There are several configuration settings that you can adjust for the on-demand scan in order to meet the needs of your environment. All changes to on-demand scan settings take effect as soon as you begin the scan.To configure the on-demand scan
In the Forefront Protection 2010 for Exchange Server Administrator Console's Tasks view, in the tree, expand Task Library, and then click Mailbox On-Demand.
In the Task Library - Mailbox On-Demand pane, in the Exchange Client Access Server section, specify the name of the Exchange Client Access Server (CAS) through which the on-demand scan job connects to your Exchange environment in order to scan mailboxes. You can select to Use the default CAS (the default) or you can select to Specify the CAS host name or computer name. The value of this parameter can be the fully qualified domain name of the CAS, or the name or IP address of the CAS. The default CAS is detected during the first run after installation. It is recommended that you specify a network load-balanced CAS if you want to change the default.
Note: Microsoft Exchange Server 2010 requires that a CAS be configured for the on-demand scan job. For earlier Exchange versions, a CAS is not required.
In the Task Library - Mailbox On-Demand pane, in the Scan Targets section, configure the mailboxes to scan. For more information, see Selecting which mailboxes to scan on-demand.
In the Task Library - Mailbox On-Demand pane, in the Engines and Performance section, select the number of scan engines that should be used for each scan. For more information, see Configuring the number of scan engines used for each scan.
In the Task Library - Mailbox On-Demand pane, in the Scan Actions section, configure the following settings:
- Action—Select the action that you want performed when a
virus is detected (spyware scanning is not available for the
on-demand scan). For more information about actions, see Configuring the action
when malware is detected.
- Quarantine Files—Using the drop-down list, enable (by
selecting Yes) or disable (by selecting No) saving
infected files detected by the file-scanning engines. Quarantining
is enabled by default. Enabling quarantine causes deleted
attachments and purged messages to be stored in a secure location,
from which you can recover them. However, worm-purged messages are
not recoverable. For more information about quarantine, see
- Edit Malware Deletion Text—You can specify deletion
text, which is used to replace the contents of an infected file
during a delete operation. The default deletion text informs you
that an infected file was removed, along with the name of the file
and the name of the malware found. To change the default deletion
text, click Edit Malware Deletion Text, make the
modifications to the deletion text in the Edit Malware Deletion
Text dialog box, and then click Apply and Close to
return to the Task Library - Mailbox On-Demand pane.
Note: FPE provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. To use them, in the Edit Malware Deletion Text dialog box, right-click, select Insert Field, and then select the desired macro. For more information about this feature, see Keyword substitution macros.
- Action—Select the action that you want performed when a virus is detected (spyware scanning is not available for the on-demand scan). For more information about actions, see Configuring the action when malware is detected.
Configuring additional on-demand scan options by using Windows PowerShell commands
Additional settings for the on-demand scan are not available in the Forefront Protection 2010 for Exchange Server Administrator Console. You need to use the Forefront Management Shell to enter Windows PowerShell commands.To access the Forefront Management Shell
Click Start, point to All Programs, point to Microsoft Forefront Server Protection, and then click Forefront Management Shell.
After accessing the Forefront Management Shell, you can issue the following configuration commands for the on-demand scan:
Configures the on-demand scan to scan files that use structured storage and the OLE embedded data format (for example, ,doc, .xls, .ppt, and .shs) as container files. This ensures that any embedded files are scanned as potential malware carriers. The possible values are $false and $true. The default is $true.
Indicates the number of seconds that the on-demand scan scans a compressed attachment before reporting it as a ScanTimeExceeded incident. This option is intended to prevent the risk of denial of service due to zip-of-death attacks. The default value is 120 seconds (two minutes).
Indicates that the body of the message should be scanned. The possible values are $false and $true. The default is $false.
Indicates the CPU priority of the on-demand scan. The possible values are Normal (the default), BelowNormal, and Low. Changing the setting to BelowNormal or Low enables more important jobs to take precedence when demands on server resources are high.
Indicates whether virus, spyware, or worm notifications should be sent when malware is detected. The possible values are $false and $true. The default of $false indicates that if virus, spyware, or worm notifications are enabled, they are sent. If they were disabled with Set-FseNotification, this parameter has no effect.