Total Attachments Removed. The number of attachments that were removed by Forefront Security for Exchange Server due to a virus infection or filter match since the product was installed or the Statistics pane was last reset.
FSE scans the message body and the attachments but reports all scanned message parts as attachments. A single message with one attachment, therefore, is reported as two attachments in the Statistics pane.
Managing statistics
To reset all statistics for a scan job, click the x next to the scan job's name in the Statistics section of the Incidents work pane. To save the report and the statistics in either formatted text or delimited text format, click the Export button (on the Incidents work pane).
Quarantine
Forefront Security for Exchange Server, by default, creates a copy of every detected file in its original form (that is, before a Clean, Delete, or Skip action occurs). These files are stored in an encoded format in the Quarantine folder under the Forefront Security for Exchange Server DatabasePath folder (which defaults to the installation folder). The actual file name of the detected attachment, the name of the infecting virus or the file filter name, and the message envelope information, along with other bookkeeping information, are saved in the file Quarantine.mdb in the Quarantine folder. The Quarantine database is configured as a system data source name (DSN) with the name Forefront Quarantine. This database can be viewed and manipulated using third-party tools.
Quarantine options
Forefront Security for Exchange Server performs two different quarantine operations: quarantine of entire messages or quarantine of attachments only. Entire messages are quarantined only for content filters and file filters that are set to Purge when quarantine is enabled.
When the General Options setting Quarantine Messages is set to Quarantine as Single EML File (only applies to the Transport Scan Job), messages are quarantined in an EML file format. If you want to view the attachments that are contained inside the EML file, you must save the file from the Quarantine database and use Outlook Express to view the contents of the file. If Outlook Express is not installed on the computer, the message's attachments cannot be separated from the EML file easily for viewing.
If you do not have Outlook Express installed on the server on which you are quarantining messages, you can choose to have messages quarantined in pieces by setting Quarantine Messages to Quarantine Message Body and Attachments Separately. Forefront Security for Exchange Server will then quarantine messages as separate pieces (bodies or attachments) so they can be viewed more easily after they are saved to disk from the Quarantine database.
Messages that have been quarantined can also be forwarded to a mailbox. When the Quarantine Messages option is set to Quarantine Message Body and Attachments Separately, you must forward each piece of the message that was quarantined if you want the recipient to see the entire contents of the original message. If the Quarantine Messages option is set to Quarantine as Single EML File, only the quarantined EML file needs to be forwarded, and the recipient will receive the original message and any attachments as a single attachment to a new message.
An administrator can access the Quarantine pane to delete or extract stored detected file attachments. To view the Quarantine log, click REPORT in the Shuttle Navigator, and then click the Quarantine icon.
The Quarantine work pane appears. The quarantine list reports the date the file was quarantined, the name of the file, the type of incident that triggered the quarantine (such as virus or filter match), the name of the infecting virus or the filter name, the subject field of the message, the sender name, the sender address, the recipient names, and the recipient addresses.
When quarantined messages are delivered to the user's mailbox, the original message is included as an attachment. When the user opens the attachment, the original message launches within Outlook as a separate message. Note: On an Edge Server, since Forefront has no access to the Active Directory, you must enter a full e-mail address with a fully qualified domain name, even if delivery is to an addressee inside your Exchange organization. Failure to enter a fully qualified domain name results in the inability of Forefront to deliver mail from quarantine.
DeliverLog.txt
When a message file is delivered from the Quarantine database, a text file named DeliverLog.txt is created and saved in the folder where Forefront Security for Exchange Server is installed. This file provides a log of messages and attachments that have been delivered from quarantine.
Forwarding attachments
Attachments that were quarantined by the virus scanner or the file filter can be forwarded.
Path: The absolute path of the folder in which to save the extracted quarantined files.
Type: The type of quarantined files to extract. This can be the specific name of a virus, a specific extension, or all quarantined files. For example:
Jerusalem.Standard  Extracts files that were infected with the virus named Jerusalem.Standard.
*.doc  Extracts quarantined files having a .doc extension.
*.*  Extracts all quarantined files.
Examples:
extractfiles C:\temp\quarantine Jerusalem.Standard
extractfiles C:\extract\ *.doc
The body of the message reads: The Microsoft Forefront Security for Exchange Server << database name>> database is greater than 1.5 GB (with a maximum size of 2 GB). Its current size is x GB. If this database grows to 2 GB, updates to the << database name>> will not occur. Please see the user guide for information about database maintenance. If for some reason the notification cannot be sent, the failure is ignored and is noted in the program log. One attempt to send the message is made during each compaction cycle for the specific database.
You can also delete a subset of the results by selecting one or more entries (using the SHIFT and CTRL keys), and then pressing the DELETE key to remove them from the Quarantine listing. Note: If a large number of entries is selected, the deletion process can take a long time. In this case, you are asked to confirm the deletion request.
whose State is "Purged".) If you select any column other than Time (on the Incidents pane) or Date (on the Quarantine pane), the Value field appears. If you select Time or Date, you get entry fields for beginning date and time, and ending date and time.
3. If you selected Time or Date, enter the beginning and ending date and time. Otherwise, enter a string in the Value field. Wildcard characters can be used. They are those used by the Microsoft Jet database OLE DB driver. The wildcard characters are:
_ (underscore)  Matches any single character. (The * and ? characters, which are common wildcard characters, are literals in this instance.)
[ ]  Denotes a set or a range. Matches any single character within the specified set (for example, [abcdef]) or range (for example, [a-f]).
[!]  Denotes a negative set or range. Matches any single character not within the specified set (for example, [!abcdef]) or range (for example, [!a-f]).
4. Click Save to apply the filter. The only items you now see are those that match your parameters.
5. To see all the items again, remove the filter by clearing the Filtering check box and clicking Save.
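The wildcard rules above, implemented as a translator to a Python regular expression and applied to a constructed set of Incidents rows; this is an added example, not code from the guide or the product. It assumes that a pattern must match the whole column value and that the comparison is case-insensitive, neither of which the guide states.

```python
import re


def jet_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate the filter wildcards the guide lists into a compiled regex.

    "_" matches any single character; "[...]" a set or range; "[!...]" a
    negated set or range; "*" and "?" are literal characters.
    Assumption: whole-value, case-insensitive matching.
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "_":
            out.append(".")
        elif ch == "[":
            end = pattern.find("]", i + 1)
            if end == -1:
                raise ValueError("unterminated [ ] set in pattern")
            body = pattern[i + 1:end]
            negate = body.startswith("!")
            if negate:
                body = body[1:]
            if not body:
                raise ValueError("empty [ ] set in pattern")
            # Ranges such as a-f pass through unchanged; escape the two
            # characters that would otherwise be special inside a regex class.
            body = body.replace("\\", "\\\\").replace("^", "\\^")
            out.append(("[^" if negate else "[") + body + "]")
            i = end
        else:
            out.append(re.escape(ch))   # covers "*" and "?", literals here
        i += 1
    return re.compile("".join(out), re.IGNORECASE)


def filter_rows(rows, column, pattern):
    """Return the rows whose value in `column` matches the wildcard pattern."""
    rx = jet_pattern_to_regex(pattern)
    return [r for r in rows if rx.fullmatch(str(r.get(column, "")))]


# Constructed Incidents rows (a subset of the columns the guide lists).
INCIDENTS = [
    {"State": "Cleaned", "Name": "Realtime Scan Job", "File": "Eicar.com"},
    {"State": "Purged", "Name": "Transport Scan Job", "File": "report.doc"},
    {"State": "Deleted", "Name": "Manual Scan Job", "File": "notes.dot"},
    {"State": "Skipped", "Name": "Transport Scan Job", "File": "memo.doc"},
]


if __name__ == "__main__":
    for column, pattern in (("State", "Purged"), ("File", "[a-m]___.do[ct]"),
                            ("State", "[!C]______"), ("File", "*.doc")):
        hits = [r["File"] for r in filter_rows(INCIDENTS, column, pattern)]
        print(f"{column} matches {pattern!r}: {hits}")
```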
Performance
All Forefront Security for Exchange Server statistics can be displayed using the Performance snap-in (Perfmon.exe) provided by Windows and usually found in Administrative Tools. The performance object is called Microsoft Forefront Server Security.
The PerfMonitorSetup command will reinstall the performance counters without the need to reinstall Forefront Security for Exchange Server.
To reinstall performance counters from a command prompt
1. Open a command prompt window.
2. Navigate to the Forefront Security for Exchange Server installation folder (default: C:\Program Files(x86)\Microsoft Forefront Security\Exchange Server).
3. Enter the command: PerfMonitorSetup install
Update Now button on the Scanner Updates work pane to perform an immediate scanner update for each engine.
Scheduling an update
You can control when your scanning engines update, how often, and the update source. Note: If you are using the optional Microsoft Forefront Server Security Management Console to update the scan engines, you should use the Scanner Updates work pane to disable scheduled updates.
To schedule updates for scanning engines
1. In the SETTINGS section of the Shuttle Navigator, select Scanner Update. The Scanner Updates work pane appears. The top pane shows a list of all supported file scanners and the worm list.
2. Select a scan engine to be scheduled. The bottom pane contains the Primary and Secondary update paths and the update schedule for the selected engine. Additionally, there is information about that engine. (For more information, see Scanner Information.)
3. Set the primary update path by clicking Primary in the bottom pane and entering a value in the Network Update Path field. By default, FSE uses the primary update path to download updates. If the primary path fails for any reason, FSE uses the secondary update path, if any. The default primary update path is http://forefrontdl.microsoft.com/server/scanengineupdate. You may change it to point to another HTTP update site, or if you would prefer to use UNC updating as the primary update path, enter the UNC path to another Exchange server. For more information about UNC updating, see Distributing updates. To restore the default server path, right-click the Network Update Path field and select Default HTTP Path.
4. Set the secondary update path, if desired, by clicking Secondary in the bottom pane and entering a value in the Network Update Path field. If the primary path fails for any reason, FSE will use the secondary update path. It is left blank by default. The secondary path may be set to use HTTP or UNC updating. Enter either a URL or a UNC path to another Exchange server. For more information about UNC updating, see Distributing updates.
5. Specify the Date to check for updates. If you choose a Frequency of Once, this date is the only time update checking will take place; otherwise, this date represents the first time update checking will take place. Click the left and right arrows on the calendar to change the month. Click a particular day to select it. (The current date is circled in red; a selected date turns blue.)
6. Set a time for the update to take place. Each of the subfields (hour, minute, seconds, and AM/PM) can be selected and set separately. You can enter a time or use the up and down buttons to change the current value of each subfield. FSE defaults to staggering the update time, leaving an interval of five minutes between engines. It is recommended that you stagger updates a minimum of 15 minutes apart. Note: Do not use the Windows scheduler to set or change scan engine updating times. Changes you make in the operating system are not reflected in FSE update scheduling. Use the Scanner Update Settings work pane only.
7. Specify how often the update will occur (the frequency). You can choose Once (update only once, on the specified date and time), Daily (update every day, at the same time), Weekly (update each week, on the same day and time), or Monthly (update each month, on the same date and time). It is recommended that you select Daily (the default), and then set a Repeat interval to update the engine at multiple times during the day.
8. Optionally indicate a repeat interval. Select Repeat, and then choose a time interval. (The minimum time is 15 minutes.) It is recommended that you check for updates at least every two hours. If a new update is not available at the scheduled time, the engine is not taken offline and no updating is done. The default is to repeat updating for each engine every hour.
9. Use the Enable and Disable buttons to control whether the update check will be performed for a selected engine. All engine updates are enabled by default. Even if you are not using a particular engine, you should schedule updates for it. That way, if you find you need to use that engine in the future, it will already be at the current update level. Note: The Enable and Disable buttons control updating only, and not the use of the engine. To discontinue using the engine itself, see Manual Scan Job, Realtime Scan Job, and Transport Scan Job.
Update Now
To perform an immediate update of a selected scanner, click the Update Now button on the Scanner Updates work pane. If an update exists, Forefront Security for Exchange Server will download the scanner and will start using it after the download is complete. While the engine download is in progress, the Update Now button remains inoperable. This button is useful for quick checks for a new scanner between regularly scheduled updates.
Update on load
Forefront Security for Exchange Server can be configured to update its file scanners when FSCController starts up. To configure Forefront Security for Exchange Server to update at startup, select the Perform Updates at Startup option in the Scanner Updates section of the General Options work pane. Schedule engine updating using the scheduler on the Scanner Updates work pane. The engines that are to be updated are scheduled in five-minute intervals to avoid possible conflicts. This can be observed by typing at a command prompt after the FSCController has been started. This feature was mainly added for clustered Exchange servers where the inactive node will not receive updates while it is offline.
Scanner information
This is the information that appears on the Scanner Updates work pane for a selected scanner:
Engine Version. The version, as reported by the third-party scan DLL.
Signature Version. The version of the scanner's virus definition files currently in use, as reported by the third-party scan DLL (not available with every scanner).
Update Version. The value located in the Manifest.cab file.
Last Checked. The date and time of the last check made for a new scan engine or definition files.
Last Updated. The date and time of the last update made to the scan engine or definition files.
Manifest.cab
The Manifest.cab files, maintained by Microsoft, store information for determining if a newer version of a scan engine is available for download. (Each engine has an associated Manifest.cab file in its Package folder.) During a scheduled update or when Update Now has been invoked, Forefront Security for Exchange Server searches the network update path for a new update. To minimize overhead, the Manifest.cab file is first downloaded and used to determine if an update is required. If an update is not required, no further processing takes place. If an update is required, the update is then downloaded and applied. When the update is finished, the new Manifest.cab file overlays the old one.
This is the directory structure of the scan engines on a server running Forefront Security for Exchange Server:
Forefront Directory\
    Engines\
        x86\
            Engine Name\
                Package\
                    manifest.cab
                Version Directory\
                    manifest.cab
                    enginename_fullpkg.cab
                    other enginename files
Forefront Directory is the top-level directory where all of the FSE files are kept. This was created during the product's installation. Engine Name is a directory with the name of an engine's vendor. There is an Engine Name directory for each engine. The Package directory contains the most-recent Manifest.cab file. The Version Directory name has the format yymmddvvvv (year, month, day, version, for example: 0602020001). On any particular day, there may be multiple version directories. Each contains the current Manifest.cab, the enginename_fullpkg.cab, and all other required files for the engine.
Distributing updates
The most common method of distributing updates is to have one server (the "hub") receive updates from the Microsoft HTTP server and then share those updates among the rest of the servers in your environment (the "spokes"). After the hub receives an engine update, it can share that update with any other server whose network update path points to it.
No update available:
Error updating:
3. Enter information about the proxy server: name or IP address, port, user name (optional), and password (optional). For more information about these fields, see "General Options" in Forefront Server Security Administrator. 4. Click Save. After the proxy server settings have been entered and saved, they can be deployed to other servers by replicating the General Options settings using the Microsoft Forefront Server Security Management Console (FSSMC).
Troubleshooting
This section contains troubleshooting information.
Getting help
To obtain technical support, visit the Microsoft Web site at Microsoft Help and Support.
Diagnostics
Diagnostic logging is helpful information that can be used by Microsoft support technicians to help troubleshoot any problems that are occurring while Forefront Security for Exchange Server is not working properly. Diagnostics can be set independently for each scan job by selecting the appropriate check box for each scan job in the Diagnostics area of the General Options work pane. The settings are: Additional Transport, Additional Realtime, Additional Manual, and Archive Transport Mail. These options are disabled by default. For more information about these settings, see General Options. For information about collecting diagnostic information, see The FSC diagnostic tool.
To delete the VirusScan registry entry
1. Click Start, click Run, type regedit, and then click OK.
2. In the Registry Editor, expand the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\VirusScan
3. Right-click the VirusScan registry entry, and then click Delete.
4. Exit the Registry Editor.
There are other parameters, but they should only be used when you are directed to do so by support technicians.
FSCUtility /disable
3. To confirm that the Forefront Security dependencies have been removed, type:
FSCUtility /status
4. Restart the Exchange services.
Caution: When you are not running FSE, you are without its protection.
To enable Forefront Security for Exchange Server by reestablishing dependencies
1. Stop the Exchange services. Note: In a clustered environment, when running the FSC Utility to enable FSE, the Exchange services are automatically taken offline. Therefore, you can skip step 1 and proceed directly to step 2.
2. From a command prompt, navigate to the Forefront Security for Exchange Server installation directory. Enable Forefront Security dependencies by typing:
FSCUtility /enable
3. To confirm that the Forefront Security dependencies have been reestablished, type:
FSCUtility /status
Registry keys
Caution: Serious problems might occur if you modify the registry incorrectly. These problems could require you to reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk. Always make sure that you back up the registry before you modify it, and that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, see Microsoft Knowledge Base article Windows registry information for advanced users.

Forefront Security for Exchange Server stores many settings in the Windows registry. You seldom have to edit the registry yourself, because most of those settings are derived from entries you make in General Options. However, there are some additional settings that you may occasionally need to make.

FSE stores registry values in the following locations:
For 32-bit systems (only valid during evaluation of FSE): HKLM\SOFTWARE\Microsoft\Forefront Server Security\Exchange Server
For 64-bit systems: HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server

Variable and its description and values

AdditionalTypeChecking
Forefront Security for Exchange Server performs signature type checking on files to avoid scanning files that can never contain a virus. If it becomes necessary to scan an additional file type, you will need to contact Help and Support to obtain the proper setting for the file type you would like to add. This key is set to 0 (off) by default.

DatabasePath
Specifies the path under which the Forefront Security for Exchange Server configuration files and Quarantine folder reside. It defaults to the Forefront Security for Exchange Server installation path (InstalledPath). If this value is changed, the configuration files and the Quarantine folder (along with its contents) must be moved to this new location. If this value is changed and the files are not moved, Forefront Security for Exchange Server re-creates them and the previous settings are lost. Move the files first and then change this value.

DisableAVStamping
Specifies whether the system will apply the secure AV stamp. An important feature of Forefront optimizes for scanning messages on the Exchange 2007 Transport role. A secure AV stamp is applied to messages scanned by Forefront on Transport servers; this prevents duplicate scanning on the Mailbox server role when the message is deposited into the Information Store. DisableAVStamping enables you to override this recommended default so that Forefront can scan with some engines on a Transport server, and a different set of engines on the Mailbox server. To set it up, add a new DWORD with a value of "1". This causes the Transport stamp to be suppressed, and the Mailbox server to treat the message as not having been previously scanned. You should use this setting only when different engines (or different filtering settings) are selected on the Transport server and the Mailbox server. Otherwise, needless duplicate scanning will take place.
When the value of DisableAVStamping is set to "1", it prevents the stamping of messages at the Transport. This value is not present by default and is assumed to be "0" (the default). When the value of DisableAVStamping is set to "1", we also recommend that you turn on mailbox server proactive scanning on all Mailbox servers routed to by the transport server. This causes newly-arrived mail to the Mailbox server to be placed in a scanning queue to be scanned upon arrival. To enable proactive scanning on the Mailbox server role, set the DWORD value of the following Exchange key to "1" (it is normally disabled, with a value of "0"): HKEY_Local_Machine\System\CurrentControlSet\Services\MSExchangeIS\VirusScan

DisableInboundFileFiltering
When set to 1, this value disables inbound file filtering for the Transport Scan Job. The default value is 0. The Forefront Security services must be recycled for this feature to take effect.

DisableInboundVirusScanning
When set to 1, this value disables inbound virus scanning for the Transport Scan Job. The default value is 0.

DisableOutboundFileFiltering
When set to 1, this value disables outbound file filtering for the Transport Scan Job. The default value is 0. The Forefront Security services must be recycled for this feature to take effect.

DisableOutboundVirusScanning
When set to 1, this value disables outbound virus scanning for the Transport Scan Job. The default value is 0.

DoNotScanIPMReplicationMessages
Specifies whether to scan IPM replication messages. The Transport Scan Job scans files called Winmail.dat for viruses. Exchange uses these files for several purposes, including facilitating replication between servers (IPM replication messages). If FSE modifies a Winmail.dat file, the public folder replication process will fail. Setting this DWORD registry key to 1 prevents the Transport Scan Job from scanning IPM replication messages. If a virus is replicated because of public folder replication, the Realtime Scan Job will still detect the virus even if this key is set.

EngineDownloadTimeout
Specifies the timeout value (in seconds) that Forefront Security will allow for scan engine downloads. The default value is 300 (5 minutes).

InternetPurge
Enables or disables purging by the Transport scanner. If set to 0, purging is disabled. If set to 1, purging is enabled. The key is set to 1 by default.

ManualScanContinueOnFailed
Used to recover from a manual scan failure when a scan engine encounters problems with a file or when moving between folders. This prevents the manual scan from stopping if an engine encountered a problem while scanning a file or traversing a folder structure. When this key is set to any value other than 0, Forefront Security for Exchange Server continues scanning after such an event.

MaxCompressedSize
This registry key works in conjunction with the General Option setting Delete Corrupted Compressed Files. In order to delete a file that exceeds the MaxCompressedSize, the Delete Corrupted Compressed Files General Option setting must be enabled. This key sets the maximum compressed file size that Antigen attempts to clean or repair in the event that it discovers an infected file. This key is set to 26 MB by default but may be changed by the administrator. Infected files or files that meet file filter rules that are larger than the allowed maximum size are deleted. Antigen reports a deleted file as having a LargeCompressedInfectedFile virus.

MaxUncompressedFileSize
This registry key works in conjunction with the General Option setting Delete Corrupted Compressed Files. In order to delete a file that exceeds the MaxUncompressedFileSize, the Delete Corrupted Compressed Files General Option setting must be enabled. This key sets the maximum uncompressed file size for a file within a .zip or a RAR archive file. Files larger than the maximum permitted size are deleted and reported as Large Uncompressed File Size. The default setting is 100 MB.
The RAR archive format enables one or more compressed files to be stored in multiple RAR volumes, thereby permitting large files to be broken into smaller-sized files for ease of file transfer. The files stored in the multipart RAR volumes are subject to the size limit specified by this registry value (its default is 100 MB). If a file exceeds the limit, any multipart RAR volume that contains the file, or a part of the file, is deleted. However, the outcome can vary, depending on the size of the original files and how they are distributed across the multiple RAR volumes.
Example 1: A single file (F1) is split across 3 RAR volumes (V1, V2, V3). Outcome: If the uncompressed size of F1 exceeds the default 100 MB limit, all 3 RAR volumes (V1, V2, V3) are deleted.
Example 2: Four files (F1, F2, F3, F4) are split across three RAR volumes (V1, V2, V3) as follows: V1 contains F1 and the first half of F2. V2 contains the second half of F2 and F3. V3 contains only F4. Outcome: If only F1 exceeds the default 100 MB limit, only V1 will be deleted. If only F2 exceeds the default 100 MB limit, V1 and V2 will be deleted, but V3 will not. If only F4 exceeds the limit, only V3 will be deleted. Note that deleting a volume causes all files stored in the same volume to be deleted, even if only one file or part of a file exceeded the size limit.
In both examples, deletion text specifies that a file (the RAR volume) was deleted because it exceeded the maximum uncompressed file size limit. To prevent the volumes from being deleted, you must set the registry value MaxUncompressedFileSize to a value large enough to exceed the uncompressed size of the largest file in the multipart RAR volumes.

MIMEDeletePartialMessages
Some e-mail client programs, such as Microsoft Outlook Express, let you send large e-mail messages in several fragments. By default, when Forefront Security for Exchange Server scans fragmented messages (content type: message/partial), the e-mail message may be tagged as FragmentedMessage. In this case, the message body is deleted and replaced with the file filter deletion text. To prevent Forefront from deleting fragmented e-mail messages, you must create a new DWORD registry key called MIMEDeletePartialMessages and set it to a value of 0.
Note: Fragmented messages are not deleted when the value data is set to 0. Fragmented messages are deleted when there is no MIMEDeletePartialMessages DWORD value in the registry or when the MIMEDeletePartialMessages value data is set to 1.

QuarantineTimeout
Specifies whether items that cause a scan job timeout should be quarantined. If this DWORD registry value is not present or if it is present and its value is not zero, a message that causes a scan job timeout will be quarantined. If the registry value is present and its value is zero, that message will not be quarantined.

RealtimePurge
Enables or disables purging by the Realtime scanner. If set to 1, purging is enabled. If set to 0, purging is disabled. The key is assumed to be 1 by default. Each time you alter this registry value, you must recycle the Exchange Information Store for the change to take effect for the Realtime Scan Job.

ScanAllAttachments
When this DWORD value is set to 1 (the default), Forefront Security for Exchange Server scans all file attachments. ScanAllAttachments is a "silent" key, that is, if it is not present, its value defaults to 1.

UpdateDllonScanJobUpdate
When set to 1, this key ensures that a background scan will be initiated every time a change is made and saved to the Realtime Scan Job. This key is disabled by default.

TransportPurge
Enables or disables purging by the Transport scanner. If set to 1, purging is enabled. If set to 0, purging is disabled. The key is assumed to be 1 by default. Each time you alter this registry value, you must recycle the Exchange IMC service for the change to take effect for the Transport Scan Job.

UpdateOnLoad
When this value is set to 1, updates are scheduled for each file scanner that was installed with Forefront Security for Exchange Server after a Forefront Security service startup. This feature is mainly used in clustered Exchange servers. By default, this value is set to 0.

UseDomainsDat
Specifies whether a text file (called Domains.dat) is used to indicate your internal domains. If the value is 0 (the default), the Internal Address field in General Options is used. If you change the value to 1, you can enter all your internal addresses in a text file called Domains.dat in the DatabasePath directory. You would do this if you have a large number of domains to be used as internal addresses.
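As an added example that is not part of this guide, the following PowerShell performs a read-only audit of the registry values documented above: it reports the effective value of each DWORD (applying the documented default when the entry is absent, as the guide describes for "silent" keys such as ScanAllAttachments) and flags settings that switch off scanning, filtering or quarantine so an administrator can confirm they are intentional. The value names, defaults and the two key paths come from this guide (the QuarantineCorruptedCompressedFiles entry is documented later, in the release notes); the Flag column is this example's own assessment, not a setting FSE publishes.

```powershell
# Added example, not from the Forefront guide: read-only audit of the
# documented FSE registry values. Nothing here writes to the registry.

# Documented locations; 64-bit first because the 32-bit path is documented
# as valid only during evaluation.
$fsePaths = @(
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server',
    'HKLM:\SOFTWARE\Microsoft\Forefront Server Security\Exchange Server'
)

# Name    = documented value name.
# Default = value the guide says applies when the entry is absent; $null where
#           the guide states no default. For QuarantineTimeout and
#           QuarantineCorruptedCompressedFiles "absent" means "quarantine",
#           represented here as 1.
# Flag    = value that reduces scanning, filtering or quarantine coverage and
#           so deserves confirmation; $null where no single value is a concern.
$documented = @(
    @{ Name = 'AdditionalTypeChecking';             Default = 0;     Flag = $null }
    @{ Name = 'DisableAVStamping';                  Default = 0;     Flag = 1 }
    @{ Name = 'DisableInboundFileFiltering';        Default = 0;     Flag = 1 }
    @{ Name = 'DisableInboundVirusScanning';        Default = 0;     Flag = 1 }
    @{ Name = 'DisableOutboundFileFiltering';       Default = 0;     Flag = 1 }
    @{ Name = 'DisableOutboundVirusScanning';       Default = 0;     Flag = 1 }
    @{ Name = 'DoNotScanIPMReplicationMessages';    Default = $null; Flag = $null }
    @{ Name = 'EngineDownloadTimeout';              Default = 300;   Flag = $null }
    @{ Name = 'InternetPurge';                      Default = 1;     Flag = 0 }
    @{ Name = 'ManualScanContinueOnFailed';         Default = $null; Flag = $null }
    @{ Name = 'MaxCompressedSize';                  Default = $null; Flag = $null }
    @{ Name = 'MaxUncompressedFileSize';            Default = $null; Flag = $null }
    @{ Name = 'MIMEDeletePartialMessages';          Default = 1;     Flag = 0 }
    @{ Name = 'QuarantineCorruptedCompressedFiles'; Default = 1;     Flag = 0 }
    @{ Name = 'QuarantineTimeout';                  Default = 1;     Flag = 0 }
    @{ Name = 'RealtimePurge';                      Default = 1;     Flag = 0 }
    @{ Name = 'ScanAllAttachments';                 Default = 1;     Flag = 0 }
    @{ Name = 'TransportPurge';                     Default = 1;     Flag = 0 }
    @{ Name = 'UpdateDllonScanJobUpdate';           Default = 0;     Flag = $null }
    @{ Name = 'UpdateOnLoad';                       Default = 0;     Flag = $null }
    @{ Name = 'UseDomainsDat';                      Default = 0;     Flag = $null }
)

function Get-FseRegistryPath {
    # First documented location that exists on this server, or $null.
    $fsePaths | Where-Object { Test-Path -Path $_ } | Select-Object -First 1
}

function Get-FseRegistryAudit {
    $path = Get-FseRegistryPath
    if (-not $path) {
        throw 'FSE key not found in either documented registry location.'
    }
    $key = Get-ItemProperty -Path $path

    foreach ($d in $documented) {
        # A "silent" key that is absent still has an effective (default) value.
        $present   = $null -ne $key.PSObject.Properties[$d.Name]
        $effective = if ($present) { $key.($d.Name) } else { $d.Default }

        $finding = ''
        if ($null -ne $d.Flag -and $null -ne $effective -and $effective -eq $d.Flag) {
            $finding = 'REVIEW: reduces scanning/filtering/quarantine coverage; confirm intentional'
        }

        [pscustomobject]@{
            Name      = $d.Name
            Present   = $present
            Effective = $effective
            Finding   = $finding
        }
    }
}

function Get-FseDatabasePath {
    # DatabasePath is a string, not a DWORD; a relocated Quarantine folder is
    # worth seeing separately because the guide warns that the folder must be
    # moved before the value is changed.
    $path = Get-FseRegistryPath
    if ($path) { (Get-ItemProperty -Path $path).DatabasePath }
}

Get-FseRegistryAudit | Format-Table Name, Present, Effective, Finding -AutoSize
"DatabasePath: $(Get-FseDatabasePath) (absent means the installation path is used)"
```

Run it in an elevated PowerShell session on the FSE server; a Finding of REVIEW is a prompt to check change records, not proof of misconfiguration, since the guide documents legitimate uses of several of these values (for example DisableAVStamping when Transport and Mailbox servers use different engines).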
Engine Version: Indicates the current version of enginename, as specified in the Forefront Server Security Administrator.
Last Checked: Indicates the date and time enginename was last checked, as specified in the Forefront Server Security Administrator.
Last Updated: Indicates the date and time enginename was last updated, as specified in the Forefront Server Security Administrator.
Signature Version: Indicates the current version of the enginename signature file, as specified in the Forefront Server Security Administrator.
Update Version: Indicates the current update of enginename, as specified in the Forefront Server Security Administrator.
The %Virus% virus was found by Forefront Security for Exchange Server.
Instead of typing the keyword, you can select it from a shortcut menu.
To select a keyword from the shortcut menu
1. Position the cursor in any notification field, at the point where you want the keyword to appear.
2. Right-click at that point to display a shortcut menu.
3. Select Paste Keyword.
4. Choose from a list of available keywords.
5. Click Save.
The macros
These are the possible keyword substitution macros. Use consecutive percent signs (%%) to display the percent sign itself in the notification field.
%Company% The name of your organization, as found in the registry.
%EBccAddresses% External Bcc addresses. A list of the addresses of all the external Bcc recipients.
%EBccNames% External Bcc names. A list of the names of all the external Bcc recipients.
%ECcAddresses% External Cc addresses. A list of the addresses of all the external Cc recipients.
%ECcNames% External Cc names. A list of the names of all the external Cc recipients.
%ERAddresses% External recipient addresses. A list of the addresses of all the external To recipients.
%ERNames% External recipient names. A list of the names of all the external To recipients.
%ESAddress% External sender address. The address of the message sender, if external to the company.
%ESName% External sender name. The name of the message sender, if external to the company.
%File% The name of the detected file.
%Filter% The name of the filter that detected the item.
%Folder% The public or private store (mailbox) and subfolders where the virus or attachment was found.
%IBccAddresses% Internal Bcc addresses. A list of the addresses of all the internal Bcc recipients.
%IBccNames% Internal Bcc names. A list of the names of all the internal Bcc recipients.
%ICcAddresses% Internal Cc addresses. A list of the addresses of all the internal Cc recipients.
%ICcNames% Internal Cc names. A list of the names of all the internal Cc recipients.
%IRAddresses% Internal recipient addresses. A list of the addresses of all the internal To recipients.
%IRNames% Internal recipient names. A list of the names of all the internal To recipients.
%ISAddress% Internal sender address. The address of the message sender, if internal to the company.
%ISName% Internal sender name. The name of the message sender, if internal to the company.
%Message% The Subject field of the message.
%MIME% MIME Header. The MIME header information.
%ScanJob% The name of the scan job that scanned the attachment or performed the filtering operation.
%Server% The name of the server that found the infection or performed the filtering operation.
%State% The disposition of the detected item (Deleted, Cleaned, or Skipped).
%Virus% The name of the virus, as reported by the file scanner.
%VirusEngines% A list of all the scan engines that found the virus.
File type      Type number  Description
ANIfile        66
               21           ARC compression format file
               20           ARJ compression format file
               63           AutoCad file
               29           Windows Audio/Visual file format (Audio/Video Interleaved resource interchange file format)
               24           Bitmap image file
               15           InstallShield file (InstallShield 3)
               6            Microsoft OLE Structured Storage file. The Docfile test checks for the OLE Structured Storage file format. Contained within this format is information that describes the application to use to process the data. Among the applications that use this format are the Microsoft Office applications suite: Word (.doc), Excel (.xls), PowerPoint (.ppt), Exchange Message files (.msg), and Shell scraps (.shs).
Eicar          5            Eicar test virus file
EPSfile        57           Encapsulated PostScript file (Adobe)
               3            Microsoft executable file
               64           Adobe Type 1 font file
               22           GIF image file
               16           GZip compression format file
               54           ARC compression format file (Systems Enhancement Associates)
               27           Windows icon file
               48           InstallShield uninstall file
               14           Microsoft cabinet archive format file
JarFile        52           Java archive file
JavaClass      45           Java byte code file (usually contained inside a JAR file)
JPEG           23           JPEG image file
LHAfile        12           Compression format file (LHA/LHARC)
MACFILE        77           A binary (non-text) format that encodes Macintosh files so that they can be safely stored or transferred through non-Macintosh systems
               71           Access database file
               67           MP3 audio file
               32           MPEG animation file (.mpg)
               51           Document file for Microsoft Help index (.chi)
MS_Help        50           Microsoft Help file (.hlp)
MS_TypeLib     49           Microsoft Type Library file format (typically used for ActiveX service)
MS_WMF         59           Microsoft Windows metafile format graphics (vectored and bitmapped)
MSCabFile      13           Cabinet file (Microsoft installation archive)
MSCompress     17/18        Microsoft compression format file
MSIMC_MIME     46           MIME formatted text file with IMC binary header
MSLibrary      42           Microsoft object code library file
MSShortCut     44           Microsoft shortcut file (.lnk)
NotesDB        68           Notes database file
OBJfile        43           Object code file (Intel Relocatable Object Module - .obj)
OPENXML        83           OpenXML File. Note: This file type applies to Word, PowerPoint, and Excel 2007 files only. The Scan Doc Files As Containers settings in General Options (for each scan job) do not apply to Office 2007 files, since these are always scanned as containers. Although OpenXML files are essentially ZIP containers, and the individual files inside are scanned by FSE, settings that affect ZIP files do not apply to them. OpenXML documents have an XML-based schema which FSE cannot modify if an infection is found. Therefore, if an infection is in a file that is part of the XML schema, the file is not cleaned and the entire OpenXML document is deleted. However, if the infected file is not part of the XML schema, then FSE will attempt to clean just that infected file (replacing it with the Deletion Text) and leave the rest of the OpenXML document intact; if it cannot be cleaned, just that file will be deleted. However, in practice, Office 2007 does not open any OpenXML file containing files that are not part of the XML schema.
PALfile        26           Adobe PageMaker library palette file or a color palette file
PCXfile        25           Bitmap graphic file (PC Paintbrush)
PDFfile        47           Portable Document Format file (Adobe)
PIFfile                     Program Information File (Windows), or Vector Graphics GDF format file (IBM mainframe computers)
PKLite         55           PKLite compression format file
PNGfile        61           Bitmap graphics file (Portable Network Graphics)
               31           Quick Time Movie file
               76           RAR-compressed archive file
               30           RIFF bitmap graphics file (Fractal Design Painter)
SFXexe         73           Self extracting executable file
TARFILE        75           TAR archive format file (a UNIX method of archiving files, which can also be used by personal computers). TAR archives files but does not compress them, so sometimes .tar files are compressed with other tools, which produces extensions like .tar.gz, .tar.Z, and .tgz.
Text           1            Text file (.txt)
TifFile        62           Tagged Image File Format (TIFF) bitmap graphics file
TNEFfile       56           Microsoft Transport Neutral Encapsulation Format file (Message file)
TrueType       65           Microsoft TrueType font file (.ttf)
Unicode        2            Universal Character Code double-byte text file
               53           Unix Compressed format file
               60           Visio exported meta file
               28           Waveform audio file (RIFF WAVE format)
               8            Microsoft Excel 1.x file (.xls)
               7            Microsoft Word (1.x and 2.x) file
               9            Microsoft Write file
               58           XaraX graphic file
               10           Compressed file created by PKZip
ZOOfile        19           Compressed file created by ZOO
Information collected
The Forefront Security Diagnostic tool can collect any or all of the following information, based on your requests:
FSE file versions
Exchange file versions
FSE registry key
FSE database files
FSE archive files
FSE program log file
Windows event log files
Dr. Watson log file
User.dmp file
FSE installation log file
FSE hotfix installation log file
Exchange agents.config file
To run the Forefront Security Diagnostic tool
1. Run the program in no prompt mode, interactive mode, or console mode.
To run the program in no prompt mode: Navigate to the Forefront Security for Exchange Server installation folder (default: C:\Program Files(x86)\Microsoft Forefront Security\Exchange Server) and launch FSCDiag.exe. The program runs in a command prompt window. You can also run the program at a command prompt by navigating to the Microsoft Forefront Security\Exchange Server installation folder and typing:
FSCDiag
To run the program in interactive mode: At a command prompt, navigate to the Microsoft Forefront Security\Exchange Server installation folder and type:
FSCDiag /i
You are prompted for each item. Type Yes or No, pressing ENTER after each response. To run the program in console mode: At a command prompt, navigate to the Microsoft Forefront Security\Exchange Server installation folder and type:
FSCDiag /c /switch1 /switch2 /switch3
You must specify /c, which signifies that you are running the tool in console mode. You can specify as many switches as needed. An example of the syntax used to collect only the Forefront file versions and the Forefront registry keys is:
FSCDiag.exe /c /ver Forefront /reg Forefront
To view the possible switch combinations that you can use, type FSCDiag /? before running the program.
2. After you execute the program, the tool gathers the requested information and compresses the results into a new file that is located in the Log\Diagnostics\ folder under the FSE installation directory. The file name, constructed from the name of the server, date, and time, has the following format:
Format: ForefrontDiag-<server name>-<date>-<time>.zip
<date> has the format yyyymmdd
<time> has the format hh.mm.ss (where hh represents a 24-hour clock)
Example: C:\Program Files(x86)\Microsoft Forefront Security\Exchange Server\Log\Diagnostics\ForefrontDiag-Server1-20051210-17.50.27.zip
3. Contact Microsoft Help and Support to find out where to upload the compressed file.
4. Upload the compressed file to Microsoft.
About backups
A backup is a copy of data that is used to restore and to recover lost data after a system failure. By using suitable backups, you can recover from many failures that include the following conditions:
Media failure
User errors, such as when a file is deleted by mistake
Hardware failures, such as a damaged disk drive or the permanent loss of a server
Natural disasters
For more detailed information about creating backups and recovering data for Microsoft Exchange Server 2007, see Disaster Recovery.
5. In Notepad, edit the batch file to include a command to start the Forefront Security Diagnostic tool (FSCDiag.exe) in order to obtain registry and file information for FSE. The contents of the ForefrontDiagnostics.bat file should resemble the following:
cd drive:\Program Files\Microsoft Forefront Security\Exchange Server
FSCDiag.exe /c /ver Forefront /reg Forefront
Note: If you are not sure about the location of the FSCdiag.exe file, perform a search operation to find the location, and then use it to replace the path in the sample .bat file.
6. On the File menu, click Save, and then close Notepad.
7. Double-click the ForefrontDiagnostics.bat file.
8. In Windows Explorer, locate the following folder: drive:\Program Files\Microsoft Forefront Security\Exchange Server\log\Diagnostics
9. Make sure that a file that is named ForefrontDiag-ServerName-Date-Time.zip is created as a result of running the batch file.
Note: The placeholders ServerName, Date, and Time represent the actual server name and the date and time when the log file is created.
To create a scheduled task in order to keep the version information up to date on a computer running Windows Server 2008
1. Click Start, point to Administrative Tools, and then click Task Scheduler. If you are prompted for an administrator password or for a confirmation, type the password, or click Continue.
2. On the Actions menu, click Create Basic Task.
3. In the Create Basic Task Wizard, type the schedule name in the Name box, type the schedule description in the Description box, and then click Next. For example, type the following information:
Name: Forefront Diagnostics
Description: Runs ForefrontDiagnostics.bat in order to update and store updated registry and file version information for Forefront Security for Exchange Server.
4. On the Task Trigger page, select an acceptable interval, for example Weekly, and then click Next.
5. Depending on the selected interval, set the start date, the start time, and the recurrence details, and then click Next. For example, configure the following settings:
Weekly
Start MM/DD/YYYY - HH:MM:SS AM/PM
Recur Every: X weeks on: Saturday
where MM/DD/YYYY is the month, day and year; HH:MM:SS is the hour, minutes, and seconds; and X is the number of weeks.
6. On the Action page, select the Start a program button, and then click Next.
7. On the Start a Program page, click Browse, locate the ForefrontDiagnostics.bat file that you previously created, click Open, and then click Next.
Note: Leave the Add Arguments (optional) and the Start in (optional) text boxes blank.
8. On the Summary page, verify the settings, and then click Finish.
To create a scheduled task in order to keep the version information up to date on a computer running Windows Server 2003
1. Click Start, click Control Panel, and then double-click Scheduled Tasks.
2. In Scheduled Tasks, double-click Add Scheduled Task.
3. In the Scheduled Task Wizard, click Next.
4. On the Click the program you want Windows to run page, click Browse.
5. In the Select Program to Schedule window, locate and then double-click the ForefrontDiagnostics.bat file that you previously created.
6. In the Type a name for this task box, type a schedule name, select an acceptable interval, and then click Next. For example, use the following name and interval for the task:
Forefront Diagnostics
Weekly
7. On the Select the time and date you want this task to start page, set an appropriate start date and time, and then click Next. For example, configure the following settings:
Start HH:MM:SS AM/PM
Every: X weeks on: Saturday
where HH:MM:SS is the hour, minutes, and seconds; and X is the number of weeks.
8. On the Enter the name and password of a user page, provide the credentials for a user who has permissions to the server, and then click Next.
9. On the You have successfully scheduled the following task: schedule name page, click Finish.
After the whole system has been restored to an earlier state, you can recover the Incidents database and the Quarantine database along with your configuration settings. You can also create templates to deploy configuration settings to servers in your enterprise. (For more information about creating templates, see Templates.) Then, you can use these templates and the Microsoft Forefront Server Security Management Console (FSSMC) in order to help you quickly recover from a failure.
Note: The steps outlined in the following procedures provide general instructions for performing specific tasks; for more detailed instructions, see the Microsoft Forefront Server Security Management Console User Guide.
To restore data files in an environment that is running FSSMC
1. On the server that you want to use for configuring the FSE templates, upload the Template.fdb file to FSSMC.
2. In FSSMC, configure the General Options settings.
3. Restore the failed Exchange server.
4. On the Exchange server that you restored, follow these steps:
a. Install FSE and all related hotfixes or rollups that were installed at the time of the backup.
b. Deploy the FSSMC deployment agent.
c. Deploy the Template package to the Exchange server.
d. Deploy the General Options package to the Exchange server.
e. Restore the Incidents.mdb database and the Quarantine folder to a temporary location.
f. Stop the FSCController service.
Note: Stopping this service stops the Microsoft Exchange Information Store and Microsoft Exchange Transport services, as well as the other FSE services, causing mail to stop flowing.
g. In Windows Explorer, locate and open the following folder: drive:\Program Files\Microsoft Forefront Security\Exchange Server\Data
h. Rename the Incidents.mdb file to Incidents.old.
i. Rename the Quarantine folder to QuarantineOld.
j. Move the Incidents.mdb file and the Quarantine directory from the temporary location to the following folder: drive:\Program Files\Microsoft Forefront Security\Exchange Server\Data
k. Start the Forefront services.
To restore data files in a standalone environment
1. Select the server that you want to use for configuring your Forefront Security for Exchange templates.
2. Restore the failed Exchange server.
3. On the Exchange server that you restored, follow these steps:
a. Install FSE and all related hotfixes or rollups that were installed at the time of the backup.
Note: You can compare the file versions against the VerForefront.csv file that is located in the latest ForefrontDiag backup.
b. Restore the Template.fdb file, the Incidents.mdb file, and the Quarantine directory to a temporary location.
c. Stop the FSCController service.
Note: Stopping this service stops the Microsoft Exchange Information Store and Microsoft Exchange Transport services, as well as the other FSE services, causing mail to stop flowing.
d. In Windows Explorer, locate and open the following folder: drive:\Program Files\Microsoft Forefront Security\Exchange Server\Data
e. Rename the Incidents.mdb file to Incidents.old.
f. Rename the Quarantine folder to QuarantineOld.
g. Rename the Templates.fdb file to Templates.old.
h. Move Templates.fdb, Incidents.mdb, and the Quarantine folder from the temporary location to the following folder: drive:\Program Files\Microsoft Forefront Security\Exchange Server\Data
i. Start the Forefront services.
j. At a command prompt, type the following commands and then press ENTER after each:
cd drive:\Program Files\Microsoft Forefront Security\Exchange Server
FSCStarter t
Notes:
The FSCStarter t command loads the templates from the Templates.fdb file.
Because the General Options settings have registry values that are associated with them, they cannot be recovered in a stand-alone environment. It is recommended that you compare your registry settings against another server in your organization or against the Reg_ForefrontSoftware.txt file that is located in the latest ForefrontDiag backup, and then manually configure the General Options settings by using the Forefront Server Security Administrator. (For more information about configuring General Options, see "General Options" in Forefront Server Security Administrator.)
It is recommended that you do not copy Forefront database (.fdb) files from another server. If you do this, the associated globally unique identifiers (GUIDs) of the databases will conflict.
There are now restricted access control lists (ACLs) on resources. The security of Forefront Security for Exchange Server resources has been improved to prevent unauthorized access. With this change, only users who are part of the Administrators group have access to administer Forefront Security for Exchange Server. The ACLs that are applied to Forefront Security for Exchange Server resources are described in the following table.

Resource type   Resource                     ACL set
File            <Installation path>          SYSTEM: Full Access; Administrators group: Full Access; Network Service: Read
File            "Data" folder                SYSTEM: Full Access; Administrators group: Full Access; Network Service: Full Access
Registry        HKLM/Software/xxxxx/xxxxx    SYSTEM: Full Access; Administrators group: Full Access; Network Service: Read
DCOM                                         SYSTEM: Full Access; Administrators group: Full Access; Network Service: Read
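As an added example that is not part of this guide, the following PowerShell lists the Allow entries on the file and registry resources named in the table and flags any identity outside the documented set (SYSTEM, Administrators, Network Service), or a Network Service entry that exceeds the documented Read access. It assumes the default installation path shown elsewhere in this guide and, because the registry subkey in the table is masked (xxxxx), uses the FSE key path documented under Registry keys; the DCOM row has no path in the table and is not checked.

```powershell
# Added example, not from the Forefront guide: compare the ACLs on FSE
# resources with the documented ACL set. Read-only; changes nothing.

# Assumed default installation path (from this guide); adjust if FSE was
# installed elsewhere. The registry path is the documented 64-bit FSE key.
$installPath = 'C:\Program Files(x86)\Microsoft Forefront Security\Exchange Server'
$expectedAcls = @(
    @{ Path = $installPath;                  NetworkService = 'Read' }
    @{ Path = (Join-Path $installPath 'Data'); NetworkService = 'FullControl' }
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server'
       NetworkService = 'Read' }
)

# The only identities the documented table grants access to.
$documentedIdentities = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT AUTHORITY\NETWORK SERVICE'
)

function Test-FseAcl {
    param([hashtable[]]$Expectations = $expectedAcls)

    foreach ($e in $Expectations) {
        if (-not (Test-Path -Path $e.Path)) {
            Write-Warning "Resource not found, skipped: $($e.Path)"
            continue
        }
        $acl = Get-Acl -Path $e.Path

        foreach ($ace in $acl.Access) {
            # Deny entries never widen access; only Allow entries matter here.
            if ($ace.AccessControlType -ne 'Allow') { continue }

            $identity = $ace.IdentityReference.Value
            # File ACEs expose FileSystemRights, registry ACEs RegistryRights.
            $rights = if ($ace.PSObject.Properties['FileSystemRights']) {
                          $ace.FileSystemRights
                      } else {
                          $ace.RegistryRights
                      }

            $finding = ''
            if ($documentedIdentities -notcontains $identity) {
                $finding = 'REVIEW: identity not in the documented ACL set'
            } elseif ($identity -eq 'NT AUTHORITY\NETWORK SERVICE' -and
                      $e.NetworkService -eq 'Read' -and
                      "$rights" -match 'FullControl|Modify|Write|ChangePermissions|TakeOwnership') {
                $finding = 'REVIEW: Network Service has more than the documented Read access'
            }

            [pscustomobject]@{
                Resource  = $e.Path
                Identity  = $identity
                Rights    = "$rights"
                Inherited = $ace.IsInherited
                Finding   = $finding
            }
        }
    }
}

Test-FseAcl | Format-Table Resource, Identity, Rights, Inherited, Finding -AutoSize -Wrap
```

Inherited entries (for example a Users entry inherited from Program Files) will appear with Inherited set to True; compare those against your build standard rather than treating every REVIEW line as a deviation from the installer's own ACLs.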
present or it is present and its value is not zero, messages that cause a scan job time-out will be quarantined. If the registry value is present and its value is zero, the message will not be quarantined.
Delete Corrupted Compressed Files. The default setting for the General Option DeleteCorruptedCompressedFiles has been changed from Off to On. Files identified as corrupted are quarantined. If you do not want to quarantine these files, you may create a new registry setting named QuarantineCorruptedCompressedFiles to override quarantine. The DWORD value must be created and set to 0.
Illegal MIME Header Action. The General Option Illegal MIME Header Action has been added. When this option is enabled, Forefront Security for Exchange Server deletes messages that are malformed or that carry multiple headers that make the interpretation of the message ambiguous. Among the headers checked for duplicates and malformation are the content-type, content-disposition, and content-transfer-encoding headers. This option is On by default.