
User's Guide

Microsoft Forefront Server Security for SharePoint 2007


Microsoft Corporation Published: December, 2006

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft Corporation may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft Corporation, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2006 Microsoft Corporation. All rights reserved. Microsoft, ActiveX, Excel, Forefront, Internet Explorer, Outlook, PowerPoint, Visio, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners. Review the Microsoft Forefront Security Privacy Statement at the Microsoft Forefront Security Web site.

Contents
SharePoint Introduction
Components
Installing Forefront Security for SharePoint
System Requirements
Minimum Server Requirements
Minimum Workstation Requirements
Installing on a Local Server
Installing on a Remote Server
Installing to Multiple Servers
Administrator-Only Installation
Upgrading
Hot Upgrade
Applying SharePoint Service Packs and Hotfixes
Relocating Forefront Security for SharePoint Data Files
Uninstalling Forefront Security for SharePoint
Evaluation Version
Forefront Security for SharePoint Services
FSCController
FSSPController
Disabling Forefront Security for SharePoint Services
Disabling Forefront Security for SharePoint Using the Services Control Manager
Securing the Service
Disabling or Enabling Scan Jobs
Disabling Scan Jobs Locally
Enabling Scan Jobs Locally
Disabling Scan Jobs Remotely
Enabling Scan Jobs Remotely
Engine Parameters
SharePoint Forefront Server Security Administrator
Launching the Forefront Server Security Administrator
Connecting to a Local Server
Connecting to a Remote Server
Connecting to a Different Server
Read-Only Administrator
Forefront Server Security Administrator User Interface
Shuttle Navigator
General Options
Diagnostics
Logging
Scanner Updates
Scanning
SharePoint Multiple Scan Engines
Engine Rankings
Bias Setting
Bias Setting Choices
Bias Setting Example
Configuring the Bias Setting
Cleaning Infected Files
SharePoint Manual Scan Job
Configuring the Manual Scan Job
Scan Job Settings
Configuring the Engines
Running the Manual Scan Job Immediately
Scheduling a Manual Scan Job
Viewing Results
Send Summary Notification
Quick Scan
SharePoint Realtime Scan Job
Configuring the Realtime Scan Job
Scan Job Settings
Realtime Antivirus Configuration Settings
Configuring the Engines
Running the Realtime Scan Job
Viewing Results
SharePoint Scan Recovery
SharePoint Templates
Template Uses
Creating Templates
Associating a New Template With a Scan Job
Modifying Templates
Modifying Default File Scanner Update Templates
Modifying Notification Templates
Using Named Templates
Deploying Templates With FSCStarter
Deploying Templates Remotely
SharePoint File Filtering
Creating a File Filter
Matching Patterns in the File Name With Wildcard Characters
Detecting Files of a Particular Type
File Types Selection
Detecting Files by File Size
Enabling the Filter
Action
Realtime Scan Job Actions
Manual Scan Job Actions
Limiting Compressed File Scanning
Send Notifications
Quarantine Files
Deletion Text
Editing a File Filter
Filter Lists
Importing Items Into a Filter List
Associating a Filter List With a Scan Job
Viewing Filter List Contents
Editing a Filter List
Filter Sets for File Filters
Configuring a Filter Set
Associating a Filter Set With a Scan Job
Editing a Filter Set
Deleting a Filter Set
Renaming a Filter Set
Deploying Filters to Remote Servers
International Character Sets
SharePoint Keyword Filtering
Creating New Keyword Filter Lists
Keyword List Syntax Rules
Enabling a Keyword Filter
Action
Notify Administrator
Quarantine
Minimum Unique Keyword Hits
Viewing Keyword List Contents
Editing a Keyword List
Case Sensitive Filtering
International Character Sets
Event Notifications
Forefront Security for SharePoint Notification Web Parts
Configuring Notifications
Notification Roles
Default Notification Roles
Enabling or Disabling a Notification
Editing a Notification
Keyword Substitution Macros
Deleting Notifications
SharePoint Reporting and Statistics
Incidents Log
VirusLog.txt
Forefront Security for SharePoint Incidents
Event Statistics
Resetting Statistics
Other Incidents Database Tasks
Quarantine
Quarantine Database Tables
Viewing the Quarantine Log
ExtractFiles Tool
Retrieving a Database
Other Quarantine Database Tasks
Clearing the Databases
Clearing the Incidents Database
Clearing the Quarantine Database
Exporting Database Items
Saving Database Items to Disk
Purging Database Items
Filtering Database Views
Wildcard Characters for Filtering
Moving the Databases
Windows Event Viewer
Performance Monitor
Reinstalling Forefront Security for SharePoint
Performance Counters
SharePoint File Scanner Updating
Automatic File Scanner Updating
Scheduling an Update
Scheduling Updates on Multiple Servers
Update Now
Scanner Information
Manifest.cab
Update on Load
Distributing Updates
Engine Update Notifications
Using the New File Scanner
Updating Through a Proxy
SharePoint Troubleshooting
Diagnostics
Technical Support
Forefront Security Tool
Disabling and Enabling Forefront Security for SharePoint
SharePoint Registry Keys
SharePoint Keyword Macros
SharePoint File Types List
Forefront Security Diagnostic Tool
Information Collected
Running the Forefront Security Diagnostic Tool

SharePoint Introduction
Microsoft SharePoint Products and Technologies, a premier groupware solution, also permit viruses to proliferate rapidly throughout an organization. In SharePoint Products and Technologies, viruses can exist in documents saved in the various content sources, which may include public folders, workspaces, and Web sites, but traditional antivirus technology cannot monitor or scan the contents of these diverse storage units. SharePoint environments require an antivirus solution that can prevent the spread of viruses by scanning all documents in real time as they are accessed or stored while not impacting server performance.

Microsoft Forefront Security for SharePoint (FSSP) is the solution for the SharePoint virus problem. Forefront for SharePoint is designed to protect servers running Microsoft Office SharePoint Portal Server 2007 or Microsoft Windows SharePoint Services 2007. Both versions run on either the 32-bit or 64-bit version of the SharePoint server and have identical functionality.

The configuration data for the Forefront for SharePoint Realtime Scan is stored in the SharePoint Portal Server or Windows SharePoint Services configuration database, and not in a separate Forefront for SharePoint database. This means that you can access the configuration data from either the Microsoft Forefront Server Security Administrator or from the SharePoint Administrator.

Forefront for SharePoint also supports the Microsoft Forefront Server Security Management Console (FSSMC). The FSSMC provides administrators with central installation and reporting functionality.

Components
Forefront Service: Acts as the configuration and monitoring agent on the server to which the Forefront Server Administrator connects.
Forefront Server Security Administrator: Used to configure and run Forefront for SharePoint locally or remotely.

Installing Forefront Security for SharePoint


Forefront Security for SharePoint (FSSP) supports local and remote installations. The setup wizards can be used to install the product to a local SharePoint Portal Server or Windows SharePoint Services site, to a remote SharePoint Portal Server or Windows SharePoint Services site, or as an Administrator-only installation to a local workstation.

The Virus Scanning Application Programming Interface (VSAPI) hook dynamic-link library (DLL) will be loaded into the W3wp.exe process (World Wide Web Publishing Service) address space and any applications using the SharePoint object model.

Important: All of these processes should be stopped prior to installation or upgrade of Forefront Security for SharePoint. A remote install will exit if any of the applications are using the Forefront Security for SharePoint VSAPI DLL.

Important: To provide the MAPI interface necessary for the proper parsing of message bodies in .msg files or TNEF-encoded messages, you must also install a MAPI Client on the SharePoint server. You may install Microsoft Outlook on the server to provide the required functionality.

System Requirements
The following are the minimum server and workstation requirements for Forefront Security for SharePoint.

Minimum Server Requirements


The following are the minimum server requirements:
- Dual-processor computer with 1 gigabyte (GB) of available memory (2 GB is recommended) and a clock speed of 2.5 gigahertz (GHz)
- Microsoft Windows Server 2003 (Standard, Enterprise, Datacenter, or Web Edition), with Service Pack 1
- Microsoft Windows Workflow Foundation Runtime Components
- Microsoft .NET Framework 2.0
- Internet Information Services (IIS) in IIS 6.0 worker process isolation mode
- NTFS file system
- Microsoft Office SharePoint Server 2007 or Microsoft Windows SharePoint Services version 3
- 550 megabytes (MB) of available disk space
- Intel processor, or equivalent
- MAPI client, such as Microsoft Outlook, to provide the MAPI interface necessary for the proper parsing of message bodies in .msg files or TNEF-encoded messages

Minimum Workstation Requirements


The following are the minimum requirements for Administrator-only installs:
- Microsoft Windows 2000 Professional, Microsoft Windows Server 2003, or Microsoft Windows XP Professional
- 6 MB of available memory
- 10 MB of available disk space
- Intel processor, or equivalent

Installing on a Local Server


Forefront for SharePoint is always installed on your SharePoint front-end or stand-alone server. To install Forefront Security for SharePoint on a local SharePoint Portal Server computer or on a computer running Windows SharePoint Services (formerly known as SharePoint Team Services), you will need to log on to the local computer using an account that has administrator rights (so that Setup can perform necessary service registrations).

FSSP uses Hot Upgrade technology, which allows first-time installs of FSSP on SharePoint or Windows SharePoint Services servers to be performed without stopping and restarting the SharePoint or Windows SharePoint Services services.

To install Forefront Security for SharePoint on a local SharePoint server
1. Run the Setup.exe file, which is available on your CD image or from the self-extracting package available at the Microsoft Volume Licensing Download Center.
2. Follow the initial setup dialog boxes until you are prompted by the Installation Location dialog box. Select Local Installation.
3. Select Client - Admin console only. At this point, Setup will verify that SharePoint Portal Server or Windows SharePoint Services is installed.
4. When the Engines dialog box appears, select those engines that you want installed. The Microsoft AV engine is always installed. You should select four others. Four engines have been randomly selected for you, but you may change that selection to any four you desire. If you select fewer than four, you receive a warning, but the installation continues. You cannot select more than four.
5. Choose the destination directory. Default: C:\Program Files\Microsoft Forefront Security\SharePoint
6. Choose the Start Menu program folder. Default: Forefront Security for SharePoint
7. Enter the account to be used for remote SharePoint database access. This account must be a member of the local Administrators group on which SharePoint Portal Server is installed (one who is a local administrator on the web server or who has System Administrator rights on the database server). The user name must be entered in the following format: <domain or server name\user name>
8. After installation is complete, Setup can stop and restart the SharePoint services automatically, if necessary. Click Next to have Setup perform this step or click Skip to manually perform this step at a later time.
9. As in most installations, Setup updates shared Microsoft files on your computer. If you are prompted to restart the computer, you do not have to do that immediately, but it may be necessary for certain FSSP features to work correctly.
10. View the ReadMe file.

Installing on a Remote Server


To install Forefront Security for SharePoint on a remote SharePoint Portal Server computer or on a computer that has Windows SharePoint Services, you need to log on to your local computer using an account that has administrator rights to the remote computer. This is necessary for Setup to be able to perform service registrations.

Note: Since the SMB protocol is used to copy the service to the remote server, you should ensure that you are working over a secure network.

To install Forefront Security for SharePoint on a remote SharePoint server
1. Run the Setup.exe file, which is available on your CD image or from the self-extracting package available at the Microsoft Volume Licensing Download Center. The installation process begins automatically.
2. Proceed with the setup until you are prompted by the Installation Location dialog box. Select Remote Installation/Uninstallation. If FSSP is already installed on the remote SharePoint Portal Server or Windows SharePoint Services computer, the install process can automatically stop the SharePoint services, uninstall FSSP, and restart the SharePoint services prior to beginning the new installation. Enter the following information:
   Server Name. The name of the remote computer on which you are installing FSSP.
   Share Directory. The temporary location that the remote install will use while setting up FSSP. The default is C$.
   At this point, Setup will determine if SharePoint Portal Server or Windows SharePoint Services is installed on the remote computer.
3. When the Engines dialog box appears, select those engines that you want installed. The Microsoft AV engine is always installed. You should select four others. Four engines have been randomly selected for you, but you may change that selection to any four you desire. If you select fewer than four, you will receive a warning, but the installation will continue. You cannot select more than four.
4. Select the Destination Directory and Start Menu folder name.
5. Enter the account to be used for remote SharePoint database access. This account must be a member of the local Administrators group on which SharePoint Portal Server is installed (one who is a local administrator on the web server or who has System Administrator rights on the database server). The user name must be entered in the following format: <domain or server name\user name>
6. After installation is complete, Setup can stop and restart the SharePoint services automatically. This must be done for FSSP to become active. Click Next to have Setup perform this step, or click Skip to manually perform this step at a later time.
7. As in most installations, Setup updates shared Microsoft files on your computer. If Setup prompts you to restart your computer, you do not have to do that immediately, but it may be necessary for certain FSSP features to work correctly.

Note: Upon installation, Forefront Security for SharePoint is configured to allow everyone access to FSCController. To change the security settings to restrict access to FSCController, you need to use DCOMCNFG to modify the security settings. For more information about securing access to FSCController, see Forefront Security for SharePoint Services.

Installing to Multiple Servers


The Microsoft Forefront Server Security Management Console (FSSMC) should be used to install Forefront Security for SharePoint to multiple SharePoint servers. For complete installation instructions, see the Microsoft Forefront Server Security Management Console User Guide.

Administrator-Only Installation
An Administrator-only installation places only the Forefront Server Security Administrator onto any Windows workstation or server. The Forefront Server Security Administrator can then be used to centrally manage the FSSP service running on remote SharePoint servers. An Administrator-only installation requires approximately 11 MB of disk space.

To install the Administrator only
1. Run the Setup.exe file, which is available on your CD image or from the self-extracting package available at the Microsoft Volume Licensing Download Center. The installation process begins automatically.
2. Proceed with the setup until you are prompted by the Installation Location dialog box. Select Local Installation.
3. Select Administrator - Admin Console Only.
4. Indicate the installation directory. Default: C:\Program Files\Microsoft Forefront Security\SharePoint
5. Indicate the Start Menu program folder. Default: Forefront Security for SharePoint

Upgrading
The install program detects previous installations of FSSP. Local and remote installs provide the option of uninstalling the previous version or upgrading it. Upgrading an installation only requires that you provide the password for the user account that the FSSP services run under. (For security reasons, FSSP does not store this.) When you upgrade, FSSP retains all of your previous settings, and additional features may be added, based on your environment.

Note: When upgrading Forefront Security for SharePoint, all scan jobs have their template settings configured to none, to prevent users from inadvertently overwriting existing settings. To deploy templates, you need to change this setting on each server to default or a named template. For more information about configuring scan job template settings, see SharePoint Templates.

Hot Upgrade
The Microsoft Hot Upgrade technology allows you to apply most upgrades to FSSP without the need to stop or recycle the SharePoint services. However, if critical files need to be upgraded, the services must be recycled after the upgrade. In that case, you are given the opportunity to recycle the services after the upgrade or stop the upgrade if you do not want the services to be recycled at that time.

Applying SharePoint Service Packs and Hotfixes


To install a SharePoint service pack or hotfix
1. Stop SharePoint services and any FSSP services that might still be running after SharePoint services are stopped.
2. From a command prompt, run the FSCUtility command (found in the FSSP install folder) to unhook FSSP from SharePoint services. The syntax is:
fscutility /disable
3. Install the SharePoint service pack or hotfix.
4. Start SharePoint services and verify that all services are working.
5. Stop all SharePoint services once again.
6. From a command prompt, run the FSCUtility command again to enable the FSSP services. The syntax is:
fscutility /enable
7. Start SharePoint services.

Relocating Forefront Security for SharePoint Data Files


Forefront Security for SharePoint stores program settings, as well as scanning activity information (including the Quarantine Area), on the file system. If you want, you may relocate the database files at any time after installation. For more information about relocating the database files, see Moving the Databases.

Uninstalling Forefront Security for SharePoint


Forefront Security for SharePoint is uninstalled locally, using the Add or Remove Programs tool in Control Panel. FSSP can also be uninstalled remotely with the Forefront Server Security Management Console. Complete instructions for the use of the FSSMC can be found in the Microsoft Forefront Server Security Management Console User Guide.

Evaluation Version
Microsoft provides a fully functional version of Forefront Security for SharePoint for a 120-day evaluation. If you have a product key and enter it during installation, the product becomes a fully licensed subscription version. If not, it remains an evaluation version. After 120 days, the evaluation version of FSSP will continue to operate and report detected files. It will, however, cease to clean files. Keyword filters will be set to Skip: Detect Only. To subsequently convert an evaluation version to a subscription version, enter a product key using the Forefront Server Security Administrator, by selecting Product Activation from the Help menu.


Forefront Security for SharePoint Services


The Forefront Security for SharePoint Services are the components that run on the SharePoint server and control all back-end functionality of FSSP. They service requests from the Forefront Server Security Administrator, control the scanning processes, generate notifications, and store virus incident data to disk. FSSP services are not installed in an Administrator-only installation.

FSCController
The Forefront Server Security Administrator connects to FSCController on a server to configure and monitor Forefront Security for SharePoint activities. FSCController, therefore, acts as the agent on that server, and coordinates all real-time and manual scanning activities. The FSCController startup type defaults to automatic. The Schedule service becomes a dependency of FSCController and must be operating properly for FSCController to initialize. There is no benefit from starting or stopping FSCController independently of the Microsoft SharePoint services.

FSSPController
FSSPController is the agent responsible for communicating with the SharePoint SQL Server databases. This service runs under the account used by the SharePoint Administration service. You will be requested to enter the account information during the install process.

Note: The account used must be a member of the local Administrators group on the server on which SharePoint Portal Server is installed.

Disabling Forefront Security for SharePoint Services


The FSSP services can be disabled using the Windows Services Control Manager.


Disabling Forefront Security for SharePoint Using the Services Control Manager
To disable the FSSP services, open the Windows Services Control Manager. Click Start, click Control Panel, click Administrative Tools, click Services, and then right-click FSSPController. Select Stop to disable the service.

Caution: If the Forefront Security for SharePoint Service is disabled, traffic will continue to flow but will no longer be scanned.

Securing the Service


The FSSP service utilizes DCOM to launch and authenticate Forefront Server Security Administrator connections. You can build an access list of authorized users who can connect to FSCController utilizing the Forefront Server Security Administrator.

To build an access list of authorized users
1. Open a Command Prompt window.
2. Enter DCOMCNFG. The Component Services dialog box appears.
3. Expand Component Services.
4. Expand Computers.
5. Right-click My Computer. A shortcut menu appears.
6. Select Properties. The My Computer Properties dialog box appears.
7. Click the COM Security tab.
8. Click Edit Limits in the Access Permissions section. The Access Permissions dialog box appears.
9. Add users and configure their permissions to control who has rights to access the FSSP service, launch the FSSP service, or change the DCOM configuration.

Disabling or Enabling Scan Jobs


To update an engine manually, without recycling the SharePoint services, you can disable or enable all FSSP scan jobs locally or remotely by using FSCStarter.exe from the command line. When you disable the scan jobs, all the engines will be unloaded, allowing you to manually swap an engine DLL. When you then enable the scan jobs, you can add an engine parameter to instruct FSSP to update that engine's last checked and last updated fields, and update the Engine Version Number in the Forefront Server Security Administrator.

Caution: When you disable all scan jobs, Forefront Security for SharePoint will halt data flow for ten minutes. After that time, data flow will be resumed, but no scanning will take place.

Disabling Scan Jobs Locally


To disable all scan jobs, open a Command Prompt window and use FSCStarter with the d parameter (which disables all scan jobs and causes them to unload their engines):
fscstarter d

Enabling Scan Jobs Locally


To enable all the scan jobs again, open a Command Prompt window and use FSCStarter with the e and n parameters:
fscstarter en

The e parameter enables all scan jobs and causes them to reload their engines. The n parameter is a number, representing the engine that you just manually updated. (For more information, see the Engine Parameters list.) This method is for use when manually updating an engine signature file. Forefront Security for SharePoint merely updates the user interface information to reflect the changes made to the engines. This example enables the scan jobs and updates the VirusBuster Antivirus Scan Engine information:
fscstarter e512

Disabling Scan Jobs Remotely


To disable the scan jobs on a remote computer, open a Command Prompt window and use FSCStarter with the d parameter (which disables all scan jobs and causes them to unload their engines), followed by the remote server name (preceded by a backslash):
fscstarter d \RemoteServerName


Enabling Scan Jobs Remotely


To enable the scan jobs again on a remote computer, open a Command Prompt window and use FSCStarter with the e and n parameters, followed by the remote server name (preceded by a backslash):
fscstarter en \RemoteServerName

The e parameter enables all scan jobs and causes them to reload their engines. The n parameter is a number, representing the engine that you just manually updated. (For more information, see the Engine Parameters list.) This method is for use when manually updating an engine signature file. Forefront Security for SharePoint merely updates the user interface information to reflect the changes made to the engines. This example enables the scan jobs and updates the VirusBuster Antivirus Scan Engine information on a remote server called Server42:
fscstarter e512 \Server42

Engine Parameters
The engine parameter value is used with FSCStarter to enable a scan job. Each value represents a different vendor or product, as follows:
1 = Norman Virus Control
2 = Microsoft Antimalware Engine
8 = Sophos Virus Detection Engine
16 = CA InoculateIT
32 = CA Vet
64 = Authentium Command Antivirus Engine
128 = AhnLab Antivirus Scan Engine
256 = Forefront Security Worm List
512 = VirusBuster Antivirus Scan Engine
2048 = Kaspersky Antivirus Technology
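The disable, swap, enable sequence from the preceding sections, wrapped in a PowerShell script as an added example (this is not code from the guide or from the product). It assumes fscstarter.exe sits in the default install directory and returns a non-zero exit code on failure; the function names and the SwapAction parameter are my own.

```powershell
# Added example, not code from the Forefront Security for SharePoint guide.
# Wraps the manual engine-update procedure: FSCStarter d (unload all engines),
# the operator's own file swap, then FSCStarter e<n> so that the Administrator
# shows the engine's new version and last checked / last updated fields.
# Assumptions: fscstarter.exe is in the default install directory and sets a
# non-zero exit code on failure; the function names are mine.

# Engine parameter values as listed in the guide.
$EngineParameters = @{
    'Norman Virus Control'                = 1
    'Microsoft Antimalware Engine'        = 2
    'Sophos Virus Detection Engine'       = 8
    'CA InoculateIT'                      = 16
    'CA Vet'                              = 32
    'Authentium Command Antivirus Engine' = 64
    'AhnLab Antivirus Scan Engine'        = 128
    'Forefront Security Worm List'        = 256
    'VirusBuster Antivirus Scan Engine'   = 512
    'Kaspersky Antivirus Technology'      = 2048
}

function Invoke-FscStarter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Argument,  # 'd', or 'e' followed by the engine value
        [string] $Server,                           # omit for the local server
        [string] $InstallDir = 'C:\Program Files\Microsoft Forefront Security\SharePoint'
    )
    $exe = Join-Path -Path $InstallDir -ChildPath 'fscstarter.exe'
    if (-not (Test-Path -Path $exe)) { throw "fscstarter.exe not found at $exe" }
    $argList = @($Argument)
    # Remote form from the guide: the server name preceded by a backslash.
    if ($Server) { $argList += ('\' + $Server) }
    Write-Verbose "Running: $exe $($argList -join ' ')"
    & $exe @argList
    if ($LASTEXITCODE -ne 0) {
        throw "fscstarter $($argList -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Update-FsspEngineManually {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]      $EngineName,
        [Parameter(Mandatory)] [scriptblock] $SwapAction,  # copies the vendor's new engine files
        [string] $Server
    )
    if (-not $EngineParameters.ContainsKey($EngineName)) {
        throw "Unknown engine '$EngineName'. Known engines: $($EngineParameters.Keys -join ', ')"
    }
    $value = $EngineParameters[$EngineName]

    # 1. Disable all scan jobs so every engine DLL is unloaded. The guide warns
    #    that data flow halts for ten minutes and then resumes unscanned, so the
    #    swap below should be quick.
    Invoke-FscStarter -Argument 'd' -Server $Server
    try {
        # 2. The operator's own copy of the updated engine files.
        & $SwapAction
    }
    finally {
        # 3. Re-enable scan jobs and name the changed engine ('e' + value), even
        #    if the swap failed, so the server is never left unscanned.
        Invoke-FscStarter -Argument ('e' + $value) -Server $Server
    }
}

# Sample call (constructed), matching the guide's VirusBuster-on-Server42 example:
# Update-FsspEngineManually -EngineName 'VirusBuster Antivirus Scan Engine' -Server 'Server42' `
#     -SwapAction { <# copy the vendor-supplied engine files into place here #> }
```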


SharePoint Forefront Server Security Administrator


The Forefront Server Security Administrator is used to configure and run FSSP, locally or remotely. For the Forefront Server Security Administrator to launch successfully, FSCController and the SharePoint server must be running on the computer to which the Forefront Server Security Administrator is connecting. Because the Forefront Server Security Administrator is the front end of the FSSP software, it can be launched and closed without affecting the back-end processes that are being performed by the FSSP services.

The Forefront Server Security Administrator may also be run in a read-only mode to provide access to users who do not have permission to change settings or run jobs, but who may need to view information provided through the user interface. (For more information, see Read-Only Administrator.)

Important: For users running Microsoft Windows XP Service Pack 2 (SP2), due to default security settings in Windows XP SP2, the Forefront Server Security Administrator will not run properly when first installed.

To enable the Forefront Server Security Administrator to run on Windows XP SP2
1. Click Start, click Run, and enter dcomcnfg. The Component Services dialog box appears.
2. Expand Component Services, expand Computers, and then right-click My Computer.
3. Select Properties, and then select the COM Security tab.
4. Click Edit Limits under Access Permissions, and then select the Allow check box for Remote Access for the Anonymous Logon user.
5. Add the Forefront Server Security Administrator application to the Windows Firewall Exceptions list:
   a. Open Control Panel, and then select Security Center.
   b. Select Windows Firewall. The Windows Firewall dialog box appears.
   c. Select the Exceptions tab.
   d. Click Add Program, select Forefront Server Security Administrator from the list, and then click OK. This adds the Forefront Server Security Administrator to the Programs and Services list.
   e. Select the Forefront Server Security Administrator in the Programs and Services list.
   f. Click Add Port.
   g. Enter a name for the port.
   h. Enter 135 as the port number.
   i. Select TCP as the protocol.
   j. Click OK.

Note: If you are concerned about opening port 135 to all computers, it can be opened only for the Forefront servers. When adding port 135, click Change Scope and select Custom list. Enter the IP addresses of all the Forefront servers that should be allowed access through port 135.

Launching the Forefront Server Security Administrator


To run the Forefront Server Security Administrator, click Start, expand Programs, expand Microsoft Forefront Security Server, expand SharePoint Security, and then select Forefront Server Security Administrator. Or, you can launch it from a command prompt.

To launch Forefront Server Security Administrator (FSSAClient) from a command prompt
1. Open a Command Prompt window.
2. Navigate to the Forefront Security for SharePoint install directory. Default: C:\Program Files\Microsoft Forefront Security\SharePoint
3. Enter fssaclient.exe.

Connecting to a Local Server


The first time the Forefront Server Security Administrator is launched, the Connect To Server dialog box appears, prompting you to connect to the SharePoint server running on the local computer. The local server name is filled in by default. (You could also enter the local alias.)

Connecting to a Remote Server


The Forefront Server Security Administrator can also be connected to a remote SharePoint server running FSSP. This allows you to use a single installation of the Forefront Server Security Administrator to configure and control FSSP throughout the network. If the server you are connecting to is in a different domain, you must ensure that the FSSPController is using a valid user ID that has permissions to access the server in that domain.

To connect to a remote server, enter the server name, IP address, or Domain Name System (DNS) name of the remote computer into the Connect To Server dialog box (which appears whenever the Forefront Server Security Administrator is started). Instead of entering an identifier for the remote computer, you can click Browse to display the Select Server dialog box, in which you can select any of the servers that FSSP has detected. If the Forefront Server Security Administrator is already running, you can connect to a remote server using the procedure in Connecting to a Different Server.

Note: If you have problems connecting the Forefront Server Security Administrator to the SharePoint server, try using the PING command to test for server availability. If the server is available, be sure that no other Forefront Server Security Administrators are currently connected to it.

Connecting to a Different Server


To connect to a different server, select the Open command from the Forefront Server Security Administrator File menu. The Connect To Server dialog box appears. Enter the name of another server running FSSP, select one that you have connected to before from the drop-down list, or click Browse to attach to a server you have never before connected to. You can also use the Server list at the top of the Forefront Server Security Administrator dialog box to quickly reconnect to a server.

Read-Only Administrator
The Forefront Server Security Administrator may be run in a read-only mode. To do so, the administrator will need to modify the NTFS permissions on the FSSP install directory to allow modify access only to those users with permission to change FSSP settings. By default, the FSSP install directory is C:\Program Files\Microsoft Forefront Security\SharePoint. Its actual value can be found in DatabasePath in one of these registry keys:

For 32-bit systems: HKLM\Software\Microsoft\Forefront Server Security\SharePoint
For 64-bit systems: HKLM\Software\Wow6432Node\Microsoft\Forefront Server Security\SharePoint

To ensure proper configuration, first remove modify access for all users and then set modify access only for users that are allowed to change Forefront Security for SharePoint settings. When a user without modify access opens the Forefront Server Security Administrator, it shows Read-Only at the top and does not allow any configuration changes. Because read-only mode is enforced by the file system permissions rather than by a separate FSSP role, any account that retains modify access to the install directory can still change settings.

Forefront Server Security Administrator User Interface


The Forefront Server Security Administrator user interface contains the Shuttle Navigator on the left and the work panes on the right.


Shuttle Navigator
The Shuttle Navigator is divided into several areas:
SETTINGS: Configure scan jobs, antivirus settings, scanner updates, templates, and General Options. For more information, see General Options.
FILTERING: Configure keyword filtering, file filtering, and filter lists.
OPERATE: Configure jobs, schedule jobs, and perform Quick Scans.
REPORT: Configure notifications. View incidents and the quarantine area.

General Options
General Options, accessed from the SETTINGS shuttle, provides access to a variety of system-level settings for Forefront Security for SharePoint, eliminating the need to directly access the registry to change them.

Although there are many options that can be controlled through the General Options panel, each of them has a default (enabled, disabled, or a value) that is probably the correct one for your enterprise. It is rare that any of these settings would need to be changed. However, several of the settings were entered during installation and you might need to change one of them from time to time. The General Options work pane is divided into several sections: Diagnostics, Logging, Scanner Updates, and Scanning.

Diagnostics
Additional Manual: Logs every file scanned by the manual scanner.
Additional Realtime: Logs every file scanned by the realtime scanner.
Notify on Startup: Indicates that FSSP should send a notification to all the e-mail addresses listed in the Virus Administrators list (Realtime Scan, Email) whenever the Realtime Scan Job starts. Only SMTP addresses may be used. (For more information about setting up notifications to Administrators, see Event Notifications.)

Logging
Enable Event Log: Enables the logging of FSSP events to the event log. Enabled by default.
Enable Performance Monitor and Statistics: Enables the logging of FSSP performance statistics in Performance Monitor. Enabled by default.
Enable Forefront Program Log: Enables the FSSP program log (ProgramLog.txt). Enabled by default.
Enable Forefront Virus Log: Enables the FSSP virus log (VirusLog.txt). Disabled by default.
Max Program Log Size: Specifies the maximum size of the program log, expressed in kilobytes (KB). The smallest non-zero value is 512 KB. A value of 0 (the default) indicates that there is no limit on the size of the program log.

For more information about the log files and Performance Monitor, see SharePoint Reporting and Statistics.

Scanner Updates
Redistribution Server: Indicates that this server will be the central hub that distributes scanner updates to other servers. (For more information, see Distributing Updates.)
Perform Updates at Startup: Indicates that engines should be automatically updated every time FSSP is started.
Send Update Notification: Sends a notification to the Virus Administrator each time a scan engine is updated. (For more information about setting up notifications to Administrators, see Event Notifications.)
Use Proxy Settings: Indicates that proxy settings are to be used. (For more information, see Updating Through a Proxy.)
Use UNC Credentials: Indicates that UNC credentials are needed. (For more information, see Distributing Updates.)
Proxy Server Name/IP Address: Indicates the name or IP address of the proxy server. Required if using proxy settings.
Proxy Port: Indicates the port number that Forefront Security for SharePoint should use. Required if using proxy settings. The default is port 80.
Proxy Username: Indicates the name of a user with access rights to the proxy server, if necessary. Optional field.
Proxy Password: Indicates the appropriate password for the proxy user name, if necessary. Optional field.
UNC Username: Indicates the name of a user with access rights to the UNC path, if necessary. Optional field.
UNC Password: Indicates the appropriate password for the UNC user name, if necessary. Optional field.

For more information about updating the scan engines, see SharePoint File Scanner Updating.

Scanning
Block/Delete Corrupted Compressed Files: Indicates whether compressed files that are corrupted are deleted or blocked, depending on the Action settings for the Realtime and Manual Scan Jobs. They are reported as a CorruptedCompressedFile virus. Enabled by default.

Block/Delete Corrupted Uuencode Files: Indicates whether UUENCODE files that are corrupted are deleted or blocked, depending on the Action settings for the Realtime and Manual Scan Jobs. They are reported as a CorruptedCompressedUuencodeFile virus. Enabled by default.

Block/Delete Encrypted Compressed Files: Indicates whether encrypted compressed files are deleted or blocked, depending on the Action settings for the Realtime and Manual Scan Jobs. (Encrypted files cannot be scanned by AV scan engines, so clearing this option lets content through that no engine has inspected.) They are reported as an EncryptedCompressedFile virus.

Scan Doc Files As Containers - Manual: Specifies that the Manual Scan Job should scan .doc files and any other files that use structured storage and the OLE embedded data format (for example, .xls, .ppt, or .shs) as container files. This ensures that any embedded files are scanned as potential virus carriers.

Scan Doc Files As Containers - Realtime: Specifies that the Realtime Scan Job should scan .doc files and any other files that use structured storage and the OLE embedded data format (for example, .xls, .ppt, or .shs) as container files. This ensures that any embedded files are scanned as potential virus carriers.

Note: When a Microsoft Office file (PowerPoint, Access, Excel, or Word document) is embedded in another Office file, its data is included as part of the original Office file. These are not scanned as individual files. If, however, another file type (such as .exe) is embedded in one of these files that is then embedded in an Office file, it will be detected and scanned as a separate file. (The .exe extension, however, is still visible because the icon is a GIF file that cannot be deleted. If you click the file, the icon is replaced with the correct TXT icon.)

Case Sensitive Keyword Filtering: Specifies that keyword filtering should be case-sensitive. Filtering is not case-sensitive by default.

Scan on Scanner Update: Indicates that previously scanned files should be re-scanned when accessed following a scanner update.

Forefront Manual Priority: Specifies the priority of manual scans: Normal (the default), Below Normal, or Low. This lets more important jobs take precedence over manual scans when demands on server resources are high.

Note: When the Manual Scan Priority is set to Low, the Manual Scan Job may not stop immediately when you click STOP in the Run Job work pane.

Max Container File Infections: Specifies the maximum number of infections allowed in a compressed file. If this is exceeded, the entire file is deleted and FSSP sends a notification stating that an ExceedinglyInfected virus was found. A value of zero means that there is no limit on the number of infections that can be detected. The default value is 5 infections.

Max Container File Size: Specifies the maximum container file size (in bytes) that FSSP will attempt to clean or repair in the event that it discovers an infected file. The default is 26,214,400 bytes (about 26 MB). Files larger than the maximum size are deleted if they are infected or meet File Filter rules. Forefront Security for SharePoint reports these deleted files as a LargeInfectedContainerFile virus.

Max Nested Attachments: Specifies the limit for the maximum nested documents that can appear in MSG, TNEF, MIME, and UUENCODE documents. The limit is the sum of the nestings of all of these types. If the maximum number is exceeded, FSSP blocks or deletes the document and reports that an ExceedinglyInfected virus was found. The default is 30.

Max Nested Compressed Files: Specifies the maximum nesting depth for a compressed file. If this is exceeded, the entire file is deleted and FSSP sends a notification stating that an ExceedinglyNested virus was found. A value of zero means that unlimited nesting is allowed, which leaves only the scan-time limits below as protection against deeply nested archives. The default is 5.

Max Container Scan Time - Realtime: Specifies the number of milliseconds (msec) that FSSP will scan a compressed attachment before reporting it as a ScanTimeExceeded virus in real-time scans. Intended to prevent the denial-of-service risk from "zip of death" attacks. The default value is 600,000 msec (ten minutes).

Max Container Scan Time - Manual: Specifies the number of milliseconds that FSSP will scan a compressed attachment before reporting it as a ScanTimeExceeded virus in manual scans. Intended to prevent the denial-of-service risk from "zip of death" attacks. The default value is 600,000 msec (ten minutes).
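The container limits above (nesting depth, infection count, container size, scan time, and the corrupted and encrypted cases) are easiest to understand as one walk over an archive that stops at the first limit it trips. The following Python is an added illustration written for this guide, not FSSP code: it models those limits for zip files only, uses the General Options defaults, and stands in a trivial EICAR-string match for the real AV engines. The archives it scans are constructed in the block itself, including one whose encrypted flag is set by patching the zip headers by hand, so that the EncryptedCompressedFile path can be exercised offline.

```python
import io
import time
import zipfile
import zlib

# Limits mirror the General Options defaults listed above.
# 0 means "no limit" for nesting depth and infection count, as the guide says.
DEFAULT_POLICY = {
    "max_nested_compressed": 5,
    "max_container_infections": 5,
    "max_container_size_bytes": 26_214_400,
    "max_scan_time_ms": 600_000,
    "block_corrupted": True,
    "block_encrypted": True,
}

# Constructed stand-in for the AV engines: it "detects" only the EICAR test string.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def engine_detects(payload: bytes) -> bool:
    return EICAR in payload


def scan_container(data: bytes, policy: dict = DEFAULT_POLICY) -> str:
    """Return 'Clean', 'Infected', or the FSSP-style detection name for a zip."""
    state = {"infections": 0,
             "deadline": time.monotonic() + policy["max_scan_time_ms"] / 1000.0}
    verdict = _walk(data, 1, state, policy)
    if verdict:
        return verdict
    if state["infections"] == 0:
        return "Clean"
    limit = policy["max_container_size_bytes"]
    if limit and len(data) > limit:
        # Too large to attempt a clean/repair: the guide says such files are deleted.
        return "LargeInfectedContainerFile"
    return "Infected"


def _walk(data: bytes, depth: int, state: dict, policy: dict):
    limit = policy["max_nested_compressed"]
    if limit and depth > limit:
        return "ExceedinglyNested"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "CorruptedCompressedFile" if policy["block_corrupted"] else None
    for info in zf.infolist():
        if time.monotonic() >= state["deadline"]:
            return "ScanTimeExceeded"          # the "zip of death" guard
        if info.flag_bits & 0x1:              # general-purpose bit 0 = encrypted entry
            if policy["block_encrypted"]:
                return "EncryptedCompressedFile"
            continue                          # cannot be scanned; passes through
        try:
            payload = zf.read(info)
        except (zipfile.BadZipFile, zlib.error):
            return "CorruptedCompressedFile" if policy["block_corrupted"] else None
        if zipfile.is_zipfile(io.BytesIO(payload)):
            verdict = _walk(payload, depth + 1, state, policy)
            if verdict:
                return verdict
        elif engine_detects(payload):
            state["infections"] += 1
            cap = policy["max_container_infections"]
            if cap and state["infections"] > cap:
                return "ExceedinglyInfected"
    return None


# --- constructed sample archives -------------------------------------------

def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def nested_zip(payload: bytes, levels: int) -> bytes:
    """Wrap payload in `levels` zip files, one inside the other."""
    data = payload
    for i in range(levels):
        data = make_zip({("inner.bin" if i == 0 else f"level{i}.zip"): data})
    return data


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag bit on a single-entry zip (local and central headers)."""
    b = bytearray(zip_bytes)
    b[6] |= 0x1                               # local file header: flag bits at offset 6
    central = b.find(b"PK\x01\x02")
    b[central + 8] |= 0x1                     # central directory entry: flag bits at offset 8
    return bytes(b)


if __name__ == "__main__":
    print(scan_container(nested_zip(b"hello", 5)))                       # Clean
    print(scan_container(nested_zip(b"hello", 6)))                       # ExceedinglyNested
    print(scan_container(make_zip({f"e{i}": EICAR for i in range(6)})))  # ExceedinglyInfected
    print(scan_container(mark_encrypted(make_zip({"x": b"x"}))))         # EncryptedCompressedFile
    print(scan_container(make_zip({"x": b"x"})[:-30]))                   # CorruptedCompressedFile
```

The depth check runs before the archive is even opened, and the time check runs per entry, so a deeply nested or slow-to-inflate archive is rejected without being fully expanded; that ordering is what makes the limits useful against a zip bomb rather than merely descriptive of one.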

SharePoint Multiple Scan Engines


With Forefront Security for SharePoint, you have the ability to employ multiple scan engines (up to five) to detect and clean viruses. Multiple engines provide extra security by allowing you to draw upon the expertise of various virus labs to keep your environments virus-free. A virus may slip by one engine, but it is unlikely to get past three. Multiple engines also allow for a variety of scanning methods. Forefront Security for SharePoint integrates antivirus scan engines that use heuristic scanning methods with ones that use signatures. For more information about individual scan engines, visit each engine vendor's Web site. Links are provided at Microsoft Help and Support. All the scan engines that FSSP integrates have been certified by at least one of the following organizations: West Coast Labs, ICSA Labs, or Virus Bulletin.

Multiple engines are easy to configure. You need only select which engines you would like to use for a scan job and indicate the bias setting. (For more information, see Bias Setting.) These two settings (both on the Antivirus Settings work pane) allow the Forefront Security for SharePoint Multiple Engine Manager (MEM) to properly control the selected engines during the scan job. MEM uses the engine results to decide the likelihood that a particular message or file contains a virus. If any of the engines used in a scan detect something, FSSP considers the item infected and has MEM deal with it accordingly. (For more information, see Cleaning Infected Files.)

Engine Rankings
MEM uses the results from each engine as part of its engine ranking process. MEM ranks each engine based on its past performance and its age. This information allows MEM to weight each engine so that better performing ones are used more during scanning, and their results are given more weight in determining if a file is infected. This ensures that the most up-to-date and best performing engines have more influence in the scanning process. If two or more engines are equally ranked, FSSP invokes them by cycling through various engine order permutations.

Bias Setting
The bias setting controls how many engines are needed to provide you with an acceptable probability that your system is protected (realizing that there is a trade-off between virtual certainty and system performance). The more engines you use, the greater the probability that all viruses will be caught. However, the more engines you use, the greater the impact on your system's performance. Thus, at one extreme is the number of engines to use for maximum certainty. The other extreme is the number of engines that will allow maximum performance. In between is the number of engines that permit balanced (called neutral) performance. This will probably be your optimal setting. You can have a different bias setting on different servers, depending on your needs. For example, you might want to use only a single engine on a heavily loaded server, to maximize its performance, and several engines on servers where performance is not as critical.

Note: The bias setting only applies to virus scanning. It is not used in file filtering.

Bias Setting Choices


There are several possible bias settings. Each scan (other than one with a bias setting of Maximum Certainty) independently selects the engines to use.

Maximum Performance: Scans each item with only one of the selected engines. This gives the fastest performance, but the least certainty.
Favor Performance: Fluctuates between scanning each item with one of the selected engines and half of them.
Neutral: Scans each item with at least half of the selected engines.
Favor Certainty: Fluctuates between scanning each item with half of the selected engines and all of them.
Maximum Certainty: Scans each item with all of the selected engines. This gives the slowest performance, but the greatest certainty.

Bias Setting Example


Assuming you select five engines (the maximum you can use), the following table shows how each of the bias settings uses the engines in virus scanning.

Bias setting: Description
Maximum Performance: Each item is virus-scanned by only one of the selected engines.
Favor Performance: Fluctuates between virus scanning each item with one and three engines.
Neutral: Each item is virus-scanned by at least three engines.
Favor Certainty: Fluctuates between virus scanning each item with three and five engines.
Maximum Certainty: Each item is virus-scanned by all five of the selected engines.

Configuring the Bias Setting


The bias setting is indicated in the Antivirus Settings work pane.

To indicate the bias setting
1. Select Antivirus in the SETTINGS shuttle. The Antivirus Settings work pane appears.
2. Select a scan job from the Job List in the top pane of the work pane.
3. Indicate the bias setting by using the Bias field in the lower pane. (The values are those discussed in Bias Setting Choices.) To find out more about the other fields on the Antivirus Settings work pane, see SharePoint Manual Scan Job and SharePoint Realtime Scan Job.
4. Click Save to save your choices.

Cleaning Infected Files


The first engine that detected an infected file attempts to clean it. If that attempt is unsuccessful, the next engine in line makes an attempt. If all the engines that detected the infection fail to clean it, the item is deleted.
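To make the engine-selection, ranking and cleaning rules from SharePoint Multiple Scan Engines through Cleaning Infected Files concrete, here is an added Python model; it is illustrative code for this guide, not MEM or any vendor engine. The engines are constructed: each knows a set of byte signatures, can repair a subset of them, and carries a signature age and a past-hit count that stand in for the "age" and "past performance" inputs the guide mentions. Assumptions beyond the page: "half" of the selected engines is rounded up (so that half of five is three, matching the table above), Neutral is modelled as exactly half, and the tie-breaking permutation cycling is omitted.

```python
import math
import random
from dataclasses import dataclass

DELETION_TEXT = b"[file removed by antivirus scanner: constructed deletion text]"

BIAS_SETTINGS = ("Maximum Performance", "Favor Performance", "Neutral",
                 "Favor Certainty", "Maximum Certainty")


@dataclass
class Engine:
    """Constructed stand-in for a vendor engine (not a real engine API)."""
    name: str
    signatures: frozenset        # byte patterns this engine knows
    cleanable: frozenset         # subset it can repair in place
    signature_age_days: int      # lower = fresher signatures
    hits: int = 0                # past detections, used for ranking

    def scan(self, payload: bytes) -> bool:
        found = any(sig in payload for sig in self.signatures)
        if found:
            self.hits += 1
        return found

    def clean(self, payload: bytes):
        """Return repaired bytes, or None if a found signature is not repairable."""
        for sig in self.signatures:
            if sig in payload:
                if sig not in self.cleanable:
                    return None
                payload = payload.replace(sig, b"")
        return payload


def engines_for_bias(bias: str, selected: int, rng=random) -> int:
    """How many of the selected engines scan one item under each bias setting."""
    half = math.ceil(selected / 2)          # half of 5 is 3, as in the guide's table
    if bias == "Maximum Performance":
        return 1
    if bias == "Favor Performance":
        return rng.randint(1, half)         # fluctuates between one and half
    if bias == "Neutral":
        return half                         # assumption: exactly half ("at least half")
    if bias == "Favor Certainty":
        return rng.randint(half, selected)  # fluctuates between half and all
    if bias == "Maximum Certainty":
        return selected
    raise ValueError(f"unknown bias setting: {bias}")


def rank(engines):
    """Better-performing (more past hits) and fresher engines first."""
    return sorted(engines, key=lambda e: (-e.hits, e.signature_age_days))


def scan_item(payload: bytes, engines, bias: str, action: str = "Clean", rng=random):
    """Return (result, data); result is Clean, Infected, Cleaned or Deleted."""
    chosen = rank(engines)[:engines_for_bias(bias, len(engines), rng)]
    detectors = [e for e in chosen if e.scan(payload)]
    if not detectors:
        return "Clean", payload             # none of the chosen engines flagged it
    if action == "Skip":
        return "Infected", payload          # detect only; the file stays infected
    if action == "Clean":
        for engine in detectors:            # first detector tries, then the next in line
            fixed = engine.clean(payload)
            if fixed is not None:
                return "Cleaned", fixed
    return "Deleted", DELETION_TEXT         # Delete action, or every clean attempt failed


def build_engines():
    """Five constructed engines: all know <MAL-COMMON>, only E knows <MAL-RARE>."""
    common, rare = b"<MAL-COMMON>", b"<MAL-RARE>"
    return [
        Engine("A", frozenset({common}), frozenset(), 1),
        Engine("B", frozenset({common}), frozenset(), 2),
        Engine("C", frozenset({common}), frozenset({common}), 3),
        Engine("D", frozenset({common}), frozenset(), 4),
        Engine("E", frozenset({common, rare}), frozenset({rare}), 5),
    ]


if __name__ == "__main__":
    print(scan_item(b"x<MAL-RARE>y", build_engines(), "Maximum Performance"))  # ('Clean', ...) - missed
    print(scan_item(b"x<MAL-RARE>y", build_engines(), "Maximum Certainty"))    # ('Cleaned', b'xy')
    print(scan_item(b"a<MAL-COMMON>b", build_engines(), "Maximum Performance")) # ('Deleted', ...)
```

The first call is the "a virus may slip by one engine" case: under Maximum Performance only the top-ranked engine runs, and it does not know the rare signature. The last call shows the clean chain ending in deletion when the only detecting engine cannot repair the file.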

SharePoint Manual Scan Job


Forefront Security for SharePoint allows you to customize the Manual Scan Job to scan newly added document libraries or to perform periodic scans of the entire environment. The Manual Scan Job is also useful for scanning with a different scan engine from the ones in use by the Realtime Scan Job. We recommend that you do a full manual scan after installing FSSP for the first time.

Note: When Forefront Security for SharePoint cleans an infected file that has been checked into a document library, the file extension is not changed. For example: If the file Eicar.com is detected, the contents are removed and replaced with the deletion text, but the file extension remains .com rather than being changed to Eicar.txt. (For more information, see Deletion Text.) If the same file is cleaned while it is nested inside a compressed file, however, the extension is changed to .txt.

Configuring the Manual Scan Job


Configure the Manual Scan Job using the Scan Job Settings and Antivirus Settings work panes. For more information about configuring the Manual Scan Job, see Scan Job Settings and Configuring the Engines.

Scan Job Settings


To configure the Manual Scan Job, select Scan Job in the SETTINGS shuttle of the Forefront Server Security Administrator. The Scan Job Settings work pane appears. The top pane of the Scan Job Settings work pane shows the Job List, a list of configurable scan jobs. The bottom pane shows a tree view of the document libraries that can be scanned.

To configure the Manual Scan Job
1. Select the Manual Scan Job in the Job List.
2. Select the document libraries to be scanned in the tree view. Forefront Security for SharePoint offers complete flexibility in choosing which document libraries to scan in any scan job. You can configure scan jobs to include all existing document libraries, or you can build an inclusion list from available document libraries. Use the tree view in the bottom pane of the Scan Job Settings work pane to locate folders and files for scanning. The tree displays all the sites, folders, and files for the currently connected SharePoint server. You can select any sites, folders, or files to be manually scanned by checking specific ones or by using the buttons beneath the tree view:
All: Select all the files or folders displayed in the tree.
None: Clear all the files or folders displayed in the tree.
Find: Search for a particular folder or file.
Browse: Open a selected folder in the Web browser (to visually check that it is the one you want to manually scan).
Refresh: Update the tree.

3. Modify the deletion text, if desired. (For more information, see Deletion Text.) Clicking Deletion Text displays the text used by Forefront Security for SharePoint when replacing the contents of an infected file during a Delete operation. You may modify this text to place a custom message inside the deleted file attachments. Forefront Security for SharePoint provides keywords that can be used in the Deletion Text field to obtain information from the file in which the infection was found. For a list of available keywords, see Keyword Macros.

Configuring the Engines


Configure the Manual Scan Job with the engines to use, the Bias setting, and the Action.

Note: To configure scan jobs, administrators must log on to the SharePoint server using an account that has SharePoint Administrative rights. Otherwise, the Antivirus Settings work pane will be disabled.

To configure the engines
1. Click Antivirus in the SETTINGS shuttle. The Antivirus Settings work pane appears.
2. Select the Manual Scan Job in the Job List in the top pane.
3. Select the engines to use for the scan job, from the list of available File Scanners. All the engines are listed, and the five you chose at installation are initially selected by default. (Although you may only use a maximum of five engines, you may use any five. You are not limited to the ones you selected during the installation.) To run jobs that only perform file filtering, disable all the scanners (by clearing their check boxes).
Note: If you have the maximum of five engines selected and you want to change the ones used, clear the check boxes of unwanted engines before selecting new ones. You may only have a maximum of five engines selected at a time.
4. Select a Bias setting for the scan job. For more information about bias settings, see SharePoint Multiple Scan Engines.
5. Select the Action for FSSP to perform when it detects a virus:
Skip: detect only. Make no attempt to clean or delete the infection. Viruses will be reported, but the files will remain infected.
Clean: repair document. Attempt to replace the infected file with a clean version. If unsuccessful, the file will be deleted and the deletion text will be sent in its place. (For more information, see Deletion Text.)
Delete: remove infection. Delete the file without attempting to clean the infection. The deletion text will be sent in place of the file. (For more information, see Deletion Text.)
Note: Due to SharePoint restrictions, if Forefront Security for SharePoint deletes a file that has been checked in to a SharePoint document library, the file icon and extension will remain the same, but the contents will be replaced with the deletion text. (For more information, see Deletion Text.)
6. Enable or disable e-mail notifications for the Manual Scan Job by using the Send Notifications field. This setting does not affect reporting to the Virus Incidents or Scan Job log. Notifications are disabled by default.
7. Enable or disable saving files detected by the file scanning engines by using the Quarantine Files field. Quarantine is enabled by default.
8. Click Save to save your choices.

To perform scans as quickly and efficiently as possible, FSSP normally scans only those files that can potentially contain viruses. It does this by first determining the file type and then by determining if that file type can be infected with a virus. The file type is determined by looking at the file header and not by looking at the file extension. This is a much more secure method because file extensions can be easily spoofed. This pre-scan check increases Forefront Security for SharePoint performance, while making sure no potentially infected file attachments pass without being scanned. If you would like all attachments to be scanned, no matter what the type, set the ScanAllAttachments registry key to 1. The registry key can be found at:
For 32-bit systems: HKLM\Software\Microsoft\Forefront Server Security\SharePoint
For 64-bit systems: HKLM\Software\Wow6432Node\Microsoft\Forefront Server Security\SharePoint
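The header-before-extension rule in the pre-scan check is worth seeing against a spoofed file. The following Python is an added example for this guide, not FSSP's type-detection code: it classifies a file by a small constructed table of magic numbers, decides whether to scan it, and flags a name whose extension disagrees with the header. Which types count as unable to carry a virus is an assumption of the example (only plain text here); the guide does not publish FSSP's list. The scan_all_attachments flag plays the role of ScanAllAttachments=1.

```python
import string

# Constructed magic-number table for a few formats that matter to a file scanner.
MAGIC = (
    (b"MZ", "executable"),                                   # DOS/PE executables
    (b"\x7fELF", "executable"),
    (b"PK\x03\x04", "zip container"),                        # also Office 2007 .docx etc.
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE structured storage"),  # .doc/.xls/.ppt
    (b"%PDF-", "pdf"),
)

# Assumption for this example: only plain text is treated as unable to carry a virus.
NOT_INFECTABLE = {"plain text"}

# What an extension claims to be; used only to report spoofing, never to decide scanning.
EXT_KINDS = {
    "exe": "executable", "dll": "executable", "zip": "zip container",
    "doc": "OLE structured storage", "xls": "OLE structured storage",
    "ppt": "OLE structured storage", "pdf": "pdf", "txt": "plain text",
}

_TEXT_BYTES = set(string.printable.encode())


def sniff_type(data: bytes) -> str:
    """Classify by the leading bytes of the file, never by its name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    if data and all(b in _TEXT_BYTES for b in data[:4096]):
        return "plain text"
    return "unknown"                    # unknown headers are scanned (conservative default)


def _extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def pre_scan_check(filename: str, data: bytes, scan_all_attachments: bool = False):
    """Return (scan_it, reason). scan_all_attachments mirrors ScanAllAttachments=1."""
    kind = sniff_type(data)
    ext = _extension(filename)
    if scan_all_attachments:
        return True, f"ScanAllAttachments=1: scanned regardless of type (header says {kind})"
    if kind in NOT_INFECTABLE:
        return False, f"header says {kind}; extension '.{ext}' ignored"
    return True, f"header says {kind}; extension '.{ext}' ignored"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims a type the header does not confirm (spoofing)."""
    expected = EXT_KINDS.get(_extension(filename))
    return expected is not None and expected != sniff_type(data)


if __name__ == "__main__":
    # Constructed samples: a PE stub renamed to .txt, and a text file named .exe.
    pe_stub = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24
    print(pre_scan_check("quarterly.txt", pe_stub))        # (True, 'header says executable ...')
    print(extension_mismatch("quarterly.txt", pe_stub))    # True
    print(pre_scan_check("notes.exe", b"just a note\n"))   # (False, 'header says plain text ...')
    print(pre_scan_check("notes.exe", b"just a note\n", scan_all_attachments=True))  # (True, ...)
```

The renamed executable is scanned because its header says so, and the text file named .exe is skipped under the default policy but scanned once the ScanAllAttachments equivalent is on; the extension only ever feeds the mismatch report.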

Running the Manual Scan Job Immediately


After you have indicated all the settings for the Manual Scan Job, you may either run it immediately or schedule it to run at a later time. To schedule it, see Scheduling a Manual Scan Job.

To run the Manual Scan Job immediately
1. Select Run Job in the OPERATE shuttle. The Run Job work pane appears. The top pane contains the Job List, a list of scan jobs that can be started, paused, or stopped. The bottom pane shows the status and results of the currently selected scan job.
2. Select the Manual Scan Job in the Job List. The Job List shows whether the Manual Scan Job is running, paused, or stopped, and if it is performing virus scans, file filtering, or keyword filtering.
3. Indicate whether the Manual Scan Job should perform virus scanning, file filtering, or keyword filtering, by means of the check boxes below the Job List. You can specify any combination of these. Any change to these settings will be implemented immediately, even if the job is currently running.
4. Indicate whether to send an e-mail message to the designated Virus Administrators after the completion of the manual scan, by selecting Send Summary Notification. For more information, see Send Summary Notification.
5. Start the Manual Scan Job by clicking the Start button. (There are also buttons to Pause and Stop the Manual Scan Job.)
Note: When the Manual Scan Priority is set to Low, the Manual Scan Job may not halt immediately when Stop is selected.
6. View the results of the scan. For more information, see Viewing Results.

Scheduling a Manual Scan Job


After you have indicated all the settings for the Manual Scan Job, you may either run it immediately or schedule it to run at a later time. To run it immediately, see Running the Manual Scan Job Immediately.

To schedule a Manual Scan Job
1. Select Schedule Job in the OPERATE shuttle. The Schedule Job work pane appears. The top pane contains the Job List, a list of scan jobs that can be scheduled. The bottom pane shows the current schedule for the selected scan job.
2. Select the Manual Scan Job in the Job List.
3. Enable the Manual Scan Job. To the right of the Job List are Enable and Disable buttons. Select the Manual Scan Job and click Enable (to have the job run at its scheduled date and time) or Disable (to prevent a scheduled job from running). You can verify that the scheduled job is enabled by opening a Command Prompt window and typing AT. When a scheduled job is enabled, it appears in the AT list until it has run or been disabled.
4. Use the calendar to set the date for the Manual Scan Job to run. Today's date is indicated in red. The scheduled run date is indicated in blue.
5. Set a time for the Manual Scan Job to run on the chosen date.
6. Set the frequency of the Manual Scan Job. You can select:
Once. For a single run.
Daily. To have the job run at the same time every day.
Weekly. To have the job run on the same day and at the same time every week.
Monthly. To have the job run on the same date and at the same time every month.


Viewing Results
The lower pane of the Run Job work pane displays the infections or filtered results found by the currently selected job. These results are stored to disk by the Forefront Security for SharePoint Service and are not dependent on the Forefront Server Security Administrator remaining open. The database files can be cleared when no longer needed. For more information, see Clearing the Databases. Note: When a new document library is created, SharePoint services creates resource file folders that contain files needed for the proper functioning of SharePoint services. FSSP scans these folders and the results are reflected in the manual scan statistics. This results in several hundred extra files being reported as scanned.

Send Summary Notification


If you have specified that an e-mail message should be sent to the designated Virus Administrators after the completion of a manual scan, it will include:
Total Physical Documents Scanned
Total Physical Documents Detected
Total Physical Documents Cleaned
Total Physical Documents Deleted
Total Logical Documents Scanned
Total Logical Documents Detected
Total Logical Documents Cleaned
Total Logical Documents Deleted

Quick Scan
There are times when you need to scan a single document library or run a special one-time virus scanning job. Quick Scan allows you to perform this task efficiently by combining both the configuration and operation features of a single Manual Scan Job in a single work pane.

To run Quick Scan
1. Select Quick Scan in the OPERATE shuttle of the Forefront Server Security Administrator. The Quick Scan work pane appears. The top left pane shows a tree view of the document libraries that can be scanned (as detailed in Scan Job Settings). The top right pane contains the list of File Scanners, the bias setting, the Action, Send Notifications, and Quarantine Files (as detailed in Configuring the Engines). There are no Save or Cancel buttons. Any changes you make are automatically saved and will be used to populate the various fields the next time you invoke the Quick Scan.
2. Make any desired changes to the Quick Scan job configuration.
3. Click Start to run the scan. After the job has started, you can Stop or Pause it by clicking the appropriate button.

SharePoint Realtime Scan Job


The Realtime Scan Job runs on the SharePoint server to provide immediate scanning of all files that are uploaded to or downloaded from it. When users upload or download documents using a Web browser or any application that uses the SharePoint 2007 Object Model, the VSAPI hooking DLL will send the documents to FSSP for scanning. This method of scanning file transfers in real time is the most effective method for stopping the spread of infectious files. Forefront Security for SharePoint can support up to ten real-time processes. (The default is three.) You may change the number of realtime processes by changing the value of the RealtimeProcessCount registry key to the number of FFSCCRealtime processes you would like to run on the SharePoint server. For more information about this setting, see SharePoint Registry Keys. Additional real-time processes, beyond the default three, may impact server performance. Note: When FSSP cleans an infected file that has been checked into a document library, the file extension is not changed. For example: If the file Eicar.com is detected, the contents are removed and replaced with the deletion text, but the file extension remains .com rather than being changed to Eicar.txt. (For more information, see Deletion Text.) If the same file is cleaned while it is nested inside a compressed file, however, the extension is changed to .txt.


Configuring the Realtime Scan Job


The Realtime Scan Job can be configured with scan job settings, antivirus settings, and run-time settings. For more information, see Scan Job Settings, Configuring the Engines, and Running the Realtime Scan Job.

Scan Job Settings


To customize the Realtime Scan Job, select Scan Job in the SETTINGS shuttle of the Forefront Server Security Administrator. The Scan Job Settings work pane appears.

Note: You can also modify these SharePoint 2007 AV settings through Configure Antivirus Settings in the SharePoint Central Administration site of SharePoint Server 2007.

The top pane of the Scan Job Settings work pane shows the Job List, which is a list of configurable scan jobs. The bottom pane allows you to specify the options to be used while scanning. You can also edit the deletion text, used when the contents of an infected file are deleted. (For more information, see Deletion Text.)

To configure the Realtime Scan Job
1. Select Scan Job in the SETTINGS shuttle. The Scan Job Settings work pane appears.
2. Select the Realtime Scan Job in the Job List.
3. Make any needed changes to the Realtime antivirus configuration settings. For more information, see Realtime Antivirus Configuration Settings.
4. Modify the deletion text, if desired. Clicking Deletion Text displays the text used by FSSP when replacing the contents of an infected file during a Delete operation. You may modify this text to place a custom message inside the deleted file attachments. Forefront Security for SharePoint provides keywords that can be used in the Deletion Text field to obtain information from the file in which the infection was found. For a list of available keywords, see SharePoint Keyword Macros.
5. Configure the engines for the scan. For information, see Configuring the Engines.


Realtime Antivirus Configuration Settings


On the Scan Job work pane, select the Realtime Scan Job and make any needed changes to the Realtime antivirus configuration settings.

Note: All the settings on this screen are read-only. Below them, there is a link to the SharePoint Administration site, so that you can make your changes using the SharePoint user interface.

Scan documents on upload: Scans documents being uploaded to SharePoint Portal Server. Enabled by default.
Scan documents on download: Scans documents being downloaded from SharePoint Portal Server. Enabled by default.
Allow users to download infected documents: Allows users to download infected documents. If left cleared, all infected documents are blocked. Disabled by default.
Attempt to clean infected documents: Allows FSSP to clean infected documents, if possible. If FSSP is unable to clean an infected file, it is reported as infected and SharePoint Portal Server blocks the file. If the infected file is nested, FSSP removes the infected nested file (if it cannot be cleaned). If this option is cleared, Forefront Security for SharePoint marks detected files as infected and SharePoint Portal Server blocks them. Enabled by default.
Time out scanning after ___ seconds: The number of seconds the VSAPI scanning interface continues to scan a document before timing out. The default is 600 seconds (ten minutes).
Allow scanner to use up to ___ threads: The number of scanning threads the VSAPI scanning interface runs simultaneously. The default of 10 simultaneous threads is also the maximum.

If Scan Documents on Upload and Scan Documents on Download are both cleared, the Realtime Scan Job and its Attempt to Clean Infected Documents setting are both disabled. When Attempt to Clean Infected Documents is selected, the Action for the Realtime Scan Job is set to Clean. Finally, if the Realtime Scan Job is disabled in the Run Job dialog box, Scan Documents on Upload and Scan Documents on Download are cleared and all the other settings, except Allow Users to Download Infected Documents, are disabled.

Configuring the Engines


Configure the Realtime Scan Job with the engines to use, the Bias setting, and the Action.

Note: To configure FSSP scan jobs, administrators must log on to the SharePoint server using an account that has SharePoint Administrative rights. Otherwise, the Antivirus Settings work pane will be disabled.

To configure the engines
1. Click Antivirus in the SETTINGS shuttle. The Antivirus Settings work pane appears.
   a. Select the Realtime Scan Job in the Job List in the top pane.
   b. Select the engines to use for the scan job, from the list of available File Scanners. All the engines are listed, and the five you chose at installation are initially selected by default. (Although you may only use a maximum of five engines, you may use any five. You are not limited to the ones you selected during the installation.) To run jobs that only perform file filtering, disable all the scanners (by clearing their check boxes).
   Note: If you have the maximum of five engines selected and you want to change the ones used, clear the check boxes of unwanted engines before selecting new ones. You may only have a maximum of five engines selected at a time.
2. Select a Bias setting for the scan job. For more information about bias settings, see Multiple Scan Engines.
3. Select the Action for FSSP to perform when it detects a virus.

   Skip: detect only
       Make no attempt to clean or delete the infection. Viruses will be reported, but the files will remain infected.

   Clean: repair document
       Attempt to replace the infected file with a clean version. If unsuccessful, the file will be deleted and the deletion text will be sent in its place. For more information, see Deletion Text.
       Note: This option is only available if Attempt to clean infected documents is selected in Scan Job Settings.

   Block: prevent transfer
       If FSSP identifies a file as infected, it will be blocked from being uploaded or downloaded. The user will receive a SharePoint message that the file was infected and could not be uploaded or downloaded.

   Note: Due to SharePoint restrictions, if FSSP deletes a file that has been checked in to a SharePoint document library, the file icon and extension remain the same, but the content is replaced with text as previously described.
4. Enable or disable e-mail notifications for the Realtime Scan Job by using the Send Notifications field. This setting does not affect reporting to the Virus Incidents or Scan Job log. Notifications are disabled by default.
5. Enable or disable saving files detected by the file scanning engines by using the Quarantine Files field. Quarantining is enabled by default.
6. To perform scans as quickly and efficiently as possible, FSSP normally scans only those files that can potentially contain viruses. It does this by first determining the file type and then by determining if that file type can be infected with a virus. The file type is determined by looking at the file header and not by looking at the file extension. This is a much more secure method because file extensions can be easily spoofed. This pre-scan check increases Forefront Security for SharePoint performance, while making sure no potentially infected file attachments pass without being scanned. If you want all attachments to be scanned, no matter what the type, set the ScanAllAttachments registry key to 1. The registry key can be found at:
   For 32-bit systems: HKLM\Software\Microsoft\Forefront Server Security\SharePoint
   For 64-bit systems: HKLM\Software\Wow6432Node\Microsoft\Forefront Server Security\SharePoint

Running the Realtime Scan Job


After you have indicated all the settings for the Realtime Scan Job, you must enable it.

To run the Realtime Scan Job
1. Select Run Job in the OPERATE shuttle. The Run Job work pane appears. The top pane contains the Job List, which is a list of scan jobs that can be enabled or disabled. The bottom pane shows the status and results of the currently selected scan job.
2. Select the Realtime Scan Job in the Job List. The Job List shows, at a glance, if the Realtime Scan Job is enabled or disabled, and if it is performing virus scans, file filtering, or keyword filtering.
3. Select the kind of scanning to take place. The Realtime Scan Job can perform any combination of virus scanning, file filtering, or keyword filtering by means of the check boxes below the Job List. Any change to these settings is implemented immediately, even if the job is currently running.
4. Enable the Realtime Scan Job with the Enable button associated with the Job List.


Viewing Results
The lower pane of the Run Job work pane displays the infections or filtered results found by the currently selected job. These results are stored to disk by the FSSP service and are not dependent on the Forefront Server Security Administrator remaining open. The database files can be cleared when no longer needed. For more information, see Clearing the Databases.

SharePoint Scan Recovery


In the event that the Realtime Scan Job takes longer than a specified amount of time to scan a message (the default is 10 minutes), the process will be terminated and FSSP will attempt to restart it. If successful, scanning resumes and a notification is sent to the administrator stating that the scan job terminated and recovered. If the process cannot be restarted, a notification is sent to the administrator stating that the Realtime Scan Job terminated. In the event of a termination, realtime scanning will not function. (Files will not be scanned.) If you continue to have time-out problems, you can increase the time specified in the RealtimeTimeout registry value. You must create a new DWORD registry value called RealtimeTimeout and set the time, in milliseconds. (For example, 20 minutes would be 1200000 milliseconds.) For more information about registry values, see SharePoint Registry Keys.

SharePoint Templates
When it was installed, Forefront Security for SharePoint created default templates for the various scan jobs, scan engines, and notifications. At installation time, scan jobs were configured to use the values in the default templates. You can create additional templates for File Filter and Keyword Filter settings, as well as additional scan jobs, as needed. (These are called named templates.) Templates are useful for controlling the configuration of Forefront Security for SharePoint on multiple servers from a central location and the configuration of scan jobs and other functions at installation. Templates are stored in the Template.fdb file, which initially contains the following default templates:
Scan job templates, which include Realtime and Manual Scan Job templates.
Notification templates for each of the notification categories. (For more information, see Event Notifications.)
Scanner update templates for each scan engine that is installed on the current system.

Note: Only the primary network update path field (and not the secondary network update path) of a file scanner update template will be modified when the template is deployed to a server.

To deploy templates to remote computers after an upgrade, you must set FSSP on the target server to use default templates or named templates for configuring the scan job settings. (For more information, see Using Named Templates and Deploying Templates Remotely.)

To view templates in the Forefront Server Security Administrator, click File, click Templates, and then click View Templates. This will cause the default and named templates to be displayed in the various work panes.

Template Uses
Templates are used for two purposes:

Controlling configuration settings of all FSSP servers from a single location.
After the Template.fdb file is created, the Microsoft Forefront Server Security Management Console (FSSMC) can be used to copy and activate the template settings on multiple FSSP servers throughout your organization. Templates can be deployed simultaneously to multiple FSSP servers, and their settings can be applied to currently running scan jobs without the need to stop or restart any services. (For information about how to use the FSSMC to deploy templates, see the Microsoft Forefront Server Security Management Console User Guide.)

Controlling the configuration of scan jobs at installation time.
The settings for all the scan jobs are contained in the file Scanjobs.fdb. If it is not present when the FSSP service starts, a new one is created, based on the values in the Template.fdb file. If the Template.fdb file does not exist, a new one is created, based on the values in the Scanjobs.fdb file. If neither exists, new ones are created using default values. Thus, by deliberately deleting one of these files, you can force its reconstruction based on the values contained in the other one. By including templates in your install images, you can configure your remote servers at the time of installation.


Creating Templates
To use named templates, you must create them and associate them with jobs.

To create a new template (called a named template)
1. Select Templates from the SETTINGS shuttle of the Forefront Server Security Administrator. The Template Settings work pane appears.
2. Click File, click Templates, and then click View Templates to have templates displayed in the Job List. If you have many templates, you may prefer to keep them hidden normally, to simplify the display.
3. Click File, click Templates, and then click New. The New Template work pane appears.
4. Select the Type of template you want to create (Realtime, Manual, or Filter Set).
5. Give the template a Name, and then click OK. The new template is created and becomes a choice in the Template list in the bottom pane of the Template Settings work pane.
6. Select the scan job (in the Job List) with which the template is to be associated. Note that if none of the scan jobs is selected in the Job List, the Template list is not active.
7. Select your new template in the Template list, and then click Save.
8. Display the appropriate work pane to configure the template (Antivirus, File Filtering, or Keyword Filtering). For example, if you have created a real-time scan job template, select Antivirus in the SETTINGS shuttle, select the new template in the Job List, and then configure it as you would a real-time scan job. Click Save when you are done.
9. Associate the new template with the scan job by following the directions given in Associating a New Template With a Scan Job, or distribute it to remote servers using the Microsoft Forefront Server Security Management Console.
10. Rename or delete a template by selecting it in the Job List. Then, click File, click Templates, and then click Rename or Delete. (You will be asked to confirm a deletion.) You cannot delete or rename a default template.

Note: You cannot create new notification templates. You must modify the default notification template to update Notification settings.

For more information about named templates, see Using Named Templates.

Associating a New Template With a Scan Job


For a scan job to use a template, the scan job and the template must be associated.

To associate a new template with a scan job
1. Select Templates in the SETTINGS shuttle of the Forefront Server Security Administrator.
2. Select the scan job you want to associate with the template you have just created.
3. In the lower pane, select the desired template from the Template list.
4. Click Load From Template.
5. Click Save. The selected scan job's settings will be reconfigured to those in the selected template.

Modifying Templates
There are times when you might want to make changes to an existing template.

To modify an existing template
1. If the templates are not visible, display them. Click File, click Templates, and then click View Templates.
2. Select a work pane with the template to be modified (for example, Scan Job Settings).
3. Select the template to be modified in the Job List.
4. Configure the template as desired, and then click Save.

Note: The default template settings are not changed when scan job settings are changed and saved. To change the settings in a default template, you must follow the steps in Modifying Default File Scanner Update Templates.


Modifying Default File Scanner Update Templates


You may change the primary or secondary update path in the file scanner templates, as well as the update schedule. This is typically only necessary if you are not updating through the standard Microsoft HTTP site.

To configure default file scanner update templates
1. If the templates are not visible, display them. Click File, click Templates, and then click View Templates.
2. Select Scanner Updates from the SETTINGS shuttle. The Scanner Update Settings work pane appears.
3. Select the file scanner template that you want to update. There should be one template for every installed engine.
4. Change the primary or secondary Network Update Path, as desired.
5. Change the date, time, frequency, and repeat interval, if desired.
6. Click Save.

New templates can be deployed locally using the FSCStarter or to remote servers using the Microsoft Forefront Server Security Management Console. (For more information, see Deploying Templates With FSCStarter.)

Modifying Notification Templates


Default notification templates can be used to deploy notification settings to remote servers.

To configure notification templates
1. If the templates are not visible, display them. Click File, click Templates, and then click View Templates.
2. Select Notification in the REPORT shuttle.
3. Select the notification template you would like to modify from the Job List.
4. Edit the template in the bottom pane.
5. Click Save to retain your changes.


Using Named Templates


Forefront Security for SharePoint allows you to use named templates to easily create and manage multiple configurations in your SharePoint environment. If you run different configurations on the servers in your environment, we recommend configuring each server to use a named template as the default for its configuration settings. During installation or upgrade, you can configure all of the named templates that you will need for your environment. For example, if you have twenty servers, divided into four groups of five, you can create named templates for each server group. These templates will contain all of the configuration information for scan jobs, filtering, notifications, and scanner update paths. For ease of use, each template could have the name of the group. Named templates that you create are associated with scan jobs. (For more information, see Creating Templates and Associating a New Template With a Scan Job.) These templates are then distributed to the various servers during the install or upgrade process. (For more information, see Deploying Templates With FSCStarter.) The first time a named template is deployed to a server, it must be associated with a scan job on that server, otherwise the default template is used. You can use the Forefront Server Security Administrator to connect to the computer and make the association. (For more information, see Connecting to a Remote Server.) After you have done this, the scan jobs, filter sets, and notifications always load from the named templates during configuration changes or when you need to deploy global filter settings during a virus outbreak.

Deploying Templates With FSCStarter


New templates can be deployed locally using FSCStarter. FSCStarter provides a command-line method of activating templates on the current server. If you make changes to many templates, you can easily deploy all of them with FSCStarter (as opposed to updating one scan job at a time with the Load From Template button). The syntax of FSCStarter is:
fscstarter t[options] [newtemplatefile.fdb]

The t parameter instructs FSCStarter to read the settings in the Template.fdb file and apply them on the current server. All scan job settings (including filter settings), all filter settings, all notification settings, and all file scanner update paths can be updated. You must insert a space between FSCStarter and the t parameter. However, there is no space between the t parameter and the options.

If the optional newtemplatefile parameter is specified, the file you indicate (by entering its full path) will overlay the current Template.fdb file before any settings are updated.

The following options allow subsets of the template settings file (Template.fdb) to be applied. Enter any combination of the options, in any order, with no spaces. If no options are specified after the t parameter, all settings in the Template.fdb file are updated.

c    Update the Content Filter (Keyword) settings for each scan job.
f    Update the File Filter settings for each scan job.
l    Update the Filter Lists for each scan job.
n    Update the Notification settings with the data in the associated templates.
p    Update the Network Update Paths for all installed file scanners.
s    Update the Scan Job settings with the data found in the associated template type. All Realtime Scan Jobs will be updated with the settings found in the Realtime Scan Job template and all Manual Scan Jobs will be updated with the settings found in the Manual Scan Job template. This includes File Filter and Content Filter settings.

For example, to update the Content Filter settings, the File Filter settings, and the Notification settings, you would enter:
fscstarter tcfn

Before you deploy templates to a server (local or remote), you must ensure that the Forefront Security for SharePoint scan jobs on that server are configured to run from templates. To do so, select Templates on the SETTINGS shuttle. The Template Settings work pane appears. The Template field associated with each scan job should be set to either Default (the default value) or to a named template. (Templates will not be used if the value is None.)

Deploying Templates Remotely


New templates can be deployed to multiple remote servers using the Microsoft Forefront Server Security Management Console (FSSMC). After the FSSMC has distributed the template files to the target server, it launches FSCStarter to install the templates on that server. Before you deploy templates to a server (local or remote), you must ensure that the Forefront Security for SharePoint scan jobs on that server are configured to run from templates. To do so, select Templates on the SETTINGS shuttle. The Template Settings work pane appears. The Template field associated with each scan job should be set to either Default (the default value) or to a named template. (Templates will not be used if the value is None.)

All the templates are stored in the Template.fdb file, so all will be deployed when you use the FSSMC. This is not a problem if all of your servers are configured identically, but if you have multiple configurations in your environment, be sure to distribute the template files that match the configuration of the targeted servers. If you have multiple configurations, it is helpful to configure your servers to use named templates for their settings. This will allow you to easily distribute template files to all your servers without worrying about corrupting configuration settings. For more information about configuring servers at installation time to use named templates, see Using Named Templates. For more information about using the FSSMC to deploy templates, refer to the Microsoft Forefront Server Security Management Console User Guide.

SharePoint File Filtering


The Forefront Security for SharePoint file filter feature gives you the ability to search for files with a specific name, type, or size. The file filter can be configured to perform actions on a matching file, such as deletion, quarantining, notification, and reporting. The file filter offers a flexible means to detect specific files that are being uploaded to or downloaded from the SharePoint server. Additionally, FSSP scans the contents of compressed files for file filtering matches. For example, if you configure a filter to delete all .exe files, FSSP will delete them inside compressed files, while leaving all files that are not .exe files intact. Forefront Security for SharePoint can scan all compressed files and variations of compressed formats (such as PKZIP, WINZIP, or GZIP), with the exception of password-protected compressed files. Forefront Security for SharePoint also scans for files embedded in other container files, such as Word documents.

Creating a File Filter


File filters are used to detect files with specific names. For example, you might want to prevent the file named Resume.doc from being sent or received. To do this, you would create a filter called Resume.doc. Thus, the name of the filter is also its value. Detecting files by name is also useful when there is a new virus outbreak (not yet covered by your virus scanners), and you know the name of the file in which the virus resides. An example of this is the Melissa worm. It resided in a file named List.doc and could have been detected by FSSP via the file filter even before the virus scanners had a signature for it.

To create a new file filter
1. Select File from the FILTERING shuttle. The File Filtering work pane appears.
2. Select a scan job (in the top pane) with which the new file filter should be associated.
3. Click the Names button. All available filters are displayed in the Filter Lists section.
4. Click Add. An entry field appears in the File Names pane.
5. Type the name of the filter (which is the name of a specific file), and then press ENTER. You can use wildcard characters in the name. (For more information, see Matching Patterns in the File Name With Wildcard Characters.) Finally, you can indicate that files of a certain size are to be checked. (For more information, see Detecting Files by File Size.) If you make a mistake typing the name of the filter, select it in the File Names pane, and then click Edit. Fix the mistake, and then press ENTER. To delete a file filter, select it in the File Names pane, and then click Delete.
6. Indicate the File Type. (For more information, see Detecting Files of a Particular Type.)
7. Ensure that the filter is enabled. (For more information, see Enabling the Filter.)
8. Indicate the Action to be taken if the filter is matched. (For more information, see Action.)
9. Indicate if notifications are to be sent. (For more information, see Send Notifications.)
10. Indicate if matched files are to be quarantined. (For more information, see Quarantine Files.)
11. Change the Deletion Text, if desired. (For more information, see Deletion Text.)
12. Click Save to save your work.

Matching Patterns in the File Name With Wildcard Characters


Use wildcard characters to have your filter match patterns in the file name, rather than a specific file name. You can use any of the following to refine your filters:

*
    Used to match any number of characters in a file name. You can use multiple asterisks. The following are some examples of its usage:
    Single: Any of these single wildcard character patterns would detect veryevil.doc: veryevil.*, very*.doc, very*, *il.doc.
    Multiple: Any of these multiple wildcard character patterns would detect eicar.com: e*c*r*om, ei*.*, *car.*.
    Note: Use multiple asterisks to filter file attachments with multiple extensions. For example: love*.*.*

?
    Used to match any single character in a name where a single character may change. For example: virus?.exe would find virusa.exe, virus1.exe, or virus$.exe. However, this filter would not find virus.exe.

[set]
    A list of characters or ranges, enclosed in square brackets [abcdef]. Any single character in the specified set will be matched. For example: klez[a-h].exe would find kleza.exe through klezh.exe.

[^set]
    Used to exclude characters that you know are not used in the file name. For example: klez[^m-z].exe would not find klezm.exe through klezz.exe.

range
    Used to indicate several possible values in a set. It is specified by a starting character, a hyphen (-), and an ending character. For example: klez[ad-gp].exe would match kleza.exe, klezd.exe, klezf.exe, and klezp.exe but not klezb.exe or klezr.exe.

\char
    Indicates that special characters are used literally. (The characters are: * ? [ ] - ^ < >.) The backslash is called an escape character, and indicates that a reserved control character is to be taken literally, as a text character. For example: If you enter *hello*, you would normally expect to match hello anywhere in the file name. If you enter *\*hello\**, you would match *hello*. If you enter *\*hello\?\**, you would match *hello?*.

Note: You must use a \ before each special character.

Detecting Files of a Particular Type


You can use a file filter to detect files based solely on their content type. For example, you can prevent users from accessing or saving .exe files. To do this, create a file filter, as detailed in Creating a File Filter, and associate it with an EXE file type. To screen out all file attachments that are executables (as opposed to only those that happen to have an .exe extension), specify the file name as *.*, and then associate that file name with an EXE file type by selecting EXEFILE from the File Types list. After you create a file filter, the All Types check box is selected by default (in the File Types section). If you know, for example, that you are searching for a Word document, you can clear All Types, and then select DOCFILE from the File Types list. This causes FSSP to work more efficiently. However, if you are not sure of the type, you can add resume.* to the File Names list and leave All Types selected. This will ensure that all files with the name resume will be detected, regardless of their extension or type.


File Types Selection


On the bottom pane of the File Filtering work pane, there is a list of file types that can be associated with the selected File Name. Select one or more file types from the list (or select All Types, located below the list). If the desired file type is not listed, select All Types. (For a description of all the available file types, see File Types List.) Note: If you want to filter Microsoft Excel files, you will need to enter *.xls as the File Name, and then select both WINEXCEL and DOCFILE in the File Type list. Excel 1.x files are WINEXCEL type files but newer versions of Excel are DOCFILE file types.

Detecting Files by File Size


To detect files by size, specify a comparison operator (=, >, <, >=, or <=) and a file size (in KB, MB, or GB). These are placed immediately after the file name.

Note: There should be no spaces between the file name and the operator or between the operator and the file size. File sizes must be entered using the English size keywords KB (for kilobytes), MB (for megabytes), and GB (for gigabytes).

Examples:
*.bmp>=1.2MB    all .bmp files larger than or equal to 1.2 megabytes
*.com>150KB     all .com files larger than 150 kilobytes
*.*>5GB         all files larger than 5 gigabytes
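The following Python is an added illustration, not code from this guide or from the product, of how one file filter entry combines the three rules described in the preceding sections: the wildcard name syntax (Matching Patterns in the File Name With Wildcard Characters), the header-based type check rather than the extension (Detecting Files of a Particular Type), and the size operator from this section. The header signatures, the type names EXEFILE, DOCFILE and ZIPFILE, and case-insensitive name matching are assumptions made for the example.

```python
"""Constructed example of FSSP-style file filter evaluation (not product code).

Models three rules from the guide: wildcard name patterns (* ? [set] [^set]
ranges and \\ escapes), an optional trailing size test such as ">=1.2MB"
(no spaces), and type matching on the file header instead of the extension.
Header signatures, type names and case-insensitive matching are assumptions.
"""
import re

SIZE_UNITS = {'KB': 1024, 'MB': 1024 ** 2, 'GB': 1024 ** 3}
# name pattern, comparison operator, number, unit; nothing may follow the unit
SIZE_RE = re.compile(r'^(.*?)(>=|<=|=|>|<)(\d+(?:\.\d+)?)(KB|MB|GB)$')

# Assumed header signatures (magic bytes -> type name), checked in order.
MAGIC = [
    (b'MZ', 'EXEFILE'),                                # DOS/PE executable
    (b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1', 'DOCFILE'),  # OLE compound document
    (b'PK\x03\x04', 'ZIPFILE'),                        # PKZIP archive
]


def glob_to_regex(pattern):
    """Translate a filter-name pattern into an anchored, case-insensitive regex."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == '\\' and i + 1 < len(pattern):   # \char: next char is literal
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if ch == '*':                               # any run of characters
            out.append('.*')
        elif ch == '?':                             # exactly one character
            out.append('.')
        elif ch == '[':                             # [set], [^set], ranges a-h
            end = pattern.find(']', i + 1)
            if end == -1:
                raise ValueError('unterminated [set] in %r' % pattern)
            body = pattern[i + 1:end]
            negate = body.startswith('^')
            if negate:
                body = body[1:]
            # Ranges keep their meaning; backslash and '[' become literal.
            body = body.replace('\\', '\\\\').replace('[', '\\[')
            out.append('[%s%s]' % ('^' if negate else '', body))
            i = end
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile('^%s$' % ''.join(out), re.IGNORECASE)


def parse_filter(expr):
    """Split 'name' or 'name<op>size' into (name regex, op, size in bytes)."""
    m = SIZE_RE.match(expr)
    if not m:
        return glob_to_regex(expr), None, None
    name, op, number, unit = m.groups()
    return glob_to_regex(name), op, float(number) * SIZE_UNITS[unit]


def size_ok(op, limit, size):
    """Apply the comparison operator from a size filter."""
    return {'=': size == limit, '>': size > limit, '<': size < limit,
            '>=': size >= limit, '<=': size <= limit}[op]


def detect_type(data):
    """Classify by header bytes; the extension is ignored since it can be spoofed."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return 'UNKNOWN'


def filter_matches(expr, filename, data, file_types=None):
    """True when name, size and header-detected type all satisfy the filter.
    file_types is a set of type names, or None for the 'All Types' setting."""
    regex, op, limit = parse_filter(expr)
    if not regex.match(filename):
        return False
    if op is not None and not size_ok(op, limit, len(data)):
        return False
    return file_types is None or detect_type(data) in file_types


if __name__ == '__main__':
    # Constructed samples: an executable renamed with a .doc extension and a
    # genuine OLE document. A '*.*' filter restricted to EXEFILE catches only
    # the first, whatever its extension claims.
    samples = [
        ('quarterly.doc', b'MZ' + b'\0' * 200),
        ('resume.doc', b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1' + b'\0' * 200),
    ]
    for name, data in samples:
        print(name, detect_type(data),
              filter_matches('*.*', name, data, {'EXEFILE'}))
```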

Enabling the Filter


Turn on the filter by selecting Enabled in the File Filter field. To temporarily disable the filter without deleting it, select Disabled.

Action
Choose the action that you want FSSP to perform when a specified file name is detected. There are different actions available for realtime and manual scans.

Note: You must set the action for each file filter you configure. The Action setting is not global.

Realtime Scan Job Actions


For realtime scanning, the VSAPI in SharePoint Portal Server 2007 only supports the Block: prevent transfer action for file filter matches. When a file matches a filter, FSSP will stop scanning for viruses and users will be blocked from accessing that file.

Manual Scan Job Actions


There are two action choices for manual scan jobs: Skip and Delete.

Skip: Detect only
    Keeps track of the number of files that meet the filter criteria, but leaves them in the workspace. This is the default. For special rules about ZIP and JAR files, see Limiting Compressed File Scanning.

Delete: Remove contents
    Deletes the detected file, inserting a text file in its place. The text file contains the string that was configured using the deletion text. (For more information, see Deletion Text.)

Limiting Compressed File Scanning


To keep the contents of a ZIP or JAR file from being scanned for filter matches, specify the name in the File Filter List and set the action to Skip. The position of the filter in the list is not important. The contents will not be scanned for filter matches, but will be scanned for viruses.

Note: By default, this functionality only applies to ZIP and JAR files. Other compressed files, including self-extracting ZIP files, will be scanned for file filter matches. To apply this functionality to other compressed files (including self-extracting exe, s/mime, gzip, rar, tar, and macbin), set the following registry keys to 1:
SkipFileFilterWithinCompressedRealtime
SkipFileFilterWithinCompressedManual

Send Notifications
Enables or disables e-mail notifications for the selected file name. This does not affect reporting to the Virus Incidents or Scan Job log. Notifications are disabled by default.

Quarantine Files
Enables or disables quarantine for the selected file name. Quarantine is enabled by default.

Deletion Text
This is the text used by Forefront Security for SharePoint when replacing the contents of an infected file during a Delete operation. You may modify this text to place a custom message inside the deleted file attachments. Forefront Security for SharePoint provides keywords that can be used in the Deletion Text field to obtain information from the file in which the infection was found. For a list of available keywords, see SharePoint Keyword Macros.

Editing a File Filter


You can modify specific files to detect, change the file types to be scanned, change the action to take, and decide whether to send notifications and quarantine incidents.

To edit a file filter
1. Select File from the FILTERING shuttle. The File Filtering dialog box appears.
2. Select a job from the Job List.
3. Select one of the job's file filters to edit (in the File Names section).
4. Click Edit, and then make the desired changes.
5. Click Save to retain your changes.


Filter Lists
You can create and maintain lists of filters for use by different scan jobs or to organize your filters, if you have created many of them. Simply create one or more named lists of filters (rather than a series of individual ones) to be associated with various scan jobs.

To create and configure a new filter list
1. Select Filter Lists from the FILTERING shuttle. The Filter Lists work pane appears.
2. Select the type of filter list (Files or Keywords) in the List Types section of the top pane.
3. Click Add in the List Names section.
4. Type a name for the new list, and then press ENTER. The new list's name is added to the List Names section.
5. With the new list's name selected, click Edit. The Edit Filter List dialog box appears. Use it to enter files to include in the search query.
6. Click Add (under Include In Filter), type a search query, and press ENTER. To have multiple items, enter each item individually. To have an item excluded from the list (never scanned), click Add in the Exclude From Filter section, type the item name in the field, and then press ENTER. This section is used to enter items that should never be included in the filter list. This will prevent these items from accidentally being added to the Include section when importing a list from a text file. To modify an existing list, select an item, click Edit, and then make the required changes.
7. You can import file names from a text file by means of the Import button. (For more information, see Importing Items Into a Filter List.) After you have built a list, you can save it to a text file by means of the Export button. This file can later be imported into other Include lists to reduce typing.
8. Click OK to return to the Filter Lists work pane when you are finished entering queries. You will now see the new filter and all its queries.
9. Click Save to save your work.


Importing Items Into a Filter List


Filter lists may be created in Notepad, or a similar text editor, and then imported into the appropriate filter list.

To create and import entries into a filter list
1. Create a list and save it as a text file. Place each item on its own line in the file.
2. Select Filter Lists in the FILTERING shuttle.
3. Select or create the filter list into which you will be importing data.
4. Click Edit. The Edit Filter List dialog box appears.
5. Click Import. A standard Windows Explorer dialog box opens to allow you to navigate to the saved text file.
6. Select the file and click Open. The contents of the imported file appear in a New Items column, from which you can move selected items into the Include In Filter and Exclude From Import columns (by means of the arrow keys).
7. Click OK on the Edit Filter List dialog box, and then click Save on the Filter Lists work pane.

Associating a Filter List With a Scan Job


After you create a filter list, associate it with a scan job. A single filter list can be associated with as many scan jobs as desired.

To associate a filter list with a scan job
1. Select File from the FILTERING shuttle. The File Filtering work pane appears.
2. Click the Lists button. All available filter lists are displayed in the Filter Lists section.
3. Select a scan job (in the top pane) with which the new filter list should be associated.
4. Enable the filter. (For details, see Enabling the Filter.)
5. Indicate the File Type. (For details, see Detecting Files of a Particular Type.)
6. Indicate the Action to be taken if the filter is matched. (For details, see Action.)
7. Indicate if notifications are to be sent. (For details, see .)
8. Indicate if matched files are to be quarantined. (For details, see Quarantine Files.)
9. Change the Deletion Text, if desired. (For details, see Deletion Text.)
10. Click Save to save your work. The filter list is now associated with the selected scan job.

Viewing Filter List Contents


You can view the contents of any selected filter list by clicking the Lists button (in the Filter Lists pane of the File Filtering work pane), selecting an item, and then clicking View List. To change the contents, see Editing a Filter List. Click the Back button when you are finished viewing the contents.

Editing a Filter List


To change the contents of a filter list, select the list in the List Names pane of the Filter Lists work pane, and then click Edit. Use the Add, Edit, and Remove buttons to add new items, edit existing ones, or delete items from the list.

Filter Sets for File Filters


A filter set is a type of template that you can use to distribute file filters and content filters to remote installations. (For more information about templates, see SharePoint Templates.) Filter sets can be created for use with any FSSP scan job. A single filter set can be associated with any or all of the scan jobs, and you can create multiple filter sets for use on different servers or different scan jobs. You cannot create filter sets for Keyword Filters. (For more information, see SharePoint Keyword Filtering.)

To create a filter set
1. Click File, click Templates, and then click View Templates. This displays templates in the Job List.
2. Click File, click Templates, and then click New. The New Template dialog box appears.
3. Select Filter Set.
4. Enter a name for the new filter set.
5. Click OK. The new filter set will then be displayed in the upper pane whenever you click File, click Templates, and then click View Templates.
6. Configure the new filter set. (For more information, see Configuring a Filter Set.)

Configuring a Filter Set


After you have created a filter set, you must configure it.

To configure a filter set
1. Click File in the FILTERING shuttle. The File Filtering work pane appears.
2. Select the name of the filter set to be configured in the upper pane.
3. Use the File Filter field to enable the filter set.
4. Set up the rest of your filter criteria, as outlined in Creating a File Filter.
5. Click Save to save your work.

Associating a Filter Set With a Scan Job


After you create and configure a filter set, associate it with a scan job.

To associate a filter set with a scan job
1. Select Templates in the SETTINGS shuttle.
2. Select a scan job in the Job List.
3. Select the filter set that you want to associate with the job from the Filter Set list in the lower pane. Only one filter set can be associated with a scan job. If you are unsure about the contents of the filter set, click View Filter Set. Click Back when you finish viewing the contents.
4. Click Save. The filter set is now associated with that scan job. During scanning, FSSP will apply the filter set configuration first and then any other filter setting you specified when setting up the scan job.

Note: To cancel the association, repeat the steps in the preceding procedure and select None from the Filter Set list.

Editing a Filter Set


You may modify the settings in a filter set.

To edit a filter set
1. Click File in the FILTERING shuttle. The File Filtering work pane appears.
2. Select any filter set in the upper pane.
3. Modify the configuration in the lower pane.
4. Click Save.

Note: File filters that you create for particular scan jobs are displayed in the File Names section and can be modified there. Filter sets are also displayed in that section; however, they cannot be selected for modification. You must select the original filter set template in the upper pane to modify it.

Deleting a Filter Set


You may delete a filter set.

To delete a filter set
1. Select the filter set in the Job List of the Template Settings work pane.
2. Select Delete from Templates on the File menu.
3. Confirm the deletion request.

Renaming a Filter Set


You may rename a filter set.

To rename a filter set
1. Select the filter set in the Job List of the Template Settings work pane.
2. Select Rename from Templates on the File menu. The Rename Template dialog box appears.
3. Type the template's new name.
4. Click OK.

Deploying Filters to Remote Servers


Filters can be distributed to remote servers using the Deploy Template feature of the Microsoft Forefront Server Security Management Console. For information about using this feature, see SharePoint Templates and the Microsoft Forefront Server Security Management Console User Guide. You can also use FSCStarter from the command prompt to manually install filters on remote servers: The syntax of FSCStarter is:
fscstarter t[options] [\servername]

The t parameter instructs FSCStarter to read the settings in the Template.fdb file and apply them to the current server.

Note: You must insert a space between FSCStarter and the t parameter and between the options and the \servername. However, there is no space between the t parameter and the options.

The following are the options. They may be entered in any order, with no spaces between them:
F   Update the file filter or filter set settings for each scan job.
L   Update the filter lists for each scan job.

For example, to update the file filter settings, you would enter:
fscstarter tf

International Character Sets


FSSP supports filter queries that use characters other than those found in the English/Western European/Other Latin character set. They are handled in the same manner as filters that use those characters and follow the same rules.


SharePoint Keyword Filtering


Keyword filtering allows you to filter messages based on content criteria. This is accomplished by using lists of keywords that FSSP will scan for. Keyword filtering analyzes the contents of document, text, Excel, Word, Office 2007 Open-XML, HTML, and PowerPoint files to identify unwanted or prohibited content. By creating keyword filter lists, you can filter messages and text attachments based on a variety of words, phrases, and sentences. You may create your own keyword filter lists, as needed.

Creating New Keyword Filter Lists


For maximum flexibility, you can create your own lists of keywords to scan for. You can thus maintain individual lists of filters for use by different scan jobs.

To create and configure a new keyword filter list
1. Select Filter Lists from the FILTERING shuttle. The Filter Lists work pane appears.
2. Select Keywords in the List Types section in the top pane.
3. Click Add at the bottom of the List Names section.
4. Type a name for the new list, and then press ENTER.
5. With the new list name selected, click Edit. The Edit Filter List dialog box appears. Use it to enter terms to include in the search query.
6. Click Add (under Include In Filter), type the search query, and press ENTER. (For more information about the structure of query items, see Keyword List Syntax Rules.) To have an item excluded (never caught by the filter), click Add in the Exclude From Filter section, type the name of the item, and then press ENTER. This section is used to enter keywords or phrases that should never be included on the keyword list, which prevents them from accidentally being added to the Include section when importing a list from a text file. Click Edit to modify a selected item. Click Remove to delete a selected item.
7. Enter each item individually.
8. Import items from a text file by means of the Import button. After you build a list, you can save it to a text file by means of the Export button. This file can later be imported into other Include lists to save typing.
9. Click OK to return to the Filter Lists work pane when you finish entering items. You will now see the new filter list and all its items.
10. Enable the list, and set its Action and other attributes. (For more information, see Enabling a Keyword Filter.)
11. Click Save to retain your work.

Keyword List Syntax Rules


The following are the syntax rules for a keyword list:

Each item (line of text) is considered a search query.

Queries use OR functionality: it is considered a positive detection if any entry is a match.

Queries may contain operators that separate text tokens. Such queries are called expressions. There must be a space between an operator and a keyword; in the examples below that space is written out literally. The following logical operators are supported:
    _AND_ (Logical AND). For example, apple _AND_ orange juice.
    _NOT_ (Negation). For example, apple _AND_ _NOT_ juice.
    _ANDNOT_ (Same as _AND_ _NOT_). For example, apple _ANDNOT_ juice.
    _WITHIN[#]OF_ (Proximity). If the two terms are within a specific number of words of each other, there is a match. For example, free _WITHIN[10]OF_ offer. (If free is within 10 words of offer, this query will be true.)
    _HAS[#]OF_ (Frequency). Specifies the minimum number of times the text must appear for the query to be considered true. For example, _HAS[4]OF_ get rich quick. If the phrase get rich quick is found in the text four or more times, this query will be true. This operator is implicitly assumed, with a default value of 1, when it is not specified.

Multiple _AND_, _NOT_, _HAS[#]OF_, and _WITHIN[#]OF_ operators are allowed in a single query. The precedence of the operators is (from highest to lowest): 1) _WITHIN[#]OF_ 2) _HAS[#]OF_ 3) _NOT_ 4) _AND_

The logical operators must be entered in uppercase letters.

Phrases may be used as keywords, for example, apple juice or get rich quick.

Multiple blank spaces (blank characters, line feed characters, carriage return characters, horizontal tabs, and vertical tabs) are treated as one blank space for matching purposes. For example, A followed by three blanks and then B is treated as A B and matches the phrase A B.

In HTML encoded message texts, punctuation (any character that is not alphanumeric) is treated as a word separator, similar to blank spaces. Therefore, words surrounded by HTML mark-up tags can be properly identified by the filter. However, note that the filter <html> matches <html>, but does not match html.

Examples:
apple _AND_ orange _AND_ lemon _WITHIN[50]OF_ juice
confidential _WITHIN[10]OF_ project _AND_ banana _WITHIN[25]OF_ shake
_HAS[2]OF_ get rich _WITHIN[20]OF_ quick

Enabling a Keyword Filter


To function, keyword filters must be enabled.

To enable a keyword filter
1. Select Keyword on the FILTERING shuttle.
2. In the Job List, select the scan job for which you would like to enable an existing keyword filter.
3. Select the filter list to be enabled in the Filter Lists section (any of the customized lists that you have created; for more information, see Creating New Keyword Filter Lists).
4. Enable the filter, using the Filter field.
5. Set the action. (For more information, see Action.)
6. Indicate if you would like to send notifications or quarantine identified files. (For more information, see Event Notifications or Quarantine.)
7. Select the minimum number of unique keyword hits that will trigger the action. (For more information, see Minimum Unique Keyword Hits.)
8. Click Save to retain your changes.


Action
Select the action for FSSP to take if it detects a keyword filter match. The choices are:

Skip: Detect Only   Records the number of files that meet the filter criteria, but allows the files to route normally. Notifications are sent to the Administrator and the Sender, if notifications are enabled.

Block: prevent transfer   Prevents the transfer of a file that meets the filter criteria. This action is for real-time scans only.

Delete: remove infection   Deletes the contents of the file and replaces it with the string that was configured using the deletion text. (For more information, see Deletion Text.) This action is for manual scans only.

Note: You must set the action for each keyword filter you configure. The action setting is not global.

Notify Administrator
Enables or disables e-mail notifications. Notifications are disabled by default.

Quarantine
Enables or disables quarantine. It is enabled by default. If enabled, each file will be quarantined for later analysis or routing by the administrator.

Minimum Unique Keyword Hits


Allows you to specify how many unique keywords must be matched for the action to be taken. The default is one (1). For example, suppose you have set the Minimum Unique Keyword Hits value to 3. The word wonderful, which is in the list, appears three times. However, no other word in the list appears at all. The keyword filter has not been matched, because only one term in the list was matched.
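The evaluator below is an added example written for this guide's description, not code from the Forefront product or the guide itself. It implements the Keyword List Syntax Rules (operator precedence, the implied _HAS[1]OF_, collapsing of blank runs, punctuation as a separator in HTML mode, case-insensitive comparison by default) together with the Minimum Unique Keyword Hits threshold described in this section, so that a list can be tried against sample text before it is deployed to a scan job. The keyword list and sample text are constructed here. Two details the guide does not specify are assumptions: _WITHIN[n]OF_ distance is measured between the start positions of the two phrases, and each list entry counts as one "unique keyword" however often it occurs.

```python
import re

# Operator tokens must be upper-case and stand alone between spaces (see the syntax rules).
OP_RE = re.compile(r"^_(AND|NOT|ANDNOT|WITHIN\[(\d+)\]OF|HAS\[(\d+)\]OF)_$")


def tokenize(text, html=False, case_sensitive=False):
    """Split scanned text into words: runs of blanks/tabs/newlines count as one separator;
    in HTML mode every non-alphanumeric character is a separator too."""
    if html:
        text = re.sub(r"[^0-9A-Za-z\s]", " ", text)
    if not case_sensitive:
        text = text.lower()
    return text.split()


def parse_query(query, case_sensitive=False):
    """Turn one list entry into ('op', NAME, n) and ('phrase', [words]) items.
    A lower-case operator such as _and_ is deliberately treated as ordinary text."""
    items = []
    for tok in query.split():
        m = OP_RE.match(tok)
        if m:
            name = m.group(1).split("[")[0]          # AND, NOT, ANDNOT, WITHIN or HAS
            num = int(m.group(2) or m.group(3) or 0)
            items.append(("op", name, num))
        else:
            word = tok if case_sensitive else tok.lower()
            if items and items[-1][0] == "phrase":
                items[-1][1].append(word)            # adjacent words form one phrase
            else:
                items.append(("phrase", [word]))
    return items


def phrase_positions(words, phrase):
    """Start indexes at which the whole phrase occurs in the word list."""
    n = len(phrase)
    return [i for i in range(len(words) - n + 1) if words[i:i + n] == phrase]


def within_count(words, left, right, distance):
    """Occurrences of `left` that have an occurrence of `right` within `distance` words.
    Measuring between phrase start positions is an assumption of this example."""
    right_pos = phrase_positions(words, right)
    return sum(1 for i in phrase_positions(words, left)
               if any(abs(i - j) <= distance for j in right_pos))


def _conjunct(items, words):
    """Evaluate one _AND_-free piece: [_NOT_]* [_HAS[n]OF_] phrase [_WITHIN[n]OF_ phrase].
    _WITHIN_ binds tightest, then _HAS_, then _NOT_, matching the documented precedence."""
    negate = False
    while items and items[0][:2] == ("op", "NOT"):
        negate = not negate
        items = items[1:]
    minimum = 1                                       # _HAS[1]OF_ is implied
    if items and items[0][:2] == ("op", "HAS"):
        minimum = items[0][2]
        items = items[1:]
    if len(items) == 1 and items[0][0] == "phrase":
        count = len(phrase_positions(words, items[0][1]))
    elif len(items) == 3 and items[1][:2] == ("op", "WITHIN"):
        count = within_count(words, items[0][1], items[2][1], items[1][2])
    else:
        raise ValueError("malformed query fragment: %r" % (items,))
    return (count >= minimum) != negate


def evaluate(query, words, case_sensitive=False):
    """True if the query matches the tokenized text. _AND_ has the lowest precedence, so the
    query is split on it and every piece must hold; _ANDNOT_ is shorthand for _AND_ _NOT_."""
    pieces, current = [], []
    for item in parse_query(query, case_sensitive):
        if item[:2] in (("op", "AND"), ("op", "ANDNOT")):
            pieces.append(current)
            current = [("op", "NOT", 0)] if item[1] == "ANDNOT" else []
        else:
            current.append(item)
    pieces.append(current)
    return all(_conjunct(piece, words) for piece in pieces)


def keyword_filter_matches(entries, text, min_unique_hits=1, html=False, case_sensitive=False):
    """Apply a whole keyword list: entries are OR-ed, and the filter fires only when at least
    `min_unique_hits` distinct entries match (repeats of one entry count once)."""
    words = tokenize(text, html, case_sensitive)
    hits = [q for q in entries if evaluate(q, words, case_sensitive)]
    return len(hits) >= min_unique_hits, hits


# Constructed sample list and text (not from the guide) exercising each operator.
KEYWORD_LIST = [
    "wonderful",
    "_HAS[2]OF_ get rich quick",
    "free _WITHIN[3]OF_ offer",
    "offer _ANDNOT_ free",
    "juice",
]
SAMPLE_TEXT = ("Get rich quick with this wonderful offer. "
               "Get rich quick today; the offer is free and wonderful")

if __name__ == "__main__":
    fired, hits = keyword_filter_matches(KEYWORD_LIST, SAMPLE_TEXT, min_unique_hits=3)
    print("filter fired:", fired, "matching entries:", hits)
```

Note that outside HTML mode punctuation stays attached to a word, so "offer." in the sample text does not match the entry "offer"; this is the reason a list that looks correct can miss hits in plain-text documents, and it is worth checking against representative content before relying on a Block or Delete action.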

Viewing Keyword List Contents


You can view the contents of any selected keyword filter list by clicking View List on the Keyword Filtering work pane. (Click the Back button when you finish viewing the contents.) To change the contents of a keyword list, see Editing a Keyword List.

Editing a Keyword List


You can make changes to a keyword list.

To edit a keyword list
1. Select Filter Lists from the FILTERING shuttle. The Filter Lists work pane appears.
2. Select Keywords from the List Types section.
3. Select one of the keyword lists from the List Names section.
4. Click Edit. The Edit Filter List dialog box appears, allowing you to edit the list. Follow the same rules provided in Creating New Keyword Filter Lists.
5. Click Save to save your work.

Case Sensitive Filtering


The General Option Case Sensitive Keyword Filtering causes Forefront Security for SharePoint to use case-sensitive comparisons for all keyword filters. Comparisons are not case sensitive by default. For more information, see General Options.

International Character Sets


FSSP supports filter queries that use characters other than those found in the English/Western European/Other Latin character set. They are handled in the same manner as filters that use those characters and follow the same rules.


Event Notifications
Event notifications provide a convenient way for administrators to receive information about virus and filtering events without having to continually check logs or the Incidents work pane. Both e-mail (SMTP) and browser-based notifications are available. Notifications are sent automatically to the e-mail address of the administrator configured in FSSP.

Note: To send e-mail notifications, you must configure an SMTP server for SharePoint Portal Server to use when sending the notifications.

Forefront Security for SharePoint Notification Web Parts


To receive Forefront Security for SharePoint notifications on the SharePoint home page, you must add the Forefront Security for SharePoint Notification Web Parts to your SharePoint Portal Server home page. There are two types of web parts provided by Forefront Security for SharePoint:
Forefront Notifications - Summary. Displays a count of the Forefront Security notifications in the system and provides a link to the detailed web part.
Forefront Notifications - Detailed. Shows details of the notifications and provides the ability for administrators to clear individual notifications.

To create the Forefront Security for SharePoint Notification Web Parts
1. Navigate to the portal site's home page.
2. Select Site Settings from the Site Actions menu.
3. Click Sites and workspaces.
4. Click Create to create a new document workspace.
5. Enter Forefront Notifications in both the Title and the URL fields. Note that the URL must be entered exactly for the summary notifications web part to link to the detailed notifications web part.
6. Select the Document Workspace template, and then click Create.
7. Select Edit Page from the Site Actions menu for this document workspace.
8. Click Add a Web Part in the area where you would like the Forefront detailed notifications to appear, and then select Forefront Notifications - Detailed from the list of available web parts.
9. Select Exit Edit Mode to complete editing the detailed notifications page.
10. Return to the portal site's home page and add the Forefront Notifications - Summary web part to the desired area of the page in the same manner. The summary web part will now link to the detailed web part when it is clicked.

Configuring Notifications
There are various types of notification messages and each can be individually configured.

To configure notifications
1. Select Notification in the REPORT shuttle. The Notification Setup work pane appears. The top pane of the Notification Setup work pane contains the list of default notification roles. Each role can be customized, as well as enabled or disabled. (For more information about roles, see Notification Roles.)
2. Enable those notifications that are to be in effect. (For more information, see Enabling or Disabling a Notification.) Note: Scan job configurations control whether a scan job will send any enabled notifications.
3. Make the desired changes to the notifications that are to be enabled. (For more information, see Editing a Notification.)
4. Click Save to retain your work.

Notification Roles
The top pane of the Notification Setup work pane contains the list of default notification roles. Each role can be customized, as well as enabled or disabled. Both File and Virus notifications include individual notices for Web and e-mail. Web notifications are sent to the Forefront Security Notifications area of the SharePoint browser and e-mail notifications are sent to the e-mail address of the administrator or author.


Default Notification Roles


These are the various notification roles. Typically, each notification is used for reporting the who, what, where, and when details of the infection or the filtering performed, including the disposition of the virus or the attachment.

Virus Administrators   Alerts administrators of all viruses detected on a server being protected by FSSP.
Virus Author   Alerts someone that a virus has been detected in a file that he or she authored.
Virus Last Modified User   Alerts the last person who modified a file that a virus has been detected in that file.
File Administrators   Alerts administrators of all files that satisfy the filtering criteria on the server being protected by FSSP. This notification is also used for messages blocked by the file filter.
File Author   Alerts someone that a filter match has been detected in a file he or she authored. This notification is also used for messages blocked by the file filter.
File Last Modified User   Alerts the last person who modified a file that a filter match has been detected in that file. This notification is also used for messages blocked by the file filter.
Keyword Administrators   Alerts administrators of all files that satisfy the keyword filtering criteria on the server being protected by FSSP.
Template Categories   Each of the preceding categories also exists in the listing as a "Template for" item, to aid you in deploying notification templates to remote servers.

Enabling or Disabling a Notification


The Enable and Disable buttons in the Notification Setup work pane allow you to selectively enable or disable any highlighted notification. The current status of each notification is displayed in the list in the top pane, under the State column. A change made to the status of a notification takes effect as soon as you click Save. Note: Scan job configurations control whether a scan job will send any enabled notifications.


Editing a Notification
Changes that you make to the lower pane of the Notification Setup work pane apply to the currently selected notification role and take effect immediately when you click Save. All fields can have keyword substitution macros. For more information, see SharePoint Keyword Macros. The following fields can be edited:

To: (Recipients)   A semicolon-separated list of people and groups who will receive the notification. This list can include SharePoint names, aliases, and groups. For servers that are in a domain, user names should follow the syntax domain\username. For servers that are in a workgroup, user names should follow the syntax servername\username.
Subject   The message that will be sent on the subject line of the notification.
Body   The message that will be sent as the body of the notification.

Keyword Substitution Macros


All notification fields can include keyword substitution macros to obtain information from the message in which the infection was found or filtering was performed. For more information about macros, see Keyword Macros. For example, to include the name of the virus in the Subject line, you could use the %Virus% macro in the Subject field, as follows:
The %Virus% virus was found by Forefront Security for SharePoint.
Instead of typing the keyword, you can select it from a shortcut menu.

To select a keyword from the shortcut menu
1. Position the cursor in any notification field, at the point where you want the keyword to appear.
2. Right-click at that point to display a shortcut menu.
3. Select Paste Keyword.
4. Choose from the list of available keywords.
5. When you are finished inserting keywords, click Save.


Deleting Notifications
SharePoint administrators can view all the notifications in the database. This allows them to delete undeliverable or old notifications as needed. To delete the notifications that appear in the Forefront Security Web Parts, the user must be a member of the Power Users group. Navigate to Forefront Notifications - Detailed and click Delete All Notifications. All Forefront Security notifications throughout the system, regardless of the individual SharePoint security settings, will be deleted.

SharePoint Reporting and Statistics


Forefront Security for SharePoint provides a variety of reports designed to help administrators analyze the state and performance statistics of the FSSP services, using the Forefront Server Security Administrator interface.

Incidents Log
The incidents log is a database (Incidents.mdb) that stores a record of all detected viruses and items trapped by filters for a SharePoint server. Results are stored in the database by FSCController and are not dependent on the Forefront Server Security Administrator remaining open. To view this log, select Incidents in the REPORT shuttle. The Incidents work pane appears. This is the information that Forefront Security for SharePoint reports for each incident:

Time   The date and time of the incident.
State   The action taken by Forefront Security for SharePoint.
Name   The name of the scan job that reported the incident.
Folder   The name of the folder where the file was found.
File   The name of the virus or the name of the file that matched a file filter or content filter.
Incident   The type of incident that occurred. The categories are VIRUS and FILE FILTER. Each is followed by either the name of the virus caught or the name of the filter that triggered the event.
Author Name   The name of the author of the document.
Author's E-mail   The e-mail address of the author of the document.
Last Modified By   The name of the last user to modify the document.
Modified User's E-mail   The e-mail address of the last user to modify the document.

Note: The last four fields will be reported as N/A for the Realtime Scan Job because FSSP does not have access to this information during a real-time scan.

VirusLog.txt
You can also have virus and filter events recorded in a file called VirusLog.txt. To enable this file, select Enable Forefront Virus Log in General Options. When enabled, all virus incidents are written to the VirusLog.txt text file, under the FSSP installation path (InstalledPath). The following is a sample entry from the VirusLog.txt file:
Wed Dec 14 12:56:13 2005 (3184), "Information: Realtime scan found virus: Folder: WorkSpace1\SavedFiles File: Eicar.com Incident: VIRUS=EICAR-STANDARD_AV_TEST_FILE State: Cleaned"
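Because VirusLog.txt is a plain text file with one entry per line, it is easy to feed into a log collector or a quick triage script. The parser below is an added example, not part of the guide or the product: it pulls the timestamp, process ID, scan job, folder, file, incident kind and name, and state out of entries in the format shown above, counts them per scan job and state, and lists the detections that were neither cleaned nor deleted, which for a Skip (detect-only) action means the file was recorded but left in place. The sample log is constructed for the example: its first line is the guide's own entry, the other lines are made up, and the state value "Skipped" is an assumption, since the guide only shows "Cleaned".

```python
import re
from collections import Counter

# Sample VirusLog.txt content, constructed for this example. The first line is the entry the
# guide shows above; the others are made up to exercise a manual-scan hit, a folder name with
# a space, a state other than Cleaned (the spelling "Skipped" is assumed), and a non-entry line.
SAMPLE_LOG = r'''
Wed Dec 14 12:56:13 2005 (3184), "Information: Realtime scan found virus: Folder: WorkSpace1\SavedFiles File: Eicar.com Incident: VIRUS=EICAR-STANDARD_AV_TEST_FILE State: Cleaned"
Wed Dec 14 13:02:41 2005 (3184), "Information: Manual scan found virus: Folder: WorkSpace1\Archive File: report.zip Incident: VIRUS=Jerusalem.Standard State: Deleted"
Wed Dec 14 13:05:09 2005 (3184), "Information: Realtime scan found virus: Folder: Shared Documents File: budget.xls Incident: VIRUS=EICAR-STANDARD_AV_TEST_FILE State: Skipped"
this line is not a log entry and is ignored
'''

# One entry per line: timestamp, process id in parentheses, then a quoted message whose
# fields are "Folder:", "File:", "Incident: KIND=name" and "State:". KIND is VIRUS or
# FILE FILTER, the two incident categories the Incidents log documents.
ENTRY_RE = re.compile(
    r'^(?P<time>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \((?P<pid>\d+)\), '
    r'"(?P<level>\w+): (?P<job>\w+) scan found (?P<what>[^:]+): '
    r'Folder: (?P<folder>.*?) File: (?P<file>.*?) '
    r'Incident: (?P<kind>[A-Z ]+)=(?P<name>.*?) State: (?P<state>\w+)"$'
)


def parse_virus_log(text):
    """Return one dict per well-formed entry; anything that does not match is skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def count_by_job_and_state(entries):
    """Counter keyed by (scan job, state), e.g. ('Realtime', 'Cleaned') -> 1."""
    return Counter((e["job"], e["state"]) for e in entries)


def not_neutralized(entries):
    """Entries whose state is neither Cleaned nor Deleted: the detections a responder
    still has to act on, because the file was only recorded, not removed or repaired."""
    return [e for e in entries if e["state"] not in ("Cleaned", "Deleted")]


if __name__ == "__main__":
    found = parse_virus_log(SAMPLE_LOG)
    for (job, state), n in sorted(count_by_job_and_state(found).items()):
        print("%-8s %-8s %d" % (job, state, n))
    for e in not_neutralized(found):
        print("follow up:", e["folder"], e["file"], e["name"], e["state"])
```

The regular expression anchors on the literal field labels rather than on column positions, so a folder or file name containing spaces is captured whole; a real deployment should still log and count the lines that fail to parse rather than silently dropping them, so that a format change in a service pack does not blind the monitoring.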

Forefront Security for SharePoint Incidents


The following table describes the various incidents FSSP reports. Most of the reported incidents are generated by FSSP settings that are controlled through General Options.

Reported incident: CorruptedCompressedFile
General Options setting: Delete Corrupted Compressed Files
Description: Forefront has deleted a corrupted compressed file.

Reported incident: EncryptedCompressedFile
General Options setting: Delete Encrypted Compressed Files
Description: Forefront has deleted an encrypted compressed file.

Reported incident: EngineLoopingError
General Options setting: Not applicable
Description: Forefront has deleted a file causing a scan engine to be caught in a read/write loop while scanning or attempting to clean a file.

Reported incident: ExceedinglyInfected
General Options setting: Maximum Container File Infections
Description: Forefront has deleted a compressed file that has exceeded the maximum number of infections, as set in General Options. When the number is exceeded, the entire container is deleted.

Reported incident: ExceedinglyNested
General Options setting: Maximum Nested Compressed Files
Description: Forefront has deleted a compressed file that has exceeded the maximum nested depth, as set in General Options. When the number is exceeded, the entire file is deleted.

Reported incident: ExceedinglyNested
General Options setting: Maximum Nested Attachments
Description: Forefront has deleted a file that has exceeded the maximum nested attachment limit. The default is 30 attachments. For more information, see "MaxNestedAttachments" in SharePoint Registry Keys.

Reported incident: LargeInfectedContainerFile
General Options setting: Maximum Container File Size
Description: Forefront has deleted a file that has exceeded the maximum container size that it will attempt to clean or repair. The default is 26 MB, but you may change the value in General Options.

Reported incident: ScanTimeExceeded
General Options setting: Max Scan Time
Description: Forefront has deleted a container file that has exceeded the maximum amount of scan time (in milliseconds). The default value is 600,000 msec (10 minutes).

Reported incident: UnReadableCompressedFile
General Options setting: Not applicable
Description: Forefront has deleted a compressed file that it could not read.

Reported incident: UnWriteableCompressedFile
General Options setting: Not applicable
Description: Forefront has deleted a compressed file to which it cannot write (for example, during a cleaning operation).

Event Statistics
Forefront Security for SharePoint maintains three basic groups of statistics: Event Rate. Tracks the number of events per second (by means of Windows Performance Monitor). Event. Tracks the number of events for the current Forefront Security for SharePoint session. Total Events. Tracks the total number of events since installation or reset.

Only the Event and Total Events statistics for each scan job are reported in the bottom pane of the Incidents work pane. The Event Rate statistics can be viewed with Windows Performance Monitor. Within each group, several different events are maintained (for both realtime and manual scans):
Documents Scanned
Documents Detected
Documents Cleaned
Documents Removed
Total Documents Scanned
Total Documents Detected
Total Documents Cleaned
Total Documents Removed

Resetting Statistics
The Event Rate and Event statistics for the Realtime and Manual Scan Jobs are automatically reset to zero each time the FSSP service is started. All statistics for each scan job can also be manually reset. To reset all the statistics for a scan job, click the X in the Statistics display next to the scan job's name at the top of the column. You can also recycle the services to reset the statistics.

[Figure: the control to reset statistics]

You will be asked to confirm the reset. Clicking Yes will reset all the statistics for the selected scan job. Use the Export button (on the Incidents work pane) to save the report and the statistics in either formatted text or delimited text format.

Note: You may instruct FSSP to write all virus incidents to a text file named VirusLog.txt by selecting Enable Forefront Virus Log in General Options. (For more information, see General Options.)

Other Incidents Database Tasks


For information about other tasks that you can perform with the Incidents database, see Clearing the Databases, Exporting Database Items, Purging Database Items, Filtering Database Views, and Moving the Databases.


Quarantine
Forefront Security for SharePoint, by default, creates a copy of every detected file before a Clean, Delete, or Skip action. These files are stored in an encoded format in the Quarantine folder in the FSSP install directory, unless you relocate it. (For information, see Moving the Databases.) Each detected file is saved under the name Filex where x is the ID number of the file. The Quarantine database consists of two tables stored inside the Quarantine.mdb file. (For more information, see Quarantine Database Tables.) This database is configured as a system data source name (DSN) with the name Forefront Quarantine, and can be viewed and manipulated using third-party tools.

Quarantine Database Tables


The Quarantine database (Quarantine.mdb) contains the following tables:

HeaderInfo. This table contains the quarantine version, the number of quarantined files, and the ID to use for the next quarantined file.
Field name      Type
Version         Int
Count           Int
NextDetectedId  Int

Quarantine. This table contains all the details for each quarantined message.
Field name      Type        Size            Description
FileName        Text        255             Attachment file name
VirusIncident   Text        255             Virus name
SenderName      Text        255             Sender name
_DateTime       Date/Time   Not applicable  Date and time the file was quarantined
DetectedFileId  Int         Not applicable  File ID used to save a renamed quarantined file (for example, File9)
ID              AutoNumber  Not applicable  Identifies a row in the table

Viewing the Quarantine Log


An administrator can access the Quarantine log to view it, delete all or some items, or extract stored detected files. To view the Quarantine log, select Quarantine from the REPORT shuttle. The Quarantine work pane appears. The quarantine list reports the date the file was quarantined, the name of the file, the type of incident that triggered the quarantine (virus or filter match), and the author name.

ExtractFiles Tool
Forefront Security for SharePoint includes a console tool, ExtractFiles, that allows you to extract all, or a subset, of the quarantined files to a specified directory. ExtractFiles.exe has two required arguments, path and type:

Path. The absolute path of the folder in which to save the extracted quarantined files.
Type. The type of quarantined files to extract. This can be the specific name of a virus, a specific extension, or all quarantined files:
Jerusalem.Standard   Extracts files that were infected with the virus named Jerusalem.Standard.
*.doc                Extracts quarantined files having a .doc extension.
*.*                  Extracts all quarantined files.

This is the syntax of ExtractFiles:
extractfiles path type

Examples:
extractfiles C:\temp\quarantine Jerusalem.Standard
extractfiles C:\extract\ *.doc

Note that quarantined files are stored in an encoded form precisely so that they are inert on disk; ExtractFiles writes them back out in their original form, so extract only into a location where the files cannot be opened or executed by accident.

82

Retrieving a Database
Quarantine database files can be retrieved using the FSSMC, as described in the Microsoft Forefront Server Security Management Console User Guide. You can select a .csv file to open (to view or retrieve) in the standard manner. (The .csv file was created by the Export function.) After the data is retrieved, you can export or delete the quarantined files as needed. Export creates a .csv text file of the Quarantine log, either formatted or delimited. (For more information, see Exporting Database Items.) The Save As function saves a copy of the database.

Other Quarantine Database Tasks


For information about other tasks that you can perform with the Quarantine database, see Clearing the Databases, Exporting Database Items, Purging Database Items, Filtering Database Views, and Moving the Databases.

Clearing the Databases


Over time, you might find that your Incidents and Quarantine databases are becoming very large. Each database (Incidents.mdb and Quarantine.mdb) has a 2-GB limit. When a database is larger than 1.5 GB after being compacted, a notification is sent to the administrator warning that the database is nearing its limit. The administrator can then clear the database to ensure that future incidents and quarantined items will be saved. The notification is sent to all addresses included in the Virus Administrator List in General Options.

Clearing the Incidents Database


To clear the Incidents database
1. Click Clear Log on the Incidents work pane. This clears all the items from the Incidents display.
2. Select Run Job in the OPERATE shuttle. Select a scan job, and then click Clear Log. This clears the items from the job's Incidents display. You must clear both the Realtime and the Manual jobs to have all items flagged for deletion from the database.

After you have cleared the entries in both places, they will no longer appear in the work panes. However, they will actually be deleted from the Incidents.mdb database only when it is compacted, which automatically occurs every day at 02:00 (2:00 A.M.). You can also delete a subset of the results by selecting one or more entries (use the SHIFT and CTRL keys to select multiple entries), and then using the DELETE key to remove them from the Incidents listing.

Note: If a large number of entries is selected, the deletion process can take a long time. In this case, you will be asked to confirm the deletion request.

Clearing the Quarantine Database


To clear the Quarantine database, click Clear Log on the Quarantine work pane. After you clear the entries, they will actually be deleted from the Quarantine.mdb database only when it is compacted, which automatically occurs every day at 02:00 (2:00 A.M.). You can also delete a subset of the results by selecting one or more entries (use the SHIFT and CTRL keys to select multiple entries), and then using the DELETE key to remove them from the Quarantine listing. Note: If a large number of entries is selected, the deletion process can take a long time. In this case, you will be asked to confirm the deletion request.

Exporting Database Items


Use Export to save results from the Incident or Quarantine databases. Clicking Export displays a standard Windows Save dialog box, in which you select a location for the Incidents.txt or Quarantine.txt file and select a format of Formatted Text or Delimited Text. Entries in the delimited text format are separated by a vertical bar ( | ).

Saving Database Items to Disk


Use Save As to detach and decode a selected file to disk. You can select multiple items from the Quarantine list. Each will be saved as a separate file.


Purging Database Items


You may instruct Forefront Security for SharePoint to remove items from the databases after a set number of days indicated by the Purge field on both the Incidents and Quarantine work panes. Each database can have a separate purge value (or none at all). If the purge function is enabled for a database (by means of its associated check box), all files older than the specified number of days are flagged for removal from that database. Note: Setting or changing the purge value takes effect only after you click Save.

Filtering Database Views


You can filter the Incidents or Quarantine views to see only certain items. The filter has no effect on the database itself, just on which records are displayed for you.

To filter the database view
1. Select the Filtering check box on the Incidents or Quarantine work pane.
2. Select a column for the filter with the Field option. If you select any column other than Date, the Value field appears. If you select Date, you get entry fields for beginning date and time, and ending date and time.
3. Enter a string in the Value field. Wildcard characters can be used, as described in Wildcard Characters for Filtering. (The wildcard characters are those used by the Microsoft Jet database OLE DB driver.) If you selected Date, enter the beginning and ending date and time. You can select time in half-hour increments or enter a specific time.
4. Click Save to apply the filter. The items you now see are those that match the parameters set in the Field and Value (or date and time) options.
5. To remove the filter, clear the Filtering check box, and then click Save.

Wildcard Characters for Filtering


_ (underscore)   Matches any single character. (The * and ? characters, which are common wildcard characters, are literals in this instance.)

[ ]   Denotes a set or a range. Matches any single character within the specified set (for example, [abcdef]) or range (for example, [a-f]).

[!]   Denotes a negative set or range. Matches any single character not within the specified set (for example, [!abcdef]) or range (for example, [!a-f]).
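To see how these rules behave before typing a filter into the Value field, the following added PowerShell functions (not part of this guide or of the product) translate a pattern that uses the wildcard rules listed above into a .NET regular expression and test it against a value. The functions implement only the rules documented here; matching the whole value, as Jet's LIKE does, and case-insensitive comparison are assumptions.

```powershell
# Added example, not product code: evaluate a Forefront filter pattern using the Jet
# wildcard rules from this section: _ matches one character, [set] and [a-f] match one
# character inside the set or range, [!set] and [!a-f] match one character outside it,
# and * and ? are ordinary literal characters.
function ConvertTo-JetFilterRegex {
    param([Parameter(Mandatory)][string]$Pattern)
    $sb = New-Object System.Text.StringBuilder
    [void]$sb.Append('^')            # assumption: the whole value must match, as in Jet LIKE
    $i = 0
    while ($i -lt $Pattern.Length) {
        $c = $Pattern[$i]
        if ($c -eq '_') {
            [void]$sb.Append('.')    # exactly one character of any kind
            $i++
        }
        elseif ($c -eq '[') {
            $close = $Pattern.IndexOf(']', $i + 1)
            if ($close -lt 0) { throw "Unterminated [ ] set in pattern '$Pattern'" }
            $body = $Pattern.Substring($i + 1, $close - $i - 1)
            $negate = $body.StartsWith('!')
            if ($negate) { $body = $body.Substring(1) }
            if ($body.Length -eq 0) { throw "Empty [ ] set in pattern '$Pattern'" }
            # Escape every set member except the range hyphen, which keeps its meaning.
            $escaped = -join ($body.ToCharArray() | ForEach-Object {
                if ($_ -eq '-') { '-' } else { [regex]::Escape([string]$_) }
            })
            $prefix = if ($negate) { '[^' } else { '[' }
            [void]$sb.Append($prefix + $escaped + ']')
            $i = $close + 1
        }
        else {
            # * and ? are literals in this dialect, so they are escaped like any other character.
            [void]$sb.Append([regex]::Escape([string]$c))
            $i++
        }
    }
    [void]$sb.Append('$')
    $sb.ToString()
}

function Test-JetFilterMatch {
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [Parameter(Mandatory)][string]$Value
    )
    # -match is case-insensitive by default; assumption: the filter compares the same way.
    $Value -match (ConvertTo-JetFilterRegex -Pattern $Pattern)
}

# Constructed sample values (not real quarantine entries).
Test-JetFilterMatch -Pattern 'budget_.xls'        -Value 'budget1.xls'   # _ stands for exactly one character
Test-JetFilterMatch -Pattern 'budget*.xls'        -Value 'budget1.xls'   # * is a literal here, not a wildcard
Test-JetFilterMatch -Pattern '[a-f]ile[!0-9].txt' -Value 'filez.txt'     # range, then a negated range
```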

Moving the Databases


You can move the Quarantine and Incidents databases, but you must move both, as well as all related databases and support files, for FSSP to function properly.

To move all the files
1. Create a new folder in a new location (for example: C:\Moved Quarantine).
2. Stop SharePoint Portal Server and any FSSP services that might still be running after SharePoint Portal Server is stopped.
3. Copy the entire existing Quarantine folder (containing the Quarantine database) into the new folder you just created. This would result in a subfolder called (continuing the example): C:\Moved Quarantine\Quarantine. The Quarantine folder is found in the FSSP install folder. The default location for this folder is:
C:\Program Files\Microsoft Forefront Security\SharePoint\Quarantine
4. Move ProgramLog.txt, Incidents.mdb, Notifications.mdb, FFSCCHRLog.txt, and all .fdb files to the new location (C:\Moved Quarantine). The default location for these files is:
C:\Program Files\Microsoft Forefront Security\SharePoint
5. Change the DatabasePath registry key to point to the new folder (in this example: C:\Moved Quarantine). This key is found at:
For 32-bit systems: HKLM\SOFTWARE\Microsoft\Forefront Server Security\SharePoint
For 64-bit systems: HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\SharePoint
6. Restart the SharePoint services.
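The six steps above carried out as one PowerShell script, added here as an example that is not part of this guide or of the product. The install folder, the target folder and the registry key paths are the ones stated above; the SharePoint service names are not given here and must be supplied, and FSCController is used as the FSSP controller service named elsewhere in this guide.

```powershell
# Added example, not product code: relocate the FSSP data files (steps 1-6 of Moving the Databases).
# Assumptions: $InstallDir is the default install folder; $SharePointServices must be supplied with
# the SharePoint service names used on this server; FSCController is the FSSP controller service
# named in this guide, add any other FSSP services you see in the Services console.
param(
    [Parameter(Mandatory)][string[]]$SharePointServices,
    [string]$InstallDir   = 'C:\Program Files\Microsoft Forefront Security\SharePoint',
    [string]$NewDir       = 'C:\Moved Quarantine',
    [string[]]$FsspServices = @('FSCController')
)
$ErrorActionPreference = 'Stop'

# Step 1: create the destination folder.
New-Item -ItemType Directory -Path $NewDir -Force | Out-Null

# Step 2: stop SharePoint first, then any FSSP services that are still running.
foreach ($svc in ($SharePointServices + $FsspServices)) {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) { Stop-Service -Name $svc -Force }
}

# Step 3: copy the whole Quarantine folder so that it becomes $NewDir\Quarantine.
Copy-Item -LiteralPath (Join-Path $InstallDir 'Quarantine') -Destination $NewDir -Recurse -Force

# Step 4: move the program logs, the other databases and every .fdb file.
$named = @('ProgramLog.txt', 'Incidents.mdb', 'Notifications.mdb', 'FFSCCHRLog.txt') |
    ForEach-Object { Join-Path $InstallDir $_ }
$fdb = @(Get-ChildItem -LiteralPath $InstallDir -Filter '*.fdb' -File | ForEach-Object { $_.FullName })
foreach ($f in (@($named) + $fdb)) {
    if ($f -and (Test-Path -LiteralPath $f)) { Move-Item -LiteralPath $f -Destination $NewDir -Force }
}

# Step 5: point DatabasePath at the new folder. The 64-bit key is under Wow6432Node; a 32-bit
# host sees it at the non-Wow path, so whichever of the two exists is used.
$keys = @('HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\SharePoint',
          'HKLM:\SOFTWARE\Microsoft\Forefront Server Security\SharePoint')
$key = $keys | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $key) { throw 'Forefront Security for SharePoint registry key not found.' }
Set-ItemProperty -LiteralPath $key -Name 'DatabasePath' -Value $NewDir

# Step 6: restart the services, FSSP first so that it is up when SharePoint starts.
foreach ($svc in ($FsspServices + $SharePointServices)) {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) { Start-Service -Name $svc }
}
```

Because the registry value is written after the copy and the moves, an interrupted run leaves the original files in place and DatabasePath unchanged, so FSSP does not start with an empty folder and recreate blank databases.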


Windows Event Viewer


Forefront Security for SharePoint stores virus detections, system information, and other general application events in the Windows Application log. Use Windows Event Viewer to access the log. Additionally, these events are stored in ProgramLog.txt, in the FSSP install directory, so that events are still logged when the Application log is full. The maximum size of the ProgramLog.txt file is controlled by the Max Program Log Size field in General Options (specified in KB). The minimum value is 512 KB. A value of 0 (the default) indicates no limit on the size. For more details, see General Options.

Performance Monitor
All FSSP virus scan statistics can be displayed using the Performance Monitor tool (Perfmon.exe) provided by Windows and usually found by clicking Start, pointing to Administrative Tools, and then clicking Performance. The FSSP object is called Microsoft Forefront Server Security.

Reinstalling Forefront Security for SharePoint Performance Counters


In the event that the Forefront Security for SharePoint performance counters (used by Performance Monitor) are deleted, they can be reinstalled in two ways:
By reinstalling Forefront Security for SharePoint.
By issuing FFSCCPMSetup from a command prompt in the FSSP install folder (default: C:\Program Files\Microsoft Forefront Security\SharePoint). The syntax is:
ffsccpmsetup -install

SharePoint File Scanner Updating


Forefront Security for SharePoint gives you the flexibility of choosing virus scanning engines from multiple vendors. The standard Forefront Security for SharePoint license includes all currently integrated AV engines: Two from CA (InoculateIT and Vet), Microsoft Antimalware Engine, Norman Virus Control, Sophos Virus Detection Engine, Kaspersky Antivirus Technology, Authentium Command Antivirus Engine, AhnLab Antivirus Scan Engine, and VirusBuster Antivirus Scan Engine. Although all engines are integrated, only five may be enabled at any time. During the installation, the Microsoft AV engine is selected and four other engines are selected at random. Administrators can modify the four additional engine selections during the installation or through the Forefront Server Security Administrator after installation is complete. These engines begin scanning your system as soon as the FSSP service starts. Unless you disable updating a specific engine, it will always be automatically updated. (For more information, see Automatic File Scanner Updating.)

After FSSP is installed, updates automatically take place. By default, the Scanner Update Settings are set to begin updating your engines five minutes after the FSSP service is started. Updates are spaced at five-minute intervals. All selected engines are automatically downloaded and installed by the first update.

Note: We recommend that you schedule updates and do a manual update before scanning with an engine that you have not used before. For more information, see Scheduling an Update and Update Now. For more information about setting up scanning options, see SharePoint Manual Scan Job and SharePoint Realtime Scan Job.

Automatic File Scanner Updating


Scan engines and signature files can be downloaded automatically from the Microsoft HTTP server or from another SharePoint server running Forefront Security for SharePoint. Using the Forefront Server Security Administrator to set a schedule for checking the HTTP or SharePoint server for a new scan engine means that you are automatically protected against new viruses without having to check versions or manually update the files. After FSSP has automatically downloaded an updated scan engine, it instantly puts it to use. During file scanner updates, only the engine being updated is taken offline. The other engines continue to scan for viruses. Note: If you disable a scanning engine on the Scanner Update Settings work pane, you are actually disabling the updating of that engine, but not its use. This means that the engine will continue to scan, but its signatures will not be updated. To discontinue using the engine itself, see "Configuring the Engines" in SharePoint Manual Scan Job and SharePoint Realtime Scan Job.


Scheduling an Update
You can control when your scanning engines update, how often, and the update source.

To schedule updates for scanning engines
1. Select Scanner Updates in the SETTINGS shuttle. The Scanner Update Settings work pane appears. The top of the pane shows a list of all supported file scanners. The bottom of the pane contains the update paths and schedule for a selected scanner, along with information about that scanner. (For more information, see Scanner Information.)
2. Select the name of the engine to be scheduled.
3. Set the primary update path by clicking Primary in the bottom pane and entering a value into the Network Update Path field. By default, FSSP uses the primary update path to download updates. If the primary path fails for any reason, FSSP uses the secondary update path, if any. The primary update path is set to http://forefrontdl.microsoft.com/server/scanengineupdate by default. You may change it to point to another HTTP update site. Or, if you prefer to use UNC updating as the primary update path, enter the UNC path to another SharePoint Server. For more information about UNC updating, see Distributing Updates. To restore the default server path, right-click in the Network Update Path field and select Default HTTP Path.
4. Set the secondary update path, if desired, by clicking Secondary in the bottom pane and entering a value into the Network Update Path field. If the primary path fails for any reason, FSSP will use the secondary update path. It is left blank by default. The secondary path may be set to use HTTP or UNC updating. Enter either a URL or a UNC path to another SharePoint server. For more information about UNC updating, see Distributing Updates.
5. Specify when to check for updates. If you choose a Frequency of Once, this date is the only time update checking will take place. If you specify anything other than Once, this date represents the first time update checking will take place. Click the left and right arrows on the calendar to change the month. Click a particular day to select it. (It will turn blue.)
6. Set a time for the update to take place. Each of the subfields (hour, minute, seconds, and AM/PM) can be selected and set separately. You can enter a time or use the up or down arrows to change the current value of each subfield.
7. Specify how often the update will occur (the frequency). You can choose Once (update only once, on the specified date and time), Daily (update every day, at the same time), Weekly (update each week, on the same day and time), or Monthly (update each month, on the same date and time). We recommend that you select Daily, and then set a Repeat interval to update the engine at multiple times during the day.
8. Indicate a repeat interval. Select Repeat, and then choose a time interval (the minimum time is 15 minutes). We recommend that you check for updates at least every two hours. If a new update is not available at the scheduled time, the engine is not taken offline and no updating is done.
9. Use the Enable and Disable buttons to control whether the update check will be performed for a selected engine. All engine updates are enabled by default.

Note: Enable and Disable control updating only, and not the use of the engine. To discontinue using the engine itself, see "Configuring the Engines" in SharePoint Manual Scan Job and SharePoint Realtime Scan Job.

Scheduling Updates on Multiple Servers


When scheduling engine updates on multiple servers in your organization, we recommend staggering the updates by at least five minutes, to prevent servers from timing out during the update process. When scheduling updates for multiple engines, it is also helpful to stagger the updates in five-minute intervals. Note: If you are using the optional Microsoft Forefront Server Security Management Console to update the scan engines, you should disable scheduled updates in Forefront Security for SharePoint.

Update Now
Click Update Now (on the Scanner Updates work pane) to immediately update a selected scanner. If an update exists, Forefront Security for SharePoint will download it and start using it immediately. This is useful for quick checks between regularly scheduled updates.


Scanner Information
This is the information that appears for a selected scanner:

Engine Version. The version, as reported by the third-party scan DLL.
Signature Version. The version of the scanner's virus definition files currently in use, as reported by the third-party scan DLL (not available with every scanner).
Update Version. The value located in the Manifest.cab file. For more information, see Manifest.cab.
Last Checked. The date and time of the last check made for a new scan engine or definition files.
Last Updated. The date and time of the last update made to the scan engine or definition files.

Manifest.cab
The Manifest.cab files, maintained by Microsoft, store information for determining if a newer version of a scan engine is available for download. (Each engine has an associated Manifest.cab file in its Package folder.) During a scheduled update, or when Update Now is invoked, FSSP searches the network update path for a new update. To minimize overhead, the Manifest.cab file is first downloaded and used to determine if an update is required. If not, no further processing takes place. If it is, the update is then downloaded and applied. When the update is finished, the new Manifest.cab file overlays the old one.

This is the directory structure of the scan engines on a Forefront Security for SharePoint server:

Forefront Security Install\
    Engines\
        x86\
            Engine Name\
                Package\
                    manifest.cab
                Version Directory\
                    manifest.cab
                    enginename_fullpkg.cab
                    other enginename files

Forefront Security Install is the top-level directory where all of the FSSP files are kept. Engine Name is a directory with the name of an engine's vendor (for example: Norman or Sophos). There is an Engine Name directory for each engine. The Package directory contains the most recent Manifest.cab file. To minimize overhead, this file is first downloaded and used to determine if an update is required. If not, no further processing takes place. If it is, the update is downloaded and applied. If the update is successful, the new Manifest.cab file overlays the old one in the Package directory. The Version Directory name has the format yymmddvvvv (year, month, day, version, for example: 0602020001). On any specific day, there may be multiple version directories. Each contains the current Manifest.cab file, the enginename_fullpkg.cab (for example: norman_fullpkg.cab), and all other required files for the engine.

Update on Load
You can configure Forefront Security for SharePoint to update its file scanners when the FSSP service starts. To enable it, select Perform Updates At Startup in the Scanner Updates section of General Options. For more information, see General Options. The update on load feature uses the Windows Task Scheduler. Updates should be scheduled in five-minute intervals to avoid possible conflicts. Updating when the service starts is useful for clustered SharePoint servers, where the inactive node will not receive updates while it is offline.

Distributing Updates
The most common method of distributing updates is to have one server (the hub) receive updates from the Microsoft HTTP server and then share those updates among the rest of the servers (the spokes) in your environment. A server can share engine updates with any other server whose network update path points to it. Start with the computer that you want to be the hub server and establish a Windows share for its Engines directory (which is, by default, in the FSSP install folder). Then, enable the Redistribution Server option in the Scanner Updates section of General Options. For more information, see General Options.

When the hub server has been set up, configure the spoke servers to point to the shared directory by entering its UNC path (\\ServerName\ShareName), into the Primary Network Update Path field of each of the spokes.

Example: Server SharePoint1 receives its updates automatically from the Microsoft HTTP server. SharePoint1 has Forefront Security for SharePoint installed in C:\Program Files\Microsoft Forefront Security\SharePoint, and you have created a share, called AdminShare, that begins at the Engines directory. Another server, SharePoint2, will get its updates from SharePoint1. SharePoint2 will therefore have a UNC Primary Network Update Path of:
\\SharePoint1\AdminShare

To enter UNC credentials
1. Select General Options from the SETTINGS shuttle.
2. In the Scanner Updates section, select Use UNC Settings.
3. Enter the UNC Username and Password. For details, see General Options.
4. Click Save to retain your changes.

Engine Update Notifications


Forefront Security for SharePoint can be configured to send a notification to the Virus Administrator following each engine update. This function is controlled by the Send Update Notification field in the Scanner Updates section of General Options. For more information, see General Options. The notifications include:

Successful update:
Subject Line: Successful update of <engine_name> scan engine on server <server_name>.
Body: The <engine_name> scan engine has been updated from <update_path>.

No Update available:
Subject Line: No new update for the <engine_name> scan engine on server <server_name>.
Body: There are currently no new scan engine files available for the <engine_name> scan engine at <update_path>.

Error Updating:
Subject Line: Failed update of <engine_name> scan engine on server <server_name>.
Body: An error occurred while updating the <engine_name> scan engine. [There may be an error message included here.] For more information, see the program log.

Note: If the Program Log contains the "could not create mapper object" error, it means that the engine in question did not load properly.

Using the New File Scanner


After an update succeeds, FSSP immediately starts using it. Any currently running scan jobs are temporarily paused while FSSP loads the new file scanner. The old file scanner is archived in a LastKnownGood folder. If, for any reason, the newly downloaded file scanner fails, FSSP will revert to the archived copy.

Updating Through a Proxy


In environments where the SharePoint servers must access the Internet through a proxy server, FSSP can be configured to retrieve engine updates through that proxy.

To configure Forefront Security for SharePoint for proxy server updating
1. Select General Options from the SETTINGS shuttle.
2. In the Scanner Updates section of General Options, select Use Proxy Settings.
3. Enter information about the proxy server: name or IP address, port, username (optional), and password (optional). For more information about these fields, see General Options.
4. Click Save to retain your changes.

After the proxy server settings have been entered and saved, they can be deployed to other servers by replicating the General Options settings using the Microsoft Forefront Server Security Management Console.


SharePoint Troubleshooting
For information about contacting Microsoft, see Technical Support.

Diagnostics
Diagnostic logging provides helpful information that can be used by Microsoft support technicians to help troubleshoot any problems that are occurring while Forefront Security for SharePoint is running. Enable diagnostics for the Manual Scan Job or the Realtime Scan Job by selecting that job in the Diagnostics section of General Options. For more information, see General Options. By default, Diagnostic logging for the scan jobs is not selected.

Technical Support
To obtain technical support, visit the Microsoft Web site at Microsoft Help and Support.

Forefront Security Tool


The Forefront Security tool (FSCUtility.exe) is a command-line program that removes Forefront Security dependencies, allowing you to troubleshoot problems with the SharePoint services that may be unrelated to Forefront Security.

Note: Unlike a reset, when you use FSCUtility.exe, the Forefront Security Windows services are not removed. Only the dependencies that have been set are removed.

FSCUtility.exe is located in the Forefront Security install directory (default: C:\Program Files\Microsoft Forefront Security\SharePoint). It has the following parameters:

FSCUtility /status    Gives an on-screen report showing the status of Forefront Security and the server.
FSCUtility /disable   Disables Forefront Security dependencies.
FSCUtility /enable    Enables Forefront Security dependencies.

There are other parameters, but they should only be used when directed by support technicians.

Disabling and Enabling Forefront Security for SharePoint


You can use the Forefront Security tool, FSCUtility.exe, to disable and enable Forefront Security for SharePoint.

To disable Forefront Security for SharePoint by removing dependencies
1. Stop the SharePoint services.
2. Disable FSSP dependencies. At the command line, enter:
fscutility /disable
3. Restart the SharePoint services.

Caution: When you are not running FSSP, you are without its protection.

To enable Forefront Security for SharePoint by reestablishing dependencies
1. Stop the SharePoint services.
2. Enable FSSP dependencies. At the command line, enter:
fscutility /enable
3. Restart the SharePoint services.

SharePoint Registry Keys


Forefront Security for SharePoint stores many settings in the Windows registry. You seldom have to edit the registry yourself, because most of those settings are derived from entries you make in General Options. There are, however, some additional settings you may occasionally need to make. Forefront Security for SharePoint stores registry values in the following locations:

For 32-bit systems:
HKLM\SOFTWARE\Microsoft\Forefront Server Security\SharePoint

For 64-bit systems:
HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\SharePoint

Variable: AdditionalTypeChecking
Description and values: Forefront Security for SharePoint performs signature type checking to avoid scanning those files that can never contain a virus. If it becomes necessary to scan an additional file type, contact Help and Support to obtain the proper setting for the file type you would like to add. This key is set to 0 (off) by default.

Variable: ConvertExtensionType
Description and values: Specifies the extension type with which all deleted attachments will be named (example: abc). By default, its value is txt. To disable this feature (to retain the original extension), replace txt with an empty string (""). To specify a different extension, replace txt with some other string (between one and three characters). If you use an extension size larger than three characters, or if you delete this registry value, it will default back to txt at the next recycling of the services. Any changes made to this registry value take effect only after you recycle the FSSP services.

Variable: DatabasePath
Description and values: Specifies the path under which the FSSP configuration files and Quarantine folder will be created. It defaults to the FSSP installation path (InstalledPath). If this value is changed, the configuration files and the Quarantine folder (along with its contents) must be moved to this new location. If the files are not moved, Forefront Security for SharePoint will recreate the files and the previous settings will be lost. For more information about moving these files, see Moving the Databases.

Variable: ManualScanContinueOnFailed
Description and values: Specifies that Forefront Security for SharePoint should recover from a manual scan failure if a message contains broken or corrupted links to attachments. When the value is 1, FSSP will continue scanning after encountering a message with a broken or corrupted link. A value of 0 (the default) causes FSSP to terminate the scan if a broken or corrupted link is found.

Variable: MaxNestedAttachments
Description and values: Sets the limit for the maximum nested attachments that can appear in MSG, TNEF, MIME, and UUENCODE files. The limit is the sum of the nesting of all of these types. If the maximum is exceeded, the entire file is deleted and a notification is sent stating that an ExceedinglyNested virus was found. The default is 30.

Variable: RealtimeProcessCount
Description and values: This registry value will be created after the initial start of FSCController. The default value is 3, which indicates that three FSSP real-time processes will be launched. You may modify it to represent the number of FSSP realtime processes you want running on the server (the maximum is 10). FSCController must be recycled for the change to take effect.

Variable: RealtimePurge
Description and values: Specifies whether purging by the realtime scanner will take place. A value of 1 (the default) enables purging. A value of 0 disables it.

Variable: ScanAllAttachments
Description and values: Indicates whether FSSP should scan all attachments or just certain types known to contain viruses. When this DWORD value is set to 1, FSSP will scan all file attachments. A value of 0 (the default) indicates that only certain types should be scanned.

These keys contain the scanner information that is reported on the Scanner Update Settings work pane. Although they should not be modified, you may find them useful for reporting purposes.

For 32-bit systems:
HKLM\SOFTWARE\Microsoft\Forefront Server Security\SharePoint\Scan Engines\enginename

For 64-bit systems:
HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\SharePoint\Scan Engines\enginename

Variable            Description
Engine Version      Indicates the current version of <engine name>.
Last Checked        Indicates the date and time <engine name> was last checked.
Last Updated        Indicates the date and time <engine name> was last updated.
Signature Version   Indicates the current version of the <engine name> signature file.
Update Version      Indicates the current update of <engine name>.
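A reporting use of these keys, as an added PowerShell example that is not part of this guide or of the product: read the per-engine values above and flag any engine whose Last Updated value is older than a threshold, which is the quickest way to notice an engine whose scheduled updates have been silently failing. The key paths and value names are the ones listed above; the 24-hour threshold and the parsing of Last Updated as a date string are assumptions, since the guide does not state the stored format.

```powershell
# Added example, not product code: report engine and signature versions from the Scan Engines
# registry keys and flag engines that have not updated within $MaxAgeHours.
# Assumptions: Last Updated is stored as a parseable date/time string; 24 hours is a sample threshold.
param([int]$MaxAgeHours = 24)

# The 64-bit key is under Wow6432Node; a 32-bit host sees it at the non-Wow path.
$candidates = @(
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\SharePoint\Scan Engines',
    'HKLM:\SOFTWARE\Microsoft\Forefront Server Security\SharePoint\Scan Engines'
)
$base = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $base) { throw 'Forefront Security for SharePoint Scan Engines key not found.' }

$now = Get-Date
$report = Get-ChildItem -LiteralPath $base | ForEach-Object {
    # Values are only read here; the guide says these keys should not be modified.
    $p = Get-ItemProperty -LiteralPath $_.PSPath
    $lastUpdated = $null
    if ($p.'Last Updated') {
        try { $lastUpdated = [datetime]::Parse([string]$p.'Last Updated') } catch { $lastUpdated = $null }
    }
    # An engine with no usable Last Updated value has never updated, so it is treated as stale too.
    $stale = ($null -eq $lastUpdated) -or (($now - $lastUpdated).TotalHours -gt $MaxAgeHours)
    [pscustomobject]@{
        Engine           = $_.PSChildName
        EngineVersion    = $p.'Engine Version'
        SignatureVersion = $p.'Signature Version'
        UpdateVersion    = $p.'Update Version'
        LastChecked      = $p.'Last Checked'
        LastUpdated      = $p.'Last Updated'
        Stale            = $stale
    }
}

$report | Sort-Object Stale -Descending, Engine | Format-Table -AutoSize
$staleCount = @($report | Where-Object { $_.Stale }).Count
if ($staleCount -gt 0) {
    Write-Warning "$staleCount engine(s) have not updated in the last $MaxAgeHours hours; check the update path, the proxy settings and the program log."
}
```

Run it from the same PowerShell host (32-bit or 64-bit) consistently so that the same key is read each time and results are comparable between runs.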

SharePoint Keyword Macros


Forefront Security for SharePoint provides keyword macros that can be used in the various fields of a notification (To, cc, bcc, subject, and body) to display information obtained from an item in which an infection was found or that matched a filter. Enter keywords into those fields, surrounded by leading and trailing percent signs (%), as shown in the following procedure. Be sure to save your work. Instead of typing the keyword, you can select it from a shortcut menu.

To select a keyword from the shortcut menu
1. Position the cursor in any notification field, at the point where you want the keyword.
2. Right-click at that point to display a shortcut menu.
3. Select Paste Keyword.
4. Choose from a list of available keywords.
5. Click Save to retain your work.

The following are the possible keyword substitution macros. Use consecutive percent signs (%%) to display the percent sign itself in the notification field.

%Company%         The name of your organization, as found in the registry.
%File%            The name of the detected file.
%Filter%          The name of the filter that detected the item.
%Folder%          The workspace and subfolders where the virus or attachment was found.
%ScanJob%         The name of the scan job that scanned the attachment or performed the filtering operation.
%Server%          The name of the server that found the infection or performed the filtering operation.
%State%           The disposition of the detected item (Deleted, Cleaned, Skipped, Purged, or Identified).
%Virus%           The name of the virus, as reported by the file scanner.
%Virus Engines%   A list of all the scan engines that found the virus.

SharePoint File Types List


The following table shows the file types used by file filters to detect files based solely on their content type. Each has an associated program log number, which is reported in the FSSP program log when the file type is identified by a virus scanner or a file filter. For more information about detecting files by type, see Detecting Files of a Particular Type.

File type    Program log number   Description
ANIfile      66                   Microsoft Windows 95 Animated Cursor file
ARCfile      21                   ARC compression format file
ARJfile      20                   ARJ compression format file
AutoCad      63                   AutoCad file
AVIfile      29                   Windows Audio/Visual file format (Audio/Video Interleaved resource interchange file format)
BMPfile      24                   Bitmap image file
DataZfile    15                   InstallShield file (InstallShield 3)
Docfile      6                    Microsoft OLE Structured Storage file
Eicar        5                    Eicar test virus file
EPSfile      57                   Encapsulated Post-Script file (Adobe)
EXEfile      3                    Microsoft executable file
Font_Type1   64                   Adobe Type 1 Font file
GifFile      22                   GIF image file
GZipFile     16                   GZip compression format file
HyperArc     54                   ARC compression format file (Systems Enhancement Associates)
ICOfile      27                   Windows icon file
IS_Uninst    48                   InstallShield Uninstall file
ISCABfile    14                   Microsoft Cabinet Archive format file
JarFile      52                   Java archive file
JavaClass    45                   Java byte code file (usually contained inside a JAR file)
JPEG         23                   JPEG image file
LHAfile      12                   Compression format file (LHA/LHARC)
MACFILE      77                   A binary (non-text) format that encodes Macintosh files so that they can be safely stored or transferred through non-Macintosh systems
MDB          71                   Access database file
MP3File      67                   MP3 audio file
MPEG1        32                   MPEG animation file (.mpg)
                                  Document file
MS_Chifile   51                   Microsoft Help Index (.chi)
MS_Help      50                   Microsoft Help file (.hlp)
MS_TypeLib   49                   Microsoft Type Library file format (typically used for Microsoft ActiveX service)
MS_WMF       59                   Microsoft Windows Metafile Format graphics (vectored and bit-mapped)
MSCabFile    13                   Cabinet file (Microsoft installation archive)
MSCompress   17/18                Microsoft compression format file
MSIMC_MIME   46                   MIME formatted text file with IMC binary header
MSLibrary    42                   Microsoft Object code library file
MSShortCut   44                   Microsoft Shortcut file (.lnk)
NotesDB      68                   Notes database file
OBJfile      43                   Object Code file (Intel Relocatable Object Module - .obj)
PALfile      26                   Adobe PageMaker Library palette file or a Color palette file
PCXfile      25                   Bitmap graphic file (PC Paintbrush)
PDFfile      47                   Portable Document Format file (Adobe)
PIFfile      4                    Program Information File (Windows), or Vector Graphics GDF format file (IBM mainframe computers)
PKLite       55                   PKLite compression format file
PNGfile      61                   Bitmap graphics file (Portable Network Graphics)
QTMovie      31                   Quick Time Movie file
RARFILE      76                   RAR-compressed archive file
RIFfile      30                   RIFF bitmap graphics file (Fractal Design Painter)
SFXexe       73                   Self-extracting executable file
TARFILE      75                   TAR archive format file (a UNIX method of archiving files, which can also be used by personal computers). TAR archives files but does not compress them, so .tar files are often compressed with other tools, producing extensions such as .tar.gz, .tar.Z, and .tgz.
Text         1                    Text file (.txt)
TifFile      62                   Tagged Image File Format (TIFF) bitmap graphics file
TNEFfile     56                   Microsoft Transport Neutral Encapsulation Format file (Message file)
TrueType     65                   Microsoft TrueType font file (.ttf)
Unicode      2                    Universal Character Code double-byte text file
UnixComprs   53                   Unix Compressed format file
Visio_WMF    60                   Microsoft Visio exported meta file
WavFile      28                   Waveform audio file (RIFF WAVE format)
WinExcel1    8                    Microsoft Excel 1.x file (.xls)
WinWord1&2   7                    Microsoft Word (1.x and 2.x) file
WinWrite     9                    Microsoft Write file
XaraFile     58                   XaraX graphic file
ZipFile      10                   Compressed file created by PKZip
ZOOfile      19                   Compressed file created by ZOO

Forefront Security Diagnostic Tool


Support engineers typically need a variety of information about Forefront Security for SharePoint, and about the SharePoint server it is running on, to accurately diagnose a problem. This information consists of FSSP version information, third-party scan engine versions, the registry settings, FSSP databases, and other information. Gathering this configuration information by hand is not a trivial effort and slows the troubleshooting process. The Forefront Security Diagnostic tool (FSCDiag) automates the collection process by assembling all the necessary data in one file that can then be uploaded or sent to Microsoft as an e-mail attachment.

Information Collected
The Forefront Security Diagnostic tool can collect the following information:
Forefront Security for SharePoint file versions (including scan engine file versions)
SharePoint version
Forefront Security for SharePoint registry key
Forefront Security for SharePoint database (*.fdb) files
Forefront Security for SharePoint archive files
Forefront Security for SharePoint program log file
Windows Event log files
Dr. Watson log file
User.dmp file
Forefront Security for SharePoint install log file

You can request any or all of this information.

Running the Forefront Security Diagnostic Tool


The selected data is gathered and compressed into a single file that can be uploaded or sent in an e-mail attachment to Microsoft.

To run the Forefront Security Diagnostic tool
1. Launch FSCDiag.exe from the Forefront Security install folder (default: C:\Program Files\Microsoft Forefront Security\SharePoint).
2. Select the information to be included by answering each of the following screen prompts. Type Y for yes or N for no, pressing ENTER after each response:
   Add Forefront file versions Yes(Y)/No(N) ?
   Add SharePoint versions Yes(Y)/No(N) ?
   Add Forefront registry key Yes(Y)/No(N) ?
   Add Forefront database files Yes(Y)/No(N) ?
   Add Forefront archive files Yes(Y)/No(N) ?
   Add Forefront Program Log Yes(Y)/No(N) ?
   Add Windows Event log Yes(Y)/No(N) ?
   Add Dr. Watson log Yes(Y)/No(N) ?
   Add User.dmp Yes(Y)/No(N) ?
   Add Forefront Install log Yes(Y)/No(N) ?
3. After the final prompt, the tool gathers the requested information and compresses the results into a new file in the Log\Diagnostics folder (in the FSSP install directory). The file name, constructed from the name of the server, the date, and the time, has the following format:
   Format: InstallDirectoryPath\Log\Diagnostics\FSCDiag-<server name>-<date>-<time>.zip
   date has the format yyyymmdd
   time has the format hh.mm.ss (where hh represents a 24-hour clock)
   Example: C:\Program Files\Microsoft Forefront Security\SharePoint\Log\Diagnostics\FSCDiag-Server1-20060202-17.50.27.zip
4. Upload or send the compressed file in an e-mail attachment to Microsoft.
