Share via


SharePoint Forefront Server Security Administrator

 

Applies to: Forefront Security for SharePoint

The Forefront Server Security Administrator is used to configure and run FSSP, locally or remotely. For the Forefront Server Security Administrator to launch successfully, FSCController and the SharePoint server must be running on the computer to which the Forefront Server Security Administrator is connecting. Because the Forefront Server Security Administrator is the front end of the FSSP software, it can be launched and closed without affecting the back-end processes that are being performed by the FSSP services. The Forefront Server Security Administrator may also be run in a read-only mode to provide access to users who do not have permission to change settings or run jobs, but who may need to view information provided through the user interface. (For more information, see Read-Only Administrator.)

Important

For users running Microsoft Windows XP® Service Pack 2 (SP2), due to default security settings in Windows XP SP2, the Forefront Server Security Administrator will not run properly when first installed.

To enable the Forefront Server Security Administrator to run on Windows XP SP2

  1. Click Start, click Run, and enter dcomcnfg. The Component Services dialog box appears.

  2. Expand Component Services, expand Computers, and then right-click My Computer.

  3. Select Properties, and then select the COM Security tab.

  4. Click Edit Limits under Access Permissions, and then select the Allow check box for Remote Access for the Anonymous Logon user.

  5. Add the Forefront Server Security Administrator application to the Windows Firewall Exceptions list:

    1. Open Control Panel, and then select Security Center.
    2. Select Windows Firewall. The Windows Firewall dialog box appears.
    3. Select the Exceptions tab.
    4. Click Add Program, select Forefront Server Security Administrator from the list, and then click OK. This adds the Forefront Server Security Administrator to the Programs and Services list.
    5. Select the Forefront Server Security Administrator in the Programs and Services list.
    6. Click Add Port.
    7. Enter a name for the port.
    8. Enter 135 as the port number.
    9. Select TCP as the protocol.
    10. Click OK.

Note

If you are concerned about opening port 135 to all computers, it can be opened only for the Forefront servers. When adding port 135, click Change Scope and select Custom list. Enter the IP addresses of all the Forefront servers that should be allowed access through port 135.

Launching the Forefront Server Security Administrator

To run the Forefront Server Security Administrator, click Start, expand Programs, expand Microsoft Forefront Server Security, expand SharePoint Security, and then select Forefront Server Security Administrator. Or, you can launch it from a command prompt.

To launch Forefront Server Security Administrator (FSSAClient) from a command prompt

  1. Open a Command Prompt window.

  2. Navigate to the Forefront Security for SharePoint install directory.

    Default: C:\Program Files\Microsoft Forefront Security\SharePoint

  3. Enter fssaclient.exe.

Connecting to a local server

The first time the Forefront Server Security Administrator is launched, the Connect To Server dialog box appears, prompting you to connect to the SharePoint server running on the local computer. The local server name is filled in by default. (You could also enter the local alias.)

Connecting to a remote server

The Forefront Server Security Administrator can also be connected to a remote SharePoint server running FSSP. This allows you to use a single installation of the Forefront Server Security Administrator to configure and control FSSP throughout the network. If the server you are connecting to is in a different domain, you must ensure that the FSSPController is using a valid user ID that has permissions to access the server in that domain.

To connect to a remote server, enter the server name, IP address, or Domain Name System (DNS) name of the remote computer into the Connect To Server dialog box (which appears whenever the Forefront Server Security Administrator is started). Instead of entering an identifier for the remote computer, you can click Browse to display the Select Server dialog box, in which you can select any of the servers that FSSP has detected.

If the Forefront Server Security Administrator is already running, you can connect to a remote server using the procedure in Connecting to a Different Server.

Note

If you have problems connecting the Forefront Server Security Administrator to the SharePoint server, try using the PING command to test for server availability. If the server is available, be sure that no other Forefront Server Security Administrators are currently connected to it.

Connecting to a different server

To connect to a different server, select the Open command from the Forefront Server Security Administrator File menu. The Connect To Server dialog box appears. Enter the name of another server running FSSP, select one that you have connected to before from the drop-down list, or click Browse to attach to a server you have never before connected to. You can also use the Server list at the top of the Forefront Server Security Administrator dialog box to quickly reconnect to a server.

Read-only Administrator

The Forefront Server Security Administrator may be run in a read-only mode. To do so, the administrator will need to modify the NTFS permissions on the FSSP install directory to only allow modify access to those users with permission to change FSSP settings. By default, the FSSP install directory is: C:\Program Files\Microsoft Forefront Security\SharePoint. Its actual value can be found in DatabasePath in one of these registry keys:

For 32-bit systems:

HKLM\Software\Microsoft\Forefront Server Security\SharePoint

For 64-bit systems:

HKLM\Software\Wow6432Node\Microsoft\Forefront Server Security\ SharePoint

To ensure proper configuration, first remove modify access for all users and then set modify access only for users that are allowed to change Forefront Security for SharePoint settings. When a user without modify access opens the Forefront Server Security Administrator, it will not allow any configuration changes.

Forefront Server Security Administrator user interface

The Forefront Server Security Administrator user interface contains the Shuttle Navigator on the left and the work panes on the right.

Shuttle Navigator

The Shuttle Navigator is divided into several areas:

SETTINGS   Configure scan jobs, antivirus settings, scanner updates, templates, and General Options. For more information, see General Options.

FILTERING   Configure keyword filtering, file filtering, and filter lists.

OPERATE   Configure jobs, schedule jobs, and perform Quick Scans.

REPORT   Configure notifications. View incidents and the quarantine area.

General Options

General Options, accessed from the SETTINGS shuttle, provides access to a variety of system-level settings for Forefront Security for SharePoint, eliminating the need to directly access the registry to change them.

Although there are many options that can be controlled through the General Options panel, each of them has a default (enabled, disabled, or a value), which is probably the correct one for your enterprise. It is rare that any of these settings would need to be changed. However, several of the settings were entered during installation and you might need to change one of them from time to time.

The General Options work pane is divided into several sections: Diagnostics, Logging, Scanner Updates, and Scanning.

Diagnostics

Additional Manual

Logs every file scanned by the manual scanner.

Additional Realtime

Logs every file scanned by the realtime scanner.

Notify on Startup

Indicates that FSSP should send a notification to all the e mail addresses listed in the Virus Administrators list (Realtime Scan, Email) whenever the Realtime Scan Job starts. Only SMTP addresses may be used. (For more information about setting up notifications to Administrators, see Event Notifications.)

Logging

Enable Event Log

Enables the logging of FSSP events to the event log. Enabled by default.

Enable Performance Monitor and Statistics

Enables the logging of FSSP performance statistics in Performance Monitor. Enabled by default.

Enable Forefront Program Log

Enables the FSSP program log (ProgramLog.txt). Enabled by default.

Enable Forefront Virus Log

Enables the FSSP virus log (VirusLog.txt). Disabled by default.

Max Program Log Size

Specifies the maximum size of the program log. Expressed in kilobytes (KB). The minimum size is 512 KB. A value of 0 (the default) indicates that there is no limit to the maximum size.

For more information about the log files and Performance Monitor, see SharePoint reporting and statistics.

Scanner updates

Redistribution Server

Indicates that a server will be the central hub to distribute scanner updates to other servers. (For more information, see Distributing Updates.)

Perform Updates at Startup

Indicates that engines should be automatically updated every time FSSP is started.

Send Update Notification

Sends a notification to the Virus Administrator each time a scan engine is updated. (For more information about setting up notifications to Administrators, see Event Notifications.)

Use Proxy Settings

Indicates that proxy settings are to be used. (For more information, see Updating Through a Proxy.)

Use UNC Credentials

Indicates that UNC credentials are needed. (For more information, see Distributing Updates.)

Proxy Server Name/IP Address

Indicates the name or IP address of the proxy server. Required, if using proxy settings.

Proxy Port

Indicates the port number that Forefront Security for SharePoint should use. Required, if using proxy settings. The default is port 80.

Proxy Username

Indicates the name of a user with access rights to the proxy server, if necessary. Optional field.

Proxy Password

Indicates the appropriate password for the proxy user name, if necessary. Optional field.

UNC Username

Indicates the name of a user with access rights to the UNC path, if necessary. Optional field.

UNC Password

Indicates the appropriate password for the UNC user name, if necessary. Optional field.

For more information about updating the scan engines, see SharePoint file scanner updating.

Scanning

Block/Delete Corrupted Compressed Files

Indicates if compressed files that are corrupted will be deleted or blocked, depending on the Action settings for the Realtime and Manual Scan Jobs. They are reported as a CorruptedCompressedFile virus. Enabled by default.

Block/Delete Corrupted Uuencode Files

Indicates if UUENCODE files that are corrupted will be deleted or blocked, depending on the Action settings for the Realtime and Manual Scan Jobs. They are reported as a CorruptedCompressedUuencodeFile virus. Enabled by default.

Block/Delete Encrypted Compressed Files

Indicates if encrypted compressed files will be deleted or blocked, depending on the Action settings for the Realtime and Manual Scan Jobs. (Encrypted files cannot be scanned by AV scan engines.) They are reported as an EncryptedCompressedFile virus.

Treat ZIP Archives containing highly-compressed files as Corrupted Compressed

Specifies whether ZIP archives containing highly-compressed files are reported as corrupted compressed. If the archive is reported as corrupted compressed, and if the option to Block/Delete corrupted compressed files is enabled, the archive is deleted. If Block/Delete corrupted compressed files is not enabled, the files in the ZIP archive are passed to the virus engines to be scanned, in their compressed form. The ZIP archive itself is also passed to the virus engines. If scanned and no threat is found, the message will be delivered. If a threat can be cleaned, the message will be delivered. If a threat cannot be cleaned, the message will be deleted. If the file is compressed with an unknown algorithm, it is always treated as corrupted compressed, regardless of the setting of this option. This option is enabled by default (that is, ZIP archives containing highly-compressed files are treated as corrupted compressed).

Treat Multipart RAR Archives as Corrupted Compressed

A file within a RAR archive can be compressed across multiple files or parts (hence “multipart”), thereby enabling very large files to be broken into smaller-sized files for ease of file transfer. This option specifies whether RAR archives containing such parts are reported as corrupted compressed.

Disabling this option enables you to receive such files. However, in this case a virus may escape detection if it is split across multiple volumes. Therefore, this setting is enabled by default.

If the archive is reported as corrupted compressed, and if the option to Block/Delete corrupted compressed files is enabled, the archive is deleted. If Block/Delete corrupted compressed files is not enabled, only the RAR archive as a whole is passed to the virus engines to be scanned. If no threat is found when the archive is scanned, the message will be delivered. If a threat is found and can be cleaned, the message will be delivered. If a threat is found and cannot be cleaned, the message will be deleted. Enabled by default.

Note

If you are using multipart RAR to compress files that exceed 100MB when uncompressed, you should be aware of the registry value MaxUncompressedFileSize. For more information, see SharePoint registry keys.

Treat concatenated gzips as corrupted compressed

Multiple Gnu zip (gzip) files can be concatenated into a single file. Although FSE recognizes concatenated gzips, it may not recognize individual files split across concatenated gzips. Therefore, FSE treats concatenated gzips as corrupted compressed by default. In combination with the Block/Delete Corrupted Compressed Files option, this default behavior prevents all concatenated gzips from passing through, thereby preventing potential infections.

Disabling the Treat concatenated gzips as corrupted compressed option enables you to receive concatenated gzips. However, in this case a virus may escape detection.

Scan Doc Files As Containers - Manual

Specifies that the Manual Scan Job should scan .doc files and any other files that use structured storage and the OLE embedded data format (for example, .xls, .ppt, or .shs) as container files. This ensures that any embedded files are scanned as potential virus carriers.

Scan Doc Files As Containers - Realtime

Specifies that the Realtime Scan Job should scan .doc files and any other files that use structured storage and the OLE embedded data format (for example, .xls, .ppt, or .shs) as container files. This ensures that any embedded files are scanned as potential virus carriers.

Note

When a Microsoft Office file (PowerPoint®, Access, Excel®, or Word document) is embedded in another Office file, its data is included as part of the original Office file. These are not scanned as individual files. If, however, another file type (such as .exe) is embedded in one of these files that is then embedded in an Office file, it will be detected and scanned as a separate file. (The .exe extension, however, is still visible because the icon is a GIF file that cannot be deleted. If you click the file, the icon is replaced with the correct TXT icon.)

Case Sensitive Keyword Filtering

Specifies that keyword filtering should be case-sensitive. Filtering is not case-sensitive by default.

Scan on Scanner Update

Indicates that previously scanned files should be re-scanned when accessed following a scanner update.

Forefront Manual Priority

Specifies the priority of manual scans: Normal (the default), Below Normal, or Low. This lets more important jobs take precedence over manual scans when demands on server resources are high.

Note

When the Manual Scan Priority is set to Low, the Manual Scan Job may not stop immediately when you click STOP in the Run Job work pane.

Max Container File Infections

Specifies the maximum number of infections allowed in a compressed file. If this is exceeded, the entire file is deleted and FSSP sends a notification stating that an ExceedinglyInfected virus was found. A value of zero means that there is no limit on the number of infections that can be detected. The default value is 5 infections.

Max Container File Size

Specifies the maximum container file size (in bytes) that FSSP will attempt to clean or repair in the event that it discovers an infected file. The default is 26 MB (26,214,400 bytes). Files larger than the maximum size are deleted if they are infected or meet File Filter rules. Forefront Security for SharePoint will report these deleted files as LargeInfectedContainerFile virus.

Max Nested Attachments

Specifies the limit for the maximum nested documents that can appear in MSG, TNEF, MIME, and UUENCODE documents. The limit will include the sum of the nestings of all of these types. If the maximum number is exceeded, FSSP will block or delete the document and report that an ExceedinglyInfected virus was found. The default is 30.

Max Nested Compressed Files

Specifies the maximum nested depth for a compressed file. If this is exceeded, the entire file is deleted and FSSP sends a notification stating that an ExceedinglyNested virus was found. A value of zero represents that an infinite amount of nestings is allowed. The default is 5.

Max Container Scan Time - Realtime

Specifies the number of milliseconds (msec) that FSSP will scan a compressed attachment before reporting it as a ScanTimeExceeded virus in real-time scans. Intended to prevent denial of service risk from zip of death attacks. The default value is 600,000 msec (ten minutes).

Max Container Scan Time – Manual

Specifies the number of milliseconds that FSSP will scan a compressed attachment before reporting it as a ScanTimeExceeded virus in manual scans. Intended to prevent denial of service risk from zip of death attacks. The default value is 600,000 msec (ten minutes).