SharePoint Realtime Scan Job
Applies to: Forefront Security for SharePoint
The Forefront Security for SharePoint Realtime Scan Job runs on the SharePoint server to provide immediate scanning of all files that are uploaded to or downloaded from it. When users upload or download documents using a Web browser or any application that uses the SharePoint 2007 Object Model, the VSAPI hooking DLL will send the documents to FSSP for scanning. This method of scanning file transfers in real time is the most effective method for stopping the spread of infectious files.
About multiple Realtime processes
During installation, three Realtime Scan Jobs (processes) are created. You can create additional Realtime Scan Jobs by changing the value of the RealtimeProcessCount registry key to the number of FFSCCRealtime processes you would like to run on the SharePoint server. The maximum is ten. For more information about this setting, see SharePoint registry keys. Additional real-time processes, beyond the default three, may impact server performance.
When FSSP cleans an infected file that has been checked into a document library, the file extension is not changed. For example: If the file Eicar.com is detected, the contents are removed and replaced with the deletion text, but the file extension remains .com rather than being changed to Eicar.txt. If the same file is cleaned while it is nested inside a compressed file, however, the extension is changed to .txt.
When multiple Realtime processes are running, files are scanned by the first process unless it is busy, in which case the file is delivered to the second process. If the second process is busy and a third is enabled, the file is scanned by the third process. Whenever possible, Forefront Security for SharePoint delivers files to the first process, if it is available. Multiple processes increase the load on the server at startup when they are being loaded and whenever they are called upon to scan a file. More than four Realtime processes should not be necessary except in high-volume environments that need the additional redundancy provided by three or four processes. As a general rule, Microsoft recommends enabling only four Realtime processes per processor on each server.
Configuring the Realtime Scan Job
When you configure the Realtime Scan Job settings, select the document libraries to be protected, and optionally specify Deletion Text.
You can also modify these SharePoint 2007 settings through Configure Antivirus Settings in SharePoint Central Administration of SharePoint Server 2007.
To select the document libraries and set the deletion text
From the SETTINGS section of the Shuttle Navigator, select Scan Job. The Scan Job Settings work pane appears.
In the top portion of the work pane (which contains a list of configurable scan jobs), select the Realtime Scan Job.
Make any needed changes to the Realtime antivirus configuration settings. For more information, see Configuring antivirus settings.
Optionally, you can specify Deletion Text, which is used to replace the contents of an infected file during a delete operation. The default deletion text informs you that an infected file was removed, along with the name of the file and the name of the virus found. To create your own custom message, click Deletion Text.
FSSP provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. For more information about this feature, see SharePoint keyword substitution macros.
Configure the engines for the scan. For more information, see Configuring antivirus settings.
Click Save to save your scan job configuration.
Configuring antivirus settings
There are various settings that you can adjust for the Realtime Scan Job.
To configure antivirus settings
In the SETTINGS section of the Shuttle Navigator, click the Antivirus icon. The Antivirus Settings work pane appears.
In the list in the top pane, select the Realtime Scan Job. The current settings for that job are displayed in the bottom half of the work pane.
All the settings on this screen are read-only. Below them, there is a link to the SharePoint Administration site, so that you can make your changes using the SharePoint user interface.
Scan documents on upload—Scans documents being uploaded to SharePoint Portal Server. It is enabled by default.
Scan documents on download—Scans documents being downloaded from SharePoint Portal Server. It is enabled by default.
Allow users to download infected documents—Allows users to download infected documents. If left cleared, all infected documents are blocked. It is disabled by default.
Attempt to clean infected documents—Allows FSSP to clean infected documents, if possible. If FSSP is unable to clean an infected file, it will be reported as infected and SharePoint Portal Server will block the file. If the infected file is nested, FSSP will remove the infected nested file (if it cannot be cleaned). If this option is cleared, Forefront Security for SharePoint will mark detected files as infected and SharePoint Portal Server will block them. It is enabled by default.
Time out scanning after ___ seconds—The number of seconds FSSP will continue to scan a document before timing out. The default is 600 seconds (ten minutes).
Allow scanner to use up to ___ threads—The number of processes that FSSP will run simultaneously. The default of 10 simultaneous threads is also the maximum.
If Scan Documents on Upload and Scan Documents on Download are both cleared, the Realtime Scan Job and its Attempt to Clean Infected Documents setting will both be disabled.
In the list of available third-party scanners in the File Scanners section, choose the file scanning engines. To disable virus scanning while retaining the ability to run File Filtering and Content Filtering, clear the Virus Scanning check box in the Run Job work pane of the OPERATE section of the Shuttle Navigator for the Realtime Scan Job.
In the Bias field, select the bias to control how many engines should be used to provide you with an acceptable probability that your system is protected. For more information see SharePoint Multiple scan engines.
In the Action field, select the action that you want Forefront Security for SharePoint to perform when a virus is detected. The action choices are:
Skip: detect only—Make no attempt to clean or delete. Viruses are reported, but the files remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.
Clean: repair document—Attempt to clean the virus. If successful, the infected file is replaced with the clean version. If cleaning is not possible, the file is replaced with the Deletion Text. This is the default setting.
Block: prevent transfer—An infected file will be blocked from being uploaded or downloaded. The user will receive a SharePoint message that the file was infected and could not be uploaded or downloaded.
Enable e-mail notifications by selecting Send Notifications. This setting does not affect reporting to the Incidents log. In addition, you must also configure the notifications (see SharePoint E-mail notifications). Notifications are disabled by default.
Enable or disable the saving of files detected by the file scanning engine by selecting or clearing Quarantine Files. Quarantining is enabled by default. Enabling quarantine causes deleted files to be stored, permitting you to recover them.
By default, FSSP is configured to scan all files for viruses. To perform scans as quickly and efficiently as possible, however, FSSP can be configured to only scan files that are more likely to contain viruses. It does this by first determining the file type and then by determining whether that file type can be infected with a virus. Determining the file type is accomplished by looking at the file header and not by looking at the file extension. This is a much more secure method because file extensions can be easily spoofed. This check increases FSSP performance while making sure that no potentially infected file attachments pass without being scanned. If you would like FSSP to bypass scanning for file types that are not commonly known to be capable of carrying a virus, set the registry key ScanAllAttachments to 0. (ScanAllAttachments is a "hidden" key, that is, if it is not present, its value defaults to 1.)
The registry key can be found at:
For 32-bit systems:
HKLM\SOFTWARE\Microsoft\Forefront Server Security\SharePoint
For 64-bit systems:
HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\SharePoint
Editing the Realtime Scan Job
Select the Realtime Scan Job in the Scan Job Settings work pane. The changes that are made to the lower portion of the Scan Job Settings work pane apply to the scan job currently selected in the Scan Job list. Making any change to the configuration activates the Save and Cancel buttons. If you make a change to a scan job and try moving to another scan job or shuttle icon without saving it, you are prompted to save your changes.
Controlling the Realtime Scan Job
To control the Realtime Scan Job, click OPERATE in the Shuttle Navigator, and then click the Run Job icon. The Run Job work pane appears.
Select the Realtime Scan Job in the list at the top of the Run Job work pane. The bottom portion of the Run Job work pane shows the status and results of the currently selected scan job.
Enabling and bypassing the Realtime Scan Job
With the Realtime Scan Job selected, the Enable and Bypass buttons control the operation of the job.
When the Realtime Scan Job is set to Bypass, SharePoint still calls FSSP to scan files as they are uploaded. The only responses FSSP can make to SharePoint are “The file is good” or “The file is a virus”. When Realtime is set to Bypass, it returns “The file is good”. Even after re-enabling Realtime, the item is already in the database as “The file is good”. The next time the file is accessed, SharePoint does not pass it to FSSP because it already has a “The file is good” status.
This means that files that were uploaded while Realtime was set to Bypass will not be scanned on download, even after the Realtime Scan Job has been re-enabled, until the daily 2 A.M. FSSP maintenance is performed. When that maintenance runs, the virus stamp on all the items in the database is cleared and the next access causes the items to be scanned. To prevent this situation from occurring, it is recommended that you do not set the Realtime Scan Job to Bypass. If you do set it to Bypass and you do not want to wait until the 2 A.M. maintenance for files that were not scanned on upload to be scanned, you can use the stsadm command option to clear the virus stamp and allow these items to be scanned on download.
To use the stsadm command option to allow previously unscanned items to be scanned on download
From a command prompt, navigate to the C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\BIN directory.
Run the following commands, on separate lines, in order to obtain the values for the avvendorupdatecount and the avvendorid parameters:
stsadm -o getproperty -pn avvendorupdatecount
stsadm -o getproperty -pn avvendorid
Increase the values for each parameter by 1 by running the following commands:
stsadm -o setproperty -pn avvendorupdatecount -pv <previous value incremented by 1>
stsadm -o setproperty -pn avvendorid -pv <previous value incremented by 1>
For example, if the value of each parameter is 513, increase this to 514 by entering the following commands:
stsadm -o setproperty -pn avvendorupdatecount -pv 514
stsadm -o setproperty -pn avvendorid -pv 514
For more information about the stsadm command, consult your Microsoft SharePoint documentation.
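The following PowerShell script is an added example, not part of the Forefront Security for SharePoint documentation or product, that performs the preceding procedure in one step: it reads the current avvendorupdatecount and avvendorid values, increments each by 1, writes them back, and re-reads them to confirm the change. It assumes stsadm.exe is in the 12\BIN directory given above, that the script runs in an elevated prompt on the SharePoint server, and that stsadm getproperty prints a line of the form <Property Exist="Yes" Value="513" /> (the regular expression below is written against that assumed format).

```powershell
# Added example (not Forefront's own code): clear the SharePoint virus stamp
# after a period of Bypass by incrementing avvendorupdatecount and avvendorid.
# Assumption: stsadm.exe is at the 12\BIN path the documentation gives.
$stsadm = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\BIN\stsadm.exe'

function Get-StsadmProperty {
    param([Parameter(Mandatory)][string]$Name)
    # Assumption: getproperty output looks like <Property Exist="Yes" Value="513" />
    $output = & $stsadm -o getproperty -pn $Name 2>&1 | Out-String
    if ($output -match 'Value="(\d+)"') { return [int]$Matches[1] }
    throw "Could not read property '$Name' from stsadm output: $output"
}

function Set-StsadmProperty {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Value
    )
    # Note the plain hyphen in -pv; a typographic dash is not accepted by stsadm.
    & $stsadm -o setproperty -pn $Name -pv $Value | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "stsadm failed to set '$Name' (exit code $LASTEXITCODE)"
    }
}

if (-not (Test-Path $stsadm)) {
    Write-Error "stsadm.exe not found at $stsadm"
    return
}

foreach ($property in 'avvendorupdatecount', 'avvendorid') {
    $current = Get-StsadmProperty -Name $property
    $next    = $current + 1
    Set-StsadmProperty -Name $property -Value $next

    # Read the value back so the operator sees that the change actually took.
    $verified = Get-StsadmProperty -Name $property
    if ($verified -ne $next) {
        throw "$property is $verified after update; expected $next"
    }
    Write-Host ("{0}: {1} -> {2}" -f $property, $current, $next)
}
```

Running the script once is equivalent to the manual getproperty/setproperty sequence above; items uploaded during Bypass will then be scanned the next time they are accessed rather than waiting for the 2 A.M. maintenance.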
Selecting virus scans, file filtering, and content filtering
The Realtime Scan Job can scan for viruses, perform file filtering or keyword filtering, or a combination of the three tasks. Use the Virus Scanning, File Filtering, and Keyword Filtering check boxes to make the appropriate selections. Any change to these settings is immediate, even if the job is currently running.
Checking results and status
The lower portion of the Run Job work pane shows the infections or filtered results found by the Realtime Scan Job. These results are stored to disk in the virus log file by the FSCController and are not dependent on the Forefront Server Security Administrator remaining open. The database files can be cleared when no longer needed. For more information, see "Clearing the databases" in SharePoint reporting and statistics.
SharePoint scan recovery
In the event that the Realtime Scan Job takes longer than a specified amount of time to scan a file (the default is 10 minutes or 600000 milliseconds), the process is terminated and Forefront Security for SharePoint attempts to restart the service. If successful, real-time scanning resumes and a notification is sent to the administrator stating that the Realtime Scan Job exceeded the allotted scan time and recovered.
If the process cannot be restarted, a notification is sent to the administrator stating that the Realtime Scan Job terminated. In this event, Realtime scanning will not function and files will not be scanned.
If you continue to have time-out problems, you can increase the time interval before timeout. Create a new DWORD registry value called RealtimeTimeout and set the time, in milliseconds. (For example, 20 minutes would be 1200000 milliseconds.) For more information about registry values, see SharePoint registry keys.
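As an added example that is not part of this documentation, the following PowerShell script reports the effective values of the three Realtime Scan Job registry settings this page describes: RealtimeProcessCount (About multiple Realtime processes), the hidden ScanAllAttachments key (Configuring antivirus settings), and RealtimeTimeout (this section). It uses the two key paths listed under Configuring antivirus settings, picks whichever exists on the server, and applies the page's stated defaults when a value is absent (three processes, ScanAllAttachments treated as 1, a 600000-millisecond timeout). The per-processor check uses the NUMBER_OF_PROCESSORS environment variable as an approximation of the processor count; treat that mapping as an assumption.

```powershell
# Added example (not Forefront's own code): audit the Realtime Scan Job
# registry settings described on this page and flag values outside its guidance.
$keyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Forefront Server Security\SharePoint',             # 32-bit systems
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\SharePoint'  # 64-bit systems
)

# Use whichever of the two documented paths exists on this server.
$fsspKey = $keyPaths | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $fsspKey) {
    Write-Error 'Forefront Security for SharePoint registry key not found.'
    return
}

function Get-FsspSetting {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Default
    )
    # "Hidden" keys such as ScanAllAttachments mean "use the default" when absent,
    # so a missing value is reported as the documented default, not as an error.
    $item = Get-ItemProperty -Path $fsspKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

$processCount = Get-FsspSetting -Name 'RealtimeProcessCount' -Default 3       # three created at install
$scanAll      = Get-FsspSetting -Name 'ScanAllAttachments'   -Default 1       # hidden key, defaults to 1
$timeoutMs    = Get-FsspSetting -Name 'RealtimeTimeout'      -Default 600000  # 10 minutes

[pscustomobject]@{
    RegistryKey          = $fsspKey
    RealtimeProcessCount = $processCount
    ScanAllAttachments   = $scanAll
    RealtimeTimeoutMs    = $timeoutMs
    RealtimeTimeoutMin   = [math]::Round($timeoutMs / 60000, 1)
}

# Checks drawn from the guidance on this page.
$processors = [int]$env:NUMBER_OF_PROCESSORS   # assumption: logical processors stand in for "processor"
if ($processCount -gt 10) {
    Write-Warning 'RealtimeProcessCount exceeds the maximum of ten.'
}
elseif ($processors -gt 0 -and $processCount -gt 4 * $processors) {
    Write-Warning "RealtimeProcessCount ($processCount) exceeds four processes per processor ($processors processors)."
}
if ($scanAll -eq 0) {
    Write-Warning 'ScanAllAttachments is 0: only file types identified by header as able to carry a virus are scanned.'
}
if ($timeoutMs -lt 600000) {
    Write-Warning "RealtimeTimeout ($timeoutMs ms) is below the 600000 ms default; scan recovery may trigger more often."
}
```

Run the script in an elevated PowerShell session on the SharePoint server; it only reads the registry, so it is safe to use as a periodic configuration check after changes to the process count or timeout.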