Appendix B - Setting registry values


Applies to: Microsoft Antigen

Warning

Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk. Make sure that you back up the registry before you modify it, and that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, see Microsoft Knowledge Base article Windows registry information for advanced users.

Antigen stores many settings in the Windows® registry. You rarely need to edit the registry yourself because most of those settings are derived from entries that you make in General Options. However, there are some additional settings that you may occasionally need to make. Antigen stores registry values in the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Sybari Software\Antigen for Exchange

Variable Description and Values

AdditionalEngines

Enables users to use locally installed antivirus engines by specifying the engines in the DWORD value for this registry key.

AdditionalTypeChecking

Antigen performs signature type checking on files to avoid scanning files that can never contain a virus. If it becomes necessary to scan an additional file type, you will need to contact Microsoft Technical Support to obtain the proper setting for the file type that you would like to add. This key is set to 0 (off) by default.

CloudmarkDownloadTimeout

Specifies the time (in seconds) that the Cloudmark scan engine will attempt to download an update before timing out. The default value is 900 (15 minutes).

ConvertExtensionType

When this value is set to a specified extension (for example, "txt"), all deleted attachments are renamed with that extension. By default, this registry value is set to "txt". To disable this feature, replace "txt" with an empty string (that is, ""). To specify a different extension, replace "txt" with the desired extension. The maximum allowed length of the extension is three characters. If you enter an extension longer than three characters, or if you delete the ConvertExtensionType registry value, the extension defaults back to "txt" at the next recycling of the services. Any change to this registry value takes effect only after the appropriate Exchange and Antigen services are recycled.

DatabasePath

Specifies the path under which the Antigen configuration files and Quarantine folder reside. It defaults to the Antigen installation path (InstalledPath). If this value is changed, the configuration files and the Quarantine folder (along with its contents) must be moved to this new location. If this value is changed and the files are not moved, Antigen recreates them and the previous settings are lost. Move the files first and then change this value.

DisableInboundFileFiltering

When set to 1, this value disables inbound file filtering for the Internet Scan Job. The default value is 0. The Antigen services must be recycled for this feature to take effect.

DisableInboundContentFiltering

When set to 1, this value disables inbound content filtering for the Internet Scan Job. The default value is 0. The Antigen services must be recycled for this feature to take effect.

DisableInboundVirusScanning

When set to 1, this value disables inbound virus scanning for the Internet Scan Job. The default value is 0.

DisableOutboundFileFiltering

When set to 1, this value disables outbound file filtering for the Internet Scan Job. The default value is 0. The Antigen services must be recycled for this feature to take effect.

DisableOutboundContentFiltering

When set to 1, this value disables outbound content filtering for the Internet Scan Job. The default value is 0. The Antigen services must be recycled for this feature to take effect.

DisableOutboundVirusScanning

When set to 1, this value disables outbound virus scanning for the Internet Scan Job. The default value is 0.

DisableSMTPVS

By default, Antigen scans mail on all SMTP Virtual Servers when the SMTP Scan Job is enabled. This value can be used to prevent Antigen from scanning selected SMTP Virtual Servers. To disable scanning on selected SMTP Virtual Servers, create a STRING registry value named DisableSMTPVS. The STRING value must be populated with a comma-delimited list of numbers from 1 through 10 representing the virtual servers (VS) that you would like Antigen to skip during scanning. For example, if you have four virtual servers and want Antigen to scan only VS1 and VS3, the STRING value would be: 2,4.

Note

Placing anything other than the numbers 1 through 10 in the STRING will cause unpredictable results.
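The following PowerShell is an added example, not Antigen's own code or tooling. It builds the DisableSMTPVS skip list from the set of virtual servers you still want scanned, validates that nothing outside the documented 1 through 10 range reaches the registry, and writes it as a STRING (REG_SZ) value. The key path is the one given in this appendix; the function names and the sample server count are this example's own.

```powershell
# Added example (not Antigen's own code). Assumes the key path from this appendix.
$AntigenKey = 'HKLM:\SOFTWARE\Sybari Software\Antigen for Exchange'

function New-DisableSmtpVsValue {
    param(
        [Parameter(Mandatory)] [int]   $VirtualServerCount,  # number of SMTP virtual servers (1..10)
        [Parameter(Mandatory)] [int[]] $ScanOnly             # VS numbers Antigen should still scan
    )
    # The text only defines numbers 1 through 10; anything else gives unpredictable results,
    # so refuse to build a value that would contain them.
    if ($VirtualServerCount -lt 1 -or $VirtualServerCount -gt 10) {
        throw "DisableSMTPVS supports virtual servers 1 through 10; got count $VirtualServerCount"
    }
    foreach ($n in $ScanOnly) {
        if ($n -lt 1 -or $n -gt $VirtualServerCount) {
            throw "Virtual server $n is outside 1..$VirtualServerCount"
        }
    }
    # The value lists the servers to SKIP, i.e. everything not in $ScanOnly.
    $skip = 1..$VirtualServerCount | Where-Object { $ScanOnly -notcontains $_ }
    return ($skip -join ',')
}

function Set-DisableSmtpVs {
    param([AllowEmptyString()] [string] $SkipList)
    if ([string]::IsNullOrEmpty($SkipList)) {
        # Nothing to skip: remove the value so Antigen returns to scanning every VS.
        Remove-ItemProperty -Path $AntigenKey -Name 'DisableSMTPVS' -ErrorAction SilentlyContinue
        return
    }
    # Must be a STRING value, as the text requires (not a DWORD).
    New-ItemProperty -Path $AntigenKey -Name 'DisableSMTPVS' -Value $SkipList -PropertyType String -Force | Out-Null
}

# The text's example: four virtual servers, scan only VS1 and VS3 -> "2,4"
$value = New-DisableSmtpVsValue -VirtualServerCount 4 -ScanOnly 1,3
"DisableSMTPVS = '$value'"
Set-DisableSmtpVs -SkipList $value
```

Run it in an elevated session on the Antigen server. Building the value from the "scan these" list rather than typing the "skip these" list directly makes the intent explicit and removes the chance of accidentally listing a server you meant to keep scanning.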

DomainDatFilename

Specifies whether an external text file will be used to indicate your internal domains. Specify the full path of the external text file into which you have entered domains. If the DomainDatFilename registry key is not present, the Internal Address field in General Options is used.

DoNotScanIPMReplicationMessages

Specifies whether to scan IPM replication messages. The SMTP Scan Job scans files called Winmail.dat for viruses. Exchange uses these files for several purposes, including facilitating replication between servers (IPM replication messages). If Antigen modifies a Winmail.dat file, the public folder replication process will fail. Setting this DWORD registry key to 1 prevents the SMTP Scan Job from scanning IPM replication messages. If a virus is replicated because of public folder replication, the Realtime Scan Job will still detect the virus even if this key is set.

EngineDownloadTimeout

Specifies the time (in seconds) that the antivirus scan engines will attempt to download an update before timing out. The default value is 300 (5 minutes).

HttpPort

Specifies the port used when performing an engine update via HTTP. The default value is 80. Registry Editor displays and accepts DWORD values in hexadecimal by default. You will not notice this unless you enter a value greater than 9. If you enter a value greater than 9 in Registry Editor, change the Base option from hexadecimal to decimal first (otherwise, for example, typing 8080 stores 0x8080, which is 32896 decimal).
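The hex/decimal confusion only arises when typing values into Registry Editor. The following PowerShell is an added example, not Antigen's own code: it exports the key first (the backup the warning at the top of this appendix calls for), writes HttpPort as a REG_DWORD from a plain decimal number, and reads it back in both bases so you can confirm what was stored. The key path is the one given in this appendix; the function names and the port 8080 are this example's own.

```powershell
# Added example (not Antigen's own code). Assumes the key path from this appendix.
# Run in an elevated PowerShell session on the Antigen server.
$AntigenKey = 'HKLM:\SOFTWARE\Sybari Software\Antigen for Exchange'

# Back up the key before changing anything (file name is this example's choice).
reg.exe export 'HKLM\SOFTWARE\Sybari Software\Antigen for Exchange' "$env:TEMP\antigen-backup.reg" /y | Out-Null

function Set-AntigenDword {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $Value   # give the decimal number; no base conversion needed
    )
    # -PropertyType DWord stores a REG_DWORD. Registry Editor will show it in hex
    # (8080 appears as 1f90), but the stored number is exactly what was passed here.
    New-ItemProperty -Path $AntigenKey -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Get-AntigenDword {
    param([Parameter(Mandatory)] [string] $Name)
    $item = Get-ItemProperty -Path $AntigenKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: Antigen uses its default (80 for HttpPort)
    return [int] $item.$Name
}

# Constructed example: move engine updates to port 8080 and confirm the stored value.
Set-AntigenDword -Name 'HttpPort' -Value 8080
$port = Get-AntigenDword -Name 'HttpPort'
'HttpPort = {0} (decimal) = 0x{0:x} (as Registry Editor displays it)' -f $port
```

The same Set-AntigenDword helper applies to every DWORD value in this appendix (the Disable* switches, QuarantineTimeout, UpdateOnLoad and so on); only the name and number change.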

HTTPUseWinInet

Configures scan engine updating to use the WinInet API to handle MS Proxy authentication. Set the value to 1 to enable and 0 (the default) to disable.

IncidentPurge

Sets a purge threshold for removing entries from the incidents.mdb file. To enable the incident purging feature, a new DWORD registry key called IncidentPurge must be added to the registry. The upper byte of this registry value must be set to 0001 for incident purging to be enabled. The lower byte must be set to the number of days (in hex) of the threshold limit. For example, to enable purging after 20 days, which is 14 hex, make the key 00010014. (Note that this key is similar to the QuarantinePurge registry value that is set and enabled in the Quarantine work pane.)
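The packed IncidentPurge layout is easy to get wrong by hand. The following PowerShell is an added example, not Antigen's own code: it encodes a day count into the DWORD exactly as the text describes (upper half 0001 to enable, lower half the days in hex), decodes an existing value for checking, and reproduces the text's 20-day example. It assumes that each "byte" in the text means one 16-bit half of the 32-bit DWORD, which is what the worked value 00010014 implies; the key path is from this appendix and the function names are this example's own.

```powershell
# Added example (not Antigen's own code). Assumes the key path from this appendix
# and that "upper byte"/"lower byte" in the text are the two 16-bit halves of the DWORD.
# Requires PowerShell 3.0 or later for the -shr operator.
$AntigenKey = 'HKLM:\SOFTWARE\Sybari Software\Antigen for Exchange'

function ConvertTo-IncidentPurgeValue {
    param([Parameter(Mandatory)] [int] $Days)
    # The day count must fit in the lower 16 bits so it cannot spill into the enable flag.
    if ($Days -lt 1 -or $Days -gt 0xFFFF) { throw "Days must be between 1 and 65535" }
    return (0x00010000 -bor $Days)       # 0001 in the upper half enables purging
}

function ConvertFrom-IncidentPurgeValue {
    param([Parameter(Mandatory)] [int] $Value)
    [pscustomobject]@{
        Enabled = (($Value -shr 16) -eq 1)     # upper half must be exactly 0001
        Days    = ($Value -band 0xFFFF)        # lower half is the threshold in days
        Hex     = ('{0:x8}' -f $Value)         # what Registry Editor shows
    }
}

function Set-IncidentPurge {
    param([Parameter(Mandatory)] [int] $Days)
    $value = ConvertTo-IncidentPurgeValue -Days $Days
    New-ItemProperty -Path $AntigenKey -Name 'IncidentPurge' -Value $value -PropertyType DWord -Force | Out-Null
    return $value
}

# The text's example: 20 days -> 00010014 hex (65556 decimal).
$v = ConvertTo-IncidentPurgeValue -Days 20
ConvertFrom-IncidentPurgeValue -Value $v      # Enabled=True  Days=20  Hex=00010014
```

Call Set-IncidentPurge -Days 20 in an elevated session to write the value; decode whatever is currently stored with ConvertFrom-IncidentPurgeValue before assuming purging is active, since a value whose upper half is not 0001 does not enable it.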

InternetPurge

Enables or disables purging by the Internet scanner. If set to 0, purging is disabled. If set to 1 (the default), purging is enabled.

ManualScanContinueOnFailed

Used to recover from a manual scan failure when a scan engine encounters problems with a file or when moving between folders. This prevents the manual scan from stopping when an engine encounters a problem while scanning a file or traversing a folder structure. When this key is set to any value other than 0, Antigen continues scanning after such an event.

MaxCompressedSize

This registry key works in conjunction with the General Option setting Delete Corrupted Compressed Files. In order to delete a file that exceeds the MaxCompressedSize, the Delete Corrupted Compressed Files General Option setting must be enabled.

This key sets the maximum compressed file size that Antigen attempts to clean or repair in the event that it discovers an infected file. This key is set to 26 MB by default but may be changed by the administrator. Infected files or files that meet file filter rules that are larger than the allowed maximum size are deleted. Antigen reports a deleted file as having a LargeCompressedInfectedFile virus.

MaxUncompressedFileSize

This registry key works in conjunction with the General Option setting Delete Corrupted Compressed Files. In order to delete a file that exceeds the MaxUncompressedFileSize, the Delete Corrupted Compressed Files General Option setting must be enabled.

This key sets the maximum uncompressed file size for a file within a .zip or a RAR archive file. Files larger than the maximum permitted size are deleted and reported as Large Uncompressed File Size. The default setting is 100 MB. A restart of the Exchange services is required for any changes to this setting to take effect.

The RAR archive format allows one or more compressed files to be stored in multiple RAR volumes, thereby permitting large files to be broken into smaller-sized files for ease of file transfer. The files stored in the multipart RAR volumes are subject to the size limit specified by the registry value MaxUncompressedFileSize (its default is 100 MB). If a file exceeds the limit, any multipart RAR volume that contains the file, or a part of the file, is deleted. However, the outcome can vary depending on the size of the original files and how they are distributed across the multiple RAR volumes.

Example 1: A single file (F1) is split across 3 RAR volumes (V1, V2, V3).

Outcome: If the uncompressed size of F1 exceeds the default 100 MB limit, all 3 RAR volumes (V1, V2, V3) will be deleted.

Example 2: Four files (F1, F2, F3, F4) are split across three RAR volumes (V1, V2, V3) as follows:

V1 contains F1 and the first half of F2.

V2 contains the second half of F2 and F3.

V3 contains only F4.

Outcome: If only F1 exceeds the default 100 MB limit, only V1 will be deleted. If only F2 exceeds the default 100 MB limit, V1 and V2 will be deleted but V3 will not. If only F4 exceeds the limit, only V3 will be deleted. Note that deleting a volume causes all files stored in the same volume to be deleted, even if only one file or part of a file exceeded the size limit.

In both examples, deletion text specifies that a file (the RAR volume) was deleted because it exceeded the maximum uncompressed file size limit.

To prevent the volumes from being deleted, you must set the registry value MaxUncompressedFileSize to a value large enough to exceed the uncompressed size of the largest file in the multipart RAR volumes.
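To make the rule in the two examples above concrete, here is an added PowerShell model of the documented behaviour (not Antigen's own code and not how Antigen parses RAR headers): a volume is deleted when it holds any part of any file whose uncompressed size exceeds MaxUncompressedFileSize. It reproduces Example 1 and the "only F2 exceeds" case of Example 2 with constructed file sizes; the function name and the sizes are this example's own.

```powershell
# Added example (not Antigen's own code): a model of the documented multipart-RAR
# deletion rule, useful for predicting which volumes a given archive layout will lose.

function Get-DeletedRarVolumes {
    param(
        [Parameter(Mandatory)] [hashtable] $FileSizesMB,     # file name -> uncompressed size in MB
        [Parameter(Mandatory)] [hashtable] $VolumeContents,  # volume name -> files stored wholly or partly in it
        [int] $MaxUncompressedFileSizeMB = 100                # the registry value's default
    )
    # Files over the limit, by uncompressed size (the compressed size is irrelevant here).
    $oversized = @($FileSizesMB.Keys | Where-Object { $FileSizesMB[$_] -gt $MaxUncompressedFileSizeMB })

    $deleted = foreach ($vol in $VolumeContents.Keys) {
        # Any part of an oversized file in this volume condemns the whole volume,
        # including every other file stored in it.
        $hit = @($VolumeContents[$vol] | Where-Object { $oversized -contains $_ })
        if ($hit.Count -gt 0) { $vol }
    }
    return @($deleted | Sort-Object)
}

# Example 1 from the text: F1 (constructed size 120 MB) split across V1, V2, V3.
$ex1Sizes   = @{ F1 = 120 }
$ex1Volumes = @{ V1 = @('F1'); V2 = @('F1'); V3 = @('F1') }
Get-DeletedRarVolumes -FileSizesMB $ex1Sizes -VolumeContents $ex1Volumes     # -> V1 V2 V3

# Example 2 from the text, "only F2 exceeds the limit" (constructed sizes).
$ex2Sizes   = @{ F1 = 10; F2 = 150; F3 = 20; F4 = 30 }
$ex2Volumes = @{
    V1 = @('F1', 'F2')   # F1 plus the first half of F2
    V2 = @('F2', 'F3')   # the second half of F2 plus F3
    V3 = @('F4')
}
Get-DeletedRarVolumes -FileSizesMB $ex2Sizes -VolumeContents $ex2Volumes     # -> V1 V2

# Raising the limit above the largest file keeps every volume, as the text advises.
Get-DeletedRarVolumes -FileSizesMB $ex2Sizes -VolumeContents $ex2Volumes -MaxUncompressedFileSizeMB 200   # -> (none)
```

The last call shows the only way to keep the volumes: MaxUncompressedFileSize must exceed the uncompressed size of the largest file in the set, not merely the size of any single volume.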

MIMEDeletePartialMessages

Some e-mail client programs, such as Microsoft Outlook Express, let you send large e-mail messages in several fragments. By default, when Antigen for Exchange scans fragmented messages (content type: message/partial), the e-mail message may be tagged as FragmentedMessage. In this case, the message body is deleted and replaced with the file filter deletion text.

To prevent Antigen from deleting fragmented e-mail messages, you must create a new DWORD registry key called MIMEDeletePartialMessages and set it to a value of zero.

Note

Fragmented messages are not deleted when the value data is set to 0. Fragmented messages are deleted when there is no MIMEDeletePartialMessages DWORD value in the registry or when the MIMEDeletePartialMessages value data is set to 1.

QuarantineTimeout

Specifies whether items that cause a scan job timeout should be quarantined. If this DWORD registry value is not present or if it is present and its value is not zero, a message that causes a scan job timeout will be quarantined. If the registry value is present and its value is zero, that message will not be quarantined.

RealtimePurge

Enables or disables purging by the Realtime scanner. If set to 1 (the default), purging is enabled. If set to 0, purging is disabled.

ScanAllAttachments

When this DWORD value is set to 1 (the default), Antigen scans all file attachments.

UpdateDllonScanJobUpdate

When set to 1, this key ensures that a background scan is initiated every time a change is made and saved to the Realtime Scan Job. This key is disabled by default.

UpdateOnLoad

When this value is set to 1, updates are scheduled for each file scanner that was installed with Antigen after an AntigenService startup. This feature is mainly used in clustered Exchange servers. By default, this value is set to 0.

UpdateStatusNotification

When this key is set to 1, Antigen sends a notification to the Virus Administrator after each engine update. Antigen sends distinct notifications for Successful Update, No Update Available, and Error Updating.

VirusLogEnabled

When this key is set to 1, the Incidents log is enabled. If set to 0, the log is disabled. When enabled, all virus incidents are written to a text file VirusLog.txt under the Antigen installation path (InstalledPath). The Virus Incident Log also follows the ProgramLogMaxFile settings.

There are also registry keys containing the scanner information that is reported on the Scanner Update Settings work pane. Although these should not be modified, you may find them useful for reporting purposes. These registry values are stored in the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Sybari Software\Antigen for Exchange\Scan Engines\engine name

Variable Description

Engine Version

Indicates the current version of engine name, as specified in the Antigen Administrator.

Last Checked

Indicates the date and time engine name was last checked, as specified in the Antigen Administrator.

Last Updated

Indicates the date and time engine name was last updated, as specified in the Antigen Administrator.

Signature Version

Indicates the current version of engine name signature file, as specified in the Antigen Administrator.

Update Version

Indicates the current update of engine name, as specified in the Antigen Administrator.
