Configuring the realtime scan
Applies to: Forefront Protection 2010 for SharePoint
There are various configuration settings that you can adjust for the Microsoft Forefront Protection 2010 for SharePoint (FPSP) realtime scan in order to meet the needs of your environment. These include selecting the number of scan engines to use for each scan, setting the action to take when malware is detected, and specifying whether or not to quarantine detected files.
To configure the realtime scan
In the Forefront Protection 2010 for SharePoint Administrator Console, click Policy Management and in Antimalware, click Realtime.
In the Antimalware - Realtime pane, in the General options section, configure the following settings:
Enable realtime antivirus scan—Select or clear this check box to enable or disable the realtime antivirus scan. This setting is enabled by default.
Enable realtime antispyware scan—Select or clear this check box to enable or disable the realtime antispyware scan. This setting is enabled by default.
In the Antimalware - Realtime pane, in the Engines and performance section, configure the number of scan engines that should be used for this scan. For more information, see Configuring the number of scan engines used for each scan.
In the Antimalware - Realtime pane, in the Scan actions section, configure the following settings:
Action—Select the action that you want performed when a virus or spyware is detected. For more information, see Configuring the action when malware is detected.
Quarantine Files—Using the drop-down list, enable (by selecting Yes) or disable (by selecting No) saving infected files detected by the file-scanning engines. Quarantining is enabled by default. Enabling quarantine causes deleted files to be stored in a secure location, from which you can recover them. For more information about quarantine, see Viewing and managing quarantine.
Edit Malware Deletion text—You can specify deletion text, which is used to replace the contents of an infected file during a delete operation. The default deletion text informs you that an infected file was removed, along with the name of the file and the name of the malware found. To change the default text, click Edit Deletion Text, make the modifications to the deletion text in the Edit Malware Deletion Text dialog box, and then click OK to return to the Antimalware - Realtime pane.
FPSP provides keywords that can be used in the deletion text field to obtain information from the message in which the infection was found. To use them, in the Malware Deletion Text dialog box, right click, select Insert Field, and then select the desired macro. For more information about this feature, see Keyword substitution macros.
In the Antimalware - Realtime pane, in the SharePoint antivirus settings section, you can optionally modify several other settings via SharePoint Central Administration. These include scanning documents when they are uploaded or downloaded, allowing users to download infected documents, and the time-out value for the realtime scan. For more information, see Configuring other settings via SharePoint Central Administration.
Configuring additional realtime scan options
You can configure the following additional settings located under the Additional options section of the Antimalware - Realtime pane. Click Save after making any changes to your settings.
Scan doc files as containers—Configures the realtime scan to scan files that use structured storage and the OLE embedded data format (for example, .doc, .xls, .ppt, and .shs) as container files. This ensures that any embedded files are scanned as potential malware carriers. This setting is enabled by default.
Scan after engine update—Configures the realtime scan to rescan previously scanned files when they are accessed following an engine update.
This setting is disabled by default. When enabled, this setting provides heightened security protection by rescanning files that have already been scanned. Files are rescanned the first time an "on-access" event occurs and during every "on-access" event after the initial one if new engine definition updates have been received since the last time the file was scanned.
The SharePoint server may experience increased malware scanning when this option is enabled. This may impact server performance.
During a virus "outbreak" scenario, it is recommended that you enable the Scan after engine update setting, causing files to be scanned repeatedly when accessed after each engine update. You will achieve the best protection because you are always scanning with the latest definitions. When the outbreak passes, disable this setting again.
You would not normally enable this setting, but if your server has a lot of free capacity and the user experience is not impacted, having this enabled all the time ensures the best possible level of protection. Keep in mind that enabling this setting can have a considerable performance impact on a busy server, as it leads to significantly more scanning.
Suppress malware notifications—Suppresses the sending of Virus found and Spyware found notifications, even if these notifications are enabled. This setting is disabled by default.
Process count—Configures the number of processes you want running per Web Front End server. The default value is 4; the maximum value is 10.
When multiple realtime processes are running, the first process scans the file unless it is busy; in which case, the file is delivered to the second process for scanning. If the second process is busy, and a third is enabled, the third process scans the file. When the server runs out of scanning processes to use, the scan is queued until a scanning process becomes available.
On systems with greater than 4 processor cores, performance may be improved by increasing the number of processes towards the total number of CPU cores available. Each additional process will consume additional system resources. When increasing this setting, you should closely monitor resource consumption and performance prior to making additional adjustments.
You must stop and then start the Microsoft Forefront Server Security Controller Service and World Wide Web Publishing Service in order for changes to this setting to take effect.
Maximum container scan time (seconds)—Configures the number of seconds that the realtime scan scans a compressed file before reporting it as a "ScanTimeExceeded" incident. This option is intended to prevent the risk of denial of service due to zip-of-death attacks. The default value is 120 seconds (2 minutes).
Bypassing the realtime scan
You can configure FPSP to bypass realtime scanning of all SharePoint files. When you configure FPSP to bypass realtime scanning, no malware scanning or filtering is performed by the realtime scan job.
Bypassing the realtime scan should only be used for troubleshooting and under the direction of a Customer Service and Support (CSS) engineer. When enabled (it is disabled by default), the realtime scan offers no protection from malware, and all mail is marked as “Clean”.
To bypass realtime scanning
In the Forefront Protection 2010 for SharePoint Administrator Console, click Policy Management, and under Global Settings, click Scan Options.
In the Global Settings – Scan Options pane, under the Realtime scan section, select the Bypass realtime scanning check box.
When you are finished troubleshooting, in order to once again be protected against malware, you must restore scanning by disabling the bypass. Do this by clearing the Bypass scanning check box and then clicking Save. If you bypassed scanning for any period of time, it is also recommended that you run a full scheduled scan for malware that may have been bypassed.