Configuring the action when malware is detected
Applies to: Forefront Protection for Exchange
You must indicate the action that Forefront Protection 2010 for Exchange Server (FPE) should take when malware is detected. You must set the action for each scan job type (realtime, transport, scheduled, and on-demand) you configure. The action setting is not global. Also, for each scan job type except the on-demand scan (which does not support spyware scanning), you can configure different actions for virus and spyware detections. In cases where a file is detected as containing both a virus and spyware, the virus action setting takes precedence.
The available action options are listed and described in the following table. Click Save after making any changes to your action settings.
Action | Description |
---|---|
Skip (detect only) | Makes no attempt to clean or delete. Malware is reported, but the files remain infected. If, however, Delete corrupted compressed files, Delete corrupted UUEncoded files, or Delete encrypted compressed files was selected in Global Settings - Advanced Options, a match to any of those conditions causes the item to be deleted. |
Clean | Attempts to clean the malware. If successful, the infected attachment or message body is replaced with the clean version (even if part of a container file). If cleaning is not possible, the attachment or message body is replaced with the deletion text. For example, consider a scenario where an email message has an attachment named example.zip. The .zip file contains two documents: ex1.doc and ex2.doc. If ex1.doc is infected, and cleaned by FPE, and ex2.doc is not infected, a modified example.zip file that contains the cleaned ex1.doc and original ex2.doc file will arrive in the user’s mailbox. This is the default setting for each antivirus scan job type. |
Delete | Deletes the file attachment without attempting to clean it. The detected file is removed from the message (even if part of a container file), and the deletion text is inserted in its place. This is the default setting for each antispyware scan job type. Note: You can specify the extension type used for all deleted attachments (for example, .abc), making it easy to instantly identify deleted attachments. For more information, see Configuring the extension type for all deleted attachments. |
Purge | Deletes the entire message from your mail system. It cannot be recovered unless you select to quarantine files. |
Available Malware Scan Actions
The following table shows the available actions for each type of malware scan.
Server Role | Virus | Spyware |
---|---|---|
Edge or Hub Transport | Skip detect, Clean (default), Delete | Skip detect, Purge, Delete (default) |
Mailbox Realtime | Skip detect, Clean (default), Delete | Skip detect, Purge, Delete (default) |
Mailbox Scheduled | Skip detect, Clean (default), Delete | Skip detect, Purge, Delete (default) |
Mailbox On-demand | Skip detect (default), Clean, Delete | Not applicable |
Configuring the extension type for all deleted attachments
You can specify the extension type used for all deleted attachments (for example, .abc), making it easier to instantly identify deleted attachments.
To configure the extension type for all deleted attachments
1. In the Forefront Protection 2010 for Exchange Server Administrator Console's Policy Management view, in the tree, expand Global Settings, and then click Advanced Options.
2. In the Global Settings - Advanced Options pane, in the Scans section, specify a value in the Use this extension when replacing a deleted attachment with the deletion text field. The default value is txt.
   - If you want to disable this feature (causing the original extension to be retained), replace txt with an empty string.
   - If you want to specify a different extension, replace txt with another string, which must be between one and three characters long.
3. Click Save.
See Also
Concepts
Configuring the transport scan
Configuring the realtime scan
Configuring the scheduled scan
Configuring the on-demand scan