SharePoint Manual Scan Job

  • Article

 

Applies to: Forefront Security for SharePoint

Forefront Security for SharePoint enables you to customize the Manual Scan Job to scan newly added document libraries or to perform periodic scans of the entire environment. The Manual Scan Job is also useful for scanning with a third-party engine that is different from those being used by the Realtime Scan Job. It is recommended that you run a full manual scan after installing Forefront Security for SharePoint for the first time.

Note

When Forefront Security for SharePoint cleans an infected file that has been checked into a document library, the file extension is not changed. For example: If the file Eicar.com is detected, the contents are removed and replaced with the deletion text, but the file extension remains .com rather than being changed to Eicar.txt. If the same file is cleaned while it is nested inside a compressed file, however, the extension is changed to .txt.

Configuring the Manual Scan Job

When you configure the Manual Scan Job settings, select the document libraries to be scanned, and optionally specify Deletion Text.

To select the document libraries and set the Deletion Text

  1. In the SETTINGS section of the Shuttle Navigator, select Scan Job. The Scan Job Settings work pane appears.

  2. In the top portion of the Scan Job Settings work pane (which contains a list of configurable scan jobs), select the Manual Scan Job.

  3. Select the document libraries to be scanned using the tree view in the bottom pane of the Scan Job Settings work pane. Forefront Security for SharePoint offers complete flexibility in choosing which document libraries to scan in any scan job. You can configure scan jobs to include all existing document libraries, or you can build an inclusion list from available document libraries. Use the tree view to locate folders and files for scanning. The tree displays all the sites, folders, and files for the currently connected SharePoint server. You can select any sites, folders, or files to be manually scanned by checking specific ones or by using the buttons beneath the tree view:

    All

    Select all the files or folders displayed in the tree.

    None

    Clear all the files or folders displayed in the tree.

    Find

    Search for a particular folder or file.

    Browse

    Open a selected folder in the Web browser (to visually check that it is the one you want to manually scan).

    Refresh

    Update the tree.

  4. Optionally, you can specify Deletion Text, which is used to replace the contents of an infected file during a delete operation. The default deletion text informs you that an infected file was removed, along with the name of the file and the name of the virus found. To create your own custom message, click Deletion Text.

    Note

    FSSP provides keywords that can be used in the Deletion Text field to obtain information from the file in which the infection was found. For a list of available keywords, see SharePoint keyword substitution macros.

  5. Click Save.

Configuring antivirus settings

There are various settings that you can adjust for the Manual Scan Job. These include file scanner selection, bias, action, notifications, and quarantining.

Note

To configure scan jobs, administrators must log on to the SharePoint server using an account that has SharePoint Administrative rights. Otherwise, the Antivirus Settings work pane will be disabled.

To configure antivirus settings

  1. In the SETTINGS section of the Shuttle Navigator, click the Antivirus icon. The Antivirus Settings work pane appears.

  2. From the list in the top pane, select the Manual Scan Job. The file current settings are displayed in the bottom half of the work pane.

  3. From the list of available third-party scanners in the File Scanners section, choose the file scanning engines to use. To disable virus scanning while retaining the ability to run File Filtering, clear the Virus Scanning check box in the Run Job work pane of the OPERATE section of the Shuttle Navigator for the Manual Scan Job.

  4. In the Bias field, select the bias to control how many engines should be used to provide you with an acceptable probability that your system is protected. For more information see SharePoint Multiple scan engines.

  5. In the Action field, choose the action that you want Forefront Security for SharePoint to perform when a virus is detected. The action choices are:

    Skip: detect only   Make no attempt to clean or delete. Viruses are reported, but the files remain infected. If, however, Block/Delete Corrupted Compressed, Block/Delete Corrupted Uuencode Files, or Block/Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.

    Clean: repair document   Attempt to clean the virus. If successful, the infected file is replaced with the clean version. If cleaning is not possible, the file is replaced with the Deletion Text.

    Delete: remove infection   Delete the file without attempting to clean it. Replace the file with the Deletion Text.

    Note

    Due to SharePoint restrictions, if Forefront Security for SharePoint deletes a file that has been checked in to a SharePoint document library, the file icon and extension will remain the same, but the contents will be replaced with the Deletion Text.

  6. Enable e-mail notifications by selecting Send Notifications. This setting does not affect reporting to the Incidents log. In addition, you must also configure the notifications (see SharePoint E-mail notifications). Notifications are disabled by default.

  7. Enable or disable the saving files detected by the file scanning engine by selecting or clearing Quarantine Files. Quarantining is enabled by default. Enabling quarantine causes deleted files to be stored, permitting you to recover them.

    By default, FSSP is configured to scan all files for viruses. To perform scans as quickly and efficiently as possible, however, FSSP can be configured to only scan files that are more likely to contain viruses. It does this by first determining the file type and then by determining whether that file type can be infected with a virus. Determining the file type is accomplished by looking at the file header and not by looking at the file extension. This is a much more secure method because file extensions can be easily spoofed. This check increases FSSP performance while making sure that no potentially infected file attachments pass without being scanned. If you would like FSSP to bypass scanning for file types that are not commonly known to be capable of carrying a virus, set the registry key ScanAllAttachments to 0. (ScanAllAttachments is a "hidden" key, that is, if it is not present, its value defaults to 1.)

    The registry key can be found at:

    For 32-bit systems:

    HKLM\SOFTWARE\Microsoft\Forefront Server Security\SharePoint

    For 64-bit systems:

    HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\SharePoint

  8. Click Save.

Editing the Manual Scan Job

Select the Manual Scan Job in the Scan Job Settings work pane. The changes that are made to the lower portion of the Scan Job Settings work pane apply to the scan job currently selected in the Scan Job list. Making any change to the configuration activates the Save and Cancel buttons. If you make a change to a scan job and try moving to another scan job or shuttle icon without saving it, you are prompted to save your changes.

Running the Manual Scan Job

After the scan job and antivirus settings have been properly configured, you can run the Manual Scan Job immediately. To schedule the job, see Scheduling the Manual Scan Job.

To run the Manual Scan Job

  1. Click OPERATE in the Shuttle Navigator, and then click the Run Job icon. The Run Job work pane appears.

  2. In the top portion of the pane, select the Manual Scan Job.

  3. Specify the scope of the Manual Scan Job by selecting or clearing the following options: Virus Scanning, File Filtering, or Keyword Filtering; the Manual Scan Job can perform any combination. Any change to these settings takes effect immediately, even if the job is currently running.

  4. To send a notification to the Virus Administrator when the scan job has completed, select Send Summary Notification.

  5. Click Start to begin the Manual Scan Job. There are also buttons to Pause and Stop the job.

    Note

    When the Manual Scan Priority is set to low, the Manual Scan Job may not halt immediately when Stop is selected.

  6. View the results of the scan. For more information, see Checking results and status.

Checking results and status

The lower portion of the Run Job work pane shows the infections or filtered results found by the Manual Scan Job. These results are stored to disk in the virus log file by the FSCController and are not dependent on the Forefront Server Security Administrator remaining open.

Note

When a new document library is created, SharePoint services creates resource file folders that contain files needed for the proper functioning of SharePoint services. FSSP scans these folders and the results are reflected in the manual scan statistics. This results in several hundred extra files being reported as scanned.

At the bottom of the screen, the status of the selected job and the mailbox, folder, or file currently being scanned are reported.

Forefront Security for SharePoint sends an e-mail message to the designated Virus Administrators after the completion of a manual scan if the Send Summary Notification box on the Run Job work pane is selected. This e-mail message includes:

  • Total Physical Documents Scanned
  • Total Physical Documents Detected
  • Total Physical Documents Cleaned
  • Total Physical Documents Deleted
  • Total Logical Documents Scanned
  • Total Logical Documents Detected
  • Total Logical Documents Cleaned
  • Total Logical Documents Deleted

Scheduling the Manual Scan Job

To schedule the Manual Scan Job, click OPERATE in the Shuttle Navigator, and then click the Schedule Job icon. The Schedule Job work pane appears.

To schedule the Manual Scan Job

  1. Select the Manual Scan Job on the top of the Schedule Job work pane. The bottom of the pane shows the scheduling information for the job.

  2. Use the calendar in the Date section to set the date when the Manual Scan Job will activate. The red circle indicates today's date. The date you set is highlighted in blue.

  3. Set the run time using the Time edit field to the right of the calendar.

  4. Indicate the Frequency of the scheduled job: run it Daily (to have the job run at the same time every day), Weekly (to have the job run at the same day and time every week), Monthly (to have the job run at the same date and time every month), or only Once.

  5. If the job is disabled, click Enable to enable it.

  6. Click Save.

Performing a Quick Scan

There are times when you may want to perform a scan of a single document library or run a special one-time virus scanning job. Quick Scan enables you to perform this task efficiently by combining both the configuration and operation features of a single Manual Scan Job in one work pane.

Quick Scan initially has the following default configuration: all document libraries, the scan engines selected during installation, a bias of Favor Certainty, an action of Skip: detect only, notifications disabled, and quarantining enabled. You can make changes to any of these settings and FSSP will preserve them for the next time you run a Quick Scan.

To perform a Quick Scan

  1. Click OPERATE in the Shuttle Navigator and then click the Quick Scan icon. The Quick Scan work pane appears. Your last Quick Scan configuration is displayed.

  2. To run the Quick Scan with the same configuration, click Start. Otherwise, make changes as necessary.

    1. In the tree view, select the document libraries to be scanned.
    2. From the list of available third-party scanners, select the file scanners to use.
    3. In the Bias field, select the bias to control how many engines should be used to provide you with an acceptable probability that your system is protected. For more information see SharePoint Multiple scan engines.
    4. In the Action field, select the action for FSSP to perform if a virus is detected. The choices are:
      Skip: detect only   Make no attempt to clean or delete. Viruses are reported, but the files remain infected. If, however, Block/Delete Corrupted Compressed, Block/Delete Corrupted Uuencode Files, or Block/Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions will cause the item to be deleted.
      Clean: repair document   Attempt to clean the virus. If successful, the infected file is replaced with the clean version. If cleaning is not possible, the file is replaced with the Deletion Text.
      Delete: remove infection   Delete the file without attempting to clean it. Replace the file with the Deletion Text.
    5. Indicate whether to Send Notifications. The setting does not affect reporting to the Incidents log. In addition, you must also configure the notifications (see SharePoint E-mail notifications). Notifications are disabled by default.
    6. Indicate whether to Quarantine Files. Quarantining, enabled by default, causes deleted files to be stored, permitting you to recover them.
    7. Click Start.

  3. View the results of the scan. For more information, see Checking Quick Scan results and status.

Checking Quick Scan results and status

At the bottom of the screen, the status of the Quick Scan and the document library currently being scanned are reported.