You can configure Forefront Protection 2010 for Exchange Server (FPE) to delete the following types of files:
- Corrupted compressed files—Archive or compressed file types that FPE is unable to parse. An error may occur when parsing a file due to any number of reasons, including improper formatting, exceeding the file size limit, or exceeding the allowable scan time.
- Corrupted UUEncoded files—UUEncoded files that FPE is unable to parse.
- Encrypted compressed files—Compressed files that contain at least one encrypted item. Encrypted files cannot be parsed by FPE.
You can also configure FPE to treat specialty file types as corrupted compressed files. Specialty file types include multipart RAR archives and high-compression ZIP archives.
To delete corrupted compressed files:
In the Forefront Protection 2010 for Exchange Server Administrator Console, click Policy Management, and under Global Settings, click Advanced Options.
In the Global Settings - Advanced Options pane, under the Deletion Criteria section, you can enable or disable the following settings:
- Delete corrupted compressed files—Configures whether corrupted compressed files are deleted. This setting is enabled by default.
When a corrupted compressed file is detected, FPE reports it as a CorruptedCompressedFile incident. This setting also handles the following file types:
UnwritableCompressedFile—A type of compressed file whose contents cannot be correctly modified (cleaned or deleted) or whose compressed file write back type is not supported by FPE (for example, OpenXML). Or, it may be that the scanners cannot correctly insert the corrupted compressed file back into the archive due to the corrupt nature of the file.
UnReadableCompressedFile—A type of compressed file whose contents cannot be correctly read out of the archive due to the corrupt nature of the archive.
Note: Quarantining of these files is determined by the individual scan job settings. By default, files identified as corrupted are quarantined. You can override quarantining for these file types by clearing the Quarantine corrupted compressed files check box in Advanced Options and then clicking Save.
- Delete corrupted UUEncoded files—Configures whether corrupted UUEncoded files are deleted. This setting is enabled by default. When a corrupted UUEncoded file is detected, FPE reports it as a CorruptedCompressedUUEncodedFile incident.
- Delete encrypted compressed files—Configures whether encrypted compressed files are deleted. This setting is disabled (cleared) by default.
When enabled, if one file in a container file is encrypted, then the entire container file is tagged as encrypted compressed and replaced with the deletion text. When an encrypted compressed file is deleted, FPE reports it as an EncryptedCompressedFile incident.
In the Global Settings - Advanced Options pane, under the Specialty File Type Settings section, you can enable or disable the following settings. The action taken on these file types is dependent upon the Delete corrupted compressed files setting.
- Treat multi-part .rar archive as a corrupted compressed file—A file within a .rar archive can be compressed across multiple files or parts (hence “multi-part”), thereby enabling very large files to be broken into smaller-sized files for ease of file transfer. This setting specifies whether .rar archives containing such parts are reported as corrupted compressed files.
Disabling this option enables you to receive such files. However, in this case, malware may escape detection if it is split across multiple volumes. Therefore, this setting is enabled by default.
If the archive is reported as corrupted compressed, and if the option to Delete corrupted compressed files is enabled, the archive is deleted.
If Delete corrupted compressed files is not enabled, only the .rar archive as a whole is passed to the engines to be scanned. If no threat is found when the archive is scanned, the message is delivered. If a threat is found and can be cleaned, the message is delivered. If a threat is found and cannot be cleaned, the message is deleted.
Note: If you are using multipart .rar archives in order to compress files that exceed 100 megabytes (MB) when uncompressed, you should be aware of the Maximum uncompressed file size setting. For more information, see Configuring maximum file sizes and other threshold levels.
- Treat high compression .zip file as a corrupted compressed file—Specifies whether .zip archives containing highly compressed files are reported as corrupted compressed.
If the archive is reported as corrupted compressed, and if the setting to Delete corrupted compressed files is enabled, the archive is deleted. If Delete corrupted compressed files is not enabled, the files in the .zip archive are passed to the engines to be scanned, in their compressed form. The .zip archive itself is also passed to the engines. If scanned and no threat is found, the message is delivered. If a threat can be cleaned, the message is delivered. If a threat cannot be cleaned, the message is deleted. If the file is compressed with an unknown algorithm, it is treated as corrupted compressed, regardless of this setting. This setting is enabled by default (that is, .zip archives containing highly compressed files are treated as corrupted compressed).
Click Save.
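The following added example (not FPE code, and not part of the original documentation) approximates how the Deletion Criteria settings above would apply to a ZIP attachment, so an administrator can predict the outcome before changing a default. It assumes that a parse failure stands in for "corrupted" and that the ZIP general-purpose flag bit 0 marks an encrypted item; the function names, the `NoIncident` label and the sample archives are constructed for illustration.

```python
import io
import zipfile

# Defaults as stated on this page: deleting corrupted compressed files is
# enabled, deleting encrypted compressed files is disabled (cleared).
DEFAULTS = {"delete_corrupted": True, "delete_encrypted": False}

def classify_zip(data: bytes) -> str:
    """Return the incident name this page uses, or 'NoIncident' (hypothetical label)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = zf.infolist()
    except zipfile.BadZipFile:
        # Assumption: a container that cannot be parsed is "corrupted".
        return "CorruptedCompressedFile"
    # One encrypted item is enough to tag the entire container.
    if any(entry.flag_bits & 0x1 for entry in entries):
        return "EncryptedCompressedFile"
    return "NoIncident"

def is_deleted(incident: str, settings: dict = DEFAULTS) -> bool:
    """Apply the two Deletion Criteria check boxes to an incident name."""
    if incident == "CorruptedCompressedFile":
        return settings["delete_corrupted"]
    if incident == "EncryptedCompressedFile":
        return settings["delete_encrypted"]
    return False

def build_samples() -> dict:
    """Constructed test archives: clean, one item flagged encrypted, truncated."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "plain entry")
        zf.writestr("secret.txt", "entry flagged as encrypted")
    clean = buf.getvalue()
    flagged = bytearray(clean)
    # Set the encryption bit in the last central directory header
    # (flags field is 8 bytes after the PK\x01\x02 signature).
    pos = flagged.rfind(b"PK\x01\x02")
    flagged[pos + 8] |= 0x01
    return {"clean": clean, "one_encrypted": bytes(flagged), "truncated": clean[:30]}

if __name__ == "__main__":
    for name, blob in build_samples().items():
        incident = classify_zip(blob)
        print(f"{name}: {incident}, deleted with defaults: {is_deleted(incident)}")
```

With the defaults, the truncated archive is deleted while the archive with one encrypted item is not; enabling Delete encrypted compressed files changes the second result.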