Chapter 6 - Configuring Manual Scan Jobs

 

Applies to: Microsoft Antigen

Antigen enables you to customize the Manual Scan Job for the purpose of scanning mailboxes that are not covered by the Realtime Scan Job or that contain messages that predate the installation of Antigen. The Manual Scan Job is also useful for scanning with a third-party engine that is different from the engines being used by the Realtime Scan Job. It is recommended that you conduct a full manual scan after installing Antigen for the first time. The Manual Scan Job can be configured to scan message bodies, as well as attachments. The ability to scan message bodies is disabled by default on installation, but can be enabled by checking the box for Manual Body Scanning in the General Options work pane. Message body scanning increases the time that is required to perform a manual scan of a server.

Configuring the Manual Scan Job

When configuring the Manual Scan Job settings, select the mailboxes and public folders to be protected, and optionally specify Deletion Text.

To configure the Manual Scan Job

  1. Select Scan Job from the SETTINGS shuttle. The Scan Job Settings work pane appears on the right.

  2. Click Manual Scan Job in the top portion of the Scan Job Settings work pane that contains the list of configurable scan jobs.

  3. In the Scan portion of the Scan Job Settings work pane, select the mailboxes and public folders to be protected. For more information, see About mailboxes and public folders.

  4. Optionally, you can specify Deletion Text. When you click the Deletion Text button, a text box appears. This deletion text box is used by Antigen for Exchange when the contents of an infected file are being replaced during a delete operation. A custom message can be placed inside the deleted file attachments by modifying this text box.

    Note

    Antigen provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. For more information about this feature, see Appendix C - Using keyword substitution macros.

  5. Click Save.

About mailboxes and public folders

Antigen offers flexibility in choosing what mailboxes, public folders, and items to scan in any specified scan job. You can configure the scan job to include all existing and new mailboxes and public folders, or you can build an inclusion list from available mailboxes and public folders.

Note

Mailboxes and public folders with names that are made up entirely of back slashes (\) will not be scanned if Antigen is configured for Selected scanning. If Antigen is set to scan all mailboxes and public folders, mailboxes and public folders that use back slashes or other special characters will be scanned.

In the Scan portion of the work pane, mailboxes and public folders each have three selection options:

Option – Description

  • All – Scan all existing and newly created mailboxes or public folders.
  • None – Do not scan any mailboxes or public folders.
  • Selected – Scan specific mailboxes or public folders. When you choose Selected, the icon underneath the options becomes active. Click this icon to change to the listing of mailboxes or public folders on the server.

You can choose each mailbox or public folder to be scanned by clicking on the name. You can also use the accompanying buttons to select All or None of the mailboxes or public folders. The +/- button inverts the current selection.

Note

Choosing all mailboxes or public folders in the selection pane is not the same as choosing the All option in the previous pane. An inclusion list is built from the selections made here. New mailboxes or public folders that are added after making this selection will not automatically be included.

To return to the main scan selection window, click the arrow in the upper-right corner of the selection window.

Configuring the antivirus scanners and job action

After you have configured the scan job settings, select the antivirus engines to use, the Bias setting, the Action to take, and whether to Send Notifications or Quarantine Files.

To configure antivirus settings

  1. Click Antivirus in the SETTINGS shuttle. The Antivirus Settings work pane opens on the right.

  2. Select the Manual Scan Job from the list in the top pane. The settings are displayed in the bottom half of the work pane.

  3. In the lower pane, select the file scanning engines from the list of available third-party scanners. To disable virus scanning while retaining the ability to run File Filtering and Content Filtering, clear the Virus Scanning check box in the Run Job work pane of the OPERATE shuttle for the Manual Scan Job.

  4. Select the bias to control how many engines should be used to provide you with an acceptable probability that your system is protected. For more information, see Chapter 5 - Using multiple scan engines.

  5. Select the Action that you want Antigen for Exchange to perform when a virus is detected:

    • Skip: detect only – Make no attempt to clean or delete. Viruses will be reported, but the files will remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files is selected in General Options, a match to any of those conditions will cause the item to be deleted.
    • Clean: repair document – Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the Deletion Text.
    • Delete: remove infection – Delete the attachment without attempting to clean. The detected attachment will be removed from the message and a text file will be inserted in its place. The text file will contain, by default, a message saying that the attachment was removed because it was found to be infected with a particular virus.
  6. Enable or disable e-mail notifications by using the Send Notifications box. By default, the Send Notifications box is disabled. This setting does not affect reporting to the Virus Incidents log. In addition, you must also configure the notifications (see Chapter 18 - Using e-mail notifications).

  7. Enable or disable the saving of attachments detected by the file-scanning engine by using the Quarantine Files box. By default, it is enabled. Enabling quarantine causes deleted attachments and purged messages to be stored, making it possible for you to recover them. However, worm-purged messages are not recoverable.

  8. Click Save.

Running the Manual Scan Job

After the scan job and the antivirus settings have been properly configured, you can run the Manual Scan Job.

To run the Manual Scan Job

  1. Click OPERATE in the left navigation shuttle, and then click the Run Job icon. The Run Job work pane appears on the right.

  2. Select the Manual Scan Job.

  3. The Manual Scan Job can perform any combination of virus scanning, file filtering, or content filtering. Select or clear the following options: Virus Scanning, File Filtering, or Content Filtering. Any change to these settings is performed immediately, even if the job is currently running.

  4. Select the Send Summary Notification check box if you would like a notification sent to the virus administrator when the scan job is complete.

  5. The State for the scan job should be Stopped. Click the Start button to start the scan job.

Checking results and status

The lower half of the Run Job work pane displays the infections or filtered results found by the currently selected job. These results are stored to disk in the virus log file by the AntigenService service and are not dependent on the Administrator remaining open. The virus log file can be cleared when it is no longer needed by using the Clear Log button. This does not affect the Virus Incidents log, which stores global viruses or filtered results that include every job on a particular server.

A subset of the results can also be deleted by selecting entries in the Folder column (use the mouse or SPACEBAR in combination with the SHIFT or CTRL key). When the desired subset is selected, pressing the DELETE key will delete the subset from the virus log file.

Note

If a large number of entries are selected, the deletion process may take a long time. In this case, a message box appears asking you to confirm the deletion.

Use the Export button to save the results in formatted text or delimited text formats.

At the bottom of the screen, the status of the selected job and the mailbox, folder, or file currently being scanned are reported.

Antigen sends an e-mail message to the designated Virus Administrators after the completion of a manual scan if the Send Summary Notification box on the Manual Scan work pane is checked. This e-mail message includes:

  • Total Mailboxes Scanned
  • Total Physical Attachments Scanned
  • Total Physical Attachments Detected
  • Total Physical Attachments Cleaned
  • Total Physical Attachments Deleted
  • Total Logical Attachments Scanned
  • Total Logical Attachments Detected
  • Total Logical Attachments Cleaned
  • Total Logical Attachments Deleted

Scheduling the Manual Scan Job

To schedule a Manual Scan Job, click OPERATE in the left navigation shuttle, and then click the Schedule Job icon. The Schedule Job work pane appears on the right.

The top portion of the Schedule Job work pane shows the Manual Scan Job and indicates whether it is enabled or disabled.

The bottom portion of the Schedule Job work pane shows the scheduling information for the Manual Scan Job.

To schedule the Manual Scan Job

  1. Use the calendar option to set the Date when the Manual Scan Job will activate. The red circle indicates today's date.

  2. Set the run time by using the Time edit field to the right of the calendar.

  3. Set the Frequency of the scheduled Manual Scan Job to control whether the job will run only once, daily, weekly, or monthly.

  4. If the job is disabled, click Enable to enable it and save your changes. If the job is already enabled, just click Save.

Note

The Schedule Job work pane displays the status of the Manual Scan Job. You can also verify that the scheduled job is enabled by opening a Windows® command window and typing AT. When a scheduled job is enabled, it will appear in the AT list until it is run or disabled.

Performing a quick scan

There are times when you may want to perform a scan of a single mailbox or another one-time virus scanning job. Quick Scan enables you to perform this task efficiently by combining both the configuration and operation features of a single Manual Scan Job in one work pane.

Quick Scan initially uses the default configuration (all mailboxes and public folders, the scan engines selected during installation, a bias of Neutral, an action of Skip: detect only, no notifications, and quarantining). You can make changes to any of these settings and Antigen will preserve them for the next time that you run a Quick Scan.

To perform a quick scan

  1. Click OPERATE in the left navigation shuttle and then click the Quick Scan icon. The Quick Scan work pane appears. Your last Quick Scan configuration is displayed.

  2. To run the Quick Scan with the same configuration, click Start. Otherwise, make changes as necessary.

    1. In the Scan portion of the Quick Scan work pane, select the mailboxes and public folders to be protected. For more information about the choices, see About mailboxes and public folders.
    2. Select the File Scanners from the list of available third-party scanners.
    3. Select the bias to control how many engines should be used to provide you with an acceptable probability that your system is protected. For more information, see Chapter 5 - Using multiple scan engines.
    4. Select the Action that you want Antigen for Exchange to perform when a virus is detected. The choices are:
      • Skip: detect only – Make no attempt to clean or delete. Viruses will be reported, but the files will remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.
      • Clean: repair document – Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the Deletion Text.
      • Delete: remove infection – Delete the attachment without attempting to clean. The detected attachment will be removed from the message and a text file will be inserted in its place. The text file will contain the following string: "Antigen for Exchange found a virus and deleted this file."
    5. Enable or disable e-mail notifications by using the Send Notifications box. By default, it is disabled. This setting does not affect reporting to the Virus Incidents log. In addition, you must also configure the notifications (see Chapter 18 - Using e-mail notifications).
    6. Enable or disable the saving of attachments detected by the file scanning engine by using the Quarantine Files box. By default, it is enabled. Enabling quarantine causes deleted attachments and purged messages to be stored, making it possible for you to recover them. However, worm-purged messages are not recoverable.
    7. Click Start.

Checking results and status

At the bottom of the screen, the status of the Quick Scan job and the mailbox, folder, or file currently being scanned are reported.

Scanning files by type

By default, Antigen is configured to scan all attachments for viruses. To perform scans as quickly and efficiently as possible, however, Antigen can be configured to only scan file attachments that are more likely to contain viruses. It does this by first determining the file type and then by determining whether that file type can be infected with a virus. Determining the file type is accomplished by looking at the file header and not by looking at the file extension. This is a much more secure method because file extensions can be easily spoofed. This check increases Antigen performance while making sure that no potentially infected file attachments pass without being scanned. If you would like Antigen to bypass scanning for file types that are not commonly known to be capable of carrying a virus, set the registry key ScanAllAttachments to 0. (ScanAllAttachments is a "silent" key, that is, if it is not present, its value defaults to 1.)
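The header-versus-extension check described above, sketched in Python as an added example (not Antigen's code). The signature table, the expected-extension map, the low-risk set, and the scan_all parameter standing in for ScanAllAttachments are all assumptions made for illustration.

```python
# Added illustration of header-based file typing; not Antigen's implementation.
import os

# Constructed signature table: (leading magic bytes, type label).
SIGNATURES = [
    (b"MZ", "exe"),                                 # DOS/PE executable
    (b"PK\x03\x04", "zip"),                         # ZIP container (also OOXML, JAR)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy Office compound file
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]

# Extensions each detected type normally carries (constructed, not exhaustive).
EXPECTED_EXT = {
    "exe": {".exe", ".dll", ".scr"},
    "zip": {".zip", ".docx", ".xlsx", ".jar"},
    "ole2": {".doc", ".xls", ".ppt", ".msi"},
    "pdf": {".pdf"},
    "png": {".png"},
    "jpeg": {".jpg", ".jpeg"},
    "gif": {".gif"},
}

# Assumption: types this sketch treats as safe to skip when scan_all is off.
LOW_RISK = {"png", "jpeg", "gif"}

def sniff(data: bytes) -> str:
    """Return the type label for the file header, or 'unknown'."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    return "unknown"

def classify(filename: str, data: bytes, scan_all: bool = True) -> dict:
    """Decide whether to scan an attachment from its header, not its name."""
    detected = sniff(data)
    ext = os.path.splitext(filename)[1].lower()
    mismatch = detected != "unknown" and ext not in EXPECTED_EXT[detected]
    # Skip only files positively identified as low-risk whose name agrees
    # with the header; unknown or mismatched files are always scanned
    # (a conservative choice made for this sketch).
    scan = scan_all or mismatch or detected not in LOW_RISK
    return {"detected": detected, "mismatch": mismatch, "scan": scan}

# Constructed sample: a PE header hiding behind an image extension.
SPOOFED = ("invoice.jpg", b"MZ\x90\x00" + b"\x00" * 60)
```

With scan_all=False, classify(*SPOOFED, scan_all=False) still returns scan=True because the header says executable, while a genuine JPEG named photo.jpg is skipped.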
