Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft Corporation may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft Corporation, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 2006 Microsoft Corporation. All rights reserved. Microsoft, ActiveX, Excel, Forefront, Internet Explorer, Outlook, PowerPoint, Visio, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners. Review the Microsoft Forefront Security Privacy Statement at the Microsoft Forefront Security Web site.
Contents
User's Guide Microsoft Forefront Server Security for SharePoint 2007 Contents SharePoint Introduction Components Installing Forefront Security for SharePoint System Requirements Minimum Server Requirements Minimum Workstation Requirements Installing on a Local Server Installing on a Remote Server Installing to Multiple Servers Administrator-Only Installation Upgrading Hot Upgrade Applying SharePoint Service Packs and Hotfixes Relocating Forefront Security for SharePoint Data Files Uninstalling Forefront Security for SharePoint Evaluation Version Forefront Security for SharePoint Services FSCController FSSPController Disabling Forefront Security for SharePoint Services Disabling Forefront Security for SharePoint Using the Services Control Manager Securing the Service Disabling or Enabling Scan Jobs Disabling Scan Jobs Locally Enabling Scan Jobs Locally Disabling Scan Jobs Remotely Enabling Scan Jobs Remotely Engine Parameters SharePoint Forefront Server Security Administrator Launching the Forefront Server Security Administrator
Connecting to a Local Server Connecting to a Remote Server Connecting to a Different Server Read-Only Administrator Forefront Server Security Administrator User Interface Shuttle Navigator General Options Diagnostics Logging Scanner Updates Scanning SharePoint Multiple Scan Engines Engine Rankings Bias Setting Bias Setting Choices Bias Setting Example Configuring the Bias Setting Cleaning Infected Files SharePoint Manual Scan Job Configuring the Manual Scan Job Scan Job Settings Configuring the Engines Running the Manual Scan Job Immediately Scheduling a Manual Scan Job Viewing Results Send Summary Notification Quick Scan SharePoint Realtime Scan Job Configuring the Realtime Scan Job Scan Job Settings Realtime Antivirus Configuration Settings Configuring the Engines Running the Realtime Scan Job Viewing Results SharePoint Scan Recovery SharePoint Templates Template Uses Creating Templates
Associating a New Template With a Scan Job Modifying Templates Modifying Default File Scanner Update Templates Modifying Notification Templates Using Named Templates Deploying Templates With FSCStarter Deploying Templates Remotely SharePoint File Filtering Creating a File Filter Matching Patterns in the File Name With Wildcard Characters Detecting Files of a Particular Type File Types Selection Detecting Files by File Size Enabling the Filter Action Realtime Scan Job Actions Manual Scan Job Actions Limiting Compressed File Scanning Send Notifications Quarantine Files Deletion Text Editing a File Filter Filter Lists Importing Items Into a Filter List Associating a Filter List With a Scan Job Viewing Filter List Contents Editing a Filter List Filter Sets for File Filters Configuring a Filter Set Associating a Filter Set With a Scan Job Editing a Filter Set Deleting a Filter Set Renaming a Filter Set Deploying Filters to Remote Servers International Character Sets SharePoint Keyword Filtering Creating New Keyword Filter Lists Keyword List Syntax Rules Enabling a Keyword Filter
Action Notify Administrator Quarantine Minimum Unique Keyword Hits Viewing Keyword List Contents Editing a Keyword List Case Sensitive Filtering International Character Sets Event Notifications Forefront Security for SharePoint Notification Web Parts Configuring Notifications Notification Roles Default Notification Roles Enabling or Disabling a Notification Editing a Notification Keyword Substitution Macros Deleting Notifications SharePoint Reporting and Statistics Incidents Log VirusLog.txt Forefront Security for SharePoint Incidents Event Statistics Resetting Statistics Other Incidents Database Tasks Quarantine Quarantine Database Tables Viewing the Quarantine Log ExtractFiles Tool Retrieving a Database Other Quarantine Database Tasks Clearing the Databases Clearing the Incidents Database Clearing the Quarantine Database Exporting Database Items Saving Database Items to Disk Purging Database Items Filtering Database Views Wildcard Characters for Filtering Moving the Databases
Windows Event Viewer Performance Monitor Reinstalling Forefront Security for SharePoint Performance Counters SharePoint File Scanner Updating Automatic File Scanner Updating Scheduling an Update Scheduling Updates on Multiple Servers Update Now Scanner Information Manifest.cab Update on Load Distributing Updates Engine Update Notifications Using the New File Scanner Updating Through a Proxy SharePoint Troubleshooting Diagnostics Technical Support Forefront Security Tool Disabling and Enabling Forefront Security for SharePoint SharePoint Registry Keys SharePoint Keyword Macros SharePoint File Types List Forefront Security Diagnostic Tool Information Collected Running the Forefront Security Diagnostic Tool
SharePoint Introduction
Microsoft SharePoint Products and Technologies are a widely used collaboration platform, and for the same reason they also let viruses spread rapidly throughout an organization. In SharePoint Products and Technologies, viruses can live in documents saved in the various content sources, which may include public folders, workspaces, and Web sites, but traditional antivirus technology cannot monitor or scan the contents of these diverse storage units. SharePoint environments require an antivirus solution that prevents the spread of viruses by scanning all documents in real time as they are accessed or stored, without degrading server performance. Microsoft Forefront Security for SharePoint (FSSP) is the solution for the SharePoint virus problem. Forefront for SharePoint is designed to protect servers running Microsoft Office SharePoint Server 2007 or Microsoft Windows SharePoint Services version 3. Both versions run on either the 32-bit or the 64-bit version of the SharePoint server and have identical functionality. The configuration data for the Forefront for SharePoint Realtime Scan is stored in the SharePoint Portal Server or Windows SharePoint Services configuration database, not in a separate Forefront for SharePoint database. This means that you can access the configuration data from either the Microsoft Forefront Server Security Administrator or the SharePoint Administrator. Forefront for SharePoint also supports the Microsoft Forefront Server Security Management Console (FSSMC). The FSSMC provides administrators with central installation and reporting functionality.
Components
Forefront Service. Acts as the configuration and monitoring agent on the server to which the Forefront Server Security Administrator connects.
Forefront Server Security Administrator. Used to configure and run Forefront for SharePoint locally or remotely.
System Requirements
The following are the minimum server and workstation requirements for Forefront Security for SharePoint.
Microsoft .NET Framework 2.0
Internet Information Services (IIS) in IIS 6.0 worker process isolation mode
NTFS file system
Microsoft Office SharePoint Server 2007 or Microsoft Windows SharePoint Services version 3
550 megabytes (MB) of available disk space
Intel processor, or equivalent
MAPI client, such as Microsoft Outlook, to provide the MAPI interface necessary for the proper parsing of message bodies in .msg files or TNEF-encoded messages
Installation Location dialog box. Select Local Installation.
3. Select Full Installation. At this point, Setup verifies that SharePoint Portal Server or Windows SharePoint Services is installed.
4. When the Engines dialog box appears, select the engines that you want installed. The Microsoft AV engine is always installed; select four others. Four engines are randomly selected for you, but you may change that selection to any four you want. If you select fewer than four, you receive a warning, but the installation continues. You cannot select more than four.
5. Choose the destination directory. Default: C:\Program Files\Microsoft Forefront Security\SharePoint
6. Choose the Start Menu program folder. Default: Forefront Security for SharePoint
7. Enter the account to be used for remote SharePoint database access. This account must be a member of the local Administrators group on the server on which SharePoint Portal Server is installed (a local administrator on the Web server, or an account with System Administrator rights on the database server). Because this account is highly privileged, use a dedicated account rather than a personal administrator account. The user name must be entered in the following format: <domain or server name\user name>
8. After installation is complete, Setup can stop and restart the SharePoint services automatically, if necessary. Click Next to have Setup perform this step, or click Skip to perform it manually later.
9. As in most installations, Setup updates shared Microsoft files on your computer. If you are prompted to restart the computer, you do not have to do so immediately, but it may be necessary for certain FSSP features to work correctly.
10. View the ReadMe file.
Note: Setup copies the service files to the remote server over SMB (to the administrative share named in Share Directory, C$ by default), so run a remote installation only over a network you trust.
To install Forefront Security for SharePoint on a remote SharePoint server
1. Run the Setup.exe file, which is available on your CD image or from the self-extracting package available at the Microsoft Volume Licensing Download Center. The installation process begins automatically.
2. Proceed with the setup until you are prompted by the Installation Location dialog box. Select Remote Installation/Uninstallation. If FSSP is already installed on the remote SharePoint Portal Server or Windows SharePoint Services computer, the install process can automatically stop the SharePoint services, uninstall FSSP, and restart the SharePoint services before beginning the new installation. Enter the following information:
   Server Name. The name of the remote computer on which you are installing FSSP.
   Share Directory. The temporary location that the remote install uses while setting up FSSP. The default is C$.
   At this point, Setup determines whether SharePoint Portal Server or Windows SharePoint Services is installed on the remote computer.
3. When the Engines dialog box appears, select the engines that you want installed. The Microsoft AV engine is always installed; select four others. Four engines are randomly selected for you, but you may change that selection to any four you want. If you select fewer than four, you receive a warning, but the installation continues. You cannot select more than four.
4. Select the Destination Directory and Start Menu folder name.
5. Enter the account to be used for remote SharePoint database access. This account must be a member of the local Administrators group on the server on which SharePoint Portal Server is installed (a local administrator on the Web server, or an account with System Administrator rights on the database server). The user name must be entered in the following format: <domain or server name\user name>
6. After installation is complete, Setup can stop and restart the SharePoint services automatically. This must be done for FSSP to become active. Click Next to have Setup perform this step, or click Skip to perform it manually later.
7. As in most installations, Setup updates shared Microsoft files on your computer. If Setup prompts you to restart your computer, you do not have to do so immediately, but it may be necessary for certain FSSP features to work correctly.
Note: Upon installation, the DCOM permissions on FSCController allow Everyone access, so connecting with the Forefront Server Security Administrator is not restricted to administrators until you change them. Use DCOMCNFG to restrict the launch and access permissions on FSCController to the users who should manage FSSP. For more information about securing access to FSCController, see Forefront Security for SharePoint Services.
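The DCOMCNFG dialog gives no easy way to confirm that the installer's "Everyone" entry is really gone on every server. The following PowerShell script, added here as an example and not part of the Forefront guide or product, dumps the DCOM launch and access DACLs of the FSCController application through WMI so the check can be scripted. It assumes the application's DCOM description contains the text FSCController; adjust the filter if your DCOMCNFG listing shows a different name.

```powershell
# Added example (not from the Forefront guide): list the DCOM launch/activation
# and access permissions of FSCController and flag any remaining "Everyone" allow.
# Assumption: the DCOM application description contains "FSCController".
$apps = Get-WmiObject -Class Win32_DCOMApplicationSetting |
        Where-Object { $_.Description -like '*FSCController*' }
if (-not $apps) { throw 'No DCOM application matching FSCController was found.' }

function Show-Dacl([string]$label, $result) {
    if ($result.ReturnValue -ne 0) { "$label : WMI error $($result.ReturnValue)"; return }
    if (-not $result.Descriptor)  { "$label : no explicit DACL (machine-wide defaults apply)"; return }
    "$label :"
    foreach ($ace in $result.Descriptor.DACL) {
        $who  = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
        $kind = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
        # COM rights mask: 1 execute, 2 local launch, 4 remote launch,
        # 8 local activation, 16 remote activation.
        '  {0,-5} {1,-40} mask=0x{2:X}' -f $kind, $who, $ace.AccessMask
        if ($ace.AceType -eq 0 -and $ace.Trustee.Name -eq 'Everyone') {
            '        ^ Everyone is still allowed; restrict this in DCOMCNFG'
        }
    }
}

foreach ($app in $apps) {
    "AppID $($app.AppID) ($($app.Description))"
    Show-Dacl 'Launch/Activation' $app.GetLaunchSecurityDescriptor()
    Show-Dacl 'Access'            $app.GetAccessSecurityDescriptor()
}
```

Run it on each SharePoint server after you edit the permissions; the deny/allow list it prints is exactly what the DCOM runtime evaluates when a console connects, which makes it a better record for change tickets than a screenshot of the dialog.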
Administrator-Only Installation
An Administrator-only installation places only the Forefront Server Security Administrator onto any Windows workstation or server. The Forefront Server Security Administrator can then be used to centrally manage the FSSP service running on remote SharePoint servers. An Administrator-only installation requires approximately 11 MB of disk space.
To install the Administrator only
1. Run the Setup.exe file, which is available on your CD image or from the self-extracting package available at the Microsoft Volume Licensing Download Center. The installation process begins automatically.
2. Proceed with the setup until you are prompted by the Installation Location dialog box. Select Local Installation.
3. Select Administrator - Admin Console Only.
4. Indicate the installation directory. Default: C:\Program Files\Microsoft Forefront Security\SharePoint
5. Indicate the Start Menu program folder. Default: Forefront Security for SharePoint
Upgrading
The install program detects previous installations of FSSP. Local and remote installs provide the option of uninstalling the previous version or upgrading it. Upgrading an installation only requires that you provide the password for the user account that the FSSP services run under. (For security reasons, FSSP does not store this.) When you upgrade, FSSP retains all of your previous settings, and additional features may be added, based on your environment. Note: When upgrading Forefront Security for SharePoint, all scan jobs have their template settings configured to none, to prevent users from inadvertently overwriting existing settings. To deploy templates, you need to change this setting on each server to default or a named template. For more information about configuring scan job template settings, see SharePoint Templates.
Hot Upgrade
The Microsoft Hot Upgrade technology allows you to apply most upgrades to FSSP without the need to stop or recycle the SharePoint services. However, if critical files need to be upgraded, the services must be recycled after the upgrade. In that case, you are given the opportunity to recycle the services after the upgrade or stop the upgrade if you do not want the services to be recycled at that time.
3. Install the SharePoint service pack or hotfix.
4. Start the SharePoint services and verify that all services are working.
5. Stop all SharePoint services once again.
6. From a command prompt, run the FSCUtility command again to enable the FSSP services. The syntax is:
fscutility /enable
Evaluation Version
Microsoft provides a fully functional version of Forefront Security for SharePoint for a 120-day evaluation. If you have a product key and enter it during installation, the product becomes a fully licensed subscription version. If not, it remains an evaluation version. After 120 days, the evaluation version of FSSP will continue to operate and report detected files. It will, however, cease to clean files. Keyword filters will be set to Skip: Detect Only. To subsequently convert an evaluation version to a subscription version, enter a product key using the Forefront Server Security Administrator, by selecting Product Activation from the Help menu.
FSCController
The Forefront Server Security Administrator connects to FSCController on a server to configure and monitor Forefront Security for SharePoint activities. FSCController, therefore, acts as the agent on that server, and coordinates all real-time and manual scanning activities. The FSCController startup type defaults to automatic. The Schedule service becomes a dependency of FSCController and must be operating properly for FSCController to initialize. There is no benefit from starting or stopping FSCController independently of the Microsoft SharePoint services.
FSSPController
FSSPController is the agent responsible for communicating with the SharePoint SQL Server databases. This service runs under the account used by the SharePoint Administration service. You will be requested to enter the account information during the install process. Note: The account used must be a member of the local Administrators group on the server on which SharePoint Portal Server is installed.
Disabling Forefront Security for SharePoint Using the Services Control Manager
To disable the FSSP services, open the Windows Services console (Services Control Manager). Click Start, click Control Panel, click Administrative Tools, click Services, right-click FSSPController, and then select Stop. Caution: If the Forefront Security for SharePoint service is stopped, SharePoint continues to accept and serve documents, but none of them are scanned; the product fails open rather than blocking traffic.
you to manually swap an engine DLL. When you then enable the scan jobs, you can add an engine parameter to instruct FSSP to update that engine's Last Checked and Last Updated fields, and the Engine Version Number shown in the Forefront Server Security Administrator. Caution: When you disable all scan jobs, Forefront Security for SharePoint halts data flow for ten minutes. After that time, data flow resumes, but no scanning takes place.
The command takes the form fscstarter e<n>. The e parameter enables all scan jobs and causes them to reload their engines; n is the engine parameter value of the engine that you just updated manually (see the Engine Parameters list). Use this method only when you have updated an engine's signature files by hand: Forefront Security for SharePoint merely refreshes the user interface information to reflect the change already made to the engine. This example enables the scan jobs and updates the VirusBuster Antivirus Scan Engine information:
fscstarter e512
The parameters are the same as for a local server. This example enables the scan jobs and updates the VirusBuster Antivirus Scan Engine information on a remote server called Server42:
fscstarter e512 \Server42
Engine Parameters
The engine parameter value is used with FSCStarter to enable a scan job. Each value represents a different vendor or product, as follows:
1 = Norman Virus Control
2 = Microsoft Antimalware Engine
8 = Sophos Virus Detection Engine
16 = CA InoculateIT
32 = CA Vet
64 = Authentium Command Antivirus Engine
128 = AhnLab Antivirus Scan Engine
256 = Forefront Security Worm List
512 = VirusBuster Antivirus Scan Engine
2048 = Kaspersky Antivirus Technology
d. Click Add Program, select Forefront Server Security Administrator from the list, and then click OK. This adds the Forefront Server Security Administrator to the Programs and Services list.
e. Select the Forefront Server Security Administrator in the Programs and Services list.
f. Click Add Port.
g. Enter a name for the port.
h. Enter 135 as the port number.
i. Select TCP as the protocol.
j. Click OK.
Note: TCP port 135 is the RPC endpoint mapper that DCOM uses to locate FSCController; the program exception admits the dynamically assigned DCOM ports that the console itself uses. If you are concerned about opening port 135 to all computers, you can open it only for the Forefront servers. When adding port 135, click Change Scope and select Custom list. Enter the IP addresses of all the Forefront servers that should be allowed access through port 135.
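When the console is deployed to several administrator workstations, the same two exceptions are easier to apply and audit from a script than through the dialog. The following PowerShell script is an added example, not part of the Forefront guide or product; it uses the netsh firewall context of Windows Server 2003 SP1 / Windows XP SP2 (the Windows Firewall of this product's era). The console executable name and the two Forefront server addresses are assumptions, labelled as such in the code; take the real executable path from the entry the Add Program dialog shows.

```powershell
# Added example (not from the Forefront guide): create the Windows Firewall
# exceptions the Administrator console needs, scoped to the Forefront servers.
# Assumptions: the console executable name below (take the real path from the
# Add Program dialog) and the server addresses 192.0.2.10/.11 (constructed).
$installDir       = 'C:\Program Files\Microsoft Forefront Security\SharePoint'
$consoleExe       = Join-Path $installDir 'FSSAClient.exe'   # file name is an assumption
$forefrontServers = '192.0.2.10,192.0.2.11'                  # constructed sample scope

if (-not (Test-Path $consoleExe)) { throw "Console executable not found: $consoleExe" }

# Program exception: lets the console accept DCOM callbacks on the dynamic
# RPC ports, but only from the listed Forefront servers.
netsh firewall add allowedprogram "program=$consoleExe" `
    "name=Forefront Server Security Administrator" mode=ENABLE `
    scope=CUSTOM "addresses=$forefrontServers"

# RPC endpoint mapper (TCP 135), likewise restricted to the Forefront servers
# instead of "all computers".
netsh firewall add portopening protocol=TCP port=135 `
    "name=Forefront DCOM endpoint mapper" mode=ENABLE `
    scope=CUSTOM "addresses=$forefrontServers"

# Print the resulting configuration so the custom scope can be verified.
netsh firewall show config
```

Check the "show config" output for the Scope column of both entries: an entry that reads "All" means the custom list did not take effect and port 135 is open to every host that can reach the workstation.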
on the local computer. The local server name is filled in by default. (You could also enter the local alias.)
Read-Only Administrator
The Forefront Server Security Administrator may be run in a read-only mode. To do so, the administrator needs to modify the NTFS permissions on the FSSP install directory so that only users permitted to change FSSP settings have Modify access. By default, the FSSP install directory is C:\Program Files\Microsoft Forefront Security\SharePoint. Its actual value can be found in DatabasePath in one of these registry keys:
For 32-bit systems: HKLM\Software\Microsoft\Forefront Server Security\SharePoint
For 64-bit systems: HKLM\Software\Wow6432Node\Microsoft\Forefront Server Security\SharePoint
To ensure proper configuration, first remove Modify access for all users, and then grant Modify access only to the users who are allowed to change Forefront Security for SharePoint settings. When a user without Modify access opens the Forefront Server Security Administrator, it shows Read-Only at the top and does not allow any configuration changes. Note that members of the local Administrators group keep Full Control of the directory by default and are therefore never placed in read-only mode; pair this setting with the FSCController DCOM permissions to control who can connect at all.
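The permission change described above, as an added PowerShell example that is not part of the Forefront guide or product. It reads DatabasePath from the two registry keys the guide names, then uses icacls (present on Windows Server 2003 SP2 and later; an assumption for your build) to replace the Users entry with read-only access and grant Modify to a single group. The group name CONTOSO\FSSP-Admins is an assumption.

```powershell
# Added example (not from the Forefront guide): make the console read-only for
# everyone except one group by rewriting the NTFS DACL of the install directory.
# Assumption: CONTOSO\FSSP-Admins is the group allowed to change FSSP settings.
$settingsAdmins = 'CONTOSO\FSSP-Admins'

# Locate the install directory the way the guide describes (32-bit, then WOW64 key).
$keys = @(
    'HKLM:\Software\Microsoft\Forefront Server Security\SharePoint',
    'HKLM:\Software\Wow6432Node\Microsoft\Forefront Server Security\SharePoint'
)
$installDir = $null
foreach ($k in $keys) {
    if (Test-Path $k) { $installDir = (Get-ItemProperty -Path $k).DatabasePath; break }
}
if (-not $installDir -or -not (Test-Path $installDir)) {
    throw 'DatabasePath not found; FSSP does not appear to be installed on this computer.'
}

# Stop inheriting from C:\Program Files so the entries below are the whole DACL
# (existing inherited entries are converted to explicit ones, not dropped).
icacls "$installDir" /inheritance:d

# Step 1 of the guide: remove Modify for all users. /grant:r replaces the
# Users entry outright with read and execute only.
icacls "$installDir" /grant:r 'BUILTIN\Users:(OI)(CI)RX'

# Step 2: grant Modify only to the settings administrators.
icacls "$installDir" /grant "${settingsAdmins}:(OI)(CI)M"

# Show the final DACL for the change record.
icacls "$installDir"
```

Do not remove the entries for SYSTEM or for the account the FSSP services run under; the services need to write to this directory. Open the console as a member of Users afterwards and confirm the Read-Only banner before relying on the setting.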
Shuttle Navigator
The Shuttle Navigator is divided into several areas:
SETTINGS. Configure scan jobs, antivirus settings, scanner updates, templates, and General Options. For more information, see General Options.
FILTERING. Configure keyword filtering, file filtering, and filter lists.
OPERATE. Configure jobs, schedule jobs, and perform Quick Scans.
REPORT. Configure notifications. View incidents and the quarantine area.
General Options
General Options, accessed from the SETTINGS shuttle, provides access to a variety of system-level settings for Forefront Security for SharePoint, eliminating the need to directly access the registry to change them.
Although there are many options that can be controlled through the General Options panel, each of them has a default (enabled, disabled, or a value) that is probably the correct one for your enterprise. It is rare that any of these settings needs to be changed. However, several of the settings were entered during installation, and you might need to change one of them from time to time. The General Options work pane is divided into several sections: Diagnostics, Logging, Scanner Updates, and Scanning.
Diagnostics
Additional Manual. Logs every file scanned by the manual scanner.
Additional Realtime. Logs every file scanned by the realtime scanner.
Notify on Startup. Indicates that FSSP should send a notification to all the e-mail addresses listed in the Virus Administrators list (Realtime Scan, Email) whenever the Realtime Scan Job starts. Only SMTP addresses may be used. (For more information about setting up notifications to Administrators, see Event Notifications.)
Logging
Enable Event Log. Enables the logging of FSSP events to the event log. Enabled by default.
Enable Performance Monitor and Statistics. Enables the logging of FSSP performance statistics in Performance Monitor. Enabled by default.
Program log (ProgramLog.txt). Enables the FSSP program log. Enabled by default.
Virus log (VirusLog.txt). Enables the FSSP virus log. Disabled by default.
Max Program Log Size. Specifies the maximum size of the program log, expressed in kilobytes (KB). The minimum size is 512 KB. A value of 0 (the default) indicates that there is no limit on the maximum size, so on a busy server consider setting a cap so that the log cannot fill the volume.
For more information about the log files and Performance Monitor, see SharePoint Reporting and Statistics.
Scanner Updates
Redistribution Server. Indicates that this server is the central hub that distributes scanner updates to other servers. (For more information, see Distributing Updates.)
Update on Load. Indicates that engines should be automatically updated every time FSSP is started.
Engine update notifications. Sends a notification to the Virus Administrator each time a scan engine is updated. (For more information about setting up notifications to Administrators, see Event Notifications.)
Use proxy settings. Indicates that proxy settings are to be used. (For more information, see Updating Through a Proxy.)
Use UNC credentials. Indicates that UNC credentials are needed. (For more information, see Distributing Updates.)
Proxy server. Indicates the name or IP address of the proxy server. Required if using proxy settings.
Proxy Port. Indicates the port number that Forefront Security for SharePoint should use. Required if using proxy settings. The default is port 80.
Proxy Username. Indicates the name of a user with access rights to the proxy server, if necessary. Optional field.
Proxy Password. Indicates the password for the proxy user name, if necessary. Optional field.
UNC Username. Indicates the name of a user with access rights to the UNC path, if necessary. Optional field.
UNC Password. Indicates the password for the UNC user name, if necessary. Optional field.
For more information about updating the scan engines, see SharePoint File Scanner Updating.
Scanning
Block/Delete Corrupted Compressed Files. Indicates whether compressed files that are corrupted are deleted or blocked, depending on the Action settings for the Realtime and Manual Scan Jobs. They are reported as a CorruptedCompressedFile virus. Enabled by default.
Corrupted UUENCODE files. Indicates whether UUENCODE files that are corrupted are deleted or blocked, depending on the Action settings for the Realtime and Manual Scan Jobs. They are reported as a CorruptedCompressedUuencodeFile virus. Enabled by default.
Block/Delete Encrypted Compressed Files. Indicates whether encrypted compressed files are deleted or blocked, depending on the Action settings for the Realtime and Manual Scan Jobs. (Encrypted files cannot be scanned by the AV scan engines.) They are reported as an EncryptedCompressedFile virus.
Scan Office documents as containers (Manual Scan Job). Specifies that the Manual Scan Job should scan .doc files and any other files that use structured storage and the OLE embedded data format (for example, .xls, .ppt, or .shs) as container files. This ensures that any embedded files are scanned as potential virus carriers.
Scan Office documents as containers (Realtime Scan Job). Specifies that the Realtime Scan Job should scan .doc files and any other files that use structured storage and the OLE embedded data format (for example, .xls, .ppt, or .shs) as container files. This ensures that any embedded files are scanned as potential virus carriers.
Note: When a Microsoft Office file (PowerPoint, Access, Excel, or Word document) is embedded in another Office file, its data is included as part of the original Office file; such files are not scanned individually. If, however, another file type (such as .exe) is embedded in one of these files that is then embedded in an Office file, it is detected and scanned as a separate file. (The .exe extension remains visible because its icon is a GIF file that cannot be deleted. If you click the file, the icon is replaced with the correct TXT icon.)
Case Sensitive Keyword Filtering. Specifies that keyword filtering should be case-sensitive. Filtering is not case-sensitive by default.
Rescan after scanner update. Indicates that previously scanned files should be re-scanned when accessed following a scanner update.
Forefront Manual Priority. Specifies the priority of manual scans: Normal (the default), Below Normal, or Low. This lets more important jobs take precedence over manual scans when demands on server resources are high.
Note: When the Manual Scan Priority is set to Low, the Manual Scan Job may not stop immediately when you click STOP in the Run Job work pane.
Max Container File Infections. Specifies the maximum number of infections allowed in a compressed file. If this is exceeded, the entire file is deleted and FSSP sends a notification stating that an ExceedinglyInfected virus was found. A value of zero means that there is no limit on the number of infections that can be detected. The default value is 5 infections.
Maximum container file size to clean. Specifies the maximum container file size (in bytes) that FSSP will attempt to clean or repair if it discovers an infected file. The default is 26 MB (26,214,400 bytes). Larger files are deleted if they are infected or meet File Filter rules. Forefront Security for SharePoint reports these deleted files as a LargeInfectedContainerFile virus.
Max nested documents. Specifies the maximum number of nested documents that can appear in MSG, TNEF, MIME, and UUENCODE documents. The limit is the sum of the nestings of all of these types. If the maximum is exceeded, FSSP blocks or deletes the document and reports that an ExceedinglyInfected virus was found. The default is 30.
Max Nested Compressed Files. Specifies the maximum nesting depth for a compressed file. If this is exceeded, the entire file is deleted and FSSP sends a notification stating that an ExceedinglyNested virus was found. A value of zero means that unlimited nesting is allowed. The default is 5.
Realtime scan timeout. Specifies the number of milliseconds (msec) that FSSP will scan a compressed attachment before reporting it as a ScanTimeExceeded virus in real-time scans. Intended to prevent the denial-of-service risk from "zip of death" attacks. The default value is 600,000 msec (ten minutes).
Manual scan timeout. Specifies the number of milliseconds that FSSP will scan a compressed attachment before reporting it as a ScanTimeExceeded virus in manual scans. Intended to prevent the denial-of-service risk from "zip of death" attacks. The default value is 600,000 msec (ten minutes).
Multiple engines are easy to configure. You need only select which engines you would like to use for a scan job and indicate the bias setting. (For more information, see Bias Setting.) These two settings (both on the Antivirus Settings work pane) allow the Forefront Security for SharePoint Multiple Engine Manager (MEM) to properly control the selected engines during the scan job. MEM uses the engine results to decide the likelihood that a particular message or file contains a virus. If any of the engines used in a scan detects something, FSSP considers the item infected and has MEM deal with it accordingly. (For more information, see Cleaning Infected Files.)
Engine Rankings
MEM uses the results from each engine as part of its engine ranking process. MEM ranks each engine based on its past performance and its age. This information allows MEM to weight each engine so that better performing ones are used more during scanning, and their results are given more weight in determining if a file is infected. This ensures that the most up-to-date and best performing engines have more influence in the scanning process. If two or more engines are equally ranked, FSSP invokes them by cycling through various engine order permutations.
Bias Setting
The bias setting controls how many engines are needed to give you an acceptable probability that your system is protected, recognizing that there is a trade-off between virtual certainty and system performance. The more engines you use, the greater the probability that all viruses will be caught; however, the more engines you use, the greater the impact on your system's performance. At one extreme is the number of engines to use for maximum certainty; at the other is the number of engines that allows maximum performance. In between is the number of engines that gives balanced (called neutral) performance, which will probably be your optimal setting. You can have a different bias setting on different servers, depending on your needs. For example, you might use a single engine on a server where throughput is the overriding concern and several engines on servers where performance is not as critical.
Note: The bias setting only applies to virus scanning. It is not used in file filtering.
Bias setting         Description
Neutral              Each item is virus-scanned by at least three engines.
Favor Certainty      Fluctuates between virus scanning each item with three and five engines.
Maximum Certainty    Each item is virus-scanned by all five of the selected engines.
ones in use by the Realtime Scan Job. We recommend that you do a full manual scan after installing FSSP for the first time. Note: When Forefront Security for SharePoint cleans an infected file that has been checked into a document library, the file extension is not changed. For example: If the file Eicar.com is detected, the contents are removed and replaced with the deletion text, but the file extension remains .com rather than being changed to Eicar.txt. (For more information, see Deletion Text.) If the same file is cleaned while it is nested inside a compressed file, however, the extension is changed to .txt.
specific ones or by using the buttons beneath the tree view:
All: Select all the files or folders displayed in the tree.
None: Clear all the files or folders displayed in the tree.
Find: Search for a particular folder or file.
Browse: Open a selected folder in the Web browser (to visually check that it is the one you want to manually scan).
Refresh: Update the tree.
3. Modify the deletion text, if desired. (For more information, see Deletion Text.) Clicking Deletion Text displays the text used by Forefront Security for SharePoint when replacing the contents of an infected file during a Delete operation. You may modify this text to place a custom message inside the deleted file attachments. Forefront Security for SharePoint provides keywords that can be used in the Deletion Text field to obtain information from the file in which the infection was found. For a list of available keywords, see Keyword Macros.
initially selected by default. (Although you may only use a maximum of five engines, you may use any five. You are not limited to the ones you selected during the installation.) To run jobs that only perform file filtering, disable all the scanners (by clearing their check boxes).
Note: If you have the maximum of five engines selected and you want to change the ones used, clear the check boxes of unwanted engines before selecting new ones. You may only have a maximum of five engines selected at a time.
4. Select a Bias setting for the scan job. For more information about bias settings, see SharePoint Multiple Scan Engines.
5. Select the Action for FSSP to perform when it detects a virus:
Skip: detect only. Make no attempt to clean or delete the infection. Viruses will be reported, but the files will remain infected.
Clean: repair document. Attempt to replace the infected file with a clean version. If unsuccessful, the file will be deleted and the deletion text will be sent in its place. (For more information, see Deletion Text.)
Delete: remove infection. Delete the file without attempting to clean the infection. The deletion text will be sent in place of the file. (For more information, see Deletion Text.)
Note: Due to SharePoint restrictions, if Forefront Security for SharePoint deletes a file that has been checked in to a SharePoint document library, the file icon and extension will remain the same, but the contents will be replaced with the deletion text. (For more information, see Deletion Text.)
6. Enable or disable e-mail notifications for the Manual Scan Job by using the Send Notifications field. This setting does not affect reporting to the Virus Incidents or Scan Job log. Notifications are disabled by default.
7. Enable or disable saving files detected by the file scanning engines by using the Quarantine Files field. Quarantine is enabled by default.
8. To perform scans as quickly and efficiently as possible, FSSP normally scans only those files that can potentially contain viruses. It does this by first determining the file type and then by determining if that file type can be infected with a virus. The file type is determined by looking at the file header and not by looking at the file extension. This is a much more secure method because file extensions can be easily spoofed. This pre-scan check increases Forefront Security for SharePoint performance, while making sure no potentially infected file attachments pass without being scanned. If you would like all attachments to be scanned, no matter what the type, set the ScanAllAttachments registry key to 1. The registry key can be found at:
For 32-bit systems: HKLM\Software\Microsoft\Forefront Server Security\SharePoint
For 64-bit systems: HKLM\Software\Wow6432Node\Microsoft\Forefront Server Security\SharePoint
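The following is an added example, not Forefront code, that illustrates the pre-scan check described in step 8: the file type is taken from the leading bytes of the file rather than from its extension, a renamed executable is therefore still recognised (and flagged as a mismatch), and a scan_all flag mirrors the effect of setting ScanAllAttachments to 1. The signature table, the extension mapping and the sample files are constructed for the example; a real scanner carries far more signatures.

```python
"""Header-based file type identification versus extension-based identification.

Added example (not Forefront code). The magic-number table, the extension
mapping and the sample inputs are constructed for illustration only.
"""

# (magic bytes, type name) pairs; constructed subset for this example.
MAGIC_TABLE = [
    (b"MZ", "pe"),                                  # Windows executable or DLL
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy Office binary (.doc/.xls/.ppt)
    (b"PK\x03\x04", "zip"),                         # ZIP container, including OOXML (.docx/.xlsx)
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]

# Types whose content cannot carry executable code or macros, so the pre-scan
# check may skip them. Anything unrecognised is still scanned (fail closed).
SAFE_TO_SKIP = {"png", "gif"}

# What an extension claims the file is; constructed mapping for the example.
EXTENSION_TYPES = {
    ".exe": "pe", ".dll": "pe",
    ".doc": "ole2", ".xls": "ole2", ".ppt": "ole2",
    ".docx": "zip", ".xlsx": "zip", ".zip": "zip",
    ".pdf": "pdf", ".png": "png", ".gif": "gif", ".txt": "text",
}


def sniff_type(data: bytes) -> str:
    """Identify the type from the leading bytes only; 'unknown' if no signature matches."""
    for magic, kind in MAGIC_TABLE:
        if data.startswith(magic):
            return kind
    return "unknown"


def type_from_extension(filename: str) -> str:
    """Identify the type the extension claims; 'unknown' if there is no known extension."""
    name = filename.lower()
    dot = name.rfind(".")
    if dot == -1:
        return "unknown"
    return EXTENSION_TYPES.get(name[dot:], "unknown")


def classify(filename: str, data: bytes, scan_all: bool = False) -> dict:
    """Decide whether to scan, and flag a header/extension mismatch as possible spoofing."""
    header_type = sniff_type(data)
    ext_type = type_from_extension(filename)
    # A recognised header that disagrees with the extension is the spoofing case
    # the guide warns about; the header wins.
    spoofed = header_type != "unknown" and ext_type != header_type
    # scan_all mirrors ScanAllAttachments = 1: every file is scanned regardless of type.
    scan = scan_all or header_type not in SAFE_TO_SKIP
    return {
        "header_type": header_type,
        "extension_type": ext_type,
        "spoofed": spoofed,
        "scan": scan,
    }


if __name__ == "__main__":
    # Constructed samples: a renamed executable, a genuine PNG, and an OOXML document.
    samples = [
        ("notes.txt", b"MZ\x90\x00" + b"\x00" * 60),
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("report.docx", b"PK\x03\x04" + b"\x00" * 26),
    ]
    for name, blob in samples:
        print(name, classify(name, blob))
```

The decision is deliberately fail-closed: only files whose header identifies a type that cannot carry code are skipped, and an unrecognised header is scanned rather than trusted.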
not halt immediately when Stop is selected.
6. View the results of the scan. For more information, see Viewing Results.
Viewing Results
The lower pane of the Run Job work pane displays the infections or filtered results found by the currently selected job. These results are stored to disk by the Forefront Security for SharePoint Service and are not dependent on the Forefront Server Security Administrator remaining open. The database files can be cleared when no longer needed. For more information, see Clearing the Databases. Note: When a new document library is created, SharePoint services creates resource file folders that contain files needed for the proper functioning of SharePoint services. FSSP scans these folders and the results are reflected in the manual scan statistics. This results in several hundred extra files being reported as scanned.
Quick Scan
There are times when you need to scan a single document library or run a special one-time virus scanning job. Quick Scan allows you to perform this task efficiently by combining both the configuration and operation features of a single Manual Scan Job in a single work pane.
To run Quick Scan
1. Select Quick Scan in the OPERATE shuttle of the Forefront Server Security Administrator. The Quick Scan work pane appears. The top left pane shows a tree view of the document libraries that can be scanned (as detailed in Scan Job Settings). The top right pane contains the list of File Scanners, the bias setting, the Action, Send Notifications, and Quarantine Files (as detailed in Configuring the Engines). There are no Save or Cancel buttons. Any changes you make are automatically saved and will be used to populate the various fields the next time you invoke the Quick Scan.
2. Make any desired changes to the Quick Scan job configuration.
3. Click Start to run the scan. After the job has started, you can Stop or Pause it by clicking the appropriate button.
Allow scanner to use up to ___ threads: The number of processes the VSAPI scanning interface will run simultaneously. The default of 10 simultaneous threads is also the maximum.
If Scan Documents on Upload and Scan Documents on Download are both cleared, the Realtime Scan Job and its Attempt to Clean Infected Documents setting will both be disabled. When Attempt to Clean Infected Documents is selected, the Action for the Realtime Scan Job will be set to Clean. Finally, if the Realtime Scan Job is disabled in the Run Job dialog box, Scan Documents on Upload and Scan Documents on Download will be cleared and all the other settings, except Allow Users to Download Infected Documents, will be disabled.
engines selected at a time.
2. Select a Bias setting for the scan job. For more information about bias settings, see Multiple Scan Engines.
3. Select the Action for FSSP to perform when it detects a virus.
Skip: detect only. Make no attempt to clean or delete the infection. Viruses will be reported, but the files will remain infected.
Clean: repair document. Attempt to replace the infected file with a clean version. If unsuccessful, the file will be deleted and the deletion text will be sent in its place. For more information, see Deletion Text.
Note: This option is only available if Attempt to clean infected documents is selected in Scan Job Settings.
Block: prevent transfer. If FSSP identifies a file as infected, it will be blocked from being uploaded or downloaded. The user will receive a SharePoint message that the file was infected and could not be uploaded or downloaded.
Note: Due to SharePoint restrictions, if FSSP deletes a file that has been checked in to a SharePoint document library, the file icon and extension remain the same, but the content is replaced with text as previously described.
4. Enable or disable e-mail notifications for the Realtime Scan Job by using the Send Notifications field. This setting does not affect reporting to the Virus Incidents or Scan Job log. Notifications are disabled by default.
5. Enable or disable saving files detected by the file scanning engines by using the Quarantine Files field. Quarantining is enabled by default.
6. To perform scans as quickly and efficiently as possible, FSSP normally scans only those files that can potentially contain viruses. It does this by first determining the file type and then by determining if that file type can be infected with a virus. The file type is determined by looking at the file header and not by looking at the file extension. This is a much more secure method because file extensions can be easily spoofed. This pre-scan check increases Forefront Security for SharePoint performance, while making sure no potentially infected file attachments pass without being scanned. If you want all attachments to be scanned, no matter what the type, set the ScanAllAttachments registry key to 1. The registry key can be found at:
For 32-bit systems: HKLM\Software\Microsoft\Forefront Server Security\SharePoint
For 64-bit systems: HKLM\Software\Wow6432Node\Microsoft\Forefront Server Security\SharePoint
Viewing Results
The lower pane of the Run Job work pane displays the infections or filtered results found by the currently selected job. These results are stored to disk by the FSSP service and are not dependent on the Forefront Server Security Administrator remaining open. The database files can be cleared when no longer needed. For more information, see Clearing the Databases.
SharePoint Templates
When it was installed, Forefront Security for SharePoint created default templates for the various scan jobs, scan engines, and notifications. At installation time, scan jobs were configured to use the values in the default templates. You can create additional templates for File Filter and Keyword Filter settings, as well as additional scan jobs, as needed. (These are called named templates.) Templates are useful for controlling the configuration of Forefront Security for SharePoint on multiple servers from a central location and the configuration of scan jobs and other functions at installation. Templates are stored in the Template.fdb file, which initially contains the following default templates:
- Scan job templates, which include Realtime and Manual Scan Job templates.
- Notification templates for each of the notification categories. (For more information, see Event Notifications.)
- Scanner update templates for each scan engine that is installed on the current system.
Note: Only the primary network update path field (and not the secondary network update path) of a file scanner update template will be modified when the template is deployed to a server.
To deploy templates to remote computers after an upgrade, you must set FSSP on the target server to use default templates or named templates for configuring the scan job settings. (For more information, see Using Named Templates and Deploying Templates Remotely.)
To view templates in the Forefront Server Security Administrator, click File, click Templates, and then click View Templates. This will cause the default and named templates to be displayed in the various work panes.
Template Uses
Templates are used for two purposes:
1. Controlling configuration settings of all FSSP servers from a single location. After the Template.fdb file is created, the Microsoft Forefront Server Security Management Console (FSSMC) can be used to copy and activate the template settings on multiple FSSP servers throughout your organization. Templates can be deployed simultaneously to multiple FSSP servers, and their settings can be applied to currently running scan jobs without the need to stop or restart any services. (For information about how to use the FSSMC to deploy templates, see the Microsoft Forefront Server Security Management Console User Guide.)
2. Controlling the configuration of scan jobs at installation time. The settings for all the scan jobs are contained in the file Scanjobs.fdb. If it is not present when the FSSP service starts, a new one is created, based on the values in the Template.fdb file. If the Template.fdb file does not exist, a new one is created, based on the values in the Scanjobs.fdb file. If they both do not exist, new ones are created using default values. Thus, by deliberately deleting one of these files, you can force its reconstruction based on the values contained in the other one. By including templates in your install images, you can configure your remote servers at the time of installation.
Creating Templates
To use named templates, you must create them and associate them with jobs.
To create a new template (called a named template)
1. Select Templates from the SETTINGS shuttle of the Forefront Server Security Administrator. The Template Settings work pane appears.
2. Click File, click Templates, and then click View Templates to have templates displayed in the Job List. If you have many templates, you may want to normally hide them just to simplify the display.
3. Click File, click Templates, and then click New. The New Template work pane appears.
4. Select the Type of template you want to create (Realtime, Manual, or Filter Set).
5. Give the template a Name, and then click OK. The new template is created and becomes a choice in the Template list in the bottom pane of the Template Settings work pane.
6. Select the scan job (in the Job List) with which the template is to be associated. Note that if none of the scan jobs is selected in the Job List, the Template list is not active.
7. Select your new template in the Template list, and then click Save.
8. Display the appropriate work pane to configure the template (Antivirus, File Filtering, or Keyword Filtering). For example, if you have created a real-time scan job template, select Antivirus in the SETTINGS shuttle, select the new template in the Job List, and then configure it as you would a real-time scan job. Click Save when you are done.
9. Associate the new template with the scan job by following the directions given in Associating a New Template With a Scan Job or distribute it to remote servers using the Microsoft Forefront Server Security Management Console.
10. Rename or delete a template by selecting it in the Job List. Then, click File, click Templates, and then click Rename or Delete. (You will be asked to confirm a deletion.) You cannot delete or rename a default template.
Note: You cannot create new notification templates. You must modify the default notification template to update Notification settings.
For more information about named templates, see Using Named Templates.
Modifying Templates
There are times when you might want to make changes to an existing template.
To modify an existing template
1. If the templates are not visible, display them. Click File, click Templates, and then click View Templates.
2. Select a work pane with the template to be modified (for example, Scan Job Settings).
3. Select the template to be modified in the Job List.
4. Configure the template as desired, and then click Save.
Note: The default template settings are not changed when scan job settings are changed and saved. To change the settings in a default template, you must follow the steps in Modifying Default File Scanner Update Templates.
The t parameter instructs FSCStarter to read the settings in the Template.fdb file and apply them on the current server. All scan job settings (including filter settings), all filter settings, all notification settings, and all file scanner update paths can be updated. You must insert a space between FSCStarter and the t parameter. However, there is no space between the t parameter and the options.
If the optional newtemplatefile parameter is specified, the file you indicate (by entering its full path) will overlay the current Template.fdb file before any settings are updated. The following options allow subsets of the template settings file (Template.fdb) to be applied. Enter any combination of the options, in any order, with no spaces. If no options are specified after the t parameter, all settings in the Template.fdb file are updated.
c  Update the Content Filter (Keyword) settings for each scan job.
f  Update the File Filter settings for each scan job.
l  Update the Filter Lists for each scan job.
n  Update the Notification settings with the data in the associated templates.
p  Update the Network Update Paths for all installed file scanners.
s  Update the Scan Job settings with the data found in the associated template type. All Realtime Scan Jobs will be updated with the settings found in the Realtime Scan Job template and all Manual Scan Jobs will be updated with the settings found in the Manual Scan Job template. This includes File Filter and Content Filter settings.
For example, to update the Content Filter settings, the File Filter settings, and the Notification settings, you would enter: fscstarter tcfn
Before you deploy templates to a server (local or remote), you must ensure that the Forefront Security for SharePoint scan jobs on that server are configured to run from templates. To do so, select Templates on the SETTINGS shuttle. The Template Settings work pane appears. The Template field associated with each scan job should be set to either Default (the default value) or to a named template. (Templates will not be used if the value is None.)
All the templates are stored in the Template.fdb file, so all will be deployed when you use the FSSMC. This is not a problem if all of your servers are configured identically, but if you have multiple configurations in your environment, be sure to distribute the template files that match the configuration of the targeted servers. If you have multiple configurations, it is helpful to configure your servers to use named templates for their settings. This will allow you to easily distribute template files to all your servers without worrying about corrupting configuration settings. For more information about configuring servers at installation time to use named templates, see Using Named Templates. For more information about using the FSSMC to deploy templates, refer to the Microsoft Forefront Server Security Management Console User Guide.
To create a new file filter
1. Select File from the FILTERING shuttle. The File Filtering work pane appears.
2. Select a scan job (in the top pane) with which the new file filter should be associated.
3. Click the Names button. All available filters are displayed in the Filter Lists section.
4. Click Add. An entry field appears in the File Names pane.
5. Type the name of the filter (which is the name of a specific file), and then press ENTER. You can use wildcard characters in the name. (For more information, see Matching Patterns in the File Name With Wildcard Characters.) Finally, you can indicate that files of a certain size are to be checked. (For more information, see Detecting Files by File Size.) If you make a mistake typing the name of the filter, select it in the File Names pane, and then click Edit. Fix the mistake, and then press ENTER. To delete a file filter, select it in the File Names pane, and then click Delete.
6. Indicate the File Type. (For more information, see Detecting Files of a Particular Type.)
7. Ensure that the filter is enabled. (For more information, see Enabling the Filter.)
8. Indicate the Action to be taken if the filter is matched. (For more information, see Action.)
9. Indicate if notifications are to be sent. (For more information, see Send Notifications.)
10. Indicate if matched files are to be quarantined. (For more information, see Quarantine Files.)
11. Change the Deletion Text, if desired. (For more information, see Deletion Text.)
12. Click Save to save your work.
*  Used to match any number of characters in a file name. You can use multiple asterisks. The following are some examples of its usage:
Single: Any of these single wildcard character patterns would detect veryevil.doc: veryevil.*, very*.doc, very*, *il.doc.
Multiple: Any of these multiple wildcard character patterns would detect eicar.com: e*c*r*om, ei*.*, *car.*.
Note: Use multiple asterisks to filter file attachments with multiple extensions. For example: love*.*.*
?  Used to match any single character in a name where a single character may change. For example: virus?.exe would find virusa.exe, virus1.exe, or virus$.exe. However, this filter would not find virus.exe.
[set]  A list of characters or ranges, enclosed in square brackets [abcdef]. Any single character in the specified set will be matched. For example: klez[a-h].exe would find kleza.exe through klezh.exe.
[^set]  Used to exclude characters that you know are not used in the file name. For example: klez[^m-z].exe would not find klezm.exe through klezz.exe.
range  Used to indicate several possible values in a set. It is specified by a starting character, a hyphen (-), and an ending character. For example: klez[ad-gp].exe would match kleza.exe, klezd.exe, klezf.exe, and klezp.exe but not klezb.exe or klezr.exe.
\char  Indicates that special characters are used literally. (The characters are: * ? [ ] - ^ < >.) The backslash is called an escape character, and indicates that a reserved control character is to be taken literally, as a text character. For example: If you enter *hello*, you would normally expect to match hello anywhere in the file name. If you enter *\*hello\**, you would match *hello*. If you enter *\*hello\?\**, you would match *hello?*.
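As an added example (not Forefront code), the matcher below implements the wildcard syntax just described, so the patterns from the table can be tested against file names before they are put into a filter list. It translates *, ?, [set], [^set], ranges and backslash escapes into an anchored regular expression. Two assumptions not stated on the page are made: a pattern must match the whole file name (which is what the *il.doc and very* examples imply), and matching is case-insensitive, as Windows file names are.

```python
"""Matcher for the file-filter wildcard syntax: * ? [set] [^set] ranges and \\-escapes.

Added example, not part of the product. Assumptions: whole-name matching,
case-insensitive comparison.
"""
import re

# Characters that may be escaped with a backslash to be taken literally.
SPECIALS = set("*?[]-^<>")


def _char_class(body: str) -> str:
    """Convert the inside of [set] or [^set] into a regex character-class body."""
    out = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in SPECIALS:
            out.append("\\" + body[i + 1])            # escaped special, kept literal
            i += 2
            continue
        out.append("\\" + ch if ch in "]\\" else ch)  # '-' passes through so ranges work
        i += 1
    return "".join(out)


def wildcard_to_regex(pattern: str) -> str:
    """Translate a filter pattern into an anchored regular expression."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in SPECIALS:
            out.append(re.escape(pattern[i + 1]))      # \char: literal special character
            i += 2
        elif ch == "*":
            out.append(".*")                           # any number of characters
            i += 1
        elif ch == "?":
            out.append(".")                            # exactly one character
            i += 1
        elif ch == "[":
            # Find the closing bracket, skipping escaped characters inside the set.
            j = i + 1
            while j < len(pattern) and pattern[j] != "]":
                j += 2 if pattern[j] == "\\" else 1
            if j >= len(pattern):
                raise ValueError(f"unterminated [set] in pattern {pattern!r}")
            body = pattern[i + 1:j]
            negate = body.startswith("^")
            if negate:
                body = body[1:]
            out.append("[" + ("^" if negate else "") + _char_class(body) + "]")
            i = j + 1
        else:
            out.append(re.escape(ch))                  # ordinary character
            i += 1
    return "^" + "".join(out) + "$"


def matches(pattern: str, filename: str) -> bool:
    """True if the file name matches the filter pattern."""
    return re.match(wildcard_to_regex(pattern), filename, re.IGNORECASE) is not None


def first_match(patterns, filename):
    """Return the first pattern in a filter list that matches, or None."""
    for p in patterns:
        if matches(p, filename):
            return p
    return None


if __name__ == "__main__":
    for pat, name in [("very*", "veryevil.doc"), ("virus?.exe", "virus.exe"),
                      ("klez[ad-gp].exe", "klezr.exe"), ("*\\*hello\\**", "*hello*")]:
        print(f"{pat:20} {name:15} {matches(pat, name)}")
```

Because a pattern such as very* is anchored at both ends, the trailing asterisk is what lets it reach the end of the name; without that anchoring a filter like *.doc would also match report.docx, which is rarely what the administrator intends.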
Action
Choose the action that you want FSSP to perform when a specified file name is detected. There are different actions available for realtime and manual scans.
Note: You must set the action for each file filter you configure. The Action setting is not global.
SkipFileFilterWithinCompressedManual
Send Notifications
Enables or disables e-mail notifications for the selected file name. This does not affect reporting to the Virus Incidents or Scan Job log. Notifications are disabled by default.
Quarantine Files
Enables or disables quarantine for the selected file name. Quarantine is enabled by default.
Deletion Text
This is the text used by Forefront Security for SharePoint when replacing the contents of an infected file during a Delete operation. You may modify this text to place a custom message inside the deleted file attachments. Forefront Security for SharePoint provides keywords that can be used in the Deletion Text field to obtain information from the file in which the infection was found. For a list of available keywords, see SharePoint Keyword Macros.
Filter Lists
You can create and maintain lists of filters for use by different scan jobs or to organize your filters, if you have created many of them. Simply create one or more named lists of filters (rather than a series of individual ones) to be associated with various scan jobs.
To create and configure a new filter list
1. Select Filter Lists from the FILTERING shuttle. The Filter Lists work pane appears.
2. Select the type of filter list (Files or Keywords) in the List Types section of the top pane.
3. Click Add in the List Names section.
4. Type a name for the new list, and then press ENTER. The new list's name is added to the List Names section.
5. With the new list's name selected, click Edit. The Edit Filter List dialog box appears. Use it to enter files to include in the search query.
6. Click Add (under Include In Filter), type a search query, and press ENTER. To have multiple items, enter each item individually. To have an item excluded from the list (never scanned), click Add in the Exclude From Filter section, type the item name in the field, and then press ENTER. This section is used to enter items that should never be included in the filter list. This will prevent these items from accidentally being added to the Include section when importing a list from a text file. To modify an existing list, select an item, click Edit, and then make the required changes.
7. You can import file names from a text file by means of the Import button. (For more information, see Importing Items Into a Filter List.) After you have built a list, you can save it to a text file by means of the Export button. This file can later be imported into other Include lists to reduce typing.
8. Click OK to return to the Filter Lists work pane when you are finished entering queries. You will now see the new filter and all its queries.
9. Click Save to save your work.
Action.)
7. Indicate if notifications are to be sent. (For details, see Send Notifications.)
8. Indicate if matched files are to be quarantined. (For details, see Quarantine Files.)
9. Change the Deletion Text, if desired. (For details, see Deletion Text.)
10. Click Save to save your work. The filter list is now associated with the selected scan job.
3. Select Filter Set.
4. Enter a name for the new filter set.
5. Click OK. The new filter set will then be displayed in the upper pane whenever you click File, click Templates, and then click View Templates.
6. Configure the new filter set. (For more information, see Configuring a Filter Set.)
Note: To cancel the association, repeat the steps in the preceding procedure and select None from the Filter Set list.
2. Select Rename from Templates on the File menu. The Rename Template dialog box appears.
3. Type the template's new name.
4. Click OK.
The t parameter instructs FSCStarter to read the settings in the Template.fdb file and apply them to the current server.
Note: You must insert a space between FSCStarter and the t parameter and between the options and the \servername. However, there is no space between the t parameter and the options.
The following are the options. They may be entered in any order, with no spaces.
F  Update the file filter or filter sets settings for each scan job.
L  Update the filter lists for each scan job.
For example, to update the file filter settings, you would enter: fscstarter tf
items. You will now see the new filter list and all its items.
10. Enable the list, and set its Action and other attributes. (For more information, see Enabling a Keyword Filter.)
11. Click Save to retain your work.
Queries use OR functionality. It is considered to be a positive detection if any entry is a match. Queries may contain operators that separate text tokens. Such queries are called expressions. There must be a space between an operator and a keyword (shown as an ordinary space in the following examples). The following logical operators are supported:
_AND_ (Logical AND). For example, apple _AND_ orange juice.
_NOT_ (Negation). For example, apple _AND_ _NOT_ juice.
_ANDNOT_ (Same as _AND_ _NOT_). For example, apple _ANDNOT_ juice.
_WITHIN[#]OF_ (Proximity). If the two terms are within a specific number of words of each other, there is a match. For example, free _WITHIN[10]OF_ offer. (If free is within 10 words of offer, this query will be true.)
_HAS[#]OF_ (Frequency). Specifies the minimum number of times the text must appear for the query to be considered true. For example, _HAS[4]OF_ get rich quick. If the phrase get rich quick is found in the text four or more times, this query will be true. This operator is implicitly assumed and has a default value of 1 when it is not specified.
Multiple _AND_, _NOT_, _HAS[#]OF_, and _WITHIN[#]OF_ operators are allowed in a single query. The precedence of the operators is (from highest to lowest):
1) _WITHIN[#]OF_
2) _HAS[#]OF_
3) _NOT_
4) _AND_
The logical operators must be entered in uppercase letters.
Phrases may be used as keywords, for example, apple juice or get rich quick.
Multiple blank spaces (blank characters, line feed characters, carriage return characters, horizontal tabs, and vertical tabs) are treated as one blank space for matching purposes. For example, A followed by two blanks and B is treated as A B and matches the phrase A B. In HTML encoded message texts, punctuation (any character that is not alphanumeric) is treated as a word separator similar to blank spaces. Therefore, words surrounded by HTML mark-up tags can be properly identified by the filter. However, note that the filter <html> matches <html>, but does not match html. Examples (each operator is separated from its keywords by a space):
apple _AND_ orange _AND_ lemon _WITHIN[50]OF_ juice
confidential _WITHIN[10]OF_ project _AND_ banana _WITHIN[25]OF_ shake
_HAS[2]OF_ get rich _WITHIN[20]OF_ quick
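The following evaluator is an added example, not Forefront code, written to make the operator precedence and the OR semantics of a keyword filter list concrete. Where the page leaves details open, the code assumes: matching is case-insensitive; a keyword may be a phrase of consecutive words; X _WITHIN[n]OF_ Y holds when an occurrence of X starts within n word positions of an occurrence of Y, and contributes one hit per such occurrence of X (so _HAS[2]OF_ over a proximity term requires two such pairs); and, following the stated precedence, _AND_ is split first, then _NOT_, then _HAS[#]OF_, with _WITHIN[#]OF_ resolved last. The sample text is constructed.

```python
"""Evaluator for the keyword-filter query language: _AND_, _NOT_, _ANDNOT_,
_WITHIN[#]OF_ and _HAS[#]OF_, with filter-list entries ORed together.

Added example, not part of the product; see the lead-in for the assumptions.
"""
import re
from typing import List

_WITHIN = re.compile(r"\s_WITHIN\[(\d+)\]OF_\s")
_HAS = re.compile(r"^_HAS\[(\d+)\]OF_\s")


def tokenize(text: str) -> List[str]:
    """Any run of blanks, tabs, CR or LF is one separator; lower-case for matching."""
    return text.lower().split()


def occurrences(words: List[str], phrase: List[str]) -> List[int]:
    """Start positions at which the phrase appears as consecutive words."""
    k = len(phrase)
    return [i for i in range(len(words) - k + 1) if words[i:i + k] == phrase]


def count_term(words: List[str], term: str) -> int:
    """Hits for a plain phrase, or for 'X _WITHIN[n]OF_ Y' (highest precedence)."""
    m = _WITHIN.search(term)
    if m is None:
        return len(occurrences(words, tokenize(term)))
    n = int(m.group(1))
    left = occurrences(words, tokenize(term[:m.start()]))
    right = occurrences(words, tokenize(term[m.end():]))
    # One hit per occurrence of the left term that has the right term within n words.
    return sum(1 for p in left if any(abs(p - q) <= n for q in right))


def eval_conjunct(words: List[str], conjunct: str) -> bool:
    """One _AND_ operand: optional _NOT_, then optional _HAS[n]OF_, then a term."""
    conjunct = conjunct.strip()
    negate = conjunct.startswith("_NOT_ ")
    if negate:
        conjunct = conjunct[len("_NOT_ "):].strip()
    minimum = 1                      # _HAS[1]OF_ is implied when the operator is absent
    m = _HAS.match(conjunct)
    if m:
        minimum = int(m.group(1))
        conjunct = conjunct[m.end():].strip()
    hit = count_term(words, conjunct) >= minimum
    return not hit if negate else hit


def match_query(query: str, text: str) -> bool:
    """True if a single filter-list entry matches the text."""
    words = tokenize(text)
    query = query.replace(" _ANDNOT_ ", " _AND_ _NOT_ ")   # _ANDNOT_ is _AND_ _NOT_
    return all(eval_conjunct(words, c) for c in query.split(" _AND_ "))


def match_filter(queries: List[str], text: str) -> bool:
    """Filter-list semantics: any matching entry is a positive detection."""
    return any(match_query(q, text) for q in queries)


if __name__ == "__main__":
    # Constructed sample document (not from the page).
    sample = "Act now and get rich quick with this free offer\n\nGet Rich Quick is our motto"
    for q in ["free _WITHIN[10]OF_ offer",
              "_HAS[2]OF_ get rich quick",
              "_HAS[2]OF_ get rich _WITHIN[1]OF_ quick",
              "free _ANDNOT_ motto"]:
        print(f"{q:45} {match_query(q, sample)}")
```

Running the demonstration shows the precedence at work: _HAS[2]OF_ get rich _WITHIN[1]OF_ quick is false on the sample even though "get rich" appears twice, because the frequency test applies to the proximity pairs, and within one word position there are none.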
Action
Select the action for FSSP to take if it detects a keyword filter match. The choices are:
Skip: Detect Only. Records the number of files that meet the filter criteria, but allows the files to route normally. Notifications are sent to the Administrator and the Sender, if notifications are enabled.
Block: Prevents the transfer of a file that meets the filter criteria. This action is for real-time scans only.
Delete: Deletes the contents of the file and replaces it with the string that was configured using the deletion text. (For more information, see Deletion Text.) This action is for manual scans only.
Note: You must set the action for each keyword filter you configure. The action setting is not global.
Notify Administrator
Enables or disables e-mail notifications. Notifications are disabled by default.
Quarantine
Enables or disables quarantine. It is enabled by default. If enabled, each file will be quarantined for later analysis or routing by the administrator.
appears at all. The keyword filter has not been matched, because only one term in the list was matched.
Event Notifications
Event notifications provide a convenient way for administrators to receive information about virus and filtering events without having to continually check logs or the Incidents work pane. Both e-mail (SMTP) and browser-based notifications are available. Notifications are sent automatically to the e-mail address of the administrator configured in FSSP. Note: To send e-mail notifications, you must configure an SMTP server for SharePoint Portal Server to use when sending the notifications.
8. Click Add a Web Part in the area you would like the Forefront detailed notifications to appear, and then select Forefront Notifications Detailed from the list of available web parts.
9. Select Exit Edit Mode to complete editing the detailed notifications page.
10. Return to the portal site's home page and add the Forefront Notifications Summary web part to the desired area of the page in the same manner. The summary web part will now link to the detailed web part when it is clicked.
Configuring Notifications
There are various types of notification messages and each can be individually configured.
To configure notifications
1. Select Notification in the REPORT shuttle. The Notification Setup work pane appears. The top pane of the Notification Setup work pane contains the list of default notification roles. Each role can be customized, as well as enabled or disabled. (For more information about roles, see Notification Roles.)
2. Enable those notifications that are to be in effect. (For more information, see Enabling or Disabling a Notification.)
Note: Scan Job configurations control whether a Scan Job will send any enabled notifications.
3. Make the desired changes to the notifications that are to be enabled. (For more information, see Editing a Notification.)
4. Click Save to retain your work.
Notification Roles
The top pane of the Notification Setup work pane contains the list of default notification roles. Each role can be customized, as well as enabled or disabled. Both File and Virus notifications include individual notices for Web and e-mail. Web notifications are sent to the Forefront Security Notifications area of the SharePoint browser and e-mail notifications are sent to the e-mail address of the administrator or author.
Editing a Notification
Changes that you make to the lower pane of the Notification Setup work pane apply to the currently selected Notification role and take effect immediately when you click Save. All fields can have keyword substitution macros. For more information, see SharePoint Keyword Macros. The following fields can be edited:
To: (Recipients). A semicolon-separated list of people and groups who will receive the notification. This list can include SharePoint names, aliases, and groups. For servers that are in a domain, user names should follow the syntax domain\username. For servers that are in a workgroup, user names should follow the syntax servername\username.
Subject. The message that will be sent on the subject line of the notification.
Body. The message that will be sent as the body of the notification.
Deleting Notifications
SharePoint administrators can view all the notifications in the database. This allows them to delete undeliverable or old notifications as needed. To delete the notifications that appear in the Forefront Security Web Parts, the user must be a member of the Power Users group. Navigate to Forefront Notifications - Detailed and click Delete All Notifications. All Forefront Security notifications throughout the system, regardless of the individual SharePoint security settings, will be deleted.
Incidents Log
The incidents log is a database (Incidents.mdb) that stores a record of all detected viruses and items trapped by filters for a SharePoint server. Results are stored in the database by FSCController and are not dependent on the Forefront Server Security Administrator remaining open. To view this log, select Incidents in the REPORT shuttle. The Incidents work pane appears. This is the information that Forefront Security for SharePoint reports for each incident:
Time. The date and time of the incident.
State. The action taken by Forefront Security for SharePoint.
Name. The name of the scan job that reported the incident.
Folder. The name of the folder where the file was found.
File. The name of the virus or the name of the file that matched a file filter or content filter.
Incident. The type of incident that occurred. The categories are VIRUS and FILE FILTER. Each is followed by either the name of the virus caught or the name of the filter that triggered the event.
Author Name. The name of the author of the document.
Author's E-mail. The e-mail address of the author of the document.
Last Modified By. The name of the last user to modify the document.
Modified User's E-mail. The e-mail address of the last user to modify the document.
Note: The last four fields will be reported as N/A for the Realtime Scan Job because FSSP does not have access to this information during a real-time scan.
VirusLog.txt
You can also have virus and filter events recorded in a file called VirusLog.txt. To enable this file, select Enable Forefront Virus Log in General Options. When enabled, all virus incidents are written to the VirusLog.txt text file, under the FSSP installation path (InstalledPath). The following is a sample entry from the VirusLog.txt file:
Wed Dec 14 12:56:13 2005 (3184), "Information: Realtime scan found virus: Folder: WorkSpace1\SavedFiles File: Eicar.com Incident: VIRUS=EICAR-STANDARD_AV_TEST_FILE State: Cleaned"
Reported incident: EngineLoopingError
General Options setting: Not applicable
Description: Forefront has deleted a file causing a scan engine to be caught in a read/write loop while scanning or attempting to clean a file.

Reported incident: ExceedinglyInfected
Description: Forefront has deleted a compressed file that has exceeded the maximum number of infections, as set in General Options. When the number is exceeded, the entire container is deleted.

Reported incident: ExceedinglyNested
Description: Forefront has deleted a compressed file that has exceeded the maximum nested depth, as set in General Options. When the number is exceeded, the entire file is deleted.

Reported incident: ExceedinglyNested
Description: Forefront has deleted a file that has exceeded the maximum nested attachment limit. The default is 30 attachments. For more information, see "MaxNestedAttachments" in SharePoint Registry Keys.

Reported incident: LargeInfectedContainerFile
Description: Forefront has deleted a file that has exceeded the maximum container size that it will attempt to clean or repair. The default is 26 MB, but you may change the value in General Options.

Reported incident: ScanTimeExceeded
General Options setting: Max Scan Time
Description: Forefront has deleted a container file that has exceeded the maximum amount of scan time (in milliseconds). The default value is 600,000 msec (10 minutes).

Reported incident: UnReadableCompressedFile
General Options setting: Not applicable
Description: Forefront has deleted a compressed file that it could not read.

Reported incident: UnWriteableCompressedFile
General Options setting: Not applicable
Description: Forefront has deleted a compressed file to which it cannot write (for example, during a cleaning operation).
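To show how VirusLog.txt entries such as the sample above can be parsed and triaged against the reported-incident names in the table above, here is an added Python example; it is not part of the guide or of the product. The parser is written from the shape of the guide's single sample line; the filter and container-limit entries in the constructed sample log follow the same shape and are assumptions, since the guide does not show FSSP's exact wording for those cases.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Names that FSSP reports as a "virus" but that really mean a container hit a
# scanning limit and was deleted (the reported-incident table above). They are
# worth reviewing separately: the file was never positively identified as malicious.
CONTAINER_LIMIT_INCIDENTS = {
    "EngineLoopingError", "ExceedinglyInfected", "ExceedinglyNested",
    "LargeInfectedContainerFile", "ScanTimeExceeded",
    "UnReadableCompressedFile", "UnWriteableCompressedFile",
}

# States in which the detected item was left in the library and needs follow-up.
NOT_REMOVED_STATES = {"Skipped", "Identified"}

# Shape of the sample line in the guide: ctime-style timestamp, process id in
# parentheses, then a quoted message with Folder/File/Incident/State fields.
LINE_RE = re.compile(
    r'^(?P<when>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) '
    r'\((?P<pid>\d+)\), '
    r'"(?P<level>\w+): (?P<scanjob>\w+) scan found virus: '
    r'Folder: (?P<folder>.*?) File: (?P<file>.*?) '
    r'Incident: (?P<kind>VIRUS|FILE FILTER)=(?P<name>.*?) '
    r'State: (?P<state>\w+)"$'
)


@dataclass
class Incident:
    when: datetime
    pid: int
    scanjob: str
    folder: str
    file: str
    kind: str    # VIRUS or FILE FILTER
    name: str    # virus name or filter name
    state: str   # Deleted, Cleaned, Skipped, Purged or Identified

    @property
    def category(self) -> str:
        if self.kind == "FILE FILTER":
            return "file-filter"
        if self.name in CONTAINER_LIMIT_INCIDENTS:
            return "container-limit"
        return "virus"


def parse_line(line):
    """Parse one VirusLog.txt entry; return None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Incident(
        when=datetime.strptime(m["when"], "%a %b %d %H:%M:%S %Y"),
        pid=int(m["pid"]),
        scanjob=m["scanjob"],
        folder=m["folder"],
        file=m["file"],
        kind=m["kind"],
        name=m["name"],
        state=m["state"],
    )


def parse_log(text):
    """Parse a whole VirusLog.txt body, silently skipping unrecognised lines."""
    return [inc for inc in map(parse_line, text.splitlines()) if inc is not None]


def summarize(incidents):
    """Counts per category plus the items still in place that need follow-up."""
    by_category = Counter(inc.category for inc in incidents)
    still_present = [
        f"{inc.folder}\\{inc.file}" for inc in incidents if inc.state in NOT_REMOVED_STATES
    ]
    return {"by_category": dict(by_category), "still_present": still_present}


# Constructed sample log: the first line is the guide's own example; the others
# are assumed to follow the same shape (filter hit, container-limit deletion,
# and a detection that was skipped rather than removed).
SAMPLE_LOG = "\n".join([
    r'Wed Dec 14 12:56:13 2005 (3184), "Information: Realtime scan found virus: Folder: WorkSpace1\SavedFiles File: Eicar.com Incident: VIRUS=EICAR-STANDARD_AV_TEST_FILE State: Cleaned"',
    r'Wed Dec 14 13:02:45 2005 (3184), "Information: Realtime scan found virus: Folder: WorkSpace1\Uploads File: archive.zip Incident: VIRUS=ExceedinglyNested State: Deleted"',
    r'Wed Dec 14 13:10:02 2005 (2210), "Information: Manual scan found virus: Folder: WorkSpace2\Shared Documents File: budget.xls.exe Incident: FILE FILTER=Block executables State: Deleted"',
    r'Wed Dec 14 13:15:30 2005 (3184), "Information: Realtime scan found virus: Folder: WorkSpace2\Shared Documents File: report.doc Incident: VIRUS=EICAR-STANDARD_AV_TEST_FILE State: Skipped"',
])

if __name__ == "__main__":
    incidents = parse_log(SAMPLE_LOG)
    for inc in incidents:
        print(f"{inc.when:%Y-%m-%d %H:%M:%S} {inc.scanjob:8} {inc.category:15} {inc.name} -> {inc.state}")
    print(summarize(incidents))
```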
Event Statistics
Forefront Security for SharePoint maintains three basic groups of statistics:
Event Rate. Tracks the number of events per second (by means of Windows Performance Monitor).
Event. Tracks the number of events for the current Forefront Security for SharePoint session.
Total Events. Tracks the total number of events since installation or reset.
Only the Event and Total Events statistics for each scan job are reported in the bottom pane of the Incidents work pane. The Event Rate statistics can be viewed with Windows Performance Monitor. Within each group, several different events are maintained (for both realtime and manual scans):
Documents Scanned
Documents Detected
Documents Cleaned
Documents Removed
Total Documents Scanned
Total Documents Detected
Total Documents Cleaned
Total Documents Removed
Resetting Statistics
The Event Rate and Event statistics for the Realtime and Manual Scan Jobs are automatically reset to zero each time the FSSP service is started. All statistics for each scan job can also be manually reset. To reset all the statistics for a scan job, click the X in the Statistics display next to the scan job's name at the top of the column. You can also recycle the services to reset the statistics.
[Figure: The control to reset statistics]
You will be asked to confirm the reset. Clicking Yes will reset all the statistics for the selected scan job. Use the Export button (on the Incidents work pane) to save the report and the statistics in either formatted text or delimited text formats. Note: You may instruct FSSP to write all virus incidents to a text file named VirusLog.txt by selecting Enable Forefront Virus Log in General Options. (For more information, see General Options.)
Quarantine
Forefront Security for SharePoint, by default, creates a copy of every detected file before a Clean, Delete, or Skip action. These files are stored in an encoded format in the Quarantine folder in the FSSP install directory, unless you relocate it. (For information, see Moving the Databases.) Each detected file is saved under the name Filex, where x is the ID number of the file. The Quarantine database consists of two tables stored inside the Quarantine.mdb file. (For more information, see Quarantine Database Tables.) This database is configured as a system data source name (DSN) with the name Forefront Quarantine, and can be viewed and manipulated using third-party tools.
Quarantine. This table contains all the details for each quarantined message.
Type: Text; Size: 255; Description: Attachment file name
Type: Text; Size: 255; Description: Virus name
Type: Text; Size: 255; Description: Sender name
Type: Date/Time; Size: Not applicable; Description: Date and time file was quarantined
Type: Int; Size: Not applicable; Description: File ID used to save a renamed quarantined file (for example, File9)
Field name: ID; Type: AutoNumber; Size: Not applicable; Description: Identifies a row in the table
ExtractFiles Tool
Forefront Security for SharePoint includes a console tool, ExtractFiles, that allows you to extract all, or a subset, of the quarantined files to a specified directory. ExtractFiles.exe has two required arguments, path and type:
Path. The absolute path of the folder in which to save the extracted quarantined files.
Type. The type of quarantined files to extract. This can be the specific name of a virus, a specific extension, or all quarantined files:
Jerusalem.Standard  Extracts files that were infected with the virus named Jerusalem.Standard.
*.doc  Extracts quarantined files having a .doc extension.
*.*  Extracts all quarantined files.
This is the syntax of ExtractFiles:
extractfiles path type
Retrieving a Database
Quarantine database files can be retrieved using the FSSMC, as described in the Microsoft Forefront Server Security Management Console User Guide. You can select a .csv file to open (to view or retrieve) in the standard manner. (The .csv file was created by the Export function.) After the data is retrieved, you can export or delete the quarantined files as needed. Export creates a .csv text file of the Quarantine log, either formatted or delimited. (For more information, see Exporting Database Items.) The Save As function saves a copy of the database.
After you have cleared the entries in both places, they will no longer appear in the work panes. However, they will actually be deleted from the Incidents.mdb database only when it is compacted, which automatically occurs every day at 02:00 (2:00 A.M.). You can also delete a subset of the results by selecting one or more entries (use the SHIFT and CTRL keys to select multiple entries), and then using the DELETE key to remove them from the Incidents listing. Note: If a large number of entries is selected, the deletion process can take a long time. In this case, you will be asked to confirm the deletion request.
[!] Denotes a negative set or range. Matches any single character not within the specified set (for example, [!abcdef]) or range (for example, [!a-f]).
Performance Monitor
All FSSP virus scan statistics can be displayed using the Performance Monitor tool (Perfmon.exe) provided by Windows and usually found by clicking Start, pointing to Administrative Tools, and then clicking Performance. The FSSP object is called Microsoft Forefront Server Security.
By issuing FFSCCPMSetup from a command prompt in the FSSP install folder (default: C:\Program Files\Microsoft Forefront Security\SharePoint). The syntax is:
ffsccpmsetup -install
Engine, and VirusBuster Antivirus Scan Engine. Although all engines are integrated, only five may be enabled at any time. During the installation, the Microsoft AV engine is selected and four other engines are selected at random. Administrators can modify the four additional engine selections during the installation or through the Forefront Server Security Administrator after installation is complete. These engines begin scanning your system as soon as the FSSP service starts. Unless you disable updating a specific engine, it will always be automatically updated. (For more information, see Automatic File Scanner Updating.) After FSSP is installed, updates automatically take place. By default, the Scanner Update Settings are set to begin updating your engines five minutes after the FSSP service is started. Updates are spaced at five-minute intervals. All selected engines are automatically downloaded and installed by the first update. Note: We recommend that you schedule updates and do a manual update before scanning with an engine that you have not used before. For more information, see Scheduling an Update and Update Now. For more information about setting up scanning options, see SharePoint Manual Scan Job and SharePoint Realtime Scan Job.
Scheduling an Update
You can control when your scanning engines update, how often, and the update source.
To schedule updates for scanning engines
1. Select Scanner Updates in the SETTINGS shuttle. The Scanner Update Settings work pane appears. The top of the pane shows a list of all supported file scanners. The bottom of the pane contains the update paths and schedule for a selected scanner, along with information about that scanner. (For more information, see Scanner Information.)
2. Select the name of the engine to be scheduled.
3. Set the primary update path by clicking Primary in the bottom pane and entering a value into the Network Update Path field. By default, FSSP uses the primary update path to download updates. If the primary path fails for any reason, FSSP uses the secondary update path, if any. The primary update path is set to http://forefrontdl.microsoft.com/server/scanengineupdate by default. You may change it to point to another HTTP update site. Or, if you prefer to use UNC updating as the primary update path, enter the UNC path to another SharePoint Server. For more information about UNC updating, see Distributing Updates. To restore the default server path, right-click in the Network Update Path field and select Default HTTP Path.
4. Set the secondary update path, if desired, by clicking Secondary in the bottom pane and entering a value into the Network Update Path field. If the primary path fails for any reason, FSSP will use the secondary update path. It is left blank by default. The secondary path may be set to use HTTP or UNC updating. Enter either a URL or a UNC path to another SharePoint server. For more information about UNC updating, see Distributing Updates.
5. Specify when to check for updates. If you choose a Frequency of Once, this date is the only time update checking will take place. If you specify anything other than Once, this date represents the first time update checking will take place. Click the left and right arrows on the calendar to change the month. Click a particular day to select it. (It will turn blue.)
6. Set a time for the update to take place. Each of the subfields (hour, minute, seconds, and AM/PM) can be selected and set separately. You can enter a time or use the up or down arrows to change the current value of each subfield.
7. Specify how often the update will occur (the frequency). You can choose Once (update only once, on the specified date and time), Daily (update every day, at the same time), Weekly (update each week, on the same day and time), or Monthly (update each month, on the same date and time). We recommend that you select Daily, and then set a Repeat interval to update the engine at multiple times during the day.
8. Indicate a repeat interval. Select Repeat, and then choose a time interval (the minimum time is 15 minutes). We recommend that you check for updates at least every two hours. If a new update is not available at the scheduled time, the engine is not taken offline and no updating is done.
9. Use the Enable and Disable buttons to control whether the update check will be performed for a selected engine. All engine updates are enabled by default. Note: Enable and Disable control updating only, and not the use of the engine. To discontinue using the engine itself, see "Configuring the Engines" in SharePoint Manual Scan Job and SharePoint Realtime Scan Job.
Update Now
Click Update Now (on the Scanner Updates work pane) to immediately update a selected scanner. If an update exists, Forefront Security for SharePoint will download it and start using it immediately. This is useful for quick checks between regularly scheduled updates.
Scanner Information
This is the information that appears for a selected scanner:
Engine Version. The version, as reported by the third-party scan DLL.
Signature Version. The version of the scanner's virus definition files currently in use, as reported by the third-party scan DLL (not available with every scanner).
Update Version. The value located in the Manifest.cab file. For more information, see Manifest.cab.
Last Checked. The date and time of the last check made for a new scan engine or definition files.
Last Updated. The date and time of the last update made to the scan engine or definition files.
Manifest.cab
The Manifest.cab files, maintained by Microsoft, store information for determining if a newer version of a scan engine is available for download. (Each engine has an associated Manifest.cab file in its Package folder.) During a scheduled update, or when Update Now is invoked, FSSP searches the network update path for a new update. To minimize overhead, the Manifest.cab file is first downloaded and used to determine if an update is required. If not, no further processing takes place. If it is, the update is then downloaded and applied. When the update is finished, the new Manifest.cab file overlays the old one. This is the directory structure of the scan engines on a Forefront Security for SharePoint server:
Forefront Security Install\
    Engines\
        x86\
            Engine Name\
                Package\
                    manifest.cab
                Version Directory\
                    manifest.cab
                    enginename_fullpkg.cab
                    other enginename files
Forefront Security Install is the top-level directory where all of the FSSP files are kept. Engine Name is a directory with the name of an engine's vendor (for example: Norman or Sophos). There is an Engine Name directory for each engine. The Package directory contains the most recent Manifest.cab file. To minimize overhead, this file is first downloaded and used to determine if an update is required. If not, no further processing takes place. If it is, the update is downloaded and applied. If the update is successful, the new Manifest.cab file overlays the old one in the Package directory. The Version Directory name has the format yymmddvvvv (year, month, day, version, for example: 0602020001). On any specific day, there may be multiple version directories. Each contains the current Manifest.cab file, the enginename_fullpkg.cab (for example: norman_fullpkg.cab), and all other required files for the engine.
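An added Python example, not the product's own code, that applies the yymmddvvvv naming rule described above: it validates version directory names, picks the newest one when a day has several, and builds the manifest and full-package paths from the directory layout shown. The two-digit year is assumed to mean 20yy, and the install directory, engine name and directory listing are constructed sample values.

```python
import re
from datetime import date
from pathlib import PureWindowsPath

# yymmddvvvv: two-digit year, month, day, then a four-digit version within that day
VERSION_DIR_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{4})$")


def parse_version_dir(name):
    """Return (date, version) for a well-formed version directory name, else None.

    Assumption: the two-digit year denotes 20yy (06 -> 2006). Names that are
    not ten digits, or that encode an impossible date, are rejected so that a
    stray directory in the engine folder is never mistaken for an update.
    """
    m = VERSION_DIR_RE.match(name)
    if m is None:
        return None
    yy, mm, dd, vvvv = (int(g) for g in m.groups())
    try:
        day = date(2000 + yy, mm, dd)
    except ValueError:
        return None
    return day, vvvv


def newest_version_dir(names):
    """Pick the newest version directory; on the same day the higher vvvv wins."""
    candidates = []
    for name in names:
        parsed = parse_version_dir(name)
        if parsed is not None:
            candidates.append((parsed, name))
    if not candidates:
        return None
    return max(candidates)[1]


def engine_paths(install_dir, engine_name, version_dir):
    """Build the paths from the layout above for one engine and one version directory.

    engine_name is the vendor directory (for example Norman); the full package is
    named <enginename>_fullpkg.cab in lower case, as in norman_fullpkg.cab.
    """
    engine_root = PureWindowsPath(install_dir) / "Engines" / "x86" / engine_name
    version_root = engine_root / version_dir
    return {
        "package_manifest": str(engine_root / "Package" / "manifest.cab"),
        "version_manifest": str(version_root / "manifest.cab"),
        "full_package": str(version_root / f"{engine_name.lower()}_fullpkg.cab"),
    }


if __name__ == "__main__":
    # Constructed sample listing: three version directories (two on the same
    # day) plus the Package directory and an unrelated folder to be ignored.
    listing = ["0602020001", "0602020003", "0601310009", "Package", "backup"]
    newest = newest_version_dir(listing)
    print("newest version directory:", newest)
    paths = engine_paths(
        r"C:\Program Files\Microsoft Forefront Security\SharePoint", "Norman", newest
    )
    for label, path in paths.items():
        print(f"{label}: {path}")
```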
Update on Load
You can configure Forefront Security for SharePoint to update its file scanners when the FSSP service starts. To enable it, select Perform Updates At Startup in the Scanner Updates section of General Options. For more information, see General Options. The update on load feature uses the Windows Task Scheduler. Updates should be scheduled in five-minute intervals to avoid possible conflicts. Updating when the service starts is useful for clustered SharePoint servers, where the inactive node will not receive updates while it is offline.
Distributing Updates
The most common method of distributing updates is to have one server (the hub) receive updates from the Microsoft HTTP server and then share those updates among the rest of the servers (the spokes) in your environment. A server can share engine updates with any other server whose network update path points to it. Start with the computer that you want to be the hub server and establish a Windows share for its Engines directory (which is, by default, in the FSSP install folder). Then, enable the Redistribution Server option in the Scanner Updates section of General Options. For more information, see General Options.
When the hub server has been set up, configure the spoke servers to point to the shared directory by entering its UNC path (\\ServerName\ShareName) into the Primary Network Update Path field of each of the spokes. Example: Server SharePoint1 receives its updates automatically from the Microsoft HTTP server. SharePoint1 has Forefront Security for SharePoint installed in C:\Program Files\Microsoft Forefront Security\SharePoint, and you have created a share, called AdminShare, that begins at the Engines directory. Another server, SharePoint2, will get its updates from SharePoint1. SharePoint2 will therefore have a UNC Primary Network Update Path of:
\\SharePoint1\AdminShare
To enter UNC credentials
1. Select General Options from the SETTINGS shuttle.
2. In the Scanner Updates section, select Use UNC Settings.
3. Enter the UNC Username and Password. For details, see General Options.
4. Click Save to retain your changes.
Subject Line: Successful update of <engine_name> scan engine on server <server_name>.
Body: The <engine_name> scan engine has been updated from <update_path>.
No Update available:
Subject Line: No new update for the <engine_name> scan engine on server <server_name>.
Body: There are currently no new scan engine files available for the <engine_name> scan engine at <update_path>.
Error Updating:
Subject Line: Failed update of <engine_name> scan engine on server <server_name>.
Body: An error occurred while updating the <engine_name> scan engine. [There may be an error message included here.] For more information, see the program log.
Note: If the Program Log contains the "could not create mapper object" error, it means that the engine in question did not load properly.
SharePoint Troubleshooting
For information about contacting Microsoft, see Technical Support.
Diagnostics
Diagnostic logging provides helpful information that can be used by Microsoft support technicians to help troubleshoot any problems that are occurring while Forefront Security for SharePoint is running. Enable diagnostics for the Manual Scan Job or the Realtime Scan Job, by selecting that job in the Diagnostics section of General Options. For more information, see General Options. By default, Diagnostic logging for the scan jobs is not selected.
Technical Support
To obtain technical support visit the Microsoft Web site at Microsoft Help and Support.
There are other parameters, but they should only be used when directed by support technicians.
3. Restart the SharePoint services.
Caution: When you are not running FSSP, you are without its protection.
To enable Forefront Security for SharePoint by reestablishing dependencies
1. Stop the SharePoint services.
2. Enable FSSP dependencies. At the command line, enter:
fscutility /enable
For 64-bit systems: HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\SharePoint

AdditionalTypeChecking
    Forefront Security for SharePoint performs signature type checking to avoid scanning those files that can never contain a virus. If it becomes necessary to scan an additional file type, contact Help and Support to obtain the proper setting for the file type you would like to add. This key is set to 0 (off) by default.

ConvertExtensionType
    Specifies the extension type with which all deleted attachments will be named (example: abc). By default, its value is txt. To disable this feature (to retain the original extension), replace txt with an empty string (""). To specify a different extension, replace txt with some other string (between one and three characters). If you use an extension size larger than three characters, or if you delete this registry value, it will default back to txt at the next recycling of the services. Any changes made to this registry value take effect only after you recycle the FSSP services.

DatabasePath
    Specifies the path under which the FSSP configuration files and Quarantine folder will be created. It defaults to the FSSP installation path (InstalledPath). If this value is changed, the configuration files and the Quarantine folder (along with its contents) must be moved to this new location. If the files are not moved, Forefront Security for SharePoint will recreate the files and the previous settings will be lost. For more information about moving these files, see Moving the Databases.

ManualScanContinueOnFailed
    Specifies that Forefront Security for SharePoint should recover from a manual scan failure if a message contains broken or corrupted links to attachments. When the value is 1, FSSP will continue scanning after encountering a message with a broken or corrupted link. A value of 0 (the default) causes FSSP to terminate the scan if a broken or corrupted link is found.

MaxNestedAttachments
    Sets the limit for the maximum nested attachments that can appear in MSG, TNEF, MIME, and UUENCODE files. The limit is the sum of the nesting of all of these types. If the maximum is exceeded, the entire file is deleted and a notification is sent stating that an ExceedinglyNested virus was found. The default is 30.

RealtimeProcessCount
    This registry value will be created after the initial start of FSCController. The default value is 3, which indicates that three FSSP real-time processes will be launched. You may modify it to represent the number of FSSP realtime processes you want running on the server (the maximum is 10). FSCController must be recycled for the change to take effect.

RealtimePurge
    Specifies whether purging by the realtime scanner will take place. A value of 1 (the default) enables purging. A value of 0 disables it.

ScanAllAttachments
    Indicates whether FSSP should scan all attachments or just certain types known to contain viruses. When this DWORD value is set to 1, FSSP will scan all file attachments. A value of 0 (the default) indicates that only certain types should be scanned.
These keys contain the scanner information that is reported on the Scanner Update Settings work pane. Although they should not be modified, you may find them useful for reporting purposes.
For 32-bit systems: HKLM\SOFTWARE\Microsoft\Forefront Server Security\SharePoint\Scan Engines\enginename
For 64-bit systems: HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\SharePoint\Scan Engines\enginename
Engine Version. Indicates the current version of <engine name>.
Last Checked. Indicates the date and time <engine name> was last checked.
Last Updated. Indicates the date and time <engine name> was last updated.
Signature Version. Indicates the current version of the <engine name> signature file.
Update Version. Indicates the current update of <engine name>.
The name of the detected file.
%Filter% The name of the filter that detected the item.
%Folder% The workspace and subfolders where the virus or attachment was found.
%ScanJob% The name of the scan job that scanned the attachment or performed the filtering operation.
%Server% The name of the server that found the infection or performed the filtering operation.
%State% The disposition of the detected item (Deleted, Cleaned, Skipped, Purged, or Identified).
%Virus% The name of the virus, as reported by the file scanner.
%Virus Engines% A list of all the scan engines that found the virus.
File type | Program log number | Description
AutoCad | 63 | AutoCad file
AVIfile | 29 | Windows Audio/Visual file format (Audio/Video Interleaved resource interchange file format)
BMPfile | 24 | Bitmap image file
DataZfile | 15 | InstallShield file (InstallShield 3)
Docfile | 6 | Microsoft OLE Structured Storage file
Eicar | 5 | Eicar test virus file
EPSfile | 57 | Encapsulated Post-Script file (Adobe)
EXEfile | 3 | Microsoft executable file
Font_Type1 | 64 | Adobe Type 1 Font file
GifFile | 22 | GIF image file
GZipFile | 16 | GZip compression format file
HyperArc | 54 | ARC compression format file (Systems Enhancement Associates)
 | 27 | Windows icon file
 | 48 | InstallShield Uninstall file
 | 14 | Microsoft Cabinet Archive format file
 | 52 | Java archive file
 | 45 | Java byte code file (usually contained inside a JAR file)
 | 23 | JPEG image file
LHAfile | 12 | Compression format file (LHA/LHARC)
MACFILE | 77 | A binary (non-text) format that encodes Macintosh files so that they can be safely stored or transferred through non-Macintosh systems
 | 71 | Access database file
 | 67 | MP3 audio file
 | 32 | MPEG animation file (.mpg)
 | 51 | Document file
 | 50 | Microsoft Help Index (.chi)
 | 49 | Microsoft Help file (.hlp)
 | | Microsoft Type Library file format (typically used for Microsoft ActiveX service)
MS_WMF | 59 | Microsoft Windows Metafile Format graphics (vectored and bit-mapped)
 | 13 | Cabinet file (Microsoft installation archive)
 | 17/18 | Microsoft compression format file
 | 46 | MIME formatted text file with IMC binary header
 | 42 | Microsoft Object code library file
 | 44 | Microsoft Shortcut file (.lnk)
 | 68 | Notes database file
OBJfile | 43 | Object Code file (Intel Relocatable Object Module - .obj)
PALfile | 26 | Adobe PageMaker Library palette file or a Color palette file
 | 25 | Bitmap graphic file (PC Paintbrush)
 | 47 | Portable Document Format file (Adobe)
 | 4 | Program Information File (Windows), or Vector Graphics GDF format file (IBM mainframe computers)
 | 55 | PKLite compression format file
 | 61 | Bitmap graphics file (Portable Network Graphics)
 | 31 | Quick Time Movie file
 | 76 | RAR-compressed archive file
 | 30 | RIFF bitmap graphics file (Fractal Design Painter)
 | 73 | Self extracting executable file
TARFILE | 75 | TAR archive format file (a UNIX method of archiving files, which can also be used by personal computers). TAR archives files but does not compress them, so sometimes .tar files are compressed with other tools, which produces extensions like .tar.gz, .tar.Z, and .tgz.
 | 1 | Text file (.txt)
 | 62 | Tagged Image File Format (TIFF) bitmap graphics file
 | 56 | Microsoft Transport Neutral Encapsulation Format file (Message file)
 | 65 | Microsoft TrueType font file (.ttf)
 | 2 | Universal Character Code double-byte text file
 | 53 | Unix Compressed format file
 | 60 | Microsoft Visio exported meta file
 | 28 | Waveform audio file (RIFF WAVE format)
 | 8 | Microsoft Excel 1.x file (.xls)
 | 7 | Microsoft Word (1.x and 2.x) file
 | 9 | Microsoft Write file
 | 58 | XaraX graphic file
ZipFile | 10 | Compressed file created by PKZip
ZOOfile | 19 | Compressed file created by ZOO
Information Collected
The Forefront Security Diagnostic tool can collect the following information:
Forefront Security for SharePoint file versions (including scan engine file versions)
SharePoint version
Forefront Security for SharePoint registry key
Forefront Security for SharePoint database (*.fdb) files
Forefront Security for SharePoint archive files
Forefront Security for SharePoint program log file
Windows Event log files
Dr. Watson log file
User.dmp file
time has the format hh.mm.ss (where hh represents a 24-hour clock)
Example:
C:\Program Files\Microsoft Forefront Security\SharePoint\Log\Diagnostics\FSCDiag-Server1-20060202-17.50.27.zip
4. Upload or send the compressed file in an e-mail attachment to Microsoft.