SharePoint registry keys


Applies to: Forefront Security for SharePoint


Serious problems might occur if you modify the registry incorrectly. These problems could require you to reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk. Always make sure that you back up the registry before you modify it, and that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, see Microsoft Knowledge Base article 256986.

Forefront Security for SharePoint stores many settings in the Windows registry. You seldom have to edit the registry yourself, because most of those settings are derived from entries you make in General Options. However, there are some additional settings that you may occasionally need to make. FSSP stores registry values in the following locations:

For 32-bit systems:

  • HKLM\SOFTWARE\Microsoft\Forefront Server Security\SharePoint

For 64-bit systems:

  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\SharePoint

    Variable Description and values


    Forefront Security for SharePoint performs signature type checking to avoid scanning those files that can never contain a virus. If it becomes necessary to scan an additional file type, you will need to contact Help and Support to obtain the proper setting for the file type you would like to add. This key is set to 0 (off) by default.


    Specifies the extension type with which all deleted attachments will be named (example: abc). By default, its value is txt. To disable this feature (causing the original extension to be retained), replace txt with an empty string (""). To specify a different extension, replace txt with some other string (between one and three characters). If you use an extension size larger than three characters, or if you delete this registry value, it will default back to txt at the next recycling of the services. Any changes made to this registry value take effect only after you recycle the FSSP services.


    Specifies the path under which the Forefront Security for SharePoint configuration files and Quarantine folder reside. It defaults to the Forefront Security for SharePoint installation path (InstalledPath). If this value is changed, the configuration files and the Quarantine folder (along with its contents) must be moved to this new location. If this value is changed and the files are not moved, Forefront Security for SharePoint re-creates them and the previous settings are lost. Move the files first and then change this value. For more information about moving these files, see "Moving the Databases" in SharePoint reporting and statistics.


    Specifies the time (in seconds) that the antivirus scan engines will attempt to download an update before timing out. The default value is 300 (5 minutes).


    Specifies that Forefront Security for SharePoint should recover from a manual scan failure when a scan engine encounters problems with a file or when moving between folders. This prevents the manual scan from stopping if an engine encountered a problem while scanning a file or traversing a folder structure. When this key is set to any value other than 0, Forefront Security for SharePoint continues scanning after such an event.


    Sets the limit for the maximum nested attachments that can appear in MSG, TNEF, MIME, and UUENCODE files. The limit is the sum of the nesting of all of these types. If the maximum is exceeded, the entire file is deleted and a notification is sent stating that an ExceedinglyNested virus was found. The default is 30.


    This key sets the maximum uncompressed file size for a file within a .zip or a RAR archive file. Files larger than the maximum permitted size are deleted and reported as Large Uncompressed File Size. The default setting is 100 MB.

    The RAR archive format enables one or more compressed files to be stored in multiple RAR volumes, thereby permitting large files to be broken into smaller-sized files for ease of file transfer. The files stored in the multipart RAR volumes are subject to the size limit specified by this registry value (its default is 100MB). If a file exceeds the limit, any multipart RAR volume that contains the file, or a part of the file, is deleted. However, the outcome can vary, depending on the size of the original files and how they are distributed across the multiple RAR volumes.

    Example 1: A single file (F1) is split across 3 RAR volumes (V1, V2, V3).

    Outcome: If the uncompressed size of F1 exceeds the default 100MB limit, all 3 RAR volumes (V1, V2, V3) is deleted.

    Example 2: Four files (F1, F2, F3, F4) are split across three RAR volumes (V1, V2, V3) as follows:

    V1 contains F1 and the first half of F2.

    V2 contains the second half of F2 and F3.

    V3 contains only F4.

    Outcome: If only F1 exceeds the default 100MB limit, only V1 will be deleted. If only F2 exceeds the default 100MB limit, V1 and V2 will be deleted, but V3 will not. If only F4 exceeds the limit, only V3 will be deleted. Note that deleting a volume causes all files stored in the same volume to be deleted, even if only one file or part of a file exceeded the size limit.

    In both examples, deletion text specifies that a file (the RAR volume) was deleted because it exceeded the maximum uncompressed file size limit.

    To prevent the volumes from being deleted, you must set the registry value MaxUncompressedFileSize to a value large enough to exceed the uncompressed size of the largest file in the multipart RAR volumes.


    Specifies whether items that cause a scan job timeout should be quarantined. If this DWORD registry value is not present or if it is present and its value is not zero, a message that causes a scan job timeout will be quarantined. If the registry value is present and its value is zero, that message will not be quarantined.


    Specifies the number of Realtime processes permitted. This registry value is created after the initial start of FSCController. The default value is 3, which indicates that three FSSP Realtime processes will be launched. You may modify it to represent the number of FSSP Realtime processes you want running on the server (the maximum is 10). FSCController must be recycled for the change to take effect.


    Specifies whether purging by the Realtime scanner will take place. A value of 1 (the default) enables purging. A value of 0 disables it.


    Indicates whether FSSP should scan all files or just certain types known to contain viruses. When this DWORD value is set to 1 (the default), FSSP will scan all files.


    When this value is set to 1, updates are scheduled for each file scanner that was installed with Forefront Security for SharePoint after a Forefront Security service startup. By default, this value is set to 0.

Scanner Update Settings registry keys

These are the keys containing the scanner information that is reported on the Scanner Update Settings work pane. Although these should not be modified, you may find them useful for reporting purposes.

For 32-bit systems:

  • HKLM\SOFTWARE\Microsoft\Forefront Server Security\SharePoint\Scan Engines\ <enginename>

For 64-bit systems:

  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\ SharePoint\Scan Engines\<enginename>

    Variable Description

    Engine Version

    Indicates the current version of <enginename>, as specified in the Forefront Server Security Administrator.

    Last Checked

    Indicates the date and time <enginename> was last checked, as specified in the Forefront Server Security Administrator.

    Last Updated

    Indicates the date and time <enginename> was last updated, as specified in the Forefront Server Security Administrator.

    Signature Version

    Indicates the current version of the <enginename> signature file, as specified in the Forefront Server Security Administrator.

    Update Version

    Indicates the current update of <enginename>, as specified in the Forefront Server Security Administrator.