There are various configuration settings that you can adjust for the scheduled scan in order to meet the needs of your environment. These include selecting the number of scan engines to use for each scan, setting the action to take when malware is detected, and specifying whether or not to quarantine detected files.
 Note: |
|---|
| When you configure the scheduled scan, the default is to scan only messages that have attachments. If you have also created subject line filters or sender-domain filters, those filters only apply to mail that has attachments, not to all mail. If you change the scheduled scan to scan all mail (by selecting the Scan message body check box in the Additional Options section of the Antimalware - Mailbox Scheduled pane), then the filters apply to all mail. In other words, the filters are applied to whatever mail is being scanned for malware. |
-
In the Forefront Protection 2010 for Exchange Server Administrator Console, click Policy Management and under Antimalware, click Mailbox - Scheduled.
-
In the Antimalware - Mailbox Scheduled pane, under the General Settings section, configure the following settings:
- Enable scheduled antivirus scan—Select or clear this
check box to enable or disable the scheduled antivirus scan. This
setting is enabled by default.
- Enable scheduled antispyware scan—Select or clear this
check box to enable or disable the scheduled antispyware scan. This
setting is enabled by default.
- Enable scheduled antivirus scan—Select or clear this
check box to enable or disable the scheduled antivirus scan. This
setting is enabled by default.
-
In the Antimalware - Mailbox Scheduled pane, under the Engines and Performance section, select the number of scan engines that should be used for this scan. For more information, see Configuring the number of scan engines used for each scan.
-
In the Antimalware - Mailbox Scheduled pane, under the Scan Actions section, configure the following settings:
- Action—Select the action that you want performed when a
virus or spyware is detected. For virus detections, you can select
Skip detect, Clean (the default), and Delete.
For spyware detections, you can select Skip detect,
Delete (the default), and Purge. For more
information, see Configuring the action
when malware is detected.
- Quarantine Files—Using the drop-down list, enable (by
selecting Yes) or disable (by selecting No) saving
infected files detected by the file-scanning engines. Quarantining
is enabled by default. Enabling quarantine causes deleted
attachments and purged messages to be stored in a secure location,
from which you can recover them. However, worm-purged messages are
not recoverable. For more information about quarantine, see
Viewing and
managing quarantine.
- Edit Malware Deletion Text—You can specify deletion
text, which is used to replace the contents of an infected file
during a delete operation. The default deletion text informs you
that an infected file was removed, along with the name of the file
and the name of the malware found. To change the default deletion
text, click Edit Malware Deletion Text, make the
modifications to the deletion text in the Edit Malware Deletion
Text dialog box, and then click Apply and Close to
return to the Antimalware - Mailbox Scheduled pane.
Note:FPE provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. To use them, in the Edit Malware Deletion Text dialog box, right-click, select Insert Field, and then select the desired macro. For more information about this feature, see Keyword substitution macros.
- Action—Select the action that you want performed when a
virus or spyware is detected. For virus detections, you can select
Skip detect, Clean (the default), and Delete.
For spyware detections, you can select Skip detect,
Delete (the default), and Purge. For more
information, see Configuring the action
when malware is detected.
-
Click Save.
| Note: |
|---|
| The Schedule options are described in Scheduling the scheduled scan. |
Configuring additional scheduled scanning options
You can configure the following additional settings located under the Additional Options section of the Antimalware - Mailbox Scheduled pane. Click Save after making any changes to your settings.
- Scan doc files as
containers—Configures the scheduled scan to scan files that use
structured storage and the OLE embedded data format (for example,
.doc, .xls, .ppt, or .shs) as container files. This ensures that
any embedded files are scanned as potential malware carriers. This
setting is disabled by default.
- Scan message body—Configures the
scheduled scan to scan message bodies as well as attachments.
Scanning message bodies is disabled by default because message-body
scanning increases the time required to perform a scan.
- Start scheduled scan after engine
update—Configures the scheduled scan to run immediately after
an engine or definition update, regardless of when it is next
scheduled to run. This setting is disabled by default.
Caution:When this setting is enabled and an update occurs while a scheduled scan is in progress, the scheduled scan restarts at the mail that was being scanned. If updates continue to occur before the scheduled scan finishes, the scan continues to run indefinitely. It is therefore recommended that you do not schedule a scan for a large dataset if this setting is enabled. Also note that when this option is enabled, the mailbox server may experience increased malware scanning, which may impact server performance. - Suppress malware
notifications—Suppresses the sending of Virus found,
Spyware found, and Worm found notifications, even if
these notifications are enabled. This setting is disabled by
default.
- Process count—Configures the number of
processes you want running per mailbox server. The default value is
1; the maximum value is 10.
When multiple scheduled processes are running, the first process scans the file unless it is busy; in which case, the file is delivered to the second process for scanning. If the second process is busy and a third is enabled, the third process scans the file. Whenever possible, FPE delivers files to the first process if it is available.
Multiple processes increase the load on the server at startup, when the processes are being loaded, and whenever they are called upon to scan a file. More than the default number of processes should not be necessary, except in high-volume environments. Because increasing the number of processes consumes additional server resources, it is best to increase them one at a time, and evaluate the performance at each step.
Important:You must stop and then start the Microsoft Exchange Information Store service in order for changes to this setting to take effect. Do not use the Restart function. - Scanning timeout (seconds)—Configures
the number of seconds that the scheduled scan scans a file before
timing out. The default value is 150 seconds.
In the event that the scheduled scan exceeds the specified time to scan a message, the process is terminated, and FPE attempts to restart the service. If successful, scheduled scanning resumes and a notification is sent to the administrator stating that the scheduled scan exceeded the allotted scan time and was recovered.
When the new scheduled scan process starts, the message that caused it to terminate is reprocessed according to the Scan timeout action setting. For example, if it is set to Delete, FPE deletes the file, replaces its contents with the deletion text for the scheduled scan, logs the information, and quarantines and archives the file.
If the process cannot be restarted, a notification is sent to the administrator stating that the scheduled scan stopped. In this event, scheduled scanning for the particular storage group does not function, but the information store does not stop.
Important:You must stop and then start the Microsoft Exchange Information Store service in order for changes to this setting to take effect. Do not use the Restart function. - Scan timeout action—Configures what
action to take when the scheduled scan times out while scanning a
file. The options are the following:
- Ignore—Lets the file pass without
being scanned.
- Skip detect—Reports in the Incidents
log and the Program log that the file exceeded the scan time and
lets it pass without being scanned.
- Delete—Reports the event and replaces
the contents of the file with the deletion text. Delete is
the default value.
Note:If the Scan timeout action is set to Skip detect or Delete, and if quarantining is enabled, then a copy of the file is stored in the database. - Ignore—Lets the file pass without
being scanned.
- Maximum container scan time
(seconds)—Configures the number of seconds that the scheduled
scan scans a compressed attachment before reporting it as a
ScanTimeExceeded incident. This option is intended to prevent the
risk of denial of service due to zip-of-death attacks. The default
value is 120 seconds.
You can configure the following additional settings located under the Scheduled Scan Settings section of the Antimalware - Mailbox Scheduled pane. Click Save after making any changes to your settings.
- Scan only unscanned
messages—Configures the scheduled scan to only scan messages
that have not yet been scanned. This setting is disabled by
default.
- Scan only messages with
attachments—Configures the scheduled scan to scan only messages
that include attachments. This setting is enabled by default.
- Enable maximum scan time—Selecting
this check box enables you to specify the maximum time that the
scheduled scan runs before timing out. This setting is disabled
(cleared) by default, meaning that there is no scan time limit. If
selected, set the time with the Maximum scan time (hours:
minutes) option.
- Maximum scan time (hours: minutes)—If
you enabled the Enable maximum scan time setting, use this
setting to specify the maximum time, in hours and minutes, that the
scheduled scan will run before timing out. When enabled, the
default setting is 1 hour. The maximum time that you can specify is
23 hours and 59 minutes.
- Scan only messages received within the
last—Places limits on scheduled scanning by configuring the
scheduled scan to scan messages based on their age. In the
drop-down list, click one of the following options: Anytime,
4 hours, 6 hours, 8 hours, 12 hours,
18 hours, 1 day, 2 days (the default), 3
days, 4 days, 5 days, 6 days, 7
days, 30 days.
The selected scan back period should be set based on an understanding of a specific threat or in order to generally cover the always-present protection gap between when malware may have been released and the availability of protection definitions. If scanning is scheduled to run on a daily basis (for more information, see Scheduling the scheduled scan), the recommended setting is to scan the previous two days' worth of mail. However, the time should be set based on both security and performance considerations.Important:Use caution when setting this option. If the message arrival rate at the mailbox server is very high and too long a scan back period is selected, scheduled scanning may run continuously, which can have a negative impact on server performance.
- Set priority—Sets the CPU priority in
order to permit more important jobs to take precedence over other
scheduled scans when demands on server resources are high. In the
Set priority drop-down list, click one of the following:
Normal (the default), Below normal, or
Low.