Transport Scan Job
Applies to: Forefront Security for Exchange Server
The Forefront Security for Exchange Server Transport Scan Job runs on an Exchange 2007 server with either a Hub Transport or an Edge Transport role installed. It can scan, in real time, all MIME and UUENCODE-based e-mail messages that are inbound or outbound from the Transport stack of an Exchange site or organization as well as all internal mail. The Transport scanner scans for viruses in attachments and for embedded and HTML viruses in the message body.
About multiple Transport processes
During installation, four Transport Scan Jobs (processes) are created for the Transport server. You can create additional Transport Scan Jobs by changing the value of the General Options setting Transport Process Count to the number of scanning processes you want running per Transport server. The maximum is ten.
When multiple transport processes are running, the first process scans the file unless it is busy; in which case, the file is delivered to the second process for scanning. If the second process is busy and a third is enabled, the third process scans the file. Whenever possible, FSE delivers files to the first process if it is available.
Multiple processes increase the load on the server at startup, when the processes are being loaded, and whenever they are called upon to scan a file. More than the default number of processes should not be necessary, except in high-volume environments. Because increasing the number of processes consumes additional server resources, it is best to increase them one at a time, and evaluate the performance at each step.
To change the number of transport processes
In the Forefront Server Security Administrator, in the Shuttle Navigator, select Settings, and then select General Options.
In the Scanning area, choose a suitable value in the Transport Process Count drop-down box. The maximum value that you can use is 10.
Exit the Forefront Server Security Administrator.
Under Administrative Tools, click Services to open the Service Control Manager, and then restart the Forefront Security for Exchange Server services.
Configuring the Transport Scan Job
Configure the Transport Scan Job to specify what combination of inbound, outbound, and internal mail should be scanned. You can optionally specify Deletion Text and Tag Text.
To configure the Transport Scan Job
In the SETTINGS section of the Shuttle Navigator, select Scan Job. The Scan Job Settings work pane appears.
In the top portion of the Scan Job Settings work pane (which contains a list of configurable scan jobs), select the Transport Scan Job.
In the Transport Messages section of the work pane, select the combination of Inbound, Outbound, and Internal messages to be scanned. For more information, see About message queues.
Optionally, you can specify Deletion Text, which is used to replace the contents of an infected file during a delete operation. The default deletion text informs you that an infected file was removed, along with the name of the file and the name of the virus found. To create your own custom message, click Deletion Text.
FSE provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. For more information about this feature, see Keyword substitution macros.
Optionally, you can specify Tag Text. This text is used by Forefront Security for Exchange Server to “tag” the subject line or MIME header of messages that meet filter criteria so that they can be identified later for routing into specific user inboxes or for other purposes identified by the Forefront Server Security Administrator. The action for a filter must set to Identify: Tag Message in order for the tag to be used. To modify the text, click the Tag Text button on the Scan Job Settings work pane. The Tag Text dialog box appears. There are two fields, each of which has a default that can be changed. The subject line tag text defaults to SUSPECT: and the message header tag text (which cannot have any spaces) defaults to Junk-Mail. Click OK.
The same tag is used for all filters associated with the Transport Scan Job.
Click Save to save your scan job configuration.
Configuring antivirus settings
There are various settings that you can adjust for the Transport Scan Job. These include file scanner selection, bias, action, notifications, and quarantining.
To configure antivirus settings
In the SETTINGS section of the Shuttle Navigator, click the Antivirus icon. The Antivirus Settings work pane appears.
In the list in the top pane, select the Transport Scan Job. The file current settings are displayed in the bottom half of the work pane.
Choose the file scanning engines from the list of available third-party scanners in the File Scanners section. To disable virus scanning while retaining the ability to run File Filtering and Keyword Filtering, clear the Virus Scanning check box in the Run Job work pane of the OPERATE section of the Shuttle Navigator for the Transport Scan Job.
Select the Bias to control how many engines should be used to provide you with an acceptable probability that your system is protected. For more information see Multiple scan engines.
Choose the Action that you want Forefront Security for Exchange Server to perform when a virus is detected. The action choices are:
Skip: detect only
Make no attempt to clean or delete. Viruses are reported, but the files remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.
Clean: repair attachment
Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the Deletion Text.
Delete: remove infection
Delete the attachment without attempting to clean it. The detected attachment is removed from the message and the Deletion Text is inserted in its place.
Enable e-mail notifications by selecting Send Notifications. This setting does not affect reporting to the Incidents log. In addition, you must also configure the notifications (see E-mail notifications). Notifications are disabled by default.
Enable or disable saving infected attachments detected by the file scanning engines by selecting or clearing Quarantine files. Quarantining is enabled by default. Enabling quarantine causes deleted attachments and purged messages to be stored, permitting you to recover them. However, worm-purged messages are not recoverable.
Click Save to save your antivirus settings.
Editing the Transport Scan Job
Select the Transport Scan Job in the Scan Job Settings work pane. The changes that are made to the lower portion of the Scan Job Settings work pane apply to the scan job currently selected in the job list. Making any change to the configuration activates the Save and Cancel buttons. If you make a change to a scan job and try moving to another scan job or shuttle icon without saving it, you are prompted to save your changes.
Controlling the Transport Scan Job
To control the Transport Scan Job, click OPERATE in the Shuttle Navigator, and then click the Run Job icon. The Run Job work pane appears.
Select the Transport Scan Job in the list at the top of the Run Job work pane. The bottom portion of the Run Job work pane shows the status and results of the currently selected scan job.
Enabling and disabling the Transport Scan Job
With the Transport Scan Job selected, the Enable and Bypass buttons control the operation of the job.
Selecting virus scans, file filtering, or keyword filtering
The Transport Scan Job can scan for viruses, perform file filtering or keyword filtering, or a combination of the three tasks. Use the Virus Scanning, File Filtering, and Keyword Filtering check boxes to make the appropriate selections. Any change to these settings is immediate, even if the job is currently running.
Checking results and status
The lower portion of the Run Job work pane shows the infections or filtered results found by the Transport Scan Job. These results are stored to disk in the virus log file by the FSCController and are not dependent on the Forefront Server Security Administrator remaining open. The virus log file can be cleared when no longer needed by using the Clear Log button. This does not affect the Incidents log.
A subset of the results can also be deleted by selecting entries in the Folder column (use the mouse or SPACEBAR in combination with the SHIFT or CTRL key). When the desired subset is selected, pressing the DELETE key will remove the subset from the virus log file.
If a large number of entries is selected, the deletion process may potentially take a long time. In this case, a message box appears to ask the user to confirm the deletion.
Use the Export button to save the results in formatted text or delimited text formats.
About Transport scan recovery
In the event that the Transport Scan Job takes longer than a specified amount of time to scan a message (default is 5 minutes or 300,000 milliseconds), the process is terminated and Forefront Security for Exchange Server attempts to restart the service. If successful, Transport scanning resumes and a notification is sent to the administrator stating that the Transport Scan Job stopped and recovered.
When the new Transport scan process starts, the message that caused it to terminate is reprocessed according to the action set in the General Option setting Transport Scan Timeout Action. For example, if it is set to Delete, Forefront Security for Exchange Server deletes the file, replaces its contents with the Deletion Text for the Transport Scan Job, logs the information, and quarantines and archives the file. (For more information about General Options, see Forefront Server Security Administrator.)
If the process cannot be restarted, a notification is sent to the administrator stating that the Transport Scan Job stopped. In this event, Transport scanning will not function and the mail stream will not be scanned.
If you continue to have time-out problems, you may try increasing the time specified in the TransportTimeout registry value. Because this is a hidden registry value, you must create a new DWORD registry value called TransportTimeout, set the Base to Decimal, and type the time in milliseconds in the Value data box. Recycle the Exchange and Forefront Security for Exchange Server services for the change to take effect. For more information about registry values, see Registry keys.
About message queues
Forefront Security for Exchange Server offers flexibility in choosing which message queues to scan with the Transport Scan Job: inbound, outbound, or internal. You can configure Forefront Security for Exchange Server to only scan one queue or all three. In the Scan Job Settings work pane there are three check boxes for making queue selections.
Scanning the inbound queue
Selecting the Inbound check box within the Scan Job Settings work pane configures Forefront Security for Exchange Server to scan all e-mail messages entering the Edge Transport or Hub Transport. Messages are designated as inbound if the message originated from or relayed through an external server. If the Exchange servers within that site or organization are not running Forefront Security for Exchange Server, this is an effective way to protect them from infected e-mail messages coming from the Internet.
Scanning the outbound queue
Selecting the Outbound check box within the Scan Job Settings work pane configures Forefront Security for Exchange Server to scan all outgoing e-mail messages that leave your Exchange site or Exchange organization via the Edge Transport or Hub Transport. Messages are designated as outbound if at least one recipient has an external address.
Selecting the Internal check box within the Scan Job Settings work pane configures Forefront Security for Exchange Server to scan all mail that is being routed from one location inside your domain to another location inside your domain. Messages are designated as internal if they originate from inside your domain and all the recipients are located inside your domain.
Scanning nested compressed files
Exceedingly nested, compressed files can slow the performance of Forefront Security for Exchange Server and the Exchange server. Multiple nesting is also a known denial of service attack against antivirus products. To minimize the potential impact on server performance and guard against denial of service attacks, the Forefront Security for Exchange Server registry key MaxNestedCompressedFile is set to five (5) by default. This setting allows Forefront Security for Exchange Server to search into five nested, compressed attachments to scan for viruses. Attachments with more than five nestings are marked for deletion.
You may change this setting as needed for your environments in the General Options work pane. For more information, see Forefront Server Security Administrator.
Scanning files by type
By default, Forefront Security for Exchange Server is configured to scan all attachments for viruses. To perform scans as quickly and efficiently as possible, however, Forefront Security for Exchange Server can be configured to only scan file attachments that are more likely to contain viruses. It does this by first determining the file type and then by determining whether that file type can be infected with a virus. Determining the file type is accomplished by looking at the file header and not by looking at the file extension. This is a much more secure method because file extensions can be easily spoofed. This check increases Forefront Security for Exchange Server performance while making sure that no potentially infected file attachments pass without being scanned. If you would like Forefront Security for Exchange Server to bypass scanning for file types that are not commonly known to be capable of carrying a virus, set the registry key ScanAllAttachments to 0. (ScanAllAttachments is a "silent" key, that is, if it is not present, its value defaults to 1.)