Chapter 4 - Using the Antigen Administrator

 

Applies to: Microsoft Antigen

The Antigen Administrator is used by the administrator to configure and run Antigen locally or remotely. For the Administrator to launch successfully, the AntigenService service and the Microsoft® Exchange Server must be running on the computer to which the Administrator is connecting. Because the Administrator is the front end of the Antigen software, it can be launched and closed without affecting the back-end processes that are performed by the Antigen Services. The Antigen Administrator can also be run in a read-only mode to provide access to users who do not have permission to change settings or run jobs, but who might need to view information provided through the user interface.

Enabling the Antigen Administrator

Because of default security settings in Windows XP Service Pack 2 (SP2) and Windows Server 2003 SP2, before you can use the Antigen Administrator on those operating systems, you must first enable the Administrator.

To enable the Antigen Administrator to run on Microsoft Windows XP SP2

  1. Click Start, click Run, and then enter dcomcnfg.

  2. In the Component Services dialog box, expand Component Services, expand Computers, right-click My Computer, and then click Properties.

  3. On the COM Security tab, click Edit Limits under Access Permissions, and then select the Allow check box for Remote Access for the Anonymous Logon user.

  4. Add the AntigenClient application to the Windows Firewall Exceptions list, as follows:

    1. In Control Panel, click Windows Firewall.
    2. In the Windows Firewall dialog box, click the Exceptions tab.
    3. Click Add Program, select AntigenClient from the list, and then click OK. This adds the Antigen Administrator to the Programs and Services list.
    4. In the Programs and Services list, select the AntigenClient.
    5. Click Add Port, enter a name for the port, and enter 135 for the port number.
    6. Select TCP as the protocol, and then click OK.

Note

If you are concerned about opening port 135 to all computers, you can restrict the exception to the servers running Antigen. When you add port 135, click Change Scope, select Custom List, and enter the IP addresses of all the Antigen servers that should be allowed access through port 135. This is worth doing: the Remote Access permission granted to Anonymous Logon in step 3 is a machine-wide DCOM limit rather than an Antigen-specific one, so the firewall scope is what confines that exposure to the Antigen servers.
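The same scoped exceptions created from the command line, as an added example that is not part of the Antigen documentation or product. It uses the netsh firewall context that Windows XP SP2 and Windows Server 2003 provide, and it runs on the workstation where the Antigen Administrator is installed; the server addresses and the path to AntigenClient.exe are assumptions for illustration.

```powershell
# Added example (not from the Antigen documentation): scope the Windows Firewall
# exceptions for the Antigen Administrator to the Antigen servers only, using the
# XP SP2 / Server 2003 "netsh firewall" context instead of the Control Panel.
# The server addresses and the client path below are illustrative assumptions.
$AntigenServers = '10.0.0.21,10.0.0.22'    # assumed Antigen server IPs: comma-separated, no spaces
$ClientExe      = 'C:\Program Files\Microsoft Antigen for Exchange\AntigenClient.exe'

# Program exception for the Administrator, limited to the listed servers
# (the "Add Program" step, with Change Scope > Custom List applied).
netsh firewall add allowedprogram program="$ClientExe" name="Antigen Administrator" mode=ENABLE scope=CUSTOM addresses=$AntigenServers

# TCP 135 (RPC endpoint mapper, which DCOM uses) limited to the same servers
# (the "Add Port" step, with Change Scope > Custom List applied).
netsh firewall add portopening protocol=TCP port=135 name="Antigen DCOM (TCP 135)" mode=ENABLE scope=CUSTOM addresses=$AntigenServers

# Verify: neither exception should show a scope of "All" afterwards.
netsh firewall show allowedprogram
netsh firewall show portopening
```

If an unscoped port 135 exception already exists from the Control Panel procedure, delete it first with netsh firewall delete portopening protocol=TCP port=135, otherwise the broader rule still applies.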

To enable the Antigen Administrator to run on Microsoft Windows Server 2003 SP2

  1. Click Start, click Run, and then type dcomcnfg.

  2. In Component Services, at the console root, expand Component Services, expand Computers, right-click My Computer, click Properties, and then click the COM Security tab.

  3. Under Access Permissions, click Edit Limits.

  4. In the Access Permission dialog box, click Add, add the ANONYMOUS LOGON account, and then select the Allow check box for Remote Access for that account.

Running the Antigen Administrator

To run the Antigen Administrator, on the Start menu, point to All Programs, point to Microsoft Antigen for Exchange, and then click Antigen Administrator. You can also launch it from a command prompt.

To launch the Antigen Administrator from a command prompt

  1. Open a Command Prompt window.

  2. Navigate to the Antigen installation directory. The default is:

    \Program Files\Microsoft Antigen for Exchange

  3. Type antigenclient.exe, and then press Enter.

Connecting to a server

The first time that the Administrator is launched, it will prompt you to connect to the Exchange server running on the local computer. You can use the server name or local alias to connect to the local Exchange server.

The Administrator can also be connected to a remote Exchange server running Antigen. This enables an administrator to use one installation of the Administrator to configure and control Antigen throughout the network. To connect to a remote server, at the Server prompt box, click the Browse button or enter the server name, IP Address, or Domain Name System (DNS) name of the remote computer.

Note

Due to enhanced security settings in Windows 2003 SP1, DCOM settings may need to be updated when Antigen is installed on a Windows 2003 SP1 server to allow remote access. Remote administrators must have privileges enabled for both remote launch and remote activation.
Because the Antigen installer sets an access control list (ACL) on the installation folder for both administrator-only installations and full product installations, a remote administrator must have access to the local installation folder and registry key, in addition to access to the server being connected to.
If you are having problems connecting the Antigen Administrator to the Exchange server, try using the PING command to test for server availability. If the server is available, make sure that no other Antigen Administrators are currently connected to the server.
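An added example, not from the Antigen documentation, that performs the checks this note describes from PowerShell: the PING test, whether TCP port 135 (the RPC endpoint mapper that DCOM uses) can be reached through any firewall in the path, and whether the services the Administrator depends on are running on the target. The server name EXCH01 and the use of MSExchangeIS as the service name of the Exchange Information Store are assumptions; the script relies on the Windows PowerShell Test-Connection and Get-Service -ComputerName cmdlets.

```powershell
# Added example (not Antigen code): pre-flight checks before connecting the Antigen
# Administrator to a remote Exchange server. The server name is an illustrative assumption.
param([string]$Server = 'EXCH01')   # assumed remote Antigen/Exchange server

function Test-TcpPort {
    # Attempts a TCP connect with a timeout; $true only if the three-way handshake completes.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Is the host reachable at all? (the PING test the note recommends)
$alive = Test-Connection -ComputerName $Server -Count 2 -Quiet
"ICMP reachable       : $alive"

# 2. Is TCP 135 open through the firewall? DCOM cannot start without the endpoint mapper.
"TCP 135 reachable    : $(Test-TcpPort -ComputerName $Server -Port 135)"

# 3. Are the services the Administrator needs running on the target?
#    MSExchangeIS is assumed to be the Exchange Information Store service name.
foreach ($svc in 'AntigenService', 'MSExchangeIS') {
    try {
        $state = (Get-Service -ComputerName $Server -Name $svc -ErrorAction Stop).Status
    } catch {
        $state = 'not found or not queryable'
    }
    "{0,-21}: {1}" -f $svc, $state
}
```

A host that answers ping but fails the port 135 check points at a firewall between the Administrator and the server; a host that passes both but reports AntigenService stopped will still refuse the connection, as the chapter introduction states.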

Connecting to a different server

To connect to a different server when already connected to Antigen, select Open from the Antigen Administrator File menu. The Connect to Server dialog box appears. Enter the name of another server running Antigen, select one that you have connected to before from the drop-down list, or click Browse to attach to a server you have never before connected to. You can also use the Server list at the top of the Antigen Administrator dialog box to quickly reconnect to a server.

Running in read-only mode

The Antigen Administrator can be run in a read-only mode. To do so, modify the NTFS permissions on the Antigen Database directory so that only users who are permitted to change Antigen settings have Modify access. By default, this is the installation directory:

Program Files\Microsoft Antigen for Exchange

To ensure proper configuration, you must first remove modify access for all users, and then set modify access only for users who are allowed to change settings in Antigen. When a user without modify access opens the UI, the UI will display ReadOnly at the top of the pane and will not allow any configuration changes.

Note

The System Account and Exchange Service Account must have full control of the Antigen for Exchange folder, or Antigen will not run properly.
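An added example, not from the Antigen documentation, of the permission layout described above applied with Get-Acl and Set-Acl: inheritance from Program Files is cut, every remaining explicit entry is dropped, SYSTEM and the Exchange service account get Full Control as the note requires, one group gets Modify (and therefore a writable Administrator) and another gets only Read and Execute (and therefore the ReadOnly Administrator). The group names, the service account name and the decision to keep Full Control for the local Administrators group are assumptions for illustration.

```powershell
# Added example (not Antigen code): lock down the Antigen folder so that only members of
# one group can change settings; everyone else who can open the UI gets read-only mode.
# The group names, the service account and the Administrators entry are assumptions.
param(
    [string]$AntigenDir      = 'C:\Program Files\Microsoft Antigen for Exchange',
    [string]$EditorsGroup    = 'CONTOSO\Antigen Editors',   # assumed: may change settings
    [string]$ReadersGroup    = 'CONTOSO\Antigen Readers',   # assumed: read-only Administrator
    [string]$ExchangeSvcAcct = 'CONTOSO\svc-exchange'       # assumed Exchange service account
)

$full      = [System.Security.AccessControl.FileSystemRights]::FullControl
$modify    = [System.Security.AccessControl.FileSystemRights]::Modify
$read      = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

function New-Rule($identity, $rights) {
    # Allow rule that applies to the folder, its subfolders and its files.
    New-Object System.Security.AccessControl.FileSystemAccessRule($identity, $rights, $inherit, $propagate, $allow)
}

$acl = Get-Acl -Path $AntigenDir
# Stop inheriting from Program Files and discard the inherited entries, so that the
# explicit rules added below are the complete ACL ("first remove modify access for all users").
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}
# SYSTEM and the Exchange service account must keep Full Control or Antigen will not run.
# If Exchange runs as LocalSystem, the SYSTEM entry already covers it.
$acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM' $full))
$acl.AddAccessRule((New-Rule $ExchangeSvcAcct $full))
$acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' $full))   # assumption: local admins keep control
$acl.AddAccessRule((New-Rule $EditorsGroup $modify))            # writable Administrator
$acl.AddAccessRule((New-Rule $ReadersGroup $read))              # ReadOnly Administrator
Set-Acl -Path $AntigenDir -AclObject $acl

# Verify: list every principal that still holds Modify (or more) on the folder.
(Get-Acl -Path $AntigenDir).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $modify) -eq $modify) } |
    Select-Object IdentityReference, FileSystemRights
```

Run the script from an elevated prompt on the Antigen server, then open the Administrator as a member of the readers group and confirm that ReadOnly appears at the top of the pane. The verification query at the end is the check to repeat after any later permission change: if an unexpected principal shows up with Modify, that principal can change Antigen settings.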

Antigen Administrator overview

The Antigen Administrator user interface contains the Shuttle Navigator on the left and the work panes on the right.


The Shuttle Navigator is divided into several areas, each of which has icons that enable you to access various work panes:

Area Description

SETTINGS

The SETTINGS area enables you to configure scan jobs, antivirus settings, scanner updates, templates, General Options, and the Anti-Spam Job when the Antigen Spam Manager is enabled.

FILTERING

The FILTERING area enables you to configure content filtering, file filtering, mailhost filtering, keyword filtering, allowed senders lists, and filter lists.

OPERATE

The OPERATE area enables you to control virus scanning, spam scanning, and filter options, schedule and run scan jobs, and perform quick scans.

REPORT

The REPORT area enables you to configure notifications, view and manage incidents, and view and manage quarantined files.

General Options

General Options, accessed from the SETTINGS shuttle, provide access to a variety of system level settings for Antigen. These options are stored in the registry. The General Options pane eliminates the need to directly access the registry when changing these settings. Note that the settings Antigen Enabled, Internet Process Count, and Realtime Process Count require that the Antigen services be restarted for the change to take effect.

Although there are many options that can be controlled through the General Options pane, each of them has a default (Enabled, Disabled, or a value), which is probably the correct one for your enterprise. It is rare that any of these settings would need to be changed. However, several of the settings were entered during installation, and you might need to change one of them from time to time.

To access the General Options pane, click General Options in the SETTINGS area of the Shuttle Navigator. The General Options pane opens.

The General Options pane is divided into several sections: Diagnostics, Logging, Scanner Updates, Scanning, VSAPI, and Microsoft Exchange Server 2003 UCE Settings.

Note

Although the Exchange 2003 UCE Settings are always visible, they are only enabled when the Antigen Spam Manager is installed on Exchange Server 2003.

Diagnostics section

The following table lists and describes the settings in the Diagnostics section of General Options.

Setting Description

Additional Internet

Logs every file that is scanned by the Internet scanner.

Additional Realtime

Logs every file that is scanned by the Realtime scanner.

Additional Manual

Logs every file that is scanned by the Manual scanner.

Notify on Startup

When checked, Antigen will send a notification to all the e-mail addresses listed in the Virus Administrators list whenever the Internet Scanner starts.

Archive SMTP Mail

Enables administrators to archive inbound and outbound SMTP e-mail (Microsoft Exchange 2000 Server and Exchange Server 2003) in two folders, named In and Out, located in the Antigen installation folder. Each message is given a file name made up of the four-digit year, the day, the month, the time (HHMMSS), and a three-digit number. For example, 20022009102005020.eml is 2002, day 20, month 09, 10:20:05, and the number 020. Note that the day precedes the month.

Administrators have the following options for archiving:

No Archive - No mail is archived.

Archive Before Scan - Messages are archived prior to scanning.

Archive After Scan - Messages are archived after scanning.

Archive Before And After Scan - Messages are archived before and after scanning.

These options are provided to help administrators and Antigen support engineers diagnose and isolate problems that users may be experiencing.
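When the archive is used for incident work, the first need is usually to pull the copies that were written in a given time window, which means turning the file names above back into timestamps. The following is an added example, not Antigen code; the file names it processes are constructed, and it assumes the name layout exactly as documented above, including the day-before-month order.

```powershell
# Added example (not Antigen code): parse Archive SMTP Mail file names
# (year, day, month, HHMMSS, three-digit number, e.g. 20022009102005020.eml)
# back into timestamps and select the copies written in a time window.
function ConvertFrom-AntigenArchiveName {
    param([string]$FileName)
    $m = [regex]::Match($FileName, '^(\d{4})(\d{2})(\d{2})(\d{6})(\d{3})\.eml$', 'IgnoreCase')
    if (-not $m.Success) { return $null }
    # Group order in the name is year, DAY, month, time; reorder to yyyyMMddHHmmss.
    $stamp = [datetime]::ParseExact(
        $m.Groups[1].Value + $m.Groups[3].Value + $m.Groups[2].Value + $m.Groups[4].Value,
        'yyyyMMddHHmmss',
        [Globalization.CultureInfo]::InvariantCulture)
    New-Object PSObject -Property @{
        Name     = $FileName
        Time     = $stamp
        Sequence = [int]$m.Groups[5].Value
    }
}

# Constructed file names standing in for the contents of the In or Out folder.
$names = '20022009102005020.eml',   # 2002-09-20 10:20:05, number 020
         '20022009102005021.eml',   # same second, number 021
         '20022109000130003.eml',   # 2002-09-21 00:01:30, number 003 (outside the window)
         'notes.txt'                # not an archive file; ignored

$from = [datetime]'2002-09-20T10:00:00'
$to   = [datetime]'2002-09-20T11:00:00'

$names |
    ForEach-Object { ConvertFrom-AntigenArchiveName $_ } |
    Where-Object { $_ -and $_.Time -ge $from -and $_.Time -lt $to } |
    Sort-Object Time, Sequence |
    Select-Object Name, Time, Sequence
```

Against a real server, replace the $names list with the names returned by Get-ChildItem on the In or Out folder under the installation directory. Because the name encodes day before month, a plain alphabetical sort of the folder does not give chronological order; sorting on the parsed Time does.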

Critical Notification List

Enter the e-mail addresses of administrators and others who should be notified in the event that the Exchange Store starts and Antigen is not hooked in or if the Antigen Store shuts down abnormally. Multiple e-mail addresses should be separated by semicolons. Example: admin@microsoft.com;admin2@microsoft.com.

Logging section

The following table lists and describes the settings in the Logging section of General Options.

Setting Description

Enable Event Log

Enables logging of Antigen events to the event log.

Enable Antigen Program Log

Enables the Antigen program log (ProgramLog.txt). The Antigen services must be restarted for a change to this value to take effect.

Enable Performance Monitor and Statistics

Enables logging of Antigen performance statistics to the Performance Monitor.

Enable Antigen Virus Log

Enables the Antigen Virus Log (VirusLog.txt).

Enable Incidents Logging - Realtime

Enables or disables incident logging for the Realtime Scan Job.

Enable Incidents Logging - Manual

Enables or disables incident logging for the Manual Scan Job.

Enable Incidents Logging - Internet

Enables or disables incident logging for the Internet Scan Job. You can select from the following options:

  • Enable all incident logging.
  • Disable all incident logging.
  • Disable Spam/RBL incident logging – Only Spam/RBL logging will be disabled. Other incidents will still be logged.

Max Program Log Size

Specifies the maximum size of the program log. Expressed in kilobytes (KB), the minimum size is 512 KB. The default is 25600 KB. A value of 0 indicates that there is no limit to the maximum size.

For more information on the log files and the Performance Monitor, see Chapter 19 - Reporting and statistics overview.

Scanner Updates section

The following table lists and describes the settings in the Scanner Updates section of General Options.

Setting Description

Redistribution Server

When this option is enabled, the two most recent engine update packages are saved in the engine package folder instead of the usual single engine package. Antigen will also download the full update package rather than perform an incremental update. The multiple engine packages enable the spoke servers to continue pulling updates from the redistribution server while a new update is being downloaded.

Perform Updates at Startup

Configures Antigen to automatically perform engine updates every time Antigen is started.

Send Update Notification

Configures Antigen to send a notification to the Virus Administrator each time a scan engine is updated.

Use Proxy Settings

Configures Antigen to use proxy settings when retrieving antivirus scanner updates. The use of a proxy server to retrieve updates is optional.

Use UNC Credentials

Configures Antigen to use Universal Naming Convention (UNC) credentials when retrieving scanner updates from a file share. The use of a UNC path to retrieve updates is optional. Note: Credentials are not supported if you are using the Antigen Enterprise Manager for redistribution. Be sure to clear this setting if you are using the AEM to manage antivirus engine updates.

Proxy Server Name/IP Address

Name or IP address of the proxy server Antigen should use when retrieving antivirus scanner updates. Required, if using proxy settings.

Proxy Port

Port number for the proxy server.

Proxy Username

Name of a user with access rights to the proxy server, if necessary. Optional field.

Proxy Password

Password for the proxy user name, if necessary. Optional field.

UNC Username

Name of a user with access rights to the UNC path, if necessary. Optional field.

UNC Password

Password for the UNC user name, if necessary. Optional field.

For more information on updating the scan engines, see Chapter 20 - File scanner updating overview.

Scanning section

The following table lists and describes the settings in the Scanning section of General Options.

Setting Description

Body Scanning - Manual

Enable message body scanning for the Manual Scan Job.

Body Scanning - Realtime

Enable message body scanning for the Realtime Scan Job.

Delete Corrupted Compressed Files

Specifies whether corrupted compressed files are deleted. A corrupted compressed file is an archive or compressed file that does not conform to the standard for its type: typically its internal headers are set incorrectly, or it exceeds the size limit configured for Antigen.

When a corrupted compressed file is detected, Antigen reports it as a CorruptedCompressedFile virus. This option is enabled by default.

Quarantining of these files is determined by the individual scan job settings. By default, files identified as corrupted are quarantined. To override quarantining for these file types, create a new registry DWORD value named QuarantineCorruptedCompressedFiles and set it to 0.

Note: In addition to CorruptedCompressedFile viruses, this setting also handles these file types:

UnwritableCompressedFile—A type of corrupted compressed file whose contents cannot be correctly modified (cleaned or deleted), or correctly inserted back into the archive by the scanners due to the corrupt nature of the file.

UnReadableCompressedFile—A type of corrupted compressed file whose contents cannot be correctly read out of the archive due to the corrupt nature of the archive.

Delete Corrupted Uuencode Files

Specifies whether corrupted Uuencoded files are deleted. Typically, a Uuencoded file that Antigen is unable to parse is considered corrupted. When a corrupted Uuencoded file is detected, Antigen reports it as a CorruptedCompressedUuencodeFile virus. This option is enabled by default.

Delete Encrypted Compressed Files

Specifies whether compressed files containing at least one encrypted item are deleted. (Encrypted content cannot be scanned by the antivirus scan engines.) When an encrypted compressed file is detected, Antigen reports it as an EncryptedCompressedFile virus. This option is disabled by default, which means that a password-protected archive is delivered without its encrypted contents having been scanned; enable this option if that is not acceptable in your environment.

Treat high compression ZIP files as corrupted compressed

Specifies whether ZIP archives containing highly-compressed files are reported as corrupted compressed. If the archive is reported as corrupted compressed, and if the option to Delete Corrupted Compressed Files is enabled, the archive is deleted. If Delete Corrupted Compressed Files is not enabled, the files in the ZIP archive are passed to the virus engines to be scanned, in their compressed form. The ZIP archive itself is also passed to the virus engines. If scanned and no threat is found, the message will be delivered. If a threat can be cleaned, the message will be delivered. If a threat cannot be cleaned, the message will be deleted. If the file is compressed with an unknown algorithm, it will always be treated as corrupted compressed, regardless of the setting of this option. This option is enabled by default (that is, ZIP archives containing highly-compressed files will be treated as corrupted compressed).

Treat multipart RAR archives as corrupted compressed

A file within a RAR archive can be compressed across multiple files or parts, thereby allowing large files to be broken into smaller-sized files for ease of file transfer. This option specifies whether RAR archives containing such parts are reported as corrupted compressed.

Disabling this option enables you to receive such files. However, in this case a virus may escape detection if it is split across multiple volumes. Therefore, this setting is enabled by default.

If the archive is reported as corrupted compressed, and if the option to Delete Corrupted Compressed Files is enabled, the archive is deleted. If Delete Corrupted Compressed Files is not enabled, only the RAR archive as a whole is passed to the virus engines to be scanned. If no threat is found when the archive is scanned, the message will be delivered. If a threat is found and can be cleaned, the message will be delivered. If a threat is found and cannot be cleaned, the message will be deleted.

Note

If you are using multipart RAR to compress files that exceed 100MB when uncompressed, you should be aware of the registry value MaxUncompressedFileSize. For more information, see Appendix B - Setting registry values.

Treat concatenated gzips as corrupted compressed

Multiple Gnu zip (gzip) files can be concatenated into a single file. Although Antigen recognizes concatenated gzips, it may not recognize individual files split across concatenated gzips. Therefore, Antigen treats concatenated gzips as corrupted compressed by default. In combination with the Delete Corrupted Compressed Files option, this default behavior prevents all concatenated gzips from passing through, thereby preventing potential infections.

Disabling the treat concatenated gzips as corrupted compressed option enables you to receive concatenated gzips. However, in this case, a virus may escape detection.

Scan Doc Files as Containers - Manual

Specifies that the Manual Scan Job should scan .doc files and any other files that use structured storage and the OLE embedded data format (for example, .xls, .ppt, or .shs) as container files. This ensures that any embedded files are scanned as potential virus carriers. This setting does not apply to Office 2007 (OpenXML) files; they are always scanned as containers. For more information about OpenXML files, see Appendix E - File types list overview. Disabled by default.

Scan Doc Files as Containers - Internet

Specifies that the Internet Scan Job should scan .doc files and any other files that use structured storage and the OLE embedded data format (for example, .xls, .ppt, or .shs) as container files. This ensures that any files embedded in the file are scanned as potential virus carriers. This setting does not apply to Office 2007 (OpenXML) files; they are always scanned as containers. For more information about OpenXML files, see Appendix E - File types list overview. Disabled by default.

Scan Doc Files as Containers - Realtime

Specifies that the Realtime Scan Job should scan .doc files and any other files that use structured storage and the OLE embedded data format (for example, .xls, .ppt, or .shs) as container files. This ensures that any files embedded in the file are scanned as potential virus carriers. This setting does not apply to Office 2007 (OpenXML) files; they are always scanned as containers. For more information about OpenXML files, see Appendix E - File types list overview. Disabled by default.

Skip Content Filtering for Allowed Mailhosts

This setting allows Antigen to skip Content Filtering for SMTP messages when every public Mailhost in the Received MIME header field—up to the number specified in the Maximum Allowed Mailhosts Lookups General Options setting—is listed in an enabled Allowed Mailhost list. For more information, see Chapter 14 - Using mailhost filtering.

Case Sensitive Keyword Filtering

This setting makes all keyword filters case sensitive. When this setting is cleared, all keyword filters are case insensitive.

Fix Bare CR or LF in Mime Headers

This setting corrects a discrepancy between the MIME header parsing used by Outlook and Outlook Express and the RFC 822 specification in how a bare CR (0x0d) or bare LF (0x0a) inside a MIME header is handled. A message can be crafted so that Outlook and Outlook Express, treating the bare CR or LF as a line break, see an attachment declared in the MIME headers that an RFC 822 parser does not see, so that attachment is never scanned.

When checked, Antigen will modify any bare carriage return (CR) or bare line feed (LF) found in the MIME headers to the CRLF combination, which removes the discrepancy in parsing methods.

For more information about this setting, see “Exchange cannot deliver e-mail messages to certain domains after you configure an e-mail disclaimer” in Chapter 21 - Troubleshooting overview.
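An added example, not Antigen code, that shows the parsing discrepancy on a constructed message and applies the same normalization this setting performs: only the header block is rewritten (bare CR or bare LF becomes CRLF), the body is left alone. The message is built inline; the "strict" header view is a deliberately simple RFC 822 reading that splits header lines on CRLF only.

```powershell
# Added example (not Antigen code): normalize bare CR / bare LF inside the MIME header
# block only, and show what a strict (CRLF-only) parser sees before and after.

function Split-HeaderBlock {
    param([string]$Raw)
    # RFC 822: the header block ends at the first empty line, i.e. CRLF CRLF.
    $i = $Raw.IndexOf("`r`n`r`n")
    if ($i -lt 0) { return @($Raw, '') }
    return @($Raw.Substring(0, $i + 2), $Raw.Substring($i + 2))
}

function Repair-MimeHeaderLineEnds {
    param([string]$Raw)
    $headers, $body = Split-HeaderBlock $Raw
    # A CR not followed by LF, or an LF not preceded by CR, becomes CRLF. The body is untouched.
    $fixed = [regex]::Replace($headers, '\r(?!\n)|(?<!\r)\n', "`r`n")
    return $fixed + $body
}

function Get-StrictHeaders {
    # A strict parser's view: header lines are delimited by CRLF only.
    param([string]$Raw)
    $headers = (Split-HeaderBlock $Raw)[0]
    return @($headers -split "`r`n" | Where-Object { $_ -ne '' })
}

# Constructed message: a bare LF splices a second Content-Type into the first one.
# A lenient client treats the LF as a line break and sees an .exe attachment; a strict
# parser sees a single text/plain header with odd trailing bytes, so no file is scanned.
$msg = "From: sender@example.test`r`n" +
       "Content-Type: text/plain`nContent-Type: application/octet-stream; name=`"run.exe`"`r`n" +
       "Content-Transfer-Encoding: base64`r`n" +
       "`r`n" +
       "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAA`r`n"

$before = Get-StrictHeaders $msg
$after  = Get-StrictHeaders (Repair-MimeHeaderLineEnds $msg)

"Content-Type headers visible to a strict parser before repair: " +
    @($before | Where-Object { $_ -like 'Content-Type:*' }).Count
"Content-Type headers visible to a strict parser after repair:  " +
    @($after  | Where-Object { $_ -like 'Content-Type:*' }).Count
```

After the repair both Content-Type headers are visible to every parser, so the hidden .exe declaration can no longer reach a client unseen, and the duplicated, conflicting Content-Type is exactly the condition that the Illegal MIME Header Action setting described later in this section acts on.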

Add Disclaimers to Clear Signed Messages

When this option is selected, Antigen will add disclaimers—if disclaimers are enabled—to Clear Signed Messages. If you do not want disclaimers appended to Clear Signed Messages, clear this option. A Clear Signed Message is a message that contains a digital signature and is in a readable state. If the message is modified by the addition of a disclaimer, however, the digital signature will be invalid. When a user receives the message they will be told that the digital signature is invalid. This option is enabled by default.

Enable Junk Mail Folders

This setting is used to create the ASM Junk Mail folders for each Outlook mailbox when the ASM is installed on Exchange 2000. When this option is selected and saved, the Junk Mail Folder creation cycle begins immediately. The creation cycle runs again every day at 2:00 am in order to create folders for any new mailboxes that have been added. For more information about the ASM Junk Mail Folders, see Chapter 17 - Antigen Spam Manager overview.

Note   Junk Mail folders require certain prerequisites. If any are missing, the following grayed out option will be displayed: “Requirements for Junk folder option: W3SVC started, IIS and junk mail web folder installed, .NET installed for 200x.” W3SVC is the World Wide Web Publishing Service, which must be started. IIS must be installed and started. The Junk Mail homepage that is created by Antigen during the installation when the ASM is licensed must exist. For Exchange 2000, .NET Framework also must be installed. If any requirements are missing, they must be installed and started before Junk Mail folders can be enabled.

Purge Message if Message Body Deleted - Internet

Some messages carry viruses in the body of the message file. When all or part of the message body is deleted to remove a virus, Antigen inserts deletion text in its place. If administrators do not want e-mail users receiving cleaned messages that contain deletion text, they can use this setting to purge messages where all or part of the message body has been deleted by Antigen and there are no attachments. Note that if a message contains both HTML and plain text and the HTML is deleted, the message will be purged if this option is checked.

Enable Antigen for Exchange Scan

This setting enables Administrators to enable or disable all or selected Antigen jobs. The options are: Disable All, Enable Store Scanning, Enable Internet Scanning, and Enable All. The default value is Enable All. After changing this setting, the Antigen services must be recycled. For more information on recycling the services, see “Recycling the Antigen services” in Chapter 3 - Antigen services overview.

Internet Process Count

This setting is used to change the number of Internet processes that are used by Antigen. The default value is 2. You can create up to 10 Internet processes. After changing this setting, the Antigen services must be recycled. For more information about this setting, see Chapter 8 - Configuring SMTP Scan Jobs.

Realtime Process Count

This setting is used to change the number of Realtime processes that are used by Antigen. The default value is 2. You may create up to 4 Realtime processes. After changing this setting, the Antigen services must be recycled. For more information about this setting, see Chapter 7 - Configuring Realtime Scan Jobs.

Antigen Manual Priority

This setting enables administrators to set the CPU priority of Manual Scan Jobs to Normal, Below Normal, or Low to allow more important jobs to take precedence over Manual Scan Jobs when demands on server resources are high. The default value is Normal.

Engine Error Action

Sets the action that Antigen should take if a scan engine error occurs. (Examples include an engine exception, excessive read/write operations, a virus found without a virus name, multiple engine errors, and any other failure code returned by an engine.) The options are: Ignore, which will log the error to the program log; Skip, which will log the error to the program log and display an EngineError entry with the state Detected in the UI; and Delete, which will log the error to the program log, delete the file that caused the error, and display an EngineError entry with the state Removed in the UI. The file that caused the engine error will always be quarantined. The default value is Delete.

Illegal MIME Header Action - Internet

If Antigen encounters an illegal MIME header during a scan, this setting determines whether the message is purged (Purge: eliminate message, the default) or ignored (Ignore). Illegal MIME headers are multiple Content-Type, Content-Transfer-Encoding, or Content-Disposition headers containing conflicting data. Messages in which the Content-Disposition or Content-Type header is longer than it should be, and messages that contain multiple Subject lines, are also identified as having illegal MIME headers. Identified messages are quarantined by default. If you do not want identified messages to be quarantined, create a new registry DWORD value named DisableQuarantineForIllegalMimeHeader and set it to 1.

Internet Scan Timeout Action

Indicates what to do in the event that the Internet/SMTP Scan Job times out while scanning a file. The options are: Ignore, Skip, and Delete. The Ignore setting will let the file pass without being scanned. The Skip setting will report in the Incidents log and Program log that the file exceeded the scan time and let it pass without being scanned. The Delete setting will also report the event and replace the contents of the file with the deletion text. A copy of the file will be stored in the Quarantine database if quarantining is enabled and Internet Scan Timeout Action is set to either Skip or Delete. The default value is Delete.

Realtime Scan Timeout Action

Indicates what to do if the Realtime Scan Job times out while scanning a file. The options are: Ignore, Skip, and Delete. The Ignore setting will let the file pass without being scanned. The Skip setting will report in the Incidents log and Program log that the file exceeded the scan time and let it pass without being scanned. The Delete setting will also report the event and replace the contents of the file with the deletion text. A copy of the file will be stored in the Quarantine database if quarantining is enabled and Realtime Scan Timeout Action is set to either Skip or Delete. The default value is Delete.

SMTP Quarantine Messages

Antigen performs two different quarantine operations: quarantining of entire messages or quarantining of attachments only. Entire messages are quarantined only for content filters, spam filters, and file filters that are set to Purge when quarantine is enabled.

When SMTP Quarantine Messages is set to Quarantine as Single EML File (only applies to the SMTP Scan Job), the quarantined message and all attachments are quarantined in an EML file format.

When SMTP Quarantine Messages is set to Quarantine Message Body and Attachments Separately, Antigen will quarantine messages as separate pieces (bodies and attachments).

For a complete description of this setting, see “About quarantine” in Chapter 19 - Reporting and statistics overview.

Note

These settings do not apply to files that are quarantined due to virus scanning. Only infected attachments are quarantined when an infection is detected.

Deliver From Quarantine Security

This value gives administrators flexibility for handling messages and attachments that are forwarded from quarantine. The options for this setting are Secure Mode and Compatibility Mode.

  • Secure Mode forces all messages and attachments delivered from quarantine to be rescanned for viruses and filter matches. This is the default setting.
  • Compatibility Mode allows messages and attachments to be delivered from Quarantine without being scanned for filter matches. (Messages and attachments are always scanned for viruses.) Antigen identifies these messages by placing special tag text in the subject line of all messages that are delivered from quarantine.

For more information about this setting, see Chapter 19 - Reporting and statistics overview.

SMTP Sender Information

By default, Antigen for Exchange uses the “MIME FROM:” header sender address for the SMTP Scan Job on Exchange 2000/2003. This General Option setting allows administrators to use the MAIL FROM sender address from the SMTP protocol for the SMTP Scan Job. When Use SMTP protocol MAIL FROM is selected, the address in that field will be used anywhere the sender address is used, for example, for sender or domain content filtering, notifications, reporting in the Administrator, and Multiple Disclaimers. The options for this setting are:

  • Use MIME From: Header (the default).
  • Use SMTP protocol MAIL FROM.

Note

When MIME From is selected and a MIME Sender header is also present, the MIME Sender header information will be used.

Perform Reverse DNS Lookup

Provides the ability to disable Reverse DNS lookups when validating an IP address or domain name against the Allowed Mailhost or Rejected Mailhost lists. If Reverse DNS lookups are disabled, the domain name found in the MIME Received header field will be used for comparisons with the Allowed Mailhost and Rejected Mailhost lists. The options for this setting are:

  • Enable All (the default)
  • Disable All
  • Only for Mailhost List Checking
  • Only for Inbound/Outbound Determination

For more information about this setting, see Chapter 14 - Using mailhost filtering.

Max Container File Infections

Specifies the maximum number of infections allowed in a compressed file. If this number is exceeded, the entire file is deleted and Antigen logs an incident stating that an ExceedinglyInfected virus was found. A value of zero means that a single infection will cause the entire container to be deleted. In this case, the logged incident has the tag “Container Removed” appended to the filter match. The default value is 5 infections.

Max Container File Size

Specifies the maximum container file size (in bytes) that Antigen will attempt to clean or repair in the event that it discovers an infected file. The default is 26 MB (26,214,400 bytes). Files larger than the maximum size are deleted if they are infected or meet file filter rules. Antigen reports deleted files as a LargeInfectedContainerFile virus.

Max Nested Attachments

Specifies the maximum number of nested documents that can appear in MSG, TNEF, MIME, and Uuencoded documents. The limit applies to the sum of the nestings of all of these types. If the maximum is exceeded, Antigen blocks or deletes the document and reports that an ExceedinglyInfected virus was found. The default value is 30.

Max Nested Compressed Files

Specifies the maximum nesting depth for a compressed file. If this depth is exceeded, the entire file is deleted and Antigen sends a notification stating that an ExceedinglyNested virus was found. A value of zero means that unlimited nesting is allowed. The default value is 5.

Max Container Scan Time (msecs) - Realtime/Internet

Specifies the number of milliseconds that Antigen will scan a compressed attachment before reporting it as a ScanTimeExceeded virus. This setting is intended to limit the denial-of-service risk posed by "zip of death" (decompression bomb) attacks. The default value is 120,000 milliseconds (two minutes).

Max Container Scan Time (msecs) - Manual

Specifies the number of milliseconds that Antigen will scan a compressed attachment before reporting it as a ScanTimeExceeded virus. This setting is intended to limit the denial-of-service risk posed by "zip of death" (decompression bomb) attacks. The default value is 600,000 milliseconds (ten minutes).

Internal Address

Antigen can be configured to send different notifications to internal and external senders and recipients. If your list of internal names is small, enter the domain names in the Internal Address field, to show who should be sent internal notifications. Domains should be entered as a semicolon delimited list (for example: microsoft.com;microsoft.net;company.com) with no spaces. Any change to this value is immediately reflected in virus notifications.

When entering a domain name in the Internal Address field, be aware that subdomains are covered by the entry.

For example: domain.com will include subdomain.domain.com and subdomain2.domain.com.

Alternate domains such as domain.net or domain.org must be entered individually.

Values entered in Internal Address are used as a substring match of the end of an e-mail address. For example, “soft.com” would consider “someone@microsoft.com” and “someone@abcdef123soft.com” to be internal addresses.

If you have a large number of domains to be used as internal addresses, you can enter them in an external text file (leaving the Internal Address field blank). Enter all your internal domains, each on a separate line. Be aware that all subdomains must be entered individually. To use the external file, you must manually create the registry key DomainDatFilename and set its value to the full path of the external text file. For more about this key, see Appendix B - Setting registry values.

(For more information about internal addresses and notifications, see Chapter 18 - Using e-mail notifications.)
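The following added example (not Antigen code) models the Internal Address matching rule described above: entries are split on semicolons and compared as a substring against the end of the address, so a subdomain matches but so does an unrelated domain that merely ends with the entry. It also shows a stricter comparison (an assumption, not an Antigen option) that a reviewer of an Internal Address list might use to spot over-broad entries.

```python
# Added illustration of the documented Internal Address semantics; the
# helper names and the stricter variant are this example's own, not Antigen's.

def parse_internal_address(value: str) -> list[str]:
    """Split the semicolon-delimited Internal Address value (no spaces allowed)."""
    if any(ch.isspace() for ch in value):
        raise ValueError("Internal Address must not contain spaces")
    return [entry.lower() for entry in value.split(";") if entry]


def is_internal(address: str, entries: list[str]) -> bool:
    """Documented rule: an entry matches as a substring of the END of the address.
    This is why 'domain.com' also covers 'sub.domain.com', and why
    'soft.com' would treat 'someone@abcdef123soft.com' as internal."""
    addr = address.lower()
    return any(addr.endswith(entry) for entry in entries)


def is_internal_strict(address: str, entries: list[str]) -> bool:
    """Assumed stricter variant: the entry must equal the address's domain or be
    a parent domain separated by a dot. Useful for auditing a list, since it
    shows which addresses only match because of the loose substring rule."""
    domain = address.lower().rsplit("@", 1)[-1]
    return any(domain == e or domain.endswith("." + e) for e in entries)


def loosely_matched(addresses: list[str], entries: list[str]) -> list[str]:
    """Addresses classed internal by the documented rule but not by the strict one."""
    return [a for a in addresses
            if is_internal(a, entries) and not is_internal_strict(a, entries)]


if __name__ == "__main__":
    # Constructed sample list; 'soft.com' is the over-broad entry from the text.
    entries = parse_internal_address("microsoft.com;microsoft.net;soft.com")
    sample = ["someone@microsoft.com", "someone@sub.microsoft.com",
              "someone@microsoft.org", "someone@abcdef123soft.com"]
    for a in sample:
        print(f"{a:32} internal={is_internal(a, entries)}")
    print("matched only by the loose rule:", loosely_matched(sample, entries))
```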

SMTP External Hosts

If you are using an SMTP gateway to route e-mail into your Exchange environment, you can enter the IP address of the gateway server so that Antigen will treat all mail coming from that server as inbound when determining which filters and scan jobs to use for a message. If you do not enter the IP address of your SMTP gateway, Antigen will use its internal logic to determine whether messages are inbound or internal. IP addresses should be entered as a semicolon delimited list with no spaces.

Example: 123.456.78;876.543.21;000.000.00

Maximum RBL Lookups

Specifies the number of hops allowed while doing RBL tests. (Only public IP addresses received in the chain are counted.) Antigen starts counting with the first public IP address and checks the IP address of each hop until the Maximum RBL Lookups is reached or a private IP address is encountered. The default value is 4.
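As an added example (not Antigen code), the function below applies the hop-counting rule just described to a constructed chain of Received headers: it skips leading private hops, starts counting at the first public IP address, and stops when Maximum RBL Lookups is reached or a private IP address appears. It assumes Received headers are walked from the most recent hop downward and treats the RFC 1918, loopback and link-local ranges as private; the sample addresses use documentation ranges, which is why the check is explicit rather than Python's broader `is_private`.

```python
import ipaddress
import re

# Constructed sample chain, most recent hop first (as in a real message).
# Addresses are documentation/private ranges, not real hosts.
SAMPLE_RECEIVED = [
    "from exch.corp.example (exch.corp.example [172.16.1.2]) by mailbox.corp.example",
    "from mx.example.net (mx.example.net [192.0.2.10]) by exch.corp.example",
    "from relay.example.org (relay.example.org [198.51.100.7]) by mx.example.net",
    "from gw.internal (gw.internal [10.0.0.5]) by relay.example.org",
    "from client.internal (client.internal [10.0.0.9]) by gw.internal",
]

# "Private" as the text means it: RFC 1918 plus loopback and link-local.
_PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_private_ip(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in _PRIVATE_NETS)


def hop_ip(received_header: str):
    """Extract the bracketed sending IP from one Received header, or None."""
    m = _IP_RE.search(received_header)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


def select_rbl_candidates(received_headers: list[str], max_rbl_lookups: int = 4):
    """Return the hop IPs that would be submitted to RBL tests under the
    documented rule (default Maximum RBL Lookups is 4)."""
    candidates, started = [], False
    for header in received_headers:
        ip = hop_ip(header)
        if ip is None:
            continue                      # header without a usable IP is ignored
        if not started and is_private_ip(ip):
            continue                      # internal hops before the first public IP
        started = True
        if is_private_ip(ip):
            break                         # private IP encountered: stop counting
        candidates.append(str(ip))
        if len(candidates) >= max_rbl_lookups:
            break                         # Maximum RBL Lookups reached
    return candidates


if __name__ == "__main__":
    print(select_rbl_candidates(SAMPLE_RECEIVED))      # two public hops, then stop
    print(select_rbl_candidates(SAMPLE_RECEIVED, 1))   # capped at one lookup
```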

Maximum Allowed Mailhost Lookups

Specifies how many addresses need to be checked and matched by the Allowed Mailhost filter for content filtering to be skipped. The default value is 4.

VSAPI section

The following table lists and describes the settings in the VSAPI section of General Options.

Setting Description

Scan on Scan Job Update

Causes previously scanned files to be rescanned when accessed following a scan job update. This setting is disabled by default.

Note

When Scan on Scan Job Update is selected, the Mailbox server may experience increased virus scanning, which may affect server performance.

Enable Background Scan if 'Scan on Scan Job Update' Enabled

Initiates a Background Scan every time a scan job setting is updated if the General Option setting Scan on Scan Job Update is enabled.

Scan on Scanner Update

Causes previously scanned files to be rescanned when accessed following a scanner update. This setting applies to messages stored on a Mailbox server or a Public Folder server. It provides heightened protection by rescanning messages that have already been scanned: a message is rescanned the first time a mailbox server "On-Access" event occurs and during every subsequent "On-Access" event, provided new virus signatures have been received since the last time the message was scanned. This setting is disabled by default.

Note

When Scan on Scanner Update is selected, the Mailbox server may experience increased virus scanning, which may impact server performance.

Note

Messages retrieved by Outlook 2003 or by Outlook 2007 clients running in cache mode generate an “On-Access” event only when they are originally synchronized to the client and will not be rescanned on the server when the messages are accessed on the local client and retrieved from the cache. To rescan these already retrieved messages, use the General Option setting Enable Background Scan if ‘Scan on Scanner Update’ Enabled. If a background scan detects a virus in a message and cleans or purges the message, then the next time the Outlook client resynchronizes with the server, the already-retrieved infected message will be cleaned or purged.

Enable Background Scan if 'Scan on Scanner Update' Enabled

Initiates a Background Scan every time a scan engine is updated if the General Option setting Scan on Scanner Update is enabled.

Exchange 2003 UCE Settings

These settings are visible in the General Options pane for all installations, but will not configure the Exchange settings unless the Antigen Spam Manager is enabled. The UCE settings are Exchange 2003 functions that help combat spam e-mail by tagging potential spam and diverting suspect messages into a Junk folder instead of a user’s inbox.

Setting Description

Enable SCL Rating

Specifies whether the user wants to use the Exchange 2003 features to specify Spam Confidence Level (SCL) ratings in a message. If this option is checked, Antigen will set an SCL rating based on the results of filtering operations performed by the Spam Manager. Administrators must configure the Action Identify: Tag Message to Set SCL property for ratings to be appended to messages. For more information, see Chapter 17 - Antigen Spam Manager overview.

Skip Content Filtering for Authenticated Connections

Specifies whether to use the Authenticated Connections property of a message. This property is added to the message by the SMTP service according to administration options available in Exchange 2003. Virus scanning, worm detection, and file filtering will still be performed even if this is enabled.

Skip Content Filtering for Safe Connections

Specifies whether to use the Safe Connections property of a message. This property is added to the message by the SMTP service according to administration options available in Exchange 2003. Virus scanning, worm detection, and file filtering will still be performed even if this is enabled.

Central Management

Central management of Antigen is handled through the Microsoft Antigen Enterprise Manager (AEM). The AEM enables administrators to:

  • Install or uninstall Antigen on local and remote servers.
  • Update all or individual scan engines on local and remote servers.
  • Run a manual scan on multiple servers simultaneously.
  • Check Antigen, scan engine, and virus definition versions on multiple servers.
  • Deploy Antigen template files.
  • Retrieve virus logs from multiple servers.
  • Retrieve quarantined files.
  • Retrieve the ProgramLog.txt file from single or multiple servers.
  • Retrieve virus incident information.
  • Deploy General Options settings.
  • Deploy Filter List templates.
  • Generate HTML reports.
  • Send outbreak alerts.

For detailed instructions on using these features, see the Microsoft Antigen Enterprise Manager User Guide at the Microsoft Antigen TechNet Library.
