You can configure the maximum values that FPE uses for various thresholds. These include the following: container file size, uncompressed file size, container file infections, and nested attachments. If a threshold value is exceeded, the file is deleted.
To configure maximum file sizes and other threshold levels-
In the Forefront Protection 2010 for Exchange Server Administrator Console, click Policy Management, and under Global Settings, click Advanced Options.
-
In the Global Settings - Advanced Options pane, under the Threshold Levels section, you can enter values for the following settings:
- Maximum container file infections—Specifies the maximum
number of infections permitted in a container file. If this value
is exceeded, the entire file is deleted, and an ExceedinglyInfected
incident is added to the log file (all infections prior to when the
maximum number of infections is reached are also logged). A value
of 0 (zero) means that a single infection causes the entire
container to be deleted. The default value is 5 infections.
- Maximum container file size: (megabytes)—Specifies the
maximum container file size (in megabytes) that FPE attempts to
scan. The default value is 25 MB. Files larger than the maximum
size are deleted if they are infected or meet file filter rules.
FPE reports these deleted files as LargeInfectedContainerFile
incidents.
- Maximum compressed file size: (megabytes)—Specifies the
maximum compressed size of a file within a .zip or other compressed
container file. Files larger than this size are treated as
corrupted compressed. The size is specified in megabytes, with a
valid range of values from 0 to 2047. The default value of 20 means
that all compressed files larger than 20 MB are deleted.
- Maximum uncompressed file size: (megabytes)—Sets the
maximum uncompressed file size for a file within a .zip file, a
.gzip file, or a .rar archive file. Files larger than the maximum
permitted size are deleted and reported as
LargeUncompressedFileSize incidents. The default value is 100 MB.
This setting works in conjunction with the Delete corrupted
compressed files setting. In order to delete a file that
exceeds the Maximum uncompressed file size, the Delete
corrupted compressed files setting must be enabled. For more
information about this setting, see Deleting corrupted
compressed files.
The .rar archive format enables one or more compressed files to be stored in multiple .rar volumes, thereby permitting large files to be broken into smaller-sized files for ease of file transfer. The files stored in the multipart .rar volumes are subject to the size limit specified by this setting. If a file exceeds the limit, any multipart .rar volume that contains the file or a part of the file is deleted. However, the outcome can vary, depending on the size of the original files and how they are distributed across the multiple .rar volumes.
Example 1
A single file (F1) is split across 3 .rar volumes (V1, V2, V3).
Outcome: If the uncompressed size of F1 exceeds the default 25 MB limit, all 3 .rar volumes (V1, V2, V3) are deleted.
Example 2
Four files (F1, F2, F3, F4) are split across three .rar volumes (V1, V2, V3) as follows:
V1 contains F1 and the first half of F2.
V2 contains the second half of F2 and F3.
V3 contains only F4.
Outcome: If only F1 exceeds the default 25 MB limit, only V1 is deleted. If only F2 exceeds the default 25 MB limit, V1 and V2 are deleted, but V3 is not. If only F4 exceeds the limit, only V3 is deleted. Note that deleting a volume causes all files stored in the same volume to be deleted, even if only one file or part of a file exceeded the size limit.
In both examples, deletion text specifies that a file (the .rar volume) was deleted because it exceeded the maximum uncompressed file size limit.
To prevent the volumes from being deleted, you must set a large enough value in order to exceed the uncompressed size of the largest file in the multipart .rar volumes.
For concatenated .gzips, the Maximum uncompressed file size is applied to each part of the concatenated .gzip. For example, let us take a .gzip that has two parts, part1 and part2. Part1 is within the size limit, and part2 is also within the size limit, but the combined size of part1 and part2 exceeds the limit. This is not considered exceeding the size limit and FPE continues scanning.
- Maximum nested attachments—Specifies the limit for the
maximum number of nested documents that can appear in MSG, TNEF,
MIME, and UUEncoded files. Note that for the realtime scan, a
nested MSG file is not treated as a nested file with certain e-mail
clients. If the maximum number is exceeded, FPE deletes the
document and reports an ExceedinglyNested incident. The default
value is 30.
- Maximum nested depth compressed files—Specifies the
maximum nested depth for a compressed file. If this is exceeded,
FPE deletes the entire file and reports an ExceedinglyNested
incident. A value of 0 (zero) represents that an infinite amount of
nestings is permitted. The default value is 5.
- Maximum container file infections—Specifies the maximum
number of infections permitted in a container file. If this value
is exceeded, the entire file is deleted, and an ExceedinglyInfected
incident is added to the log file (all infections prior to when the
maximum number of infections is reached are also logged). A value
of 0 (zero) means that a single infection causes the entire
container to be deleted. The default value is 5 infections.
-
Click Save.