Applies to: Forefront Security for Exchange Server
Serious problems might occur if you modify the registry incorrectly. These problems could require you to reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk. Always make sure that you back up the registry before you modify it, and that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, see Microsoft Knowledge Base article Windows registry information for advanced users.
Forefront Security for Exchange Server stores many settings in the Windows registry. You seldom have to edit the registry yourself, because most of those settings are derived from entries you make in General Options. However, there are some additional settings that you may occasionally need to make. FSE stores registry values in the following locations:
For 32-bit systems (only valid during evaluation of FSE):
HKLM\SOFTWARE\Microsoft\Forefront Server Security\Exchange Server
For 64-bit systems:
HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server
Description and values
Forefront Security for Exchange Server performs signature type checking on files to avoid scanning files that can never contain a virus. If it becomes necessary to scan an additional file type, you will need to contact Help and Support to obtain the proper setting for the file type you would like to add. This key is set to 0 (off) by default.
Specifies the path under which the Forefront Security for Exchange Server configuration files and Quarantine folder reside. It defaults to the Forefront Security for Exchange Server installation path (InstalledPath). If this value is changed, the configuration files and the Quarantine folder (along with its contents) must be moved to this new location. If this value is changed and the files are not moved, Forefront Security for Exchange Server re-creates them and the previous settings are lost. Move the files first and then change this value.
Specifies whether the system applies the secure AV stamp. Forefront optimizes scanning of messages on the Exchange 2007 Transport role: a secure AV stamp is applied to messages scanned by Forefront on Transport servers, which prevents duplicate scanning on the Mailbox server role when the message is deposited into the Information Store. DisableAVStamping lets you override this recommended default so that Forefront can scan with some engines on a Transport server and a different set of engines on the Mailbox server. To set it up, add a new DWORD with a value of "1". This suppresses the Transport stamp, so the Mailbox server treats the message as not having been previously scanned. Use this setting only when different engines (or different filtering settings) are selected on the Transport server and the Mailbox server; otherwise, needless duplicate scanning takes place.
When the value of DisableAVStamping is set to "1", it prevents the stamping of messages at the Transport. This value is not present by default and is assumed to be "0" (the default).
When the value of DisableAVStamping is set to "1", we also recommend that you turn on mailbox server proactive scanning on all Mailbox servers routed to by the transport server. This causes newly-arrived mail to the Mailbox server to be placed in a scanning queue to be scanned upon arrival. To enable proactive scanning on the Mailbox server role, set the DWORD value of the following Exchange key to "1" (it is normally disabled, with a value of "0"):
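The procedure above (back up the registry, then add the DisableAVStamping DWORD with a value of 1 on the Transport server) as a PowerShell script. This is an added example, not code from the Forefront documentation or product; the function names are its own, it assumes an elevated prompt with reg.exe available, and it picks the Wow6432Node key whenever that key exists (an assumption about how 64-bit hosts are laid out). The Exchange proactive-scanning value mentioned in the previous paragraph is not named on this page, so the script does not touch it.

```powershell
# Added example (not from the Forefront documentation or product): suppress the
# Transport AV stamp by creating the DisableAVStamping DWORD, after exporting a
# backup of the FSE key with reg.exe. Run from an elevated PowerShell prompt on the
# Transport server. Function names are this example's own.

function Get-FseRegistryPath {
    # Assumption: on 64-bit hosts the Wow6432Node key exists, so prefer it when present.
    $wow    = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server'
    $native = 'HKLM:\SOFTWARE\Microsoft\Forefront Server Security\Exchange Server'
    if (Test-Path $wow) { return $wow }
    return $native
}

function Backup-FseRegistryKey {
    param([string]$BackupFile = (Join-Path $env:TEMP ('FSE-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))))
    # reg.exe expects the native form (HKLM\...) rather than the PowerShell drive form (HKLM:\...).
    $nativeKey = (Get-FseRegistryPath) -replace '^HKLM:\\', 'HKLM\'
    & reg.exe export $nativeKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry backup failed (reg.exe exit code $LASTEXITCODE)" }
    return $BackupFile
}

function Set-FseDisableAVStamping {
    param([ValidateSet(0, 1)][int]$Value = 1)
    $path = Get-FseRegistryPath
    if (-not (Test-Path $path)) { throw "FSE registry key not found: $path" }
    $backup = Backup-FseRegistryKey
    Write-Output "Registry backup written to $backup"
    # -Force creates the DWORD if it is missing and overwrites it if it already exists.
    New-ItemProperty -Path $path -Name 'DisableAVStamping' -PropertyType DWord -Value $Value -Force | Out-Null
    # Read the value back so the script fails loudly if the write did not stick.
    $current = (Get-ItemProperty -Path $path -Name 'DisableAVStamping').DisableAVStamping
    if ($current -ne $Value) { throw "DisableAVStamping reads back as $current, expected $Value" }
    Write-Output "DisableAVStamping is now $current (1 = Transport stamp suppressed, Mailbox server rescans)"
}

# Usage: Set-FseDisableAVStamping -Value 1
```

Pair this with different engine selections on the Transport and Mailbox servers, as the text requires; with identical engines the only effect of the value is duplicate scanning. Setting `-Value 0` restores the default behaviour described above.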
When set to 1, this value disables inbound file filtering for the Transport Scan Job. The default value is 0. The Forefront Security services must be recycled for this feature to take effect.
When set to 1, this value disables inbound virus scanning for the Transport Scan Job. The default value is 0.
When set to 1, this value disables outbound file filtering for the Transport Scan Job. The default value is 0. The Forefront Security services must be recycled for this feature to take effect.
When set to 1, this value disables outbound virus scanning for the Transport Scan Job. The default value is 0.
Specifies whether to scan IPM replication messages. The Transport Scan Job scans files called Winmail.dat for viruses. Exchange uses these files for several purposes, including facilitating replication between servers (IPM replication messages). If FSE modifies a Winmail.dat file, the public folder replication process will fail. Setting this DWORD registry key to 1 prevents the Transport Scan Job from scanning IPM replication messages. If a virus is replicated because of public folder replication, the Realtime Scan Job will still detect the virus even if this key is set.
Specifies the timeout value (in seconds) that Forefront Security will allow for scan engine downloads. The default value is 300 (5 minutes).
Enables or disables purging by the Transport scanner. If set to 0, purging is disabled. If set to 1, purging is enabled. The key is set to 1 by default.
Used to recover from a manual scan failure when a scan engine encounters problems with a file or when moving between folders. This prevents the manual scan from stopping if an engine encountered a problem while scanning a file or traversing a folder structure. When this key is set to any value other than 0, Forefront Security for Exchange Server continues scanning after such an event.
This registry key works in conjunction with the General Option setting Delete Corrupted Compressed Files. In order to delete a file that exceeds the MaxCompressedSize, the Delete Corrupted Compressed Files General Option setting must be enabled.
This key sets the maximum compressed file size that Antigen attempts to clean or repair in the event that it discovers an infected file. This key is set to 26 MB by default but may be changed by the administrator. Infected files or files that meet file filter rules that are larger than the allowed maximum size are deleted. Antigen reports a deleted file as having a LargeCompressedInfectedFile virus.
This registry key works in conjunction with the General Option setting Delete Corrupted Compressed Files. In order to delete a file that exceeds the MaxUncompressedFileSize, the Delete Corrupted Compressed Files General Option setting must be enabled.
This key sets the maximum uncompressed file size for a file within a .zip or a RAR archive file. Files larger than the maximum permitted size are deleted and reported as Large Uncompressed File Size. The default setting is 100 MB.
The RAR archive format enables one or more compressed files to be stored in multiple RAR volumes, thereby permitting large files to be broken into smaller-sized files for ease of file transfer. The files stored in the multipart RAR volumes are subject to the size limit specified by this registry value (its default is 100 MB). If a file exceeds the limit, any multipart RAR volume that contains the file, or a part of the file, is deleted. However, the outcome can vary, depending on the size of the original files and how they are distributed across the multiple RAR volumes.
A single file (F1) is split across 3 RAR volumes (V1, V2, V3).
Outcome: If the uncompressed size of F1 exceeds the default 100 MB limit, all 3 RAR volumes (V1, V2, V3) are deleted.
Four files (F1, F2, F3, F4) are split across three RAR volumes (V1, V2, V3) as follows:
V1 contains F1 and the first half of F2.
V2 contains the second half of F2 and F3.
V3 contains only F4.
Outcome: If only F1 exceeds the default 100 MB limit, only V1 will be deleted. If only F2 exceeds the default 100 MB limit, V1 and V2 will be deleted, but V3 will not. If only F4 exceeds the limit, only V3 will be deleted. Note that deleting a volume causes all files stored in the same volume to be deleted, even if only one file or part of a file exceeded the size limit.
In both examples, deletion text specifies that a file (the RAR volume) was deleted because it exceeded the maximum uncompressed file size limit.
To prevent the volumes from being deleted, you must set the registry value MaxUncompressedFileSize to a value large enough to exceed the uncompressed size of the largest file in the multipart RAR volumes.
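The deletion rule for multipart RAR volumes, modelled as a PowerShell function so that both examples above can be worked through and the minimum safe MaxUncompressedFileSize computed. This is an added illustration, not FSE code: the file sizes and volume layouts are constructed sample data, and sizes are compared in bytes (the page does not state the unit in which the registry value itself is stored, so the function only models the comparison).

```powershell
# Added example (not FSE code): predicts which multipart RAR volumes the documented
# rule removes. A file over the limit causes every volume holding any part of it to be
# deleted, and a deleted volume takes all of its other contents with it.

function Get-DeletedRarVolumes {
    param(
        # File name -> uncompressed size in bytes (constructed sample data).
        [hashtable]$FileSizes,
        # Volume name -> names of the files wholly or partly stored in that volume.
        [hashtable]$VolumeContents,
        [long]$MaxUncompressedFileSize = 100MB
    )
    $oversized = @($FileSizes.Keys | Where-Object { $FileSizes[$_] -gt $MaxUncompressedFileSize })
    $deleted = @()
    foreach ($volume in $VolumeContents.Keys) {
        $hits = @($VolumeContents[$volume] | Where-Object { $oversized -contains $_ })
        if ($hits.Count -gt 0) { $deleted += $volume }
    }
    return ($deleted | Sort-Object)
}

function Get-MinimumSafeLimit {
    param([hashtable]$FileSizes)
    # The smallest MaxUncompressedFileSize that keeps every volume is the largest file's size.
    return ($FileSizes.Values | Measure-Object -Maximum).Maximum
}

# First example from the text: one file F1 split across V1, V2 and V3 (constructed: 150 MB).
$sizes1   = @{ F1 = 150MB }
$volumes1 = @{ V1 = @('F1'); V2 = @('F1'); V3 = @('F1') }
Write-Output 'Example 1, volumes deleted:'
Get-DeletedRarVolumes -FileSizes $sizes1 -VolumeContents $volumes1

# Second example from the text with constructed sizes where only F2 is over the limit.
$sizes2   = @{ F1 = 10MB; F2 = 120MB; F3 = 5MB; F4 = 20MB }
$volumes2 = @{ V1 = @('F1', 'F2'); V2 = @('F2', 'F3'); V3 = @('F4') }
Write-Output 'Example 2, volumes deleted:'
Get-DeletedRarVolumes -FileSizes $sizes2 -VolumeContents $volumes2
Write-Output 'Smallest limit (bytes) that would keep every volume in example 2:'
Get-MinimumSafeLimit -FileSizes $sizes2
```

Changing the sizes in `$sizes2` reproduces the other outcomes listed above (only F1 over the limit removes V1 alone; only F4 removes V3 alone), and `Get-MinimumSafeLimit` gives the value the last paragraph tells you to exceed.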
Some e-mail client programs, such as Microsoft Outlook Express, let you send large e-mail messages in several fragments. By default, when Forefront Security for Exchange Server scans fragmented messages (content type: message/partial), the e-mail message may be tagged as FragmentedMessage. In this case, the message body is deleted and replaced with the file filter deletion text.
To prevent Forefront from deleting fragmented e-mail messages, you must create a new DWORD registry key called MIMEDeletePartialMessages and set it to a value of 0.
Fragmented messages are not deleted when the value data is set to 0. Fragmented messages are deleted when there is no MIMEDeletePartialMessages DWORD value in the registry or when the MIMEDeletePartialMessages value data is set to 1.
Specifies whether items that cause a scan job timeout should be quarantined. If this DWORD registry value is not present or if it is present and its value is not zero, a message that causes a scan job timeout will be quarantined. If the registry value is present and its value is zero, that message will not be quarantined.
Enables or disables purging by the Realtime scanner. If set to 1, purging is enabled. If set to 0, purging is disabled. The key is assumed to be 1 by default. Each time you alter this registry value, you must recycle the Exchange Information Store for the change to take effect for the Realtime Scan Job.
When this DWORD value is set to 1 (the default), Forefront Security for Exchange Server scans all file attachments. ScanAllAttachments is a "silent" key, that is, if it is not present, its value defaults to 1.
When set to 1, this key ensures that a background scan will be initiated every time a change is made and saved to the Realtime Scan Job. This key is disabled by default.
Enables or disables purging by the Transport scanner. If set to 1, purging is enabled. If set to 0, purging is disabled. The key is assumed to be 1 by default. Each time you alter this registry value, you must recycle the Exchange IMC service for the change to take effect for the Transport Scan Job.
When this value is set to 1, updates are scheduled for each file scanner that was installed with Forefront Security for Exchange Server after a Forefront Security service startup. This feature is mainly used in clustered Exchange servers. By default, this value is set to 0.
Specifies whether a text file (called Domains.dat) is used to indicate your internal domains. If the value is 0 (the default), the Internal Address field in General Options is used. If you change the value to 1, you can enter all your internal addresses in a text file called Domains.dat in the DatabasePath directory. You would do this if you have a large number of domains to be used as internal addresses.
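A read-only audit of the values named in this article, reporting for each whether it is set explicitly or is falling back to the documented default (the "silent key" behaviour described for ScanAllAttachments). This is an added example, not Forefront tooling; the function names and the table of defaults are its own, the defaults are taken from the descriptions above, and the unit in which MaxCompressedSize and MaxUncompressedFileSize are stored is not assumed, so those defaults are reported as text.

```powershell
# Added example (not Forefront's own tooling): report the effective value of the
# registry overrides documented in this article. An absent value is reported at the
# default the article states.

function Get-FseRegistryPath {
    # Assumption: prefer the Wow6432Node key when it exists (64-bit hosts).
    $wow    = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server'
    $native = 'HKLM:\SOFTWARE\Microsoft\Forefront Server Security\Exchange Server'
    if (Test-Path $wow) { return $wow }
    return $native
}

# Value name, documented default, and what a non-default setting means for scanning.
$fseSettings = @(
    @{ Name = 'DisableAVStamping';         Default = 0; Note = '1 suppresses the Transport AV stamp; Mailbox server rescans' }
    @{ Name = 'MIMEDeletePartialMessages'; Default = 1; Note = '0 keeps fragmented (message/partial) mail instead of deleting it' }
    @{ Name = 'ScanAllAttachments';        Default = 1; Note = '0 means not every attachment is scanned' }
    @{ Name = 'MaxCompressedSize';         Default = '26 MB (documented default; stored unit not assumed)'; Note = 'ceiling for cleaning infected compressed files' }
    @{ Name = 'MaxUncompressedFileSize';   Default = '100 MB (documented default; stored unit not assumed)'; Note = 'ceiling for members of .zip and RAR archives' }
    @{ Name = 'DatabasePath';              Default = '<InstalledPath>'; Note = 'changing it without moving config and Quarantine resets settings' }
)

function Get-FseEffectiveSettings {
    $path = Get-FseRegistryPath
    if (-not (Test-Path $path)) { throw "FSE registry key not found: $path" }
    $props = Get-ItemProperty -Path $path
    foreach ($s in $fseSettings) {
        # The property collection indexer returns $null when the value is not present.
        $member = $props.PSObject.Properties[$s.Name]
        if ($member -ne $null) {
            $source    = 'registry'
            $effective = $member.Value
        } else {
            $source    = 'default (value absent)'
            $effective = $s.Default
        }
        New-Object PSObject -Property @{
            Name      = $s.Name
            Source    = $source
            Effective = $effective
            Note      = $s.Note
        }
    }
}

Get-FseEffectiveSettings | Sort-Object Name | Format-Table Name, Source, Effective, Note -AutoSize
```

Run it before and after a change to confirm the value landed, and after recycling the Forefront services where the description says a recycle is required; the `Source` column makes it obvious when a value someone believes is "set" is in fact absent and silently defaulting.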
Scanner Update Settings registry keys
These are the keys containing the scanner information that is reported on the Scanner Update Settings work pane. Although these should not be modified, you may find them useful for reporting purposes.
For 32-bit systems (only valid during evaluation of FSE):
HKLM\SOFTWARE\Microsoft\Forefront Server Security\Exchange Server\Scan Engines\enginename
For 64-bit systems:
HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server\Scan Engines\enginename
Indicates the current version of enginename, as specified in the Forefront Server Security Administrator.
Indicates the date and time enginename was last checked, as specified in the Forefront Server Security Administrator.
Indicates the date and time enginename was last updated, as specified in the Forefront Server Security Administrator.
Indicates the current version of the enginename signature file, as specified in the Forefront Server Security Administrator.
Indicates the current update of enginename, as specified in the Forefront Server Security Administrator.
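Because these keys are meant to be read rather than modified, a reporting script that enumerates every engine subkey under Scan Engines and lists its values is the natural use. This is an added example, not part of the Forefront documentation or product: the function name is its own, it assumes the key paths quoted above (preferring Wow6432Node when present), and because the page does not name the individual values it reports every value it finds rather than a fixed set.

```powershell
# Added example (not Forefront tooling): read-only report of each engine's values
# under the Scan Engines key, one row per value, suitable for CSV export.

function Get-FseScanEngineReport {
    # Assumption: the Wow6432Node key exists on 64-bit hosts; fall back to the 32-bit path.
    $wow    = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server\Scan Engines'
    $native = 'HKLM:\SOFTWARE\Microsoft\Forefront Server Security\Exchange Server\Scan Engines'
    $base = if (Test-Path $wow) { $wow } else { $native }
    if (-not (Test-Path $base)) { throw "Scan Engines key not found: $base" }

    foreach ($engineKey in Get-ChildItem -Path $base) {
        $values = Get-ItemProperty -Path $engineKey.PSPath
        foreach ($prop in $values.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... bookkeeping members Get-ItemProperty adds.
            if ($prop.Name -like 'PS*') { continue }
            New-Object PSObject -Property @{
                Engine = $engineKey.PSChildName   # the enginename subkey
                Value  = $prop.Name
                Data   = $prop.Value
            }
        }
    }
}

Get-FseScanEngineReport | Sort-Object Engine, Value | Format-Table Engine, Value, Data -AutoSize

# For a scheduled inventory, write the same rows to a file instead:
# Get-FseScanEngineReport | Export-Csv -Path .\fse-engines.csv -NoTypeInformation
```

Comparing two runs of the exported CSV (for example from before and after a scheduled update window) shows which engines actually moved to a new version or signature, which is the check most administrators want from these keys.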