Configuring maximum file sizes and other threshold levels
Applies to: Forefront Protection for Exchange
You can configure the maximum values that FPE uses for various thresholds. These include the following: container file size, uncompressed file size, container file infections, and nested attachments. If a threshold value is exceeded, the file is deleted.
To configure maximum file sizes and other threshold levels
In the Forefront Protection 2010 for Exchange Server Administrator Console, click Policy Management, and under Global Settings, click Advanced Options.
In the Global Settings - Advanced Options pane, under the Threshold Levels section, you can enter values for the following settings:
Maximum container file infections—Specifies the maximum number of infections permitted in a container file. If this value is exceeded, the entire file is deleted, and an ExceedinglyInfected incident is added to the log file (all infections prior to when the maximum number of infections is reached are also logged). A value of 0 (zero) means that a single infection causes the entire container to be deleted. The default value is 5 infections.
Maximum container file size: (megabytes)—Specifies the maximum container file size (in megabytes) for attachments. The default value is 25 MB; it is recommended that you change this value to match your e-mail policy concerning the largest permissible file attachment size. If a filter match or malware is detected, attachments larger than this value will automatically be deleted. FPE reports these deleted files as LargeInfectedContainerFile incidents.
Maximum compressed file size: (megabytes)—Specifies the maximum compressed size of a file within a .zip, .gzip, .rar, or other compressed container file. Files larger than this size are treated as corrupted compressed files. The size is specified in megabytes, with a valid range of values from 0 to 2047. The default value of 20 means that all compressed files larger than 20 MB are deleted.
Maximum uncompressed file size: (megabytes)—Sets the maximum uncompressed file size for a file within a .zip, .gzip, .rar, or other compressed container file. Files larger than the maximum permitted size are deleted and reported as LargeUncompressedFileSize incidents. The default value is 100 MB. This setting works in conjunction with the Delete corrupted compressed files setting. In order to delete a file that exceeds the Maximum uncompressed file size, the Delete corrupted compressed files setting must be enabled. For more information about this setting, see Deleting corrupted compressed files.
The .rar archive format enables one or more compressed files to be stored in multiple .rar volumes, thereby permitting large files to be broken into smaller files for ease of file transfer. To prevent the volumes from being deleted, you must set a value that is larger than the uncompressed size of the largest file in the multipart .rar volumes.
For concatenated .gzips, the Maximum uncompressed file size is applied to each part of the concatenated .gzip. For example, take a .gzip that has two parts. Part1 is within the size limit, and part2 is also within the size limit, but the combined size of part1 and part2 exceeds the limit. This is not considered exceeding the size limit and FPE continues scanning.
Maximum nested attachments—Specifies the limit for the maximum number of nested documents that can appear in MSG, TNEF, MIME, and UUEncoded files. Note that for the realtime scan, a nested MSG file is not treated as a nested file with certain e-mail clients. If the maximum number is exceeded, FPE deletes the entire file and reports an ExceedinglyNested incident. The default value is 30.
Maximum nested depth compressed files—Specifies the maximum nested depth for a compressed file. If this is exceeded, FPE deletes the entire file and reports an ExceedinglyNested incident. A value of 0 (zero) means that unlimited nesting is permitted. The default value is 5.
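The per-part rule described above for concatenated .gzip files, as an added Python example (not FPE code and not part of the original page): each gzip member is measured against the limit on its own, and expansion of a member stops as soon as the limit is passed. The function name, the byte-sized limit, and the sample data are assumptions constructed for illustration.

```python
import gzip
import zlib

CHUNK = 64 * 1024  # upper bound on bytes expanded per decompress() call


def scan_gzip_members(blob, limit):
    """Check each member of a (possibly concatenated) gzip blob against limit.

    Returns (sizes, oversized): sizes lists the uncompressed byte count of
    each member examined; oversized is True if a member exceeded limit.
    A member is never expanded past limit + 1 bytes.
    """
    sizes = []
    rest = blob
    while rest:
        d = zlib.decompressobj(wbits=31)  # wbits=31 selects gzip framing
        size, buf = 0, rest
        while not d.eof:
            # Cap output so an oversized member is not fully expanded.
            out = d.decompress(buf, min(CHUNK, limit + 1 - size))
            size += len(out)
            if size > limit:
                sizes.append(size)
                return sizes, True  # stop here; later members are not read
            buf = d.unconsumed_tail
            if not out and not buf and not d.eof:
                raise ValueError("truncated gzip member")
        sizes.append(size)
        rest = d.unused_data  # bytes that follow this member's trailer
    return sizes, False


# Constructed sample: the limit is scaled down to bytes (hypothetical value).
LIMIT = 1000
PART1 = gzip.compress(b"A" * 600)
PART2 = gzip.compress(b"B" * 600)
TWO_PARTS = PART1 + PART2  # concatenated gzip: 1200 bytes once expanded

if __name__ == "__main__":
    sizes, oversized = scan_gzip_members(TWO_PARTS, LIMIT)
    print("member sizes:", sizes, "combined:", sum(sizes))
    print("limit exceeded:", oversized)
```

With the constructed sample, each part expands to 600 bytes, so the per-part check passes even though the combined 1200 bytes is above the 1000-byte limit.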