You can configure Microsoft Forefront Protection 2010 for SharePoint (FPSP) to delete the following types of files:

You can also configure FPSP to treat specialty file settings as corrupted compressed files. Specialty file settings include multipart RAR archives and high-compression ZIP archives.

To delete corrupted compressed files
  1. In the Forefront Protection 2010 for SharePoint Administrator Console, click Policy Management, and in Global Settings, click Advanced Options.

  2. In the Global Settings - Advanced Options pane, in the Deletion Criteria section, you can enable or disable the following settings:

    1. Delete corrupted compressed files—Configures whether corrupted compressed files are deleted. This setting is enabled by default.

      When a corrupted compressed file is detected, FPSP reports it as a CorruptedCompressedFile incident. This setting also handles the following file types:

      UnwritableCompressedFile—A type of compressed file whose contents cannot be correctly modified (cleaned or deleted), or whose compressed file write back type is not supported by FPSP (for example, OpenXML). Or, it may be that the scanners cannot correctly insert the corrupted compressed file back into the archive due to the corrupt nature of the file.

      UnreadableCompressedFile—A type of compressed file whose contents cannot be correctly read out of the archive due to the corrupt nature of the archive.

      Note:
      Quarantining of these files is determined by the individual scan job settings. By default, files identified as corrupted are quarantined. You can override quarantining for these file types by clearing the Quarantine corrupted compressed files check box in Advanced Options and then clicking Save.
    2. Delete corrupted UUEncoded files—Configures whether corrupted UUEncoded files are deleted. This setting is enabled by default.

      When a corrupted UUEncoded file is detected, FPSP reports it as a CorruptedCompressedUUEncodedFile incident.

    3. Delete encrypted compressed files—Configures whether encrypted compressed files are deleted. This setting is disabled (cleared) by default. When enabled, if one file in a container file is encrypted, then the entire container file is tagged as encrypted compressed and replaced with deletion text. When an encrypted compressed file is deleted, FPSP reports it as an EncryptedCompressedFile incident.

  3. In the Global Settings - Advanced Options pane, in the Specialty file type settings section, you can enable or disable the following settings. The action taken on these file types is dependent upon the Delete corrupted compressed files setting.

    1. Treat multi-part RAR archive as a corrupted compressed file—A file within a .rar archive can be compressed across multiple files or parts (hence “multi-part”), thereby enabling very large files to be broken into smaller-sized files for ease of file transfer. This setting specifies whether .rar archives containing such parts are reported as corrupted compressed files.

      Disabling this option enables you to receive such files. However, in this case malware may escape detection if it is split across multiple volumes. Therefore, this setting is enabled by default.

      If the archive is reported as corrupted compressed, and if the option to Delete corrupted compressed files is enabled, the archive is deleted.

      If Delete corrupted compressed files is not enabled, only the .rar archive as a whole is passed to the engines to be scanned. If no threat is found when the archive is scanned, the message is delivered. If a threat is found and can be cleaned, the message is delivered. If a threat is found and cannot be cleaned, the message is deleted.

      Note:
      If you are using multipart .rar archives in order to compress files that exceed 100 megabytes (MB) when uncompressed, you should be aware of the Maximum uncompressed file size setting in Advanced Options. For more information, see Configuring maximum file sizes and other threshold levels.
    2. Treat high compression ZIP as a corrupted compressed file—Specifies whether .zip archives containing highly compressed files are reported as corrupted compressed.

      If the archive is reported as corrupted compressed, and if the setting to Delete corrupted compressed files is enabled, the archive is deleted. If Delete corrupted compressed files is not enabled, the files in the .zip archive are passed to the engines to be scanned, in their compressed form. The .zip archive itself is also passed to the engines. If scanned and no threat is found, the message is delivered. If a threat can be cleaned, the message is delivered. If a threat cannot be cleaned, the message is deleted. If the file is compressed with an unknown algorithm, it is treated as corrupted compressed, regardless of this setting. This setting is enabled by default (that is, .zip archives containing highly compressed files are treated as corrupted compressed).

  4. Click Save.

Related Topics