Chapter 7 - Configuring Realtime Scan Jobs
Applies to: Microsoft Antigen
The Antigen Realtime Scan Job runs on the Microsoft® Exchange Server to provide immediate scanning of e-mail messages that are sent or received by the mailboxes and public folders that reside on the server. Scanning messages in real time is the most effective way to stop the spread of infectious file attachments. The Realtime Scan Job can scan message bodies as well as attachments. Body scanning is disabled by default on installation; enable it by selecting the Body Scanning - Realtime check box in the General Options work pane. Scanning message bodies increases the time required to scan each message.
About multiple Realtime processes
During installation, two Realtime Scan Jobs (processes) are created for each storage group (Microsoft Exchange 2000 Server and Microsoft Exchange Server 2003) or private/public store (Microsoft Exchange Server 5.5). Administrators can create additional Realtime Scan Jobs for each storage group or private/public store by changing the value of the General Options setting, Realtime Process Count, to represent the number of Antigen Realtime processes that you want running per Storage Group or on the public/private stores. The maximum is four.
When you run multiple Realtime processes, files are scanned by the first process unless it is busy, in which case the file is delivered to the second process. If the second process is busy and a third is enabled, the file is scanned by the third process. Whenever possible, Antigen delivers files to the first process, if it is available. Multiple processes will increase the load on the server at startup when they are being loaded and whenever they are called on to scan a file. More than two Realtime processes should not be necessary except in high-volume environments that need the additional redundancy provided by 3 or 4 processes. As a general rule, it is recommended to enable only two Realtime Processes per processor on each server.
Configuring the Realtime Scan Job
When configuring the Realtime Scan Job settings, select the mailboxes and public folders to be protected and optionally specify Deletion Text.
To configure the Realtime Scan Job
1. Select Scan Job from the SETTINGS shuttle. The Scan Job Settings work pane appears on the right.
2. Click Realtime Scan Job in the top portion of the Scan Job Settings work pane, which lists the configurable scan jobs.
3. In the Scan portion of the Scan Job Settings work pane, select the mailboxes and public folders to be protected. For more information, see About mailboxes and public folders.
4. Optionally, specify Deletion Text. When you click the Deletion Text button, a text box appears. Microsoft Antigen for Exchange uses this text to replace the contents of an infected file during a delete operation; edit it to place a custom message inside deleted file attachments.
   Antigen provides keywords that can be used in the deletion text to obtain information from the message in which the infection was found. For more information about this feature, see Appendix C - Using keyword substitution macros.
About mailboxes and public folders
Antigen offers flexibility in choosing which mailboxes, public folders, and items to scan with the Realtime Scan Job. You can configure the scan job to include all existing and new mailboxes and public folders, or you can build an inclusion list from available mailboxes and public folders.
Mailboxes and public folders with names that are composed entirely of backslashes (\) will not be scanned if Antigen is configured for Selected scanning. If Antigen is set to scan all mailboxes or public folders, mailboxes or public folders whose names contain backslashes or other special characters will be scanned.
In the Scan portion of the Scan Job Settings work pane, mailboxes and public folders each have three selection options:
- All: Configures the scan job to include all existing and newly created mailboxes or public folders.
- None: Does not scan any mailboxes or public folders.
- Selected: Scans only specific mailboxes or public folders. When you choose Selected, the icon underneath the options becomes active. Click this icon to switch to the listing of mailboxes or public folders on the server.
You can choose each mailbox or public folder to be scanned by clicking on the name. You can also use the accompanying buttons to select All or None of the mailboxes or public folders. The +/- button inverts the current selection.
Choosing all mailboxes or public folders in the selection pane is not the same as choosing the All option in the previous pane. An inclusion list is built from the selections made here. New mailboxes or public folders added after making this selection will not automatically be included.
To return to the main scan selection pane, click the arrow in the upper-right corner of the mailbox or public folder selection pane.
Configuring the antivirus scanners and job action
After you have configured the scan job settings, select the antivirus engines to use, the Bias setting, the Action to take, and whether to Send Notifications or Quarantine Files.
To configure antivirus settings
1. Click Antivirus in the SETTINGS shuttle. The Antivirus Settings work pane opens on the right.
2. Select the Realtime Scan Job from the list in the top pane. The settings are displayed in the bottom half of the work pane.
3. In the lower pane, select the file scanning engines from the list of available third-party scanners. To disable virus scanning while retaining the ability to run File Filtering and Content Filtering, clear the Virus Scanning check box in the Run Job work pane of the OPERATE shuttle for the Realtime Scan Job.
4. Select the bias to control how many engines are used to provide an acceptable probability that your system is protected. For more information, see Chapter 5 - Using multiple scan engines.
5. Select the Action that you want Antigen for Exchange to perform when a virus is detected:
   - Skip: detect only – Make no attempt to clean or delete. Viruses will be reported, but the files will remain infected. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.
   - Clean: repair document – Attempt to clean the virus. If successful, the infected attachment or message body is replaced with the clean version. If cleaning is not possible, the attachment or message body is replaced with the Deletion Text.
   - Delete: remove infection – Delete the attachment without attempting to clean. The detected attachment is removed from the message and a text file is inserted in its place. The text file contains the following string: "Antigen for Exchange found virus and deleted this file."
6. Enable or disable e-mail notifications by using the Send Notifications box. By default, it is disabled. This setting does not affect reporting to the Virus Incidents log. You must also configure the notifications themselves (see Chapter 18 - Using e-mail notifications).
7. Enable or disable the saving of attachments detected by the file scanning engines by using the Quarantine Files box. By default, it is enabled. Enabling quarantine stores deleted attachments and purged messages so that you can recover them. Worm-purged messages, however, are not recoverable.
Controlling the Realtime Scan Job
After the scan job and antivirus settings have been properly configured, you can access additional settings to further control the Realtime Scan Job.
To control the Realtime Scan Job
1. Click OPERATE in the left navigation shuttle, and then click the Run Job icon. The Run Job work pane appears to the right.
2. Select the Realtime Scan Job.
3. If the State for the scan job is not Enabled, click the Enable button to enable the scan job.
4. The Realtime Scan Job can perform any combination of virus scanning, file filtering, and content filtering. Select or clear the following options: Virus Scanning, File Filtering, or Content Filtering. Any change to these settings takes effect immediately, even if the job is currently running.
Checking results and status
The lower half of the Run Job work pane shows the infections or filtered results found by the currently selected job. These results are written to disk in the virus log file by the AntigenService service and do not depend on the Antigen Administrator remaining open. The virus log file can be cleared when no longer needed by using the Clear Log button. This does not affect the Virus Incidents log, which stores the virus and filter results of every job on a particular server.
A subset of the results can also be deleted by selecting entries in the Folder column (use the mouse or SPACEBAR in combination with the SHIFT or CTRL key). When the desired subset is selected, pressing the DELETE key will delete the subset from the virus log file.
If a large number of entries are selected, the deletion process may take a long time. In this case, a message box appears asking you to confirm the deletion.
Use the Export button to save the results in formatted text or delimited text format.
At the bottom of the screen, the status of the selected job and the mailbox, folder, or file currently being scanned are reported.
About Realtime Scan recovery
In the event that the Realtime Scan Job takes longer than a specified amount of time to scan a file (default is 5 minutes or 300,000 milliseconds), the process is terminated and Antigen attempts to restart the service. If successful, real-time scanning resumes and a notification is sent to the administrator stating that the Realtime Scan Job exceeded the allotted scan time and was recovered.
When the new Realtime scan process starts, the message that caused it to terminate is reprocessed according to the action set in the General Option setting Realtime Scan Timeout Action. For example, if it is set to Delete, Antigen deletes the file, replaces its contents with the Deletion Text for the Realtime Scan Job, logs the information, and quarantines and archives the file. (For more information on General Options, see Chapter 4 - Using the Antigen Administrator.)
If the process cannot be restarted, a notification is sent to the administrator stating that the Realtime Scan Job stopped. In this event, real-time scanning for the particular storage group does not function, but the information store will not stop.
By default, message scanning times out after 300,000 milliseconds (5 minutes). To change the time-out, create the DWORD registry value RealtimeTimeout and set it to the new time-out in milliseconds. Because this is a hidden registry value, it does not exist until you create it: add a new DWORD value called RealtimeTimeout, set the Base to Decimal, and type the time in milliseconds in the Value data box. If time-out problems persist, increase the value further. Recycle the Exchange and Antigen services for the change to take effect. For more information about registry values, see Appendix B - Setting registry values.
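The following PowerShell script is an added example, not part of the Antigen documentation, showing how to create or raise the hidden RealtimeTimeout DWORD without opening regedit. The registry key path ($AntigenKey) is a placeholder and must be taken from Appendix B - Setting registry values; the MSExchangeIS service name for the Exchange Information Store is an assumption to confirm with Get-Service. The same helper also sets the ScanAllAttachments value described later in this chapter, since both are hidden DWORD values that behave identically when absent.

```powershell
# Added example, not from the Antigen documentation: create or raise the hidden
# RealtimeTimeout DWORD with PowerShell instead of regedit.
# ASSUMPTION: $AntigenKey is a placeholder. Take the real key path for your
# Antigen version from Appendix B - Setting registry values before running this.
$AntigenKey = 'HKLM:\SOFTWARE\<path from Appendix B>'

function Set-AntigenHiddenDword {
    param(
        [Parameter(Mandatory=$true)] [string] $KeyPath,
        [Parameter(Mandatory=$true)] [string] $Name,
        [Parameter(Mandatory=$true)] [uint32] $Value
    )
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        throw "Registry key '$KeyPath' not found; check the path in Appendix B."
    }
    # Hidden values do not exist until created, so Get-ItemProperty returns nothing
    # the first time. -PropertyType DWord stores REG_DWORD; the stored number is the
    # same whether regedit displays it in decimal or hexadecimal.
    $current = Get-ItemProperty -LiteralPath $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $current) {
        New-ItemProperty -LiteralPath $KeyPath -Name $Name -Value $Value -PropertyType DWord | Out-Null
        "$Name created = $Value"
    } else {
        Set-ItemProperty -LiteralPath $KeyPath -Name $Name -Value $Value
        "$Name changed from $($current.$Name) to $Value"
    }
}

# Default is 300000 ms (5 minutes). Raise the Realtime scan time-out to 10 minutes,
# expressed in milliseconds as the documentation requires.
$tenMinutesMs = [uint32](New-TimeSpan -Minutes 10).TotalMilliseconds   # 600000
Set-AntigenHiddenDword -KeyPath $AntigenKey -Name 'RealtimeTimeout' -Value $tenMinutesMs

# The same helper sets the other silent DWORD described in this chapter:
# ScanAllAttachments = 0 makes Antigen skip file types that cannot carry a virus.
# Set-AntigenHiddenDword -KeyPath $AntigenKey -Name 'ScanAllAttachments' -Value 0

# The change takes effect only after the Exchange and Antigen services are recycled.
# The chapter names the AntigenService service; MSExchangeIS (Exchange Information
# Store) is an assumption here. Confirm both names with Get-Service before restarting.
Restart-Service -Name 'AntigenService' -Force
Restart-Service -Name 'MSExchangeIS' -Force
```

Run the script in an elevated PowerShell session on the Exchange server. Restarting the Information Store interrupts mail access, so schedule the run for a maintenance window, and confirm afterwards with Get-ItemProperty that the value is present and decimal 600000.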
Scanning files by type
By default, Antigen scans all attachments for viruses. To scan as quickly and efficiently as possible, Antigen can instead be configured to scan only the file attachments that are capable of carrying a virus. It does this by first determining the file type and then checking whether that type can be infected. The file type is determined from the file header, not from the file extension; this is far more secure because an extension is trivially renamed, whereas the header reflects what the file actually is. This check improves performance while ensuring that no potentially infected attachment passes unscanned. To have Antigen bypass scanning for file types that are not commonly known to be capable of carrying a virus, set the registry value ScanAllAttachments to 0. (ScanAllAttachments is a "silent" value: if it is not present, its value defaults to 1 and all attachments are scanned.)
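The following PowerShell script is an added example, not Antigen's own code or type table, that demonstrates why header-based type detection matters: an executable renamed to .txt is skipped by an extension check but still identified by its leading bytes. The signature table is a small illustrative subset, the "harmless extension" list is a made-up policy, and the sample attachments are constructed byte strings, not real files.

```powershell
# Added example, not Antigen's own logic: classify an attachment by its file header
# (leading bytes) rather than by its extension, the approach the chapter describes.
# ASSUMPTION: the signature table below is a small illustrative subset, and the
# "harmless extension" list is a made-up policy, not Antigen's type table.

$Signatures = @(
    @{ Type = 'PE executable';         Magic = [byte[]](0x4D, 0x5A) }                                 # "MZ"
    @{ Type = 'ZIP / Office 2007+';    Magic = [byte[]](0x50, 0x4B, 0x03, 0x04) }                     # "PK\3\4"
    @{ Type = 'OLE2 (Office 97-2003)'; Magic = [byte[]](0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1) }
    @{ Type = 'PDF';                   Magic = [byte[]](0x25, 0x50, 0x44, 0x46) }                     # "%PDF"
)

function Get-FileTypeByHeader {
    param([Parameter(Mandatory=$true)] [byte[]] $Bytes)
    foreach ($sig in $Signatures) {
        $magic = $sig.Magic
        if ($Bytes.Length -lt $magic.Length) { continue }
        $match = $true
        for ($i = 0; $i -lt $magic.Length; $i++) {
            if ($Bytes[$i] -ne $magic[$i]) { $match = $false; break }
        }
        if ($match) { return $sig.Type }
    }
    return 'unknown / plain data'
}

function Test-Attachment {
    param(
        [Parameter(Mandatory=$true)] [string] $Name,
        [Parameter(Mandatory=$true)] [byte[]] $Bytes
    )
    $ext        = [System.IO.Path]::GetExtension($Name).ToLowerInvariant()
    $headerType = Get-FileTypeByHeader -Bytes $Bytes
    # Extension-based decision: defeated by simply renaming the file.
    $skipByExtension = @('.txt', '.csv', '.log') -contains $ext
    # Header-based decision: only unrecognised data is skipped; a renamed executable is still scanned.
    $skipByHeader = $headerType -eq 'unknown / plain data'
    New-Object PSObject -Property @{
        Name            = $Name
        Extension       = $ext
        HeaderType      = $headerType
        SkipByExtension = $skipByExtension
        SkipByHeader    = $skipByHeader
        Spoofed         = ($skipByExtension -and -not $skipByHeader)
    }
}

# Constructed samples (no real files are read).
$Samples = @(
    @{ Name = 'quarterly_report.txt'; Bytes = [byte[]](0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00) }  # PE header behind a .txt name
    @{ Name = 'invoice.pdf';          Bytes = [System.Text.Encoding]::ASCII.GetBytes('%PDF-1.4 constructed sample') }
    @{ Name = 'notes.txt';            Bytes = [System.Text.Encoding]::ASCII.GetBytes('plain text, nothing executable') }
)

$Samples | ForEach-Object { Test-Attachment -Name $_.Name -Bytes $_.Bytes } |
    Format-Table Name, HeaderType, SkipByExtension, SkipByHeader, Spoofed -AutoSize
```

In the output, quarterly_report.txt is reported as a PE executable with SkipByExtension True but SkipByHeader False, so Spoofed is True: the extension check would have let it through unscanned, the header check does not. notes.txt is skipped by both methods, and invoice.pdf by neither. A real scanner keeps a far larger signature table and also has to handle formats, such as compressed archives, whose payload type is only known after unpacking.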